WebAssembly: f32.max with NaN generates incorrect result
[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
2
3         WebAssembly: f32.max with NaN generates incorrect result
4         https://bugs.webkit.org/show_bug.cgi?id=175691
5         <rdar://problem/33952228>
6
7         Reviewed by Saam Barati.
8
9         Enable all f32.max NaN tests
10
11         * wasm/spec-tests/f32.wast.js:
12         * wasm/wasm.json:
13
14 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
15
16         [JSC] Move test into directory for WASM tests
17         https://bugs.webkit.org/show_bug.cgi?id=196187
18
19         Reviewed by Mark Lam.
20
21         Move Test into wasm-directory. Otherwise this test
22         is also executed on systems without WASM support.
23
24         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
25
26 2019-03-23  Mark Lam  <mark.lam@apple.com>
27
28         Rolling out r243032 and r243071 because the fix is incorrect.
29         https://bugs.webkit.org/show_bug.cgi?id=195892
30         <rdar://problem/48981239>
31
32         Not reviewed.
33
34         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
35
36 2019-03-22  Mark Lam  <mark.lam@apple.com>
37
38         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
39         https://bugs.webkit.org/show_bug.cgi?id=196154
40         <rdar://problem/49145307>
41
42         Reviewed by Filip Pizlo.
43
44         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
45         There's no need to run this test on more than 1 test configuration.
46
47         * stress/typed-array-lastIndexOf-exception-check.js: Added.
48         * stress/web-assembly-link-error-exception-check.js:
49
50 2019-03-22  Mark Lam  <mark.lam@apple.com>
51
52         Placate exception check validation in constructJSWebAssemblyLinkError().
53         https://bugs.webkit.org/show_bug.cgi?id=196152
54         <rdar://problem/49145257>
55
56         Reviewed by Michael Saboff.
57
58         * stress/web-assembly-link-error-exception-check.js: Added.
59
60 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
61
62         Skip tests running out of memory on ARM/MIPS
63         https://bugs.webkit.org/show_bug.cgi?id=196131
64
65         Unreviewed. Skip test if memory is limited.
66
67         * microbenchmarks/put-by-val-direct-large-index.js:
68
69 2019-03-21  Mark Lam  <mark.lam@apple.com>
70
71         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
72         https://bugs.webkit.org/show_bug.cgi?id=196116
73         <rdar://problem/48976951>
74
75         Reviewed by Filip Pizlo.
76
77         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
78
79 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
80
81         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
82         https://bugs.webkit.org/show_bug.cgi?id=196078
83         <rdar://problem/35925380>
84
85         Reviewed by Mark Lam.
86
87         Add a new benchmark that allocates several objects and invokes put_by_val_direct
88         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
89
90         * microbenchmarks/put-by-val-direct-large-index.js: Added.
91
92 2019-03-21  Mark Lam  <mark.lam@apple.com>
93
94         Placate exception check validation in operationArrayIndexOfString().
95         https://bugs.webkit.org/show_bug.cgi?id=196067
96         <rdar://problem/49056572>
97
98         Reviewed by Michael Saboff.
99
100         * stress/string-equal-exception-check.js: Added.
101
102 2019-03-21  Mark Lam  <mark.lam@apple.com>
103
104         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
105         https://bugs.webkit.org/show_bug.cgi?id=196055
106         <rdar://problem/49067448>
107
108         Reviewed by Yusuke Suzuki.
109
110         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
111
112 2019-03-20  Saam Barati  <sbarati@apple.com>
113
114         typeOfDoubleSum is wrong for when NaN can be produced
115         https://bugs.webkit.org/show_bug.cgi?id=196030
116
117         Reviewed by Filip Pizlo.
118
119         * stress/double-add-sub-mul-can-produce-nan.js: Added.
120         (assert):
121         (noInline.sub):
122         (noInline):
123         (assert.mul):
124         (assert.add):
125
126 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
127
128         Update the test to ensure OutOfMemoryError is thrown as intended
129         https://bugs.webkit.org/show_bug.cgi?id=196032
130         <rdar://problem/46842740>
131
132         Rubber stamped by Saam Barati.
133
134         * stress/create-error-out-of-memory-rope-string.js:
135         (assert):
136         (catch):
137
138 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
139
140         JSC::createError needs to check for OOM in errorDescriptionForValue
141         https://bugs.webkit.org/show_bug.cgi?id=196032
142         <rdar://problem/46842740>
143
144         Reviewed by Mark Lam.
145
146         * stress/create-error-out-of-memory-rope-string.js: Added.
147
148 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
149
150         Unreviewed, reduce # of iterations to avoid timing out after r242991
151         https://bugs.webkit.org/show_bug.cgi?id=195791
152
153         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
154
155         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
156
157 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
158
159         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
160         https://bugs.webkit.org/show_bug.cgi?id=195950
161
162         Unreviewed, reducing the amount of memory used on this test to avoid
163         OOM on devices with memory restrictions.
164
165         * microbenchmarks/generate-multiple-llint-entrypoints.js:
166
167 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
168
169         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
170         https://bugs.webkit.org/show_bug.cgi?id=194648
171
172         Reviewed by Keith Miller.
173
174         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
175
176 2019-03-18  Mark Lam  <mark.lam@apple.com>
177
178         Missing a ThrowScope release in JSObject::toString().
179         https://bugs.webkit.org/show_bug.cgi?id=195893
180         <rdar://problem/48970986>
181
182         Reviewed by Michael Saboff.
183
184         * stress/to-string-exception-check-release.js: Added.
185
186 2019-03-18  Mark Lam  <mark.lam@apple.com>
187
188         Structure::flattenDictionary() should clear unused property slots.
189         https://bugs.webkit.org/show_bug.cgi?id=195871
190         <rdar://problem/48959497>
191
192         Reviewed by Michael Saboff.
193
194         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
195
196 2019-03-15  Mark Lam  <mark.lam@apple.com>
197
198         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
199         https://bugs.webkit.org/show_bug.cgi?id=195827
200         <rdar://problem/48845513>
201
202         Reviewed by Filip Pizlo.
203
204         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
205
206 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
207
208         [ARM,MIPS] Skip slow tests
209         https://bugs.webkit.org/show_bug.cgi?id=195799
210
211         Unreviewed, test does not finish on ARM and MIPS within the
212         timeout limit.
213
214         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
215
216 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
217
218         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
219         https://bugs.webkit.org/show_bug.cgi?id=195791
220         <rdar://problem/48806130>
221
222         Reviewed by Mark Lam.
223
224         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
225         (foo):
226
227 2019-03-14  Saam barati  <sbarati@apple.com>
228
229         We can't remove code after ForceOSRExit until after FixupPhase
230         https://bugs.webkit.org/show_bug.cgi?id=186916
231         <rdar://problem/41396612>
232
233         Reviewed by Yusuke Suzuki.
234
235         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
236         (foo):
237         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
238         (foo):
239
240 2019-03-13  Michael Saboff  <msaboff@apple.com>
241
242         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
243         https://bugs.webkit.org/show_bug.cgi?id=195735
244
245         Reviewed by Mark Lam.
246
247         New regression test.
248
249         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
250         (foo):
251         (bar):
252
253 2019-03-14  Saam barati  <sbarati@apple.com>
254
255         Fixup uses KnownInt32 incorrectly in some nodes
256         https://bugs.webkit.org/show_bug.cgi?id=195279
257         <rdar://problem/47915654>
258
259         Reviewed by Yusuke Suzuki.
260
261         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
262         (foo):
263
264 2019-03-14  Keith Miller  <keith_miller@apple.com>
265
266         DFG liveness can't skip tail caller inline frames
267         https://bugs.webkit.org/show_bug.cgi?id=195715
268
269         Reviewed by Saam Barati.
270
271         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
272         (i.foo):
273
274 2019-03-13  Mark Lam  <mark.lam@apple.com>
275
276         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
277         https://bugs.webkit.org/show_bug.cgi?id=195415
278
279         Not reviewed.
280
281         Changed these tests to only run the default configuration.
282         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
283         There's no strong need to run this test on that variant.
284
285         * stress/dfg-to-string-on-int-does-gc.js:
286         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
287
288 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
289
290         String overflow when using StringBuilder in JSC::createError
291         https://bugs.webkit.org/show_bug.cgi?id=194957
292
293         Reviewed by Mark Lam.
294
295         Add test string-overflow-createError-bulder.js that overflows
296         StringBuilder in notAFunctionSourceAppender. The second new test
297         string-overflow-createError-fit.js has an error message that doesn't
298         overflow, it still failed since the String's capacity can't be doubled.
299         Run test string-overflow-createError.js only in the default
300         configuration to reduce memory consumption when running the test
301         in all configurations on multiple CPUs in parallel.
302
303         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
304         (catch):
305         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
306         (catch):
307         * stress/string-overflow-createError.js:
308
309 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
310
311         [JSC] OSR entry should respect abstract values in addition to flush formats
312         https://bugs.webkit.org/show_bug.cgi?id=195653
313
314         Reviewed by Mark Lam.
315
316         * stress/osr-entry-locals-none.js: Added.
317
318 2019-03-12  Michael Saboff  <msaboff@apple.com>
319
320         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
321         https://bugs.webkit.org/show_bug.cgi?id=195613
322
323         Reviewed by Mark Lam.
324
325         New regression test.
326
327         * stress/regexp-backref-inbounds.js: Added.
328         (testRegExp):
329
330 2019-03-12  Mark Lam  <mark.lam@apple.com>
331
332         The HasIndexedProperty node does GC.
333         https://bugs.webkit.org/show_bug.cgi?id=195559
334         <rdar://problem/48767923>
335
336         Reviewed by Yusuke Suzuki.
337
338         * stress/HasIndexedProperty-does-gc.js: Added.
339
340 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
341
342         [ESNext][BigInt] Implement "~" unary operation
343         https://bugs.webkit.org/show_bug.cgi?id=182216
344
345         Reviewed by Keith Miller.
346
347         * stress/big-int-bit-not-general.js: Added.
348         * stress/big-int-bitwise-not-jit.js: Added.
349         * stress/big-int-bitwise-not-wrapped-value.js: Added.
350         * stress/bit-op-with-object-returning-int32.js:
351         * stress/bitwise-not-fixup-rules.js: Added.
352         * stress/value-bit-not-ai-rule.js: Added.
353
354 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
355
356         Invalid flags in a RegExp literal should be an early SyntaxError
357         https://bugs.webkit.org/show_bug.cgi?id=195514
358
359         Reviewed by Darin Adler.
360
361         * test262/expectations.yaml:
362         Mark 4 test cases as passing.
363
364         * stress/regexp-syntax-error-invalid-flags.js:
365         * stress/regress-161995.js: Removed.
366         Update existing test, merging in an older test for the same behavior.
367
368 2019-03-08  Mark Lam  <mark.lam@apple.com>
369
370         Stack overflow crash in JSC::JSObject::hasInstance.
371         https://bugs.webkit.org/show_bug.cgi?id=195458
372         <rdar://problem/48710195>
373
374         Reviewed by Yusuke Suzuki.
375
376         * stress/stack-overflow-in-custom-hasInstance.js: Added.
377
378 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
379
380         op_check_tdz does not def its argument
381         https://bugs.webkit.org/show_bug.cgi?id=192880
382         <rdar://problem/46221598>
383
384         Reviewed by Saam Barati.
385
386         * microbenchmarks/let-for-in.js: Added.
387         (foo):
388
389 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
390
391         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
392         https://bugs.webkit.org/show_bug.cgi?id=195429
393
394         Reviewed by Saam Barati.
395
396         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
397         (foo):
398         * stress/string-from-char-code-255.js: Added.
399
400 2019-03-06  Mark Lam  <mark.lam@apple.com>
401
402         Fix incorrect handling of try-finally completion values.
403         https://bugs.webkit.org/show_bug.cgi?id=195131
404         <rdar://problem/46222079>
405
406         Reviewed by Saam Barati and Yusuke Suzuki.
407
408         Added many permutations of new test case to test-finally.js.  test-finally.js has
409         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
410         tests passes there as well.
411
412         * stress/test-finally.js:
413
414 2019-03-06  Saam Barati  <sbarati@apple.com>
415
416         Air::reportUsedRegisters must padInterference
417         https://bugs.webkit.org/show_bug.cgi?id=195303
418         <rdar://problem/48270343>
419
420         Reviewed by Keith Miller.
421
422         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
423
424 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
425
426         [JSC] AI should not propagate AbstractValue relying on constant folding phase
427         https://bugs.webkit.org/show_bug.cgi?id=195375
428
429         Reviewed by Saam Barati.
430
431         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
432         (let.array):
433
434 2019-03-05  Saam barati  <sbarati@apple.com>
435
436         op_switch_char broken for rope strings after JSRopeString layout rewrite
437         https://bugs.webkit.org/show_bug.cgi?id=195339
438         <rdar://problem/48592545>
439
440         Reviewed by Yusuke Suzuki.
441
442         * stress/switch-on-char-llint-rope.js: Added.
443
444 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
445
446         [JSC] Store bits for JSRopeString in 3 stores
447         https://bugs.webkit.org/show_bug.cgi?id=195234
448
449         Reviewed by Saam Barati.
450
451         * stress/null-rope-and-collectors.js: Added.
452
453 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
454
455         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
456         https://bugs.webkit.org/show_bug.cgi?id=195207
457
458         Unreviewed. After test runtime was reduced in r242213, test can be
459         run again on ARM/MIPS.
460
461         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
462
463 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
464
465         [JSC] sizeof(JSString) should be 16
466         https://bugs.webkit.org/show_bug.cgi?id=194375
467
468         Reviewed by Saam Barati.
469
470         * microbenchmarks/make-rope.js: Added.
471         (makeRope):
472         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
473         (returnRope.helper): Deleted.
474         (returnRope): Deleted.
475
476 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
477
478         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
479         https://bugs.webkit.org/show_bug.cgi?id=195144
480
481         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
482         Change the number from 1e8 to 1e5.
483
484         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
485         (foo):
486
487 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
488
489         Test times out on ARM/MIPS
490         https://bugs.webkit.org/show_bug.cgi?id=195168
491
492         Unreviewed. Skip test on ARM/MIPS.
493
494         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
495
496 2019-02-27  Mark Lam  <mark.lam@apple.com>
497
498         The parser is failing to record the token location of new in new.target.
499         https://bugs.webkit.org/show_bug.cgi?id=195127
500         <rdar://problem/39645578>
501
502         Reviewed by Yusuke Suzuki.
503
504         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
505
506 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
507
508         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
509         https://bugs.webkit.org/show_bug.cgi?id=195144
510         <rdar://problem/47595961>
511
512         Reviewed by Mark Lam.
513
514         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
515         (bar):
516         (foo):
517         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
518         (bar):
519         (foo):
520
521 2019-02-27  Robin Morisset  <rmorisset@apple.com>
522
523         DFG: Loop-invariant code motion (LICM) should not hoist dead code
524         https://bugs.webkit.org/show_bug.cgi?id=194945
525         <rdar://problem/48311657>
526
527         Reviewed by Mark Lam.
528
529         * stress/licm-dead-code.js: Added.
530
531 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
532
533         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
534         https://bugs.webkit.org/show_bug.cgi?id=194677
535         <rdar://problem/48112492>
536
537         Reviewed by Mark Lam.
538
539         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
540         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
541         it immediately fails due the large size.
542
543         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
544         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
545         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
546         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
547
548         This patch changes the test to produce 16bit string from String.fromCharCode.
549
550         * stress/regress-178386.js:
551
552 2019-02-26  Mark Lam  <mark.lam@apple.com>
553
554         wasmToJS() should purify incoming NaNs.
555         https://bugs.webkit.org/show_bug.cgi?id=194807
556         <rdar://problem/48189132>
557
558         Reviewed by Saam Barati.
559
560         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
561
562 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
563
564         [JSC] Repeat string created from Array.prototype.join() take too much memory
565         https://bugs.webkit.org/show_bug.cgi?id=193912
566
567         Reviewed by Saam Barati.
568
569         Added a test and a microbenchmark for corner cases of
570         Array.prototype.join() with an uninitialized array.
571
572         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
573         * stress/array-prototype-join-uninitialized.js: Added.
574         (testArray):
575         (testABC):
576         (B):
577         (C):
578
579 2019-02-22  Robin Morisset  <rmorisset@apple.com>
580
581         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
582         https://bugs.webkit.org/show_bug.cgi?id=194953
583         <rdar://problem/47595253>
584
585         Reviewed by Saam Barati.
586
587         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
588
589         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
590
591 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
592
593         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
594         https://bugs.webkit.org/show_bug.cgi?id=172848
595         <rdar://problem/25709212>
596
597         Reviewed by Mark Lam.
598
599         * typeProfiler/inheritance.js:
600         Rewrite the test slightly for clarity. The hoisting was confusing.
601
602         * heapProfiler/class-names.js: Added.
603         (MyES5Class):
604         (MyES6Class):
605         (MyES6Subclass):
606         Test object types and improved class names.
607
608         * heapProfiler/driver/driver.js:
609         (CheapHeapSnapshotNode):
610         (CheapHeapSnapshot):
611         (createCheapHeapSnapshot):
612         (HeapSnapshot):
613         (createHeapSnapshot):
614         Update snapshot parsing from version 1 to version 2.
615
616 2019-02-19  Truitt Savell  <tsavell@apple.com>
617
618         Unreviewed, rolling out r241784.
619
620         Broke all OpenSource builds.
621
622         Reverted changeset:
623
624         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
625         instances view"
626         https://bugs.webkit.org/show_bug.cgi?id=172848
627         https://trac.webkit.org/changeset/241784
628
629 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
630
631         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
632         https://bugs.webkit.org/show_bug.cgi?id=172848
633         <rdar://problem/25709212>
634
635         Reviewed by Mark Lam.
636
637         * typeProfiler/inheritance.js:
638         Rewrite the test slightly for clarity. The hoisting was confusing.
639
640         * heapProfiler/class-names.js: Added.
641         (MyES5Class):
642         (MyES6Class):
643         (MyES6Subclass):
644         Test object types and improved class names.
645
646         * heapProfiler/driver/driver.js:
647         (CheapHeapSnapshotNode):
648         (CheapHeapSnapshot):
649         (createCheapHeapSnapshot):
650         (HeapSnapshot):
651         (createHeapSnapshot):
652         Update snapshot parsing from version 1 to version 2.
653
654 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
655
656         [ARM] Fix crash with sampling profiler
657         https://bugs.webkit.org/show_bug.cgi?id=194772
658
659         Reviewed by Mark Lam.
660
661         Do not skip test since crash with sampling profiler is now fixed.
662
663         * stress/sampling-profiler-richards.js:
664
665 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
666
667         [JSC] Add LazyClassStructure::getInitializedOnMainThread
668         https://bugs.webkit.org/show_bug.cgi?id=194784
669         <rdar://problem/48154820>
670
671         Reviewed by Mark Lam.
672
673         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
674         (getProperties):
675         (getRandomProperty):
676         (i.catch):
677
678 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
679
680         [ARM] Test gardening: Test running out of executable memory
681         https://bugs.webkit.org/show_bug.cgi?id=194771
682
683         Unreviewed. Do not run test without LLInt, test is running out of executable
684         memory on ARM otherwise.
685
686         * stress/tagged-template-object-collect.js:
687
688 2019-02-18  Tomas Popela  <tpopela@redhat.com>
689
690         Unreviewed, skip the test on platforms without sampling profiler
691
692         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
693         (platformSupportsSamplingProfiler.foo):
694         (platformSupportsSamplingProfiler.test):
695         (platformSupportsSamplingProfiler):
696         (foo): Deleted.
697         (test): Deleted.
698
699 2019-02-17  Saam Barati  <sbarati@apple.com>
700
701         Deadlock when adding a Structure property transition and then doing incremental marking
702         https://bugs.webkit.org/show_bug.cgi?id=194767
703
704         Reviewed by Mark Lam.
705
706         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
707
708 2019-02-15  Michael Saboff  <msaboff@apple.com>
709
710         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
711         https://bugs.webkit.org/show_bug.cgi?id=194558
712
713         Reviewed by Saam Barati.
714
715         New regression test.
716
717         * stress/regexp-unicode-within-string.js: Added.
718
719 2019-02-15  Mark Lam  <mark.lam@apple.com>
720
721         SamplingProfiler::stackTracesAsJSON() should escape strings.
722         https://bugs.webkit.org/show_bug.cgi?id=194649
723         <rdar://problem/48072386>
724
725         Reviewed by Saam Barati.
726
727         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
728         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
729         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
730         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
731
732 2019-02-15  Robin Morisset  <rmorisset@apple.com>
733         CodeBlock::jettison should clear related watchpoints
734         https://bugs.webkit.org/show_bug.cgi?id=194544
735
736         Reviewed by Mark Lam.
737
738         * stress/regexp-replace-double-watchpoint.js: Added.
739         (foo):
740
741 2019-02-15  Saam barati  <sbarati@apple.com>
742
743         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
744         https://bugs.webkit.org/show_bug.cgi?id=194036
745
746         Reviewed by Yusuke Suzuki.
747
748         * stress/tail-call-many-arguments.js: Added.
749         (foo):
750         (bar):
751
752 2019-02-14  Saam Barati  <sbarati@apple.com>
753
754         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
755         https://bugs.webkit.org/show_bug.cgi?id=194583
756         <rdar://problem/48028140>
757
758         Reviewed by Yusuke Suzuki.
759
760         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
761
762 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
763
764         [JSC] String.fromCharCode's slow path always generates 16bit string
765         https://bugs.webkit.org/show_bug.cgi?id=194466
766
767         Reviewed by Keith Miller.
768
769         * stress/string-from-char-code-slow-path.js: Added.
770         (shouldBe):
771         (testWithLength):
772
773 2019-02-08  Saam barati  <sbarati@apple.com>
774
775         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
776         https://bugs.webkit.org/show_bug.cgi?id=194334
777         <rdar://problem/47844327>
778
779         Reviewed by Mark Lam.
780
781         * stress/check-in-bounds-should-be-a-child-use.js: Added.
782         (func):
783
784 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
785
786         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
787         https://bugs.webkit.org/show_bug.cgi?id=194369
788         <rdar://problem/47813087>
789
790         Reviewed by Saam Barati.
791
792         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
793         (A):
794
795 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
796
797         [JSC] PrivateName to PublicName hash table is wasteful
798         https://bugs.webkit.org/show_bug.cgi?id=194277
799
800         Reviewed by Michael Saboff.
801
802         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
803
804         * ChakraCore.yaml:
805
806 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
807
808         [ARM] Test running out of executable memory
809         https://bugs.webkit.org/show_bug.cgi?id=194285
810
811         Unreviewed. Do no execute test with LLInt disabled, test runs out of
812         executable memory otherwise.
813
814         * stress/class-subclassing-function.js:
815
816 2019-02-04  Robin Morisset  <rmorisset@apple.com>
817
818         when lowering AssertNotEmpty, create the value before creating the patchpoint
819         https://bugs.webkit.org/show_bug.cgi?id=194231
820
821         Reviewed by Saam Barati.
822
823         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
824         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
825         So even tiny changes to this test can change the path code taken.
826
827         * stress/assert-not-empty.js: Added.
828         (foo):
829
830 2019-02-01  Mark Lam  <mark.lam@apple.com>
831
832         Remove invalid assertion in DFG's compileDoubleRep().
833         https://bugs.webkit.org/show_bug.cgi?id=194130
834         <rdar://problem/47699474>
835
836         Reviewed by Saam Barati.
837
838         * stress/constant-fold-double-rep-into-double-constant.js: Added.
839
840 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
841
842         Import latest Test262 updates.
843
844         Rubber-stamped by Keith Miller.
845
846         * test262.yaml: Deleted.
847         * test262/config.yaml:
848         * test262/expectations.yaml:
849         * test262/latest-changes-summary.txt:
850         * test262/test/:
851         * test262/test262-Revision.txt:
852
853 2019-01-30  Robin Morisset  <rmorisset@apple.com>
854
855         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
856         https://bugs.webkit.org/show_bug.cgi?id=194050
857         <rdar://problem/47595592>
858
859         Reviewed by Yusuke Suzuki.
860
861         * stress/object-keys-osr-exit.js: Added.
862         (foo):
863         (catch):
864
865 2019-01-29  Mark Lam  <mark.lam@apple.com>
866
867         ValueRecovery::recover() should purify NaN values it recovers.
868         https://bugs.webkit.org/show_bug.cgi?id=193978
869         <rdar://problem/47625488>
870
871         Reviewed by Saam Barati.
872
873         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
874
875 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
876
877         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
878         https://bugs.webkit.org/show_bug.cgi?id=193713
879
880         * stress/try-get-by-id-should-spill-registers-dfg.js:
881         (let.f.createBuiltin):
882
883 2019-01-28  Mark Lam  <mark.lam@apple.com>
884
885         ToString node actually does GC.
886         https://bugs.webkit.org/show_bug.cgi?id=193920
887         <rdar://problem/46695900>
888
889         Reviewed by Yusuke Suzuki.
890
891         * stress/dfg-to-string-on-int-does-gc.js: Added.
892         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
893         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
894
895 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
896
897         [JSC] NativeErrorConstructor should not have own IsoSubspace
898         https://bugs.webkit.org/show_bug.cgi?id=193713
899
900         Reviewed by Saam Barati.
901
902         Remove @Error use.
903
904         * stress/try-get-by-id-should-spill-registers-dfg.js:
905         (let.f.createBuiltin):
906
907 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
908
909         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
910         https://bugs.webkit.org/show_bug.cgi?id=190693
911
912         Reviewed by Michael Saboff.
913
914         * stress/regress-190693.js: Added.
915         (truth):
916         (assert):
917         (shouldThrowInvalidConstAssignment):
918         (taz):
919
920 2019-01-24  Saam Barati  <sbarati@apple.com>
921
922         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
923         https://bugs.webkit.org/show_bug.cgi?id=193751
924         <rdar://problem/47280215>
925
926         Reviewed by Michael Saboff.
927
928         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
929         (let.thing):
930         (foo.let.hello):
931         (foo):
932
933 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
934
935         [JSC] Reenable baseline JIT on mips
936         https://bugs.webkit.org/show_bug.cgi?id=192983
937
938         Reviewed by Mark Lam.
939
940         Added a new test for a case that was triggering a RELEASE_ASSERT when
941         testing.
942         Disable some slow tests that were already disabled for arm and x86.
943
944         * stress/json-parse-big-object.js: Added.
945         * stress/new-largeish-contiguous-array-with-size.js:
946         * stress/op_add.js:
947         * stress/op_bitand.js:
948         * stress/op_bitor.js:
949         * stress/op_bitxor.js:
950         * stress/op_lshift-ConstVar.js:
951         * stress/op_lshift-VarConst.js:
952         * stress/op_lshift-VarVar.js:
953         * stress/op_mod-ConstVar.js:
954         * stress/op_mod-VarConst.js:
955         * stress/op_mod-VarVar.js:
956         * stress/op_mul-ConstVar.js:
957         * stress/op_mul-VarConst.js:
958         * stress/op_mul-VarVar.js:
959         * stress/op_rshift-ConstVar.js:
960         * stress/op_rshift-VarConst.js:
961         * stress/op_rshift-VarVar.js:
962         * stress/op_sub-ConstVar.js:
963         * stress/op_sub-VarConst.js:
964         * stress/op_sub-VarVar.js:
965         * stress/op_urshift-ConstVar.js:
966         * stress/op_urshift-VarConst.js:
967         * stress/op_urshift-VarVar.js:
968         * stress/sampling-profiler-richards.js:
969         * stress/spread-forward-call-varargs-stack-overflow.js:
970
971 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
972
973         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
974         https://bugs.webkit.org/show_bug.cgi?id=193711
975         <rdar://problem/47250262>
976
977         Reviewed by Saam Barati.
978
979         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
980         (shouldBe):
981         (foo):
982         (bar):
983         (baz):
984
985 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
986
987         Unreviewed, fix initial global lexical binding epoch
988         https://bugs.webkit.org/show_bug.cgi?id=193603
989         <rdar://problem/47380869>
990
991         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
992         (f1.f2.f3.f4):
993         (f1.f2.f3):
994         (f1.f2):
995         (f1):
996
997 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
998
999         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
1000         https://bugs.webkit.org/show_bug.cgi?id=193709
1001         <rdar://problem/47363838>
1002
1003         Unreviewed, rollout to watch the tests.
1004
1005         * stress/object-tostring-changed-proto.js: Removed.
1006         * stress/object-tostring-changed.js: Removed.
1007         * stress/object-tostring-misc.js: Removed.
1008         * stress/object-tostring-other.js: Removed.
1009         * stress/object-tostring-untyped.js: Removed.
1010
1011 2019-01-22  Saam Barati  <sbarati@apple.com>
1012
1013         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
1014
1015         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1016         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
1017         (testUncheckedLessThanZero):
1018         (testUncheckedLessThanOrEqualZero):
1019         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
1020         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
1021
1022 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
1023
1024         [JSC] Invalidate old scope operations using global lexical binding epoch
1025         https://bugs.webkit.org/show_bug.cgi?id=193603
1026         <rdar://problem/47380869>
1027
1028         Reviewed by Saam Barati.
1029
1030         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1031         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1032         (shouldThrow):
1033         (bar):
1034         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1035         (shouldBe):
1036         (get1):
1037         (get2):
1038         (get1If):
1039         (get2If):
1040         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1041         (shouldThrow):
1042         (foo):
1043
1044 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
1045
1046         Unreviewed, roll out r240220 due to date-format-xparb regression
1047         https://bugs.webkit.org/show_bug.cgi?id=193603
1048
1049         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1050         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
1051         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
1052         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
1053
1054 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
1055
1056         DoesGC rule is wrong for nodes with BigIntUse
1057         https://bugs.webkit.org/show_bug.cgi?id=193652
1058
1059         Reviewed by Saam Barati.
1060
1061         * stress/big-int-value-op-update-gc-rules.js: Added.
1062         (assert):
1063         (doesGCAdd):
1064         (doesGCSub):
1065         (doesGCDiv):
1066         (doesGCMul):
1067         (doesGCBitAnd):
1068         (doesGCBitOr):
1069         (doesGCBitXor):
1070
1071 2019-01-20  Saam Barati  <sbarati@apple.com>
1072
1073         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1074         https://bugs.webkit.org/show_bug.cgi?id=193644
1075         <rdar://problem/46209745>
1076
1077         Reviewed by Yusuke Suzuki.
1078
1079         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1080         (foo):
1081         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1082         (foo):
1083         (bar):
1084
1085 2019-01-20  Saam Barati  <sbarati@apple.com>
1086
1087         MovHint must merge NodeBytecodeUsesAsValue for its child
1088         https://bugs.webkit.org/show_bug.cgi?id=186916
1089         <rdar://problem/41396612>
1090
1091         Reviewed by Yusuke Suzuki.
1092
1093         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1094         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1095
1096 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1097
1098         [JSC] Invalidate old scope operations using global lexical binding epoch
1099         https://bugs.webkit.org/show_bug.cgi?id=193603
1100         <rdar://problem/47380869>
1101
1102         Reviewed by Saam Barati.
1103
1104         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1105         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1106         (shouldThrow):
1107         (bar):
1108         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1109         (shouldBe):
1110         (get1):
1111         (get2):
1112         (get1If):
1113         (get2If):
1114         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1115         (shouldThrow):
1116         (foo):
1117
1118 2019-01-17  Saam barati  <sbarati@apple.com>
1119
1120         StringObjectUse should not be a structure check for the original string object structure
1121         https://bugs.webkit.org/show_bug.cgi?id=193483
1122         <rdar://problem/47280522>
1123
1124         Reviewed by Yusuke Suzuki.
1125
1126         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1127         (foo):
1128         (a.valueOf.0):
1129
1130 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1131
1132         [JSC] ToThis omission in DFGByteCodeParser is wrong
1133         https://bugs.webkit.org/show_bug.cgi?id=193513
1134         <rdar://problem/45842236>
1135
1136         Reviewed by Saam Barati.
1137
1138         * stress/to-this-omission-with-different-strict-modes.js: Added.
1139         (thisA):
1140         (thisAStrictWrapper):
1141
1142 2019-01-15  Mark Lam  <mark.lam@apple.com>
1143
1144         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1145         https://bugs.webkit.org/show_bug.cgi?id=193423
1146         <rdar://problem/46209355>
1147
1148         Reviewed by Saam Barati.
1149
1150         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1151         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1152         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1153         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1154
1155 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1156
1157         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1158         https://bugs.webkit.org/show_bug.cgi?id=193438
1159         <rdar://problem/45581249>
1160
1161         Reviewed by Saam Barati and Keith Miller.
1162
1163         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
1164         Then, GetByVal(String) crashed.
1165
1166         * stress/string-get-by-val-lowering.js: Added.
1167         (shouldBe):
1168         (test):
1169         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1170         (Hello):
1171         (foo):
1172
1173 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1174
1175         Unreviewed, skip JIT tests if it's not enabled
1176
1177         * stress/bit-op-with-object-returning-int32.js:
1178
1179 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1180
1181         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1182         https://bugs.webkit.org/show_bug.cgi?id=192966
1183
1184         Reviewed by Yusuke Suzuki.
1185
1186         * stress/bit-op-with-object-returning-int32.js: Added.
1187
1188 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1189
1190         Skip a slow test and a flakey test on arm
1191
1192         Unreviewed gardening.
1193
1194         * typeProfiler/getter-richards.js:
1195         this test always times out, it used to be always skipped on arm and
1196         mips, but got accidentally enabled by r237919 now that we have DFG on
1197         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1198
1199 2019-01-14  Keith Miller  <keith_miller@apple.com>
1200
1201         Skip type-check-hoisting-phase-hoist... with no jit
1202         https://bugs.webkit.org/show_bug.cgi?id=193421
1203
1204         Reviewed by Mark Lam.
1205
1206         It's timing out the 32-bit bots and takes 330 seconds
1207         on my machine when run by itself.
1208
1209         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1210
1211 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1212
1213         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1214         https://bugs.webkit.org/show_bug.cgi?id=193413
1215         <rdar://problem/46092389>
1216
1217         Reviewed by Keith Miller.
1218
1219         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1220         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
1221         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1222         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1223
1224         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1225         (compareArray):
1226
1227 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1228
1229         [BigInt] Literal parsing is crashing when used inside a Object Literal
1230         https://bugs.webkit.org/show_bug.cgi?id=193404
1231
1232         Reviewed by Yusuke Suzuki.
1233
1234         * stress/big-int-literal-inside-literal-object.js: Added.
1235
1236 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1237
1238         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1239         https://bugs.webkit.org/show_bug.cgi?id=193372
1240
1241         Reviewed by Saam Barati.
1242
1243         * stress/typed-array-array-modes-profile.js: Added.
1244         (foo):
1245
1246 2019-01-14  Mark Lam  <mark.lam@apple.com>
1247
1248         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1249         https://bugs.webkit.org/show_bug.cgi?id=193402
1250         <rdar://problem/46012309>
1251
1252         Reviewed by Keith Miller.
1253
1254         * stress/regexp-compile-oom.js:
1255         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1256           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1257
1258 2019-01-11  Saam barati  <sbarati@apple.com>
1259
1260         DFG combined liveness can be wrong for terminal basic blocks
1261         https://bugs.webkit.org/show_bug.cgi?id=193304
1262         <rdar://problem/45268632>
1263
1264         Reviewed by Yusuke Suzuki.
1265
1266         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1267
1268 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1269
1270         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1271         https://bugs.webkit.org/show_bug.cgi?id=193308
1272         <rdar://problem/45546542>
1273
1274         Reviewed by Saam Barati.
1275
1276         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1277         (shouldThrow):
1278         (shouldBe):
1279         (foo):
1280         (get shouldThrow):
1281         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1282         (shouldThrow):
1283         (shouldBe):
1284         (foo):
1285         (get shouldBe):
1286         (get shouldThrow):
1287         (get return):
1288         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1289         (shouldThrow):
1290         (shouldBe):
1291         (foo):
1292         (get shouldBe):
1293         (get shouldThrow):
1294         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1295         (shouldThrow):
1296         (shouldBe):
1297         (foo):
1298         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1299         (shouldThrow):
1300         (shouldBe):
1301         (foo):
1302         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1303         (shouldThrow):
1304         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1305         (shouldThrow):
1306         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1307         (shouldThrow):
1308         (shouldBe):
1309         (foo):
1310         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1311         (shouldThrow):
1312         (shouldBe):
1313         (foo):
1314         (get shouldBe):
1315         (get shouldThrow):
1316         (get return):
1317         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1318         (shouldThrow):
1319         (shouldBe):
1320         (foo):
1321         (get shouldBe):
1322         (get shouldThrow):
1323         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1324         (shouldThrow):
1325         (shouldBe):
1326         (foo):
1327         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1328         (shouldThrow):
1329         (shouldBe):
1330         (foo):
1331
1332 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1333
1334         Enable DFG on ARM/Linux again
1335         https://bugs.webkit.org/show_bug.cgi?id=192496
1336
1337         Reviewed by Yusuke Suzuki.
1338
1339         Test wasn't really skipped before moving the line with skip
1340         to the top.
1341
1342         * stress/regress-192717.js:
1343
1344 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1345
1346         Unreviewed, rolling out r239825.
1347         https://bugs.webkit.org/show_bug.cgi?id=193330
1348
1349         Broke tests on armv7/linux bots (Requested by guijemont on
1350         #webkit).
1351
1352         Reverted changeset:
1353
1354         "Enable DFG on ARM/Linux again"
1355         https://bugs.webkit.org/show_bug.cgi?id=192496
1356         https://trac.webkit.org/changeset/239825
1357
1358 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1359
1360         Enable DFG on ARM/Linux again
1361         https://bugs.webkit.org/show_bug.cgi?id=192496
1362
1363         Reviewed by Yusuke Suzuki.
1364
1365         Test wasn't really skipped before moving the line with skip
1366         to the top.
1367
1368         * stress/regress-192717.js:
1369
1370 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1371
1372         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1373         https://bugs.webkit.org/show_bug.cgi?id=193127
1374
1375         Reviewed by Saam Barati.
1376
1377         * stress/array-species-create-should-handle-masquerader.js: Added.
1378         (shouldThrow):
1379         * stress/is-undefined-or-null-builtin.js: Added.
1380         (shouldBe):
1381         (isUndefinedOrNull.vm.createBuiltin):
1382
1383 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1384
1385         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1386         https://bugs.webkit.org/show_bug.cgi?id=193221
1387
1388         Reviewed by Mark Lam.
1389
1390         * stress/put-by-id-flags.js: Added.
1391         (f):
1392         (g):
1393         (numberOfDFGCompiles):
1394
1395 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1396
1397         Baseline version of get_by_id may corrupt metadata
1398         https://bugs.webkit.org/show_bug.cgi?id=193085
1399         <rdar://problem/23453006>
1400
1401         Reviewed by Saam Barati.
1402
1403         * stress/get-by-id-change-mode.js: Added.
1404         (forEach):
1405
1406 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1407
1408         [JSC] Optimize Object.prototype.toString
1409         https://bugs.webkit.org/show_bug.cgi?id=193031
1410
1411         Reviewed by Saam Barati.
1412
1413         * stress/object-tostring-changed-proto.js: Added.
1414         (shouldBe):
1415         (test):
1416         * stress/object-tostring-changed.js: Added.
1417         (shouldBe):
1418         (test):
1419         * stress/object-tostring-misc.js: Added.
1420         (shouldBe):
1421         (test):
1422         (i.switch):
1423         * stress/object-tostring-other.js: Added.
1424         (shouldBe):
1425         (test):
1426         * stress/object-tostring-untyped.js: Added.
1427         (shouldBe):
1428         (test):
1429         (i.switch):
1430
1431 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1432
1433         test262-runner misbehaves when test file YAML has a trailing space
1434         https://bugs.webkit.org/show_bug.cgi?id=193053
1435
1436         Reviewed by Yusuke Suzuki.
1437
1438         * test262/expectations.yaml:
1439         Mark two dozen tests as passing (and correct the output of another).
1440
1441 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1442
1443         Unreviewed, JSTests gardening with memoryLimited
1444
1445         * stress/string-overflow-createError.js:
1446
1447 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1448
1449         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1450         https://bugs.webkit.org/show_bug.cgi?id=193050
1451
1452         Reviewed by Yusuke Suzuki.
1453
1454         * test262.yaml:
1455         * test262/expectations.yaml:
1456         Mark 16 tests as passing.
1457
1458 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1459
1460         [BigInt] Support BigInt in JSON.stringify
1461         https://bugs.webkit.org/show_bug.cgi?id=192624
1462
1463         Reviewed by Saam Barati.
1464
1465         * stress/big-int-json-stringify-to-json.js: Added.
1466         (shouldBe):
1467         (shouldThrow):
1468         (BigInt.prototype.toJSON):
1469         (shouldBe.JSON.stringify):
1470         * stress/big-int-json-stringify.js: Added.
1471         (shouldBe):
1472         (shouldThrow):
1473
1474 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1475
1476         [JSC] Implement "well-formed JSON.stringify" proposal
1477         https://bugs.webkit.org/show_bug.cgi?id=191677
1478
1479         Reviewed by Darin Adler.
1480
1481         * stress/json-surrogate-pair.js: Added.
1482         (shouldBe):
1483         * test262/expectations.yaml:
1484
1485 2018-12-20  Keith Miller  <keith_miller@apple.com>
1486
1487         Add support for globalThis
1488         https://bugs.webkit.org/show_bug.cgi?id=165171
1489
1490         Reviewed by Mark Lam.
1491
1492         * test262/config.yaml:
1493
1494 2018-12-19  Keith Miller  <keith_miller@apple.com>
1495
1496         Update test262 configuration to not run tests dependent on ICU version.
1497         https://bugs.webkit.org/show_bug.cgi?id=192920
1498
1499         Reviewed by Saam Barati.
1500
1501         * test262/expectations.yaml:
1502
1503 2018-12-20  Mark Lam  <mark.lam@apple.com>
1504
1505         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1506         https://bugs.webkit.org/show_bug.cgi?id=192939
1507         <rdar://problem/46869516>
1508
1509         Reviewed by Keith Miller.
1510
1511         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1512
1513 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1514
1515         WTF::String and StringImpl overflow MaxLength
1516         https://bugs.webkit.org/show_bug.cgi?id=192853
1517         <rdar://problem/45726906>
1518
1519         Reviewed by Mark Lam.
1520
1521         * stress/string-16bit-repeat-overflow.js: Added.
1522         (catch):
1523
1524 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1525
1526         Unreviewed follow-up to r192914.
1527
1528         * test262/expectations.yaml:
1529         Add the last 20 missing expectations.
1530
1531 2018-12-19  Keith Miller  <keith_miller@apple.com>
1532
1533         Fix test262 expectations
1534         https://bugs.webkit.org/show_bug.cgi?id=192914
1535
1536         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1537
1538         * test262/expectations.yaml:
1539
1540 2018-12-19  Keith Miller  <keith_miller@apple.com>
1541
1542         Update test262 tests.
1543         https://bugs.webkit.org/show_bug.cgi?id=192907
1544
1545         Rubber stamped by Mark Lam.
1546
1547         * test262/*: Omitted because prepare-changelog crashes.
1548
1549 2018-12-19  Mark Lam  <mark.lam@apple.com>
1550
1551         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1552         https://bugs.webkit.org/show_bug.cgi?id=192464
1553         <rdar://problem/46519455>
1554
1555         Reviewed by Saam Barati.
1556
1557         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1558         microbenchmark.
1559
1560         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1561         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1562
1563 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1564
1565         String overflow in JSC::createError results in ASSERT in WTF::makeString
1566         https://bugs.webkit.org/show_bug.cgi?id=192833
1567         <rdar://problem/45706868>
1568
1569         Reviewed by Mark Lam.
1570
1571         * stress/string-overflow-createError.js: Added.
1572
1573 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1574
1575         Error message for `-x ** y` contains a typo.
1576         https://bugs.webkit.org/show_bug.cgi?id=192832
1577
1578         Reviewed by Saam Barati.
1579
1580         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1581         (assert.assert.return.throws):
1582         * stress/pow-expects-update-expression-on-lhs.js:
1583         (throw.new.Error):
1584         Update test expectations which match against the exact error message.
1585
1586 2018-12-18  Mark Lam  <mark.lam@apple.com>
1587
1588         Gardening: test options fix.
1589         https://bugs.webkit.org/show_bug.cgi?id=192822
1590
1591         Unreviewed.
1592
1593         * stress/json-stringify-string-builder-overflow.js:
1594
1595 2018-12-18  Mark Lam  <mark.lam@apple.com>
1596
1597         JSON.stringify() should throw OOM on StringBuilder overflows.
1598         https://bugs.webkit.org/show_bug.cgi?id=192822
1599         <rdar://problem/46670577>
1600
1601         Reviewed by Saam Barati.
1602
1603         * stress/json-stringify-string-builder-overflow.js: Added.
1604
1605 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1606
1607         Redeclaration of var over let/const/class should be a syntax error.
1608         https://bugs.webkit.org/show_bug.cgi?id=192298
1609
1610         Reviewed by Keith Miller.
1611
1612         * test262.yaml:
1613         * test262/expectations.yaml:
1614         Mark 46 tests as passing.
1615
1616         * stress/block-scope-redeclarations.js:
1617         Add some new tests.
1618
1619         * stress/for-in-invalidate-context-weird-assignments.js:
1620         * stress/for-in-tests.js:
1621         Replace tests for outdated behavior with tests for SyntaxError.
1622
1623         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1624         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1625         Update expectations.
1626
1627 2018-12-18  Mark Lam  <mark.lam@apple.com>
1628
1629         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1630         https://bugs.webkit.org/show_bug.cgi?id=191374
1631         <rdar://problem/46525447>
1632
1633         Reviewed by Yusuke Suzuki.
1634
1635         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1636
1637         * stress/elidable-new-object-roflcopter-then-exit.js:
1638
1639 2018-12-17  Mark Lam  <mark.lam@apple.com>
1640
1641         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1642         https://bugs.webkit.org/show_bug.cgi?id=192019
1643         <rdar://problem/46525456>
1644
1645         Reviewed by Yusuke Suzuki.
1646
1647         The test runs too slow on 32-bit.
1648
1649         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1650
1651 2018-12-17  Mark Lam  <mark.lam@apple.com>
1652
1653         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1654         https://bugs.webkit.org/show_bug.cgi?id=191373
1655         <rdar://problem/46525458>
1656
1657         Reviewed by Yusuke Suzuki.
1658
1659         The test is already slow running with a JIT on 64-bit.  It will always timeout
1660         on 32-bit without a JIT.
1661
1662         * stress/materialize-regexp-cyclic-regexp.js:
1663
1664 2018-12-17  Mark Lam  <mark.lam@apple.com>
1665
1666         Array unshift/shift should not race against the AI in the compiler thread.
1667         https://bugs.webkit.org/show_bug.cgi?id=192795
1668         <rdar://problem/46724263>
1669
1670         Reviewed by Saam Barati.
1671
1672         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1673
1674 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1675
1676         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1677         https://bugs.webkit.org/show_bug.cgi?id=190047
1678
1679         Reviewed by Saam Barati.
1680
1681         * stress/object-keys-cached-zero.js: Added.
1682         (shouldBe):
1683         (test):
1684         * stress/object-keys-changed-attribute.js: Added.
1685         (shouldBe):
1686         (test):
1687         * stress/object-keys-changed-index.js: Added.
1688         (shouldBe):
1689         (test):
1690         * stress/object-keys-changed.js: Added.
1691         (shouldBe):
1692         (test):
1693         * stress/object-keys-indexed-non-cache.js: Added.
1694         (shouldBe):
1695         (test):
1696         * stress/object-keys-overrides-get-property-names.js: Added.
1697         (shouldBe):
1698         (test):
1699         (noInline):
1700
1701 2018-12-17  Mark Lam  <mark.lam@apple.com>
1702
1703         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1704         https://bugs.webkit.org/show_bug.cgi?id=192779
1705         <rdar://problem/46775869>
1706
1707         Reviewed by Saam Barati.
1708
1709         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1710
1711 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1712
1713         Unreviewed test gardening, address a syntax error in a new test.
1714
1715         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1716
1717 2018-12-17  Mark Lam  <mark.lam@apple.com>
1718
1719         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1720         https://bugs.webkit.org/show_bug.cgi?id=192776
1721         <rdar://problem/46772368>
1722
1723         Reviewed by Keith Miller.
1724
1725         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1726
1727 2018-12-17  Mark Lam  <mark.lam@apple.com>
1728
1729         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1730         https://bugs.webkit.org/show_bug.cgi?id=192770
1731         <rdar://problem/46449037>
1732
1733         Reviewed by Keith Miller.
1734
1735         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1736
1737 2018-12-14  Mark Lam  <mark.lam@apple.com>
1738
1739         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1740         https://bugs.webkit.org/show_bug.cgi?id=192717
1741         <rdar://problem/46660677>
1742
1743         Reviewed by Saam Barati.
1744
1745         * stress/regress-192717.js: Added.
1746
1747 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1748
1749         Unreviewed, rolling out r239153, r239154, and r239155.
1750         https://bugs.webkit.org/show_bug.cgi?id=192715
1751
1752         Caused flaky GC-related crashes seen with layout tests
1753         (Requested by ryanhaddad on #webkit).
1754
1755         Reverted changesets:
1756
1757         "[JSC] Optimize Object.keys by caching own keys results in
1758         StructureRareData"
1759         https://bugs.webkit.org/show_bug.cgi?id=190047
1760         https://trac.webkit.org/changeset/239153
1761
1762         "Unreviewed, build fix after r239153"
1763         https://bugs.webkit.org/show_bug.cgi?id=190047
1764         https://trac.webkit.org/changeset/239154
1765
1766         "Unreviewed, build fix after r239153, part 2"
1767         https://bugs.webkit.org/show_bug.cgi?id=190047
1768         https://trac.webkit.org/changeset/239155
1769
1770 2018-12-14  Keith Miller  <keith_miller@apple.com>
1771
1772         Callers of JSString::getIndex should check for OOM exceptions
1773         https://bugs.webkit.org/show_bug.cgi?id=192709
1774
1775         Reviewed by Mark Lam.
1776
1777         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1778
1779 2018-12-13  Mark Lam  <mark.lam@apple.com>
1780
1781         Add a missing exception check.
1782         https://bugs.webkit.org/show_bug.cgi?id=192626
1783         <rdar://problem/46662163>
1784
1785         Reviewed by Keith Miller.
1786
1787         * stress/regress-192626.js: Added.
1788
1789 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1790
1791         [BigInt] Add ValueDiv into DFG
1792         https://bugs.webkit.org/show_bug.cgi?id=186178
1793
1794         Reviewed by Yusuke Suzuki.
1795
1796         * stress/big-int-div-jit-osr.js: Added.
1797         * stress/big-int-div-jit-untyped.js: Added.
1798         * stress/value-div-fixup-int32-big-int.js: Added.
1799
1800 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1801
1802         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1803         https://bugs.webkit.org/show_bug.cgi?id=190047
1804
1805         Reviewed by Keith Miller.
1806
1807         * stress/object-keys-cached-zero.js: Added.
1808         (shouldBe):
1809         (test):
1810         * stress/object-keys-changed-attribute.js: Added.
1811         (shouldBe):
1812         (test):
1813         * stress/object-keys-changed-index.js: Added.
1814         (shouldBe):
1815         (test):
1816         * stress/object-keys-changed.js: Added.
1817         (shouldBe):
1818         (test):
1819         * stress/object-keys-indexed-non-cache.js: Added.
1820         (shouldBe):
1821         (test):
1822         * stress/object-keys-overrides-get-property-names.js: Added.
1823         (shouldBe):
1824         (test):
1825         (noInline):
1826
1827 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1828
1829         [DFG][FTL] Add NewSymbol
1830         https://bugs.webkit.org/show_bug.cgi?id=192620
1831
1832         Reviewed by Saam Barati.
1833
1834         * microbenchmarks/symbol-creation.js: Added.
1835         (test):
1836         * stress/symbol-description-identity.js: Added.
1837         (shouldBe):
1838         (test):
1839         * stress/symbol-identity.js: Added.
1840         (shouldBe):
1841         (test):
1842         * stress/symbol-with-description-throw-error.js: Added.
1843         (shouldBe):
1844         (shouldThrow):
1845         (test):
1846         (object.toString):
1847
1848 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1849
1850         [BigInt] Implement DFG/FTL typeof for BigInt
1851         https://bugs.webkit.org/show_bug.cgi?id=192619
1852
1853         Reviewed by Keith Miller.
1854
1855         * stress/big-int-boolean-proven-type.js: Added.
1856         (assert):
1857         (bool):
1858         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1859         (assert):
1860         (typeOf):
1861         (i.switch):
1862         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1863         (assert):
1864         (typeOf):
1865         * stress/big-int-type-of.js:
1866         (typeOf):
1867         (func):
1868
1869 2018-12-10  Mark Lam  <mark.lam@apple.com>
1870
1871         PropertyAttribute needs a CustomValue bit.
1872         https://bugs.webkit.org/show_bug.cgi?id=191993
1873         <rdar://problem/46264467>
1874
1875         Reviewed by Saam Barati.
1876
1877         * stress/regress-191993.js: Added.
1878
1879 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1880
1881         [BigInt] Add ValueMul into DFG
1882         https://bugs.webkit.org/show_bug.cgi?id=186175
1883
1884         Reviewed by Yusuke Suzuki.
1885
1886         * stress/big-int-mul-jit-osr.js: Added.
1887         * stress/big-int-mul-jit-untyped.js: Added.
1888         * stress/value-mul-fixup-int32-big-int.js: Added.
1889
1890 2018-12-06  Keith Miller  <keith_miller@apple.com>
1891
1892         stress/big-wasm-memory tests failing on 32-bit JSC bot
1893         https://bugs.webkit.org/show_bug.cgi?id=192020
1894
1895         Reviewed by Saam Barati.
1896
1897         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1898         the wasm stress tests if the WebAssembly object does not exist.
1899
1900         * stress/big-wasm-memory-grow-no-max.js:
1901         (test.foo):
1902         (test):
1903         (foo): Deleted.
1904         (catch): Deleted.
1905         * stress/big-wasm-memory-grow.js:
1906         (test.foo):
1907         (test):
1908         (foo): Deleted.
1909         (catch): Deleted.
1910         * stress/big-wasm-memory.js:
1911         (test.foo):
1912         (test):
1913         (foo): Deleted.
1914         (catch): Deleted.
1915
1916 2018-12-05  Mark Lam  <mark.lam@apple.com>
1917
1918         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1919         https://bugs.webkit.org/show_bug.cgi?id=192441
1920         <rdar://problem/46480355>
1921
1922         Reviewed by Saam Barati.
1923
1924         * stress/regress-192441.js: Added.
1925
1926 2018-12-04  Mark Lam  <mark.lam@apple.com>
1927
1928         DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
1929         https://bugs.webkit.org/show_bug.cgi?id=192386
1930         <rdar://problem/46445516>
1931
1932         Reviewed by Saam Barati.
1933
1934         * stress/regress-192386.js: Added.
1935
1936 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1937
1938         [ESNext][BigInt] Support logic operations
1939         https://bugs.webkit.org/show_bug.cgi?id=179903
1940
1941         Reviewed by Yusuke Suzuki.
1942
1943         * stress/big-int-branch-usage.js: Added.
1944         * stress/big-int-logical-and.js: Added.
1945         * stress/big-int-logical-not.js: Added.
1946         * stress/big-int-logical-or.js: Added.
1947
1948 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1949
1950         Unreviewed, rolling out r238833.
1951
1952         Breaks macOS and iOS debug builds.
1953
1954         Reverted changeset:
1955
1956         "[ESNext][BigInt] Support logic operations"
1957         https://bugs.webkit.org/show_bug.cgi?id=179903
1958         https://trac.webkit.org/changeset/238833
1959
1960 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1961
1962         [ESNext][BigInt] Support logic operations
1963         https://bugs.webkit.org/show_bug.cgi?id=179903
1964
1965         Reviewed by Yusuke Suzuki.
1966
1967         * stress/big-int-branch-usage.js: Added.
1968         * stress/big-int-logical-and.js: Added.
1969         * stress/big-int-logical-not.js: Added.
1970         * stress/big-int-logical-or.js: Added.
1971
1972 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1973
1974         [ESNext][BigInt] Implement support for "<<" and ">>"
1975         https://bugs.webkit.org/show_bug.cgi?id=186233
1976
1977         Reviewed by Yusuke Suzuki.
1978
1979         * stress/big-int-left-shift-general.js: Added.
1980         * stress/big-int-left-shift-range-error.js: Added.
1981         * stress/big-int-left-shift-type-error.js: Added.
1982         * stress/big-int-left-shift-wrapped-value.js: Added.
1983         * stress/big-int-right-shift-general.js: Added.
1984         * stress/big-int-right-shift-type-error.js: Added.
1985         * stress/big-int-right-shift-wrapped-value.js: Added.
1986         * stress/left-shift-to-primitive-precedence.js: Added.
1987         * stress/right-shift-to-primitive-precedence.js: Added.
1988
1989 2018-11-30  Dean Jackson  <dino@apple.com>
1990
1991         Add first-class support for .mjs files in jsc binary
1992         https://bugs.webkit.org/show_bug.cgi?id=192190
1993         <rdar://problem/46375715>
1994
1995         Reviewed by Keith Miller.
1996
1997         * stress/simple-module.mjs: Added.
1998         * stress/simple-script.js: Added.
1999
2000 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
2001
2002         [BigInt] Implement ValueBitXor into DFG
2003         https://bugs.webkit.org/show_bug.cgi?id=190264
2004
2005         Reviewed by Yusuke Suzuki.
2006
2007         * stress/big-int-bitwise-xor-jit.js: Added.
2008         * stress/big-int-bitwise-xor-memory-stress.js: Added.
2009         * stress/big-int-bitwise-xor-untyped.js: Added.
2010
2011 2018-11-27  Saam barati  <sbarati@apple.com>
2012
2013         r238510 broke scopes of size zero
2014         https://bugs.webkit.org/show_bug.cgi?id=192033
2015         <rdar://problem/46281734>
2016
2017         Reviewed by Keith Miller.
2018
2019         * stress/r238510-bad-loop.js: Added.
2020         (foo):
2021
2022 2018-11-27  Mark Lam  <mark.lam@apple.com>
2023
2024         [Re-landing] NaNs read from Wasm code needs to be be purified.
2025         https://bugs.webkit.org/show_bug.cgi?id=191056
2026         <rdar://problem/45660341>
2027
2028         Reviewed by Filip Pizlo.
2029
2030         * wasm/regress/regress-191056.js: Added.
2031
2032 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
2033
2034         Unreviewed, rolling out r238509.
2035
2036         Causes JSC tests to fail on iOS.
2037
2038         Reverted changeset:
2039
2040         "NaNs read from Wasm code needs to be be purified."
2041         https://bugs.webkit.org/show_bug.cgi?id=191056
2042         https://trac.webkit.org/changeset/238509
2043
2044 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
2045
2046         Re-introduce op_bitnot
2047         https://bugs.webkit.org/show_bug.cgi?id=190923
2048
2049         Reviewed by Yusuke Suzuki.
2050
2051         * stress/bit-not-must-generate.js: Added.
2052         * stress/bitwise-not-no-int32.js: Added.
2053
2054 2018-11-26  Saam barati  <sbarati@apple.com>
2055
2056         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
2057         https://bugs.webkit.org/show_bug.cgi?id=191956
2058         <rdar://problem/45665806>
2059
2060         Reviewed by Yusuke Suzuki.
2061
2062         * stress/end-basic-block-set-local-should-filter-type.js: Added.
2063         (bar):
2064         (foo):
2065
2066 2018-11-26  Saam barati  <sbarati@apple.com>
2067
2068         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2069         https://bugs.webkit.org/show_bug.cgi?id=191958
2070         <rdar://problem/46221877>
2071
2072         Reviewed by Yusuke Suzuki.
2073
2074         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2075         (x):
2076         (foo):
2077
2078 2018-11-26  Mark Lam  <mark.lam@apple.com>
2079
2080         NaNs read from Wasm code needs to be be purified.
2081         https://bugs.webkit.org/show_bug.cgi?id=191056
2082         <rdar://problem/45660341>
2083
2084         Reviewed by Filip Pizlo.
2085
2086         * wasm/regress/regress-191056.js: Added.
2087
2088 2018-11-26  Michael Saboff  <msaboff@apple.com>
2089
2090         32-bit JSC test failure: stress/regexp-compile-oom.js
2091         https://bugs.webkit.org/show_bug.cgi?id=191375
2092
2093         Reviewed by Mark Lam.
2094
2095         Disabled the test for 32 bit platforms.
2096
2097         * stress/regexp-compile-oom.js:
2098
2099 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2100
2101         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2102         https://bugs.webkit.org/show_bug.cgi?id=191716
2103         <rdar://problem/45723878>
2104
2105         Reviewed by Saam Barati.
2106
2107         * stress/regress-187373.js: Added.
2108         (async.fn):
2109
2110 2018-11-21  Saam barati  <sbarati@apple.com>
2111
2112         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2113         https://bugs.webkit.org/show_bug.cgi?id=191897
2114         <rdar://problem/45871998>
2115
2116         Reviewed by Mark Lam.
2117
2118         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2119         (bar):
2120         (foo):
2121
2122 2018-11-21  Saam barati  <sbarati@apple.com>
2123
2124         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2125         https://bugs.webkit.org/show_bug.cgi?id=191895
2126         <rdar://problem/46167406>
2127
2128         Reviewed by Mark Lam.
2129
2130         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2131         (foo):
2132         (bar):
2133
2134 2018-11-21  Mark Lam  <mark.lam@apple.com>
2135
2136         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2137         https://bugs.webkit.org/show_bug.cgi?id=191776
2138         <rdar://problem/46152851>
2139
2140         Reviewed by Saam Barati.
2141
2142         * stress/big-wasm-memory-grow-no-max.js:
2143         * stress/big-wasm-memory-grow.js:
2144         * stress/big-wasm-memory.js:
2145         - updated these to expect an OutOfMemoryError.
2146
2147         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2148         (Binary.prototype.emit_u8):
2149         (Binary.prototype.emit_u32v):
2150         (Binary.prototype.emit_header):
2151         (Binary.prototype.emit_section):
2152         (Binary):
2153         (WasmModuleBuilder):
2154         (WasmModuleBuilder.prototype.addMemory):
2155         (WasmModuleBuilder.prototype.toArray):
2156         (WasmModuleBuilder.prototype.toBuffer):
2157         (WasmModuleBuilder.prototype.instantiate):
2158         (catch):
2159         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2160         (catch):
2161
2162 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2163
2164         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2165         https://bugs.webkit.org/show_bug.cgi?id=190836
2166
2167         Reviewed by Saam Barati and Yusuke Suzuki.
2168
2169         * stress/big-int-out-of-memory-tests.js: Added.
2170
2171 2018-11-20  Mark Lam  <mark.lam@apple.com>
2172
2173         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2174         https://bugs.webkit.org/show_bug.cgi?id=191856
2175         <rdar://problem/46089992>
2176
2177         Reviewed by Yusuke Suzuki.
2178
2179         * stress/regress-191856.js: Added.
2180         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2181
2182 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2183
2184         Enable JIT on ARM/Linux
2185         https://bugs.webkit.org/show_bug.cgi?id=191548
2186
2187         Reviewed by Yusuke Suzuki.
2188
2189         Disable test on system with limited memory. Program was killed by
2190         the OS before the exception was thrown.
2191
2192         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2193
2194 2018-11-20  Saam barati  <sbarati@apple.com>
2195
2196         Merging an IC variant may lead to the IC status containing overlapping structure sets
2197         https://bugs.webkit.org/show_bug.cgi?id=191869
2198         <rdar://problem/45403453>
2199
2200         Reviewed by Mark Lam.
2201
2202         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2203
2204 2018-11-19  Mark Lam  <mark.lam@apple.com>
2205
2206         globalFuncImportModule() should return a promise when it clears exceptions.
2207         https://bugs.webkit.org/show_bug.cgi?id=191792
2208         <rdar://problem/46090763>
2209
2210         Reviewed by Michael Saboff.
2211
2212         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2213
2214 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2215
2216         Skip new memory-hungry tests on memory limited devices
2217
2218         Unreviewed gardening.
2219
2220         * stress/big-wasm-memory-grow-no-max.js:
2221         * stress/big-wasm-memory-grow.js:
2222         * stress/big-wasm-memory.js:
2223
2224 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2225
2226         Unreviewed, rolling in the rest of r237254
2227         https://bugs.webkit.org/show_bug.cgi?id=190340
2228
2229         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2230         * stress/function-cache-with-parameters-end-position.js: Added.
2231         (shouldBe):
2232         (shouldThrow):
2233         (i.anonymous):
2234         * stress/function-constructor-name.js: Added.
2235         (shouldBe):
2236         (GeneratorFunction):
2237         (AsyncFunction.async):
2238         (AsyncGeneratorFunction.async):
2239         (anonymous):
2240         (async.anonymous):
2241         * test262/expectations.yaml:
2242
2243 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2244
2245         All users of ArrayBuffer should agree on the same max size
2246         https://bugs.webkit.org/show_bug.cgi?id=191771
2247
2248         Reviewed by Mark Lam.
2249
2250         * stress/big-wasm-memory-grow-no-max.js: Added.
2251         (foo):
2252         (catch):
2253         * stress/big-wasm-memory-grow.js: Added.
2254         (foo):
2255         (catch):
2256         * stress/big-wasm-memory.js: Added.
2257         (foo):
2258         (catch):
2259
2260 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2261
2262         Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
2263         run for each JSC config since they're regression tests for runtime bugs.
2264
2265         * stress/json-stringified-overflow-2.js:
2266         * stress/json-stringified-overflow.js:
2267
2268 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2269
2270         Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
2271         config since they're regression tests for runtime bugs.
2272
2273         * stress/large-unshift-splice.js:
2274         * stress/regress-185888.js:
2275
2276 2018-11-16  Saam Barati  <sbarati@apple.com>
2277
2278         KnownCellUse should also have SpecCellCheck as its type filter
2279         https://bugs.webkit.org/show_bug.cgi?id=191729
2280         <rdar://problem/45872852>
2281
2282         Reviewed by Filip Pizlo.
2283
2284         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2285         (C):
2286
2287 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2288
2289         Fix assertion failure on BytecodeGenerator::recordOpcode
2290         https://bugs.webkit.org/show_bug.cgi?id=191724
2291         <rdar://problem/45724395>
2292
2293         Reviewed by Saam Barati.
2294
2295         * stress/regress-187373-2.js: Added.
2296         (foo):
2297
2298 2018-11-15  Mark Lam  <mark.lam@apple.com>
2299
2300         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2301         https://bugs.webkit.org/show_bug.cgi?id=191730
2302         <rdar://problem/46048517>
2303
2304         Reviewed by Saam Barati.
2305
2306         * stress/regress-187006.js: Removed.
2307           - this test is invalid because its sole purpose is to test for the non-spec
2308             compliant behavior that we just fixed.
2309
2310         * stress/regress-191730.js: Added.
2311
2312 2018-11-15  Mark Lam  <mark.lam@apple.com>
2313
2314         RegExp operations should not take fast patch if lastIndex is not numeric.
2315         https://bugs.webkit.org/show_bug.cgi?id=191731
2316         <rdar://problem/46017305>
2317
2318         Reviewed by Saam Barati.
2319
2320         * stress/regress-191731.js: Added.
2321
2322 2018-11-13  Saam Barati  <sbarati@apple.com>
2323
2324         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2325         https://bugs.webkit.org/show_bug.cgi?id=191600
2326
2327         Reviewed by Mark Lam.
2328
2329         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2330         (foo):
2331         (test):
2332         (bar):
2333
2334 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2335
2336         Unreviewed, rolling out r238132.
2337
2338         The test added with this change is timing out on Debug JSC
2339         bots.
2340
2341         Reverted changeset:
2342
2343         "[BigInt] JSBigInt::createWithLength should throw when length
2344         is greater than JSBigInt::maxLength"
2345         https://bugs.webkit.org/show_bug.cgi?id=190836
2346         https://trac.webkit.org/changeset/238132
2347
2348 2018-11-13  Mark Lam  <mark.lam@apple.com>
2349
2350         Add OOM detection to StringPrototype's substituteBackreferences().
2351         https://bugs.webkit.org/show_bug.cgi?id=191563
2352         <rdar://problem/45720428>
2353
2354         Reviewed by Saam Barati.
2355
2356         * stress/regress-191563.js: Added.
2357
2358 2018-11-13  Mark Lam  <mark.lam@apple.com>
2359
2360         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2361         https://bugs.webkit.org/show_bug.cgi?id=191579
2362         <rdar://problem/45942472>
2363
2364         Reviewed by Saam Barati.
2365
2366         * stress/regress-191579.js: Added.
2367
2368 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2369
2370         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2371         https://bugs.webkit.org/show_bug.cgi?id=190836
2372
2373         Reviewed by Saam Barati.
2374
2375         * stress/big-int-out-of-memory-tests.js: Added.
2376
2377 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2378
2379         U+180E is no longer a whitespace character
2380         https://bugs.webkit.org/show_bug.cgi?id=191415
2381
2382         Reviewed by Saam Barati.
2383
2384         * ChakraCore/test/es5/regexSpace.baseline:
2385         * ChakraCore/test/es6/unicode_whitespace.js:
2386         Update tests to latest version.
2387         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2388
2389         * test262.yaml:
2390         * test262/config.yaml:
2391         * test262/expectations.yaml:
2392         Update expectations.
2393
2394 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2395
2396         [BigInt] Add support to BigInt into ValueAdd
2397         https://bugs.webkit.org/show_bug.cgi?id=186177
2398
2399         Reviewed by Keith Miller.
2400
2401         * stress/big-int-negate-jit.js:
2402         * stress/value-add-big-int-and-string.js: Added.
2403         * stress/value-add-big-int-prediction-propagation.js: Added.
2404         * stress/value-add-big-int-untyped.js: Added.
2405
2406 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2407
2408         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2409         https://bugs.webkit.org/show_bug.cgi?id=191184
2410
2411         Reviewed by Saam Barati.
2412
2413         Most tests were failing due to timeouts, since they are too slow to
2414         run on CLoop. The exceptions are:
2415
2416         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2417         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2418         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2419         to change the stack size since CLoop requires it to be page aligned.
2420
2421         * microbenchmarks/array-push-1.js:
2422         * microbenchmarks/array-push-2.js:
2423         * microbenchmarks/elidable-new-object-dag.js:
2424         * microbenchmarks/elidable-new-object-roflcopter.js:
2425         * microbenchmarks/elidable-new-object-tree.js:
2426         * microbenchmarks/getter-richards.js:
2427         * microbenchmarks/sinkable-new-object-dag.js:
2428         * microbenchmarks/string-concat-long-convert.js:
2429         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2430         * slowMicrobenchmarks/array-push-3.js:
2431         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2432         * slowMicrobenchmarks/spread-small-array.js:
2433         * slowMicrobenchmarks/undefined-property-access.js:
2434         * stress/activation-sink-default-value-tdz-error.js:
2435         * stress/activation-sink-default-value.js:
2436         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2437         * stress/activation-sink-osrexit-default-value.js:
2438         * stress/activation-sink-osrexit.js:
2439         * stress/activation-sink.js:
2440         * stress/allow-math-ic-b3-code-duplication.js:
2441         * stress/array-push-multiple-int32.js:
2442         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2443         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2444         * stress/arrowfunction-lexical-this-activation-sink.js:
2445         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2446         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2447         * stress/elide-new-object-dag-then-exit.js:
2448         * stress/materialize-regexp-cyclic.js:
2449         * stress/new-regex-inline.js:
2450         * stress/op_add.js:
2451         * stress/op_bitand.js:
2452         * stress/op_bitor.js:
2453         * stress/op_bitxor.js:
2454         * stress/op_div-ConstVar.js:
2455         * stress/op_div-VarConst.js:
2456         * stress/op_div-VarVar.js:
2457         * stress/op_lshift-ConstVar.js:
2458         * stress/op_lshift-VarConst.js:
2459         * stress/op_lshift-VarVar.js:
2460         * stress/op_mod-ConstVar.js:
2461         * stress/op_mod-VarConst.js:
2462         * stress/op_mod-VarVar.js:
2463         * stress/op_mul-ConstVar.js:
2464         * stress/op_mul-VarConst.js:
2465         * stress/op_mul-VarVar.js:
2466         * stress/op_rshift-ConstVar.js:
2467         * stress/op_rshift-VarConst.js:
2468         * stress/op_rshift-VarVar.js:
2469         * stress/op_sub-ConstVar.js:
2470         * stress/op_sub-VarConst.js:
2471         * stress/op_sub-VarVar.js:
2472         * stress/op_urshift-ConstVar.js:
2473         * stress/op_urshift-VarConst.js:
2474         * stress/op_urshift-VarVar.js:
2475         * stress/proxy-get-set-correct-receiver.js:
2476         * stress/regress-179562.js:
2477         * stress/rest-parameter-many-arguments.js:
2478         * stress/sampling-profiler-richards.js:
2479         * stress/splay-flash-access-1ms.js:
2480         * stress/tailCallForwardArguments.js:
2481         * stress/typed-array-get-by-val-profiling.js:
2482         * typeProfiler/getter-richards.js:
2483
2484 2018-11-06  Michael Saboff  <msaboff@apple.com>
2485
2486         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2487         https://bugs.webkit.org/show_bug.cgi?id=191271
2488
2489         Reviewed by Saam Barati.
2490
2491         Added more test cases and made all test cases run with the same deeply recursive stack
2492         instead of finding that same point for each test case.
2493
2494         * stress/regexp-compile-oom.js:
2495         (prototype.runTest):
2496         (recurseAndTest):
2497         (testList.push.new.TestAndExpectedException):
2498
2499 2018-11-05  Michael Saboff  <msaboff@apple.com>
2500
2501         Unreviewed build fix for linux.
2502
2503         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2504
2505 2018-11-02  Michael Saboff  <msaboff@apple.com>
2506
2507         Rolling in r237753 with unreviewed build fix.
2508
2509         Fixed issues with DECLARE_THROW_SCOPE placement.
2510
2511 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2512
2513         Unreviewed, rolling out r237753.
2514
2515         Introduced JSC test failures
2516
2517         Reverted changeset:
2518
2519         "Running out of stack space not properly handled in
2520         RegExp::compile() and its callers"
2521         https://bugs.webkit.org/show_bug.cgi?id=191206
2522         https://trac.webkit.org/changeset/237753
2523
2524 2018-11-02  Michael Saboff  <msaboff@apple.com>
2525
2526         Running out of stack space not properly handled in RegExp::compile() and its callers
2527         https://bugs.webkit.org/show_bug.cgi?id=191206
2528
2529         Reviewed by Filip Pizlo.
2530
2531         New regression test.
2532
2533         * stress/regexp-compile-oom.js: Added.
2534         (recurseAndTest):
2535
2536 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2537
2538         Skip tests on arm/mips that time out now we're running on CLoop
2539
2540         Unreviewed gardening.
2541
2542         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2543         time out on the bots and need to be disabled. There's more tests
2544         disabled on arm because the timeout is longer on the mips bot (as the
2545         device is slower to start with), so many of the tests don't time out
2546         there.
2547
2548         * microbenchmarks/getter-richards.js: disable on arm and mips.
2549         * stress/op_add.js: disable on arm.
2550         * stress/op_bitand.js: disable on arm.
2551         * stress/op_bitor.js: disable on arm.
2552         * stress/op_bitxor.js: disable on arm.
2553         * stress/op_lshift-ConstVar.js: disable on arm.
2554         * stress/op_lshift-VarConst.js: disable on arm.
2555         * stress/op_lshift-VarVar.js: disable on arm.
2556         * stress/op_mod-ConstVar.js: disable on arm.
2557         * stress/op_mod-VarConst.js: disable on arm.
2558         * stress/op_mod-VarVar.js: disable on arm.
2559         * stress/op_mul-ConstVar.js: disable on arm.
2560         * stress/op_mul-VarConst.js: disable on arm.
2561         * stress/op_mul-VarVar.js: disable on arm.
2562         * stress/op_rshift-ConstVar.js: disable on arm.
2563         * stress/op_rshift-VarConst.js: disable on arm.
2564         * stress/op_rshift-VarVar.js: disable on arm.
2565         * stress/op_sub-ConstVar.js: disable on arm.
2566         * stress/op_sub-VarConst.js: disable on arm.
2567         * stress/op_sub-VarVar.js: disable on arm.
2568         * stress/op_urshift-ConstVar.js: disable on arm.
2569         * stress/op_urshift-VarConst.js: disable on arm.
2570         * stress/op_urshift-VarVar.js: disable on arm.
2571         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2572         * stress/value-to-boolean.js: disable on arm and mips.
2573
2574 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2575
2576         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2577         https://bugs.webkit.org/show_bug.cgi?id=191108
2578         <rdar://problem/45690700>
2579
2580         Reviewed by Saam Barati.
2581
2582         * stress/wide-op_catch.js: Added.
2583         (catch):
2584
2585 2018-10-29  Mark Lam  <mark.lam@apple.com>
2586
2587         Correctly detect string overflow when using the 'Function' constructor.
2588         https://bugs.webkit.org/show_bug.cgi?id=184883
2589         <rdar://problem/36320331>
2590
2591         Reviewed by Saam Barati.
2592
2593         I've verified that this passes on 32-bit as well.
2594
2595         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2596
2597 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2598
2599         Add support for GetStack FlushedDouble
2600         https://bugs.webkit.org/show_bug.cgi?id=191012
2601         <rdar://problem/45265141>
2602
2603         Reviewed by Saam Barati.
2604
2605         * stress/get-stack-double.js: Added.
2606         (bar):
2607         (noInline):
2608
2609 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2610
2611         New bytecode format for JSC
2612         https://bugs.webkit.org/show_bug.cgi?id=187373
2613         <rdar://problem/44186758>
2614
2615         Reviewed by Filip Pizlo.
2616
2617         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2618
2619         * stress/maximum-inline-capacity.js: Added.
2620         (test1):
2621         (test3.Foo):
2622         (test3):
2623
2624 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2625
2626         Unreviewed, rolling out r237479 and r237484.
2627         https://bugs.webkit.org/show_bug.cgi?id=190978
2628
2629         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2630
2631         Reverted changesets:
2632
2633         "New bytecode format for JSC"
2634         https://bugs.webkit.org/show_bug.cgi?id=187373
2635         https://trac.webkit.org/changeset/237479
2636
2637         "Gardening: Build fix after r237479."
2638         https://bugs.webkit.org/show_bug.cgi?id=187373
2639         https://trac.webkit.org/changeset/237484
2640
2641 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2642
2643         New bytecode format for JSC
2644         https://bugs.webkit.org/show_bug.cgi?id=187373
2645         <rdar://problem/44186758>
2646
2647         Reviewed by Filip Pizlo.
2648
2649         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2650
2651         * stress/maximum-inline-capacity.js: Added.
2652         (test1):
2653         (test3.Foo):
2654         (test3):
2655
2656 2018-10-26  Mark Lam  <mark.lam@apple.com>
2657
2658         Fix missing edge cases with JSGlobalObjects having a bad time.
2659         https://bugs.webkit.org/show_bug.cgi?id=189028
2660         <rdar://problem/45204939>
2661
2662         Reviewed by Saam Barati.
2663
2664         * stress/regress-189028.js: Added.
2665
2666 2018-10-22  Mark Lam  <mark.lam@apple.com>
2667
2668         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2669         https://bugs.webkit.org/show_bug.cgi?id=190515
2670         <rdar://problem/45222379>
2671
2672         Rubber-stamped by Saam Barati.
2673
2674         Adding another test.
2675
2676         * stress/regress-190515-2.js: Added.
2677
2678 2018-10-22  Mark Lam  <mark.lam@apple.com>
2679
2680         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2681         https://bugs.webkit.org/show_bug.cgi?id=190515
2682         <rdar://problem/45222379>
2683
2684         Reviewed by Saam Barati.
2685
2686         * stress/regress-190515.js: Added.
2687
2688 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2689
2690         Unreviewed, rolling out r237254.
2691         https://bugs.webkit.org/show_bug.cgi?id=190760
2692
2693         "It regresses JetStream 2 by 5% on some iOS devices"
2694         (Requested by saamyjoon on #webkit).
2695
2696         Reverted changeset:
2697
2698         "[JSC] JSC should have "parseFunction" to optimize Function
2699         constructor"
2700         https://bugs.webkit.org/show_bug.cgi?id=190340
2701         https://trac.webkit.org/changeset/237254
2702
2703 2018-10-19  Saam Barati  <sbarati@apple.com>
2704
2705         vmCall should check if we exit before emitting an OSR exit due to exceptions
2706         https://bugs.webkit.org/show_bug.cgi?id=190740
2707         <rdar://problem/45220139>
2708
2709         Reviewed by Mark Lam.
2710
2711         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2712         (foo):
2713
2714 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2715
2716         [ESNext][BigInt] Implement support for "^"
2717         https://bugs.webkit.org/show_bug.cgi?id=186235
2718
2719         Reviewed by Yusuke Suzuki.
2720
2721         * stress/big-int-bitwise-xor-general.js: Added.
2722         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2723         * stress/big-int-bitwise-xor-type-error.js: Added.
2724         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2725
2726 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2727
2728         [BigInt] Add ValueSub into DFG
2729         https://bugs.webkit.org/show_bug.cgi?id=186176
2730
2731         Reviewed by Yusuke Suzuki.
2732
2733         * stress/big-int-subtraction-jit.js:
2734         * stress/value-sub-big-int-prediction-propagation.js: Added.
2735         * stress/value-sub-big-int-untyped.js: Added.
2736         * stress/value-sub-spec-none-case.js: Added.
2737
2738 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2739
2740         [JSC] JSC should have "parseFunction" to optimize Function constructor
2741         https://bugs.webkit.org/show_bug.cgi?id=190340
2742
2743         Reviewed by Mark Lam.
2744
2745         This patch fixes the line number of syntax errors raised by the Function constructor,
2746         since we now parse the final code only once. And we no longer use block statement
2747         for Function constructor's parsing.
2748
2749         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2750         * stress/function-cache-with-parameters-end-position.js: Added.
2751         (shouldBe):
2752         (shouldThrow):
2753         (i.anonymous):
2754         * stress/function-constructor-name.js: Added.
2755         (shouldBe):
2756         (GeneratorFunction):
2757         (AsyncFunction.async):
2758         (AsyncGeneratorFunction.async):
2759         (anonymous):
2760         (async.anonymous):
2761         * test262/expectations.yaml:
2762
2763 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2764
2765         Unreviewed, rolling out r237242.
2766         https://bugs.webkit.org/show_bug.cgi?id=190701
2767
2768         it breaks "stress/sampling-profiler-basic.js" (Requested by
2769         caiolima on #webkit).
2770
2771         Reverted changeset:
2772
2773         "[BigInt] Add ValueSub into DFG"
2774         https://bugs.webkit.org/show_bug.cgi?id=186176
2775         https://trac.webkit.org/changeset/237242
2776
2777 2018-10-17  Keith Miller  <keith_miller@apple.com>
2778
2779         AI does not clear Phantom allocation nodes.
2780         https://bugs.webkit.org/show_bug.cgi?id=190694
2781
2782         Reviewed by Saam Barati.
2783
2784         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2785         (Day):
2786         (DaysInYear):
2787         (TimeInYear):
2788         (TimeFromYear):
2789         (DayFromYear):
2790         (InLeapYear):
2791         (YearFromTime):
2792         (WeekDay):
2793         (DaylightSavingTA):
2794         (GetSecondSundayInMarch):
2795         (TimeInMonth):
2796
2797 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2798
2799         [BigInt] Add ValueSub into DFG
2800         https://bugs.webkit.org/show_bug.cgi?id=186176
2801
2802         Reviewed by Yusuke Suzuki.
2803
2804         * stress/big-int-subtraction-jit.js:
2805         * stress/value-sub-big-int-prediction-propagation.js: Added.
2806         * stress/value-sub-big-int-untyped.js: Added.
2807
2808 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2809
2810         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2811         https://bugs.webkit.org/show_bug.cgi?id=190611
2812
2813         Reviewed by Saam Barati.
2814
2815         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2816         to improve test runtime. On ARM/MIPS this test even timed out when running all
2817         tests.
2818
2819         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2820         (test):
2821
2822 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2823
2824         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2825
2826         Unreviewed gardening.
2827
2828         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2829
2830 2018-10-15  Saam barati  <sbarati@apple.com>
2831
2832         Emit fjcvtzs on ARM64E on Darwin
2833         https://bugs.webkit.org/show_bug.cgi?id=184023
2834
2835         Reviewed by Yusuke Suzuki and Filip Pizlo.
2836
2837         * stress/double-to-int32-NaN.js: Added.
2838         (assert):
2839         (foo):
2840
2841 2018-10-15  Saam Barati  <sbarati@apple.com>
2842
2843         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2844         https://bugs.webkit.org/show_bug.cgi?id=190262
2845         <rdar://problem/44986241>
2846
2847         Reviewed by Mark Lam.
2848
2849         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2850         (test):
2851         * stress/slice-array-storage-with-holes.js: Added.
2852         (main):
2853
2854 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2855
2856         Unreviewed, rolling out r237054.
2857         https://bugs.webkit.org/show_bug.cgi?id=190593
2858
2859         "this regressed JetStream 2 by 6% on iOS" (Requested by
2860         saamyjoon on #webkit).
2861
2862         Reverted changeset:
2863
2864         "[JSC] JSC should have "parseFunction" to optimize Function
2865         constructor"
2866         https://bugs.webkit.org/show_bug.cgi?id=190340
2867         https://trac.webkit.org/changeset/237054
2868
2869 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2870
2871         [JSC] JSON.stringify can accept call-with-no-arguments
2872         https://bugs.webkit.org/show_bug.cgi?id=190343
2873
2874         Reviewed by Mark Lam.
2875
2876         * stress/json-stringify-no-arguments.js: Added.
2877         (shouldBe):
2878
2879 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2880
2881         [JSC] JSC should have "parseFunction" to optimize Function constructor
2882         https://bugs.webkit.org/show_bug.cgi?id=190340
2883
2884         Reviewed by Mark Lam.
2885
2886         This patch fixes the line number of syntax errors raised by the Function constructor,
2887         since we now parse the final code only once. And we no longer use block statement
2888         for Function constructor's parsing.
2889
2890         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2891         * stress/function-cache-with-parameters-end-position.js: Added.
2892         (shouldBe):
2893         (shouldThrow):
2894         (i.anonymous):
2895         * stress/function-constructor-name.js: Added.
2896         (shouldBe):
2897         (GeneratorFunction):
2898         (AsyncFunction.async):
2899         (AsyncGeneratorFunction.async):
2900         (anonymous):
2901         (async.anonymous):
2902         * test262/expectations.yaml:
2903
2904 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2905
2906         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2907         https://bugs.webkit.org/show_bug.cgi?id=190426
2908
2909         Unreviewed gardening.
2910
2911         * stress/sampling-profiler-richards.js:
2912
2913 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2914
2915         [ESNext][BigInt] Implement support for "|"
2916         https://bugs.webkit.org/show_bug.cgi?id=186229
2917
2918         Reviewed by Yusuke Suzuki.
2919
2920         * stress/big-int-bitwise-and-jit.js:
2921         * stress/big-int-bitwise-or-general.js: Added.
2922         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2923         * stress/big-int-bitwise-or-jit.js: Added.
2924         * stress/big-int-bitwise-or-memory-stress.js: Added.
2925         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2926         * stress/big-int-bitwise-or-type-error.js: Added.
2927         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2928
2929 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2930
2931         Skip test on systems with limited memory
2932         https://bugs.webkit.org/show_bug.cgi?id=190310
2933
2934         Invoking runDefault adds test to runlist, skipping the test in the next
2935         line does not prevent the test from executing. Change order of lines such
2936         that runDefault is only executed if test is not executed.
2937
2938         Reviewed by Mark Lam.
2939
2940         * stress/regress-190187.js:
2941
2942 2018-10-03  Saam barati  <sbarati@apple.com>
2943
2944         lowXYZ in FTLLower should always filter the type of the incoming edge
2945         https://bugs.webkit.org/show_bug.cgi?id=189939
2946         <rdar://problem/44407030>
2947
2948         Reviewed by Michael Saboff.
2949
2950         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2951         (foo):
2952         (test):
2953
2954 2018-10-03  Mark Lam  <mark.lam@apple.com>
2955
2956         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2957         https://bugs.webkit.org/show_bug.cgi?id=190187
2958         <rdar://problem/42512909>
2959
2960         Reviewed by Michael Saboff.
2961
2962         * stress/regress-190187.js: Added.
2963
2964 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2965
2966         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
2967         https://bugs.webkit.org/show_bug.cgi?id=190033
2968
2969         Reviewed by Yusuke Suzuki.
2970
2971         * stress/big-int-to-string.js:
2972
2973 2018-10-01  Mark Lam  <mark.lam@apple.com>
2974
2975         Function.toString() should also copy the source code Functions that are class definitions.
2976         https://bugs.webkit.org/show_bug.cgi?id=190186
2977         <rdar://problem/44733360>
2978
2979         Reviewed by Saam Barati.
2980
2981         * stress/regress-190186.js: Added.
2982
2983 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2984
2985         Split NaN-check into separate test
2986         https://bugs.webkit.org/show_bug.cgi?id=190010
2987
2988         Reviewed by Saam Barati.
2989
2990         DataView exposes NaN-representation, which is not necessarily the same on each
2991         architecture. Therefore move the check of the NaN-representation into its own
2992         file such that we can disable this test on MIPS where NaN-representation can be
2993         different on older CPUs.
2994
2995         * stress/dataview-jit-set-nan.js: Added.
2996         (assert):
2997         (test.storeLittleEndian):
2998         (test.storeBigEndian):
2999         (test.store):
3000         (test):
3001         * stress/dataview-jit-set.js:
3002         (test5):
3003
3004 2018-10-01  Commit Queue  <commit-queue@webkit.org>
3005
3006         Unreviewed, rolling out r236647.
3007         https://bugs.webkit.org/show_bug.cgi?id=190124
3008
3009         Breaking test stress/big-int-to-string.js (Requested by
3010         caiolima_ on #webkit).
3011
3012         Reverted changeset:
3013
3014         "[BigInt] BigInt.proptotype.toString is broken when radix is
3015         power of 2"
3016         https://bugs.webkit.org/show_bug.cgi?id=190033
3017         https://trac.webkit.org/changeset/236647
3018
3019 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
3020
3021         [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
3022         https://bugs.webkit.org/show_bug.cgi?id=190033
3023
3024         Reviewed by Yusuke Suzuki.
3025
3026         * stress/big-int-to-string.js:
3027
3028 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
3029
3030         [ESNext][BigInt] Implement support for "&"
3031         https://bugs.webkit.org/show_bug.cgi?id=186228
3032
3033         Reviewed by Yusuke Suzuki.
3034
3035         * stress/big-int-bitwise-and-general.js: Added.
3036         (assert):
3037         (assert.sameValue):
3038         * stress/big-int-bitwise-and-jit.js: Added.
3039         (let.assert.sameValue):
3040         (bigIntBitAnd):
3041         * stress/big-int-bitwise-and-memory-stress.js: Added.
3042         (assert):
3043         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
3044         (assert.sameValue):
3045         (let.o.Symbol.toPrimitive):
3046         (catch):
3047         * stress/big-int-bitwise-and-type-error.js: Added.
3048         (assert):
3049         (assertThrowTypeError):
3050         (let.o.valueOf):
3051         (o.valueOf):
3052         (o.toString):
3053         (o.Symbol.toPrimitive):
3054         * stress/big-int-bitwise-and-wrapped-value.js: Added.
3055         (assert.sameValue):
3056         (testBitAnd):
3057         (let.o.Symbol.toPrimitive):
3058         (o.valueOf):
3059         (o.toString):
3060
3061 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
3062
3063         JSC test stress/jsc-read.js doesn't support CRLF
3064         https://bugs.webkit.org/show_bug.cgi?id=190063
3065
3066         Reviewed by Yusuke Suzuki.
3067
3068         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3069
3070         * stress/jsc-read.js:
3071         (test):
3072
3073 2018-09-27  Saam barati  <sbarati@apple.com>
3074
3075         Verify the contents of AssemblerBuffer on arm64e
3076         https://bugs.webkit.org/show_bug.cgi?id=190057
3077         <rdar://problem/38916630>
3078
3079         Reviewed by Mark Lam.
3080
3081         * stress/regress-189132.js:
3082
3083 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3084
3085         Disable test without LLInt on ARMv7
3086         https://bugs.webkit.org/show_bug.cgi?id=190037
3087
3088         Reviewed by Mark Lam.
3089
3090         Test runs out of executable memory on ARMv7, do not run
3091         this test without LLInt enabled.
3092
3093         * stress/regress-169445.js:
3094
3095 2018-09-26  Keith Miller  <keith_miller@apple.com>
3096
3097         We should zero unused property storage when rebalancing array storage.
3098         https://bugs.webkit.org/show_bug.cgi?id=188151
3099
3100         Reviewed by Michael Saboff.
3101
3102         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3103
3104 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3105
3106         [JSC] Optimize Array#lastIndexOf
3107         https://bugs.webkit.org/show_bug.cgi?id=189780
3108
3109         Reviewed by Saam Barati.
3110
3111         * stress/array-lastindexof-array-prototype-trap.js: Added.
3112         (shouldBe):
3113         (AncestorArray.prototype.get 2):
3114         (AncestorArray):
3115         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3116         (shouldBe):
3117         * stress/array-lastindexof-hole-nan.js: Added.
3118         (shouldBe):
3119         (throw.new.Error):
3120         * stress/array-lastindexof-infinity.js: Added.
3121         (shouldBe):
3122         (throw.new.Error):
3123         * stress/array-lastindexof-negative-zero.js: Added.
3124         (shouldBe):
3125         (throw.new.Error):
3126         * stress/array-lastindexof-own-getter.js: Added.
3127         (shouldBe):
3128         (throw.new.Error.get array):
3129         (get array):
3130         * stress/array-lastindexof-prototype-trap.js: Added.
3131         (shouldBe):
3132         (DerivedArray.prototype.get 2):
3133         (DerivedArray):
3134
3135 2018-09-25  Saam Barati  <sbarati@apple.com>
3136
3137         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3138         https://bugs.webkit.org/show_bug.cgi?id=189940
3139         <rdar://problem/43640987>
3140
3141         Reviewed by Mark Lam.
3142
3143         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3144
3145 2018-09-24  Saam Barati  <sbarati@apple.com>
3146
3147         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3148         https://bugs.webkit.org/show_bug.cgi?id=189922
3149         <rdar://problem/44651275>
3150
3151         Reviewed by Mark Lam.
3152
3153         * stress/array-indexof-fast-path-effects.js: Added.
3154         * stress/array-indexof-cached-length.js: Added.
3155
3156 2018-09-24  Saam barati  <sbarati@apple.com>
3157
3158         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3159         https://bugs.webkit.org/show_bug.cgi?id=189682
3160         <rdar://problem/43557315>
3161
3162         Reviewed by Mark Lam.
3163
3164         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3165         (foo):
3166
3167 2018-09-22  Saam barati  <sbarati@apple.com>
3168
3169         The sampling should not use Strong<CodeBlock> in its machineLocation field
3170         https://bugs.webkit.org/show_bug.cgi?id=189319
3171
3172         Reviewed by Filip Pizlo.
3173
3174         * stress/sampling-profiler-richards.js: Added.
3175
3176 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3177
3178         [JSC] Optimize Array#indexOf in C++ runtime
3179         https://bugs.webkit.org/show_bug.cgi?id=189507
3180
3181         Reviewed by Saam Barati.
3182
3183         * stress/array-indexof-array-prototype-trap.js: Added.
3184         (shouldBe):
3185         (AncestorArray.prototype.get 2):
3186         (AncestorArray):
3187         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3188         (shouldBe):
3189         * stress/array-indexof-hole-nan.js: Added.
3190         (shouldBe):
3191         (throw.new.Error):
3192         * stress/array-indexof-infinity.js: Added.
3193         (shouldBe):
3194         (throw.new.Error):
3195         * stress/array-indexof-negative-zero.js: Added.
3196         (shouldBe):
3197         (throw.new.Error):
3198         * stress/array-indexof-own-getter.js: Added.
3199         (shouldBe):
3200         (throw.new.Error.get array):
3201         (get array):
3202         * stress/array-indexof-prototype-trap.js: Added.
3203         (shouldBe):
3204         (DerivedArray.prototype.get 2):
3205         (DerivedArray):
3206
3207 2018-09-19  Saam barati  <sbarati@apple.com>
3208
3209         AI rule for MultiPutByOffset executes its effects in the wrong order
3210         https://bugs.webkit.org/show_bug.cgi?id=189757
3211         <rdar://problem/43535257>
3212
3213         Reviewed by Michael Saboff.
3214
3215         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3216         (foo):
3217         (Foo):
3218         (g):
3219
3220 2018-09-17  Mark Lam  <mark.lam@apple.com>
3221
3222         Ensure that ForInContexts are invalidated if their loop local is over-written.
3223         https://bugs.webkit.org/show_bug.cgi?id=189571
3224         <rdar://problem/44402277>
3225
3226         Reviewed by Saam Barati.
3227
3228         * stress/regress-189571.js: Added.
3229
3230 2018-09-17  Saam barati  <sbarati@apple.com>
3231
3232         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3233         https://bugs.webkit.org/show_bug.cgi?id=189676
3234         <rdar://problem/39682897>
3235
3236         Reviewed by Michael Saboff.
3237
3238         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3239         (A):
3240         (K):
3241         (i.catch):
3242
3243 2018-09-14  Saam barati  <sbarati@apple.com>
3244
3245         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3246         https://bugs.webkit.org/show_bug.cgi?id=189628
3247         <rdar://problem/39481690>
3248
3249         Reviewed by Mark Lam.
3250
3251         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3252         (foo):
3253
3254 2018-09-11  Mark Lam  <mark.lam@apple.com>
3255
3256         Test for array initialization in arrayProtoFuncSplice.
3257         https://bugs.webkit.org/show_bug.cgi?id=170253
3258         <rdar://problem/31328773>
3259
3260         Rubber-stamped by Saam Barati.
3261
3262         * stress/regress-170253.js: Added.
3263
3264 2018-09-11  Mark Lam  <mark.lam@apple.com>
3265
3266         Test for IntlObject initialization.
3267         https://bugs.webkit.org/show_bug.cgi?id=170251
3268         <rdar://problem/31328419>
3269
3270         Rubber-stamped by Saam Barati.
3271
3272         * stress/regress-170251.js: Added.
3273
3274 2018-09-11  Mark Lam  <mark.lam@apple.com>
3275
3276         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3277         https://bugs.webkit.org/show_bug.cgi?id=169889
3278         <rdar://problem/31155607>
3279
3280         Reviewed by Saam Barati.
3281
3282         * stress/regress-169889-array-concat.js: Added.
3283         * stress/regress-169889-array-concat1.js: Added.
3284         * stress/regress-169889-array-slice.js: Added.
3285
3286 2018-09-11  Mark Lam  <mark.lam@apple.com>
3287
3288         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3289         https://bugs.webkit.org/show_bug.cgi?id=169445
3290         <rdar://problem/30957435>
3291
3292         Reviewed by Saam Barati.
3293
3294         * stress/regress-169445.js: Added.
3295         (let.gun.eval.A):
3296         (let.gun.eval.B.C):
3297         (let.gun.eval.B.C.prototype.trigger):
3298         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3299         (let.gun.eval.B):
3300         (let.gun.eval):
3301
3302 == Rolled over to ChangeLog-2018-09-11 ==