The parser is failing to record the token location of new in new.target.
[WebKit-https.git] / JSTests / ChangeLog
index 4dc67e7..5f20112 100644 (file)
@@ -1,3 +1,468 @@
+2019-02-27  Mark Lam  <mark.lam@apple.com>
+
+        The parser is failing to record the token location of new in new.target.
+        https://bugs.webkit.org/show_bug.cgi?id=195127
+        <rdar://problem/39645578>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
+
+2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
+        https://bugs.webkit.org/show_bug.cgi?id=195144
+        <rdar://problem/47595961>
+
+        Reviewed by Mark Lam.
+
+        * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
+        (bar):
+        (foo):
+        * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
+        (bar):
+        (foo):
+
+2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
+        https://bugs.webkit.org/show_bug.cgi?id=194677
+        <rdar://problem/48112492>
+
+        Reviewed by Mark Lam.
+
+        Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
+        This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
+        it immediately fails due the large size.
+
+        After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
+        8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
+        time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
+        OOM error anyway because JSON.stringify's builder overflows with such a large string input.
+
+        This patch changes the test to produce 16bit string from String.fromCharCode.
+
+        * stress/regress-178386.js:
+
+2019-02-26  Mark Lam  <mark.lam@apple.com>
+
+        wasmToJS() should purify incoming NaNs.
+        https://bugs.webkit.org/show_bug.cgi?id=194807
+        <rdar://problem/48189132>
+
+        Reviewed by Saam Barati.
+
+        * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
+
+2019-02-26  Guillaume Emont  <guijemont@igalia.com>
+
+        [JSC] Repeat string created from Array.prototype.join() take too much memory
+        https://bugs.webkit.org/show_bug.cgi?id=193912
+
+        Reviewed by Saam Barati.
+
+        Added a test and a microbenchmark for corner cases of
+        Array.prototype.join() with an uninitialized array.
+
+        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
+        * stress/array-prototype-join-uninitialized.js: Added.
+        (testArray):
+        (testABC):
+        (B):
+        (C):
+
+2019-02-22  Robin Morisset  <rmorisset@apple.com>
+
+        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
+        https://bugs.webkit.org/show_bug.cgi?id=194953
+        <rdar://problem/47595253>
+
+        Reviewed by Saam Barati.
+
+        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
+
+        * stress/has-indexed-property-with-worsening-array-mode.js: Added.
+
+2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
+        https://bugs.webkit.org/show_bug.cgi?id=172848
+        <rdar://problem/25709212>
+
+        Reviewed by Mark Lam.
+
+        * typeProfiler/inheritance.js:
+        Rewrite the test slightly for clarity. The hoisting was confusing.
+
+        * heapProfiler/class-names.js: Added.
+        (MyES5Class):
+        (MyES6Class):
+        (MyES6Subclass):
+        Test object types and improved class names.
+
+        * heapProfiler/driver/driver.js:
+        (CheapHeapSnapshotNode):
+        (CheapHeapSnapshot):
+        (createCheapHeapSnapshot):
+        (HeapSnapshot):
+        (createHeapSnapshot):
+        Update snapshot parsing from version 1 to version 2.
+
+2019-02-19  Truitt Savell  <tsavell@apple.com>
+
+        Unreviewed, rolling out r241784.
+
+        Broke all OpenSource builds.
+
+        Reverted changeset:
+
+        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
+        instances view"
+        https://bugs.webkit.org/show_bug.cgi?id=172848
+        https://trac.webkit.org/changeset/241784
+
+2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
+        https://bugs.webkit.org/show_bug.cgi?id=172848
+        <rdar://problem/25709212>
+
+        Reviewed by Mark Lam.
+
+        * typeProfiler/inheritance.js:
+        Rewrite the test slightly for clarity. The hoisting was confusing.
+
+        * heapProfiler/class-names.js: Added.
+        (MyES5Class):
+        (MyES6Class):
+        (MyES6Subclass):
+        Test object types and improved class names.
+
+        * heapProfiler/driver/driver.js:
+        (CheapHeapSnapshotNode):
+        (CheapHeapSnapshot):
+        (createCheapHeapSnapshot):
+        (HeapSnapshot):
+        (createHeapSnapshot):
+        Update snapshot parsing from version 1 to version 2.
+
+2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        [ARM] Fix crash with sampling profiler
+        https://bugs.webkit.org/show_bug.cgi?id=194772
+
+        Reviewed by Mark Lam.
+
+        Do not skip test since crash with sampling profiler is now fixed.
+
+        * stress/sampling-profiler-richards.js:
+
+2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Add LazyClassStructure::getInitializedOnMainThread
+        https://bugs.webkit.org/show_bug.cgi?id=194784
+        <rdar://problem/48154820>
+
+        Reviewed by Mark Lam.
+
+        * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
+        (getProperties):
+        (getRandomProperty):
+        (i.catch):
+
+2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        [ARM] Test gardening: Test running out of executable memory
+        https://bugs.webkit.org/show_bug.cgi?id=194771
+
+        Unreviewed. Do not run test without LLInt, test is running out of executable
+        memory on ARM otherwise.
+
+        * stress/tagged-template-object-collect.js:
+
+2019-02-18  Tomas Popela  <tpopela@redhat.com>
+
+        Unreviewed, skip the test on platforms without sampling profiler
+
+        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
+        (platformSupportsSamplingProfiler.foo):
+        (platformSupportsSamplingProfiler.test):
+        (platformSupportsSamplingProfiler):
+        (foo): Deleted.
+        (test): Deleted.
+
+2019-02-17  Saam Barati  <sbarati@apple.com>
+
+        Deadlock when adding a Structure property transition and then doing incremental marking
+        https://bugs.webkit.org/show_bug.cgi?id=194767
+
+        Reviewed by Mark Lam.
+
+        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
+
+2019-02-15  Michael Saboff  <msaboff@apple.com>
+
+        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
+        https://bugs.webkit.org/show_bug.cgi?id=194558
+
+        Reviewed by Saam Barati.
+
+        New regression test.
+
+        * stress/regexp-unicode-within-string.js: Added.
+
+2019-02-15  Mark Lam  <mark.lam@apple.com>
+
+        SamplingProfiler::stackTracesAsJSON() should escape strings.
+        https://bugs.webkit.org/show_bug.cgi?id=194649
+        <rdar://problem/48072386>
+
+        Reviewed by Saam Barati.
+
+        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
+        * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
+        * stress/type-profiler-with-double-quote-in-field-name.js: Added.
+        * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
+
+2019-02-15  Robin Morisset  <rmorisset@apple.com>
+        CodeBlock::jettison should clear related watchpoints
+        https://bugs.webkit.org/show_bug.cgi?id=194544
+
+        Reviewed by Mark Lam.
+
+        * stress/regexp-replace-double-watchpoint.js: Added.
+        (foo):
+
+2019-02-15  Saam barati  <sbarati@apple.com>
+
+        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
+        https://bugs.webkit.org/show_bug.cgi?id=194036
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/tail-call-many-arguments.js: Added.
+        (foo):
+        (bar):
+
+2019-02-14  Saam Barati  <sbarati@apple.com>
+
+        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
+        https://bugs.webkit.org/show_bug.cgi?id=194583
+        <rdar://problem/48028140>
+
+        Reviewed by Yusuke Suzuki.
+
+        * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
+
+2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] String.fromCharCode's slow path always generates 16bit string
+        https://bugs.webkit.org/show_bug.cgi?id=194466
+
+        Reviewed by Keith Miller.
+
+        * stress/string-from-char-code-slow-path.js: Added.
+        (shouldBe):
+        (testWithLength):
+
+2019-02-08  Saam barati  <sbarati@apple.com>
+
+        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
+        https://bugs.webkit.org/show_bug.cgi?id=194334
+        <rdar://problem/47844327>
+
+        Reviewed by Mark Lam.
+
+        * stress/check-in-bounds-should-be-a-child-use.js: Added.
+        (func):
+
+2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
+        https://bugs.webkit.org/show_bug.cgi?id=194369
+        <rdar://problem/47813087>
+
+        Reviewed by Saam Barati.
+
+        * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
+        (A):
+
+2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] PrivateName to PublicName hash table is wasteful
+        https://bugs.webkit.org/show_bug.cgi?id=194277
+
+        Reviewed by Michael Saboff.
+
+        This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
+
+        * ChakraCore.yaml:
+
+2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        [ARM] Test running out of executable memory
+        https://bugs.webkit.org/show_bug.cgi?id=194285
+
+        Unreviewed. Do no execute test with LLInt disabled, test runs out of
+        executable memory otherwise.
+
+        * stress/class-subclassing-function.js:
+
+2019-02-04  Robin Morisset  <rmorisset@apple.com>
+
+        when lowering AssertNotEmpty, create the value before creating the patchpoint
+        https://bugs.webkit.org/show_bug.cgi?id=194231
+
+        Reviewed by Saam Barati.
+
+        This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
+        The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
+        So even tiny changes to this test can change the path code taken.
+
+        * stress/assert-not-empty.js: Added.
+        (foo):
+
+2019-02-01  Mark Lam  <mark.lam@apple.com>
+
+        Remove invalid assertion in DFG's compileDoubleRep().
+        https://bugs.webkit.org/show_bug.cgi?id=194130
+        <rdar://problem/47699474>
+
+        Reviewed by Saam Barati.
+
+        * stress/constant-fold-double-rep-into-double-constant.js: Added.
+
+2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
+
+        Import latest Test262 updates.
+
+        Rubber-stamped by Keith Miller.
+
+        * test262.yaml: Deleted.
+        * test262/config.yaml:
+        * test262/expectations.yaml:
+        * test262/latest-changes-summary.txt:
+        * test262/test/:
+        * test262/test262-Revision.txt:
+
+2019-01-30  Robin Morisset  <rmorisset@apple.com>
+
+        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
+        https://bugs.webkit.org/show_bug.cgi?id=194050
+        <rdar://problem/47595592>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/object-keys-osr-exit.js: Added.
+        (foo):
+        (catch):
+
+2019-01-29  Mark Lam  <mark.lam@apple.com>
+
+        ValueRecovery::recover() should purify NaN values it recovers.
+        https://bugs.webkit.org/show_bug.cgi?id=193978
+        <rdar://problem/47625488>
+
+        Reviewed by Saam Barati.
+
+        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
+
+2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
+        https://bugs.webkit.org/show_bug.cgi?id=193713
+
+        * stress/try-get-by-id-should-spill-registers-dfg.js:
+        (let.f.createBuiltin):
+
+2019-01-28  Mark Lam  <mark.lam@apple.com>
+
+        ToString node actually does GC.
+        https://bugs.webkit.org/show_bug.cgi?id=193920
+        <rdar://problem/46695900>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/dfg-to-string-on-int-does-gc.js: Added.
+        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
+        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
+
+2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] NativeErrorConstructor should not have own IsoSubspace
+        https://bugs.webkit.org/show_bug.cgi?id=193713
+
+        Reviewed by Saam Barati.
+
+        Remove @Error use.
+
+        * stress/try-get-by-id-should-spill-registers-dfg.js:
+        (let.f.createBuiltin):
+
+2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
+        https://bugs.webkit.org/show_bug.cgi?id=190693
+
+        Reviewed by Michael Saboff.
+
+        * stress/regress-190693.js: Added.
+        (truth):
+        (assert):
+        (shouldThrowInvalidConstAssignment):
+        (taz):
+
+2019-01-24  Saam Barati  <sbarati@apple.com>
+
+        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
+        https://bugs.webkit.org/show_bug.cgi?id=193751
+        <rdar://problem/47280215>
+
+        Reviewed by Michael Saboff.
+
+        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
+        (let.thing):
+        (foo.let.hello):
+        (foo):
+
+2019-01-24  Guillaume Emont  <guijemont@igalia.com>
+
+        [JSC] Reenable baseline JIT on mips
+        https://bugs.webkit.org/show_bug.cgi?id=192983
+
+        Reviewed by Mark Lam.
+
+        Added a new test for a case that was triggering a RELEASE_ASSERT when
+        testing.
+        Disable some slow tests that were already disabled for arm and x86.
+
+        * stress/json-parse-big-object.js: Added.
+        * stress/new-largeish-contiguous-array-with-size.js:
+        * stress/op_add.js:
+        * stress/op_bitand.js:
+        * stress/op_bitor.js:
+        * stress/op_bitxor.js:
+        * stress/op_lshift-ConstVar.js:
+        * stress/op_lshift-VarConst.js:
+        * stress/op_lshift-VarVar.js:
+        * stress/op_mod-ConstVar.js:
+        * stress/op_mod-VarConst.js:
+        * stress/op_mod-VarVar.js:
+        * stress/op_mul-ConstVar.js:
+        * stress/op_mul-VarConst.js:
+        * stress/op_mul-VarVar.js:
+        * stress/op_rshift-ConstVar.js:
+        * stress/op_rshift-VarConst.js:
+        * stress/op_rshift-VarVar.js:
+        * stress/op_sub-ConstVar.js:
+        * stress/op_sub-VarConst.js:
+        * stress/op_sub-VarVar.js:
+        * stress/op_urshift-ConstVar.js:
+        * stress/op_urshift-VarConst.js:
+        * stress/op_urshift-VarVar.js:
+        * stress/sampling-profiler-richards.js:
+        * stress/spread-forward-call-varargs-stack-overflow.js:
+
 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()