blob: 991c0997f668b7a3c5e1eab1b124200e5e43d547 [file] [log] [blame]
2019-10-08 Ross Kirsling <ross.kirsling@sony.com>
Update test262 (2019.10.08).
Rubber-stamped by Keith Miller.
* test262/config.yaml:
* test262/expectations.yaml:
* test262/latest-changes-summary.txt:
* test262/test/:
* test262/test262-Revision.txt:
2019-10-07 Saam Barati <sbarati@apple.com>
Allow OSR exit to the LLInt
https://bugs.webkit.org/show_bug.cgi?id=197993
Reviewed by Tadeu Zagallo.
* stress/exit-from-getter-by-val.js: Added.
* stress/exit-from-setter-by-val.js: Added.
2019-10-07 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r250750.
Reverting change as this broke interal test over the weekend.
Reverted changeset:
"Allow OSR exit to the LLInt"
https://bugs.webkit.org/show_bug.cgi?id=197993
https://trac.webkit.org/changeset/250750
2019-10-04 Saam Barati <sbarati@apple.com>
Allow OSR exit to the LLInt
https://bugs.webkit.org/show_bug.cgi?id=197993
Reviewed by Tadeu Zagallo.
* stress/exit-from-getter-by-val.js: Added.
* stress/exit-from-setter-by-val.js: Added.
2019-10-04 Paulo Matos <pmatos@igalia.com>
Revert regexp test skip on armv7l and mips
https://bugs.webkit.org/show_bug.cgi?id=202310
Reviewed by Žan Doberšek.
Test was skipped in bug 202113 on armv7l and mips due to bug 202041.
Bug 202041 is fixed and change of bug 202113 can be reverted.
* stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
2019-10-02 Mark Lam <mark.lam@apple.com>
DoubleToStringConverter::ToExponential() should null terminate its string.
https://bugs.webkit.org/show_bug.cgi?id=202492
<rdar://problem/55907708>
Reviewed by Filip Pizlo.
* stress/dtoa-AddSubstring-should-uses-strnlen-in-assertion.js: Added.
2019-10-02 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] AsyncGenerator should have internal fields
https://bugs.webkit.org/show_bug.cgi?id=201498
Reviewed by Saam Barati.
* stress/async-generator-construct-failure.js: Added.
(shouldThrow):
(async.gen):
(TypeError):
* stress/async-generator-prototype-change.js: Added.
(shouldBe):
(async.gen):
* stress/async-generator-prototype-closure.js: Added.
(shouldBe):
(test.async.gen):
(test):
* stress/create-async-generator.js: Added.
(shouldBe):
(test.async.generator):
(test):
2019-10-01 Saam Barati <sbarati@apple.com>
ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
https://bugs.webkit.org/show_bug.cgi?id=199361
<rdar://problem/52454940>
Reviewed by Yusuke Suzuki.
* stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
(main.fn):
(main.executor):
(main):
* stress/allocation-sinking-hints-are-valid-ssa.js: Added.
(main.fn):
(main.executor):
(main):
2019-10-01 Keith Miller <keith_miller@apple.com>
skip test until we figure out why it's timing out
https://bugs.webkit.org/show_bug.cgi?id=202423
Reviewed by Mark Lam.
new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
Let's skip it until we figure out what's going on.
* stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
2019-10-01 Keith Miller <keith_miller@apple.com>
Mark toctou test as skipped on debug builds
https://bugs.webkit.org/show_bug.cgi?id=202420
Reviewed by Saam Barati.
Keeps timing out... Let's just skip it.
* stress/toctou-having-a-bad-time-new-array.js:
2019-10-01 Keith Miller <keith_miller@apple.com>
Test262 update
Rubber-stamped by Michael Saboff.
Note, this was too big to effectivetly put on bugzilla as it's a 10MB patch...
* test262/*:
2019-10-01 Michael Saboff <msaboff@apple.com> and Paulo Matos <pmatos@igalia.com>
[YARR] Properly handle surrogates when matching back references
https://bugs.webkit.org/show_bug.cgi?id=202041
Reviewed by Keith Miller.
Unchanged from the workin progress patch posted by Paulo Matos <pmatos@igalia.com>.
Updated test.
* stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
(testRegExpNotMatch):
2019-10-01 Keith Miller <keith_miller@apple.com>
Add support for the Wasm multi-value proposal
https://bugs.webkit.org/show_bug.cgi?id=202250
Reviewed by Saam Barati.
This patch adds a new way to run stress tests via the .wat text
format. By attaching an asm.js compiled version of the wabt tool
we can easily create wat files programatically and convert them
into a wasm blob to compile. To make this easy there is a
wabt-wrapper.js module file that exports two useful functions that
correspond to WebAssembly.compile and WebAssembly.instantiate.
* wasm.yaml:
* wasm/function-tests/if-no-else-non-void.js:
* wasm/js-api/web-assembly-instantiate.js:
(assert.asyncTest.async.test):
(assert.asyncTest):
* wasm/libwabt.js: Added.
(WabtModule):
(set get if):
* wasm/references/func_ref.js:
* wasm/references/validation.js:
(assert.throws):
* wasm/spec-harness/index.js:
* wasm/spec-tests/block.wast.js:
* wasm/spec-tests/br.wast.js:
* wasm/spec-tests/br_if.wast.js:
* wasm/spec-tests/call.wast.js:
* wasm/spec-tests/call_indirect.wast.js:
* wasm/spec-tests/func.wast.js:
* wasm/spec-tests/if.wast.js:
* wasm/spec-tests/loop.wast.js:
* wasm/spec-tests/type.wast.js:
* wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
(buildWat):
* wasm/stress/js-wasm-js-varying-arities.js: Added.
(paramForwarder):
* wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
(buildWat):
* wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
(buildWat.throwError):
(buildWat.throwErrorInIterator):
(buildWat.tooManyValues):
(buildWat.tooFewValues):
(buildWat):
* wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
(buildWat):
* wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
(buildWat):
* wasm/wabt-wrapper.js: Added.
(export.compile):
* wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
* wasm/wast-tests/br-if-at-end-of-block.wast: Added.
* wasm/wast-tests/harness.js:
(async.runWasmFile):
* wasm/wast-tests/single-param-loop-signature.wasm: Added.
* wasm/wast-tests/single-param-loop-signature.wast: Added.
2019-09-30 Tadeu Zagallo <tzagallo@apple.com>
Make assertion in JSObject::putOwnDataProperty more precise
https://bugs.webkit.org/show_bug.cgi?id=202379
<rdar://problem/49515980>
Reviewed by Yusuke Suzuki.
* stress/object-assign-target-proto-setter.js: Added.
(get Object):
2019-09-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
https://bugs.webkit.org/show_bug.cgi?id=202389
<rdar://problem/50717564>
Reviewed by Mark Lam.
* stress/heap-analyzer-taking-lock.js: Added.
2019-09-30 Saam Barati <sbarati@apple.com>
Inline caching is wrong for custom accessors and custom values
https://bugs.webkit.org/show_bug.cgi?id=201994
<rdar://problem/50850326>
Reviewed by Yusuke Suzuki.
* microbenchmarks/custom-accessor-materialized.js: Added.
(assert):
(test4.get const):
* microbenchmarks/custom-accessor-thin-air.js: Added.
(assert):
(test5.get const):
(test5.get proto):
* microbenchmarks/custom-accessor.js: Added.
(assert):
(test3.get const):
* microbenchmarks/custom-value-2.js: Added.
(assert):
(test1.getMultiline):
(test1):
* microbenchmarks/custom-value.js: Added.
(assert):
(test1.getMultiline):
(test1):
* stress/custom-accessor-delete-1.js: Added.
(assert):
(test3.get const):
* stress/custom-accessor-delete-2.js: Added.
(assert):
(test4.get const):
* stress/custom-accessor-delete-3.js: Added.
(assert):
(test5.get const):
(test5.get proto):
* stress/custom-value-delete-property-1.js: Added.
(assert):
(test1.getMultiline):
(test1):
* stress/custom-value-delete-property-2.js: Added.
(test2.foo):
(test2):
* stress/custom-value-delete-property-3.js: Added.
(test6.foo):
(test6):
2019-09-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
https://bugs.webkit.org/show_bug.cgi?id=202382
<rdar://problem/52669112>
Reviewed by Saam Barati.
* stress/compare-eq-bool-number-folding.js: Added.
(test):
2019-09-27 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
https://bugs.webkit.org/show_bug.cgi?id=202330
Reviewed by Saam Barati.
* stress/to-lower-case-gc-stress.js: Added.
2019-09-27 Alexey Shvayka <shvaikalesh@gmail.com>
Non-standard Error properties should not be enumerable
https://bugs.webkit.org/show_bug.cgi?id=198975
Reviewed by Ross Kirsling.
* ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
* microbenchmarks/let-for-in.js: Adjust test.
* test262/expectations.yaml: Mark 6 test cases as passing.
2019-09-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
https://bugs.webkit.org/show_bug.cgi?id=202299
<rdar://problem/52669116>
Reviewed by Saam Barati.
* stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
(foo):
(test):
* stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
(foo):
(C1.prototype.baz):
(C1):
(bar):
(noInline.bar.goo):
(C2.prototype.baz):
(C2):
(test):
2019-09-26 Alexey Shvayka <shvaikalesh@gmail.com>
toExponential, toFixed, and toPrecision should allow arguments up to 100
https://bugs.webkit.org/show_bug.cgi?id=199163
Reviewed by Ross Kirsling.
* ChakraCore/test/Number/toString_3.baseline-jsc:
* ChakraCore/test/es5/exceptions3.baseline-jsc:
* test262/expectations.yaml: Mark 6 test cases as passing.
2019-09-24 Alexey Shvayka <shvaikalesh@gmail.com>
[ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined
https://bugs.webkit.org/show_bug.cgi?id=154376
Reviewed by Ross Kirsling.
Adds 2 test cases:
1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
* stress/proxy-get-own-property.js:
2019-09-24 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add ValueBitRShift into DFG
https://bugs.webkit.org/show_bug.cgi?id=192663
Reviewed by Robin Morisset.
* stress/big-int-right-shift-jit-osr.js: Added.
* stress/big-int-right-shift-jit-untyped.js: Added.
* stress/big-int-right-shift-jit.js: Added.
* stress/value-rshift-ai-rule.js: Added.
2019-09-23 Ross Kirsling <ross.kirsling@sony.com>
Array methods should throw TypeError upon attempting to modify a string
https://bugs.webkit.org/show_bug.cgi?id=201910
Reviewed by Keith Miller.
* stress/array-methods-should-not-modify-string.js: Added.
* mozilla/js1_6/Array/regress-304828.js:
Fix test. Original copy was changed similarly seven years ago:
https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
* stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
2019-09-23 Mark Lam <mark.lam@apple.com>
Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
https://bugs.webkit.org/show_bug.cgi?id=202122
<rdar://problem/55535249>
Reviewed by Yusuke Suzuki.
* stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
2019-09-23 Caio Lima <ticaiolima@gmail.com>
Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
https://bugs.webkit.org/show_bug.cgi?id=202113
Unreviewed test gardening, skipped test in ARMv7 and MIPS.
It is going to be fixed in
https://bugs.webkit.org/show_bug.cgi?id=202041
* stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
2019-09-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
https://bugs.webkit.org/show_bug.cgi?id=202072
Reviewed by Mark Lam.
* stress/int52rep-with-double-checks-int52-range.js: Added.
(shouldBe):
(test):
2019-09-21 Caio Lima <ticaiolima@gmail.com>
stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
https://bugs.webkit.org/show_bug.cgi?id=202011
Reviewed by Mark Lam.
We are skipping this test into MIPS and ARMv7 because some of its assumptions
are not valid for them. The current behavior of the test in those architectures
is that it does not throw during `new ArrayBuffer(1000)` allocation site,
because eden collection keeps happening between iterations. The collection
is triggered on those architectures because the amount of stress
`new Promise` generates into GC limits is not enough to avoid them
while loop is executing.
Changing the size of `UInt8Array` from `80000000` to `160000000` can
be an alternative fix to avoid collection happening during `ArrayBuffer`
allocation loop, but we can't guarantee this test is always going to execute
without error when Gigacage is disabled, given we can reach an OOM state in
some allocations that need to succeed, making this test flaky for those
architectures.
* stress/test-out-of-memory.js:
2019-09-21 Tadeu Zagallo <tzagallo@apple.com>
AccessCase should strongly visit its dependencies while on stack
https://bugs.webkit.org/show_bug.cgi?id=201986
<rdar://problem/55521953>
Reviewed by Saam Barati and Yusuke Suzuki.
* stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
(foo):
(warmup):
2019-09-20 Saam Barati <sbarati@apple.com>
Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
* stress/toctou-having-a-bad-time-new-array.js:
2019-09-19 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
https://bugs.webkit.org/show_bug.cgi?id=202014
Reviewed by Saam Barati.
* stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
(__v0):
2019-09-19 Tadeu Zagallo <tzagallo@apple.com>
Syntax checker should report duplicate __proto__ properties
https://bugs.webkit.org/show_bug.cgi?id=201897
<rdar://problem/53201788>
Reviewed by Mark Lam.
* stress/syntax-checker-duplicate-underscore-proto.js: Added.
(catch):
2019-09-18 Saam Barati <sbarati@apple.com>
TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
https://bugs.webkit.org/show_bug.cgi?id=201953
<rdar://problem/53803524>
Reviewed by Yusuke Suzuki.
* stress/toctou-having-a-bad-time-new-array.js: Added.
(let.code):
2019-09-18 Saam Barati <sbarati@apple.com>
Phantom insertion phase may disagree with arguments forwarding about live ranges
https://bugs.webkit.org/show_bug.cgi?id=200715
<rdar://problem/54301717>
Reviewed by Yusuke Suzuki.
* stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
(main.v23):
(main.try.v43):
(main.):
(main):
2019-09-17 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Generator should have internal fields
https://bugs.webkit.org/show_bug.cgi?id=201159
Reviewed by Keith Miller.
* stress/create-generator.js: Added.
(shouldBe):
(test.generator):
(test):
* stress/generator-construct-failure.js: Added.
(shouldThrow):
(TypeError):
* stress/generator-prototype-change.js: Added.
(shouldBe):
(gen):
* stress/generator-prototype-closure.js: Added.
(shouldBe):
(test.gen):
(test):
* stress/object-assign-fast-path.js:
2019-09-17 Yusuke Suzuki <ysuzuki@apple.com>
Follow-up after String.codePointAt optimization
https://bugs.webkit.org/show_bug.cgi?id=201889
Reviewed by Saam Barati.
* stress/string-char-at-bad-type.js: Added.
(shouldBe):
(object.toString):
(test):
* stress/string-char-code-at-bad-type.js: Added.
(shouldBe):
(object.toString):
(test):
* stress/string-code-point-at-bad-type.js: Added.
(shouldBe):
(object.toString):
(test):
2019-09-17 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] CheckArray+NonArray is not filtering out Array in AI
https://bugs.webkit.org/show_bug.cgi?id=201857
<rdar://problem/54194820>
Reviewed by Keith Miller.
* stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
(foo):
2019-09-17 Saam Barati <sbarati@apple.com>
CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
https://bugs.webkit.org/show_bug.cgi?id=201853
<rdar://problem/53805461>
Reviewed by Yusuke Suzuki.
* stress/direct-arguments-check-array-filter-type.js: Added.
(foo):
2019-09-16 Tadeu Zagallo <tzagallo@apple.com>
Wasm StreamingParser should validate that number of functions matches number of declarations
https://bugs.webkit.org/show_bug.cgi?id=201850
<rdar://problem/55290186>
Reviewed by Yusuke Suzuki.
* wasm/regress/validate-number-of-functions-match-declarations.js: Added.
(catch):
2019-09-16 Michael Saboff <msaboff@apple.com>
[JSC] Perform check again when we found non-BMP characters
https://bugs.webkit.org/show_bug.cgi?id=201647
Reviewed by Yusuke Suzuki.
* stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
* stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
(testRegExpInbounds):
2019-09-16 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Add missing syntax errors for await in function parameter default expressions
https://bugs.webkit.org/show_bug.cgi?id=201615
Reviewed by Darin Adler.
* stress/async-await-reserved-word.js:
* stress/async-await-syntax.js:
Add test cases.
* test262/expectations.yaml:
Mark newly-passing test cases.
2019-09-16 Saam Barati <sbarati@apple.com>
JSObject::putInlineSlow should not ignore "__proto__" for Proxy
https://bugs.webkit.org/show_bug.cgi?id=200386
<rdar://problem/53854946>
Reviewed by Yusuke Suzuki.
* stress/proxy-__proto__-in-prototype-chain.js: Added.
* stress/proxy-property-replace-structure-transition.js: Added.
2019-09-13 Alexey Shvayka <shvaikalesh@gmail.com>
Date.prototype.toJSON does not execute steps 1-2
https://bugs.webkit.org/show_bug.cgi?id=105282
Reviewed by Ross Kirsling.
* test262/expectations.yaml: Mark 2 test cases as passing.
2019-09-12 Mark Lam <mark.lam@apple.com>
Harden JSC against the abuse of runtime options.
https://bugs.webkit.org/show_bug.cgi?id=201597
<rdar://problem/55167068>
Reviewed by Filip Pizlo.
Remove the call to forceGCSlowPaths(). This utility function will be removed.
The modern way to set the required option is to use //@ requireOptions.
* stress/ftl-try-catch-oom-error-lazy-slow-path.js:
2019-09-11 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add StringCodePointAt intrinsic
https://bugs.webkit.org/show_bug.cgi?id=201673
Reviewed by Michael Saboff.
* stress/string-char-at-constant-index-out-of-range.js: Added.
(shouldBe):
(test):
* stress/string-char-code-at-constant-index-out-of-range.js: Added.
(shouldBe):
(test):
* stress/string-code-point-at--out-of-range.js: Added.
(shouldBe):
(test):
* stress/string-code-point-at-basic.js: Added.
(test):
* stress/string-code-point-at-constant-index-out-of-range.js: Added.
(shouldBe):
(test):
* stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
(shouldBe):
(test):
* stress/string-code-point-at-constant-surrogate-pair.js: Added.
(shouldBe):
(test):
(breaking):
* stress/string-code-point-at-surrogate-pair.js: Added.
(shouldBe):
* stress/string-code-point-at.js: Added.
(shouldBe):
2019-09-10 Michael Saboff <msaboff@apple.com>
JSC crashes due to stack overflow while building RegExp
https://bugs.webkit.org/show_bug.cgi?id=201649
Reviewed by Yusuke Suzuki.
New regression test.
* stress/regexp-bol-optimize-out-of-stack.js: Added.
(test):
(catch):
2019-09-10 Yusuke Suzuki <ysuzuki@apple.com>
[WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
https://bugs.webkit.org/show_bug.cgi?id=189043
Reviewed by Keith Miller.
The offset performing the validation becomes a bit different.
The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
* wasm/js-api/version.js:
2019-09-07 Keith Miller <keith_miller@apple.com>
OSR entry into wasm misses some contexts
https://bugs.webkit.org/show_bug.cgi?id=201569
Reviewed by Yusuke Suzuki.
Add a new harness and wast and the generated wasm file for
testing. The idea long term is to make it easy to test by creating
a C file and converting it to a wast then modify that to produce a
test.
* wasm.yaml:
* wasm/wast-tests/harness.js: Added.
(async.runWasmFile):
* wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
* wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
* wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
* wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
* wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
* wasm/wast-tests/osr-entry-inner-loop.wast: Added.
* wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
* wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
2019-09-09 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Promise resolve/reject functions should be created more efficiently
https://bugs.webkit.org/show_bug.cgi?id=201488
Reviewed by Mark Lam.
* microbenchmarks/promise-creation-many.js: Added.
(executor):
2019-09-09 Zan Dobersek <zdobersek@igalia.com>
Unreviewed JSC test gardening.
* stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
This test allocates a 2GB string before it goes out and tests
out-of-memory exception when appending other strings to it. As such,
skip the test on memory-limited platforms.
2019-09-07 Mark Lam <mark.lam@apple.com>
The jsc shell should allow disabling of the Gigacage for testing purposes.
https://bugs.webkit.org/show_bug.cgi?id=201579
Reviewed by Michael Saboff.
Unskip the tests now.
* stress/disable-gigacage-arrays.js:
* stress/disable-gigacage-strings.js:
* stress/disable-gigacage-typed-arrays.js:
2019-09-07 Mark Lam <mark.lam@apple.com>
Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
Not reviewed.
See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
* stress/disable-gigacage-arrays.js:
* stress/disable-gigacage-strings.js:
* stress/disable-gigacage-typed-arrays.js:
2019-09-07 Mark Lam <mark.lam@apple.com>
Gardening: speculative test fix to green bots [attempt #2].
https://bugs.webkit.org/show_bug.cgi?id=201529
<rdar://problem/53935772>
Not reviewed.
* stress/test-out-of-memory.js:
2019-09-06 Mark Lam <mark.lam@apple.com>
Gardening: speculative test fix to green bots.
https://bugs.webkit.org/show_bug.cgi?id=201529
<rdar://problem/53935772>
Not reviewed.
* stress/test-out-of-memory.js:
2019-09-06 Ross Kirsling <ross.kirsling@sony.com>
Math.round() produces wrong result for value prior to 0.5
https://bugs.webkit.org/show_bug.cgi?id=185115
Reviewed by Saam Barati.
* stress/math-round-basics.js:
Add positive/negative test cases.
* test262/expectations.yaml:
Mark test passing.
2019-09-06 Mark Lam <mark.lam@apple.com>
Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
https://bugs.webkit.org/show_bug.cgi?id=201551
Reviewed by Tadeu Zagallo.
Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
* stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
* wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
2019-09-06 Mark Lam <mark.lam@apple.com>
Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
https://bugs.webkit.org/show_bug.cgi?id=201529
<rdar://problem/53935772>
Reviewed by Yusuke Suzuki.
* stress/test-out-of-memory.js: Added.
2019-09-05 Tadeu Zagallo <tzagallo@apple.com>
LazyClassStructure::setConstructor should not store the constructor to the global object
https://bugs.webkit.org/show_bug.cgi?id=201484
<rdar://problem/50400451>
Reviewed by Yusuke Suzuki.
* stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
2019-09-05 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Do not use FTLOutput::weakPointer directly
https://bugs.webkit.org/show_bug.cgi?id=201495
Reviewed by Filip Pizlo.
* stress/create-promise-weak-pointer.js: Added.
(foo):
2019-09-04 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Make Promise implementation faster
https://bugs.webkit.org/show_bug.cgi?id=200898
Reviewed by Saam Barati.
* ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
(assert.assert.return.throws):
* modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
* modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
* stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
(shouldThrow):
(new.Promise):
(shouldThrow.Promise):
* stress/create-promise-should-respect-promise-realm.js: Added.
(shouldBe):
(other.new.OtherPromise):
(DerivedOtherPromise):
(i.promise.new.DerivedOtherPromise):
(createPromise):
* stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
(shouldBe):
(DerivedPromise):
(i.array.push.new.DerivedPromise):
(promise.new.DerivedPromise):
* stress/derived-promise-constructor-inlined.js: Added.
(shouldBe):
(DerivedPromise):
(i.array.push.new.DerivedPromise):
(DerivedPromise.all.array.then):
* stress/derived-promise-prototype-replaced.js: Added.
(shouldBe):
(DerivedPromise):
(i.array.push.new.DerivedPromise):
(promise.new.DerivedPromise):
* stress/internal-promise-constructor-not-confusing.js: Added.
(shouldBe):
(InternalPromise.vm.createBuiltin):
(DerivedPromise):
* stress/internal-promise-is-not-exposed.js: Added.
(shouldBe):
* stress/new-promise-should-respect-promise-realm.js: Added.
(shouldBe):
(other.new.OtherPromise):
(createPromise):
* stress/promise-cannot-be-called.js:
(shouldThrow):
* stress/promise-capability-fast-path.js: Added.
(shouldBe):
(i.array.push.new.Promise):
(i.array.i.then):
* stress/promise-capability-slow-path.js: Added.
(shouldBe):
(Promise.prototype.then):
(i.array.push.new.Promise):
(i.array.i.then):
* stress/promise-capability-then-slow-path.js: Added.
(shouldBe):
(DerivedPromise):
(DerivedPromise.prototype.then):
(i.array.push.new.DerivedPromise):
(i.array.i.then):
* stress/promise-constructor-inlined.js: Added.
(shouldBe):
(i.array.push.new.Promise):
(Promise.all.array.then):
* stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
(shouldBe):
(DerivedPromise):
(DerivedPromise2):
(i.array.push.new.DerivedPromise):
(i.array2.push.new.DerivedPromise2):
* stress/without-promise-functions.js: Added.
(shouldBe):
(async):
2019-09-03 Mark Lam <mark.lam@apple.com>
Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
https://bugs.webkit.org/show_bug.cgi?id=201309
<rdar://problem/54832121>
Reviewed by Yusuke Suzuki.
* stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
2019-08-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Generate new.target register only when it is used
https://bugs.webkit.org/show_bug.cgi?id=201335
Reviewed by Mark Lam.
* stress/ensure-new-register-allocated.js: Added.
(shouldBe):
(basic):
(arrow):
(Base):
(Derived):
(evaluate):
2019-08-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
https://bugs.webkit.org/show_bug.cgi?id=201331
Reviewed by Mark Lam.
* stress/simple-jump-table-copy.js: Added.
(let.code):
(g2):
2019-08-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
https://bugs.webkit.org/show_bug.cgi?id=201332
Reviewed by Mark Lam.
This test is very flaky, it is hard to reproduce.
* stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
(code):
2019-08-29 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Repatch should construct CallCases and CasesValue at the same time
https://bugs.webkit.org/show_bug.cgi?id=201325
Reviewed by Saam Barati.
* stress/repatch-switch.js: Added.
(main.f2.f0):
(main.f2.f3):
(main.f2.f1):
(main.f2):
(main):
2019-08-29 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
https://bugs.webkit.org/show_bug.cgi?id=198650
Reviewed by Saam Barati.
* stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
(main.v0):
(main):
2019-08-28 Mark Lam <mark.lam@apple.com>
DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
https://bugs.webkit.org/show_bug.cgi?id=201281
<rdar://problem/54028228>
Reviewed by Yusuke Suzuki and Saam Barati.
* stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
2019-08-28 Mark Lam <mark.lam@apple.com>
Placate exception check validation in DFG's operationHasGenericProperty().
https://bugs.webkit.org/show_bug.cgi?id=201245
<rdar://problem/54777512>
Reviewed by Robin Morisset.
* stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
2019-08-27 Mark Lam <mark.lam@apple.com>
constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
https://bugs.webkit.org/show_bug.cgi?id=201196
<rdar://problem/54703775>
Reviewed by Yusuke Suzuki.
* stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
2019-08-26 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Ensure x?.y ?? z is fast
https://bugs.webkit.org/show_bug.cgi?id=200875
Reviewed by Yusuke Suzuki.
* stress/nullish-coalescing.js:
2019-08-23 Tadeu Zagallo <tzagallo@apple.com>
Remove MaximalFlushInsertionPhase
https://bugs.webkit.org/show_bug.cgi?id=201036
Reviewed by Saam Barati.
Remove all the references to maximal flush
* stress/arith-ceil-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-floor-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-negate-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-round-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-trunc-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
* stress/has-indexed-property-should-accept-non-int32.js:
* stress/has-indexed-property-with-worsening-array-mode.js:
* stress/known-int32-cant-be-used-across-bytecode-boundary.js:
* stress/read-dead-bytecode-locals-in-must-handle-values1.js:
* stress/read-dead-bytecode-locals-in-must-handle-values2.js:
* stress/rest-parameter-many-arguments.js:
* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
* stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
2019-08-23 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Do not overwrite argument registers in jsCallEntrypoint
https://bugs.webkit.org/show_bug.cgi?id=200952
Reviewed by Saam Barati.
* wasm/references/func_ref.js:
(assert.throws):
2019-08-22 Justin Michaud <justin_michaud@apple.com>
Add missing exception check in canonicalizeLocaleList
https://bugs.webkit.org/show_bug.cgi?id=201021
Reviewed by Mark Lam.
* stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
(catch):
2019-08-21 Mark Lam <mark.lam@apple.com>
Wasm::FunctionParser is failing to enforce maxFunctionLocals.
https://bugs.webkit.org/show_bug.cgi?id=201016
<rdar://problem/54579911>
Reviewed by Yusuke Suzuki.
* wasm/stress/too-many-locals.js: Added.
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
2019-08-21 Ross Kirsling <ross.kirsling@sony.com>
JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
https://bugs.webkit.org/show_bug.cgi?id=200965
Reviewed by Saam Barati.
This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
* stress/optional-chaining.js:
2019-08-21 Michael Saboff <msaboff@apple.com>
[JSC] incorrent JIT lead to StackOverflow
https://bugs.webkit.org/show_bug.cgi?id=197823
Reviewed by Tadeu Zagallo.
New test.
* stress/bound-function-stack-overflow.js: Added.
(foo):
(catch):
2019-08-20 Justin Michaud <justin_michaud@apple.com>
Identify memcpy loops in b3
https://bugs.webkit.org/show_bug.cgi?id=200181
Reviewed by Saam Barati.
* microbenchmarks/memcpy-loop.js: Added.
(doTest):
(let.arr1):
* microbenchmarks/memcpy-typed-loop-large.js: Added.
(doTest):
(let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
(arr2):
* microbenchmarks/memcpy-typed-loop-small.js: Added.
(doTest):
(16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
(16.arr2):
* microbenchmarks/memcpy-typed-loop-speculative.js: Added.
(doTest):
(let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
(arr2):
* microbenchmarks/memcpy-wasm-large.js: Added.
(typeof.WebAssembly.string_appeared_here.eq):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
* microbenchmarks/memcpy-wasm-medium.js: Added.
(typeof.WebAssembly.string_appeared_here.eq):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
* microbenchmarks/memcpy-wasm-small.js: Added.
(typeof.WebAssembly.string_appeared_here.eq):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
* microbenchmarks/memcpy-wasm.js: Added.
(typeof.WebAssembly.string_appeared_here.eq):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
* stress/memcpy-typed-loops.js: Added.
(noLoop):
(invalidStart):
(const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
(arr2):
* wasm/function-tests/memcpy-wasm-loop.js: Added.
(0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
(string_appeared_here):
2019-08-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Array.prototype.toString should not get "join" function each time
https://bugs.webkit.org/show_bug.cgi?id=200905
Reviewed by Mark Lam.
* stress/array-prototype-join-change.js: Added.
(shouldBe):
(array2.join):
(DerivedArray):
(DerivedArray.prototype.join):
(array3.__proto__.join):
(Array.prototype.join):
2019-08-20 Justin Michaud <justin_michaud@apple.com>
Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
https://bugs.webkit.org/show_bug.cgi?id=200782
Reviewed by Saam Barati.
Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
* microbenchmarks/memcpy-typed-loop.js:
* stress/int8-repeat-in-then-out-of-bounds.js:
2019-08-19 Alexey Shvayka <shvaikalesh@gmail.com>
Proxy constructor should throw if handler is revoked Proxy
https://bugs.webkit.org/show_bug.cgi?id=198755
Reviewed by Saam Barati.
* stress/proxy-revoke.js: Adjust error message.
* test262/expectations.yaml: Mark 2 test cases as passing.
2019-08-19 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] OSR entry to Wasm OMG
https://bugs.webkit.org/show_bug.cgi?id=200362
Reviewed by Michael Saboff.
* wasm/stress/osr-entry-basic.js: Added.
(instance.exports.loop):
* wasm/stress/osr-entry-many-locals-f32.js: Added.
* wasm/stress/osr-entry-many-locals-f64.js: Added.
* wasm/stress/osr-entry-many-locals-i32.js: Added.
* wasm/stress/osr-entry-many-locals-i64.js: Added.
* wasm/stress/osr-entry-many-stacks-f32.js: Added.
* wasm/stress/osr-entry-many-stacks-f64.js: Added.
* wasm/stress/osr-entry-many-stacks-i32.js: Added.
* wasm/stress/osr-entry-many-stacks-i64.js: Added.
2019-08-19 Alexey Shvayka <shvaikalesh@gmail.com>
Date.prototype.toJSON throws if toISOString returns an object
https://bugs.webkit.org/show_bug.cgi?id=198495
Reviewed by Ross Kirsling.
* test262/expectations.yaml: Mark 6 test cases as passing.
2019-08-19 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
https://bugs.webkit.org/show_bug.cgi?id=200899
<rdar://problem/54073341>
Reviewed by Mark Lam.
* stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
(i.new.Promise):
* stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
(i.new.Promise):
2019-08-19 Michael Saboff <msaboff@apple.com>
Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
https://bugs.webkit.org/show_bug.cgi?id=197090
Reviewed by Yusuke Suzuki.
New test.
* stress/regexp-nonconsuming-counted-parens.js: Added.
2019-08-18 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Correct a->an in error messages and API docblocks
https://bugs.webkit.org/show_bug.cgi?id=200833
Reviewed by Don Olmstead.
* ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
(assert.assert.return.throws):
* stress/promise-finally-should-accept-non-promise-objects.js:
* wasm/js-api/table.js:
(assert.throws):
2019-08-17 Ross Kirsling <ross.kirsling@sony.com>
[ESNext] Implement optional chaining
https://bugs.webkit.org/show_bug.cgi?id=200199
Reviewed by Yusuke Suzuki.
* stress/nullish-coalescing.js:
* stress/optional-chaining.js: Added.
* stress/tail-call-recognize.js:
2019-08-17 Ross Kirsling <ross.kirsling@sony.com>
[ESNext] Support hashbang.
https://bugs.webkit.org/show_bug.cgi?id=200865
Reviewed by Mark Lam.
* stress/hashbang.js: Added.
* test262/expectations.yaml: Mark 6 cases as passing.
2019-08-17 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG ToNumber should support Boolean in fixup
https://bugs.webkit.org/show_bug.cgi?id=200864
Reviewed by Mark Lam.
* microbenchmarks/to-number-boolean.js: Added.
(test):
* stress/to-number-boolean-int32.js: Added.
(shouldBe):
(test):
(check):
* stress/to-number-boolean.js: Added.
(shouldBe):
(test):
(check):
* stress/to-number-int32.js: Added.
(shouldBe):
(test):
(check):
2019-08-16 Mark Lam <mark.lam@apple.com>
More missing exception checks in string comparison operators.
https://bugs.webkit.org/show_bug.cgi?id=200844
<rdar://problem/54378684>
Reviewed by Saam Barati.
* stress/missing-exception-check-in-string-greater-than-compare.js: Added.
* stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
* stress/missing-exception-check-in-string-less-than-compare.js: Added.
* stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
2019-08-16 Mark Lam <mark.lam@apple.com>
CodeBlock destructor should clear all of its watchpoints.
https://bugs.webkit.org/show_bug.cgi?id=200792
<rdar://problem/53947800>
Reviewed by Yusuke Suzuki.
* stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
2019-08-16 Justin Michaud <justin_michaud@apple.com>
Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
https://bugs.webkit.org/show_bug.cgi?id=200782
Reviewed by Saam Barati.
* microbenchmarks/int8-out-of-bounds.js: Added.
(foo):
* microbenchmarks/memcpy-typed-loop.js: Added.
(doTest):
(let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
(arr2):
* stress/int8-repeat-in-then-out-of-bounds.js: Added.
(foo):
2019-08-16 Mark Lam <mark.lam@apple.com>
[Re-land] ProxyObject should not be allow to access its target's private properties.
https://bugs.webkit.org/show_bug.cgi?id=200739
<rdar://problem/53972768>
Reviewed by Yusuke Suzuki.
* stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
* stress/proxy-with-private-symbols.js:
2019-08-16 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Promise.prototype.finally should accept non-promise objects
https://bugs.webkit.org/show_bug.cgi?id=200829
Reviewed by Mark Lam.
* stress/promise-finally-should-accept-non-promise-objects.js: Added.
(shouldBe):
(Thenable):
(Thenable.prototype.then):
2019-08-16 Alexey Shvayka <shvaikalesh@gmail.com>
Promise constructor should check argument before [[Construct]]
https://bugs.webkit.org/show_bug.cgi?id=198976
Reviewed by Ross Kirsling.
* stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
* stress/create-subclass-structure-might-throw.js: Fix test.
* test262/expectations.yaml: Mark 2 test cases as passing.
2019-08-16 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r248709.
Caused test/built-ins/Promise/prototype/finally/this-value-
non-promise.js to fail on test262 bot
Reverted changeset:
"ProxyObject should not be allow to access its target's
private properties."
https://bugs.webkit.org/show_bug.cgi?id=200739
https://trac.webkit.org/changeset/248709
2019-08-15 Alexey Shvayka <shvaikalesh@gmail.com>
DateConversion::formatDateTime incorrectly formats negative years
https://bugs.webkit.org/show_bug.cgi?id=199964
Reviewed by Ross Kirsling.
* test262/expectations.yaml: Mark 6 test cases as passing.
2019-08-15 Mark Lam <mark.lam@apple.com>
More missing exception checks in String.prototype.
https://bugs.webkit.org/show_bug.cgi?id=200762
<rdar://problem/54333896>
Reviewed by Michael Saboff.
* stress/missing-exception-check-in-string-lastIndexOf.js: Added.
* stress/missing-exception-check-in-string-toLower.js: Added.
* stress/missing-exception-check-in-string-toUpper.js: Added.
2019-08-14 Mark Lam <mark.lam@apple.com>
ProxyObject should not be allow to access its target's private properties.
https://bugs.webkit.org/show_bug.cgi?id=200739
<rdar://problem/53972768>
Reviewed by Yusuke Suzuki.
* stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
* stress/proxy-with-private-symbols.js: Rebased.
2019-08-14 Mark Lam <mark.lam@apple.com>
Missing exception check in string compare.
https://bugs.webkit.org/show_bug.cgi?id=200743
<rdar://problem/53975356>
Reviewed by Michael Saboff.
* stress/missing-exception-check-in-string-compare.js: Added.
2019-08-08 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Add "jump if (not) undefined or null" bytecode ops
https://bugs.webkit.org/show_bug.cgi?id=200480
Reviewed by Saam Barati.
* stress/destructuring-assignment-require-object-coercible.js:
* stress/nullish-coalescing.js:
2019-08-05 Michael Saboff <msaboff@apple.com>
JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
https://bugs.webkit.org/show_bug.cgi?id=199997
Reviewed by Saam Barati.
New test.
* stress/typedarray-no-alreadyChecked-assert.js: Added.
(checkIntArray):
(checkFloatArray):
2019-08-02 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Support WebAssembly in SamplingProfiler
https://bugs.webkit.org/show_bug.cgi?id=200329
Reviewed by Saam Barati.
* stress/sampling-profiler-wasm-name-section.js: Added.
(const.compile):
(platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
(platformSupportsSamplingProfiler.vm.isWasmSupported):
* stress/sampling-profiler-wasm.js: Added.
(platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
(platformSupportsSamplingProfiler.vm.isWasmSupported):
* stress/sampling-profiler/loop.wasm: Added.
* stress/sampling-profiler/loop.wast: Added.
* stress/sampling-profiler/nameSection.wasm: Added.
2019-08-02 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] LazyJSValue should be robust for empty JSValue
https://bugs.webkit.org/show_bug.cgi?id=200388
Reviewed by Saam Barati.
* stress/switch-constant-child-becomes-empty.js: Added.
(foo):
2019-08-01 Yusuke Suzuki <ysuzuki@apple.com>
GetterSetter type confusion during DFG compilation
https://bugs.webkit.org/show_bug.cgi?id=199903
Reviewed by Mark Lam.
* stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
2019-08-01 Ross Kirsling <ross.kirsling@sony.com>
Update Test262 (2019.08.01)
https://bugs.webkit.org/show_bug.cgi?id=200351
Reviewed by Keith Miller.
* test262/expectations.yaml:
* test262/harness/testIntl.js:
* test262/latest-changes-summary.txt:
* test262/test/:
* test262/test262-Revision.txt:
2019-07-30 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Make StructureChain less-tricky by using Auxiliary Buffer
https://bugs.webkit.org/show_bug.cgi?id=200192
Reviewed by Saam Barati.
* stress/structure-chain-stress.js: Added.
(keys):
2019-07-29 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Increment bytecode age only when SlotVisitor is first-visit
https://bugs.webkit.org/show_bug.cgi?id=200196
Reviewed by Robin Morisset.
* stress/reparsing-unlinked-codeblock.js:
2019-07-29 Justin Michaud <justin_michaud@apple.com>
[X86] Emit BT instruction for shift + mask in B3
https://bugs.webkit.org/show_bug.cgi?id=199891
Reviewed by Robin Morisset.
Lower the number of iterations to fix debug timeouts.
* microbenchmarks/bit-test-load.js:
(i):
2019-07-27 Justin Michaud <justin_michaud@apple.com>
[X86] Emit BT instruction for shift + mask in B3
https://bugs.webkit.org/show_bug.cgi?id=199891
Reviewed by Keith Miller.
* microbenchmarks/bit-test-constant.js: Added.
(let.glob.0.doTest):
* microbenchmarks/bit-test-load.js: Added.
(let.glob.0.let.arr.new.Int32Array.8.doTest):
(i):
* microbenchmarks/bit-test-nonconstant.js: Added.
(let.glob.0.doTest):
2019-07-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Potential GC fix for JSPropertyNameEnumerator
https://bugs.webkit.org/show_bug.cgi?id=200151
Reviewed by Mark Lam.
* stress/for-in-stress.js: Added.
(keys):
2019-07-25 Ross Kirsling <ross.kirsling@sony.com>
Legacy numeric literals should not permit separators or BigInt
https://bugs.webkit.org/show_bug.cgi?id=199984
Reviewed by Keith Miller.
* stress/big-int-literals.js:
* stress/numeric-literal-separators.js:
2019-07-25 Ross Kirsling <ross.kirsling@sony.com>
[ESNext] Implement nullish coalescing
https://bugs.webkit.org/show_bug.cgi?id=200072
Reviewed by Darin Adler.
* stress/nullish-coalescing.js: Added.
2019-07-24 Alexey Shvayka <shvaikalesh@gmail.com>
Three checks are missing in Proxy internal methods
https://bugs.webkit.org/show_bug.cgi?id=198630
Reviewed by Darin Adler.
* stress/proxy-delete.js: Assert isExtensible is called in correct order.
* test262/expectations.yaml: Mark 6 test cases as passing.
2019-07-23 Justin Michaud <justin_michaud@apple.com>
Sometimes we miss removable CheckInBounds
https://bugs.webkit.org/show_bug.cgi?id=200018
Reviewed by Saam Barati.
* microbenchmarks/typed-array-sum.js: Added.
(doTest):
2019-07-16 Mark Lam <mark.lam@apple.com>
ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
https://bugs.webkit.org/show_bug.cgi?id=199821
<rdar://problem/52452328>
Reviewed by Filip Pizlo.
* stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
2019-07-16 Keith Miller <keith_miller@apple.com>
Unreviewed, test262 gardening.
* test262/expectations.yaml:
2019-07-15 Keith Miller <keith_miller@apple.com>
A Possible Issue of Object.create method
https://bugs.webkit.org/show_bug.cgi?id=199744
Reviewed by Yusuke Suzuki.
* stress/object-create-non-object-properties-parameter.js: Added.
(catch):
2019-07-15 Keith Miller <keith_miller@apple.com>
Update test262
https://bugs.webkit.org/show_bug.cgi?id=199801
Rubber-stamped by Yusuke Suzuki.
* test262/expectations.yaml:
* test262/latest-changes-summary.txt:
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
(callback):
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/constructor.js: Added.
* test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
(cb):
(fg.new.FinalizationGroup):
(emptyCells):
(async.fn):
(fn.then.async):
* test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/length.js: Added.
* test262/test/built-ins/FinalizationGroup/name.js: Added.
* test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
(newTarget):
(fn):
* test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
* test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
(fn):
* test262/test/built-ins/FinalizationGroup/proto.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
(newTarget):
* test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
(newTarget):
* test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
(callback):
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
(cb):
(fg.new.FinalizationGroup):
(emptyCells):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
(fg.new.FinalizationGroup):
(fg.cleanupSome.cb):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
(callback):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
(fn):
(cb):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
(cb):
(fg.new.FinalizationGroup):
(emptyCells):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
(fg.new.FinalizationGroup):
(callback):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
(poisoned):
(fg.new.FinalizationGroup):
(emptyCells):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
(poisoned):
(emptyCells):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
(fn):
(cb):
(emptyCells):
(prototype.assert.sameValue.fg.cleanupSome):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
(fn):
(cb):
(poisoned):
(assert.sameValue.fg.cleanupSome):
(prototype.assert.sameValue.fg.cleanupSome):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
(cb):
* test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
(cb):
* test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
(fn):
* test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
(fn):
* test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
(fn):
* test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
(fn):
* test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
(fn):
* test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
* test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
(fn):
* test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
(cleanupCallback):
(let.key.of.Object.getOwnPropertyNames):
(set for):
* test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
* test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
(FinalizationGroup):
* test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
(cleanupCallback):
(let.key.of.Object.getOwnPropertyNames):
(set for):
* test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
* test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
* test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
* test262/test/built-ins/Function/prototype/restricted-property-caller.js:
* test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
(asyncProxy.new.Proxy.async):
* test262/test/built-ins/Object/prototype/toString/proxy-function.js:
(asyncProxy.new.Proxy.async):
* test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
(setIter.set Symbol):
(set defaultTag):
(gen):
(get return):
(set new):
* test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
(generatorProxy.new.Proxy):
(asyncProxy.new.Proxy.async):
* test262/test/built-ins/Object/subclass-object-arg.js:
* test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
* test262/test/built-ins/Promise/all/resolve-element-function-name.js:
* test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
* test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
* test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
* test262/test/built-ins/Promise/executor-function-name.js:
* test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
* test262/test/built-ins/Promise/reject-function-name.js:
* test262/test/built-ins/Promise/resolve-function-name.js:
* test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
* test262/test/built-ins/WeakRef/constructor.js: Added.
* test262/test/built-ins/WeakRef/instance-extensible.js: Added.
* test262/test/built-ins/WeakRef/length.js: Added.
* test262/test/built-ins/WeakRef/name.js: Added.
* test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
(newTarget):
* test262/test/built-ins/WeakRef/prop-desc.js: Added.
* test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
* test262/test/built-ins/WeakRef/proto.js: Added.
* test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
(newTarget):
* test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
(newTarget):
* test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
* test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
* test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
* test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
* test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
(emptyCells):
* test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
* test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
* test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
* test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
* test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
(fg.new.FinalizationGroup):
* test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
* test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
* test262/test/built-ins/WeakRef/prototype/proto.js: Added.
* test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
(let.key.of.Object.getOwnPropertyNames):
(set for):
* test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
* test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
* test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
* test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
* test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
* test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
* test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
* test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
* test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
* test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
* test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
* test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
* test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
* test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
* test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
* test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
* test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
* test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
(assertParts):
(assertPartsNumeric):
* test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
(assertParts):
(assertPartsNumeric):
* test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
(assertParts):
(assertPartsNumeric):
* test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
(assertParts):
* test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
* test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
* test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
* test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
* test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
* test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
(C.prototype.method):
* test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
(C.prototype.method.innerFunction):
(C.prototype.method):
* test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
(C):
(C.method):
* test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
(C):
(C.method.innerFunction):
(C.method):
* test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
(C):
(C.checkPrivateGetter):
* test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
(C):
(C.method):
* test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
(C):
(C.method.innerFunction):
(C.method):
* test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
(C):
(C.checkPrivateMethod):
* test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
(C):
(C.method):
* test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
(C):
(C.method.innerFunction):
(C.method):
* test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
(C):
(C.checkPrivateSetter):
* test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
* test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
* test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
* test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
* test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression):
(let.classStringExpression.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression):
(let.classStringExpression.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(const.C):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.return.prototype.m):
(let.classStringExpression.return.prototype.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.return.prototype.m):
(let.classStringExpression.return.prototype.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression):
(let.classStringExpression.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.prototype.m):
(let.classStringExpression.prototype.access):
(let.classStringExpression):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.prototype.m):
(let.classStringExpression.prototype.access):
(let.classStringExpression):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(const.C):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.return.C.prototype.m):
(let.classStringExpression.return.C.prototype.access):
(let.classStringExpression.return.C):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.return.C.prototype.m):
(let.classStringExpression.return.C.prototype.access):
(let.classStringExpression.return.C):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression):
(let.classStringExpression.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression):
(let.classStringExpression.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression):
(let.classStringExpression.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(const.C):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.return.prototype.m):
(let.classStringExpression.return.prototype.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression.return.prototype.m):
(let.classStringExpression.return.prototype.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
(let.classStringExpression):
(let.classStringExpression.access):
(let.createAndInstantiateClass):
* test262/test/language/expressions/new.target/unary-expr.js: Added.
(new):
(async):
* test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
(A):
* test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
* test262/test/language/identifiers/vals-cjk-escaped.js: Added.
* test262/test/language/identifiers/vals-cjk.js: Added.
* test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
* test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
(C.prototype.method.innerFunction):
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
(C.prototype.checkPrivateField):
(C):
* test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
(C):
* test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
(C.prototype.getWithEval):
(C):
(D):
* test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
(C.prototype.get m):
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
(C.prototype.get m):
(C.prototype.method.innerFunction):
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
(let.createAndInstantiateClass):
* test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
(C.prototype.get m):
(C.prototype.checkPrivateGetter):
(C):
* test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
(C.prototype.get m):
(C.prototype.checkPrivateGetter):
(C):
* test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
(C.prototype.get m):
(C):
* test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
(C.prototype.get m):
(C.prototype.getWithEval):
(C):
(D.prototype.get m):
(D):
* test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
(C.prototype.m):
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
(C.prototype.m):
(C.prototype.method.innerFunction):
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
(C.prototype.m):
(C.prototype.checkPrivateMethod):
(C):
* test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
(C.prototype.m):
(C.prototype.checkPrivateMethod):
(C):
* test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
(C.prototype.m):
(C):
* test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
(C.prototype.m):
(C.prototype.getWithEval):
(C):
(D.prototype.m):
(D):
* test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
(C.prototype.set m):
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
(C.prototype.set m):
(C.prototype.method.innerFunction):
(C.prototype.method):
(C):
* test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
(C.prototype.set m):
(C.prototype.checkPrivateSetter):
(C):
* test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
(C.prototype.set m):
(C.prototype.checkPrivateSetter):
(C):
* test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
(C.prototype.set m):
(C):
* test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
(C.prototype.set m):
(C.prototype.setWithEval):
(C):
(D.prototype.set m):
(D):
* test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
* test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
* test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
* test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
(A.prototype.method):
(A):
(C.prototype.get m):
(C.prototype.access):
(C):
* test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
(A.prototype.method):
(A):
(C.prototype.m):
(C.prototype.access):
(C):
* test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
(A.prototype.method):
(A):
(C.prototype.set m):
(C.prototype.access):
(C):
* test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
(A):
* test262/test/language/statements/function/13.2-30-s.js:
* test262/test262-Revision.txt:
2019-07-15 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Improve wasm wpt test results by fixing miscellaneous issues
https://bugs.webkit.org/show_bug.cgi?id=199783
Reviewed by Mark Lam.
Fix our spec tests.
* wasm/js-api/Module-compile.js:
* wasm/js-api/test_basic_api.js:
(const.c.in.constructorProperties.switch):
* wasm/js-api/validate.js:
* wasm/js-api/web-assembly-instantiate.js:
* wasm/spec-tests/jsapi.js:
(testJSAPI.get test):
(testJSAPI.set test):
2019-07-15 Michael Catanzaro <mcatanzaro@igalia.com>
Unreviewed, rolling out r247440.
Broke builds
Reverted changeset:
"[JSC] Improve wasm wpt test results by fixing miscellaneous
issues"
https://bugs.webkit.org/show_bug.cgi?id=199783
https://trac.webkit.org/changeset/247440
2019-07-15 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Improve wasm wpt test results by fixing miscellaneous issues
https://bugs.webkit.org/show_bug.cgi?id=199783
Reviewed by Mark Lam.
Fix our spec tests.
* wasm/js-api/Module-compile.js:
* wasm/js-api/test_basic_api.js:
(const.c.in.constructorProperties.switch):
* wasm/js-api/validate.js:
* wasm/js-api/web-assembly-instantiate.js:
* wasm/spec-tests/jsapi.js:
(testJSAPI.get test):
(testJSAPI.set test):
2019-07-12 Justin Michaud <justin_michaud@apple.com>
B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
https://bugs.webkit.org/show_bug.cgi?id=196371
Reviewed by Keith Miller.
* microbenchmarks/mul-immediate-sub.js: Added.
(doTest):
2019-07-12 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add ValueBitLShift into DFG
https://bugs.webkit.org/show_bug.cgi?id=192664
Reviewed by Saam Barati.
We are adding tests to cover ValueBitwise operations AI changes.
* stress/big-int-left-shift-untyped.js: Added.
* stress/bit-op-with-object-returning-int32.js:
* stress/value-bit-and-ai-rule.js: Added.
* stress/value-bit-lshift-ai-rule.js: Added.
* stress/value-bit-or-ai-rule.js: Added.
* stress/value-bit-xor-ai-rule.js: Added.
2019-07-11 Justin Michaud <justin_michaud@apple.com>
Add b3 macro lowering for CheckMul on arm64
https://bugs.webkit.org/show_bug.cgi?id=199251
Reviewed by Robin Morisset.
* microbenchmarks/check-mul-constant.js: Added.
(doTest):
* microbenchmarks/check-mul-no-constant.js: Added.
(doTest):
* microbenchmarks/check-mul-power-of-two.js: Added.
(doTest):
2019-07-10 Tadeu Zagallo <tzagallo@apple.com>
Optimize join of large empty arrays
https://bugs.webkit.org/show_bug.cgi?id=199636
Reviewed by Mark Lam.
* microbenchmarks/large-empty-array-join.js: Added.
* microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2019-07-06 Michael Saboff <msaboff@apple.com>
switch(String) needs to check for exceptions when resolving the string
https://bugs.webkit.org/show_bug.cgi?id=199541
Reviewed by Mark Lam.
New tests.
* stress/switch-string-oom.js: Added.
(test):
(testLowerTiers):
(testFTL):
2019-07-05 Mark Lam <mark.lam@apple.com>
ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
https://bugs.webkit.org/show_bug.cgi?id=199533
<rdar://problem/52669111>
Reviewed by Filip Pizlo.
* stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2019-07-05 Alexey Shvayka <shvaikalesh@gmail.com>
[JSC] Clean up ArraySpeciesCreate
https://bugs.webkit.org/show_bug.cgi?id=182434
Reviewed by Yusuke Suzuki.
Adjusts error message expectations in stress tests.
* stress/array-flatmap.js:
* stress/array-flatten.js:
* stress/array-species-create-should-handle-masquerader.js:
* test262/expectations.yaml: Mark 4 test cases as passing.
2019-07-02 Michael Saboff <msaboff@apple.com>
Exception from For..of loop assignment eliminates TDZ checks in subsequent code
https://bugs.webkit.org/show_bug.cgi?id=199395
Reviewed by Filip Pizlo.
New regession test.
* stress/for-of-tdz-with-try-catch.js: Added.
(test):
(i.catch):
2019-07-02 Keith Miller <keith_miller@apple.com>
Frozen Arrays length assignment should throw in strict mode
https://bugs.webkit.org/show_bug.cgi?id=199365
Reviewed by Yusuke Suzuki.
* stress/frozen-array-length-should-throw-strict.js: Added.
(test):
2019-07-01 Justin Michaud <justin_michaud@apple.com>
[Wasm-References] Disable references by default
https://bugs.webkit.org/show_bug.cgi?id=199390
Reviewed by Saam Barati.
* wasm/references-spec-tests/ref_is_null.js:
* wasm/references-spec-tests/ref_null.js:
* wasm/references/anyref_globals.js:
* wasm/references/anyref_modules.js:
* wasm/references/anyref_table.js:
* wasm/references/anyref_table_import.js:
* wasm/references/element_parsing.js:
* wasm/references/func_ref.js:
* wasm/references/is_null.js:
* wasm/references/multitable.js:
* wasm/references/table_misc.js:
* wasm/references/validation.js:
2019-07-01 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r246946.
Caused JSC test crashes on arm64
Reverted changeset:
"Add b3 macro lowering for CheckMul on arm64"
https://bugs.webkit.org/show_bug.cgi?id=199251
https://trac.webkit.org/changeset/246946
2019-06-28 Justin Michaud <justin_michaud@apple.com>
Add b3 macro lowering for CheckMul on arm64
https://bugs.webkit.org/show_bug.cgi?id=199251
Reviewed by Robin Morisset.
* microbenchmarks/check-mul-constant.js: Added.
(doTest):
* microbenchmarks/check-mul-no-constant.js: Added.
(doTest):
* microbenchmarks/check-mul-power-of-two.js: Added.
(doTest):
2019-06-26 Keith Miller <keith_miller@apple.com>
speciesConstruct needs to throw if the result is a DataView
https://bugs.webkit.org/show_bug.cgi?id=199231
Reviewed by Mark Lam.
* stress/typedarray-filter.js:
(subclasses.forEach):
* stress/typedarray-map.js:
(subclasses.forEach):
* stress/typedarray-slice.js:
(typedArrays.forEach):
* stress/typedarray-subarray.js:
(subclasses.forEach):
2019-06-24 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r246714.
https://bugs.webkit.org/show_bug.cgi?id=199179
revert to do patch in a different way. (Requested by keith_mi_
on #webkit).
Reverted changeset:
"All prototypes should call didBecomePrototype()"
https://bugs.webkit.org/show_bug.cgi?id=196315
https://trac.webkit.org/changeset/246714
2019-06-24 Alexey Shvayka <shvaikalesh@gmail.com>
Add Array.prototype.{flat,flatMap} to unscopables
https://bugs.webkit.org/show_bug.cgi?id=194322
Reviewed by Keith Miller.
* stress/unscopables.js: Fix test.
* test262/expectations.yaml: Mark 2 test cases as passing.
2019-06-21 Mark Lam <mark.lam@apple.com>
ArraySlice needs to keep the source array alive.
https://bugs.webkit.org/show_bug.cgi?id=197374
<rdar://problem/50304429>
Reviewed by Michael Saboff and Filip Pizlo.
* stress/array-slice-must-keep-source-array-alive.js: Added.
2019-06-22 Robin Morisset <rmorisset@apple.com> and Yusuke Suzuki <ysuzuki@apple.com>
All prototypes should call didBecomePrototype()
https://bugs.webkit.org/show_bug.cgi?id=196315
Reviewed by Saam Barati.
* stress/function-prototype-indexed-accessor.js: Added.
2019-06-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Strict, Sloppy and Arrow functions should have different classInfo
https://bugs.webkit.org/show_bug.cgi?id=197631
Reviewed by Saam Barati.
* stress/has-own-property-arguments.js: Added.
(shouldBe):
(A):
2019-06-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] ClassExpr should not store result in the middle of evaluation
https://bugs.webkit.org/show_bug.cgi?id=199106
Reviewed by Tadeu Zagallo.
* stress/class-expression-should-store-result-at-last.js: Added.
(shouldThrow):
(shouldThrow.let.a):
2019-06-20 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
https://bugs.webkit.org/show_bug.cgi?id=199044
Reviewed by Saam Barati.
Add wasm references spec tests as well as a worker test.
* wasm.yaml:
* wasm/Builder_WebAssemblyBinary.js:
(const.emitters.Element):
* wasm/js-api/element.js:
(assert.throws.new.WebAssembly.Module.builder.WebAssembly):
* wasm/references-spec-tests/ref_is_null.js: Added.
(hostref):
(is_hostref):
(is_funcref):
(eq_ref):
(let.handler.get target):
(register):
(module):
(instance):
(call):
(get instance):
(exports):
(run):
(assert_malformed):
(assert_invalid):
(assert_unlinkable):
(assert_uninstantiable):
(assert_trap):
(try.f):
(catch):
(assert_exhaustion):
(assert_return):
(assert_return_canonical_nan):
(assert_return_arithmetic_nan):
(assert_return_ref):
(assert_return_func):
* wasm/references-spec-tests/ref_null.js: Added.
(hostref):
(is_hostref):
(is_funcref):
(eq_ref):
(let.handler.get target):
(register):
(module):
(instance):
(call):
(get instance):
(exports):
(run):
(assert_malformed):
(assert_invalid):
(assert_unlinkable):
(assert_uninstantiable):
(assert_trap):
(try.f):
(catch):
(assert_exhaustion):
(assert_return):
(assert_return_canonical_nan):
(assert_return_arithmetic_nan):
(assert_return_ref):
(assert_return_func):
* wasm/references/element_parsing.js: Added.
(module):
* wasm/references/func_ref.js:
* wasm/references/multitable.js:
* wasm/references/table_misc.js:
(TableSize.0.End.End.WebAssembly):
* wasm/references/validation.js:
(assert.throws):
2019-06-19 Alexey Shvayka <shvaikalesh@gmail.com>
Optimize `resolve` method lookup in Promise static methods
https://bugs.webkit.org/show_bug.cgi?id=198864
Reviewed by Yusuke Suzuki.
* test262/expectations.yaml: Mark 18 test cases as passing.
2019-06-19 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Rename anyfunc to funcref
https://bugs.webkit.org/show_bug.cgi?id=198983
Reviewed by Yusuke Suzuki.
* wasm/function-tests/basic-element.js:
* wasm/function-tests/context-switch.js:
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
(makeInstance):
(assert.eq.makeInstance):
* wasm/function-tests/exceptions.js:
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
* wasm/function-tests/grow-memory-2.js:
(assert.eq.instance.exports.foo):
* wasm/function-tests/nameSection.js:
(const.compile):
* wasm/function-tests/stack-overflow.js:
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
(assertOverflows.makeInstance):
* wasm/function-tests/table-basic-2.js:
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
* wasm/function-tests/table-basic.js:
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
* wasm/function-tests/trap-from-start-async.js:
* wasm/function-tests/trap-from-start.js:
* wasm/js-api/Module.exports.js:
(assert.truthy):
* wasm/js-api/Module.imports.js:
(assert.truthy):
* wasm/js-api/call-indirect.js:
(const.oneTable):
(const.multiTable):
(multiTable.const.makeTable):
(multiTable):
(multiTable.Polyphic2Import):
(multiTable.VirtualImport):
* wasm/js-api/element-data.js:
* wasm/js-api/element.js:
(assert.throws.new.WebAssembly.Module.builder.WebAssembly):
(assert.throws):
(badInstantiation.makeModule):
(badInstantiation.test):
(badInstantiation):
* wasm/js-api/extension-MemoryMode.js:
* wasm/js-api/table.js:
(new.WebAssembly.Module):
(assert.throws):
(assertBadTableImport):
(assert.throws.WebAssembly.Table.prototype.grow):
(new.WebAssembly.Table):
(assertBadTable):
(assert.truthy):
* wasm/js-api/test_basic_api.js:
(const.c.in.constructorProperties.switch):
* wasm/js-api/unique-signature.js:
(CallIndirectWithDuplicateSignatures):
* wasm/js-api/wrapper-function.js:
* wasm/modules/table.wat:
* wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
* wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
* wasm/modules/wasm-imports-wasm-exports/imports.wat:
* wasm/modules/wasm-imports-wasm-exports/sum.wat:
* wasm/references/anyref_table.js:
* wasm/references/anyref_table_import.js:
(doSet):
(assert.throws):
* wasm/references/func_ref.js:
(makeFuncrefIdent):
(assert.eq.instance.exports.fix):
(GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
(GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
(let.importedFun.of):
(makeAnyfuncIdent): Deleted.
(makeAnyfuncIdent.fun): Deleted.
* wasm/references/multitable.js:
(assert.eq):
(assert.throws):
* wasm/references/table_misc.js:
(GetLocal.0.TableFill.0.End.End.WebAssembly):
* wasm/references/validation.js:
(assert.throws.new.WebAssembly.Module.bin):
(assert.throws):
* wasm/spec-harness/index.js:
* wasm/spec-harness/wasm-constants.js:
* wasm/spec-harness/wasm-module-builder.js:
(WasmModuleBuilder.prototype.toArray):
* wasm/spec-harness/wast.js:
(elem_type):
(string_of_elem_type):
(string_of_table_type):
* wasm/spec-tests/jsapi.js:
* wasm/stress/wasm-table-grow-initialize.js:
* wasm/wasm.json:
2019-06-18 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Add support for Table.size, grow and fill instructions
https://bugs.webkit.org/show_bug.cgi?id=198761
Reviewed by Yusuke Suzuki.
* wasm/Builder_WebAssemblyBinary.js:
(const.putOp):
* wasm/references/table_misc.js: Added.
(TableSize.End.End.WebAssembly):
(GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
* wasm/wasm.json:
2019-06-18 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Add support for multiple tables
https://bugs.webkit.org/show_bug.cgi?id=198760
Reviewed by Saam Barati.
* wasm/Builder.js:
* wasm/js-api/call-indirect.js:
(const.oneTable):
(const.multiTable):
(multiTable):
(multiTable.Polyphic2Import):
(multiTable.VirtualImport):
(const.wasmModuleWhichImportJS): Deleted.
(const.makeTable): Deleted.
(): Deleted.
(Polyphic2Import): Deleted.
(VirtualImport): Deleted.
* wasm/js-api/table.js:
(new.WebAssembly.Module):
(assert.throws):
(assertBadTableImport):
(assert.truthy):
(assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
* wasm/references/anyref_table.js:
* wasm/references/anyref_table_import.js:
(makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
* wasm/references/multitable.js: Added.
(assert.throws.1.exports.set_tbl0):
(assert.throws):
(assert.eq):
* wasm/references/validation.js:
(assert.throws.new.WebAssembly.Module.bin):
(assert.throws):
* wasm/spec-tests/imports.wast.js:
* wasm/wasm.json:
* wasm/Builder.js:
* wasm/js-api/call-indirect.js:
(const.oneTable):
(const.multiTable):
(multiTable):
(multiTable.Polyphic2Import):
(multiTable.VirtualImport):
(const.wasmModuleWhichImportJS): Deleted.
(const.makeTable): Deleted.
(): Deleted.
(Polyphic2Import): Deleted.
(VirtualImport): Deleted.
* wasm/js-api/table.js:
(new.WebAssembly.Module):
(assert.throws):
(assertBadTableImport):
(assert.truthy):
(assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
* wasm/references/anyref_table.js:
* wasm/references/anyref_table_import.js:
(makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
* wasm/references/func_ref.js:
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
* wasm/references/multitable.js: Added.
(assert.throws.1.exports.set_tbl0):
(assert.throws):
(assert.eq):
(string_appeared_here.tableInsanity):
(I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
(I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
* wasm/references/validation.js:
(assert.throws.new.WebAssembly.Module.bin):
(assert.throws):
* wasm/spec-tests/imports.wast.js:
* wasm/wasm.json:
2019-06-18 Alexey Shvayka <shvaikalesh@gmail.com>
[ESNExt] String.prototype.matchAll
https://bugs.webkit.org/show_bug.cgi?id=186694
Reviewed by Yusuke Suzuki.
Implement String.prototype.matchAll.
(https://tc39.es/ecma262/#sec-string.prototype.matchall)
* test262/config.yaml:
2019-06-18 Tadeu Zagallo <tzagallo@apple.com>
DFG code should not reify the names of builtin functions with private names
https://bugs.webkit.org/show_bug.cgi?id=198849
<rdar://problem/51733890>
Reviewed by Filip Pizlo.
* stress/builtin-private-function-name.js: Added.
(then):
(PromiseLike):
2019-06-18 Keith Miller <keith_miller@apple.com>
MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
https://bugs.webkit.org/show_bug.cgi?id=198969
<rdar://problem/51620714>
Reviewed by Tadeu Zagallo.
* stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
(catch):
2019-06-17 Justin Michaud <justin_michaud@apple.com>
Validate that table element type is funcref if using an element section
https://bugs.webkit.org/show_bug.cgi?id=198910
Reviewed by Yusuke Suzuki.
* wasm/references/anyref_table.js:
2019-06-17 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Introduce DisposableCallSiteIndex to enforce type-safety
https://bugs.webkit.org/show_bug.cgi?id=197378
Reviewed by Saam Barati.
* stress/disposable-call-site-index-with-call-and-this.js: Added.
(foo):
(bar):
* stress/disposable-call-site-index.js: Added.
(foo):
(bar):
2019-06-17 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Add support for Funcref in parameters and return types
https://bugs.webkit.org/show_bug.cgi?id=198157
Reviewed by Yusuke Suzuki.
* wasm/Builder.js:
(export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
* wasm/references/anyref_globals.js:
* wasm/references/func_ref.js: Added.
(fullGC.gc.makeExportedFunction):
(makeExportedIdent):
(makeAnyfuncIdent):
(fun):
(assert.eq.instance.exports.fix.fun):
(assert.eq.instance.exports.fix):
(string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
(string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
(assert.throws):
(assert.throws.doTest):
(let.importedFun.of):
(makeAnyfuncIdent.fun):
* wasm/references/validation.js:
(assert.throws):
* wasm/wasm.json:
2019-06-17 Ross Kirsling <ross.kirsling@sony.com>
Update test262 tests (2019.06.13)
https://bugs.webkit.org/show_bug.cgi?id=198821
Reviewed by Konstantin Tokarev.
* test262/expectations.yaml:
* test262/harness/:
* test262/latest-changes-summary.txt:
* test262/test/:
* test262/test262-Revision.txt:
2019-06-16 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Grown region of WasmTable should be initialized with null
https://bugs.webkit.org/show_bug.cgi?id=198903
Reviewed by Saam Barati.
* wasm/stress/wasm-table-grow-initialize.js: Added.
(shouldBe):
2019-06-13 Yusuke Suzuki <ysuzuki@apple.com>
Yarr bytecode compilation failure should be gracefully handled
https://bugs.webkit.org/show_bug.cgi?id=198700
Reviewed by Michael Saboff.
* stress/regexp-bytecode-compilation-fail.js: Added.
(shouldThrow):
2019-06-12 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
https://bugs.webkit.org/show_bug.cgi?id=198770
Reviewed by Saam Barati.
* stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
(test):
2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com>
JSC should throw if proxy set returns falsish in strict mode context
https://bugs.webkit.org/show_bug.cgi?id=177398
Reviewed by Yusuke Suzuki.
1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
* stress/proxy-set.js: Add 2 test cases.
* stress/regexp-match-proxy.js: Fix test.
* stress/regexp-replace-proxy.js: Fix test.
2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com>
Error message for non-callable Proxy `construct` trap is misleading
https://bugs.webkit.org/show_bug.cgi?id=198637
Reviewed by Saam Barati.
* stress/proxy-construct.js:
2019-06-10 Tadeu Zagallo <tzagallo@apple.com>
AI BitURShift's result should not be unsigned
https://bugs.webkit.org/show_bug.cgi?id=198689
<rdar://problem/51550063>
Reviewed by Saam Barati.
* stress/urshift-int32-overflow.js: Added.
(foo.):
(foo):
2019-06-11 Guillaume Emont <guijemont@igalia.com>
Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
Unreviewed gardening.
* stress/ftl-gettypedarrayoffset-wasteful.js:
Skipped on arm/linux as it always times out on the bot since a change
between r246270 and r246278 inclusive.
2019-06-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
https://bugs.webkit.org/show_bug.cgi?id=198023
Reviewed by Saam Barati.
* stress/reparsing-unlinked-codeblock.js: Added.
(shouldBe):
(hello):
2019-06-09 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use mergePrediction in ValuePow prediction propagation
https://bugs.webkit.org/show_bug.cgi?id=198648
Reviewed by Saam Barati.
* stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2019-06-07 Tadeu Zagallo <tzagallo@apple.com>
AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
https://bugs.webkit.org/show_bug.cgi?id=198581
<rdar://problem/51099753>
Reviewed by Saam Barati.
* stress/global-object-proto-getter.js: Added.
(f):
(test):
2019-06-05 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
https://bugs.webkit.org/show_bug.cgi?id=198398
Reviewed by Saam Barati.
* wasm/references/anyref_table.js: Added.
(string_appeared_here.doGCSet):
(doGCTest):
(doGCSet.doGCTest.let.count.0.doBarrierSet):
* wasm/references/anyref_table_import.js: Added.
(makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
* wasm/references/is_null_error.js: Removed.
* wasm/references/validation.js: Added.
(assert.throws.new.WebAssembly.Module.bin):
(assert.throws):
* wasm/wasm.json:
2019-06-05 Justin Michaud <justin_michaud@apple.com>
WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
https://bugs.webkit.org/show_bug.cgi?id=198106
Reviewed by Saam Barati.
* wasm/regress/selectf64.js: Added.
* wasm/regress/selectf64.wasm: Added.
* wasm/regress/selectf64.wat: Added.
2019-06-04 Tadeu Zagallo <tzagallo@apple.com>
Argument elimination should check transitive dependents for interference
https://bugs.webkit.org/show_bug.cgi?id=198520
<rdar://problem/50863343>
Reviewed by Filip Pizlo.
* stress/argument-elimination-inline-rest-past-kill.js: Added.
(f2):
(f3):
2019-06-04 Tadeu Zagallo <tzagallo@apple.com>
Argument elimination should check for negative indices in GetByVal
https://bugs.webkit.org/show_bug.cgi?id=198302
<rdar://problem/51188095>
Reviewed by Filip Pizlo.
* stress/eliminate-arguments-negative-rest-access.js: Added.
(inlinee):
(opt):
2019-06-03 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "**"
https://bugs.webkit.org/show_bug.cgi?id=190799
Reviewed by Saam Barati.
* stress/big-int-exp-basic.js: Added.
* stress/big-int-exp-jit-osr.js: Added.
* stress/big-int-exp-jit-untyped.js: Added.
* stress/big-int-exp-jit.js: Added.
* stress/big-int-exp-negative-exponent.js: Added.
* stress/big-int-exp-to-primitive.js: Added.
* stress/big-int-exp-type-error.js: Added.
* stress/big-int-exp-wrapped-value.js: Added.
* stress/value-pow-ai-rule.js: Added.
2019-05-30 Tadeu Zagallo <tzagallo@apple.com> and Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
https://bugs.webkit.org/show_bug.cgi?id=197979
Reviewed by Filip Pizlo.
* stress/16bit-code.js: Added.
(shouldBe):
* stress/32bit-code.js: Added.
(shouldBe):
2019-05-30 Justin Michaud <justin_michaud@apple.com>
oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
https://bugs.webkit.org/show_bug.cgi?id=198355
Reviewed by Saam Barati.
* wasm/references/is_null.js:
2019-05-30 Stephan Szabo <stephan.szabo@sony.com>
[PlayStation] Skip additional tests on PlayStation
https://bugs.webkit.org/show_bug.cgi?id=198352
Reviewed by Don Olmstead.
Skip pow test on PlayStation due to behavior difference in standard library.
Skip incremental marking test due to OOM on PlayStation systems.
* stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
* stress/math-pow-with-constants.js:
* stress/pow-with-constants.js:
2019-05-28 Dean Jackson <dino@apple.com>
Implement Promise.allSettled
https://bugs.webkit.org/show_bug.cgi?id=197600
<rdar://problem/50483885>
Reviewed by Keith Miller.
Start testing Promise.allSettled. We pass most of the tests.
The ones that fail are similar to the Promise.all tests we already fail.
* test262/config.yaml: Remove Promise.allSettled from skipped tests.
* test262/expectations.yaml: Add new expectations for allSettled tests.
2019-05-28 Michael Saboff <msaboff@apple.com>
[YARR] Properly handle RegExp's that require large ParenContext space
https://bugs.webkit.org/show_bug.cgi?id=198065
Reviewed by Keith Miller.
New test.
* stress/regexp-large-paren-context.js: Added.
(testLargeRegExp):
2019-05-28 Tadeu Zagallo <tzagallo@apple.com>
JITOperations putByVal should mark negative array indices as out-of-bounds
https://bugs.webkit.org/show_bug.cgi?id=198271
Reviewed by Saam Barati.
* microbenchmarks/get-by-val-negative-array-index.js:
(foo):
Update the getByVal microbenchmark added in r245769. This now shows that r245769
is 4.2x faster than the previous commit.
* microbenchmarks/put-by-val-negative-array-index.js: Added.
(foo):
2019-05-25 Tadeu Zagallo <tzagallo@apple.com>
JITOperations getByVal should mark negative array indices as out-of-bounds
https://bugs.webkit.org/show_bug.cgi?id=198229
Reviewed by Saam Barati.
* microbenchmarks/get-by-val-negative-array-index.js: Added.
(foo):
2019-05-24 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Support Anyref in globals
https://bugs.webkit.org/show_bug.cgi?id=198102
Reviewed by Saam Barati.
Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
* wasm/Builder.js:
(export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
* wasm/Builder_WebAssemblyBinary.js:
(const.putInitExpr):
* wasm/references/anyref_globals.js: Added.
(GetGlobal.0.End.End.WebAssembly):
(5.doGCSet):
(doGCTest):
(doGCSet.doGCTest.let.count.0.doBarrierSet):
2019-05-23 Tadeu Zagallo <tzagallo@apple.com>
DFG::OSREntry should not perform arity check
https://bugs.webkit.org/show_bug.cgi?id=198189
Reviewed by Saam Barati.
* microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
(foo):
2019-05-23 Stephan Szabo <stephan.szabo@sony.com>
[PlayStation] Skip additional tests on PlayStation
https://bugs.webkit.org/show_bug.cgi?id=198145
Reviewed by Ross Kirsling.
* exceptionFuzz.yaml:
Add skip on hostOS playstation
* executableAllocationFuzz.yaml:
Add skip on hostOS playstation
2019-05-23 Tadeu Zagallo <tzagallo@apple.com>
createListFromArrayLike should throw if value is not an object
https://bugs.webkit.org/show_bug.cgi?id=198138
Reviewed by Yusuke Suzuki.
* stress/create-list-from-array-like-not-object.js: Added.
(testValid):
(testInvalid):
* stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
(opt):
* stress/proxy-proto-enumerator.js: Added.
(main):
* stress/proxy-proto-own-keys.js: Added.
(assert):
(ownKeys):
2019-05-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
https://bugs.webkit.org/show_bug.cgi?id=197809
Reviewed by Michael Saboff.
* stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
(foo):
2019-05-22 Ross Kirsling <ross.kirsling@sony.com>
[ESNext] Implement support for Numeric Separators
https://bugs.webkit.org/show_bug.cgi?id=196351
Reviewed by Keith Miller.
* stress/numeric-literal-separators.js: Added.
Add tests for feature.
* test262/expectations.yaml:
Mark 60 test cases as passing.
2019-05-22 Tadeu Zagallo <tzagallo@apple.com>
llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
https://bugs.webkit.org/show_bug.cgi?id=198120
<rdar://problem/49668795>
Reviewed by Michael Saboff.
* stress/get-array-length-concurrently-change-mode.js: Added.
(main):
2019-05-22 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r245634.
https://bugs.webkit.org/show_bug.cgi?id=198140
'This patch makes JSC crash on launch in debug builds'
(Requested by tadeuzagallo on #webkit).
Reverted changeset:
"[ESNext] Implement support for Numeric Separators"
https://bugs.webkit.org/show_bug.cgi?id=196351
https://trac.webkit.org/changeset/245634
2019-05-22 Tadeu Zagallo <tzagallo@apple.com>
Stack-buffer-overflow in decodeURIComponent
https://bugs.webkit.org/show_bug.cgi?id=198109
<rdar://problem/50397550>
Reviewed by Michael Saboff.
* stress/decode-uri-icu-count-trail-bytes.js: Added.
(i.j.try.i.toString):
(i.j.catch):
2019-05-22 Yusuke Suzuki <ysuzuki@apple.com>
Don't clear PropertyNameArray in Proxy code
https://bugs.webkit.org/show_bug.cgi?id=197691
Reviewed by Saam Barati.
* stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
(shouldBe):
(opt):
2019-05-22 Ross Kirsling <ross.kirsling@sony.com>
[ESNext] Implement support for Numeric Separators
https://bugs.webkit.org/show_bug.cgi?id=196351
Reviewed by Keith Miller.
* stress/numeric-literal-separators.js: Added.
Add tests for feature.
* test262/expectations.yaml:
Mark 60 test cases as passing.
2019-05-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
https://bugs.webkit.org/show_bug.cgi?id=198101
Reviewed by Michael Saboff.
* stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
(shouldBe):
2019-05-20 Keith Miller <keith_miller@apple.com>
Cleanup Yarr regexp code around paren contexts.
https://bugs.webkit.org/show_bug.cgi?id=198063
Reviewed by Yusuke Suzuki.
* stress/regexp-many-named-sequential-capture-groups.js: Added.
(i.s):
* stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2019-05-17 Justin Michaud <justin_michaud@apple.com>
[WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
https://bugs.webkit.org/show_bug.cgi?id=197969
Reviewed by Keith Miller.
Support the anyref type in Builder.js, plus add some extra error logging.
Add new folder for wasm references tests.
* wasm.yaml:
* wasm/Builder.js:
(const._isValidValue):
* wasm/references/anyref_modules.js: Added.
(Call.3.RefIsNull.End.End.WebAssembly.js.ident):
(Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
(Call.3.RefIsNull.End.End.WebAssembly):
(undefined):
* wasm/references/is_null.js: Added.
* wasm/references/is_null_error.js: Added.
* wasm/spec-harness/index.js:
* wasm/wasm.json:
2019-05-16 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Invalid AssignmentTargetType should be an early error.
https://bugs.webkit.org/show_bug.cgi?id=197603
Reviewed by Keith Miller.
* test262/expectations.yaml:
Update expectations to reflect new SyntaxErrors.
(Ideally, these should all be viewed as passing in the near future.)
* stress/async-await-basic.js:
* stress/big-int-literals.js:
Update tests to reflect new SyntaxErrors.
* ChakraCore.yaml:
* ChakraCore/test/EH/try6.baseline-jsc:
* ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
Update baselines to reflect new SyntaxErrors.
2019-05-15 Saam Barati <sbarati@apple.com>
Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
https://bugs.webkit.org/show_bug.cgi?id=197855
<rdar://problem/50236506>
Reviewed by Michael Saboff.
* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
(f0):
(bar):
(foo):
* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
(f1):
(f2):
(foo):
2019-05-14 Keith Miller <keith_miller@apple.com>
Fix issue with byteOffset on ARM64E
https://bugs.webkit.org/show_bug.cgi?id=197884
Reviewed by Saam Barati.
We didn't have any tests that run with non-byte/non-zero offset
typed arrays.
* stress/ftl-gettypedarrayoffset-wasteful.js:
2019-05-14 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
https://bugs.webkit.org/show_bug.cgi?id=197833
Reviewed by Darin Adler.
* stress/generator-name.js: Added.
(shouldBe):
(gen):
(catch):
2019-05-13 Tadeu Zagallo <tzagallo@apple.com>
JSObject::getOwnPropertyDescriptor is missing an exception check
https://bugs.webkit.org/show_bug.cgi?id=197693
<rdar://problem/50441784>
Reviewed by Saam Barati.
* stress/proxy-spread.js: Added.
(foo):
2019-05-10 Saam barati <sbarati@apple.com>
Call to JSToWasmICCallee::createStructure passes in wrong prototype value
https://bugs.webkit.org/show_bug.cgi?id=197807
<rdar://problem/50530400>
Reviewed by Yusuke Suzuki.
* stress/js-to-wasm-callee-has-correct-prototype.js: Added.
(test.getInstance):
(test):
2019-05-10 Ross Kirsling <ross.kirsling@sony.com>
[Test262] Unreviewed expectations update following r245188.
* test262/config.yaml:
* test262/expectations.yaml:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
* test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
These files have invalid YAML comments. Will also submit corrections back to Test262.
2019-05-10 Keith Miller <keith_miller@apple.com>
Update test262 tests.
Rubber-stamped by Yusuke Suzuki.
* test262/*: mega-patch too many things to list individually.
2019-05-09 Keith Miller <keith_miller@apple.com>
Unreview, fix test to have a try-catch.
* stress/many-nested-functions-parser-stack-overflow.js:
(catch):
2019-05-09 Keith Miller <keith_miller@apple.com>
parseStatementListItem needs a stack overflow check
https://bugs.webkit.org/show_bug.cgi?id=197749
Reviewed by Saam Barati.
* stress/many-nested-functions-parser-stack-overflow.js: Added.
2019-05-08 Saam barati <sbarati@apple.com>
AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
https://bugs.webkit.org/show_bug.cgi?id=197715
<rdar://problem/50399252>
Reviewed by Filip Pizlo.
* stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
(foo):
(bar):
2019-05-08 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r245068.
Caused debug layout tests to exit early due to an assertion
failure.
Reverted changeset:
"All prototypes should call didBecomePrototype()"
https://bugs.webkit.org/show_bug.cgi?id=196315
https://trac.webkit.org/changeset/245068
2019-05-08 Yusuke Suzuki <ysuzuki@apple.com>
Invalid DFG JIT genereation in high CPU usage state
https://bugs.webkit.org/show_bug.cgi?id=197453
Reviewed by Saam Barati.
* stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
(trigger):
(main):
2019-05-08 Robin Morisset <rmorisset@apple.com>
All prototypes should call didBecomePrototype()
https://bugs.webkit.org/show_bug.cgi?id=196315
Reviewed by Saam Barati.
This changelog already landed, but the commit was missing the actual changes.
* stress/function-prototype-indexed-accessor.js: Added.
2019-05-08 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add ValueMod into DFG
https://bugs.webkit.org/show_bug.cgi?id=186174
Reviewed by Saam Barati.
* microbenchmarks/mod-untyped.js: Added.
* stress/big-int-mod-osr.js: Added.
* stress/value-div-ai-rule.js: Added.
* stress/value-mod-ai-rule.js: Added.
2019-05-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG_ASSERT failed in lowInt52
https://bugs.webkit.org/show_bug.cgi?id=197569
Reviewed by Saam Barati.
* stress/getstack-int52.js: Added.
(opt):
(main):
2019-05-07 Yusuke Suzuki <ysuzuki@apple.com>
JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
https://bugs.webkit.org/show_bug.cgi?id=197479
Reviewed by Saam Barati.
* stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
(shouldBe):
2019-05-07 Yusuke Suzuki <ysuzuki@apple.com>
TemplateObject passed to template literal tags are not always identical for the same source location.
https://bugs.webkit.org/show_bug.cgi?id=190756
Reviewed by Saam Barati.
* complex.yaml:
* complex/tagged-template-regeneration-after.js: Added.
(shouldBe):
* complex/tagged-template-regeneration.js: Added.
(call):
(test):
* modules/tagged-template-inside-module.js: Added.
(from.string_appeared_here.call):
* modules/tagged-template-inside-module/other-tagged-templates.js: Added.
(call):
(export.otherTaggedTemplates):
* stress/call-and-construct-should-return-same-tagged-templates.js: Added.
(shouldBe):
(call):
(poly):
* stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
(shouldBe):
(call):
* stress/tagged-templates-in-function-in-direct-eval.js: Added.
(shouldBe):
(call):
(test):
* stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
(shouldBe):
(call):
* stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
(shouldBe):
(call):
* stress/tagged-templates-in-multiple-functions.js: Added.
(shouldBe):
(call):
(a):
(b):
(c):
* stress/tagged-templates-with-same-start-offset.js: Added.
(shouldBe):
2019-05-07 Robin Morisset <rmorisset@apple.com>
All prototypes should call didBecomePrototype()
https://bugs.webkit.org/show_bug.cgi?id=196315
Reviewed by Saam Barati.
* stress/function-prototype-indexed-accessor.js: Added.
2019-05-07 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r244978.
https://bugs.webkit.org/show_bug.cgi?id=197671
TemplateObject map should use start/end offsets (Requested by
yusukesuzuki on #webkit).
Reverted changeset:
"TemplateObject passed to template literal tags are not always
identical for the same source location."
https://bugs.webkit.org/show_bug.cgi?id=190756
https://trac.webkit.org/changeset/244978
2019-05-07 Tadeu Zagallo <tzagallo@apple.com>
tryCachePutByID should not crash if target offset changes
https://bugs.webkit.org/show_bug.cgi?id=197311
<rdar://problem/48033612>
Reviewed by Filip Pizlo.
Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
* stress/cache-put-by-id-delete-prototype.js: Added.
(A.prototype.set y):
(A):
(B.prototype.set y):
(B):
(C):
* stress/cache-put-by-id-different-__proto__.js: Added.
(A.prototype.set y):
(A):
(B1):
(B2.prototype.set y):
(B2):
(C):
(D):
* stress/cache-put-by-id-different-attributes.js: Added.
(Foo):
(set x):
* stress/cache-put-by-id-different-offset.js: Added.
(Foo):
(set x):
* stress/cache-put-by-id-insert-prototype.js: Added.
(A.prototype.set y):
(A):
(C):
* stress/cache-put-by-id-poly-proto.js: Added.
(Foo):
(set _):
(createBar.Bar):
(createBar):
2019-05-07 Saam Barati <sbarati@apple.com>
Don't OSR enter into an FTL CodeBlock that has been jettisoned
https://bugs.webkit.org/show_bug.cgi?id=197531
<rdar://problem/50162379>
Reviewed by Yusuke Suzuki.
* stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2019-05-06 Dean Jackson <dino@apple.com>
Update test262 expectations for Proxy passes
https://bugs.webkit.org/show_bug.cgi?id=197628
Reviewed by Yusuke Suzuki.
There are two consistent passes in Proxy.ownKeys.
* test262/expectations.yaml:
2019-05-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] We should check OOM for description string of Symbol
https://bugs.webkit.org/show_bug.cgi?id=197634
Reviewed by Keith Miller.
* stress/check-symbol-description-oom.js: Added.
(shouldThrow):
2019-05-06 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, land one more test
https://bugs.webkit.org/show_bug.cgi?id=197587
* stress/setter-frame-flush.js: Added.
(setter):
(foo):
(bar):
2019-05-06 Yusuke Suzuki <ysuzuki@apple.com>
TemplateObject passed to template literal tags are not always identical for the same source location.
https://bugs.webkit.org/show_bug.cgi?id=190756
Reviewed by Saam Barati.
* complex.yaml:
* complex/tagged-template-regeneration-after.js: Added.
(shouldBe):
* complex/tagged-template-regeneration.js: Added.
(call):
(test):
* modules/tagged-template-inside-module.js: Added.
(from.string_appeared_here.call):
* modules/tagged-template-inside-module/other-tagged-templates.js: Added.
(call):
(export.otherTaggedTemplates):
* stress/call-and-construct-should-return-same-tagged-templates.js: Added.
(shouldBe):
(call):
(poly):
* stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
(shouldBe):
(call):
* stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
(shouldBe):
(call):
* stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
(shouldBe):
(call):
* stress/tagged-templates-in-multiple-functions.js: Added.
(shouldBe):
(call):
(a):
(b):
(c):
2019-05-06 Stephan Szabo <stephan.szabo@sony.com>
[PlayStation] JSC Stress tests failing due to timezone printing
https://bugs.webkit.org/show_bug.cgi?id=197615
PlayStation's strftime does not give timezone strings, which
results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
which causes diff failures with the expectations. Add expectations
without the timezone string and use those on playstation.
Reviewed by Ross Kirsling.
* ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
* ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
* ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
* ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
2019-05-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
https://bugs.webkit.org/show_bug.cgi?id=197587
Reviewed by Sam Weinig.
This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
* stress/adhoc-setter-frame-should-not-be-killed.js: Added.
2019-05-04 Tadeu Zagallo <tzagallo@apple.com>
TypedArrays should not store properties that are canonical numeric indices
https://bugs.webkit.org/show_bug.cgi?id=197228
<rdar://problem/49557381>
Reviewed by Saam Barati.
* stress/array-species-config-array-constructor.js:
(test):
* stress/put-direct-index-broken-2.js:
* stress/typed-array-canonical-numeric-index-string.js: Added.
(makeTest.assert):
(makeTest):
(const.testInvalidIndices.makeTest.set assert):
(const.testInvalidIndices.makeTest):
(const.makeTestValidIndex.configurable.set assert):
(const.makeTestValidIndex.configurable):
* stress/typedarray-access-monomorphic-neutered.js:
(checkNoException):
(testNoException):
(testFTLNoException):
* stress/typedarray-access-neutered.js:
(testNoException):
* stress/typedarray-getownproperty-not-configurable.js:
(foo):
* test262/expectations.yaml:
2019-05-03 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
https://bugs.webkit.org/show_bug.cgi?id=197584
Reviewed by Saam Barati.
* stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
(X):
(foo):
2019-05-03 Michael Saboff <msaboff@apple.com>
iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
https://bugs.webkit.org/show_bug.cgi?id=197586
Reviewed by Keith Miller.
We should only run one config of this test and only when we think we'll have the memory.
* stress/json-stringify-string-builder-overflow.js:
2019-05-03 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Generator CodeBlock generation should be idempotent
https://bugs.webkit.org/show_bug.cgi?id=197552
Reviewed by Keith Miller.
Add complex.yaml, which controls how to run JSC shell more.
We split test files into two to run macro task between them which allows debugger to be attached to VM.
* complex.yaml: Added.
* complex/generator-regeneration-after.js: Added.
* complex/generator-regeneration.js: Added.
(gen):
2019-05-02 Michael Saboff <msaboff@apple.com>
Unreviewed rollout of r244862.
* stress/proxy-getOwnPropertySlots-exceptionChecks.js:
2019-05-01 Saam barati <sbarati@apple.com>
Baseline JIT should do argument value profiling after checking for stack overflow
https://bugs.webkit.org/show_bug.cgi?id=197052
<rdar://problem/50009602>
Reviewed by Yusuke Suzuki.
* stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
2019-05-01 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
https://bugs.webkit.org/show_bug.cgi?id=197405
Reviewed by Saam Barati.
* stress/getter-setter-inlining-should-emit-movhint.js: Added.
(foo):
(test):
(i.o.get f):
(i.o.set f):
2019-05-01 Michael Saboff <msaboff@apple.com>
ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
https://bugs.webkit.org/show_bug.cgi?id=197485
Reviewed by Saam Barati.
New test.
* stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
(foo):
2019-05-01 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed correction to Test262 expectations following r244828.
* test262/expectations.yaml:
2019-05-01 Stephan Szabo <stephan.szabo@sony.com>
Add memory-limited skipping to some tests generating very large strings
https://bugs.webkit.org/show_bug.cgi?id=197437
Reviewed by Ross Kirsling.
* stress/StringObject-define-length-getter-rope-string-oom.js:
* stress/create-error-out-of-memory-rope-string.js:
* stress/string-16bit-repeat-overflow.js:
2019-04-30 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r244806.
https://bugs.webkit.org/show_bug.cgi?id=197446
Causing Test262 and JSC test failures on multiple builds
(Requested by ShawnRoberts on #webkit).
Reverted changeset:
"TypeArrays should not store properties that are canonical
numeric indices"
https://bugs.webkit.org/show_bug.cgi?id=197228
https://trac.webkit.org/changeset/244806
2019-04-30 Tadeu Zagallo <tzagallo@apple.com>
TypeArrays should not store properties that are canonical numeric indices
https://bugs.webkit.org/show_bug.cgi?id=197228
<rdar://problem/49557381>
Reviewed by Darin Adler.
* stress/typed-array-canonical-numeric-index-string.js: Added.
(makeTest.assert):
(makeTest):
(const.testInvalidIndices.makeTest.set assert):
(const.testInvalidIndices.makeTest):
(const.testValidIndices.makeTest.set assert):
(const.testValidIndices.makeTest):
2019-04-29 Yusuke Suzuki <ysuzuki@apple.com>
normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
https://bugs.webkit.org/show_bug.cgi?id=197362
Reviewed by Saam Barati.
* stress/map-with-nan.js: Added.
(shouldBe):
(div):
(NaN1):
(NaN2):
(NaN3):
(NaN4):
(NaN1NoInline):
(NaN2NoInline):
(NaN3NoInline):
(NaN4NoInline):
(test1):
(test2):
(test3):
(test4):
* stress/set-with-nan.js: Added.
(shouldBe):
(div):
(NaN1):
(NaN2):
(NaN3):
(NaN4):
(NaN1NoInline):
(NaN2NoInline):
(NaN3NoInline):
(NaN4NoInline):
(test2):
(test4):
2019-04-26 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r244708.
https://bugs.webkit.org/show_bug.cgi?id=197334
"Broke the debug build" (Requested by rmorisset on #webkit).
Reverted changeset:
"All prototypes should call didBecomePrototype()"
https://bugs.webkit.org/show_bug.cgi?id=196315
https://trac.webkit.org/changeset/244708
2019-04-25 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] linkPolymorphicCall now does GC
https://bugs.webkit.org/show_bug.cgi?id=197306
Reviewed by Saam Barati.
* stress/link-polymorphic-call-can-gc.js: Added.
(module):
(instance):
2019-04-26 Robin Morisset <rmorisset@apple.com>
All prototypes should call didBecomePrototype()
https://bugs.webkit.org/show_bug.cgi?id=196315
Reviewed by Saam Barati.
* stress/function-prototype-indexed-accessor.js: Added.
2019-04-23 Saam Barati <sbarati@apple.com>
LICM incorrectly assumes it'll never insert a node which provably OSR exits
https://bugs.webkit.org/show_bug.cgi?id=196721
<rdar://problem/49556479>
Reviewed by Filip Pizlo.
* stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
(foo):
2019-04-19 Saam Barati <sbarati@apple.com>
AbstractValue can represent more than int52
https://bugs.webkit.org/show_bug.cgi?id=197118
<rdar://problem/49969960>
Reviewed by Michael Saboff.
* stress/abstract-value-can-include-int52.js: Added.
(foo):
(index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
2019-04-18 Yusuke Suzuki <ysuzuki@apple.com>
[WTF] StringBuilder should set correct m_is8Bit flag when merging
https://bugs.webkit.org/show_bug.cgi?id=197053
Reviewed by Saam Barati.
* stress/merge-string-builder-in-dfg.js: Added.
(foo):
2019-04-16 Caitlin Potter <caitp@igalia.com>
[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
https://bugs.webkit.org/show_bug.cgi?id=176810
Reviewed by Saam Barati.
Add tests for the DontEnum filtering, and variations of other tests
take the DontEnum-filtering path.
* stress/proxy-own-keys.js:
(i.catch):
(set assert):
(set add):
(let.set new):
(get let):
2019-04-15 Saam barati <sbarati@apple.com>
Modify how we do SetArgument when we inline varargs calls
https://bugs.webkit.org/show_bug.cgi?id=196712
<rdar://problem/49605012>
Reviewed by Michael Saboff.
* stress/get-stack-wrong-type-when-inline-varargs.js: Added.
(foo):
2019-04-15 Saam barati <sbarati@apple.com>
SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
https://bugs.webkit.org/show_bug.cgi?id=196945
<rdar://problem/49802750>
Reviewed by Filip Pizlo.
* stress/get-by-offset-should-use-correct-child.js: Added.
(foo.bar):
(foo):
2019-04-15 Robin Morisset <rmorisset@apple.com>
DFG should be able to constant fold Object.create() with a constant prototype operand
https://bugs.webkit.org/show_bug.cgi?id=196886
Reviewed by Yusuke Suzuki.
Note that this new benchmark does not currently see a speedup with inlining removed.
The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
* microbenchmarks/object-create-constant-prototype.js: Added.
(test):
2019-04-15 Tadeu Zagallo <tzagallo@apple.com>
Incremental bytecode cache should not append function updates when loaded from memory
https://bugs.webkit.org/show_bug.cgi?id=196865
Reviewed by Filip Pizlo.
* stress/bytecode-cache-shared-code-block.js: Added.
(b):
(program):
2019-04-13 Tadeu Zagallo <tzagallo@apple.com>
CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
https://bugs.webkit.org/show_bug.cgi?id=196880
Reviewed by Yusuke Suzuki.
* stress/bytecode-cache-syntax-error.js: Added.
(catch):
2019-04-12 Saam barati <sbarati@apple.com>
r244079 logically broke shouldSpeculateInt52
https://bugs.webkit.org/show_bug.cgi?id=196884
Reviewed by Yusuke Suzuki.
* microbenchmarks/int52-rand-function.js: Added.
(Math.random):
2019-04-11 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] op_has_indexed_property should not assume subscript part is Uint32
https://bugs.webkit.org/show_bug.cgi?id=196850
Reviewed by Saam Barati.
* stress/has-indexed-property-should-accept-non-int32.js: Added.
(foo):
2019-04-11 Saam barati <sbarati@apple.com>
Remove invalid assertion in operationInstanceOfCustom
https://bugs.webkit.org/show_bug.cgi?id=196842
<rdar://problem/49725493>
Reviewed by Michael Saboff.
* stress/operationInstanceOfCustom-bad-assertion.js: Added.
2019-04-10 Saam Barati <sbarati@apple.com>
AbstractValue::validateOSREntryValue is wrong for Int52 constants
https://bugs.webkit.org/show_bug.cgi?id=196801
<rdar://problem/49771122>
Reviewed by Yusuke Suzuki.
* stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
2019-04-10 Robin Morisset <rmorisset@apple.com>
We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
https://bugs.webkit.org/show_bug.cgi?id=196746
Reviewed by Yusuke Suzuki.
* stress/cyclic-define-properties.js: Added.
(foo):
2019-04-09 Saam barati <sbarati@apple.com>
Clean up Int52 code and some bugs in it
https://bugs.webkit.org/show_bug.cgi?id=196639
<rdar://problem/49515757>
Reviewed by Yusuke Suzuki.
* stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
2019-04-09 Tadeu Zagallo <tzagallo@apple.com>
ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
https://bugs.webkit.org/show_bug.cgi?id=196708
<rdar://problem/49556803>
Reviewed by Yusuke Suzuki.
* stress/proxy-getter-stack-overflow.js: Added.
(const.handler.get target):
(const.handler.has):
(try.with):
(catch):
2019-04-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DFG should respect node's strict flag
https://bugs.webkit.org/show_bug.cgi?id=196617
Reviewed by Saam Barati.
* stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
(shouldEqual):
(makeUnwriteableUnconfigurableObject):
(runTest):
* stress/put-dynamic-var-strict-and-sloppy.js: Added.
(shouldBe):
(shouldThrow):
(with.result):
(with.putValueStrict):
(with.putValueSloppy):
2019-04-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] isRope jump in StringSlice should not jump over register allocations
https://bugs.webkit.org/show_bug.cgi?id=196716
Reviewed by Saam Barati.
* stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
(foo.bar):
(foo):
2019-04-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] to_index_string should not assume incoming value is Uint32
https://bugs.webkit.org/show_bug.cgi?id=196713
Reviewed by Saam Barati.
* stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
(foo):
2019-04-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add more tests for r243966
https://bugs.webkit.org/show_bug.cgi?id=196711
Reviewed by Saam Barati.
Adding one more test for r243966 fix. The added test will not crash after r243966.
* stress/stress-cleared-calllinkinfo.js: Added.
(runNearStackLimit.t):
(runNearStackLimit):
(repeat):
(cls):
(let.item.of.array.runNearStackLimit):
2019-04-08 Saam Barati <sbarati@apple.com>
WebAssembly.RuntimeError missing exception check
https://bugs.webkit.org/show_bug.cgi?id=196700
<rdar://problem/49693932>
Reviewed by Yusuke Suzuki.
* wasm/js-api/runtime-error-should-exception-check.js: Added.
2019-04-08 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, rolling in r243948 with test fix
https://bugs.webkit.org/show_bug.cgi?id=196486
* stress/arrow-function-and-use-strict-directive.js: Added.
* stress/arrow-function-syntax.js: Added.
(checkSyntax):
(checkSyntaxError):
2019-04-08 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r243948.
Caused inspector/runtime/parse.html to fail
Reverted changeset:
"SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
https://bugs.webkit.org/show_bug.cgi?id=196486
https://trac.webkit.org/changeset/243948
2019-04-08 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r243943.
Caused test262 failures.
Reverted changeset:
"[JSC] Filter DontEnum properties in
ProxyObject::getOwnPropertyNames()"
https://bugs.webkit.org/show_bug.cgi?id=176810
https://trac.webkit.org/changeset/243943
2019-04-07 Michael Saboff <msaboff@apple.com>
REGRESSION (r243642): Crash in reddit.com page
https://bugs.webkit.org/show_bug.cgi?id=196684
Reviewed by Geoffrey Garen.
New regression test.
* stress/regexp-nongreedy-charclass-backtracks.js: Added.
2019-04-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
https://bugs.webkit.org/show_bug.cgi?id=196683
Reviewed by Saam Barati.
* stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
(foo):
2019-04-05 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
https://bugs.webkit.org/show_bug.cgi?id=196582
Reviewed by Saam Barati.
* stress/add-overflow-check-with-three-same-registers.js: Added.
(foo):
(Number.prototype.valueOf):
(runWithNumber):
2019-04-05 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r243665.
Caused iOS JSC tests to exit with an exception.
Reverted changeset:
"Assertion failed in JSC::createError"
https://bugs.webkit.org/show_bug.cgi?id=196305
https://trac.webkit.org/changeset/243665
2019-04-05 Yusuke Suzuki <ysuzuki@apple.com>
SIGSEGV in JSC::BytecodeGenerator::addStringConstant
https://bugs.webkit.org/show_bug.cgi?id=196486
Reviewed by Saam Barati.
* stress/arrow-function-and-use-strict-directive.js: Added.
* stress/arrow-function-syntax.js: Added. Checking EOF token handling.
(checkSyntax):
(checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
2019-04-05 Caitlin Potter <caitp@igalia.com>
[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
https://bugs.webkit.org/show_bug.cgi?id=176810
Reviewed by Saam Barati.
Add tests for the DontEnum filtering, and variations of other tests
take the DontEnum-filtering path.
* stress/proxy-own-keys.js:
(i.catch):
(set assert):
(set add):
(let.set new):
(get let):
2019-04-05 Caitlin Potter <caitp@igalia.com>
[JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
https://bugs.webkit.org/show_bug.cgi?id=185211
Reviewed by Saam Barati.
This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
This changes several assertions to expect a TypeError to be thrown (in some cases,
changing thee expected message).
* es6/Proxy_ownKeys_duplicates.js:
(handler):
(shouldThrow):
(test):
* stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
(shouldThrow):
* stress/proxy-own-keys.js:
(i.catch):
(assert):
2019-04-04 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
https://bugs.webkit.org/show_bug.cgi?id=196631
Reviewed by Saam Barati.
* stress/make-bound-function-should-not-assume-int32-length.js: Added.
(assert):
(test):
(foo):
2019-04-04 Saam Barati <sbarati@apple.com>
Unreviewed. Make the test from r243906 catch the thrown exceptions.
* stress/inferred-types-regex-matches-array.js:
2019-04-04 Saam Barati <sbarati@apple.com>
createRegExpMatchesArray does not respect inferred types
https://bugs.webkit.org/show_bug.cgi?id=193287
Reviewed by Yusuke Suzuki.
This checks in the test case for 193287. This issue was discovered by
Samuel Groß of Google Project Zero.
* stress/inferred-types-regex-matches-array.js: Added.
2019-04-04 Saam barati <sbarati@apple.com>
Teach Call ICs how to call Wasm
https://bugs.webkit.org/show_bug.cgi?id=196387
Reviewed by Filip Pizlo.
* wasm/function-tests/stack-trace.js:
2019-04-04 Caio Lima <ticaiolima@gmail.com>
[JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
https://bugs.webkit.org/show_bug.cgi?id=194944
Reviewed by Keith Miller.
* stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
2019-04-04 Tadeu Zagallo <tzagallo@apple.com>
Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
https://bugs.webkit.org/show_bug.cgi?id=196409
Reviewed by Saam Barati.
* stress/bytecode-cache-cached-string-impl.js: Added.
(f):
(g):
* stress/bytecode-cache-run-string.js: Added.
2019-04-03 Robin Morisset <rmorisset@apple.com>
B3 should use associativity to optimize expression trees
https://bugs.webkit.org/show_bug.cgi?id=194081
Reviewed by Filip Pizlo.
Added three microbenchmarks:
- add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
- bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
- bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
* microbenchmarks/add-tree.js: Added.
* microbenchmarks/bit-or-tree.js: Added.
* microbenchmarks/bit-xor-tree.js: Added.
2019-04-03 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
https://bugs.webkit.org/show_bug.cgi?id=196574
Reviewed by Saam Barati.
* stress/string-index-of-exception-check.js: Added.
(blurType):
(1.forEach):
2019-03-29 Tadeu Zagallo <tzagallo@apple.com>
Assertion failed in JSC::createError
https://bugs.webkit.org/show_bug.cgi?id=196305
<rdar://problem/49387382>
Reviewed by Saam Barati.
* stress/create-error-out-of-memory-rope-string-2.js: Added.
(assert):
(catch):
2019-03-28 Saam Barati <sbarati@apple.com>
BackwardsGraph needs to consider back edges as the backward's root successor
https://bugs.webkit.org/show_bug.cgi?id=195991
Reviewed by Filip Pizlo.
* stress/map-b3-licm-infinite-loop.js: Added.
2019-03-28 Tadeu Zagallo <tzagallo@apple.com>
CodeBlock::jettison() should disallow repatching its own calls
https://bugs.webkit.org/show_bug.cgi?id=196359
<rdar://problem/48973663>
Reviewed by Saam Barati.
* stress/call-link-info-osrexit-repatch.js: Added.
(foo):
2019-03-28 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] imports-oom.js intermittently fails
https://bugs.webkit.org/show_bug.cgi?id=196373
Reviewed by Saam Barati.
imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
* wasm/lowExecutableMemory/imports-oom.js:
2019-03-27 Saam Barati <sbarati@apple.com>
validateOSREntryValue with Int52 should box the value being checked into double format
https://bugs.webkit.org/show_bug.cgi?id=196313
<rdar://problem/49306703>
Reviewed by Yusuke Suzuki.
* stress/validate-int-52-ai-state.js: Added.
2019-03-27 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Owner of watchpoints should validate at GC finalizing phase
https://bugs.webkit.org/show_bug.cgi?id=195827
Reviewed by Filip Pizlo.
* stress/gc-should-reap-dead-watchpoints.js: Added.
(foo):
(A.prototype.y):
(A):
2019-03-26 Dominik Infuehr <dinfuehr@igalia.com>
Skip WebAssembly test on 32-bit systems
https://bugs.webkit.org/show_bug.cgi?id=196206
Reviewed by Saam Barati.
Invoking runDefault executes test immediately even though
that test should be skipped due to missing WASM support.
Therefore remove runDefault.
* wasm/regress/web-assembly-link-error-exception-check.js:
2019-03-26 Tadeu Zagallo <tzagallo@apple.com>
WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
https://bugs.webkit.org/show_bug.cgi?id=196217
Reviewed by Saam Barati.
Re-enable all NaN tests for f32.min, f64.min and f64.max.
* wasm/spec-tests/f32.wast.js:
* wasm/spec-tests/f64.wast.js:
* wasm/wasm.json:
2019-03-25 Keith Miller <keith_miller@apple.com>
ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
https://bugs.webkit.org/show_bug.cgi?id=196176
Reviewed by Saam Barati.
* stress/object-is-fold-to-compare-eq-ptr.js: Added.
(main.v10):
(main):
2019-03-25 Tadeu Zagallo <tzagallo@apple.com>
WebAssembly: f32.max with NaN generates incorrect result
https://bugs.webkit.org/show_bug.cgi?id=175691
<rdar://problem/33952228>
Reviewed by Saam Barati.
Enable all f32.max NaN tests
* wasm/spec-tests/f32.wast.js:
* wasm/wasm.json:
2019-03-24 Dominik Infuehr <dinfuehr@igalia.com>
[JSC] Move test into directory for WASM tests
https://bugs.webkit.org/show_bug.cgi?id=196187
Reviewed by Mark Lam.
Move Test into wasm-directory. Otherwise this test
is also executed on systems without WASM support.
* wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
2019-03-23 Mark Lam <mark.lam@apple.com>
Rolling out r243032 and r243071 because the fix is incorrect.
https://bugs.webkit.org/show_bug.cgi?id=195892
<rdar://problem/48981239>
Not reviewed.
* stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
2019-03-22 Mark Lam <mark.lam@apple.com>
Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
https://bugs.webkit.org/show_bug.cgi?id=196154
<rdar://problem/49145307>
Reviewed by Filip Pizlo.
Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
There's no need to run this test on more than 1 test configuration.
* stress/typed-array-lastIndexOf-exception-check.js: Added.
* stress/web-assembly-link-error-exception-check.js:
2019-03-22 Mark Lam <mark.lam@apple.com>
Placate exception check validation in constructJSWebAssemblyLinkError().
https://bugs.webkit.org/show_bug.cgi?id=196152
<rdar://problem/49145257>
Reviewed by Michael Saboff.
* stress/web-assembly-link-error-exception-check.js: Added.
2019-03-22 Dominik Infuehr <dinfuehr@igalia.com>
Skip tests running out of memory on ARM/MIPS
https://bugs.webkit.org/show_bug.cgi?id=196131
Unreviewed. Skip test if memory is limited.
* microbenchmarks/put-by-val-direct-large-index.js:
2019-03-21 Mark Lam <mark.lam@apple.com>
Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
https://bugs.webkit.org/show_bug.cgi?id=196116
<rdar://problem/48976951>
Reviewed by Filip Pizlo.
* stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
2019-03-21 Tadeu Zagallo <tzagallo@apple.com>
JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
https://bugs.webkit.org/show_bug.cgi?id=196078
<rdar://problem/35925380>
Reviewed by Mark Lam.
Add a new benchmark that allocates several objects and invokes put_by_val_direct
with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
* microbenchmarks/put-by-val-direct-large-index.js: Added.
2019-03-21 Mark Lam <mark.lam@apple.com>
Placate exception check validation in operationArrayIndexOfString().
https://bugs.webkit.org/show_bug.cgi?id=196067
<rdar://problem/49056572>
Reviewed by Michael Saboff.
* stress/string-equal-exception-check.js: Added.
2019-03-21 Mark Lam <mark.lam@apple.com>
Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
https://bugs.webkit.org/show_bug.cgi?id=196055
<rdar://problem/49067448>
Reviewed by Yusuke Suzuki.
* stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
2019-03-20 Saam Barati <sbarati@apple.com>
typeOfDoubleSum is wrong for when NaN can be produced
https://bugs.webkit.org/show_bug.cgi?id=196030
Reviewed by Filip Pizlo.
* stress/double-add-sub-mul-can-produce-nan.js: Added.
(assert):
(noInline.sub):
(noInline):
(assert.mul):
(assert.add):
2019-03-20 Yusuke Suzuki <ysuzuki@apple.com>
Update the test to ensure OutOfMemoryError is thrown as intended
https://bugs.webkit.org/show_bug.cgi?id=196032
<rdar://problem/46842740>
Rubber stamped by Saam Barati.
* stress/create-error-out-of-memory-rope-string.js:
(assert):
(catch):
2019-03-20 Tadeu Zagallo <tzagallo@apple.com>
JSC::createError needs to check for OOM in errorDescriptionForValue
https://bugs.webkit.org/show_bug.cgi?id=196032
<rdar://problem/46842740>
Reviewed by Mark Lam.
* stress/create-error-out-of-memory-rope-string.js: Added.
2019-03-19 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, reduce # of iterations to avoid timing out after r242991
https://bugs.webkit.org/show_bug.cgi?id=195791
To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
* stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
2019-03-19 Caio Lima <ticaiolima@gmail.com>
[JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
https://bugs.webkit.org/show_bug.cgi?id=195950
Unreviewed, reducing the amount of memory used on this test to avoid
OOM on devices with memory restrictions.
* microbenchmarks/generate-multiple-llint-entrypoints.js:
2019-03-19 Caio Lima <ticaiolima@gmail.com>
[JSC] LLIntEntryPoint creates same DirectJITCode for all functions
https://bugs.webkit.org/show_bug.cgi?id=194648
Reviewed by Keith Miller.
* microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
2019-03-18 Mark Lam <mark.lam@apple.com>
Missing a ThrowScope release in JSObject::toString().
https://bugs.webkit.org/show_bug.cgi?id=195893
<rdar://problem/48970986>
Reviewed by Michael Saboff.
* stress/to-string-exception-check-release.js: Added.
2019-03-18 Mark Lam <mark.lam@apple.com>
Structure::flattenDictionary() should clear unused property slots.
https://bugs.webkit.org/show_bug.cgi?id=195871
<rdar://problem/48959497>
Reviewed by Michael Saboff.
* stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
2019-03-15 Mark Lam <mark.lam@apple.com>
Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
https://bugs.webkit.org/show_bug.cgi?id=195827
<rdar://problem/48845513>
Reviewed by Filip Pizlo.
* stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
2019-03-15 Dominik Infuehr <dinfuehr@igalia.com>
[ARM,MIPS] Skip slow tests
https://bugs.webkit.org/show_bug.cgi?id=195799
Unreviewed, test does not finish on ARM and MIPS within the
timeout limit.
* stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
2019-03-14 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
https://bugs.webkit.org/show_bug.cgi?id=195791
<rdar://problem/48806130>
Reviewed by Mark Lam.
* stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
(foo):
2019-03-14 Saam barati <sbarati@apple.com>
We can't remove code after ForceOSRExit until after FixupPhase
https://bugs.webkit.org/show_bug.cgi?id=186916
<rdar://problem/41396612>
Reviewed by Yusuke Suzuki.
* stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
(foo):
* stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
(foo):
2019-03-13 Michael Saboff <msaboff@apple.com>
ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
https://bugs.webkit.org/show_bug.cgi?id=195735
Reviewed by Mark Lam.
New regression test.
* stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
(foo):
(bar):
2019-03-14 Saam barati <sbarati@apple.com>
Fixup uses KnownInt32 incorrectly in some nodes
https://bugs.webkit.org/show_bug.cgi?id=195279
<rdar://problem/47915654>
Reviewed by Yusuke Suzuki.
* stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
(foo):
2019-03-14 Keith Miller <keith_miller@apple.com>
DFG liveness can't skip tail caller inline frames
https://bugs.webkit.org/show_bug.cgi?id=195715
Reviewed by Saam Barati.
* stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
(i.foo):
2019-03-13 Mark Lam <mark.lam@apple.com>
Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
https://bugs.webkit.org/show_bug.cgi?id=195415
Not reviewed.
Changed these tests to only run the default configuration.
The ftl-no-cjit-validate-sampling-profiler variant was timing out.
There's no strong need to run this test on that variant.
* stress/dfg-to-string-on-int-does-gc.js:
* stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
2019-03-13 Dominik Infuehr <dinfuehr@igalia.com>
String overflow when using StringBuilder in JSC::createError
https://bugs.webkit.org/show_bug.cgi?id=194957
Reviewed by Mark Lam.
Add test string-overflow-createError-bulder.js that overflows
StringBuilder in notAFunctionSourceAppender. The second new test
string-overflow-createError-fit.js has an error message that doesn't
overflow, it still failed since the String's capacity can't be doubled.
Run test string-overflow-createError.js only in the default
configuration to reduce memory consumption when running the test
in all configurations on multiple CPUs in parallel.
* stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
(catch):
* stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
(catch):
* stress/string-overflow-createError.js:
2019-03-12 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] OSR entry should respect abstract values in addition to flush formats
https://bugs.webkit.org/show_bug.cgi?id=195653
Reviewed by Mark Lam.
* stress/osr-entry-locals-none.js: Added.
2019-03-12 Michael Saboff <msaboff@apple.com>
REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
https://bugs.webkit.org/show_bug.cgi?id=195613
Reviewed by Mark Lam.
New regression test.
* stress/regexp-backref-inbounds.js: Added.
(testRegExp):
2019-03-12 Mark Lam <mark.lam@apple.com>
The HasIndexedProperty node does GC.
https://bugs.webkit.org/show_bug.cgi?id=195559
<rdar://problem/48767923>
Reviewed by Yusuke Suzuki.
* stress/HasIndexedProperty-does-gc.js: Added.
2019-03-11 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement "~" unary operation
https://bugs.webkit.org/show_bug.cgi?id=182216
Reviewed by Keith Miller.
* stress/big-int-bit-not-general.js: Added.
* stress/big-int-bitwise-not-jit.js: Added.
* stress/big-int-bitwise-not-wrapped-value.js: Added.
* stress/bit-op-with-object-returning-int32.js:
* stress/bitwise-not-fixup-rules.js: Added.
* stress/value-bit-not-ai-rule.js: Added.
2019-03-10 Ross Kirsling <ross.kirsling@sony.com>
Invalid flags in a RegExp literal should be an early SyntaxError
https://bugs.webkit.org/show_bug.cgi?id=195514
Reviewed by Darin Adler.
* test262/expectations.yaml:
Mark 4 test cases as passing.
* stress/regexp-syntax-error-invalid-flags.js:
* stress/regress-161995.js: Removed.
Update existing test, merging in an older test for the same behavior.
2019-03-08 Mark Lam <mark.lam@apple.com>
Stack overflow crash in JSC::JSObject::hasInstance.
https://bugs.webkit.org/show_bug.cgi?id=195458
<rdar://problem/48710195>
Reviewed by Yusuke Suzuki.
* stress/stack-overflow-in-custom-hasInstance.js: Added.
2019-03-08 Tadeu Zagallo <tzagallo@apple.com>
op_check_tdz does not def its argument
https://bugs.webkit.org/show_bug.cgi?id=192880
<rdar://problem/46221598>
Reviewed by Saam Barati.
* microbenchmarks/let-for-in.js: Added.
(foo):
2019-03-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
https://bugs.webkit.org/show_bug.cgi?id=195429
Reviewed by Saam Barati.
* stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
(foo):
* stress/string-from-char-code-255.js: Added.
2019-03-06 Mark Lam <mark.lam@apple.com>
Fix incorrect handling of try-finally completion values.
https://bugs.webkit.org/show_bug.cgi?id=195131
<rdar://problem/46222079>
Reviewed by Saam Barati and Yusuke Suzuki.
Added many permutations of new test case to test-finally.js. test-finally.js has
been run on Chrome and Firefox as a sanity check, and we confirmed that all the
tests passes there as well.
* stress/test-finally.js:
2019-03-06 Saam Barati <sbarati@apple.com>
Air::reportUsedRegisters must padInterference
https://bugs.webkit.org/show_bug.cgi?id=195303
<rdar://problem/48270343>
Reviewed by Keith Miller.
* stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
2019-03-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] AI should not propagate AbstractValue relying on constant folding phase
https://bugs.webkit.org/show_bug.cgi?id=195375
Reviewed by Saam Barati.
* stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
(let.array):
2019-03-05 Saam barati <sbarati@apple.com>
op_switch_char broken for rope strings after JSRopeString layout rewrite
https://bugs.webkit.org/show_bug.cgi?id=195339
<rdar://problem/48592545>
Reviewed by Yusuke Suzuki.
* stress/switch-on-char-llint-rope.js: Added.
2019-03-04 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Store bits for JSRopeString in 3 stores
https://bugs.webkit.org/show_bug.cgi?id=195234
Reviewed by Saam Barati.
* stress/null-rope-and-collectors.js: Added.
2019-03-01 Dominik Infuehr <dinfuehr@igalia.com>
Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
https://bugs.webkit.org/show_bug.cgi?id=195207
Unreviewed. After test runtime was reduced in r242213, test can be
run again on ARM/MIPS.
* stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2019-02-28 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] sizeof(JSString) should be 16
https://bugs.webkit.org/show_bug.cgi?id=194375
Reviewed by Saam Barati.
* microbenchmarks/make-rope.js: Added.
(makeRope):
* stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
(returnRope.helper): Deleted.
(returnRope): Deleted.
2019-02-28 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
https://bugs.webkit.org/show_bug.cgi?id=195144
1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
Change the number from 1e8 to 1e5.
* stress/read-dead-bytecode-locals-in-must-handle-values2.js:
(foo):
2019-02-28 Dominik Infuehr <dinfuehr@igalia.com>
Test times out on ARM/MIPS
https://bugs.webkit.org/show_bug.cgi?id=195168
Unreviewed. Skip test on ARM/MIPS.
* stress/read-dead-bytecode-locals-in-must-handle-values2.js:
2019-02-27 Mark Lam <mark.lam@apple.com>
The parser is failing to record the token location of new in new.target.
https://bugs.webkit.org/show_bug.cgi?id=195127
<rdar://problem/39645578>
Reviewed by Yusuke Suzuki.
* stress/parser-should-record-token-location-of-new-dot-target.js: Added.
2019-02-27 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
https://bugs.webkit.org/show_bug.cgi?id=195144
<rdar://problem/47595961>
Reviewed by Mark Lam.
* stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
(bar):
(foo):
* stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
(bar):
(foo):
2019-02-27 Robin Morisset <rmorisset@apple.com>
DFG: Loop-invariant code motion (LICM) should not hoist dead code
https://bugs.webkit.org/show_bug.cgi?id=194945
<rdar://problem/48311657>
Reviewed by Mark Lam.
* stress/licm-dead-code.js: Added.
2019-02-26 Yusuke Suzuki <ysuzuki@apple.com>
REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
https://bugs.webkit.org/show_bug.cgi?id=194677
<rdar://problem/48112492>
Reviewed by Mark Lam.
Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
it immediately fails due the large size.
After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
OOM error anyway because JSON.stringify's builder overflows with such a large string input.
This patch changes the test to produce 16bit string from String.fromCharCode.
* stress/regress-178386.js:
2019-02-26 Mark Lam <mark.lam@apple.com>
wasmToJS() should purify incoming NaNs.
https://bugs.webkit.org/show_bug.cgi?id=194807
<rdar://problem/48189132>
Reviewed by Saam Barati.
* wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
2019-02-26 Guillaume Emont <guijemont@igalia.com>
[JSC] Repeat string created from Array.prototype.join() take too much memory
https://bugs.webkit.org/show_bug.cgi?id=193912
Reviewed by Saam Barati.
Added a test and a microbenchmark for corner cases of
Array.prototype.join() with an uninitialized array.
* microbenchmarks/array-prototype-join-uninitialized.js: Added.
* stress/array-prototype-join-uninitialized.js: Added.
(testArray):
(testABC):
(B):
(C):
2019-02-22 Robin Morisset <rmorisset@apple.com>
DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
https://bugs.webkit.org/show_bug.cgi?id=194953
<rdar://problem/47595253>
Reviewed by Saam Barati.
I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
* stress/has-indexed-property-with-worsening-array-mode.js: Added.
2019-02-19 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
https://bugs.webkit.org/show_bug.cgi?id=172848
<rdar://problem/25709212>
Reviewed by Mark Lam.
* typeProfiler/inheritance.js:
Rewrite the test slightly for clarity. The hoisting was confusing.
* heapProfiler/class-names.js: Added.
(MyES5Class):
(MyES6Class):
(MyES6Subclass):
Test object types and improved class names.
* heapProfiler/driver/driver.js:
(CheapHeapSnapshotNode):
(CheapHeapSnapshot):
(createCheapHeapSnapshot):
(HeapSnapshot):
(createHeapSnapshot):
Update snapshot parsing from version 1 to version 2.
2019-02-19 Truitt Savell <tsavell@apple.com>
Unreviewed, rolling out r241784.
Broke all OpenSource builds.
Reverted changeset:
"Web Inspector: Improve ES6 Class instances in Heap Snapshot
instances view"
https://bugs.webkit.org/show_bug.cgi?id=172848
https://trac.webkit.org/changeset/241784
2019-02-19 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
https://bugs.webkit.org/show_bug.cgi?id=172848
<rdar://problem/25709212>
Reviewed by Mark Lam.
* typeProfiler/inheritance.js:
Rewrite the test slightly for clarity. The hoisting was confusing.
* heapProfiler/class-names.js: Added.
(MyES5Class):
(MyES6Class):
(MyES6Subclass):
Test object types and improved class names.
* heapProfiler/driver/driver.js:
(CheapHeapSnapshotNode):
(CheapHeapSnapshot):
(createCheapHeapSnapshot):
(HeapSnapshot):
(createHeapSnapshot):
Update snapshot parsing from version 1 to version 2.
2019-02-18 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Fix crash with sampling profiler
https://bugs.webkit.org/show_bug.cgi?id=194772
Reviewed by Mark Lam.
Do not skip test since crash with sampling profiler is now fixed.
* stress/sampling-profiler-richards.js:
2019-02-18 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Add LazyClassStructure::getInitializedOnMainThread
https://bugs.webkit.org/show_bug.cgi?id=194784
<rdar://problem/48154820>
Reviewed by Mark Lam.
* stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
(getProperties):
(getRandomProperty):
(i.catch):
2019-02-18 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Test gardening: Test running out of executable memory
https://bugs.webkit.org/show_bug.cgi?id=194771
Unreviewed. Do not run test without LLInt, test is running out of executable
memory on ARM otherwise.
* stress/tagged-template-object-collect.js:
2019-02-18 Tomas Popela <tpopela@redhat.com>
Unreviewed, skip the test on platforms without sampling profiler
* stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
(platformSupportsSamplingProfiler.foo):
(platformSupportsSamplingProfiler.test):
(platformSupportsSamplingProfiler):
(foo): Deleted.
(test): Deleted.
2019-02-17 Saam Barati <sbarati@apple.com>
Deadlock when adding a Structure property transition and then doing incremental marking
https://bugs.webkit.org/show_bug.cgi?id=194767
Reviewed by Mark Lam.
* stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
2019-02-15 Michael Saboff <msaboff@apple.com>
RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
https://bugs.webkit.org/show_bug.cgi?id=194558
Reviewed by Saam Barati.
New regression test.
* stress/regexp-unicode-within-string.js: Added.
2019-02-15 Mark Lam <mark.lam@apple.com>
SamplingProfiler::stackTracesAsJSON() should escape strings.
https://bugs.webkit.org/show_bug.cgi?id=194649
<rdar://problem/48072386>
Reviewed by Saam Barati.
* stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
* stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
* stress/type-profiler-with-double-quote-in-field-name.js: Added.
* stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
2019-02-15 Robin Morisset <rmorisset@apple.com>
CodeBlock::jettison should clear related watchpoints
https://bugs.webkit.org/show_bug.cgi?id=194544
Reviewed by Mark Lam.
* stress/regexp-replace-double-watchpoint.js: Added.
(foo):
2019-02-15 Saam barati <sbarati@apple.com>
[WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
https://bugs.webkit.org/show_bug.cgi?id=194036
Reviewed by Yusuke Suzuki.
* stress/tail-call-many-arguments.js: Added.
(foo):
(bar):
2019-02-14 Saam Barati <sbarati@apple.com>
Cache the results of BytecodeGenerator::getVariablesUnderTDZ
https://bugs.webkit.org/show_bug.cgi?id=194583
<rdar://problem/48028140>
Reviewed by Yusuke Suzuki.
* microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
2019-02-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] String.fromCharCode's slow path always generates 16bit string
https://bugs.webkit.org/show_bug.cgi?id=194466
Reviewed by Keith Miller.
* stress/string-from-char-code-slow-path.js: Added.
(shouldBe):
(testWithLength):
2019-02-08 Saam barati <sbarati@apple.com>
Nodes that rely on being dominated by CheckInBounds should have a child edge to it
https://bugs.webkit.org/show_bug.cgi?id=194334
<rdar://problem/47844327>
Reviewed by Mark Lam.
* stress/check-in-bounds-should-be-a-child-use.js: Added.
(func):
2019-02-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
https://bugs.webkit.org/show_bug.cgi?id=194369
<rdar://problem/47813087>
Reviewed by Saam Barati.
* stress/initialize-entrypoint-arguments-with-tdz.js: Added.
(A):
2019-02-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] PrivateName to PublicName hash table is wasteful
https://bugs.webkit.org/show_bug.cgi?id=194277
Reviewed by Michael Saboff.
This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
* ChakraCore.yaml:
2019-02-05 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Test running out of executable memory
https://bugs.webkit.org/show_bug.cgi?id=194285
Unreviewed. Do no execute test with LLInt disabled, test runs out of
executable memory otherwise.
* stress/class-subclassing-function.js:
2019-02-04 Robin Morisset <rmorisset@apple.com>
when lowering AssertNotEmpty, create the value before creating the patchpoint
https://bugs.webkit.org/show_bug.cgi?id=194231
Reviewed by Saam Barati.
This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
So even tiny changes to this test can change the path code taken.
* stress/assert-not-empty.js: Added.
(foo):
2019-02-01 Mark Lam <mark.lam@apple.com>
Remove invalid assertion in DFG's compileDoubleRep().
https://bugs.webkit.org/show_bug.cgi?id=194130
<rdar://problem/47699474>
Reviewed by Saam Barati.
* stress/constant-fold-double-rep-into-double-constant.js: Added.
2019-01-30 Ross Kirsling <ross.kirsling@sony.com>
Import latest Test262 updates.
Rubber-stamped by Keith Miller.
* test262.yaml: Deleted.
* test262/config.yaml:
* test262/expectations.yaml:
* test262/latest-changes-summary.txt:
* test262/test/:
* test262/test262-Revision.txt:
2019-01-30 Robin Morisset <rmorisset@apple.com>
Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
https://bugs.webkit.org/show_bug.cgi?id=194050
<rdar://problem/47595592>
Reviewed by Yusuke Suzuki.
* stress/object-keys-osr-exit.js: Added.
(foo):
(catch):
2019-01-29 Mark Lam <mark.lam@apple.com>
ValueRecovery::recover() should purify NaN values it recovers.
https://bugs.webkit.org/show_bug.cgi?id=193978
<rdar://problem/47625488>
Reviewed by Saam Barati.
* stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
2019-01-28 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
https://bugs.webkit.org/show_bug.cgi?id=193713
* stress/try-get-by-id-should-spill-registers-dfg.js:
(let.f.createBuiltin):
2019-01-28 Mark Lam <mark.lam@apple.com>
ToString node actually does GC.
https://bugs.webkit.org/show_bug.cgi?id=193920
<rdar://problem/46695900>
Reviewed by Yusuke Suzuki.
* stress/dfg-to-string-on-int-does-gc.js: Added.
* stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
* stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
2019-01-25 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] NativeErrorConstructor should not have own IsoSubspace
https://bugs.webkit.org/show_bug.cgi?id=193713
Reviewed by Saam Barati.
Remove @Error use.
* stress/try-get-by-id-should-spill-registers-dfg.js:
(let.f.createBuiltin):
2019-01-24 Yusuke Suzuki <ysuzuki@apple.com>
stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
https://bugs.webkit.org/show_bug.cgi?id=190693
Reviewed by Michael Saboff.
* stress/regress-190693.js: Added.
(truth):
(assert):
(shouldThrowInvalidConstAssignment):
(taz):
2019-01-24 Saam Barati <sbarati@apple.com>
Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
https://bugs.webkit.org/show_bug.cgi?id=193751
<rdar://problem/47280215>
Reviewed by Michael Saboff.
* stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
(let.thing):
(foo.let.hello):
(foo):
2019-01-24 Guillaume Emont <guijemont@igalia.com>
[JSC] Reenable baseline JIT on mips
https://bugs.webkit.org/show_bug.cgi?id=192983
Reviewed by Mark Lam.
Added a new test for a case that was triggering a RELEASE_ASSERT when
testing.
Disable some slow tests that were already disabled for arm and x86.
* stress/json-parse-big-object.js: Added.
* stress/new-largeish-contiguous-array-with-size.js:
* stress/op_add.js:
* stress/op_bitand.js:
* stress/op_bitor.js:
* stress/op_bitxor.js:
* stress/op_lshift-ConstVar.js:
* stress/op_lshift-VarConst.js:
* stress/op_lshift-VarVar.js:
* stress/op_mod-ConstVar.js:
* stress/op_mod-VarConst.js:
* stress/op_mod-VarVar.js:
* stress/op_mul-ConstVar.js:
* stress/op_mul-VarConst.js:
* stress/op_mul-VarVar.js:
* stress/op_rshift-ConstVar.js:
* stress/op_rshift-VarConst.js:
* stress/op_rshift-VarVar.js:
* stress/op_sub-ConstVar.js:
* stress/op_sub-VarConst.js:
* stress/op_sub-VarVar.js:
* stress/op_urshift-ConstVar.js:
* stress/op_urshift-VarConst.js:
* stress/op_urshift-VarVar.js:
* stress/sampling-profiler-richards.js:
* stress/spread-forward-call-varargs-stack-overflow.js:
2019-01-23 Yusuke Suzuki <ysuzuki@apple.com>
[DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
https://bugs.webkit.org/show_bug.cgi?id=193711
<rdar://problem/47250262>
Reviewed by Saam Barati.
* stress/availability-was-cleared-when-locals-are-not-live.js: Added.
(shouldBe):
(foo):
(bar):
(baz):
2019-01-22 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, fix initial global lexical binding epoch
https://bugs.webkit.org/show_bug.cgi?id=193603
<rdar://problem/47380869>
* stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
(f1.f2.f3.f4):
(f1.f2.f3):
(f1.f2):
(f1):
2019-01-22 Yusuke Suzuki <ysuzuki@apple.com>
REGRESSION(r239612) Crash at runtime due to broken DFG assumption
https://bugs.webkit.org/show_bug.cgi?id=193709
<rdar://problem/47363838>
Unreviewed, rollout to watch the tests.
* stress/object-tostring-changed-proto.js: Removed.
* stress/object-tostring-changed.js: Removed.
* stress/object-tostring-misc.js: Removed.
* stress/object-tostring-other.js: Removed.
* stress/object-tostring-untyped.js: Removed.
2019-01-22 Saam Barati <sbarati@apple.com>
Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
* stress/arith-abs-to-arith-negate-range-optimizaton.js:
(testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
(testUncheckedLessThanZero):
(testUncheckedLessThanOrEqualZero):
* stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
* stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
2019-01-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Invalidate old scope operations using global lexical binding epoch
https://bugs.webkit.org/show_bug.cgi?id=193603
<rdar://problem/47380869>
Reviewed by Saam Barati.
* stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
* stress/scope-operation-cache-global-property-before-deleting.js: Added.
(shouldThrow):
(bar):
* stress/scope-operation-cache-global-property-bump-counter.js: Added.
(shouldBe):
(get1):
(get2):
(get1If):
(get2If):
* stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
(shouldThrow):
(foo):
2019-01-21 Yusuke Suzuki <ysuzuki@apple.com>
Unreviewed, roll out r240220 due to date-format-xparb regression
https://bugs.webkit.org/show_bug.cgi?id=193603
* stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
* stress/scope-operation-cache-global-property-before-deleting.js: Removed.
* stress/scope-operation-cache-global-property-bump-counter.js: Removed.
* stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
2019-01-21 Caio Lima <ticaiolima@gmail.com>
DoesGC rule is wrong for nodes with BigIntUse
https://bugs.webkit.org/show_bug.cgi?id=193652
Reviewed by Saam Barati.
* stress/big-int-value-op-update-gc-rules.js: Added.
(assert):
(doesGCAdd):
(doesGCSub):
(doesGCDiv):
(doesGCMul):
(doesGCBitAnd):
(doesGCBitOr):
(doesGCBitXor):
2019-01-20 Saam Barati <sbarati@apple.com>
DFG: When inlining DataView set* intrinsics we need to set undefined as our result
https://bugs.webkit.org/show_bug.cgi?id=193644
<rdar://problem/46209745>
Reviewed by Yusuke Suzuki.
* stress/data-view-set-intrinsic-undefined-result-2.js: Added.
(foo):
* stress/data-view-set-intrinsic-undefined-result.js: Added.
(foo):
(bar):
2019-01-20 Saam Barati <sbarati@apple.com>
MovHint must merge NodeBytecodeUsesAsValue for its child
https://bugs.webkit.org/show_bug.cgi?id=186916
<rdar://problem/41396612>
Reviewed by Yusuke Suzuki.
* stress/arith-abs-to-arith-negate-range-optimizaton.js:
* stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
2019-01-20 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Invalidate old scope operations using global lexical binding epoch
https://bugs.webkit.org/show_bug.cgi?id=193603
<rdar://problem/47380869>
Reviewed by Saam Barati.
* stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
* stress/scope-operation-cache-global-property-before-deleting.js: Added.
(shouldThrow):
(bar):
* stress/scope-operation-cache-global-property-bump-counter.js: Added.
(shouldBe):
(get1):
(get2):
(get1If):
(get2If):
* stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
(shouldThrow):
(foo):
2019-01-17 Saam barati <sbarati@apple.com>
StringObjectUse should not be a structure check for the original string object structure
https://bugs.webkit.org/show_bug.cgi?id=193483
<rdar://problem/47280522>
Reviewed by Yusuke Suzuki.
* stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
(foo):
(a.valueOf.0):
2019-01-17 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] ToThis omission in DFGByteCodeParser is wrong
https://bugs.webkit.org/show_bug.cgi?id=193513
<rdar://problem/45842236>
Reviewed by Saam Barati.
* stress/to-this-omission-with-different-strict-modes.js: Added.
(thisA):
(thisAStrictWrapper):
2019-01-15 Mark Lam <mark.lam@apple.com>
JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
https://bugs.webkit.org/show_bug.cgi?id=193423
<rdar://problem/46209355>
Reviewed by Saam Barati.
* microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
* stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
* stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
* stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
2019-01-15 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
https://bugs.webkit.org/show_bug.cgi?id=193438
<rdar://problem/45581249>
Reviewed by Saam Barati and Keith Miller.
Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
Then, GetByVal(String) crashed.
* stress/string-get-by-val-lowering.js: Added.
(shouldBe):
(test):
* stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
(Hello):
(foo):
2019-01-15 Tomas Popela <tpopela@redhat.com>
Unreviewed, skip JIT tests if it's not enabled
* stress/bit-op-with-object-returning-int32.js:
2019-01-15 Caio Lima <ticaiolima@gmail.com>
DFGByteCodeParser rules for bitwise operations should consider type of their operands
https://bugs.webkit.org/show_bug.cgi?id=192966
Reviewed by Yusuke Suzuki.
* stress/bit-op-with-object-returning-int32.js: Added.
2019-01-15 Guillaume Emont <guijemont@igalia.com>
Skip a slow test and a flakey test on arm
Unreviewed gardening.
* typeProfiler/getter-richards.js:
this test always times out, it used to be always skipped on arm and
mips, but got accidentally enabled by r237919 now that we have DFG on
arm. Also skipping on mips as we plan to soon enable DFG for it too.
2019-01-14 Keith Miller <keith_miller@apple.com>
Skip type-check-hoisting-phase-hoist... with no jit
https://bugs.webkit.org/show_bug.cgi?id=193421
Reviewed by Mark Lam.
It's timing out the 32-bit bots and takes 330 seconds
on my machine when run by itself.
* stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
2019-01-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] AI should check the given constant's array type when folding GetByVal into constant
https://bugs.webkit.org/show_bug.cgi?id=193413
<rdar://problem/46092389>
Reviewed by Keith Miller.
This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
but GetByVal does not have appropriate ArrayModes, JSC crashes.
* stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
(compareArray):
2019-01-14 Caio Lima <ticaiolima@gmail.com>
[BigInt] Literal parsing is crashing when used inside a Object Literal
https://bugs.webkit.org/show_bug.cgi?id=193404
Reviewed by Yusuke Suzuki.
* stress/big-int-literal-inside-literal-object.js: Added.
2019-01-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
https://bugs.webkit.org/show_bug.cgi?id=193372
Reviewed by Saam Barati.
* stress/typed-array-array-modes-profile.js: Added.
(foo):
2019-01-14 Mark Lam <mark.lam@apple.com>
Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
https://bugs.webkit.org/show_bug.cgi?id=193402
<rdar://problem/46012309>
Reviewed by Keith Miller.
* stress/regexp-compile-oom.js:
- Skip this test for !$jitTests because it is tuned for stack usage when the JIT
is enabled. As a result, it will fail on cloop builds though there is no bug.
2019-01-11 Saam barati <sbarati@apple.com>
DFG combined liveness can be wrong for terminal basic blocks
https://bugs.webkit.org/show_bug.cgi?id=193304
<rdar://problem/45268632>
Reviewed by Yusuke Suzuki.
* stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
2019-01-11 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
https://bugs.webkit.org/show_bug.cgi?id=193308
<rdar://problem/45546542>
Reviewed by Saam Barati.
* stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
(shouldThrow):
(shouldBe):
(foo):
(get shouldThrow):
* stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
(shouldThrow):
(shouldBe):
(foo):
(get shouldBe):
(get shouldThrow):
(get return):
* stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
(shouldThrow):
(shouldBe):
(foo):
(get shouldBe):
(get shouldThrow):
* stress/const-lexical-binding-shadow-existing-global-property.js: Added.
(shouldThrow):
(shouldBe):
(foo):
* stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
(shouldThrow):
(shouldBe):
(foo):
* stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
(shouldThrow):
* stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
(shouldThrow):
* stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
(shouldThrow):
(shouldBe):
(foo):
* stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
(shouldThrow):
(shouldBe):
(foo):
(get shouldBe):
(get shouldThrow):
(get return):
* stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
(shouldThrow):
(shouldBe):
(foo):
(get shouldBe):
(get shouldThrow):
* stress/let-lexical-binding-shadow-existing-global-property.js: Added.
(shouldThrow):
(shouldBe):
(foo):
* stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
(shouldThrow):
(shouldBe):
(foo):
2019-01-11 Dominik Infuehr <dinfuehr@igalia.com>
Enable DFG on ARM/Linux again
https://bugs.webkit.org/show_bug.cgi?id=192496
Reviewed by Yusuke Suzuki.
Test wasn't really skipped before moving the line with skip
to the top.
* stress/regress-192717.js:
2019-01-10 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r239825.
https://bugs.webkit.org/show_bug.cgi?id=193330
Broke tests on armv7/linux bots (Requested by guijemont on
#webkit).
Reverted changeset:
"Enable DFG on ARM/Linux again"
https://bugs.webkit.org/show_bug.cgi?id=192496
https://trac.webkit.org/changeset/239825
2019-01-10 Dominik Infuehr <dinfuehr@igalia.com>
Enable DFG on ARM/Linux again
https://bugs.webkit.org/show_bug.cgi?id=192496
Reviewed by Yusuke Suzuki.
Test wasn't really skipped before moving the line with skip
to the top.
* stress/regress-192717.js:
2019-01-08 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
https://bugs.webkit.org/show_bug.cgi?id=193127
Reviewed by Saam Barati.
* stress/array-species-create-should-handle-masquerader.js: Added.
(shouldThrow):
* stress/is-undefined-or-null-builtin.js: Added.
(shouldBe):
(isUndefinedOrNull.vm.createBuiltin):
2019-01-08 Tadeu Zagallo <tzagallo@apple.com>
LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
https://bugs.webkit.org/show_bug.cgi?id=193221
Reviewed by Mark Lam.
* stress/put-by-id-flags.js: Added.
(f):
(g):
(numberOfDFGCompiles):
2019-01-04 Tadeu Zagallo <tzagallo@apple.com>
Baseline version of get_by_id may corrupt metadata
https://bugs.webkit.org/show_bug.cgi?id=193085
<rdar://problem/23453006>
Reviewed by Saam Barati.
* stress/get-by-id-change-mode.js: Added.
(forEach):
2019-01-02 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Optimize Object.prototype.toString
https://bugs.webkit.org/show_bug.cgi?id=193031
Reviewed by Saam Barati.
* stress/object-tostring-changed-proto.js: Added.
(shouldBe):
(test):
* stress/object-tostring-changed.js: Added.
(shouldBe):
(test):
* stress/object-tostring-misc.js: Added.
(shouldBe):
(test):
(i.switch):
* stress/object-tostring-other.js: Added.
(shouldBe):
(test):
* stress/object-tostring-untyped.js: Added.
(shouldBe):
(test):
(i.switch):
2019-01-03 Ross Kirsling <ross.kirsling@sony.com>
test262-runner misbehaves when test file YAML has a trailing space
https://bugs.webkit.org/show_bug.cgi?id=193053
Reviewed by Yusuke Suzuki.
* test262/expectations.yaml:
Mark two dozen tests as passing (and correct the output of another).
2018-12-30 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Unreviewed, JSTests gardening with memoryLimited
* stress/string-overflow-createError.js:
2018-12-30 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Identifier validity should be based on ID_Start / ID_Continue properties
https://bugs.webkit.org/show_bug.cgi?id=193050
Reviewed by Yusuke Suzuki.
* test262.yaml:
* test262/expectations.yaml:
Mark 16 tests as passing.
2018-12-13 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[BigInt] Support BigInt in JSON.stringify
https://bugs.webkit.org/show_bug.cgi?id=192624
Reviewed by Saam Barati.
* stress/big-int-json-stringify-to-json.js: Added.
(shouldBe):
(shouldThrow):
(BigInt.prototype.toJSON):
(shouldBe.JSON.stringify):
* stress/big-int-json-stringify.js: Added.
(shouldBe):
(shouldThrow):
2018-12-20 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Implement "well-formed JSON.stringify" proposal
https://bugs.webkit.org/show_bug.cgi?id=191677
Reviewed by Darin Adler.
* stress/json-surrogate-pair.js: Added.
(shouldBe):
* test262/expectations.yaml:
2018-12-20 Keith Miller <keith_miller@apple.com>
Add support for globalThis
https://bugs.webkit.org/show_bug.cgi?id=165171
Reviewed by Mark Lam.
* test262/config.yaml:
2018-12-19 Keith Miller <keith_miller@apple.com>
Update test262 configuration to not run tests dependent on ICU version.
https://bugs.webkit.org/show_bug.cgi?id=192920
Reviewed by Saam Barati.
* test262/expectations.yaml:
2018-12-20 Mark Lam <mark.lam@apple.com>
Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
https://bugs.webkit.org/show_bug.cgi?id=192939
<rdar://problem/46869516>
Reviewed by Keith Miller.
* stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
2018-12-20 Tadeu Zagallo <tzagallo@apple.com>
WTF::String and StringImpl overflow MaxLength
https://bugs.webkit.org/show_bug.cgi?id=192853
<rdar://problem/45726906>
Reviewed by Mark Lam.
* stress/string-16bit-repeat-overflow.js: Added.
(catch):
2018-12-19 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed follow-up to r192914.
* test262/expectations.yaml:
Add the last 20 missing expectations.
2018-12-19 Keith Miller <keith_miller@apple.com>
Fix test262 expectations
https://bugs.webkit.org/show_bug.cgi?id=192914
Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
* test262/expectations.yaml:
2018-12-19 Keith Miller <keith_miller@apple.com>
Update test262 tests.
https://bugs.webkit.org/show_bug.cgi?id=192907
Rubber stamped by Mark Lam.
* test262/*: Omitted because prepare-changelog crashes.
2018-12-19 Mark Lam <mark.lam@apple.com>
JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
https://bugs.webkit.org/show_bug.cgi?id=192464
<rdar://problem/46519455>
Reviewed by Saam Barati.
This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
microbenchmark.
* microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
* stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
2018-12-19 Tadeu Zagallo <tzagallo@apple.com>
String overflow in JSC::createError results in ASSERT in WTF::makeString
https://bugs.webkit.org/show_bug.cgi?id=192833
<rdar://problem/45706868>
Reviewed by Mark Lam.
* stress/string-overflow-createError.js: Added.
2018-12-18 Ross Kirsling <ross.kirsling@sony.com>
Error message for `-x ** y` contains a typo.
https://bugs.webkit.org/show_bug.cgi?id=192832
Reviewed by Saam Barati.
* ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
(assert.assert.return.throws):
* stress/pow-expects-update-expression-on-lhs.js:
(throw.new.Error):
Update test expectations which match against the exact error message.
2018-12-18 Mark Lam <mark.lam@apple.com>
Gardening: test options fix.
https://bugs.webkit.org/show_bug.cgi?id=192822
Unreviewed.
* stress/json-stringify-string-builder-overflow.js:
2018-12-18 Mark Lam <mark.lam@apple.com>
JSON.stringify() should throw OOM on StringBuilder overflows.
https://bugs.webkit.org/show_bug.cgi?id=192822
<rdar://problem/46670577>
Reviewed by Saam Barati.
* stress/json-stringify-string-builder-overflow.js: Added.
2018-12-18 Ross Kirsling <ross.kirsling@sony.com>
Redeclaration of var over let/const/class should be a syntax error.
https://bugs.webkit.org/show_bug.cgi?id=192298
Reviewed by Keith Miller.
* test262.yaml:
* test262/expectations.yaml:
Mark 46 tests as passing.
* stress/block-scope-redeclarations.js:
Add some new tests.
* stress/for-in-invalidate-context-weird-assignments.js:
* stress/for-in-tests.js:
Replace tests for outdated behavior with tests for SyntaxError.
* ChakraCore/test/LetConst/defer3.baseline-jsc:
* ChakraCore/test/LetConst/letvar.baseline-jsc:
Update expectations.
2018-12-18 Mark Lam <mark.lam@apple.com>
Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
https://bugs.webkit.org/show_bug.cgi?id=191374
<rdar://problem/46525447>
Reviewed by Yusuke Suzuki.
This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
* stress/elidable-new-object-roflcopter-then-exit.js:
2018-12-17 Mark Lam <mark.lam@apple.com>
Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
https://bugs.webkit.org/show_bug.cgi?id=192019
<rdar://problem/46525456>
Reviewed by Yusuke Suzuki.
The test runs too slow on 32-bit.
* stress/materialized-regexp-has-correct-last-index-set-by-match.js:
2018-12-17 Mark Lam <mark.lam@apple.com>
Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
https://bugs.webkit.org/show_bug.cgi?id=191373
<rdar://problem/46525458>
Reviewed by Yusuke Suzuki.
The test is already slow running with a JIT on 64-bit. It will always timeout
on 32-bit without a JIT.
* stress/materialize-regexp-cyclic-regexp.js:
2018-12-17 Mark Lam <mark.lam@apple.com>
Array unshift/shift should not race against the AI in the compiler thread.
https://bugs.webkit.org/show_bug.cgi?id=192795
<rdar://problem/46724263>
Reviewed by Saam Barati.
* stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
2018-12-16 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Optimize Object.keys by caching own keys results in StructureRareData
https://bugs.webkit.org/show_bug.cgi?id=190047
Reviewed by Saam Barati.
* stress/object-keys-cached-zero.js: Added.
(shouldBe):
(test):
* stress/object-keys-changed-attribute.js: Added.
(shouldBe):
(test):
* stress/object-keys-changed-index.js: Added.
(shouldBe):
(test):
* stress/object-keys-changed.js: Added.
(shouldBe):
(test):
* stress/object-keys-indexed-non-cache.js: Added.
(shouldBe):
(test):
* stress/object-keys-overrides-get-property-names.js: Added.
(shouldBe):
(test):
(noInline):
2018-12-17 Mark Lam <mark.lam@apple.com>
SamplingProfiler's isValidFramePointer() should reject address at stack origin.
https://bugs.webkit.org/show_bug.cgi?id=192779
<rdar://problem/46775869>
Reviewed by Saam Barati.
* stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
2018-12-17 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed test gardening, address a syntax error in a new test.
* stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
2018-12-17 Mark Lam <mark.lam@apple.com>
Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
https://bugs.webkit.org/show_bug.cgi?id=192776
<rdar://problem/46772368>
Reviewed by Keith Miller.
* stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
2018-12-17 Mark Lam <mark.lam@apple.com>
Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
https://bugs.webkit.org/show_bug.cgi?id=192770
<rdar://problem/46449037>
Reviewed by Keith Miller.
* stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
2018-12-14 Mark Lam <mark.lam@apple.com>
CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
https://bugs.webkit.org/show_bug.cgi?id=192717
<rdar://problem/46660677>
Reviewed by Saam Barati.
* stress/regress-192717.js: Added.
2018-12-14 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r239153, r239154, and r239155.
https://bugs.webkit.org/show_bug.cgi?id=192715
Caused flaky GC-related crashes seen with layout tests
(Requested by ryanhaddad on #webkit).
Reverted changesets:
"[JSC] Optimize Object.keys by caching own keys results in
StructureRareData"
https://bugs.webkit.org/show_bug.cgi?id=190047
https://trac.webkit.org/changeset/239153
"Unreviewed, build fix after r239153"
https://bugs.webkit.org/show_bug.cgi?id=190047
https://trac.webkit.org/changeset/239154
"Unreviewed, build fix after r239153, part 2"
https://bugs.webkit.org/show_bug.cgi?id=190047
https://trac.webkit.org/changeset/239155
2018-12-14 Keith Miller <keith_miller@apple.com>
Callers of JSString::getIndex should check for OOM exceptions
https://bugs.webkit.org/show_bug.cgi?id=192709
Reviewed by Mark Lam.
* stress/StringObject-define-length-getter-rope-string-oom.js: Added.
2018-12-13 Mark Lam <mark.lam@apple.com>
Add a missing exception check.
https://bugs.webkit.org/show_bug.cgi?id=192626
<rdar://problem/46662163>
Reviewed by Keith Miller.
* stress/regress-192626.js: Added.
2018-12-13 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add ValueDiv into DFG
https://bugs.webkit.org/show_bug.cgi?id=186178
Reviewed by Yusuke Suzuki.
* stress/big-int-div-jit-osr.js: Added.
* stress/big-int-div-jit-untyped.js: Added.
* stress/value-div-fixup-int32-big-int.js: Added.
2018-12-10 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Optimize Object.keys by caching own keys results in StructureRareData
https://bugs.webkit.org/show_bug.cgi?id=190047
Reviewed by Keith Miller.
* stress/object-keys-cached-zero.js: Added.
(shouldBe):
(test):
* stress/object-keys-changed-attribute.js: Added.
(shouldBe):
(test):
* stress/object-keys-changed-index.js: Added.
(shouldBe):
(test):
* stress/object-keys-changed.js: Added.
(shouldBe):
(test):
* stress/object-keys-indexed-non-cache.js: Added.
(shouldBe):
(test):
* stress/object-keys-overrides-get-property-names.js: Added.
(shouldBe):
(test):
(noInline):
2018-12-12 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[DFG][FTL] Add NewSymbol
https://bugs.webkit.org/show_bug.cgi?id=192620
Reviewed by Saam Barati.
* microbenchmarks/symbol-creation.js: Added.
(test):
* stress/symbol-description-identity.js: Added.
(shouldBe):
(test):
* stress/symbol-identity.js: Added.
(shouldBe):
(test):
* stress/symbol-with-description-throw-error.js: Added.
(shouldBe):
(shouldThrow):
(test):
(object.toString):
2018-12-12 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[BigInt] Implement DFG/FTL typeof for BigInt
https://bugs.webkit.org/show_bug.cgi?id=192619
Reviewed by Keith Miller.
* stress/big-int-boolean-proven-type.js: Added.
(assert):
(bool):
* stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
(assert):
(typeOf):
(i.switch):
* stress/big-int-type-of-proven-type-non-constant.js: Added.
(assert):
(typeOf):
* stress/big-int-type-of.js:
(typeOf):
(func):
2018-12-10 Mark Lam <mark.lam@apple.com>
PropertyAttribute needs a CustomValue bit.
https://bugs.webkit.org/show_bug.cgi?id=191993
<rdar://problem/46264467>
Reviewed by Saam Barati.
* stress/regress-191993.js: Added.
2018-12-10 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add ValueMul into DFG
https://bugs.webkit.org/show_bug.cgi?id=186175
Reviewed by Yusuke Suzuki.
* stress/big-int-mul-jit-osr.js: Added.
* stress/big-int-mul-jit-untyped.js: Added.
* stress/value-mul-fixup-int32-big-int.js: Added.
2018-12-06 Keith Miller <keith_miller@apple.com>
stress/big-wasm-memory tests failing on 32-bit JSC bot
https://bugs.webkit.org/show_bug.cgi?id=192020
Reviewed by Saam Barati.
Not every platform has WebAssembly, e.g. 32-bit, so we should exit
the wasm stress tests if the WebAssembly object does not exist.
* stress/big-wasm-memory-grow-no-max.js:
(test.foo):
(test):
(foo): Deleted.
(catch): Deleted.
* stress/big-wasm-memory-grow.js:
(test.foo):
(test):
(foo): Deleted.
(catch): Deleted.
* stress/big-wasm-memory.js:
(test.foo):
(test):
(foo): Deleted.
(catch): Deleted.
2018-12-05 Mark Lam <mark.lam@apple.com>
speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
https://bugs.webkit.org/show_bug.cgi?id=192441
<rdar://problem/46480355>
Reviewed by Saam Barati.
* stress/regress-192441.js: Added.
2018-12-04 Mark Lam <mark.lam@apple.com>
DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
https://bugs.webkit.org/show_bug.cgi?id=192386
<rdar://problem/46445516>
Reviewed by Saam Barati.
* stress/regress-192386.js: Added.
2018-12-04 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Support logic operations
https://bugs.webkit.org/show_bug.cgi?id=179903
Reviewed by Yusuke Suzuki.
* stress/big-int-branch-usage.js: Added.
* stress/big-int-logical-and.js: Added.
* stress/big-int-logical-not.js: Added.
* stress/big-int-logical-or.js: Added.
2018-12-03 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r238833.
Breaks macOS and iOS debug builds.
Reverted changeset:
"[ESNext][BigInt] Support logic operations"
https://bugs.webkit.org/show_bug.cgi?id=179903
https://trac.webkit.org/changeset/238833
2018-12-03 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Support logic operations
https://bugs.webkit.org/show_bug.cgi?id=179903
Reviewed by Yusuke Suzuki.
* stress/big-int-branch-usage.js: Added.
* stress/big-int-logical-and.js: Added.
* stress/big-int-logical-not.js: Added.
* stress/big-int-logical-or.js: Added.
2018-12-02 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "<<" and ">>"
https://bugs.webkit.org/show_bug.cgi?id=186233
Reviewed by Yusuke Suzuki.
* stress/big-int-left-shift-general.js: Added.
* stress/big-int-left-shift-range-error.js: Added.
* stress/big-int-left-shift-type-error.js: Added.
* stress/big-int-left-shift-wrapped-value.js: Added.
* stress/big-int-right-shift-general.js: Added.
* stress/big-int-right-shift-type-error.js: Added.
* stress/big-int-right-shift-wrapped-value.js: Added.
* stress/left-shift-to-primitive-precedence.js: Added.
* stress/right-shift-to-primitive-precedence.js: Added.
2018-11-30 Dean Jackson <dino@apple.com>
Add first-class support for .mjs files in jsc binary
https://bugs.webkit.org/show_bug.cgi?id=192190
<rdar://problem/46375715>
Reviewed by Keith Miller.
* stress/simple-module.mjs: Added.
* stress/simple-script.js: Added.
2018-11-30 Caio Lima <ticaiolima@gmail.com>
[BigInt] Implement ValueBitXor into DFG
https://bugs.webkit.org/show_bug.cgi?id=190264
Reviewed by Yusuke Suzuki.
* stress/big-int-bitwise-xor-jit.js: Added.
* stress/big-int-bitwise-xor-memory-stress.js: Added.
* stress/big-int-bitwise-xor-untyped.js: Added.
2018-11-27 Saam barati <sbarati@apple.com>
r238510 broke scopes of size zero
https://bugs.webkit.org/show_bug.cgi?id=192033
<rdar://problem/46281734>
Reviewed by Keith Miller.
* stress/r238510-bad-loop.js: Added.
(foo):
2018-11-27 Mark Lam <mark.lam@apple.com>
[Re-landing] NaNs read from Wasm code needs to be be purified.
https://bugs.webkit.org/show_bug.cgi?id=191056
<rdar://problem/45660341>
Reviewed by Filip Pizlo.
* wasm/regress/regress-191056.js: Added.
2018-11-27 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r238509.
Causes JSC tests to fail on iOS.
Reverted changeset:
"NaNs read from Wasm code needs to be be purified."
https://bugs.webkit.org/show_bug.cgi?id=191056
https://trac.webkit.org/changeset/238509
2018-11-26 Caio Lima <ticaiolima@gmail.com>
Re-introduce op_bitnot
https://bugs.webkit.org/show_bug.cgi?id=190923
Reviewed by Yusuke Suzuki.
* stress/bit-not-must-generate.js: Added.
* stress/bitwise-not-no-int32.js: Added.
2018-11-26 Saam barati <sbarati@apple.com>
InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
https://bugs.webkit.org/show_bug.cgi?id=191956
<rdar://problem/45665806>
Reviewed by Yusuke Suzuki.
* stress/end-basic-block-set-local-should-filter-type.js: Added.
(bar):
(foo):
2018-11-26 Saam barati <sbarati@apple.com>
Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
https://bugs.webkit.org/show_bug.cgi?id=191958
<rdar://problem/46221877>
Reviewed by Yusuke Suzuki.
* stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
(x):
(foo):
2018-11-26 Mark Lam <mark.lam@apple.com>
NaNs read from Wasm code needs to be be purified.
https://bugs.webkit.org/show_bug.cgi?id=191056
<rdar://problem/45660341>
Reviewed by Filip Pizlo.
* wasm/regress/regress-191056.js: Added.
2018-11-26 Michael Saboff <msaboff@apple.com>
32-bit JSC test failure: stress/regexp-compile-oom.js
https://bugs.webkit.org/show_bug.cgi?id=191375
Reviewed by Mark Lam.
Disabled the test for 32 bit platforms.
* stress/regexp-compile-oom.js:
2018-11-26 Tadeu Zagallo <tzagallo@apple.com>
ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
https://bugs.webkit.org/show_bug.cgi?id=191716
<rdar://problem/45723878>
Reviewed by Saam Barati.
* stress/regress-187373.js: Added.
(async.fn):
2018-11-21 Saam barati <sbarati@apple.com>
DFGSpeculativeJIT should not &= exitOK with mayExit(node)
https://bugs.webkit.org/show_bug.cgi?id=191897
<rdar://problem/45871998>
Reviewed by Mark Lam.
* stress/exitok-is-not-the-same-as-mayExit.js: Added.
(bar):
(foo):
2018-11-21 Saam barati <sbarati@apple.com>
Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
https://bugs.webkit.org/show_bug.cgi?id=191895
<rdar://problem/46167406>
Reviewed by Mark Lam.
* stress/known-cell-use-needs-type-check-assertion.js: Added.
(foo):
(bar):
2018-11-21 Mark Lam <mark.lam@apple.com>
Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
https://bugs.webkit.org/show_bug.cgi?id=191776
<rdar://problem/46152851>
Reviewed by Saam Barati.
* stress/big-wasm-memory-grow-no-max.js:
* stress/big-wasm-memory-grow.js:
* stress/big-wasm-memory.js:
- updated these to expect an OutOfMemoryError.
* wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
(Binary.prototype.emit_u8):
(Binary.prototype.emit_u32v):
(Binary.prototype.emit_header):
(Binary.prototype.emit_section):
(Binary):
(WasmModuleBuilder):
(WasmModuleBuilder.prototype.addMemory):
(WasmModuleBuilder.prototype.toArray):
(WasmModuleBuilder.prototype.toBuffer):
(WasmModuleBuilder.prototype.instantiate):
(catch):
* wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
(catch):
2018-11-21 Caio Lima <ticaiolima@gmail.com>
[BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
https://bugs.webkit.org/show_bug.cgi?id=190836
Reviewed by Saam Barati and Yusuke Suzuki.
* stress/big-int-out-of-memory-tests.js: Added.
2018-11-20 Mark Lam <mark.lam@apple.com>
Remove invalid assertion in VMTraps::SignalSender's SignalAction.
https://bugs.webkit.org/show_bug.cgi?id=191856
<rdar://problem/46089992>
Reviewed by Yusuke Suzuki.
* stress/regress-191856.js: Added.
- this test is skipped for now until we have a fix for webkit.org/b/191855.
2018-11-21 Dominik Infuehr <dinfuehr@igalia.com>
Enable JIT on ARM/Linux
https://bugs.webkit.org/show_bug.cgi?id=191548
Reviewed by Yusuke Suzuki.
Disable test on system with limited memory. Program was killed by
the OS before the exception was thrown.
* slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2018-11-20 Saam barati <sbarati@apple.com>
Merging an IC variant may lead to the IC status containing overlapping structure sets
https://bugs.webkit.org/show_bug.cgi?id=191869
<rdar://problem/45403453>
Reviewed by Mark Lam.
* stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2018-11-19 Mark Lam <mark.lam@apple.com>
globalFuncImportModule() should return a promise when it clears exceptions.
https://bugs.webkit.org/show_bug.cgi?id=191792
<rdar://problem/46090763>
Reviewed by Michael Saboff.
* stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2018-11-19 Guillaume Emont <guijemont@igalia.com>
Skip new memory-hungry tests on memory limited devices
Unreviewed gardening.
* stress/big-wasm-memory-grow-no-max.js:
* stress/big-wasm-memory-grow.js:
* stress/big-wasm-memory.js:
2018-11-18 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Unreviewed, rolling in the rest of r237254
https://bugs.webkit.org/show_bug.cgi?id=190340
* ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
* stress/function-cache-with-parameters-end-position.js: Added.
(shouldBe):
(shouldThrow):
(i.anonymous):
* stress/function-constructor-name.js: Added.
(shouldBe):
(GeneratorFunction):
(AsyncFunction.async):
(AsyncGeneratorFunction.async):
(anonymous):
(async.anonymous):
* test262/expectations.yaml:
2018-11-16 Filip Pizlo <fpizlo@apple.com>
All users of ArrayBuffer should agree on the same max size
https://bugs.webkit.org/show_bug.cgi?id=191771
Reviewed by Mark Lam.
* stress/big-wasm-memory-grow-no-max.js: Added.
(foo):
(catch):
* stress/big-wasm-memory-grow.js: Added.
(foo):
(catch):
* stress/big-wasm-memory.js: Added.
(foo):
(catch):
2018-11-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
run for each JSC config since they're regression tests for runtime bugs.
* stress/json-stringified-overflow-2.js:
* stress/json-stringified-overflow.js:
2018-11-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
config since they're regression tests for runtime bugs.
* stress/large-unshift-splice.js:
* stress/regress-185888.js:
2018-11-16 Saam Barati <sbarati@apple.com>
KnownCellUse should also have SpecCellCheck as its type filter
https://bugs.webkit.org/show_bug.cgi?id=191729
<rdar://problem/45872852>
Reviewed by Filip Pizlo.
* stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
(C):
2018-11-16 Tadeu Zagallo <tzagallo@apple.com>
Fix assertion failure on BytecodeGenerator::recordOpcode
https://bugs.webkit.org/show_bug.cgi?id=191724
<rdar://problem/45724395>
Reviewed by Saam Barati.
* stress/regress-187373-2.js: Added.
(foo):
2018-11-15 Mark Lam <mark.lam@apple.com>
RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
https://bugs.webkit.org/show_bug.cgi?id=191730
<rdar://problem/46048517>
Reviewed by Saam Barati.
* stress/regress-187006.js: Removed.
- this test is invalid because its sole purpose is to test for the non-spec
compliant behavior that we just fixed.
* stress/regress-191730.js: Added.
2018-11-15 Mark Lam <mark.lam@apple.com>
RegExp operations should not take fast patch if lastIndex is not numeric.
https://bugs.webkit.org/show_bug.cgi?id=191731
<rdar://problem/46017305>
Reviewed by Saam Barati.
* stress/regress-191731.js: Added.
2018-11-13 Saam Barati <sbarati@apple.com>
TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
https://bugs.webkit.org/show_bug.cgi?id=191600
Reviewed by Mark Lam.
* stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
(foo):
(test):
(bar):
2018-11-13 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r238132.
The test added with this change is timing out on Debug JSC
bots.
Reverted changeset:
"[BigInt] JSBigInt::createWithLength should throw when length
is greater than JSBigInt::maxLength"
https://bugs.webkit.org/show_bug.cgi?id=190836
https://trac.webkit.org/changeset/238132
2018-11-13 Mark Lam <mark.lam@apple.com>
Add OOM detection to StringPrototype's substituteBackreferences().
https://bugs.webkit.org/show_bug.cgi?id=191563
<rdar://problem/45720428>
Reviewed by Saam Barati.
* stress/regress-191563.js: Added.
2018-11-13 Mark Lam <mark.lam@apple.com>
LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
https://bugs.webkit.org/show_bug.cgi?id=191579
<rdar://problem/45942472>
Reviewed by Saam Barati.
* stress/regress-191579.js: Added.
2018-11-13 Caio Lima <ticaiolima@gmail.com>
[BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
https://bugs.webkit.org/show_bug.cgi?id=190836
Reviewed by Saam Barati.
* stress/big-int-out-of-memory-tests.js: Added.
2018-11-08 Ross Kirsling <ross.kirsling@sony.com>
U+180E is no longer a whitespace character
https://bugs.webkit.org/show_bug.cgi?id=191415
Reviewed by Saam Barati.
* ChakraCore/test/es5/regexSpace.baseline:
* ChakraCore/test/es6/unicode_whitespace.js:
Update tests to latest version.
(See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
* test262.yaml:
* test262/config.yaml:
* test262/expectations.yaml:
Update expectations.
2018-11-07 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add support to BigInt into ValueAdd
https://bugs.webkit.org/show_bug.cgi?id=186177
Reviewed by Keith Miller.
* stress/big-int-negate-jit.js:
* stress/value-add-big-int-and-string.js: Added.
* stress/value-add-big-int-prediction-propagation.js: Added.
* stress/value-add-big-int-untyped.js: Added.
2018-11-07 Tadeu Zagallo <tzagallo@apple.com>
REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
https://bugs.webkit.org/show_bug.cgi?id=191184
Reviewed by Saam Barati.
Most tests were failing due to timeouts, since they are too slow to
run on CLoop. The exceptions are:
proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
dont-crash-on-stack-overflow-when-parsing-builtin.js and
dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
to change the stack size since CLoop requires it to be page aligned.
* microbenchmarks/array-push-1.js:
* microbenchmarks/array-push-2.js:
* microbenchmarks/elidable-new-object-dag.js:
* microbenchmarks/elidable-new-object-roflcopter.js:
* microbenchmarks/elidable-new-object-tree.js:
* microbenchmarks/getter-richards.js:
* microbenchmarks/sinkable-new-object-dag.js:
* microbenchmarks/string-concat-long-convert.js:
* microbenchmarks/typed-array-get-set-by-val-profiling.js:
* slowMicrobenchmarks/array-push-3.js:
* slowMicrobenchmarks/large-map-iteration-with-additions.js:
* slowMicrobenchmarks/spread-small-array.js:
* slowMicrobenchmarks/undefined-property-access.js:
* stress/activation-sink-default-value-tdz-error.js:
* stress/activation-sink-default-value.js:
* stress/activation-sink-osrexit-default-value-tdz-error.js:
* stress/activation-sink-osrexit-default-value.js:
* stress/activation-sink-osrexit.js:
* stress/activation-sink.js:
* stress/allow-math-ic-b3-code-duplication.js:
* stress/array-push-multiple-int32.js:
* stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
* stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
* stress/arrowfunction-lexical-this-activation-sink.js:
* stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
* stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
* stress/elide-new-object-dag-then-exit.js:
* stress/materialize-regexp-cyclic.js:
* stress/new-regex-inline.js:
* stress/op_add.js:
* stress/op_bitand.js:
* stress/op_bitor.js:
* stress/op_bitxor.js:
* stress/op_div-ConstVar.js:
* stress/op_div-VarConst.js:
* stress/op_div-VarVar.js:
* stress/op_lshift-ConstVar.js:
* stress/op_lshift-VarConst.js:
* stress/op_lshift-VarVar.js:
* stress/op_mod-ConstVar.js:
* stress/op_mod-VarConst.js:
* stress/op_mod-VarVar.js:
* stress/op_mul-ConstVar.js:
* stress/op_mul-VarConst.js:
* stress/op_mul-VarVar.js:
* stress/op_rshift-ConstVar.js:
* stress/op_rshift-VarConst.js:
* stress/op_rshift-VarVar.js:
* stress/op_sub-ConstVar.js:
* stress/op_sub-VarConst.js:
* stress/op_sub-VarVar.js:
* stress/op_urshift-ConstVar.js:
* stress/op_urshift-VarConst.js:
* stress/op_urshift-VarVar.js:
* stress/proxy-get-set-correct-receiver.js:
* stress/regress-179562.js:
* stress/rest-parameter-many-arguments.js:
* stress/sampling-profiler-richards.js:
* stress/splay-flash-access-1ms.js:
* stress/tailCallForwardArguments.js:
* stress/typed-array-get-by-val-profiling.js:
* typeProfiler/getter-richards.js:
2018-11-06 Michael Saboff <msaboff@apple.com>
Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
https://bugs.webkit.org/show_bug.cgi?id=191271
Reviewed by Saam Barati.
Added more test cases and made all test cases run with the same deeply recursive stack
instead of finding that same point for each test case.
* stress/regexp-compile-oom.js:
(prototype.runTest):
(recurseAndTest):
(testList.push.new.TestAndExpectedException):
2018-11-05 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for linux.
* stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2018-11-02 Michael Saboff <msaboff@apple.com>
Rolling in r237753 with unreviewed build fix.
Fixed issues with DECLARE_THROW_SCOPE placement.
2018-11-02 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r237753.
Introduced JSC test failures
Reverted changeset:
"Running out of stack space not properly handled in
RegExp::compile() and its callers"
https://bugs.webkit.org/show_bug.cgi?id=191206
https://trac.webkit.org/changeset/237753
2018-11-02 Michael Saboff <msaboff@apple.com>
Running out of stack space not properly handled in RegExp::compile() and its callers
https://bugs.webkit.org/show_bug.cgi?id=191206
Reviewed by Filip Pizlo.
New regression test.
* stress/regexp-compile-oom.js: Added.
(recurseAndTest):
2018-11-01 Guillaume Emont <guijemont@igalia.com>
Skip tests on arm/mips that time out now we're running on CLoop
Unreviewed gardening.
Since the JIT is temporarily disabled on 32-bit platforms, these tests
time out on the bots and need to be disabled. There's more tests
disabled on arm because the timeout is longer on the mips bot (as the
device is slower to start with), so many of the tests don't time out
there.
* microbenchmarks/getter-richards.js: disable on arm and mips.
* stress/op_add.js: disable on arm.
* stress/op_bitand.js: disable on arm.
* stress/op_bitor.js: disable on arm.
* stress/op_bitxor.js: disable on arm.
* stress/op_lshift-ConstVar.js: disable on arm.
* stress/op_lshift-VarConst.js: disable on arm.
* stress/op_lshift-VarVar.js: disable on arm.
* stress/op_mod-ConstVar.js: disable on arm.
* stress/op_mod-VarConst.js: disable on arm.
* stress/op_mod-VarVar.js: disable on arm.
* stress/op_mul-ConstVar.js: disable on arm.
* stress/op_mul-VarConst.js: disable on arm.
* stress/op_mul-VarVar.js: disable on arm.
* stress/op_rshift-ConstVar.js: disable on arm.
* stress/op_rshift-VarConst.js: disable on arm.
* stress/op_rshift-VarVar.js: disable on arm.
* stress/op_sub-ConstVar.js: disable on arm.
* stress/op_sub-VarConst.js: disable on arm.
* stress/op_sub-VarVar.js: disable on arm.
* stress/op_urshift-ConstVar.js: disable on arm.
* stress/op_urshift-VarConst.js: disable on arm.
* stress/op_urshift-VarVar.js: disable on arm.
* stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
* stress/value-to-boolean.js: disable on arm and mips.
2018-10-31 Tadeu Zagallo <tzagallo@apple.com>
REGRESSION(r237547): Exception handlers should be aware of wide opcodes
https://bugs.webkit.org/show_bug.cgi?id=191108
<rdar://problem/45690700>
Reviewed by Saam Barati.
* stress/wide-op_catch.js: Added.
(catch):
2018-10-29 Mark Lam <mark.lam@apple.com>
Correctly detect string overflow when using the 'Function' constructor.
https://bugs.webkit.org/show_bug.cgi?id=184883
<rdar://problem/36320331>
Reviewed by Saam Barati.
I've verified that this passes on 32-bit as well.
* slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2018-10-29 Tadeu Zagallo <tzagallo@apple.com>
Add support for GetStack FlushedDouble
https://bugs.webkit.org/show_bug.cgi?id=191012
<rdar://problem/45265141>
Reviewed by Saam Barati.
* stress/get-stack-double.js: Added.
(bar):
(noInline):
2018-10-29 Tadeu Zagallo <tzagallo@apple.com>
New bytecode format for JSC
https://bugs.webkit.org/show_bug.cgi?id=187373
<rdar://problem/44186758>
Reviewed by Filip Pizlo.
Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
* stress/maximum-inline-capacity.js: Added.
(test1):
(test3.Foo):
(test3):
2018-10-26 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r237479 and r237484.
https://bugs.webkit.org/show_bug.cgi?id=190978
broke JSC on iOS (Requested by tadeuzagallo on #webkit).
Reverted changesets:
"New bytecode format for JSC"
https://bugs.webkit.org/show_bug.cgi?id=187373
https://trac.webkit.org/changeset/237479
"Gardening: Build fix after r237479."
https://bugs.webkit.org/show_bug.cgi?id=187373
https://trac.webkit.org/changeset/237484
2018-10-26 Tadeu Zagallo <tzagallo@apple.com>
New bytecode format for JSC
https://bugs.webkit.org/show_bug.cgi?id=187373
<rdar://problem/44186758>
Reviewed by Filip Pizlo.
Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
* stress/maximum-inline-capacity.js: Added.
(test1):
(test3.Foo):
(test3):
2018-10-26 Mark Lam <mark.lam@apple.com>
Fix missing edge cases with JSGlobalObjects having a bad time.
https://bugs.webkit.org/show_bug.cgi?id=189028
<rdar://problem/45204939>
Reviewed by Saam Barati.
* stress/regress-189028.js: Added.
2018-10-22 Mark Lam <mark.lam@apple.com>
DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
https://bugs.webkit.org/show_bug.cgi?id=190515
<rdar://problem/45222379>
Rubber-stamped by Saam Barati.
Adding another test.
* stress/regress-190515-2.js: Added.
2018-10-22 Mark Lam <mark.lam@apple.com>
DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
https://bugs.webkit.org/show_bug.cgi?id=190515
<rdar://problem/45222379>
Reviewed by Saam Barati.
* stress/regress-190515.js: Added.
2018-10-19 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r237254.
https://bugs.webkit.org/show_bug.cgi?id=190760
"It regresses JetStream 2 by 5% on some iOS devices"
(Requested by saamyjoon on #webkit).
Reverted changeset:
"[JSC] JSC should have "parseFunction" to optimize Function
constructor"
https://bugs.webkit.org/show_bug.cgi?id=190340
https://trac.webkit.org/changeset/237254
2018-10-19 Saam Barati <sbarati@apple.com>
vmCall should check if we exit before emitting an OSR exit due to exceptions
https://bugs.webkit.org/show_bug.cgi?id=190740
<rdar://problem/45220139>
Reviewed by Mark Lam.
* stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
(foo):
2018-10-19 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "^"
https://bugs.webkit.org/show_bug.cgi?id=186235
Reviewed by Yusuke Suzuki.
* stress/big-int-bitwise-xor-general.js: Added.
* stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
* stress/big-int-bitwise-xor-type-error.js: Added.
* stress/big-int-bitwise-xor-wrapped-value.js: Added.
2018-10-19 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add ValueSub into DFG
https://bugs.webkit.org/show_bug.cgi?id=186176
Reviewed by Yusuke Suzuki.
* stress/big-int-subtraction-jit.js:
* stress/value-sub-big-int-prediction-propagation.js: Added.
* stress/value-sub-big-int-untyped.js: Added.
* stress/value-sub-spec-none-case.js: Added.
2018-10-18 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] JSC should have "parseFunction" to optimize Function constructor
https://bugs.webkit.org/show_bug.cgi?id=190340
Reviewed by Mark Lam.
This patch fixes the line number of syntax errors raised by the Function constructor,
since we now parse the final code only once. And we no longer use block statement
for Function constructor's parsing.
* ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
* stress/function-cache-with-parameters-end-position.js: Added.
(shouldBe):
(shouldThrow):
(i.anonymous):
* stress/function-constructor-name.js: Added.
(shouldBe):
(GeneratorFunction):
(AsyncFunction.async):
(AsyncGeneratorFunction.async):
(anonymous):
(async.anonymous):
* test262/expectations.yaml:
2018-10-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r237242.
https://bugs.webkit.org/show_bug.cgi?id=190701
it breaks "stress/sampling-profiler-basic.js" (Requested by
caiolima on #webkit).
Reverted changeset:
"[BigInt] Add ValueSub into DFG"
https://bugs.webkit.org/show_bug.cgi?id=186176
https://trac.webkit.org/changeset/237242
2018-10-17 Keith Miller <keith_miller@apple.com>
AI does not clear Phantom allocation nodes.
https://bugs.webkit.org/show_bug.cgi?id=190694
Reviewed by Saam Barati.
* stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
(Day):
(DaysInYear):
(TimeInYear):
(TimeFromYear):
(DayFromYear):
(InLeapYear):
(YearFromTime):
(WeekDay):
(DaylightSavingTA):
(GetSecondSundayInMarch):
(TimeInMonth):
2018-10-17 Caio Lima <ticaiolima@gmail.com>
[BigInt] Add ValueSub into DFG
https://bugs.webkit.org/show_bug.cgi?id=186176
Reviewed by Yusuke Suzuki.
* stress/big-int-subtraction-jit.js:
* stress/value-sub-big-int-prediction-propagation.js: Added.
* stress/value-sub-big-int-untyped.js: Added.
2018-10-16 Dominik Infuehr <dinfuehr@igalia.com>
[JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
https://bugs.webkit.org/show_bug.cgi?id=190611
Reviewed by Saam Barati.
Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
to improve test runtime. On ARM/MIPS this test even timed out when running all
tests.
* stress/array-prototype-concat-of-long-spliced-arrays2.js:
(test):
2018-10-15 Guillaume Emont <guijemont@igalia.com>
Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
Unreviewed gardening.
* stress/array-prototype-concat-of-long-spliced-arrays2.js:
2018-10-15 Saam barati <sbarati@apple.com>
Emit fjcvtzs on ARM64E on Darwin
https://bugs.webkit.org/show_bug.cgi?id=184023
Reviewed by Yusuke Suzuki and Filip Pizlo.
* stress/double-to-int32-NaN.js: Added.
(assert):
(foo):
2018-10-15 Saam Barati <sbarati@apple.com>
JSArray::shiftCountWithArrayStorage is wrong when an array has holes
https://bugs.webkit.org/show_bug.cgi?id=190262
<rdar://problem/44986241>
Reviewed by Mark Lam.
* stress/array-prototype-concat-of-long-spliced-arrays.js:
(test):
* stress/slice-array-storage-with-holes.js: Added.
(main):
2018-10-15 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r237054.
https://bugs.webkit.org/show_bug.cgi?id=190593
"this regressed JetStream 2 by 6% on iOS" (Requested by
saamyjoon on #webkit).
Reverted changeset:
"[JSC] JSC should have "parseFunction" to optimize Function
constructor"
https://bugs.webkit.org/show_bug.cgi?id=190340
https://trac.webkit.org/changeset/237054
2018-10-13 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] JSON.stringify can accept call-with-no-arguments
https://bugs.webkit.org/show_bug.cgi?id=190343
Reviewed by Mark Lam.
* stress/json-stringify-no-arguments.js: Added.
(shouldBe):
2018-10-08 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] JSC should have "parseFunction" to optimize Function constructor
https://bugs.webkit.org/show_bug.cgi?id=190340
Reviewed by Mark Lam.
This patch fixes the line number of syntax errors raised by the Function constructor,
since we now parse the final code only once. And we no longer use block statement
for Function constructor's parsing.
* ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
* stress/function-cache-with-parameters-end-position.js: Added.
(shouldBe):
(shouldThrow):
(i.anonymous):
* stress/function-constructor-name.js: Added.
(shouldBe):
(GeneratorFunction):
(AsyncFunction.async):
(AsyncGeneratorFunction.async):
(anonymous):
(async.anonymous):
* test262/expectations.yaml:
2018-10-10 Guillaume Emont <guijemont@igalia.com>
Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
https://bugs.webkit.org/show_bug.cgi?id=190426
Unreviewed gardening.
* stress/sampling-profiler-richards.js:
2018-10-06 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "|"
https://bugs.webkit.org/show_bug.cgi?id=186229
Reviewed by Yusuke Suzuki.
* stress/big-int-bitwise-and-jit.js:
* stress/big-int-bitwise-or-general.js: Added.
* stress/big-int-bitwise-or-jit-untyped.js: Added.
* stress/big-int-bitwise-or-jit.js: Added.
* stress/big-int-bitwise-or-memory-stress.js: Added.
* stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
* stress/big-int-bitwise-or-type-error.js: Added.
* stress/big-int-bitwise-or-wrapped-value.js: Added.
2018-10-05 Dominik Infuehr <dominik.infuehr@gmail.com>
Skip test on systems with limited memory
https://bugs.webkit.org/show_bug.cgi?id=190310
Invoking runDefault adds test to runlist, skipping the test in the next
line does not prevent the test from executing. Change order of lines such
that runDefault is only executed if test is not executed.
Reviewed by Mark Lam.
* stress/regress-190187.js:
2018-10-03 Saam barati <sbarati@apple.com>
lowXYZ in FTLLower should always filter the type of the incoming edge
https://bugs.webkit.org/show_bug.cgi?id=189939
<rdar://problem/44407030>
Reviewed by Michael Saboff.
* stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
(foo):
(test):
2018-10-03 Mark Lam <mark.lam@apple.com>
Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
https://bugs.webkit.org/show_bug.cgi?id=190187
<rdar://problem/42512909>
Reviewed by Michael Saboff.
* stress/regress-190187.js: Added.
2018-10-02 Caio Lima <ticaiolima@gmail.com>
[BigInt] BigInt.proptotype.toString is broken when radix is power of 2
https://bugs.webkit.org/show_bug.cgi?id=190033
Reviewed by Yusuke Suzuki.
* stress/big-int-to-string.js:
2018-10-01 Mark Lam <mark.lam@apple.com>
Function.toString() should also copy the source code Functions that are class definitions.
https://bugs.webkit.org/show_bug.cgi?id=190186
<rdar://problem/44733360>
Reviewed by Saam Barati.
* stress/regress-190186.js: Added.
2018-10-01 Dominik Infuehr <dinfuehr@igalia.com>
Split NaN-check into separate test
https://bugs.webkit.org/show_bug.cgi?id=190010
Reviewed by Saam Barati.
DataView exposes NaN-representation, which is not necessarily the same on each
architecture. Therefore move the check of the NaN-representation into its own
file such that we can disable this test on MIPS where NaN-representation can be
different on older CPUs.
* stress/dataview-jit-set-nan.js: Added.
(assert):
(test.storeLittleEndian):
(test.storeBigEndian):
(test.store):
(test):
* stress/dataview-jit-set.js:
(test5):
2018-10-01 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r236647.
https://bugs.webkit.org/show_bug.cgi?id=190124
Breaking test stress/big-int-to-string.js (Requested by
caiolima_ on #webkit).
Reverted changeset:
"[BigInt] BigInt.proptotype.toString is broken when radix is
power of 2"
https://bugs.webkit.org/show_bug.cgi?id=190033
https://trac.webkit.org/changeset/236647
2018-09-30 Caio Lima <ticaiolima@gmail.com>
[BigInt] BigInt.proptotype.toString is broken when radix is power of 2
https://bugs.webkit.org/show_bug.cgi?id=190033
Reviewed by Yusuke Suzuki.
* stress/big-int-to-string.js:
2018-09-28 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "&"
https://bugs.webkit.org/show_bug.cgi?id=186228
Reviewed by Yusuke Suzuki.
* stress/big-int-bitwise-and-general.js: Added.
(assert):
(assert.sameValue):
* stress/big-int-bitwise-and-jit.js: Added.
(let.assert.sameValue):
(bigIntBitAnd):
* stress/big-int-bitwise-and-memory-stress.js: Added.
(assert):
* stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
(assert.sameValue):
(let.o.Symbol.toPrimitive):
(catch):
* stress/big-int-bitwise-and-type-error.js: Added.
(assert):
(assertThrowTypeError):
(let.o.valueOf):
(o.valueOf):
(o.toString):
(o.Symbol.toPrimitive):
* stress/big-int-bitwise-and-wrapped-value.js: Added.
(assert.sameValue):
(testBitAnd):
(let.o.Symbol.toPrimitive):
(o.valueOf):
(o.toString):
2018-09-28 Ross Kirsling <ross.kirsling@sony.com>
JSC test stress/jsc-read.js doesn't support CRLF
https://bugs.webkit.org/show_bug.cgi?id=190063
Reviewed by Yusuke Suzuki.
In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
* stress/jsc-read.js:
(test):
2018-09-27 Saam barati <sbarati@apple.com>
Verify the contents of AssemblerBuffer on arm64e
https://bugs.webkit.org/show_bug.cgi?id=190057
<rdar://problem/38916630>
Reviewed by Mark Lam.
* stress/regress-189132.js:
2018-09-27 Dominik Infuehr <dinfuehr@igalia.com>
Disable test without LLInt on ARMv7
https://bugs.webkit.org/show_bug.cgi?id=190037
Reviewed by Mark Lam.
Test runs out of executable memory on ARMv7, do not run
this test without LLInt enabled.
* stress/regress-169445.js:
2018-09-26 Keith Miller <keith_miller@apple.com>
We should zero unused property storage when rebalancing array storage.
https://bugs.webkit.org/show_bug.cgi?id=188151
Reviewed by Michael Saboff.
* stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
2018-09-20 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Optimize Array#lastIndexOf
https://bugs.webkit.org/show_bug.cgi?id=189780
Reviewed by Saam Barati.
* stress/array-lastindexof-array-prototype-trap.js: Added.
(shouldBe):
(AncestorArray.prototype.get 2):
(AncestorArray):
* stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
(shouldBe):
* stress/array-lastindexof-hole-nan.js: Added.
(shouldBe):
(throw.new.Error):
* stress/array-lastindexof-infinity.js: Added.
(shouldBe):
(throw.new.Error):
* stress/array-lastindexof-negative-zero.js: Added.
(shouldBe):
(throw.new.Error):
* stress/array-lastindexof-own-getter.js: Added.
(shouldBe):
(throw.new.Error.get array):
(get array):
* stress/array-lastindexof-prototype-trap.js: Added.
(shouldBe):
(DerivedArray.prototype.get 2):
(DerivedArray):
2018-09-25 Saam Barati <sbarati@apple.com>
Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
https://bugs.webkit.org/show_bug.cgi?id=189940
<rdar://problem/43640987>
Reviewed by Mark Lam.
* stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
2018-09-24 Saam Barati <sbarati@apple.com>
Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
https://bugs.webkit.org/show_bug.cgi?id=189922
<rdar://problem/44651275>
Reviewed by Mark Lam.
* stress/array-indexof-fast-path-effects.js: Added.
* stress/array-indexof-cached-length.js: Added.
2018-09-24 Saam barati <sbarati@apple.com>
ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
https://bugs.webkit.org/show_bug.cgi?id=189682
<rdar://problem/43557315>
Reviewed by Mark Lam.
* stress/arguments-elimination-will-generate-edge-without-result.js: Added.
(foo):
2018-09-22 Saam barati <sbarati@apple.com>
The sampling should not use Strong<CodeBlock> in its machineLocation field
https://bugs.webkit.org/show_bug.cgi?id=189319
Reviewed by Filip Pizlo.
* stress/sampling-profiler-richards.js: Added.
2018-09-19 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Optimize Array#indexOf in C++ runtime
https://bugs.webkit.org/show_bug.cgi?id=189507
Reviewed by Saam Barati.
* stress/array-indexof-array-prototype-trap.js: Added.
(shouldBe):
(AncestorArray.prototype.get 2):
(AncestorArray):
* stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
(shouldBe):
* stress/array-indexof-hole-nan.js: Added.
(shouldBe):
(throw.new.Error):
* stress/array-indexof-infinity.js: Added.
(shouldBe):
(throw.new.Error):
* stress/array-indexof-negative-zero.js: Added.
(shouldBe):
(throw.new.Error):
* stress/array-indexof-own-getter.js: Added.
(shouldBe):
(throw.new.Error.get array):
(get array):
* stress/array-indexof-prototype-trap.js: Added.
(shouldBe):
(DerivedArray.prototype.get 2):
(DerivedArray):
2018-09-19 Saam barati <sbarati@apple.com>
AI rule for MultiPutByOffset executes its effects in the wrong order
https://bugs.webkit.org/show_bug.cgi?id=189757
<rdar://problem/43535257>
Reviewed by Michael Saboff.
* stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
(foo):
(Foo):
(g):
2018-09-17 Mark Lam <mark.lam@apple.com>
Ensure that ForInContexts are invalidated if their loop local is over-written.
https://bugs.webkit.org/show_bug.cgi?id=189571
<rdar://problem/44402277>
Reviewed by Saam Barati.
* stress/regress-189571.js: Added.
2018-09-17 Saam barati <sbarati@apple.com>
We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
https://bugs.webkit.org/show_bug.cgi?id=189676
<rdar://problem/39682897>
Reviewed by Michael Saboff.
* typeProfiler/check-structure-or-empty-in-fixup.js: Added.
(A):
(K):
(i.catch):
2018-09-14 Saam barati <sbarati@apple.com>
Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
https://bugs.webkit.org/show_bug.cgi?id=189628
<rdar://problem/39481690>
Reviewed by Mark Lam.
* stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
(foo):
2018-09-11 Mark Lam <mark.lam@apple.com>
Test for array initialization in arrayProtoFuncSplice.
https://bugs.webkit.org/show_bug.cgi?id=170253
<rdar://problem/31328773>
Rubber-stamped by Saam Barati.
* stress/regress-170253.js: Added.
2018-09-11 Mark Lam <mark.lam@apple.com>
Test for IntlObject initialization.
https://bugs.webkit.org/show_bug.cgi?id=170251
<rdar://problem/31328419>
Rubber-stamped by Saam Barati.
* stress/regress-170251.js: Added.
2018-09-11 Mark Lam <mark.lam@apple.com>
Test for array memcpy'ing when JSGlobalObject::haveABadTime.
https://bugs.webkit.org/show_bug.cgi?id=169889
<rdar://problem/31155607>
Reviewed by Saam Barati.
* stress/regress-169889-array-concat.js: Added.
* stress/regress-169889-array-concat1.js: Added.
* stress/regress-169889-array-slice.js: Added.
2018-09-11 Mark Lam <mark.lam@apple.com>
Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
https://bugs.webkit.org/show_bug.cgi?id=169445
<rdar://problem/30957435>
Reviewed by Saam Barati.
* stress/regress-169445.js: Added.
(let.gun.eval.A):
(let.gun.eval.B.C):
(let.gun.eval.B.C.prototype.trigger):
(let.gun.eval.B.C.prototype.triggerWithRestParameters):
(let.gun.eval.B):
(let.gun.eval):
== Rolled over to ChangeLog-2018-09-11 ==