JSC::createError needs to check for OOM in errorDescriptionForValue
[WebKit-https.git] / JSTests / ChangeLog
index 12c1b78..d7c5ee8 100644 (file)
+2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
+
+        JSC::createError needs to check for OOM in errorDescriptionForValue
+        https://bugs.webkit.org/show_bug.cgi?id=196032
+        <rdar://problem/46842740>
+
+        Reviewed by Mark Lam.
+
+        * stress/create-error-out-of-memory-rope-string.js: Added.
+
+2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Unreviewed, reduce # of iterations to avoid timing out after r242991
+        https://bugs.webkit.org/show_bug.cgi?id=195791
+
+        To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
+
+        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
+
+2019-03-19  Caio Lima  <ticaiolima@gmail.com>
+
+        [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
+        https://bugs.webkit.org/show_bug.cgi?id=195950
+
+        Unreviewed, reducing the amount of memory used on this test to avoid
+        OOM on devices with memory restrictions.
+
+        * microbenchmarks/generate-multiple-llint-entrypoints.js:
+
+2019-03-19  Caio Lima  <ticaiolima@gmail.com>
+
+        [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
+        https://bugs.webkit.org/show_bug.cgi?id=194648
+
+        Reviewed by Keith Miller.
+
+        * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
+
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
+        Missing a ThrowScope release in JSObject::toString().
+        https://bugs.webkit.org/show_bug.cgi?id=195893
+        <rdar://problem/48970986>
+
+        Reviewed by Michael Saboff.
+
+        * stress/to-string-exception-check-release.js: Added.
+
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+
+        Reviewed by Michael Saboff.
+
+        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+
+2019-03-15  Mark Lam  <mark.lam@apple.com>
+
+        Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
+        https://bugs.webkit.org/show_bug.cgi?id=195827
+        <rdar://problem/48845513>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
+
+2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        [ARM,MIPS] Skip slow tests
+        https://bugs.webkit.org/show_bug.cgi?id=195799
+
+        Unreviewed, test does not finish on ARM and MIPS within the
+        timeout limit.
+
+        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
+
+2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
+        https://bugs.webkit.org/show_bug.cgi?id=195791
+        <rdar://problem/48806130>
+
+        Reviewed by Mark Lam.
+
+        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
+        (foo):
+
+2019-03-14  Saam barati  <sbarati@apple.com>
+
+        We can't remove code after ForceOSRExit until after FixupPhase
+        https://bugs.webkit.org/show_bug.cgi?id=186916
+        <rdar://problem/41396612>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
+        (foo):
+        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
+        (foo):
+
+2019-03-13  Michael Saboff  <msaboff@apple.com>
+
+        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
+        https://bugs.webkit.org/show_bug.cgi?id=195735
+
+        Reviewed by Mark Lam.
+
+        New regression test.
+
+        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
+        (foo):
+        (bar):
+
+2019-03-14  Saam barati  <sbarati@apple.com>
+
+        Fixup uses KnownInt32 incorrectly in some nodes
+        https://bugs.webkit.org/show_bug.cgi?id=195279
+        <rdar://problem/47915654>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
+        (foo):
+
+2019-03-14  Keith Miller  <keith_miller@apple.com>
+
+        DFG liveness can't skip tail caller inline frames
+        https://bugs.webkit.org/show_bug.cgi?id=195715
+
+        Reviewed by Saam Barati.
+
+        * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
+        (i.foo):
+
+2019-03-13  Mark Lam  <mark.lam@apple.com>
+
+        Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
+        https://bugs.webkit.org/show_bug.cgi?id=195415
+
+        Not reviewed.
+
+        Changed these tests to only run the default configuration.
+        The ftl-no-cjit-validate-sampling-profiler variant was timing out.
+        There's no strong need to run this test on that variant.
+
+        * stress/dfg-to-string-on-int-does-gc.js:
+        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
+
+2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        String overflow when using StringBuilder in JSC::createError
+        https://bugs.webkit.org/show_bug.cgi?id=194957
+
+        Reviewed by Mark Lam.
+
+        Add test string-overflow-createError-bulder.js that overflows
+        StringBuilder in notAFunctionSourceAppender. The second new test
+        string-overflow-createError-fit.js has an error message that doesn't
+        overflow, it still failed since the String's capacity can't be doubled.
+        Run test string-overflow-createError.js only in the default
+        configuration to reduce memory consumption when running the test
+        in all configurations on multiple CPUs in parallel.
+
+        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
+        (catch):
+        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
+        (catch):
+        * stress/string-overflow-createError.js:
+
+2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] OSR entry should respect abstract values in addition to flush formats
+        https://bugs.webkit.org/show_bug.cgi?id=195653
+
+        Reviewed by Mark Lam.
+
+        * stress/osr-entry-locals-none.js: Added.
+
+2019-03-12  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
+        https://bugs.webkit.org/show_bug.cgi?id=195613
+
+        Reviewed by Mark Lam.
+
+        New regression test.
+
+        * stress/regexp-backref-inbounds.js: Added.
+        (testRegExp):
+
+2019-03-12  Mark Lam  <mark.lam@apple.com>
+
+        The HasIndexedProperty node does GC.
+        https://bugs.webkit.org/show_bug.cgi?id=195559
+        <rdar://problem/48767923>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/HasIndexedProperty-does-gc.js: Added.
+
+2019-03-11  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Implement "~" unary operation
+        https://bugs.webkit.org/show_bug.cgi?id=182216
+
+        Reviewed by Keith Miller.
+
+        * stress/big-int-bit-not-general.js: Added.
+        * stress/big-int-bitwise-not-jit.js: Added.
+        * stress/big-int-bitwise-not-wrapped-value.js: Added.
+        * stress/bit-op-with-object-returning-int32.js:
+        * stress/bitwise-not-fixup-rules.js: Added.
+        * stress/value-bit-not-ai-rule.js: Added.
+
+2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
+
+        Invalid flags in a RegExp literal should be an early SyntaxError
+        https://bugs.webkit.org/show_bug.cgi?id=195514
+
+        Reviewed by Darin Adler.
+
+        * test262/expectations.yaml:
+        Mark 4 test cases as passing.
+
+        * stress/regexp-syntax-error-invalid-flags.js:
+        * stress/regress-161995.js: Removed.
+        Update existing test, merging in an older test for the same behavior.
+
+2019-03-08  Mark Lam  <mark.lam@apple.com>
+
+        Stack overflow crash in JSC::JSObject::hasInstance.
+        https://bugs.webkit.org/show_bug.cgi?id=195458
+        <rdar://problem/48710195>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/stack-overflow-in-custom-hasInstance.js: Added.
+
+2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
+
+        op_check_tdz does not def its argument
+        https://bugs.webkit.org/show_bug.cgi?id=192880
+        <rdar://problem/46221598>
+
+        Reviewed by Saam Barati.
+
+        * microbenchmarks/let-for-in.js: Added.
+        (foo):
+
+2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
+        https://bugs.webkit.org/show_bug.cgi?id=195429
+
+        Reviewed by Saam Barati.
+
+        * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
+        (foo):
+        * stress/string-from-char-code-255.js: Added.
+
+2019-03-06  Mark Lam  <mark.lam@apple.com>
+
+        Fix incorrect handling of try-finally completion values.
+        https://bugs.webkit.org/show_bug.cgi?id=195131
+        <rdar://problem/46222079>
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        Added many permutations of new test case to test-finally.js.  test-finally.js has
+        been run on Chrome and Firefox as a sanity check, and we confirmed that all the
+        tests passes there as well.
+
+        * stress/test-finally.js:
+
+2019-03-06  Saam Barati  <sbarati@apple.com>
+
+        Air::reportUsedRegisters must padInterference
+        https://bugs.webkit.org/show_bug.cgi?id=195303
+        <rdar://problem/48270343>
+
+        Reviewed by Keith Miller.
+
+        * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
+
+2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] AI should not propagate AbstractValue relying on constant folding phase
+        https://bugs.webkit.org/show_bug.cgi?id=195375
+
+        Reviewed by Saam Barati.
+
+        * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
+        (let.array):
+
+2019-03-05  Saam barati  <sbarati@apple.com>
+
+        op_switch_char broken for rope strings after JSRopeString layout rewrite
+        https://bugs.webkit.org/show_bug.cgi?id=195339
+        <rdar://problem/48592545>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/switch-on-char-llint-rope.js: Added.
+
+2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Store bits for JSRopeString in 3 stores
+        https://bugs.webkit.org/show_bug.cgi?id=195234
+
+        Reviewed by Saam Barati.
+
+        * stress/null-rope-and-collectors.js: Added.
+
+2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
+        https://bugs.webkit.org/show_bug.cgi?id=195207
+
+        Unreviewed. After test runtime was reduced in r242213, test can be
+        run again on ARM/MIPS.
+
+        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
+
+2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] sizeof(JSString) should be 16
+        https://bugs.webkit.org/show_bug.cgi?id=194375
+
+        Reviewed by Saam Barati.
+
+        * microbenchmarks/make-rope.js: Added.
+        (makeRope):
+        * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
+        (returnRope.helper): Deleted.
+        (returnRope): Deleted.
+
+2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
+        https://bugs.webkit.org/show_bug.cgi?id=195144
+
+        1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
+        Change the number from 1e8 to 1e5.
+
+        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
+        (foo):
+
+2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        Test times out on ARM/MIPS
+        https://bugs.webkit.org/show_bug.cgi?id=195168
+
+        Unreviewed. Skip test on ARM/MIPS.
+
+        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
+
+2019-02-27  Mark Lam  <mark.lam@apple.com>
+
+        The parser is failing to record the token location of new in new.target.
+        https://bugs.webkit.org/show_bug.cgi?id=195127
+        <rdar://problem/39645578>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
+
+2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
+        https://bugs.webkit.org/show_bug.cgi?id=195144
+        <rdar://problem/47595961>
+
+        Reviewed by Mark Lam.
+
+        * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
+        (bar):
+        (foo):
+        * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
+        (bar):
+        (foo):
+
+2019-02-27  Robin Morisset  <rmorisset@apple.com>
+
+        DFG: Loop-invariant code motion (LICM) should not hoist dead code
+        https://bugs.webkit.org/show_bug.cgi?id=194945
+        <rdar://problem/48311657>
+
+        Reviewed by Mark Lam.
+
+        * stress/licm-dead-code.js: Added.
+
+2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
+        https://bugs.webkit.org/show_bug.cgi?id=194677
+        <rdar://problem/48112492>
+
+        Reviewed by Mark Lam.
+
+        Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
+        This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
+        it immediately fails due the large size.
+
+        After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
+        8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
+        time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
+        OOM error anyway because JSON.stringify's builder overflows with such a large string input.
+
+        This patch changes the test to produce 16bit string from String.fromCharCode.
+
+        * stress/regress-178386.js:
+
+2019-02-26  Mark Lam  <mark.lam@apple.com>
+
+        wasmToJS() should purify incoming NaNs.
+        https://bugs.webkit.org/show_bug.cgi?id=194807
+        <rdar://problem/48189132>
+
+        Reviewed by Saam Barati.
+
+        * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
+
+2019-02-26  Guillaume Emont  <guijemont@igalia.com>
+
+        [JSC] Repeat string created from Array.prototype.join() take too much memory
+        https://bugs.webkit.org/show_bug.cgi?id=193912
+
+        Reviewed by Saam Barati.
+
+        Added a test and a microbenchmark for corner cases of
+        Array.prototype.join() with an uninitialized array.
+
+        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
+        * stress/array-prototype-join-uninitialized.js: Added.
+        (testArray):
+        (testABC):
+        (B):
+        (C):
+
+2019-02-22  Robin Morisset  <rmorisset@apple.com>
+
+        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
+        https://bugs.webkit.org/show_bug.cgi?id=194953
+        <rdar://problem/47595253>
+
+        Reviewed by Saam Barati.
+
+        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
+
+        * stress/has-indexed-property-with-worsening-array-mode.js: Added.
+
+2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
+        https://bugs.webkit.org/show_bug.cgi?id=172848
+        <rdar://problem/25709212>
+
+        Reviewed by Mark Lam.
+
+        * typeProfiler/inheritance.js:
+        Rewrite the test slightly for clarity. The hoisting was confusing.
+
+        * heapProfiler/class-names.js: Added.
+        (MyES5Class):
+        (MyES6Class):
+        (MyES6Subclass):
+        Test object types and improved class names.
+
+        * heapProfiler/driver/driver.js:
+        (CheapHeapSnapshotNode):
+        (CheapHeapSnapshot):
+        (createCheapHeapSnapshot):
+        (HeapSnapshot):
+        (createHeapSnapshot):
+        Update snapshot parsing from version 1 to version 2.
+
+2019-02-19  Truitt Savell  <tsavell@apple.com>
+
+        Unreviewed, rolling out r241784.
+
+        Broke all OpenSource builds.
+
+        Reverted changeset:
+
+        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
+        instances view"
+        https://bugs.webkit.org/show_bug.cgi?id=172848
+        https://trac.webkit.org/changeset/241784
+
+2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
+        https://bugs.webkit.org/show_bug.cgi?id=172848
+        <rdar://problem/25709212>
+
+        Reviewed by Mark Lam.
+
+        * typeProfiler/inheritance.js:
+        Rewrite the test slightly for clarity. The hoisting was confusing.
+
+        * heapProfiler/class-names.js: Added.
+        (MyES5Class):
+        (MyES6Class):
+        (MyES6Subclass):
+        Test object types and improved class names.
+
+        * heapProfiler/driver/driver.js:
+        (CheapHeapSnapshotNode):
+        (CheapHeapSnapshot):
+        (createCheapHeapSnapshot):
+        (HeapSnapshot):
+        (createHeapSnapshot):
+        Update snapshot parsing from version 1 to version 2.
+
+2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        [ARM] Fix crash with sampling profiler
+        https://bugs.webkit.org/show_bug.cgi?id=194772
+
+        Reviewed by Mark Lam.
+
+        Do not skip test since crash with sampling profiler is now fixed.
+
+        * stress/sampling-profiler-richards.js:
+
+2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Add LazyClassStructure::getInitializedOnMainThread
+        https://bugs.webkit.org/show_bug.cgi?id=194784
+        <rdar://problem/48154820>
+
+        Reviewed by Mark Lam.
+
+        * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
+        (getProperties):
+        (getRandomProperty):
+        (i.catch):
+
+2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        [ARM] Test gardening: Test running out of executable memory
+        https://bugs.webkit.org/show_bug.cgi?id=194771
+
+        Unreviewed. Do not run test without LLInt, test is running out of executable
+        memory on ARM otherwise.
+
+        * stress/tagged-template-object-collect.js:
+
+2019-02-18  Tomas Popela  <tpopela@redhat.com>
+
+        Unreviewed, skip the test on platforms without sampling profiler
+
+        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
+        (platformSupportsSamplingProfiler.foo):
+        (platformSupportsSamplingProfiler.test):
+        (platformSupportsSamplingProfiler):
+        (foo): Deleted.
+        (test): Deleted.
+
+2019-02-17  Saam Barati  <sbarati@apple.com>
+
+        Deadlock when adding a Structure property transition and then doing incremental marking
+        https://bugs.webkit.org/show_bug.cgi?id=194767
+
+        Reviewed by Mark Lam.
+
+        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
+
+2019-02-15  Michael Saboff  <msaboff@apple.com>
+
+        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
+        https://bugs.webkit.org/show_bug.cgi?id=194558
+
+        Reviewed by Saam Barati.
+
+        New regression test.
+
+        * stress/regexp-unicode-within-string.js: Added.
+
+2019-02-15  Mark Lam  <mark.lam@apple.com>
+
+        SamplingProfiler::stackTracesAsJSON() should escape strings.
+        https://bugs.webkit.org/show_bug.cgi?id=194649
+        <rdar://problem/48072386>
+
+        Reviewed by Saam Barati.
+
+        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
+        * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
+        * stress/type-profiler-with-double-quote-in-field-name.js: Added.
+        * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
+
+2019-02-15  Robin Morisset  <rmorisset@apple.com>
+        CodeBlock::jettison should clear related watchpoints
+        https://bugs.webkit.org/show_bug.cgi?id=194544
+
+        Reviewed by Mark Lam.
+
+        * stress/regexp-replace-double-watchpoint.js: Added.
+        (foo):
+
+2019-02-15  Saam barati  <sbarati@apple.com>
+
+        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
+        https://bugs.webkit.org/show_bug.cgi?id=194036
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/tail-call-many-arguments.js: Added.
+        (foo):
+        (bar):
+
+2019-02-14  Saam Barati  <sbarati@apple.com>
+
+        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
+        https://bugs.webkit.org/show_bug.cgi?id=194583
+        <rdar://problem/48028140>
+
+        Reviewed by Yusuke Suzuki.
+
+        * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
+
+2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] String.fromCharCode's slow path always generates 16bit string
+        https://bugs.webkit.org/show_bug.cgi?id=194466
+
+        Reviewed by Keith Miller.
+
+        * stress/string-from-char-code-slow-path.js: Added.
+        (shouldBe):
+        (testWithLength):
+
+2019-02-08  Saam barati  <sbarati@apple.com>
+
+        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
+        https://bugs.webkit.org/show_bug.cgi?id=194334
+        <rdar://problem/47844327>
+
+        Reviewed by Mark Lam.
+
+        * stress/check-in-bounds-should-be-a-child-use.js: Added.
+        (func):
+
+2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
+        https://bugs.webkit.org/show_bug.cgi?id=194369
+        <rdar://problem/47813087>
+
+        Reviewed by Saam Barati.
+
+        * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
+        (A):
+
+2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] PrivateName to PublicName hash table is wasteful
+        https://bugs.webkit.org/show_bug.cgi?id=194277
+
+        Reviewed by Michael Saboff.
+
+        This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
+
+        * ChakraCore.yaml:
+
+2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        [ARM] Test running out of executable memory
+        https://bugs.webkit.org/show_bug.cgi?id=194285
+
+        Unreviewed. Do no execute test with LLInt disabled, test runs out of
+        executable memory otherwise.
+
+        * stress/class-subclassing-function.js:
+
+2019-02-04  Robin Morisset  <rmorisset@apple.com>
+
+        when lowering AssertNotEmpty, create the value before creating the patchpoint
+        https://bugs.webkit.org/show_bug.cgi?id=194231
+
+        Reviewed by Saam Barati.
+
+        This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
+        The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
+        So even tiny changes to this test can change the path code taken.
+
+        * stress/assert-not-empty.js: Added.
+        (foo):
+
+2019-02-01  Mark Lam  <mark.lam@apple.com>
+
+        Remove invalid assertion in DFG's compileDoubleRep().
+        https://bugs.webkit.org/show_bug.cgi?id=194130
+        <rdar://problem/47699474>
+
+        Reviewed by Saam Barati.
+
+        * stress/constant-fold-double-rep-into-double-constant.js: Added.
+
+2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
+
+        Import latest Test262 updates.
+
+        Rubber-stamped by Keith Miller.
+
+        * test262.yaml: Deleted.
+        * test262/config.yaml:
+        * test262/expectations.yaml:
+        * test262/latest-changes-summary.txt:
+        * test262/test/:
+        * test262/test262-Revision.txt:
+
+2019-01-30  Robin Morisset  <rmorisset@apple.com>
+
+        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
+        https://bugs.webkit.org/show_bug.cgi?id=194050
+        <rdar://problem/47595592>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/object-keys-osr-exit.js: Added.
+        (foo):
+        (catch):
+
+2019-01-29  Mark Lam  <mark.lam@apple.com>
+
+        ValueRecovery::recover() should purify NaN values it recovers.
+        https://bugs.webkit.org/show_bug.cgi?id=193978
+        <rdar://problem/47625488>
+
+        Reviewed by Saam Barati.
+
+        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
+
+2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
+        https://bugs.webkit.org/show_bug.cgi?id=193713
+
+        * stress/try-get-by-id-should-spill-registers-dfg.js:
+        (let.f.createBuiltin):
+
+2019-01-28  Mark Lam  <mark.lam@apple.com>
+
+        ToString node actually does GC.
+        https://bugs.webkit.org/show_bug.cgi?id=193920
+        <rdar://problem/46695900>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/dfg-to-string-on-int-does-gc.js: Added.
+        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
+        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
+
+2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] NativeErrorConstructor should not have own IsoSubspace
+        https://bugs.webkit.org/show_bug.cgi?id=193713
+
+        Reviewed by Saam Barati.
+
+        Remove @Error use.
+
+        * stress/try-get-by-id-should-spill-registers-dfg.js:
+        (let.f.createBuiltin):
+
+2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
+        https://bugs.webkit.org/show_bug.cgi?id=190693
+
+        Reviewed by Michael Saboff.
+
+        * stress/regress-190693.js: Added.
+        (truth):
+        (assert):
+        (shouldThrowInvalidConstAssignment):
+        (taz):
+
+2019-01-24  Saam Barati  <sbarati@apple.com>
+
+        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
+        https://bugs.webkit.org/show_bug.cgi?id=193751
+        <rdar://problem/47280215>
+
+        Reviewed by Michael Saboff.
+
+        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
+        (let.thing):
+        (foo.let.hello):
+        (foo):
+
+2019-01-24  Guillaume Emont  <guijemont@igalia.com>
+
+        [JSC] Reenable baseline JIT on mips
+        https://bugs.webkit.org/show_bug.cgi?id=192983
+
+        Reviewed by Mark Lam.
+
+        Added a new test for a case that was triggering a RELEASE_ASSERT when
+        testing.
+        Disable some slow tests that were already disabled for arm and x86.
+
+        * stress/json-parse-big-object.js: Added.
+        * stress/new-largeish-contiguous-array-with-size.js:
+        * stress/op_add.js:
+        * stress/op_bitand.js:
+        * stress/op_bitor.js:
+        * stress/op_bitxor.js:
+        * stress/op_lshift-ConstVar.js:
+        * stress/op_lshift-VarConst.js:
+        * stress/op_lshift-VarVar.js:
+        * stress/op_mod-ConstVar.js:
+        * stress/op_mod-VarConst.js:
+        * stress/op_mod-VarVar.js:
+        * stress/op_mul-ConstVar.js:
+        * stress/op_mul-VarConst.js:
+        * stress/op_mul-VarVar.js:
+        * stress/op_rshift-ConstVar.js:
+        * stress/op_rshift-VarConst.js:
+        * stress/op_rshift-VarVar.js:
+        * stress/op_sub-ConstVar.js:
+        * stress/op_sub-VarConst.js:
+        * stress/op_sub-VarVar.js:
+        * stress/op_urshift-ConstVar.js:
+        * stress/op_urshift-VarConst.js:
+        * stress/op_urshift-VarVar.js:
+        * stress/sampling-profiler-richards.js:
+        * stress/spread-forward-call-varargs-stack-overflow.js:
+
+2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
+        https://bugs.webkit.org/show_bug.cgi?id=193711
+        <rdar://problem/47250262>
+
+        Reviewed by Saam Barati.
+
+        * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
+        (shouldBe):
+        (foo):
+        (bar):
+        (baz):
+
+2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Unreviewed, fix initial global lexical binding epoch
+        https://bugs.webkit.org/show_bug.cgi?id=193603
+        <rdar://problem/47380869>
+
+        * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
+        (f1.f2.f3.f4):
+        (f1.f2.f3):
+        (f1.f2):
+        (f1):
+
+2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
+        https://bugs.webkit.org/show_bug.cgi?id=193709
+        <rdar://problem/47363838>
+
+        Unreviewed, rollout to watch the tests.
+
+        * stress/object-tostring-changed-proto.js: Removed.
+        * stress/object-tostring-changed.js: Removed.
+        * stress/object-tostring-misc.js: Removed.
+        * stress/object-tostring-other.js: Removed.
+        * stress/object-tostring-untyped.js: Removed.
+
+2019-01-22  Saam Barati  <sbarati@apple.com>
+
+        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
+
+        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
+        (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
+        (testUncheckedLessThanZero):
+        (testUncheckedLessThanOrEqualZero):
+        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
+        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
+
+2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Invalidate old scope operations using global lexical binding epoch
+        https://bugs.webkit.org/show_bug.cgi?id=193603
+        <rdar://problem/47380869>
+
+        Reviewed by Saam Barati.
+
+        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
+        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
+        (shouldThrow):
+        (bar):
+        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
+        (shouldBe):
+        (get1):
+        (get2):
+        (get1If):
+        (get2If):
+        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
+        (shouldThrow):
+        (foo):
+
+2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Unreviewed, roll out r240220 due to date-format-xparb regression
+        https://bugs.webkit.org/show_bug.cgi?id=193603
+
+        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
+        * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
+        * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
+        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
+
+2019-01-21  Caio Lima  <ticaiolima@gmail.com>
+
+        DoesGC rule is wrong for nodes with BigIntUse
+        https://bugs.webkit.org/show_bug.cgi?id=193652
+
+        Reviewed by Saam Barati.
+
+        * stress/big-int-value-op-update-gc-rules.js: Added.
+        (assert):
+        (doesGCAdd):
+        (doesGCSub):
+        (doesGCDiv):
+        (doesGCMul):
+        (doesGCBitAnd):
+        (doesGCBitOr):
+        (doesGCBitXor):
+
+2019-01-20  Saam Barati  <sbarati@apple.com>
+
+        DFG: When inlining DataView set* intrinsics we need to set undefined as our result
+        https://bugs.webkit.org/show_bug.cgi?id=193644
+        <rdar://problem/46209745>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
+        (foo):
+        * stress/data-view-set-intrinsic-undefined-result.js: Added.
+        (foo):
+        (bar):
+
+2019-01-20  Saam Barati  <sbarati@apple.com>
+
+        MovHint must merge NodeBytecodeUsesAsValue for its child
+        https://bugs.webkit.org/show_bug.cgi?id=186916
+        <rdar://problem/41396612>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
+        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
+
+2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Invalidate old scope operations using global lexical binding epoch
+        https://bugs.webkit.org/show_bug.cgi?id=193603
+        <rdar://problem/47380869>
+
+        Reviewed by Saam Barati.
+
+        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
+        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
+        (shouldThrow):
+        (bar):
+        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
+        (shouldBe):
+        (get1):
+        (get2):
+        (get1If):
+        (get2If):
+        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
+        (shouldThrow):
+        (foo):
+
+2019-01-17  Saam barati  <sbarati@apple.com>
+
+        StringObjectUse should not be a structure check for the original string object structure
+        https://bugs.webkit.org/show_bug.cgi?id=193483
+        <rdar://problem/47280522>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
+        (foo):
+        (a.valueOf.0):
+
+2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        [JSC] ToThis omission in DFGByteCodeParser is wrong
+        https://bugs.webkit.org/show_bug.cgi?id=193513
+        <rdar://problem/45842236>
+
+        Reviewed by Saam Barati.
+
+        * stress/to-this-omission-with-different-strict-modes.js: Added.
+        (thisA):
+        (thisAStrictWrapper):
+
+2019-01-15  Mark Lam  <mark.lam@apple.com>
+
+        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
+        https://bugs.webkit.org/show_bug.cgi?id=193423
+        <rdar://problem/46209355>
+
+        Reviewed by Saam Barati.
+
+        * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
+        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
+        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
+        * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
+
+2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
+        https://bugs.webkit.org/show_bug.cgi?id=193438
+        <rdar://problem/45581249>
+
+        Reviewed by Saam Barati and Keith Miller.
+
+        Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
+        Then, GetByVal(String) crashed.
+
+        * stress/string-get-by-val-lowering.js: Added.
+        (shouldBe):
+        (test):
+        * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
+        (Hello):
+        (foo):
+
+2019-01-15  Tomas Popela  <tpopela@redhat.com>
+
+        Unreviewed, skip JIT tests if it's not enabled
+
+        * stress/bit-op-with-object-returning-int32.js:
+
+2019-01-15  Caio Lima  <ticaiolima@gmail.com>
+
+        DFGByteCodeParser rules for bitwise operations should consider type of their operands
+        https://bugs.webkit.org/show_bug.cgi?id=192966
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/bit-op-with-object-returning-int32.js: Added.
+
+2019-01-15  Guillaume Emont  <guijemont@igalia.com>
+
+        Skip a slow test and a flakey test on arm
+
+        Unreviewed gardening.
+
+        * typeProfiler/getter-richards.js:
+        this test always times out, it used to be always skipped on arm and
+        mips, but got accidentally enabled by r237919 now that we have DFG on
+        arm. Also skipping on mips as we plan to soon enable DFG for it too.
+
+2019-01-14  Keith Miller  <keith_miller@apple.com>
+
+        Skip type-check-hoisting-phase-hoist... with no jit
+        https://bugs.webkit.org/show_bug.cgi?id=193421
+
+        Reviewed by Mark Lam.
+
+        It's timing out the 32-bit bots and takes 330 seconds
+        on my machine when run by itself.
+
+        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
+
+2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        [JSC] AI should check the given constant's array type when folding GetByVal into constant
+        https://bugs.webkit.org/show_bug.cgi?id=193413
+        <rdar://problem/46092389>
+
+        Reviewed by Keith Miller.
+
+        This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
+        It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
+        without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
+        but GetByVal does not have appropriate ArrayModes, JSC crashes.
+
+        * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
+        (compareArray):
+
+2019-01-14  Caio Lima  <ticaiolima@gmail.com>
+
+        [BigInt] Literal parsing is crashing when used inside a Object Literal
+        https://bugs.webkit.org/show_bug.cgi?id=193404
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/big-int-literal-inside-literal-object.js: Added.
+
+2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
+        https://bugs.webkit.org/show_bug.cgi?id=193372
+
+        Reviewed by Saam Barati.
+
+        * stress/typed-array-array-modes-profile.js: Added.
+        (foo):
+
+2019-01-14  Mark Lam  <mark.lam@apple.com>
+
+        Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
+        https://bugs.webkit.org/show_bug.cgi?id=193402
+        <rdar://problem/46012309>
+
+        Reviewed by Keith Miller.
+
+        * stress/regexp-compile-oom.js:
+        - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
+          is enabled.  As a result, it will fail on cloop builds though there is no bug.
+
+2019-01-11  Saam barati  <sbarati@apple.com>
+
+        DFG combined liveness can be wrong for terminal basic blocks
+        https://bugs.webkit.org/show_bug.cgi?id=193304
+        <rdar://problem/45268632>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
+
+2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
+        https://bugs.webkit.org/show_bug.cgi?id=193308
+        <rdar://problem/45546542>
+
+        Reviewed by Saam Barati.
+
+        * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        (get shouldThrow):
+        * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        (get shouldBe):
+        (get shouldThrow):
+        (get return):
+        * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        (get shouldBe):
+        (get shouldThrow):
+        * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
+        (shouldThrow):
+        * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
+        (shouldThrow):
+        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        (get shouldBe):
+        (get shouldThrow):
+        (get return):
+        * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        (get shouldBe):
+        (get shouldThrow):
+        * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+        * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
+        (shouldThrow):
+        (shouldBe):
+        (foo):
+
+2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        Enable DFG on ARM/Linux again
+        https://bugs.webkit.org/show_bug.cgi?id=192496
+
+        Reviewed by Yusuke Suzuki.
+
+        Test wasn't really skipped before moving the line with skip
+        to the top.
+
+        * stress/regress-192717.js:
+
+2019-01-10  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r239825.
+        https://bugs.webkit.org/show_bug.cgi?id=193330
+
+        Broke tests on armv7/linux bots (Requested by guijemont on
+        #webkit).
+
+        Reverted changeset:
+
+        "Enable DFG on ARM/Linux again"
+        https://bugs.webkit.org/show_bug.cgi?id=192496
+        https://trac.webkit.org/changeset/239825
+
+2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
+
+        Enable DFG on ARM/Linux again
+        https://bugs.webkit.org/show_bug.cgi?id=192496
+
+        Reviewed by Yusuke Suzuki.
+
+        Test wasn't really skipped before moving the line with skip
+        to the top.
+
+        * stress/regress-192717.js:
+
+2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
+        https://bugs.webkit.org/show_bug.cgi?id=193127
+
+        Reviewed by Saam Barati.
+
+        * stress/array-species-create-should-handle-masquerader.js: Added.
+        (shouldThrow):
+        * stress/is-undefined-or-null-builtin.js: Added.
+        (shouldBe):
+        (isUndefinedOrNull.vm.createBuiltin):
+
+2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
+
+        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
+        https://bugs.webkit.org/show_bug.cgi?id=193221
+
+        Reviewed by Mark Lam.
+
+        * stress/put-by-id-flags.js: Added.
+        (f):
+        (g):
+        (numberOfDFGCompiles):
+
 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
 
         Baseline version of get_by_id may corrupt metadata
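Review bot: In the 2019-01-15 Guillaume Emont entry, the title says "Skip a slow test and a flakey test on arm", but only typeProfiler/getter-richards.js is listed and its description covers only the test that always times out, so the flaky test is never named. Either list the second file with a one-line reason, or, if that test lives outside JSTests, reword the title in this ChangeLog so it matches the single file touched. Separately, the 2019-01-22 "Rollout r240223" entry and the 2019-01-15 "skip JIT tests if it's not enabled" entry carry no bugs.webkit.org URL, while the other rollout entries in this hunk (r240220, r239825, the r239612 regression) do; adding one would make the JetStream2 regression and the skip decision traceable.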