3746a3811b434c349a2a46ddcb58fcbfb50fca98
[WebKit-https.git] / JSTests / ChangeLog
1 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Make Promise implementation faster
4         https://bugs.webkit.org/show_bug.cgi?id=200898
5
6         Reviewed by Saam Barati.
7
8         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
9         (assert.assert.return.throws):
10         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
11         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
12         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
13         (shouldThrow):
14         (new.Promise):
15         (shouldThrow.Promise):
16         * stress/create-promise-should-respect-promise-realm.js: Added.
17         (shouldBe):
18         (other.new.OtherPromise):
19         (DerivedOtherPromise):
20         (i.promise.new.DerivedOtherPromise):
21         (createPromise):
22         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
23         (shouldBe):
24         (DerivedPromise):
25         (i.array.push.new.DerivedPromise):
26         (promise.new.DerivedPromise):
27         * stress/derived-promise-constructor-inlined.js: Added.
28         (shouldBe):
29         (DerivedPromise):
30         (i.array.push.new.DerivedPromise):
31         (DerivedPromise.all.array.then):
32         * stress/derived-promise-prototype-replaced.js: Added.
33         (shouldBe):
34         (DerivedPromise):
35         (i.array.push.new.DerivedPromise):
36         (promise.new.DerivedPromise):
37         * stress/internal-promise-constructor-not-confusing.js: Added.
38         (shouldBe):
39         (InternalPromise.vm.createBuiltin):
40         (DerivedPromise):
41         * stress/internal-promise-is-not-exposed.js: Added.
42         (shouldBe):
43         * stress/new-promise-should-respect-promise-realm.js: Added.
44         (shouldBe):
45         (other.new.OtherPromise):
46         (createPromise):
47         * stress/promise-cannot-be-called.js:
48         (shouldThrow):
49         * stress/promise-capability-fast-path.js: Added.
50         (shouldBe):
51         (i.array.push.new.Promise):
52         (i.array.i.then):
53         * stress/promise-capability-slow-path.js: Added.
54         (shouldBe):
55         (Promise.prototype.then):
56         (i.array.push.new.Promise):
57         (i.array.i.then):
58         * stress/promise-capability-then-slow-path.js: Added.
59         (shouldBe):
60         (DerivedPromise):
61         (DerivedPromise.prototype.then):
62         (i.array.push.new.DerivedPromise):
63         (i.array.i.then):
64         * stress/promise-constructor-inlined.js: Added.
65         (shouldBe):
66         (i.array.push.new.Promise):
67         (Promise.all.array.then):
68         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
69         (shouldBe):
70         (DerivedPromise):
71         (DerivedPromise2):
72         (i.array.push.new.DerivedPromise):
73         (i.array2.push.new.DerivedPromise2):
74         * stress/without-promise-functions.js: Added.
75         (shouldBe):
76         (async):
77
78 2019-09-03  Mark Lam  <mark.lam@apple.com>
79
80         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
81         https://bugs.webkit.org/show_bug.cgi?id=201309
82         <rdar://problem/54832121>
83
84         Reviewed by Yusuke Suzuki.
85
86         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
87
88 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
89
90         [JSC] Generate new.target register only when it is used
91         https://bugs.webkit.org/show_bug.cgi?id=201335
92
93         Reviewed by Mark Lam.
94
95         * stress/ensure-new-register-allocated.js: Added.
96         (shouldBe):
97         (basic):
98         (arrow):
99         (Base):
100         (Derived):
101         (evaluate):
102
103 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
104
105         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
106         https://bugs.webkit.org/show_bug.cgi?id=201331
107
108         Reviewed by Mark Lam.
109
110         * stress/simple-jump-table-copy.js: Added.
111         (let.code):
112         (g2):
113
114 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
115
116         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
117         https://bugs.webkit.org/show_bug.cgi?id=201332
118
119         Reviewed by Mark Lam.
120
121         This test is very flaky, it is hard to reproduce.
122
123         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
124         (code):
125
126 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
127
128         [JSC] Repatch should construct CallCases and CasesValue at the same time
129         https://bugs.webkit.org/show_bug.cgi?id=201325
130
131         Reviewed by Saam Barati.
132
133         * stress/repatch-switch.js: Added.
134         (main.f2.f0):
135         (main.f2.f3):
136         (main.f2.f1):
137         (main.f2):
138         (main):
139
140 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
141
142         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
143         https://bugs.webkit.org/show_bug.cgi?id=198650
144
145         Reviewed by Saam Barati.
146
147         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
148         (main.v0):
149         (main):
150
151 2019-08-28  Mark Lam  <mark.lam@apple.com>
152
153         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
154         https://bugs.webkit.org/show_bug.cgi?id=201281
155         <rdar://problem/54028228>
156
157         Reviewed by Yusuke Suzuki and Saam Barati.
158
159         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
160
161 2019-08-28  Mark Lam  <mark.lam@apple.com>
162
163         Placate exception check validation in DFG's operationHasGenericProperty().
164         https://bugs.webkit.org/show_bug.cgi?id=201245
165         <rdar://problem/54777512>
166
167         Reviewed by Robin Morisset.
168
169         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
170
171 2019-08-27  Mark Lam  <mark.lam@apple.com>
172
173         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
174         https://bugs.webkit.org/show_bug.cgi?id=201196
175         <rdar://problem/54703775>
176
177         Reviewed by Yusuke Suzuki.
178
179         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
180
181 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
182
183         [JSC] Ensure x?.y ?? z is fast
184         https://bugs.webkit.org/show_bug.cgi?id=200875
185
186         Reviewed by Yusuke Suzuki.
187
188         * stress/nullish-coalescing.js:
189
190 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
191
192         Remove MaximalFlushInsertionPhase
193         https://bugs.webkit.org/show_bug.cgi?id=201036
194
195         Reviewed by Saam Barati.
196
197         Remove all the references to maximal flush
198
199         * stress/arith-ceil-on-various-types.js:
200         (checkCompileCountForUselessNegativeZero):
201         * stress/arith-floor-on-various-types.js:
202         (checkCompileCountForUselessNegativeZero):
203         * stress/arith-negate-on-various-types.js:
204         (checkCompileCountForUselessNegativeZero):
205         * stress/arith-round-on-various-types.js:
206         (checkCompileCountForUselessNegativeZero):
207         * stress/arith-trunc-on-various-types.js:
208         (checkCompileCountForUselessNegativeZero):
209         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
210         * stress/has-indexed-property-should-accept-non-int32.js:
211         * stress/has-indexed-property-with-worsening-array-mode.js:
212         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
213         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
214         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
215         * stress/rest-parameter-many-arguments.js:
216         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
217         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
218         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
219
220 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
221
222         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
223         https://bugs.webkit.org/show_bug.cgi?id=200952
224
225         Reviewed by Saam Barati.
226
227         * wasm/references/func_ref.js:
228         (assert.throws):
229
230 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
231
232         Add missing exception check in canonicalizeLocaleList
233         https://bugs.webkit.org/show_bug.cgi?id=201021
234
235         Reviewed by Mark Lam.
236
237         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
238         (catch):
239
240 2019-08-21  Mark Lam  <mark.lam@apple.com>
241
242         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
243         https://bugs.webkit.org/show_bug.cgi?id=201016
244         <rdar://problem/54579911>
245
246         Reviewed by Yusuke Suzuki.
247
248         * wasm/stress/too-many-locals.js: Added.
249         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
250
251 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
252
253         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
254         https://bugs.webkit.org/show_bug.cgi?id=200965
255
256         Reviewed by Saam Barati.
257
258         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
259         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
260
261         * stress/optional-chaining.js:
262
263 2019-08-21  Michael Saboff  <msaboff@apple.com>
264
265         [JSC] incorrent JIT lead to StackOverflow
266         https://bugs.webkit.org/show_bug.cgi?id=197823
267
268         Reviewed by Tadeu Zagallo.
269
270         New test.
271
272         * stress/bound-function-stack-overflow.js: Added.
273         (foo):
274         (catch):
275
276 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
277
278         Identify memcpy loops in b3
279         https://bugs.webkit.org/show_bug.cgi?id=200181
280
281         Reviewed by Saam Barati.
282
283         * microbenchmarks/memcpy-loop.js: Added.
284         (doTest):
285         (let.arr1):
286         * microbenchmarks/memcpy-typed-loop-large.js: Added.
287         (doTest):
288         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
289         (arr2):
290         * microbenchmarks/memcpy-typed-loop-small.js: Added.
291         (doTest):
292         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
293         (16.arr2):
294         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
295         (doTest):
296         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
297         (arr2):
298         * microbenchmarks/memcpy-wasm-large.js: Added.
299         (typeof.WebAssembly.string_appeared_here.eq):
300         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
301         * microbenchmarks/memcpy-wasm-medium.js: Added.
302         (typeof.WebAssembly.string_appeared_here.eq):
303         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
304         * microbenchmarks/memcpy-wasm-small.js: Added.
305         (typeof.WebAssembly.string_appeared_here.eq):
306         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
307         * microbenchmarks/memcpy-wasm.js: Added.
308         (typeof.WebAssembly.string_appeared_here.eq):
309         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
310         * stress/memcpy-typed-loops.js: Added.
311         (noLoop):
312         (invalidStart):
313         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
314         (arr2):
315         * wasm/function-tests/memcpy-wasm-loop.js: Added.
316         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
317         (string_appeared_here):
318
319 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
320
321         [JSC] Array.prototype.toString should not get "join" function each time
322         https://bugs.webkit.org/show_bug.cgi?id=200905
323
324         Reviewed by Mark Lam.
325
326         * stress/array-prototype-join-change.js: Added.
327         (shouldBe):
328         (array2.join):
329         (DerivedArray):
330         (DerivedArray.prototype.join):
331         (array3.__proto__.join):
332         (Array.prototype.join):
333
334 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
335
336         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
337         https://bugs.webkit.org/show_bug.cgi?id=200782
338
339         Reviewed by Saam Barati.
340
341         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
342
343         * microbenchmarks/memcpy-typed-loop.js:
344         * stress/int8-repeat-in-then-out-of-bounds.js:
345
346 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
347
348         Proxy constructor should throw if handler is revoked Proxy
349         https://bugs.webkit.org/show_bug.cgi?id=198755
350
351         Reviewed by Saam Barati.
352
353         * stress/proxy-revoke.js: Adjust error message.
354         * test262/expectations.yaml: Mark 2 test cases as passing.
355
356 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
357
358         [JSC] OSR entry to Wasm OMG
359         https://bugs.webkit.org/show_bug.cgi?id=200362
360
361         Reviewed by Michael Saboff.
362
363         * wasm/stress/osr-entry-basic.js: Added.
364         (instance.exports.loop):
365         * wasm/stress/osr-entry-many-locals-f32.js: Added.
366         * wasm/stress/osr-entry-many-locals-f64.js: Added.
367         * wasm/stress/osr-entry-many-locals-i32.js: Added.
368         * wasm/stress/osr-entry-many-locals-i64.js: Added.
369         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
370         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
371         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
372         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
373
374 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
375
376         Date.prototype.toJSON throws if toISOString returns an object
377         https://bugs.webkit.org/show_bug.cgi?id=198495
378
379         Reviewed by Ross Kirsling.
380
381         * test262/expectations.yaml: Mark 6 test cases as passing.
382
383 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
384
385         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
386         https://bugs.webkit.org/show_bug.cgi?id=200899
387         <rdar://problem/54073341>
388
389         Reviewed by Mark Lam.
390
391         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
392         (i.new.Promise):
393         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
394         (i.new.Promise):
395
396 2019-08-19  Michael Saboff  <msaboff@apple.com>
397
398         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
399         https://bugs.webkit.org/show_bug.cgi?id=197090
400
401         Reviewed by Yusuke Suzuki.
402
403         New test.
404
405         * stress/regexp-nonconsuming-counted-parens.js: Added.
406
407 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
408
409         [JSC] Correct a->an in error messages and API docblocks
410         https://bugs.webkit.org/show_bug.cgi?id=200833
411
412         Reviewed by Don Olmstead.
413
414         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
415         (assert.assert.return.throws):
416         * stress/promise-finally-should-accept-non-promise-objects.js:
417         * wasm/js-api/table.js:
418         (assert.throws):
419
420 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
421
422         [ESNext] Implement optional chaining
423         https://bugs.webkit.org/show_bug.cgi?id=200199
424
425         Reviewed by Yusuke Suzuki.
426
427         * stress/nullish-coalescing.js:
428         * stress/optional-chaining.js: Added.
429         * stress/tail-call-recognize.js:
430
431 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
432
433         [ESNext] Support hashbang.
434         https://bugs.webkit.org/show_bug.cgi?id=200865
435
436         Reviewed by Mark Lam.
437
438         * stress/hashbang.js: Added.
439         * test262/expectations.yaml: Mark 6 cases as passing.
440
441 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
442
443         [JSC] DFG ToNumber should support Boolean in fixup
444         https://bugs.webkit.org/show_bug.cgi?id=200864
445
446         Reviewed by Mark Lam.
447
448         * microbenchmarks/to-number-boolean.js: Added.
449         (test):
450         * stress/to-number-boolean-int32.js: Added.
451         (shouldBe):
452         (test):
453         (check):
454         * stress/to-number-boolean.js: Added.
455         (shouldBe):
456         (test):
457         (check):
458         * stress/to-number-int32.js: Added.
459         (shouldBe):
460         (test):
461         (check):
462
463 2019-08-16  Mark Lam  <mark.lam@apple.com>
464
465         More missing exception checks in string comparison operators.
466         https://bugs.webkit.org/show_bug.cgi?id=200844
467         <rdar://problem/54378684>
468
469         Reviewed by Saam Barati.
470
471         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
472         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
473         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
474         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
475
476 2019-08-16  Mark Lam  <mark.lam@apple.com>
477
478         CodeBlock destructor should clear all of its watchpoints.
479         https://bugs.webkit.org/show_bug.cgi?id=200792
480         <rdar://problem/53947800>
481
482         Reviewed by Yusuke Suzuki.
483
484         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
485
486 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
487
488         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
489         https://bugs.webkit.org/show_bug.cgi?id=200782
490
491         Reviewed by Saam Barati.
492
493         * microbenchmarks/int8-out-of-bounds.js: Added.
494         (foo):
495         * microbenchmarks/memcpy-typed-loop.js: Added.
496         (doTest):
497         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
498         (arr2):
499         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
500         (foo):
501
502 2019-08-16  Mark Lam  <mark.lam@apple.com>
503
504         [Re-land] ProxyObject should not be allow to access its target's private properties.
505         https://bugs.webkit.org/show_bug.cgi?id=200739
506         <rdar://problem/53972768>
507
508         Reviewed by Yusuke Suzuki.
509
510         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
511         * stress/proxy-with-private-symbols.js:
512
513 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
514
515         [JSC] Promise.prototype.finally should accept non-promise objects
516         https://bugs.webkit.org/show_bug.cgi?id=200829
517
518         Reviewed by Mark Lam.
519
520         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
521         (shouldBe):
522         (Thenable):
523         (Thenable.prototype.then):
524
525 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
526
527         Promise constructor should check argument before [[Construct]]
528         https://bugs.webkit.org/show_bug.cgi?id=198976
529
530         Reviewed by Ross Kirsling.
531
532         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
533         * stress/create-subclass-structure-might-throw.js: Fix test.
534         * test262/expectations.yaml: Mark 2 test cases as passing.
535
536 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
537
538         Unreviewed, rolling out r248709.
539
540         Caused test/built-ins/Promise/prototype/finally/this-value-
541         non-promise.js to fail on test262 bot
542
543         Reverted changeset:
544
545         "ProxyObject should not be allow to access its target's
546         private properties."
547         https://bugs.webkit.org/show_bug.cgi?id=200739
548         https://trac.webkit.org/changeset/248709
549
550 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
551
552         DateConversion::formatDateTime incorrectly formats negative years
553         https://bugs.webkit.org/show_bug.cgi?id=199964
554
555         Reviewed by Ross Kirsling.
556
557         * test262/expectations.yaml: Mark 6 test cases as passing.
558
559 2019-08-15  Mark Lam  <mark.lam@apple.com>
560
561         More missing exception checks in String.prototype.
562         https://bugs.webkit.org/show_bug.cgi?id=200762
563         <rdar://problem/54333896>
564
565         Reviewed by Michael Saboff.
566
567         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
568         * stress/missing-exception-check-in-string-toLower.js: Added.
569         * stress/missing-exception-check-in-string-toUpper.js: Added.
570
571 2019-08-14  Mark Lam  <mark.lam@apple.com>
572
573         ProxyObject should not be allow to access its target's private properties.
574         https://bugs.webkit.org/show_bug.cgi?id=200739
575         <rdar://problem/53972768>
576
577         Reviewed by Yusuke Suzuki.
578
579         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
580         * stress/proxy-with-private-symbols.js: Rebased.
581
582 2019-08-14  Mark Lam  <mark.lam@apple.com>
583
584         Missing exception check in string compare.
585         https://bugs.webkit.org/show_bug.cgi?id=200743
586         <rdar://problem/53975356>
587
588         Reviewed by Michael Saboff.
589
590         * stress/missing-exception-check-in-string-compare.js: Added.
591
592 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
593
594         [JSC] Add "jump if (not) undefined or null" bytecode ops
595         https://bugs.webkit.org/show_bug.cgi?id=200480
596
597         Reviewed by Saam Barati.
598
599         * stress/destructuring-assignment-require-object-coercible.js:
600         * stress/nullish-coalescing.js:
601
602 2019-08-05  Michael Saboff  <msaboff@apple.com>
603
604         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
605         https://bugs.webkit.org/show_bug.cgi?id=199997
606
607         Reviewed by Saam Barati.
608
609         New test.
610
611         * stress/typedarray-no-alreadyChecked-assert.js: Added.
612         (checkIntArray):
613         (checkFloatArray):
614
615 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
616
617         [JSC] Support WebAssembly in SamplingProfiler
618         https://bugs.webkit.org/show_bug.cgi?id=200329
619
620         Reviewed by Saam Barati.
621
622         * stress/sampling-profiler-wasm-name-section.js: Added.
623         (const.compile):
624         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
625         (platformSupportsSamplingProfiler.vm.isWasmSupported):
626         * stress/sampling-profiler-wasm.js: Added.
627         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
628         (platformSupportsSamplingProfiler.vm.isWasmSupported):
629         * stress/sampling-profiler/loop.wasm: Added.
630         * stress/sampling-profiler/loop.wast: Added.
631         * stress/sampling-profiler/nameSection.wasm: Added.
632
633 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
634
635         [JSC] LazyJSValue should be robust for empty JSValue
636         https://bugs.webkit.org/show_bug.cgi?id=200388
637
638         Reviewed by Saam Barati.
639
640         * stress/switch-constant-child-becomes-empty.js: Added.
641         (foo):
642
643 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         GetterSetter type confusion during DFG compilation
646         https://bugs.webkit.org/show_bug.cgi?id=199903
647
648         Reviewed by Mark Lam.
649
650         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
651
652 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
653
654         Update Test262 (2019.08.01)
655         https://bugs.webkit.org/show_bug.cgi?id=200351
656
657         Reviewed by Keith Miller.
658
659         * test262/expectations.yaml:
660         * test262/harness/testIntl.js:
661         * test262/latest-changes-summary.txt:
662         * test262/test/:
663         * test262/test262-Revision.txt:
664
665 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
666
667         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
668         https://bugs.webkit.org/show_bug.cgi?id=200192
669
670         Reviewed by Saam Barati.
671
672         * stress/structure-chain-stress.js: Added.
673         (keys):
674
675 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
676
677         [JSC] Increment bytecode age only when SlotVisitor is first-visit
678         https://bugs.webkit.org/show_bug.cgi?id=200196
679
680         Reviewed by Robin Morisset.
681
682         * stress/reparsing-unlinked-codeblock.js:
683
684 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
685
686         [X86] Emit BT instruction for shift + mask in B3
687         https://bugs.webkit.org/show_bug.cgi?id=199891
688
689         Reviewed by Robin Morisset.
690
691         Lower the number of iterations to fix debug timeouts.
692
693         * microbenchmarks/bit-test-load.js:
694         (i):
695
696 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
697
698         [X86] Emit BT instruction for shift + mask in B3
699         https://bugs.webkit.org/show_bug.cgi?id=199891
700
701         Reviewed by Keith Miller.
702
703         * microbenchmarks/bit-test-constant.js: Added.
704         (let.glob.0.doTest):
705         * microbenchmarks/bit-test-load.js: Added.
706         (let.glob.0.let.arr.new.Int32Array.8.doTest):
707         (i):
708         * microbenchmarks/bit-test-nonconstant.js: Added.
709         (let.glob.0.doTest):
710
711 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
712
713         [JSC] Potential GC fix for JSPropertyNameEnumerator
714         https://bugs.webkit.org/show_bug.cgi?id=200151
715
716         Reviewed by Mark Lam.
717
718         * stress/for-in-stress.js: Added.
719         (keys):
720
721 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
722
723         Legacy numeric literals should not permit separators or BigInt
724         https://bugs.webkit.org/show_bug.cgi?id=199984
725
726         Reviewed by Keith Miller.
727
728         * stress/big-int-literals.js:
729         * stress/numeric-literal-separators.js:
730
731 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
732
733         [ESNext] Implement nullish coalescing
734         https://bugs.webkit.org/show_bug.cgi?id=200072
735
736         Reviewed by Darin Adler.
737
738         * stress/nullish-coalescing.js: Added.
739
740 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
741
742         Three checks are missing in Proxy internal methods
743         https://bugs.webkit.org/show_bug.cgi?id=198630
744
745         Reviewed by Darin Adler.
746
747         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
748         * test262/expectations.yaml: Mark 6 test cases as passing.
749
750 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
751
752         Sometimes we miss removable CheckInBounds
753         https://bugs.webkit.org/show_bug.cgi?id=200018
754
755         Reviewed by Saam Barati.
756
757         * microbenchmarks/typed-array-sum.js: Added.
758         (doTest):
759
760 2019-07-16  Mark Lam  <mark.lam@apple.com>
761
762         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
763         https://bugs.webkit.org/show_bug.cgi?id=199821
764         <rdar://problem/52452328>
765
766         Reviewed by Filip Pizlo.
767
768         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
769
770 2019-07-16  Keith Miller  <keith_miller@apple.com>
771
772         Unreviewed, test262 gardening.
773
774         * test262/expectations.yaml:
775
776 2019-07-15  Keith Miller  <keith_miller@apple.com>
777
778         A Possible Issue of Object.create method
779         https://bugs.webkit.org/show_bug.cgi?id=199744
780
781         Reviewed by Yusuke Suzuki.
782
783         * stress/object-create-non-object-properties-parameter.js: Added.
784         (catch):
785
786 2019-07-15  Keith Miller  <keith_miller@apple.com>
787
788         Update test262
789         https://bugs.webkit.org/show_bug.cgi?id=199801
790
791         Rubber-stamped by Yusuke Suzuki.
792
793         * test262/expectations.yaml:
794         * test262/latest-changes-summary.txt:
795         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
796         (fg.new.FinalizationGroup):
797         (callback):
798         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
799         (fg.new.FinalizationGroup):
800         (callback):
801         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
802         (fg.new.FinalizationGroup):
803         (callback):
804         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
805         (fg.new.FinalizationGroup):
806         (callback):
807         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
808         (fg.new.FinalizationGroup):
809         (callback):
810         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
811         (fg.new.FinalizationGroup):
812         (callback):
813         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
814         (fg.new.FinalizationGroup):
815         (callback):
816         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
817         (callback):
818         (fg.new.FinalizationGroup):
819         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
820         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
821         (cb):
822         (fg.new.FinalizationGroup):
823         (emptyCells):
824         (async.fn):
825         (fn.then.async):
826         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
827         (fg.new.FinalizationGroup):
828         * test262/test/built-ins/FinalizationGroup/length.js: Added.
829         * test262/test/built-ins/FinalizationGroup/name.js: Added.
830         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
831         (newTarget):
832         (fn):
833         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
834         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
835         (fn):
836         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
837         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
838         (newTarget):
839         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
840         (newTarget):
841         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
842         (fg.new.FinalizationGroup):
843         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
844         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
845         (callback):
846         (fg.new.FinalizationGroup):
847         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
848         (fg.new.FinalizationGroup):
849         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
850         (cb):
851         (fg.new.FinalizationGroup):
852         (emptyCells):
853         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
854         (fg.new.FinalizationGroup):
855         (fg.cleanupSome.cb):
856         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
857         (callback):
858         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
859         (fn):
860         (cb):
861         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
862         (cb):
863         (fg.new.FinalizationGroup):
864         (emptyCells):
865         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
866         (fg.new.FinalizationGroup):
867         (callback):
868         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
869         (fg.new.FinalizationGroup):
870         (callback):
871         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
872         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
873         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
874         (poisoned):
875         (fg.new.FinalizationGroup):
876         (emptyCells):
877         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
878         (poisoned):
879         (emptyCells):
880         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
881         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
882         (fn):
883         (cb):
884         (emptyCells):
885         (prototype.assert.sameValue.fg.cleanupSome):
886         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
887         (fn):
888         (cb):
889         (poisoned):
890         (assert.sameValue.fg.cleanupSome):
891         (prototype.assert.sameValue.fg.cleanupSome):
892         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
893         (cb):
894         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
895         (cb):
896         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
897         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
898         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
899         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
900         (fn):
901         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
902         (fn):
903         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
904         (fg.new.FinalizationGroup):
905         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
906         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
907         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
908         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
909         (fn):
910         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
911         (fn):
912         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
913         (fg.new.FinalizationGroup):
914         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
915         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
916         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
917         (fg.new.FinalizationGroup):
918         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
919         (fg.new.FinalizationGroup):
920         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
921         (fg.new.FinalizationGroup):
922         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
923         (fg.new.FinalizationGroup):
924         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
925         (fn):
926         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
927         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
928         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
929         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
930         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
931         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
932         (fn):
933         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
934         (fg.new.FinalizationGroup):
935         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
936         (cleanupCallback):
937         (let.key.of.Object.getOwnPropertyNames):
938         (set for):
939         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
940         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
941         (FinalizationGroup):
942         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
943         (cleanupCallback):
944         (let.key.of.Object.getOwnPropertyNames):
945         (set for):
946         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
947         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
948         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
949         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
950         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
951         (asyncProxy.new.Proxy.async):
952         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
953         (asyncProxy.new.Proxy.async):
954         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
955         (setIter.set Symbol):
956         (set defaultTag):
957         (gen):
958         (get return):
959         (set new):
960         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
961         (generatorProxy.new.Proxy):
962         (asyncProxy.new.Proxy.async):
963         * test262/test/built-ins/Object/subclass-object-arg.js:
964         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
965         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
966         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
967         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
968         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
969         * test262/test/built-ins/Promise/executor-function-name.js:
970         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
971         * test262/test/built-ins/Promise/reject-function-name.js:
972         * test262/test/built-ins/Promise/resolve-function-name.js:
973         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
974         * test262/test/built-ins/WeakRef/constructor.js: Added.
975         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
976         * test262/test/built-ins/WeakRef/length.js: Added.
977         * test262/test/built-ins/WeakRef/name.js: Added.
978         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
979         (newTarget):
980         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
981         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
982         * test262/test/built-ins/WeakRef/proto.js: Added.
983         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
984         (newTarget):
985         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
986         (newTarget):
987         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
988         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
989         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
990         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
991         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
992         (emptyCells):
993         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
994         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
995         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
996         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
997         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
998         (fg.new.FinalizationGroup):
999         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1000         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1001         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1002         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1003         (let.key.of.Object.getOwnPropertyNames):
1004         (set for):
1005         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1006         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1007         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1008         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1009         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1010         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1011         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1012         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1013         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1014         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1015         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1016         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1017         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1018         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1019         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1020         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1021         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1022         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1023         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1024         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1025         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1026         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1027         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1028         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1029         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1030         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1031         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1032         (assertParts):
1033         (assertPartsNumeric):
1034         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1035         (assertParts):
1036         (assertPartsNumeric):
1037         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1038         (assertParts):
1039         (assertPartsNumeric):
1040         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1041         (assertParts):
1042         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1043         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1044         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1045         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1046         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1047         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1048         (C.prototype.method):
1049         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1050         (C.prototype.method.innerFunction):
1051         (C.prototype.method):
1052         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1053         (C):
1054         (C.method):
1055         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1056         (C):
1057         (C.method.innerFunction):
1058         (C.method):
1059         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1060         (C):
1061         (C.checkPrivateGetter):
1062         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1063         (C):
1064         (C.method):
1065         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1066         (C):
1067         (C.method.innerFunction):
1068         (C.method):
1069         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1070         (C):
1071         (C.checkPrivateMethod):
1072         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1073         (C):
1074         (C.method):
1075         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1076         (C):
1077         (C.method.innerFunction):
1078         (C.method):
1079         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1080         (C):
1081         (C.checkPrivateSetter):
1082         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1083         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1084         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1085         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1086         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1087         (let.classStringExpression):
1088         (let.classStringExpression.access):
1089         (let.createAndInstantiateClass):
1090         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1091         (let.classStringExpression):
1092         (let.classStringExpression.access):
1093         (let.createAndInstantiateClass):
1094         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1095         (const.C):
1096         (let.createAndInstantiateClass):
1097         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1098         (let.classStringExpression.return.prototype.m):
1099         (let.classStringExpression.return.prototype.access):
1100         (let.createAndInstantiateClass):
1101         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1102         (let.classStringExpression.return.prototype.m):
1103         (let.classStringExpression.return.prototype.access):
1104         (let.createAndInstantiateClass):
1105         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1106         (let.classStringExpression):
1107         (let.classStringExpression.access):
1108         (let.createAndInstantiateClass):
1109         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1110         (let.classStringExpression.prototype.m):
1111         (let.classStringExpression.prototype.access):
1112         (let.classStringExpression):
1113         (let.createAndInstantiateClass):
1114         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1115         (let.classStringExpression.prototype.m):
1116         (let.classStringExpression.prototype.access):
1117         (let.classStringExpression):
1118         (let.createAndInstantiateClass):
1119         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1120         (const.C):
1121         (let.createAndInstantiateClass):
1122         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1123         (let.classStringExpression.return.C.prototype.m):
1124         (let.classStringExpression.return.C.prototype.access):
1125         (let.classStringExpression.return.C):
1126         (let.createAndInstantiateClass):
1127         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1128         (let.classStringExpression.return.C.prototype.m):
1129         (let.classStringExpression.return.C.prototype.access):
1130         (let.classStringExpression.return.C):
1131         (let.createAndInstantiateClass):
1132         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1133         (let.classStringExpression):
1134         (let.classStringExpression.access):
1135         (let.createAndInstantiateClass):
1136         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1137         (let.classStringExpression):
1138         (let.classStringExpression.access):
1139         (let.createAndInstantiateClass):
1140         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1141         (let.classStringExpression):
1142         (let.classStringExpression.access):
1143         (let.createAndInstantiateClass):
1144         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1145         (const.C):
1146         (let.createAndInstantiateClass):
1147         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1148         (let.classStringExpression.return.prototype.m):
1149         (let.classStringExpression.return.prototype.access):
1150         (let.createAndInstantiateClass):
1151         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1152         (let.classStringExpression.return.prototype.m):
1153         (let.classStringExpression.return.prototype.access):
1154         (let.createAndInstantiateClass):
1155         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1156         (let.classStringExpression):
1157         (let.classStringExpression.access):
1158         (let.createAndInstantiateClass):
1159         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1160         (new):
1161         (async):
1162         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1163         (A):
1164         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1165         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1166         * test262/test/language/identifiers/vals-cjk.js: Added.
1167         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1168         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1169         (C.prototype.method):
1170         (C):
1171         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1172         (C.prototype.method.innerFunction):
1173         (C.prototype.method):
1174         (C):
1175         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1176         (C.prototype.checkPrivateField):
1177         (C):
1178         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1179         (C):
1180         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1181         (C.prototype.getWithEval):
1182         (C):
1183         (D):
1184         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1185         (C.prototype.get m):
1186         (C.prototype.method):
1187         (C):
1188         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1189         (C.prototype.get m):
1190         (C.prototype.method.innerFunction):
1191         (C.prototype.method):
1192         (C):
1193         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1194         (let.createAndInstantiateClass):
1195         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1196         (C.prototype.get m):
1197         (C.prototype.checkPrivateGetter):
1198         (C):
1199         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1200         (C.prototype.get m):
1201         (C.prototype.checkPrivateGetter):
1202         (C):
1203         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1204         (C.prototype.get m):
1205         (C):
1206         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1207         (C.prototype.get m):
1208         (C.prototype.getWithEval):
1209         (C):
1210         (D.prototype.get m):
1211         (D):
1212         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1213         (C.prototype.m):
1214         (C.prototype.method):
1215         (C):
1216         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1217         (C.prototype.m):
1218         (C.prototype.method.innerFunction):
1219         (C.prototype.method):
1220         (C):
1221         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1222         (C.prototype.m):
1223         (C.prototype.checkPrivateMethod):
1224         (C):
1225         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1226         (C.prototype.m):
1227         (C.prototype.checkPrivateMethod):
1228         (C):
1229         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1230         (C.prototype.m):
1231         (C):
1232         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1233         (C.prototype.m):
1234         (C.prototype.getWithEval):
1235         (C):
1236         (D.prototype.m):
1237         (D):
1238         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1239         (C.prototype.set m):
1240         (C.prototype.method):
1241         (C):
1242         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1243         (C.prototype.set m):
1244         (C.prototype.method.innerFunction):
1245         (C.prototype.method):
1246         (C):
1247         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1248         (C.prototype.set m):
1249         (C.prototype.checkPrivateSetter):
1250         (C):
1251         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1252         (C.prototype.set m):
1253         (C.prototype.checkPrivateSetter):
1254         (C):
1255         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1256         (C.prototype.set m):
1257         (C):
1258         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1259         (C.prototype.set m):
1260         (C.prototype.setWithEval):
1261         (C):
1262         (D.prototype.set m):
1263         (D):
1264         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1265         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1266         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1267         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1268         (A.prototype.method):
1269         (A):
1270         (C.prototype.get m):
1271         (C.prototype.access):
1272         (C):
1273         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1274         (A.prototype.method):
1275         (A):
1276         (C.prototype.m):
1277         (C.prototype.access):
1278         (C):
1279         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1280         (A.prototype.method):
1281         (A):
1282         (C.prototype.set m):
1283         (C.prototype.access):
1284         (C):
1285         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1286         (A):
1287         * test262/test/language/statements/function/13.2-30-s.js:
1288         * test262/test262-Revision.txt:
1289
1290 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1291
1292         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1293         https://bugs.webkit.org/show_bug.cgi?id=199783
1294
1295         Reviewed by Mark Lam.
1296
1297         Fix our spec tests.
1298
1299         * wasm/js-api/Module-compile.js:
1300         * wasm/js-api/test_basic_api.js:
1301         (const.c.in.constructorProperties.switch):
1302         * wasm/js-api/validate.js:
1303         * wasm/js-api/web-assembly-instantiate.js:
1304         * wasm/spec-tests/jsapi.js:
1305         (testJSAPI.get test):
1306         (testJSAPI.set test):
1307
1308 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1309
1310         Unreviewed, rolling out r247440.
1311
1312         Broke builds
1313
1314         Reverted changeset:
1315
1316         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1317         issues"
1318         https://bugs.webkit.org/show_bug.cgi?id=199783
1319         https://trac.webkit.org/changeset/247440
1320
1321 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1322
1323         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1324         https://bugs.webkit.org/show_bug.cgi?id=199783
1325
1326         Reviewed by Mark Lam.
1327
1328         Fix our spec tests.
1329
1330         * wasm/js-api/Module-compile.js:
1331         * wasm/js-api/test_basic_api.js:
1332         (const.c.in.constructorProperties.switch):
1333         * wasm/js-api/validate.js:
1334         * wasm/js-api/web-assembly-instantiate.js:
1335         * wasm/spec-tests/jsapi.js:
1336         (testJSAPI.get test):
1337         (testJSAPI.set test):
1338
1339 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1340
1341         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1342         https://bugs.webkit.org/show_bug.cgi?id=196371
1343
1344         Reviewed by Keith Miller.
1345
1346         * microbenchmarks/mul-immediate-sub.js: Added.
1347         (doTest):
1348
1349 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1350
1351         [BigInt] Add ValueBitLShift into DFG
1352         https://bugs.webkit.org/show_bug.cgi?id=192664
1353
1354         Reviewed by Saam Barati.
1355
1356         We are adding tests to cover ValueBitwise operations AI changes.
1357
1358         * stress/big-int-left-shift-untyped.js: Added.
1359         * stress/bit-op-with-object-returning-int32.js:
1360         * stress/value-bit-and-ai-rule.js: Added.
1361         * stress/value-bit-lshift-ai-rule.js: Added.
1362         * stress/value-bit-or-ai-rule.js: Added.
1363         * stress/value-bit-xor-ai-rule.js: Added.
1364
1365 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1366
1367         Add b3 macro lowering for CheckMul on arm64
1368         https://bugs.webkit.org/show_bug.cgi?id=199251
1369
1370         Reviewed by Robin Morisset.
1371
1372         * microbenchmarks/check-mul-constant.js: Added.
1373         (doTest):
1374         * microbenchmarks/check-mul-no-constant.js: Added.
1375         (doTest):
1376         * microbenchmarks/check-mul-power-of-two.js: Added.
1377         (doTest):
1378
1379 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1380
1381         Optimize join of large empty arrays
1382         https://bugs.webkit.org/show_bug.cgi?id=199636
1383
1384         Reviewed by Mark Lam.
1385
1386         * microbenchmarks/large-empty-array-join.js: Added.
1387         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1388
1389 2019-07-06  Michael Saboff  <msaboff@apple.com>
1390
1391         switch(String) needs to check for exceptions when resolving the string
1392         https://bugs.webkit.org/show_bug.cgi?id=199541
1393
1394         Reviewed by Mark Lam.
1395
1396         New tests.
1397
1398         * stress/switch-string-oom.js: Added.
1399         (test):
1400         (testLowerTiers):
1401         (testFTL):
1402
1403 2019-07-05  Mark Lam  <mark.lam@apple.com>
1404
1405         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
1406         https://bugs.webkit.org/show_bug.cgi?id=199533
1407         <rdar://problem/52669111>
1408
1409         Reviewed by Filip Pizlo.
1410
1411         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1412
1413 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1414
1415         [JSC] Clean up ArraySpeciesCreate
1416         https://bugs.webkit.org/show_bug.cgi?id=182434
1417
1418         Reviewed by Yusuke Suzuki.
1419
1420         Adjusts error message expectations in stress tests.
1421
1422         * stress/array-flatmap.js:
1423         * stress/array-flatten.js:
1424         * stress/array-species-create-should-handle-masquerader.js:
1425         * test262/expectations.yaml: Mark 4 test cases as passing.
1426
1427 2019-07-02  Michael Saboff  <msaboff@apple.com>
1428
1429         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1430         https://bugs.webkit.org/show_bug.cgi?id=199395
1431
1432         Reviewed by Filip Pizlo.
1433
1434         New regession test.
1435
1436         * stress/for-of-tdz-with-try-catch.js: Added.
1437         (test):
1438         (i.catch):
1439
1440 2019-07-02  Keith Miller  <keith_miller@apple.com>
1441
1442         Frozen Arrays length assignment should throw in strict mode
1443         https://bugs.webkit.org/show_bug.cgi?id=199365
1444
1445         Reviewed by Yusuke Suzuki.
1446
1447         * stress/frozen-array-length-should-throw-strict.js: Added.
1448         (test):
1449
1450 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1451
1452         [Wasm-References] Disable references by default
1453         https://bugs.webkit.org/show_bug.cgi?id=199390
1454
1455         Reviewed by Saam Barati.
1456
1457         * wasm/references-spec-tests/ref_is_null.js:
1458         * wasm/references-spec-tests/ref_null.js:
1459         * wasm/references/anyref_globals.js:
1460         * wasm/references/anyref_modules.js:
1461         * wasm/references/anyref_table.js:
1462         * wasm/references/anyref_table_import.js:
1463         * wasm/references/element_parsing.js:
1464         * wasm/references/func_ref.js:
1465         * wasm/references/is_null.js:
1466         * wasm/references/multitable.js:
1467         * wasm/references/table_misc.js:
1468         * wasm/references/validation.js:
1469
1470 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1471
1472         Unreviewed, rolling out r246946.
1473
1474         Caused JSC test crashes on arm64
1475
1476         Reverted changeset:
1477
1478         "Add b3 macro lowering for CheckMul on arm64"
1479         https://bugs.webkit.org/show_bug.cgi?id=199251
1480         https://trac.webkit.org/changeset/246946
1481
1482 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1483
1484         Add b3 macro lowering for CheckMul on arm64
1485         https://bugs.webkit.org/show_bug.cgi?id=199251
1486
1487         Reviewed by Robin Morisset.
1488
1489         * microbenchmarks/check-mul-constant.js: Added.
1490         (doTest):
1491         * microbenchmarks/check-mul-no-constant.js: Added.
1492         (doTest):
1493         * microbenchmarks/check-mul-power-of-two.js: Added.
1494         (doTest):
1495
1496 2019-06-26  Keith Miller  <keith_miller@apple.com>
1497
1498         speciesConstruct needs to throw if the result is a DataView
1499         https://bugs.webkit.org/show_bug.cgi?id=199231
1500
1501         Reviewed by Mark Lam.
1502
1503         * stress/typedarray-filter.js:
1504         (subclasses.forEach):
1505         * stress/typedarray-map.js:
1506         (subclasses.forEach):
1507         * stress/typedarray-slice.js:
1508         (typedArrays.forEach):
1509         * stress/typedarray-subarray.js:
1510         (subclasses.forEach):
1511
1512 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1513
1514         Unreviewed, rolling out r246714.
1515         https://bugs.webkit.org/show_bug.cgi?id=199179
1516
1517         revert to do patch in a different way. (Requested by keith_mi_
1518         on #webkit).
1519
1520         Reverted changeset:
1521
1522         "All prototypes should call didBecomePrototype()"
1523         https://bugs.webkit.org/show_bug.cgi?id=196315
1524         https://trac.webkit.org/changeset/246714
1525
1526 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1527
1528         Add Array.prototype.{flat,flatMap} to unscopables
1529         https://bugs.webkit.org/show_bug.cgi?id=194322
1530
1531         Reviewed by Keith Miller.
1532
1533         * stress/unscopables.js: Fix test.
1534         * test262/expectations.yaml: Mark 2 test cases as passing.
1535
1536 2019-06-21  Mark Lam  <mark.lam@apple.com>
1537
1538         ArraySlice needs to keep the source array alive.
1539         https://bugs.webkit.org/show_bug.cgi?id=197374
1540         <rdar://problem/50304429>
1541
1542         Reviewed by Michael Saboff and Filip Pizlo.
1543
1544         * stress/array-slice-must-keep-source-array-alive.js: Added.
1545
1546 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1547
1548         All prototypes should call didBecomePrototype()
1549         https://bugs.webkit.org/show_bug.cgi?id=196315
1550
1551         Reviewed by Saam Barati.
1552
1553         * stress/function-prototype-indexed-accessor.js: Added.
1554
1555 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1556
1557         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1558         https://bugs.webkit.org/show_bug.cgi?id=197631
1559
1560         Reviewed by Saam Barati.
1561
1562         * stress/has-own-property-arguments.js: Added.
1563         (shouldBe):
1564         (A):
1565
1566 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1567
1568         [JSC] ClassExpr should not store result in the middle of evaluation
1569         https://bugs.webkit.org/show_bug.cgi?id=199106
1570
1571         Reviewed by Tadeu Zagallo.
1572
1573         * stress/class-expression-should-store-result-at-last.js: Added.
1574         (shouldThrow):
1575         (shouldThrow.let.a):
1576
1577 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1578
1579         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1580         https://bugs.webkit.org/show_bug.cgi?id=199044
1581
1582         Reviewed by Saam Barati.
1583
1584         Add wasm references spec tests as well as a worker test.
1585
1586         * wasm.yaml:
1587         * wasm/Builder_WebAssemblyBinary.js:
1588         (const.emitters.Element):
1589         * wasm/js-api/element.js:
1590         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1591         * wasm/references-spec-tests/ref_is_null.js: Added.
1592         (hostref):
1593         (is_hostref):
1594         (is_funcref):
1595         (eq_ref):
1596         (let.handler.get target):
1597         (register):
1598         (module):
1599         (instance):
1600         (call):
1601         (get instance):
1602         (exports):
1603         (run):
1604         (assert_malformed):
1605         (assert_invalid):
1606         (assert_unlinkable):
1607         (assert_uninstantiable):
1608         (assert_trap):
1609         (try.f):
1610         (catch):
1611         (assert_exhaustion):
1612         (assert_return):
1613         (assert_return_canonical_nan):
1614         (assert_return_arithmetic_nan):
1615         (assert_return_ref):
1616         (assert_return_func):
1617         * wasm/references-spec-tests/ref_null.js: Added.
1618         (hostref):
1619         (is_hostref):
1620         (is_funcref):
1621         (eq_ref):
1622         (let.handler.get target):
1623         (register):
1624         (module):
1625         (instance):
1626         (call):
1627         (get instance):
1628         (exports):
1629         (run):
1630         (assert_malformed):
1631         (assert_invalid):
1632         (assert_unlinkable):
1633         (assert_uninstantiable):
1634         (assert_trap):
1635         (try.f):
1636         (catch):
1637         (assert_exhaustion):
1638         (assert_return):
1639         (assert_return_canonical_nan):
1640         (assert_return_arithmetic_nan):
1641         (assert_return_ref):
1642         (assert_return_func):
1643         * wasm/references/element_parsing.js: Added.
1644         (module):
1645         * wasm/references/func_ref.js:
1646         * wasm/references/multitable.js:
1647         * wasm/references/table_misc.js:
1648         (TableSize.0.End.End.WebAssembly):
1649         * wasm/references/validation.js:
1650         (assert.throws):
1651
1652 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1653
1654         Optimize `resolve` method lookup in Promise static methods
1655         https://bugs.webkit.org/show_bug.cgi?id=198864
1656
1657         Reviewed by Yusuke Suzuki.
1658
1659         * test262/expectations.yaml: Mark 18 test cases as passing.
1660
1661 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1662
1663         [WASM-References] Rename anyfunc to funcref
1664         https://bugs.webkit.org/show_bug.cgi?id=198983
1665
1666         Reviewed by Yusuke Suzuki.
1667
1668         * wasm/function-tests/basic-element.js:
1669         * wasm/function-tests/context-switch.js:
1670         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1671         (makeInstance):
1672         (assert.eq.makeInstance):
1673         * wasm/function-tests/exceptions.js:
1674         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1675         * wasm/function-tests/grow-memory-2.js:
1676         (assert.eq.instance.exports.foo):
1677         * wasm/function-tests/nameSection.js:
1678         (const.compile):
1679         * wasm/function-tests/stack-overflow.js:
1680         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1681         (assertOverflows.makeInstance):
1682         * wasm/function-tests/table-basic-2.js:
1683         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1684         * wasm/function-tests/table-basic.js:
1685         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1686         * wasm/function-tests/trap-from-start-async.js:
1687         * wasm/function-tests/trap-from-start.js:
1688         * wasm/js-api/Module.exports.js:
1689         (assert.truthy):
1690         * wasm/js-api/Module.imports.js:
1691         (assert.truthy):
1692         * wasm/js-api/call-indirect.js:
1693         (const.oneTable):
1694         (const.multiTable):
1695         (multiTable.const.makeTable):
1696         (multiTable):
1697         (multiTable.Polyphic2Import):
1698         (multiTable.VirtualImport):
1699         * wasm/js-api/element-data.js:
1700         * wasm/js-api/element.js:
1701         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1702         (assert.throws):
1703         (badInstantiation.makeModule):
1704         (badInstantiation.test):
1705         (badInstantiation):
1706         * wasm/js-api/extension-MemoryMode.js:
1707         * wasm/js-api/table.js:
1708         (new.WebAssembly.Module):
1709         (assert.throws):
1710         (assertBadTableImport):
1711         (assert.throws.WebAssembly.Table.prototype.grow):
1712         (new.WebAssembly.Table):
1713         (assertBadTable):
1714         (assert.truthy):
1715         * wasm/js-api/test_basic_api.js:
1716         (const.c.in.constructorProperties.switch):
1717         * wasm/js-api/unique-signature.js:
1718         (CallIndirectWithDuplicateSignatures):
1719         * wasm/js-api/wrapper-function.js:
1720         * wasm/modules/table.wat:
1721         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1722         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1723         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1724         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1725         * wasm/references/anyref_table.js:
1726         * wasm/references/anyref_table_import.js:
1727         (doSet):
1728         (assert.throws):
1729         * wasm/references/func_ref.js:
1730         (makeFuncrefIdent):
1731         (assert.eq.instance.exports.fix):
1732         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
1733         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
1734         (let.importedFun.of):
1735         (makeAnyfuncIdent): Deleted.
1736         (makeAnyfuncIdent.fun): Deleted.
1737         * wasm/references/multitable.js:
1738         (assert.eq):
1739         (assert.throws):
1740         * wasm/references/table_misc.js:
1741         (GetLocal.0.TableFill.0.End.End.WebAssembly):
1742         * wasm/references/validation.js:
1743         (assert.throws.new.WebAssembly.Module.bin):
1744         (assert.throws):
1745         * wasm/spec-harness/index.js:
1746         * wasm/spec-harness/wasm-constants.js:
1747         * wasm/spec-harness/wasm-module-builder.js:
1748         (WasmModuleBuilder.prototype.toArray):
1749         * wasm/spec-harness/wast.js:
1750         (elem_type):
1751         (string_of_elem_type):
1752         (string_of_table_type):
1753         * wasm/spec-tests/jsapi.js:
1754         * wasm/stress/wasm-table-grow-initialize.js:
1755         * wasm/wasm.json:
1756
1757 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1758
1759         [WASM-References] Add support for Table.size, grow and fill instructions
1760         https://bugs.webkit.org/show_bug.cgi?id=198761
1761
1762         Reviewed by Yusuke Suzuki.
1763
1764         * wasm/Builder_WebAssemblyBinary.js:
1765         (const.putOp):
1766         * wasm/references/table_misc.js: Added.
1767         (TableSize.End.End.WebAssembly):
1768         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
1769         * wasm/wasm.json:
1770
1771 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1772
1773         [WASM-References] Add support for multiple tables
1774         https://bugs.webkit.org/show_bug.cgi?id=198760
1775
1776         Reviewed by Saam Barati.
1777
1778         * wasm/Builder.js:
1779         * wasm/js-api/call-indirect.js:
1780         (const.oneTable):
1781         (const.multiTable):
1782         (multiTable):
1783         (multiTable.Polyphic2Import):
1784         (multiTable.VirtualImport):
1785         (const.wasmModuleWhichImportJS): Deleted.
1786         (const.makeTable): Deleted.
1787         (): Deleted.
1788         (Polyphic2Import): Deleted.
1789         (VirtualImport): Deleted.
1790         * wasm/js-api/table.js:
1791         (new.WebAssembly.Module):
1792         (assert.throws):
1793         (assertBadTableImport):
1794         (assert.truthy):
1795         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1796         * wasm/references/anyref_table.js:
1797         * wasm/references/anyref_table_import.js:
1798         (makeImport):
1799         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1800         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1801         * wasm/references/multitable.js: Added.
1802         (assert.throws.1.exports.set_tbl0):
1803         (assert.throws):
1804         (assert.eq):
1805         * wasm/references/validation.js:
1806         (assert.throws.new.WebAssembly.Module.bin):
1807         (assert.throws):
1808         * wasm/spec-tests/imports.wast.js:
1809         * wasm/wasm.json:
1810
1811         * wasm/Builder.js:
1812         * wasm/js-api/call-indirect.js:
1813         (const.oneTable):
1814         (const.multiTable):
1815         (multiTable):
1816         (multiTable.Polyphic2Import):
1817         (multiTable.VirtualImport):
1818         (const.wasmModuleWhichImportJS): Deleted.
1819         (const.makeTable): Deleted.
1820         (): Deleted.
1821         (Polyphic2Import): Deleted.
1822         (VirtualImport): Deleted.
1823         * wasm/js-api/table.js:
1824         (new.WebAssembly.Module):
1825         (assert.throws):
1826         (assertBadTableImport):
1827         (assert.truthy):
1828         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1829         * wasm/references/anyref_table.js:
1830         * wasm/references/anyref_table_import.js:
1831         (makeImport):
1832         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1833         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1834         * wasm/references/func_ref.js:
1835         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
1836         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
1837         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
1838         * wasm/references/multitable.js: Added.
1839         (assert.throws.1.exports.set_tbl0):
1840         (assert.throws):
1841         (assert.eq):
1842         (string_appeared_here.tableInsanity):
1843         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
1844         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
1845         * wasm/references/validation.js:
1846         (assert.throws.new.WebAssembly.Module.bin):
1847         (assert.throws):
1848         * wasm/spec-tests/imports.wast.js:
1849         * wasm/wasm.json:
1850
1851 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
1852
1853         [ESNExt] String.prototype.matchAll
1854         https://bugs.webkit.org/show_bug.cgi?id=186694
1855
1856         Reviewed by Yusuke Suzuki.
1857
1858         Implement String.prototype.matchAll.
1859         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
1860
1861         * test262/config.yaml:
1862
1863 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
1864
1865         DFG code should not reify the names of builtin functions with private names
1866         https://bugs.webkit.org/show_bug.cgi?id=198849
1867         <rdar://problem/51733890>
1868
1869         Reviewed by Filip Pizlo.
1870
1871         * stress/builtin-private-function-name.js: Added.
1872         (then):
1873         (PromiseLike):
1874
1875 2019-06-18  Keith Miller  <keith_miller@apple.com>
1876
1877         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
1878         https://bugs.webkit.org/show_bug.cgi?id=198969
1879         <rdar://problem/51620714>
1880
1881         Reviewed by Tadeu Zagallo.
1882
1883         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
1884         (catch):
1885
1886 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1887
1888         Validate that table element type is funcref if using an element section
1889         https://bugs.webkit.org/show_bug.cgi?id=198910
1890
1891         Reviewed by Yusuke Suzuki.
1892
1893         * wasm/references/anyref_table.js:
1894
1895 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
1896
1897         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
1898         https://bugs.webkit.org/show_bug.cgi?id=197378
1899
1900         Reviewed by Saam Barati.
1901
1902         * stress/disposable-call-site-index-with-call-and-this.js: Added.
1903         (foo):
1904         (bar):
1905         * stress/disposable-call-site-index.js: Added.
1906         (foo):
1907         (bar):
1908
1909 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1910
1911         [WASM-References] Add support for Funcref in parameters and return types
1912         https://bugs.webkit.org/show_bug.cgi?id=198157
1913
1914         Reviewed by Yusuke Suzuki.
1915
1916         * wasm/Builder.js:
1917         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1918         * wasm/references/anyref_globals.js:
1919         * wasm/references/func_ref.js: Added.
1920         (fullGC.gc.makeExportedFunction):
1921         (makeExportedIdent):
1922         (makeAnyfuncIdent):
1923         (fun):
1924         (assert.eq.instance.exports.fix.fun):
1925         (assert.eq.instance.exports.fix):
1926         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
1927         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
1928         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
1929         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
1930         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
1931         (assert.throws):
1932         (assert.throws.doTest):
1933         (let.importedFun.of):
1934         (makeAnyfuncIdent.fun):
1935         * wasm/references/validation.js:
1936         (assert.throws):
1937         * wasm/wasm.json:
1938
1939 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
1940
1941         Update test262 tests (2019.06.13)
1942         https://bugs.webkit.org/show_bug.cgi?id=198821
1943
1944         Reviewed by Konstantin Tokarev.
1945
1946         * test262/expectations.yaml:
1947         * test262/harness/:
1948         * test262/latest-changes-summary.txt:
1949         * test262/test/:
1950         * test262/test262-Revision.txt:
1951
1952 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
1953
1954         [JSC] Grown region of WasmTable should be initialized with null
1955         https://bugs.webkit.org/show_bug.cgi?id=198903
1956
1957         Reviewed by Saam Barati.
1958
1959         * wasm/stress/wasm-table-grow-initialize.js: Added.
1960         (shouldBe):
1961
1962 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
1963
1964         Yarr bytecode compilation failure should be gracefully handled
1965         https://bugs.webkit.org/show_bug.cgi?id=198700
1966
1967         Reviewed by Michael Saboff.
1968
1969         * stress/regexp-bytecode-compilation-fail.js: Added.
1970         (shouldThrow):
1971
1972 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
1973
1974         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
1975         https://bugs.webkit.org/show_bug.cgi?id=198770
1976
1977         Reviewed by Saam Barati.
1978
1979         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
1980         (test):
1981
1982 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1983
1984         JSC should throw if proxy set returns falsish in strict mode context
1985         https://bugs.webkit.org/show_bug.cgi?id=177398
1986
1987         Reviewed by Yusuke Suzuki.
1988
1989         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
1990         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
1991
1992         * stress/proxy-set.js: Add 2 test cases.
1993         * stress/regexp-match-proxy.js: Fix test.
1994         * stress/regexp-replace-proxy.js: Fix test.
1995
1996 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1997
1998         Error message for non-callable Proxy `construct` trap is misleading
1999         https://bugs.webkit.org/show_bug.cgi?id=198637
2000
2001         Reviewed by Saam Barati.
2002
2003         * stress/proxy-construct.js:
2004
2005 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2006
2007         AI BitURShift's result should not be unsigned
2008         https://bugs.webkit.org/show_bug.cgi?id=198689
2009         <rdar://problem/51550063>
2010
2011         Reviewed by Saam Barati.
2012
2013         * stress/urshift-int32-overflow.js: Added.
2014         (foo.):
2015         (foo):
2016
2017 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2018
2019         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2020
2021         Unreviewed gardening.
2022
2023         * stress/ftl-gettypedarrayoffset-wasteful.js:
2024         Skipped on arm/linux as it always times out on the bot since a change
2025         between r246270 and r246278 inclusive.
2026
2027 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2028
2029         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2030         https://bugs.webkit.org/show_bug.cgi?id=198023
2031
2032         Reviewed by Saam Barati.
2033
2034         * stress/reparsing-unlinked-codeblock.js: Added.
2035         (shouldBe):
2036         (hello):
2037
2038 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2039
2040         [JSC] Use mergePrediction in ValuePow prediction propagation
2041         https://bugs.webkit.org/show_bug.cgi?id=198648
2042
2043         Reviewed by Saam Barati.
2044
2045         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2046
2047 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2048
2049         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2050         https://bugs.webkit.org/show_bug.cgi?id=198581
2051         <rdar://problem/51099753>
2052
2053         Reviewed by Saam Barati.
2054
2055         * stress/global-object-proto-getter.js: Added.
2056         (f):
2057         (test):
2058
2059 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2060
2061         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2062         https://bugs.webkit.org/show_bug.cgi?id=198398
2063
2064         Reviewed by Saam Barati.
2065
2066         * wasm/references/anyref_table.js: Added.
2067         (string_appeared_here.doGCSet):
2068         (doGCTest):
2069         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2070         * wasm/references/anyref_table_import.js: Added.
2071         (makeImport):
2072         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2073         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2074         * wasm/references/is_null_error.js: Removed.
2075         * wasm/references/validation.js: Added.
2076         (assert.throws.new.WebAssembly.Module.bin):
2077         (assert.throws):
2078         * wasm/wasm.json:
2079
2080 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2081
2082         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2083         https://bugs.webkit.org/show_bug.cgi?id=198106
2084
2085         Reviewed by Saam Barati.
2086
2087         * wasm/regress/selectf64.js: Added.
2088         * wasm/regress/selectf64.wasm: Added.
2089         * wasm/regress/selectf64.wat: Added.
2090
2091 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2092
2093         Argument elimination should check transitive dependents for interference
2094         https://bugs.webkit.org/show_bug.cgi?id=198520
2095         <rdar://problem/50863343>
2096
2097         Reviewed by Filip Pizlo.
2098
2099         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2100         (f2):
2101         (f3):
2102
2103 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2104
2105         Argument elimination should check for negative indices in GetByVal
2106         https://bugs.webkit.org/show_bug.cgi?id=198302
2107         <rdar://problem/51188095>
2108
2109         Reviewed by Filip Pizlo.
2110
2111         * stress/eliminate-arguments-negative-rest-access.js: Added.
2112         (inlinee):
2113         (opt):
2114
2115 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2116
2117         [ESNext][BigInt] Implement support for "**"
2118         https://bugs.webkit.org/show_bug.cgi?id=190799
2119
2120         Reviewed by Saam Barati.
2121
2122         * stress/big-int-exp-basic.js: Added.
2123         * stress/big-int-exp-jit-osr.js: Added.
2124         * stress/big-int-exp-jit-untyped.js: Added.
2125         * stress/big-int-exp-jit.js: Added.
2126         * stress/big-int-exp-negative-exponent.js: Added.
2127         * stress/big-int-exp-to-primitive.js: Added.
2128         * stress/big-int-exp-type-error.js: Added.
2129         * stress/big-int-exp-wrapped-value.js: Added.
2130         * stress/value-pow-ai-rule.js: Added.
2131
2132 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2133
2134         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2135         https://bugs.webkit.org/show_bug.cgi?id=197979
2136
2137         Reviewed by Filip Pizlo.
2138
2139         * stress/16bit-code.js: Added.
2140         (shouldBe):
2141         * stress/32bit-code.js: Added.
2142         (shouldBe):
2143
2144 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2145
2146         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2147         https://bugs.webkit.org/show_bug.cgi?id=198355
2148
2149         Reviewed by Saam Barati.
2150
2151         * wasm/references/is_null.js:
2152
2153 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2154
2155         [PlayStation] Skip additional tests on PlayStation
2156         https://bugs.webkit.org/show_bug.cgi?id=198352
2157
2158         Reviewed by Don Olmstead.
2159
2160         Skip pow test on PlayStation due to behavior difference in standard library.
2161         Skip incremental marking test due to OOM on PlayStation systems.
2162
2163         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2164         * stress/math-pow-with-constants.js:
2165         * stress/pow-with-constants.js:
2166
2167 2019-05-28  Dean Jackson  <dino@apple.com>
2168
2169         Implement Promise.allSettled
2170         https://bugs.webkit.org/show_bug.cgi?id=197600
2171         <rdar://problem/50483885>
2172
2173         Reviewed by Keith Miller.
2174
2175         Start testing Promise.allSettled. We pass most of the tests.
2176         The ones that fail are similar to the Promise.all tests we already fail.
2177
2178         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2179         * test262/expectations.yaml: Add new expectations for allSettled tests.
2180
2181 2019-05-28  Michael Saboff  <msaboff@apple.com>
2182
2183         [YARR] Properly handle RegExp's that require large ParenContext space
2184         https://bugs.webkit.org/show_bug.cgi?id=198065
2185
2186         Reviewed by Keith Miller.
2187
2188         New test.
2189
2190         * stress/regexp-large-paren-context.js: Added.
2191         (testLargeRegExp):
2192
2193 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2194
2195         JITOperations putByVal should mark negative array indices as out-of-bounds
2196         https://bugs.webkit.org/show_bug.cgi?id=198271
2197
2198         Reviewed by Saam Barati.
2199
2200         * microbenchmarks/get-by-val-negative-array-index.js:
2201         (foo):
2202         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2203         is 4.2x faster than the previous commit.
2204
2205         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2206         (foo):
2207
2208 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2209
2210         JITOperations getByVal should mark negative array indices as out-of-bounds
2211         https://bugs.webkit.org/show_bug.cgi?id=198229
2212
2213         Reviewed by Saam Barati.
2214
2215         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2216         (foo):
2217
2218 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2219
2220         [WASM-References] Support Anyref in globals
2221         https://bugs.webkit.org/show_bug.cgi?id=198102
2222
2223         Reviewed by Saam Barati.
2224
2225         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2226
2227         * wasm/Builder.js:
2228         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2229         * wasm/Builder_WebAssemblyBinary.js:
2230         (const.putInitExpr):
2231         * wasm/references/anyref_globals.js: Added.
2232         (GetGlobal.0.End.End.WebAssembly):
2233         (5.doGCSet):
2234         (doGCTest):
2235         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2236
2237 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2238
2239         DFG::OSREntry should not perform arity check
2240         https://bugs.webkit.org/show_bug.cgi?id=198189
2241
2242         Reviewed by Saam Barati.
2243
2244         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2245         (foo):
2246
2247 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2248
2249         [PlayStation] Skip additional tests on PlayStation
2250         https://bugs.webkit.org/show_bug.cgi?id=198145
2251
2252         Reviewed by Ross Kirsling.
2253
2254         * exceptionFuzz.yaml:
2255         Add skip on hostOS playstation
2256         * executableAllocationFuzz.yaml:
2257         Add skip on hostOS playstation
2258
2259 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2260
2261         createListFromArrayLike should throw if value is not an object
2262         https://bugs.webkit.org/show_bug.cgi?id=198138
2263
2264         Reviewed by Yusuke Suzuki.
2265
2266         * stress/create-list-from-array-like-not-object.js: Added.
2267         (testValid):
2268         (testInvalid):
2269         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2270         (opt):
2271         * stress/proxy-proto-enumerator.js: Added.
2272         (main):
2273         * stress/proxy-proto-own-keys.js: Added.
2274         (assert):
2275         (ownKeys):
2276
2277 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2278
2279         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2280         https://bugs.webkit.org/show_bug.cgi?id=197809
2281
2282         Reviewed by Michael Saboff.
2283
2284         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2285         (foo):
2286
2287 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2288
2289         [ESNext] Implement support for Numeric Separators
2290         https://bugs.webkit.org/show_bug.cgi?id=196351
2291
2292         Reviewed by Keith Miller.
2293
2294         * stress/numeric-literal-separators.js: Added.
2295         Add tests for feature.
2296
2297         * test262/expectations.yaml:
2298         Mark 60 test cases as passing.
2299
2300 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2301
2302         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2303         https://bugs.webkit.org/show_bug.cgi?id=198120
2304         <rdar://problem/49668795>
2305
2306         Reviewed by Michael Saboff.
2307
2308         * stress/get-array-length-concurrently-change-mode.js: Added.
2309         (main):
2310
2311 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2312
2313         Unreviewed, rolling out r245634.
2314         https://bugs.webkit.org/show_bug.cgi?id=198140
2315
2316         'This patch makes JSC crash on launch in debug builds'
2317         (Requested by tadeuzagallo on #webkit).
2318
2319         Reverted changeset:
2320
2321         "[ESNext] Implement support for Numeric Separators"
2322         https://bugs.webkit.org/show_bug.cgi?id=196351
2323         https://trac.webkit.org/changeset/245634
2324
2325 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2326
2327         Stack-buffer-overflow in decodeURIComponent
2328         https://bugs.webkit.org/show_bug.cgi?id=198109
2329         <rdar://problem/50397550>
2330
2331         Reviewed by Michael Saboff.
2332
2333         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2334         (i.j.try.i.toString):
2335         (i.j.catch):
2336
2337 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2338
2339         Don't clear PropertyNameArray in Proxy code
2340         https://bugs.webkit.org/show_bug.cgi?id=197691
2341
2342         Reviewed by Saam Barati.
2343
2344         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2345         (shouldBe):
2346         (opt):
2347
2348 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2349
2350         [ESNext] Implement support for Numeric Separators
2351         https://bugs.webkit.org/show_bug.cgi?id=196351
2352
2353         Reviewed by Keith Miller.
2354
2355         * stress/numeric-literal-separators.js: Added.
2356         Add tests for feature.
2357
2358         * test262/expectations.yaml:
2359         Mark 60 test cases as passing.
2360
2361 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2362
2363         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2364         https://bugs.webkit.org/show_bug.cgi?id=198101
2365
2366         Reviewed by Michael Saboff.
2367
2368         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2369         (shouldBe):
2370
2371 2019-05-20  Keith Miller  <keith_miller@apple.com>
2372
2373         Cleanup Yarr regexp code around paren contexts.
2374         https://bugs.webkit.org/show_bug.cgi?id=198063
2375
2376         Reviewed by Yusuke Suzuki.
2377
2378         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2379         (i.s):
2380         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2381
2382 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2383
2384         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2385         https://bugs.webkit.org/show_bug.cgi?id=197969
2386
2387         Reviewed by Keith Miller.
2388
2389         Support the anyref type in Builder.js, plus add some extra error logging.
2390         Add new folder for wasm references tests.
2391
2392         * wasm.yaml:
2393         * wasm/Builder.js:
2394         (const._isValidValue):
2395         * wasm/references/anyref_modules.js: Added.
2396         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2397         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2398         (Call.3.RefIsNull.End.End.WebAssembly):
2399         (undefined):
2400         * wasm/references/is_null.js: Added.
2401         * wasm/references/is_null_error.js: Added.
2402         * wasm/spec-harness/index.js:
2403         * wasm/wasm.json:
2404
2405 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2406
2407         [JSC] Invalid AssignmentTargetType should be an early error.
2408         https://bugs.webkit.org/show_bug.cgi?id=197603
2409
2410         Reviewed by Keith Miller.
2411
2412         * test262/expectations.yaml:
2413         Update expectations to reflect new SyntaxErrors.
2414         (Ideally, these should all be viewed as passing in the near future.)
2415
2416         * stress/async-await-basic.js:
2417         * stress/big-int-literals.js:
2418         Update tests to reflect new SyntaxErrors.
2419
2420         * ChakraCore.yaml:
2421         * ChakraCore/test/EH/try6.baseline-jsc:
2422         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2423         Update baselines to reflect new SyntaxErrors.
2424
2425 2019-05-15  Saam Barati  <sbarati@apple.com>
2426
2427         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2428         https://bugs.webkit.org/show_bug.cgi?id=197855
2429         <rdar://problem/50236506>
2430
2431         Reviewed by Michael Saboff.
2432
2433         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2434         (f0):
2435         (bar):
2436         (foo):
2437         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2438         (f1):
2439         (f2):
2440         (foo):
2441
2442 2019-05-14  Keith Miller  <keith_miller@apple.com>
2443
2444         Fix issue with byteOffset on ARM64E
2445         https://bugs.webkit.org/show_bug.cgi?id=197884
2446
2447         Reviewed by Saam Barati.
2448
2449         We didn't have any tests that run with non-byte/non-zero offset
2450         typed arrays.
2451
2452         * stress/ftl-gettypedarrayoffset-wasteful.js:
2453
2454 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2455
2456         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2457         https://bugs.webkit.org/show_bug.cgi?id=197833
2458
2459         Reviewed by Darin Adler.
2460
2461         * stress/generator-name.js: Added.
2462         (shouldBe):
2463         (gen):
2464         (catch):
2465
2466 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2467
2468         JSObject::getOwnPropertyDescriptor is missing an exception check
2469         https://bugs.webkit.org/show_bug.cgi?id=197693
2470         <rdar://problem/50441784>
2471
2472         Reviewed by Saam Barati.
2473
2474         * stress/proxy-spread.js: Added.
2475         (foo):
2476
2477 2019-05-10  Saam barati  <sbarati@apple.com>
2478
2479         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2480         https://bugs.webkit.org/show_bug.cgi?id=197807
2481         <rdar://problem/50530400>
2482
2483         Reviewed by Yusuke Suzuki.
2484
2485         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2486         (test.getInstance):
2487         (test):
2488
2489 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2490
2491         [Test262] Unreviewed expectations update following r245188.
2492
2493         * test262/config.yaml:
2494         * test262/expectations.yaml:
2495
2496         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2497         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2498         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2499         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2500         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2501         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2502         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2503         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2504         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2505         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2506         These files have invalid YAML comments. Will also submit corrections back to Test262.
2507
2508 2019-05-10  Keith Miller  <keith_miller@apple.com>
2509
2510         Update test262 tests.
2511
2512         Rubber-stamped by Yusuke Suzuki.
2513
2514         * test262/*: mega-patch too many things to list individually.
2515
2516 2019-05-09  Keith Miller  <keith_miller@apple.com>
2517
2518         Unreview, fix test to have a try-catch.
2519
2520         * stress/many-nested-functions-parser-stack-overflow.js:
2521         (catch):
2522
2523 2019-05-09  Keith Miller  <keith_miller@apple.com>
2524
2525         parseStatementListItem needs a stack overflow check
2526         https://bugs.webkit.org/show_bug.cgi?id=197749
2527
2528         Reviewed by Saam Barati.
2529
2530         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2531
2532 2019-05-08  Saam barati  <sbarati@apple.com>
2533
2534         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2535         https://bugs.webkit.org/show_bug.cgi?id=197715
2536         <rdar://problem/50399252>
2537
2538         Reviewed by Filip Pizlo.
2539
2540         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2541         (foo):
2542         (bar):
2543
2544 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2545
2546         Unreviewed, rolling out r245068.
2547
2548         Caused debug layout tests to exit early due to an assertion
2549         failure.
2550
2551         Reverted changeset:
2552
2553         "All prototypes should call didBecomePrototype()"
2554         https://bugs.webkit.org/show_bug.cgi?id=196315
2555         https://trac.webkit.org/changeset/245068
2556
2557 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2558
2559         Invalid DFG JIT genereation in high CPU usage state
2560         https://bugs.webkit.org/show_bug.cgi?id=197453
2561
2562         Reviewed by Saam Barati.
2563
2564         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2565         (trigger):
2566         (main):
2567
2568 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2569
2570         All prototypes should call didBecomePrototype()
2571         https://bugs.webkit.org/show_bug.cgi?id=196315
2572
2573         Reviewed by Saam Barati.
2574
2575         This changelog already landed, but the commit was missing the actual changes.
2576
2577         * stress/function-prototype-indexed-accessor.js: Added.
2578
2579 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2580
2581         [BigInt] Add ValueMod into DFG
2582         https://bugs.webkit.org/show_bug.cgi?id=186174
2583
2584         Reviewed by Saam Barati.
2585
2586         * microbenchmarks/mod-untyped.js: Added.
2587         * stress/big-int-mod-osr.js: Added.
2588         * stress/value-div-ai-rule.js: Added.
2589         * stress/value-mod-ai-rule.js: Added.
2590
2591 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2592
2593         [JSC] DFG_ASSERT failed in lowInt52
2594         https://bugs.webkit.org/show_bug.cgi?id=197569
2595
2596         Reviewed by Saam Barati.
2597
2598         * stress/getstack-int52.js: Added.
2599         (opt):
2600         (main):
2601
2602 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2603
2604         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2605         https://bugs.webkit.org/show_bug.cgi?id=197479
2606
2607         Reviewed by Saam Barati.
2608
2609         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2610         (shouldBe):
2611
2612 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2613
2614         TemplateObject passed to template literal tags are not always identical for the same source location.
2615         https://bugs.webkit.org/show_bug.cgi?id=190756
2616
2617         Reviewed by Saam Barati.
2618
2619         * complex.yaml:
2620         * complex/tagged-template-regeneration-after.js: Added.
2621         (shouldBe):
2622         * complex/tagged-template-regeneration.js: Added.
2623         (call):
2624         (test):
2625         * modules/tagged-template-inside-module.js: Added.
2626         (from.string_appeared_here.call):
2627         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2628         (call):
2629         (export.otherTaggedTemplates):
2630         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2631         (shouldBe):
2632         (call):
2633         (poly):
2634         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2635         (shouldBe):
2636         (call):
2637         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2638         (shouldBe):
2639         (call):
2640         (test):
2641         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2642         (shouldBe):
2643         (call):
2644         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2645         (shouldBe):
2646         (call):
2647         * stress/tagged-templates-in-multiple-functions.js: Added.
2648         (shouldBe):
2649         (call):
2650         (a):
2651         (b):
2652         (c):
2653         * stress/tagged-templates-with-same-start-offset.js: Added.
2654         (shouldBe):
2655
2656 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2657
2658         All prototypes should call didBecomePrototype()
2659         https://bugs.webkit.org/show_bug.cgi?id=196315
2660
2661         Reviewed by Saam Barati.
2662
2663         * stress/function-prototype-indexed-accessor.js: Added.
2664
2665 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2666
2667         Unreviewed, rolling out r244978.
2668         https://bugs.webkit.org/show_bug.cgi?id=197671
2669
2670         TemplateObject map should use start/end offsets (Requested by
2671         yusukesuzuki on #webkit).
2672
2673         Reverted changeset:
2674
2675         "TemplateObject passed to template literal tags are not always
2676         identical for the same source location."
2677         https://bugs.webkit.org/show_bug.cgi?id=190756
2678         https://trac.webkit.org/changeset/244978
2679
2680 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2681
2682         tryCachePutByID should not crash if target offset changes
2683         https://bugs.webkit.org/show_bug.cgi?id=197311
2684         <rdar://problem/48033612>
2685
2686         Reviewed by Filip Pizlo.
2687
2688         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
2689         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
2690
2691         * stress/cache-put-by-id-delete-prototype.js: Added.
2692         (A.prototype.set y):
2693         (A):
2694         (B.prototype.set y):
2695         (B):
2696         (C):
2697         * stress/cache-put-by-id-different-__proto__.js: Added.
2698         (A.prototype.set y):
2699         (A):
2700         (B1):
2701         (B2.prototype.set y):
2702         (B2):
2703         (C):
2704         (D):
2705         * stress/cache-put-by-id-different-attributes.js: Added.
2706         (Foo):
2707         (set x):
2708         * stress/cache-put-by-id-different-offset.js: Added.
2709         (Foo):
2710         (set x):
2711         * stress/cache-put-by-id-insert-prototype.js: Added.
2712         (A.prototype.set y):
2713         (A):
2714         (C):
2715         * stress/cache-put-by-id-poly-proto.js: Added.
2716         (Foo):
2717         (set _):
2718         (createBar.Bar):
2719         (createBar):
2720
2721 2019-05-07  Saam Barati  <sbarati@apple.com>
2722
2723         Don't OSR enter into an FTL CodeBlock that has been jettisoned
2724         https://bugs.webkit.org/show_bug.cgi?id=197531
2725         <rdar://problem/50162379>
2726
2727         Reviewed by Yusuke Suzuki.
2728
2729         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2730
2731 2019-05-06  Dean Jackson  <dino@apple.com>
2732
2733         Update test262 expectations for Proxy passes
2734         https://bugs.webkit.org/show_bug.cgi?id=197628
2735
2736         Reviewed by Yusuke Suzuki.
2737
2738         There are two consistent passes in Proxy.ownKeys.
2739
2740         * test262/expectations.yaml:
2741
2742 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2743
2744         [JSC] We should check OOM for description string of Symbol
2745         https://bugs.webkit.org/show_bug.cgi?id=197634
2746
2747         Reviewed by Keith Miller.
2748
2749         * stress/check-symbol-description-oom.js: Added.
2750         (shouldThrow):
2751
2752 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2753
2754         Unreviewed, land one more test
2755         https://bugs.webkit.org/show_bug.cgi?id=197587
2756
2757         * stress/setter-frame-flush.js: Added.
2758         (setter):
2759         (foo):
2760         (bar):
2761
2762 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2763
2764         TemplateObject passed to template literal tags are not always identical for the same source location.
2765         https://bugs.webkit.org/show_bug.cgi?id=190756
2766
2767         Reviewed by Saam Barati.
2768
2769         * complex.yaml:
2770         * complex/tagged-template-regeneration-after.js: Added.
2771         (shouldBe):
2772         * complex/tagged-template-regeneration.js: Added.
2773         (call):
2774         (test):
2775         * modules/tagged-template-inside-module.js: Added.
2776         (from.string_appeared_here.call):
2777         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2778         (call):
2779         (export.otherTaggedTemplates):
2780         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2781         (shouldBe):
2782         (call):
2783         (poly):
2784         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2785         (shouldBe):
2786         (call):
2787         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2788         (shouldBe):
2789         (call):
2790         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2791         (shouldBe):
2792         (call):
2793         * stress/tagged-templates-in-multiple-functions.js: Added.
2794         (shouldBe):
2795         (call):
2796         (a):
2797         (b):
2798         (c):
2799
2800 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
2801
2802         [PlayStation] JSC Stress tests failing due to timezone printing
2803         https://bugs.webkit.org/show_bug.cgi?id=197615
2804
2805         PlayStation's strftime does not give timezone strings, which
2806         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
2807         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
2808         which causes diff failures with the expectations. Add expectations
2809         without the timezone string and use those on playstation.
2810
2811         Reviewed by Ross Kirsling.
2812
2813         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
2814         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
2815         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
2816         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
2817
2818 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2819
2820         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
2821         https://bugs.webkit.org/show_bug.cgi?id=197587
2822
2823         Reviewed by Sam Weinig.
2824
2825         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
2826
2827         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
2828
2829 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
2830
2831         TypedArrays should not store properties that are canonical numeric indices
2832         https://bugs.webkit.org/show_bug.cgi?id=197228
2833         <rdar://problem/49557381>
2834
2835         Reviewed by Saam Barati.
2836
2837         * stress/array-species-config-array-constructor.js:
2838         (test):
2839         * stress/put-direct-index-broken-2.js:
2840         * stress/typed-array-canonical-numeric-index-string.js: Added.
2841         (makeTest.assert):
2842         (makeTest):
2843         (const.testInvalidIndices.makeTest.set assert):
2844         (const.testInvalidIndices.makeTest):
2845         (const.makeTestValidIndex.configurable.set assert):
2846         (const.makeTestValidIndex.configurable):
2847         * stress/typedarray-access-monomorphic-neutered.js:
2848         (checkNoException):
2849         (testNoException):
2850         (testFTLNoException):
2851         * stress/typedarray-access-neutered.js:
2852         (testNoException):
2853         * stress/typedarray-getownproperty-not-configurable.js:
2854         (foo):
2855         * test262/expectations.yaml:
2856
2857 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2858
2859         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
2860         https://bugs.webkit.org/show_bug.cgi?id=197584
2861
2862         Reviewed by Saam Barati.
2863
2864         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
2865         (X):
2866         (foo):
2867
2868 2019-05-03  Michael Saboff  <msaboff@apple.com>
2869
2870         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
2871         https://bugs.webkit.org/show_bug.cgi?id=197586
2872
2873         Reviewed by Keith Miller.
2874
2875         We should only run one config of this test and only when we think we'll have the memory.
2876
2877         * stress/json-stringify-string-builder-overflow.js:
2878
2879 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2880
2881         [JSC] Generator CodeBlock generation should be idempotent
2882         https://bugs.webkit.org/show_bug.cgi?id=197552
2883
2884         Reviewed by Keith Miller.
2885
2886         Add complex.yaml, which controls how to run JSC shell more.
2887         We split test files into two to run macro task between them which allows debugger to be attached to VM.
2888
2889         * complex.yaml: Added.
2890         * complex/generator-regeneration-after.js: Added.
2891         * complex/generator-regeneration.js: Added.
2892         (gen):
2893
2894 2019-05-02  Michael Saboff  <msaboff@apple.com>
2895
2896         Unreviewed rollout of r244862.
2897
2898         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
2899
2900 2019-05-01  Saam barati  <sbarati@apple.com>
2901
2902         Baseline JIT should do argument value profiling after checking for stack overflow
2903         https://bugs.webkit.org/show_bug.cgi?id=197052
2904         <rdar://problem/50009602>
2905
2906         Reviewed by Yusuke Suzuki.
2907
2908         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
2909
2910 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
2911
2912         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
2913         https://bugs.webkit.org/show_bug.cgi?id=197405
2914
2915         Reviewed by Saam Barati.
2916
2917         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
2918         (foo):
2919         (test):
2920         (i.o.get f):
2921         (i.o.set f):
2922
2923 2019-05-01  Michael Saboff  <msaboff@apple.com>
2924
2925         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
2926         https://bugs.webkit.org/show_bug.cgi?id=197485
2927
2928         Reviewed by Saam Barati.
2929
2930         New test.
2931
2932         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
2933         (foo):
2934
2935 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
2936
2937         Unreviewed correction to Test262 expectations following r244828.
2938
2939         * test262/expectations.yaml:
2940
2941 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
2942
2943         Add memory-limited skipping to some tests generating very large strings
2944         https://bugs.webkit.org/show_bug.cgi?id=197437
2945
2946         Reviewed by Ross Kirsling.
2947
2948         * stress/StringObject-define-length-getter-rope-string-oom.js:
2949         * stress/create-error-out-of-memory-rope-string.js:
2950         * stress/string-16bit-repeat-overflow.js:
2951
2952 2019-04-30  Commit Queue  <commit-queue@webkit.org>
2953
2954         Unreviewed, rolling out r244806.
2955         https://bugs.webkit.org/show_bug.cgi?id=197446
2956
2957         Causing Test262 and JSC test failures on multiple builds
2958         (Requested by ShawnRoberts on #webkit).
2959
2960         Reverted changeset:
2961
2962         "TypeArrays should not store properties that are canonical
2963         numeric indices"
2964         https://bugs.webkit.org/show_bug.cgi?id=197228
2965         https://trac.webkit.org/changeset/244806
2966
2967 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
2968
2969         TypeArrays should not store properties that are canonical numeric indices
2970         https://bugs.webkit.org/show_bug.cgi?id=197228
2971         <rdar://problem/49557381>
2972
2973         Reviewed by Darin Adler.
2974
2975         * stress/typed-array-canonical-numeric-index-string.js: Added.
2976         (makeTest.assert):
2977         (makeTest):
2978         (const.testInvalidIndices.makeTest.set assert):
2979         (const.testInvalidIndices.makeTest):
2980         (const.testValidIndices.makeTest.set assert):
2981         (const.testValidIndices.makeTest):
2982
2983 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
2984
2985         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
2986         https://bugs.webkit.org/show_bug.cgi?id=197362
2987
2988         Reviewed by Saam Barati.
2989
2990         * stress/map-with-nan.js: Added.
2991         (shouldBe):
2992         (div):
2993         (NaN1):
2994         (NaN2):
2995         (NaN3):
2996         (NaN4):
2997         (NaN1NoInline):
2998         (NaN2NoInline):
2999         (NaN3NoInline):
3000         (NaN4NoInline):
3001         (test1):
3002         (test2):
3003         (test3):
3004         (test4):
3005         * stress/set-with-nan.js: Added.
3006         (shouldBe):
3007         (div):
3008         (NaN1):
3009         (NaN2):
3010         (NaN3):
3011         (NaN4):
3012         (NaN1NoInline):
3013         (NaN2NoInline):
3014         (NaN3NoInline):
3015         (NaN4NoInline):
3016         (test2):
3017         (test4):
3018
3019 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3020
3021         Unreviewed, rolling out r244708.
3022         https://bugs.webkit.org/show_bug.cgi?id=197334
3023
3024         "Broke the debug build" (Requested by rmorisset on #webkit).
3025
3026         Reverted changeset:
3027
3028         "All prototypes should call didBecomePrototype()"
3029         https://bugs.webkit.org/show_bug.cgi?id=196315
3030         https://trac.webkit.org/changeset/244708
3031
3032 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3033
3034         [JSC] linkPolymorphicCall now does GC
3035         https://bugs.webkit.org/show_bug.cgi?id=197306
3036
3037         Reviewed by Saam Barati.
3038
3039         * stress/link-polymorphic-call-can-gc.js: Added.
3040         (module):
3041         (instance):
3042
3043 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3044
3045         All prototypes should call didBecomePrototype()
3046         https://bugs.webkit.org/show_bug.cgi?id=196315
3047
3048         Reviewed by Saam Barati.
3049
3050         * stress/function-prototype-indexed-accessor.js: Added.
3051
3052 2019-04-23  Saam Barati  <sbarati@apple.com>
3053
3054         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3055         https://bugs.webkit.org/show_bug.cgi?id=196721
3056         <rdar://problem/49556479> 
3057
3058         Reviewed by Filip Pizlo.
3059
3060         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3061         (foo):
3062
3063 2019-04-19  Saam Barati  <sbarati@apple.com>
3064
3065         AbstractValue can represent more than int52
3066         https://bugs.webkit.org/show_bug.cgi?id=197118
3067         <rdar://problem/49969960>
3068
3069         Reviewed by Michael Saboff.
3070
3071         * stress/abstract-value-can-include-int52.js: Added.
3072         (foo):
3073         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3074
3075 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3076
3077         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3078         https://bugs.webkit.org/show_bug.cgi?id=197053
3079
3080         Reviewed by Saam Barati.
3081
3082         * stress/merge-string-builder-in-dfg.js: Added.
3083         (foo):
3084
3085 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3086
3087         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3088         https://bugs.webkit.org/show_bug.cgi?id=176810
3089
3090         Reviewed by Saam Barati.
3091
3092         Add tests for the DontEnum filtering, and variations of other tests
3093         take the DontEnum-filtering path.
3094
3095         * stress/proxy-own-keys.js:
3096         (i.catch):
3097         (set assert):
3098         (set add):
3099         (let.set new):
3100         (get let):
3101
3102 2019-04-15  Saam barati  <sbarati@apple.com>
3103
3104         Modify how we do SetArgument when we inline varargs calls
3105         https://bugs.webkit.org/show_bug.cgi?id=196712
3106         <rdar://problem/49605012>
3107
3108         Reviewed by Michael Saboff.
3109
3110         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3111         (foo):
3112
3113 2019-04-15  Saam barati  <sbarati@apple.com>
3114
3115         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3116         https://bugs.webkit.org/show_bug.cgi?id=196945
3117         <rdar://problem/49802750>
3118
3119         Reviewed by Filip Pizlo.
3120
3121         * stress/get-by-offset-should-use-correct-child.js: Added.
3122         (foo.bar):
3123         (foo):
3124
3125 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3126
3127         DFG should be able to constant fold Object.create() with a constant prototype operand
3128         https://bugs.webkit.org/show_bug.cgi?id=196886
3129
3130         Reviewed by Yusuke Suzuki.
3131
3132         Note that this new benchmark does not currently see a speedup with inlining removed.
3133         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3134
3135         * microbenchmarks/object-create-constant-prototype.js: Added.
3136         (test):
3137
3138 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3139
3140         Incremental bytecode cache should not append function updates when loaded from memory
3141         https://bugs.webkit.org/show_bug.cgi?id=196865
3142
3143         Reviewed by Filip Pizlo.
3144
3145         * stress/bytecode-cache-shared-code-block.js: Added.
3146         (b):
3147         (program):
3148
3149 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3150
3151         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3152         https://bugs.webkit.org/show_bug.cgi?id=196880
3153
3154         Reviewed by Yusuke Suzuki.
3155
3156         * stress/bytecode-cache-syntax-error.js: Added.
3157         (catch):
3158
3159 2019-04-12  Saam barati  <sbarati@apple.com>
3160
3161         r244079 logically broke shouldSpeculateInt52
3162         https://bugs.webkit.org/show_bug.cgi?id=196884
3163
3164         Reviewed by Yusuke Suzuki.
3165
3166         * microbenchmarks/int52-rand-function.js: Added.
3167         (Math.random):
3168
3169 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3170
3171         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3172         https://bugs.webkit.org/show_bug.cgi?id=196850
3173
3174         Reviewed by Saam Barati.
3175
3176         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3177         (foo):
3178
3179 2019-04-11  Saam barati  <sbarati@apple.com>
3180
3181         Remove invalid assertion in operationInstanceOfCustom
3182         https://bugs.webkit.org/show_bug.cgi?id=196842
3183         <rdar://problem/49725493>
3184
3185         Reviewed by Michael Saboff.
3186
3187         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3188
3189 2019-04-10  Saam Barati  <sbarati@apple.com>
3190
3191         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3192         https://bugs.webkit.org/show_bug.cgi?id=196801
3193         <rdar://problem/49771122>
3194
3195         Reviewed by Yusuke Suzuki.
3196
3197         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3198
3199 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3200
3201         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3202         https://bugs.webkit.org/show_bug.cgi?id=196746
3203
3204         Reviewed by Yusuke Suzuki.
3205
3206         * stress/cyclic-define-properties.js: Added.
3207         (foo):
3208
3209 2019-04-09  Saam barati  <sbarati@apple.com>
3210
3211         Clean up Int52 code and some bugs in it
3212         https://bugs.webkit.org/show_bug.cgi?id=196639
3213         <rdar://problem/49515757>
3214
3215         Reviewed by Yusuke Suzuki.
3216
3217         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3218
3219 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3220
3221         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3222         https://bugs.webkit.org/show_bug.cgi?id=196708
3223         <rdar://problem/49556803>
3224
3225         Reviewed by Yusuke Suzuki.
3226
3227         * stress/proxy-getter-stack-overflow.js: Added.
3228         (const.handler.get target):
3229         (const.handler.has):
3230         (try.with):
3231         (catch):
3232
3233 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3234
3235         [JSC] DFG should respect node's strict flag
3236         https://bugs.webkit.org/show_bug.cgi?id=196617
3237
3238         Reviewed by Saam Barati.
3239
3240         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3241         (shouldEqual):
3242         (makeUnwriteableUnconfigurableObject):
3243         (runTest):
3244         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3245         (shouldBe):
3246         (shouldThrow):
3247         (with.result):
3248         (with.putValueStrict):
3249         (with.putValueSloppy):
3250
3251 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3252
3253         [JSC] isRope jump in StringSlice should not jump over register allocations
3254         https://bugs.webkit.org/show_bug.cgi?id=196716
3255
3256         Reviewed by Saam Barati.
3257
3258         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3259         (foo.bar):
3260         (foo):
3261
3262 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3263
3264         [JSC] to_index_string should not assume incoming value is Uint32
3265         https://bugs.webkit.org/show_bug.cgi?id=196713
3266
3267         Reviewed by Saam Barati.
3268
3269         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
3270         (foo):
3271
3272 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3273
3274         [JSC] Add more tests for r243966
3275         https://bugs.webkit.org/show_bug.cgi?id=196711
3276
3277         Reviewed by Saam Barati.
3278
3279         Adding one more test for r243966 fix. The added test will not crash after r243966.
3280
3281         * stress/stress-cleared-calllinkinfo.js: Added.
3282         (runNearStackLimit.t):
3283         (runNearStackLimit):
3284         (repeat):
3285         (cls):
3286         (let.item.of.array.runNearStackLimit):
3287
3288 2019-04-08  Saam Barati  <sbarati@apple.com>
3289
3290         WebAssembly.RuntimeError missing exception check
3291         https://bugs.webkit.org/show_bug.cgi?id=196700
3292         <rdar://problem/49693932>
3293
3294         Reviewed by Yusuke Suzuki.
3295
3296         * wasm/js-api/runtime-error-should-exception-check.js: Added.
3297
3298 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3299
3300         Unreviewed, rolling in r243948 with test fix
3301         https://bugs.webkit.org/show_bug.cgi?id=196486
3302
3303         * stress/arrow-function-and-use-strict-directive.js: Added.
3304         * stress/arrow-function-syntax.js: Added.
3305         (checkSyntax):
3306         (checkSyntaxError):
3307
3308 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3309
3310         Unreviewed, rolling out r243948.
3311
3312         Caused inspector/runtime/parse.html to fail
3313
3314         Reverted changeset:
3315
3316         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
3317         https://bugs.webkit.org/show_bug.cgi?id=196486
3318         https://trac.webkit.org/changeset/243948
3319
3320 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3321
3322         Unreviewed, rolling out r243943.
3323
3324         Caused test262 failures.
3325
3326         Reverted changeset:
3327
3328         "[JSC] Filter DontEnum properties in
3329         ProxyObject::getOwnPropertyNames()"
3330         https://bugs.webkit.org/show_bug.cgi?id=176810
3331         https://trac.webkit.org/changeset/243943
3332
3333 2019-04-07  Michael Saboff  <msaboff@apple.com>
3334
3335         REGRESSION (r243642): Crash in reddit.com page
3336         https://bugs.webkit.org/show_bug.cgi?id=196684
3337
3338         Reviewed by Geoffrey Garen.
3339
3340         New regression test.
3341
3342         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
3343
3344 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
3345
3346         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
3347         https://bugs.webkit.org/show_bug.cgi?id=196683
3348
3349         Reviewed by Saam Barati.
3350
3351         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
3352         (foo):
3353
3354 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3355
3356         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
3357         https://bugs.webkit.org/show_bug.cgi?id=196582
3358
3359         Reviewed by Saam Barati.
3360
3361         * stress/add-overflow-check-with-three-same-registers.js: Added.
3362         (foo):
3363         (Number.prototype.valueOf):
3364         (runWithNumber):
3365
3366 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
3367
3368         Unreviewed, rolling out r243665.
3369
3370         Caused iOS JSC tests to exit with an exception.
3371
3372         Reverted changeset:
3373
3374         "Assertion failed in JSC::createError"
3375         https://bugs.webkit.org/show_bug.cgi?id=196305
3376         https://trac.webkit.org/changeset/243665
3377
3378 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3379
3380         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
3381         https://bugs.webkit.org/show_bug.cgi?id=196486
3382
3383         Reviewed by Saam Barati.
3384
3385         * stress/arrow-function-and-use-strict-directive.js: Added.
3386         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
3387         (checkSyntax):
3388         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
3389
3390 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3391
3392         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3393         https://bugs.webkit.org/show_bug.cgi?id=176810
3394
3395         Reviewed by Saam Barati.
3396
3397         Add tests for the DontEnum filtering, and variations of other tests
3398         take the DontEnum-filtering path.
3399
3400         * stress/proxy-own-keys.js:
3401         (i.catch):
3402         (set assert):
3403         (set add):
3404         (let.set new):
3405         (get let):
3406
3407 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3408
3409         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
3410         https://bugs.webkit.org/show_bug.cgi?id=185211
3411
3412         Reviewed by Saam Barati.
3413
3414         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
3415
3416         This changes several assertions to expect a TypeError to be thrown (in some cases,
3417         changing thee expected message).
3418
3419         * es6/Proxy_ownKeys_duplicates.js:
3420         (handler):
3421         (shouldThrow):
3422         (test):
3423         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3424         (shouldThrow):
3425         * stress/proxy-own-keys.js:
3426         (i.catch):
3427         (assert):
3428
3429 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3430
3431         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
3432         https://bugs.webkit.org/show_bug.cgi?id=196631
3433
3434         Reviewed by Saam Barati.
3435
3436         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
3437         (assert):
3438         (test):
3439         (foo):
3440
3441 2019-04-04  Saam Barati  <sbarati@apple.com>
3442
3443         Unreviewed. Make the test from r243906 catch the thrown exceptions.
3444
3445         * stress/inferred-types-regex-matches-array.js:
3446
3447 2019-04-04  Saam Barati  <sbarati@apple.com>
3448
3449         createRegExpMatchesArray does not respect inferred types
3450         https://bugs.webkit.org/show_bug.cgi?id=193287
3451
3452         Reviewed by Yusuke Suzuki.
3453
3454         This checks in the test case for 193287. This issue was discovered by
3455         Samuel GroƟ of Google Project Zero.
3456
3457         * stress/inferred-types-regex-matches-array.js: Added.
3458
3459 2019-04-04  Saam barati  <sbarati@apple.com>
3460
3461         Teach Call ICs how to call Wasm
3462         https://bugs.webkit.org/show_bug.cgi?id=196387
3463
3464         Reviewed by Filip Pizlo.
3465
3466         * wasm/function-tests/stack-trace.js:
3467
3468 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
3469
3470         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
3471         https://bugs.webkit.org/show_bug.cgi?id=194944
3472
3473         Reviewed by Keith Miller.
3474
3475         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
3476
3477 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3478
3479         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
3480         https://bugs.webkit.org/show_bug.cgi?id=196409
3481
3482         Reviewed by Saam Barati.
3483
3484         * stress/bytecode-cache-cached-string-impl.js: Added.
3485         (f):
3486         (g):
3487         * stress/bytecode-cache-run-string.js: Added.
3488
3489 2019-04-03  Robin Morisset  <rmorisset@apple.com>
3490
3491         B3 should use associativity to optimize expression trees
3492         https://bugs.webkit.org/show_bug.cgi?id=194081
3493
3494         Reviewed by Filip Pizlo.
3495
3496         Added three microbenchmarks:
3497         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
3498         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
3499           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
3500         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
3501
3502         * microbenchmarks/add-tree.js: Added.
3503         * microbenchmarks/bit-or-tree.js: Added.
3504         * microbenchmarks/bit-xor-tree.js: Added.
3505
3506 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3507
3508         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
3509         https://bugs.webkit.org/show_bug.cgi?id=196574
3510
3511         Reviewed by Saam Barati.
3512
3513         * stress/string-index-of-exception-check.js: Added.
3514         (blurType):
3515         (1.forEach):
3516
3517 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
3518
3519         Assertion failed in JSC::createError
3520         https://bugs.webkit.org/show_bug.cgi?id=196305
3521         <rdar://problem/49387382>
3522
3523         Reviewed by Saam Barati.
3524
3525         * stress/create-error-out-of-memory-rope-string-2.js: Added.
3526         (assert):
3527         (catch):
3528
3529 2019-03-28  Saam Barati  <sbarati@apple.com>
3530
3531         BackwardsGraph needs to consider back edges as the backward's root successor
3532         https://bugs.webkit.org/show_bug.cgi?id=195991
3533
3534         Reviewed by Filip Pizlo.
3535
3536         * stress/map-b3-licm-infinite-loop.js: Added.
3537
3538 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
3539
3540         CodeBlock::jettison() should disallow repatching its own calls
3541         https://bugs.webkit.org/show_bug.cgi?id=196359
3542         <rdar://problem/48973663>
3543
3544         Reviewed by Saam Barati.
3545
3546         * stress/call-link-info-osrexit-repatch.js: Added.
3547         (foo):
3548
3549 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
3550
3551         [JSC] imports-oom.js intermittently fails
3552         https://bugs.webkit.org/show_bug.cgi?id=196373
3553
3554         Reviewed by Saam Barati.
3555
3556         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
3557         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
3558         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
3559         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
3560         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
3561
3562         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
3563         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
3564
3565         * wasm/lowExecutableMemory/imports-oom.js:
3566
3567 2019-03-27  Saam Barati  <sbarati@apple.com>
3568
3569         validateOSREntryValue with Int52 should box the value being checked into double format
3570         https://bugs.webkit.org/show_bug.cgi?id=196313
3571         <rdar://problem/49306703>
3572
3573         Reviewed by Yusuke Suzuki.
3574
3575         * stress/validate-int-52-ai-state.js: Added.
3576
3577 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3578
3579         [JSC] Owner of watchpoints should validate at GC finalizing phase
3580         https://bugs.webkit.org/show_bug.cgi?id=195827
3581
3582         Reviewed by Filip Pizlo.
3583
3584         * stress/gc-should-reap-dead-watchpoints.js: Added.
3585         (foo):
3586         (A.prototype.y):
3587         (A):
3588
3589 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
3590
3591         Skip WebAssembly test on 32-bit systems
3592         https://bugs.webkit.org/show_bug.cgi?id=196206
3593
3594         Reviewed by Saam Barati.
3595
3596         Invoking runDefault executes test immediately even though
3597         that test should be skipped due to missing WASM support.
3598         Therefore remove runDefault.
3599
3600         * wasm/regress/web-assembly-link-error-exception-check.js:
3601
3602 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
3603
3604         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
3605         https://bugs.webkit.org/show_bug.cgi?id=196217
3606
3607         Reviewed by Saam Barati.
3608
3609         Re-enable all NaN tests for f32.min, f64.min and f64.max.
3610
3611         * wasm/spec-tests/f32.wast.js:
3612         * wasm/spec-tests/f64.wast.js:
3613         * wasm/wasm.json:
3614
3615 2019-03-25  Keith Miller  <keith_miller@apple.com>
3616
3617         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
3618         https://bugs.webkit.org/show_bug.cgi?id=196176
3619
3620         Reviewed by Saam Barati.
3621
3622         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
3623         (main.v10):
3624         (main):
3625
3626 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
3627
3628         WebAssembly: f32.max with NaN generates incorrect result
3629         https://bugs.webkit.org/show_bug.cgi?id=175691
3630         <rdar://problem/33952228>
3631
3632         Reviewed by Saam Barati.
3633
3634         Enable all f32.max NaN tests
3635
3636         * wasm/spec-tests/f32.wast.js:
3637         * wasm/wasm.json:
3638
3639 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
3640
3641         [JSC] Move test into directory for WASM tests
3642         https://bugs.webkit.org/show_bug.cgi?id=196187
3643
3644         Reviewed by Mark Lam.
3645
3646         Move Test into wasm-directory. Otherwise this test
3647         is also executed on systems without WASM support.
3648
3649         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
3650
3651 2019-03-23  Mark Lam  <mark.lam@apple.com>
3652
3653         Rolling out r243032 and r243071 because the fix is incorrect.
3654         https://bugs.webkit.org/show_bug.cgi?id=195892
3655         <rdar://problem/48981239>
3656
3657         Not reviewed.
3658
3659         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
3660
3661 2019-03-22  Mark Lam  <mark.lam@apple.com>
3662
3663         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
3664         https://bugs.webkit.org/show_bug.cgi?id=196154
3665         <rdar://problem/49145307>
3666
3667         Reviewed by Filip Pizlo.
3668
3669         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
3670         There's no need to run this test on more than 1 test configuration.
3671
3672         * stress/typed-array-lastIndexOf-exception-check.js: Added.
3673         * stress/web-assembly-link-error-exception-check.js:
3674
3675 2019-03-22  Mark Lam  <mark.lam@apple.com>
3676
3677         Placate exception check validation in constructJSWebAssemblyLinkError().
3678         https://bugs.webkit.org/show_bug.cgi?id=196152
3679         <rdar://problem/49145257>
3680
3681         Reviewed by Michael Saboff.
3682
3683         * stress/web-assembly-link-error-exception-check.js: Added.
3684
3685 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3686
3687         Skip tests running out of memory on ARM/MIPS
3688         https://bugs.webkit.org/show_bug.cgi?id=196131
3689
3690         Unreviewed. Skip test if memory is limited.
3691
3692         * microbenchmarks/put-by-val-direct-large-index.js:
3693
3694 2019-03-21  Mark Lam  <mark.lam@apple.com>
3695
3696         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
3697         https://bugs.webkit.org/show_bug.cgi?id=196116
3698         <rdar://problem/48976951>
3699
3700         Reviewed by Filip Pizlo.
3701
3702         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
3703
3704 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3705
3706         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3707         https://bugs.webkit.org/show_bug.cgi?id=196078
3708         <rdar://problem/35925380>
3709
3710         Reviewed by Mark Lam.
3711
3712         Add a new benchmark that allocates several objects and invokes put_by_val_direct
3713         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
3714
3715         * microbenchmarks/put-by-val-direct-large-index.js: Added.
3716
3717 2019-03-21  Mark Lam  <mark.lam@apple.com>
3718
3719         Placate exception check validation in operationArrayIndexOfString().
3720         https://bugs.webkit.org/show_bug.cgi?id=196067
3721         <rdar://problem/49056572>
3722
3723         Reviewed by Michael Saboff.
3724
3725         * stress/string-equal-exception-check.js: Added.
3726
3727 2019-03-21  Mark Lam  <mark.lam@apple.com>
3728
3729         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3730         https://bugs.webkit.org/show_bug.cgi?id=196055
3731         <rdar://problem/49067448>
3732
3733         Reviewed by Yusuke Suzuki.
3734
3735         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
3736
3737 2019-03-20  Saam Barati  <sbarati@apple.com>
3738
3739         typeOfDoubleSum is wrong for when NaN can be produced
3740         https://bugs.webkit.org/show_bug.cgi?id=196030
3741
3742         Reviewed by Filip Pizlo.
3743
3744         * stress/double-add-sub-mul-can-produce-nan.js: Added.
3745         (assert):
3746         (noInline.sub):
3747         (noInline):
3748         (assert.mul):
3749         (assert.add):
3750
3751 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3752
3753         Update the test to ensure OutOfMemoryError is thrown as intended
3754         https://bugs.webkit.org/show_bug.cgi?id=196032
3755         <rdar://problem/46842740>
3756
3757         Rubber stamped by Saam Barati.
3758
3759         * stress/create-error-out-of-memory-rope-string.js:
3760         (assert):
3761         (catch):
3762
3763 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3764
3765         JSC::createError needs to check for OOM in errorDescriptionForValue
3766         https://bugs.webkit.org/show_bug.cgi?id=196032
3767         <rdar://problem/46842740>
3768
3769         Reviewed by Mark Lam.
3770
3771         * stress/create-error-out-of-memory-rope-string.js: Added.
3772
3773 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
3774
3775         Unreviewed, reduce # of iterations to avoid timing out after r242991
3776         https://bugs.webkit.org/show_bug.cgi?id=195791
3777
3778         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
3779
3780         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3781
3782 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3783
3784         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
3785         https://bugs.webkit.org/show_bug.cgi?id=195950
3786
3787         Unreviewed, reducing the amount of memory used on this test to avoid
3788         OOM on devices with memory restrictions.
3789
3790         * microbenchmarks/generate-multiple-llint-entrypoints.js:
3791
3792 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3793
3794         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
3795         https://bugs.webkit.org/show_bug.cgi?id=194648
3796
3797         Reviewed by Keith Miller.
3798
3799         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
3800
3801 2019-03-18  Mark Lam  <mark.lam@apple.com>
3802
3803         Missing a ThrowScope release in JSObject::toString().
3804         https://bugs.webkit.org/show_bug.cgi?id=195893
3805         <rdar://problem/48970986>
3806
3807         Reviewed by Michael Saboff.
3808
3809         * stress/to-string-exception-check-release.js: Added.
3810
3811 2019-03-18  Mark Lam  <mark.lam@apple.com>
3812
3813         Structure::flattenDictionary() should clear unused property slots.
3814         https://bugs.webkit.org/show_bug.cgi?id=195871
3815         <rdar://problem/48959497>
3816
3817         Reviewed by Michael Saboff.
3818
3819         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
3820
3821 2019-03-15  Mark Lam  <mark.lam@apple.com>
3822
3823         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
3824         https://bugs.webkit.org/show_bug.cgi?id=195827
3825         <rdar://problem/48845513>
3826
3827         Reviewed by Filip Pizlo.
3828
3829         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
3830
3831 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
3832
3833         [ARM,MIPS] Skip slow tests
3834         https://bugs.webkit.org/show_bug.cgi?id=195799
3835
3836         Unreviewed, test does not finish on ARM and MIPS within the
3837         timeout limit.
3838
3839         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3840
3841 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
3842
3843         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
3844         https://bugs.webkit.org/show_bug.cgi?id=195791
3845         <rdar://problem/48806130>
3846
3847         Reviewed by Mark Lam.
3848
3849         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
3850         (foo):
3851
3852 2019-03-14  Saam barati  <sbarati@apple.com>
3853
3854         We can't remove code after ForceOSRExit until after FixupPhase
3855         https://bugs.webkit.org/show_bug.cgi?id=186916
3856         <rdar://problem/41396612>
3857
3858         Reviewed by Yusuke Suzuki.
3859
3860         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
3861         (foo):
3862         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
3863         (foo):
3864
3865 2019-03-13  Michael Saboff  <msaboff@apple.com>
3866
3867         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
3868         https://bugs.webkit.org/show_bug.cgi?id=195735
3869
3870         Reviewed by Mark Lam.
3871
3872         New regression test.
3873
3874         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
3875         (foo):
3876         (bar):
3877
3878 2019-03-14  Saam barati  <sbarati@apple.com>
3879
3880         Fixup uses KnownInt32 incorrectly in some nodes
3881         https://bugs.webkit.org/show_bug.cgi?id=195279
3882         <rdar://problem/47915654>
3883
3884         Reviewed by Yusuke Suzuki.
3885
3886         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
3887         (foo):
3888
3889 2019-03-14  Keith Miller  <keith_miller@apple.com>
3890
3891         DFG liveness can't skip tail caller inline frames
3892         https://bugs.webkit.org/show_bug.cgi?id=195715
3893
3894         Reviewed by Saam Barati.
3895
3896         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
3897         (i.foo):
3898
3899 2019-03-13  Mark Lam  <mark.lam@apple.com>
3900
3901         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
3902         https://bugs.webkit.org/show_bug.cgi?id=195415
3903
3904         Not reviewed.
3905
3906         Changed these tests to only run the default configuration.
3907         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
3908         There's no strong need to run this test on that variant.
3909
3910         * stress/dfg-to-string-on-int-does-gc.js:
3911         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
3912
3913 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
3914
3915         String overflow when using StringBuilder in JSC::createError
3916         https://bugs.webkit.org/show_bug.cgi?id=194957
3917
3918         Reviewed by Mark Lam.
3919
3920         Add test string-overflow-createError-bulder.js that overflows
3921         StringBuilder in notAFunctionSourceAppender. The second new test
3922         string-overflow-createError-fit.js has an error message that doesn't
3923         overflow, it still failed since the String's capacity can't be doubled.
3924         Run test string-overflow-createError.js only in the default
3925         configuration to reduce memory consumption when running the test
3926         in all configurations on multiple CPUs in parallel.
3927
3928         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
3929         (catch):
3930         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
3931         (catch):
3932         * stress/string-overflow-createError.js:
3933
3934 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
3935
3936         [JSC] OSR entry should respect abstract values in addition to flush formats
3937         https://bugs.webkit.org/show_bug.cgi?id=195653
3938
3939         Reviewed by Mark Lam.
3940
3941         * stress/osr-entry-locals-none.js: Added.
3942
3943 2019-03-12  Michael Saboff  <msaboff@apple.com>
3944
3945         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
3946         https://bugs.webkit.org/show_bug.cgi?id=195613
3947
3948         Reviewed by Mark Lam.
3949
3950         New regression test.
3951
3952         * stress/regexp-backref-inbounds.js: Added.
3953         (testRegExp):
3954
3955 2019-03-12  Mark Lam  <mark.lam@apple.com>
3956
3957         The HasIndexedProperty node does GC.
3958         https://bugs.webkit.org/show_bug.cgi?id=195559
3959         <rdar://problem/48767923>
3960
3961         Reviewed by Yusuke Suzuki.
3962
3963         * stress/HasIndexedProperty-does-gc.js: Added.
3964
3965 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
3966
3967         [ESNext][BigInt] Implement "~" unary operation
3968         https://bugs.webkit.org/show_bug.cgi?id=182216
3969
3970         Reviewed by Keith Miller.
3971
3972         * stress/big-int-bit-not-general.js: Added.
3973         * stress/big-int-bitwise-not-jit.js: Added.
3974         * stress/big-int-bitwise-not-wrapped-value.js: Added.
3975         * stress/bit-op-with-object-returning-int32.js:
3976         * stress/bitwise-not-fixup-rules.js: Added.
3977         * stress/value-bit-not-ai-rule.js: Added.
3978
3979 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
3980
3981         Invalid flags in a RegExp literal should be an early SyntaxError
3982         https://bugs.webkit.org/show_bug.cgi?id=195514
3983
3984         Reviewed by Darin Adler.
3985
3986         * test262/expectations.yaml:
3987         Mark 4 test cases as passing.
3988
3989         * stress/regexp-syntax-error-invalid-flags.js:
3990         * stress/regress-161995.js: Removed.
3991         Update existing test, merging in an older test for the same behavior.
3992
3993 2019-03-08  Mark Lam  <mark.lam@apple.com>
3994
3995         Stack overflow crash in JSC::JSObject::hasInstance.
3996         https://bugs.webkit.org/show_bug.cgi?id=195458
3997         <rdar://problem/48710195>
3998
3999         Reviewed by Yusuke Suzuki.
4000
4001         * stress/stack-overflow-in-custom-hasInstance.js: Added.
4002
4003 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
4004
4005         op_check_tdz does not def its argument
4006         https://bugs.webkit.org/show_bug.cgi?id=192880
4007         <rdar://problem/46221598>
4008
4009         Reviewed by Saam Barati.
4010
4011         * microbenchmarks/let-for-in.js: Added.
4012         (foo):
4013
4014 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
4015
4016         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
4017         https://bugs.webkit.org/show_bug.cgi?id=195429
4018
4019         Reviewed by Saam Barati.
4020
4021         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
4022         (foo):
4023         * stress/string-from-char-code-255.js: Added.
4024
4025 2019-03-06  Mark Lam  <mark.lam@apple.com>
4026
4027         Fix incorrect handling of try-finally completion values.
4028         https://bugs.webkit.org/show_bug.cgi?id=195131
4029         <rdar://problem/46222079>
4030
4031         Reviewed by Saam Barati and Yusuke Suzuki.
4032
4033         Added many permutations of new test case to test-finally.js.  test-finally.js has
4034         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
4035         tests passes there as well.
4036
4037         * stress/test-finally.js:
4038
4039 2019-03-06  Saam Barati  <sbarati@apple.com>
4040
4041         Air::reportUsedRegisters must padInterference
4042         https://bugs.webkit.org/show_bug.cgi?id=195303
4043         <rdar://problem/48270343>
4044
4045         Reviewed by Keith Miller.
4046
4047         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
4048
4049 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
4050
4051         [JSC] AI should not propagate AbstractValue relying on constant folding phase
4052         https://bugs.webkit.org/show_bug.cgi?id=195375
4053
4054         Reviewed by Saam Barati.
4055
4056         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
4057         (let.array):
4058
4059 2019-03-05  Saam barati  <sbarati@apple.com>
4060
4061         op_switch_char broken for rope strings after JSRopeString layout rewrite
4062         https://bugs.webkit.org/show_bug.cgi?id=195339
4063         <rdar://problem/48592545>
4064
4065         Reviewed by Yusuke Suzuki.
4066
4067         * stress/switch-on-char-llint-rope.js: Added.
4068
4069 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
4070
4071         [JSC] Store bits for JSRopeString in 3 stores
4072         https://bugs.webkit.org/show_bug.cgi?id=195234
4073
4074         Reviewed by Saam Barati.
4075
4076         * stress/null-rope-and-collectors.js: Added.
4077
4078 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
4079
4080         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
4081         https://bugs.webkit.org/show_bug.cgi?id=195207
4082
4083         Unreviewed. After test runtime was reduced in r242213, test can be
4084         run again on ARM/MIPS.
4085
4086         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
4087
4088 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
4089
4090         [JSC] sizeof(JSString) should be 16
4091         https://bugs.webkit.org/show_bug.cgi?id=194375
4092
4093         Reviewed by Saam Barati.
4094
4095         * microbenchmarks/make-rope.js: Added.
4096         (makeRope):
4097         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
4098         (returnRope.helper): Deleted.
4099         (returnRope): Deleted.
4100
4101 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
4102
4103         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
4104         https://bugs.webkit.org/show_bug.cgi?id=195144
4105
4106         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
4107         Change the number from 1e8 to 1e5.
4108
4109         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
4110         (foo):
4111
4112 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
4113
4114         Test times out on ARM/MIPS
4115         https://bugs.webkit.org/show_bug.cgi?id=195168
4116
4117         Unreviewed. Skip test on ARM/MIPS.
4118
4119         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
4120
4121 2019-02-27  Mark Lam  <mark.lam@apple.com>
4122
4123         The parser is failing to record the token location of new in new.target.
4124         https://bugs.webkit.org/show_bug.cgi?id=195127
4125         <rdar://problem/39645578>
4126
4127         Reviewed by Yusuke Suzuki.
4128
4129         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
4130
4131 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
4132
4133         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
4134         https://bugs.webkit.org/show_bug.cgi?id=195144
4135         <rdar://problem/47595961>
4136
4137         Reviewed by Mark Lam.
4138
4139         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
4140         (bar):
4141         (foo):
4142         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
4143         (bar):
4144         (foo):
4145
4146 2019-02-27  Robin Morisset  <rmorisset@apple.com>
4147
4148         DFG: Loop-invariant code motion (LICM) should not hoist dead code
4149         https://bugs.webkit.org/show_bug.cgi?id=194945
4150         <rdar://problem/48311657>
4151
4152         Reviewed by Mark Lam.
4153
4154         * stress/licm-dead-code.js: Added.
4155
4156 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
4157
4158         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
4159         https://bugs.webkit.org/show_bug.cgi?id=194677
4160         <rdar://problem/48112492>
4161
4162         Reviewed by Mark Lam.
4163
4164         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
4165         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
4166         it immediately fails due the large size.
4167
4168         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
4169         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
4170         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
4171         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
4172
4173         This patch changes the test to produce 16bit string from String.fromCharCode.
4174
4175         * stress/regress-178386.js:
4176
4177 2019-02-26  Mark Lam  <mark.lam@apple.com>
4178
4179         wasmToJS() should purify incoming NaNs.
4180         https://bugs.webkit.org/show_bug.cgi?id=194807
4181         <rdar://problem/48189132>
4182
4183         Reviewed by Saam Barati.
4184
4185         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
4186
4187 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
4188
4189         [JSC] Repeat string created from Array.prototype.join() take too much memory
4190         https://bugs.webkit.org/show_bug.cgi?id=193912
4191
4192         Reviewed by Saam Barati.
4193
4194         Added a test and a microbenchmark for corner cases of
4195         Array.prototype.join() with an uninitialized array.
4196
4197         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
4198         * stress/array-prototype-join-uninitialized.js: Added.
4199         (testArray):
4200         (testABC):
4201         (B):
4202         (C):
4203
4204 2019-02-22  Robin Morisset  <rmorisset@apple.com>
4205
4206         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
4207         https://bugs.webkit.org/show_bug.cgi?id=194953
4208         <rdar://problem/47595253>
4209
4210         Reviewed by Saam Barati.
4211
4212         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
4213
4214         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
4215
4216 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
4217
4218         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
4219         https://bugs.webkit.org/show_bug.cgi?id=172848
4220         <rdar://problem/25709212>
4221
4222         Reviewed by Mark Lam.
4223
4224         * typeProfiler/inheritance.js:
4225         Rewrite the test slightly for clarity. The hoisting was confusing.
4226
4227         * heapProfiler/class-names.js: Added.
4228         (MyES5Class):
4229         (MyES6Class):
4230         (MyES6Subclass):
4231         Test object types and improved class names.
4232
4233         * heapProfiler/driver/driver.js:
4234         (CheapHeapSnapshotNode):
4235         (CheapHeapSnapshot):
4236         (createCheapHeapSnapshot):
4237         (HeapSnapshot):
4238         (createHeapSnapshot):
4239         Update snapshot parsing from version 1 to version 2.
4240
4241 2019-02-19  Truitt Savell  <tsavell@apple.com>
4242
4243         Unreviewed, rolling out r241784.
4244
4245         Broke all OpenSource builds.
4246
4247         Reverted changeset:
4248
4249         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
4250         instances view"
4251         https://bugs.webkit.org/show_bug.cgi?id=172848
4252         https://trac.webkit.org/changeset/241784
4253
4254 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
4255
4256         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
4257         https://bugs.webkit.org/show_bug.cgi?id=172848
4258         <rdar://problem/25709212>
4259
4260         Reviewed by Mark Lam.
4261
4262         * typeProfiler/inheritance.js:
4263         Rewrite the test slightly for clarity. The hoisting was confusing.
4264
4265         * heapProfiler/class-names.js: Added.
4266         (MyES5Class):
4267         (MyES6Class):
4268         (MyES6Subclass):
4269         Test object types and improved class names.
4270
4271         * heapProfiler/driver/driver.js:
4272         (CheapHeapSnapshotNode):
4273         (CheapHeapSnapshot):
4274         (createCheapHeapSnapshot):
4275         (HeapSnapshot):
4276         (createHeapSnapshot):
4277         Update snapshot parsing from version 1 to version 2.
4278
4279 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
4280
4281         [ARM] Fix crash with sampling profiler
4282         https://bugs.webkit.org/show_bug.cgi?id=194772
4283
4284         Reviewed by Mark Lam.
4285
4286         Do not skip test since crash with sampling profiler is now fixed.
4287
4288         * stress/sampling-profiler-richards.js:
4289
4290 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
4291
4292         [JSC] Add LazyClassStructure::getInitializedOnMainThread
4293         https://bugs.webkit.org/show_bug.cgi?id=194784
4294         <rdar://problem/48154820>
4295
4296         Reviewed by Mark Lam.
4297
4298         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
4299         (getProperties):
4300         (getRandomProperty):
4301         (i.catch):
4302
4303 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
4304
4305         [ARM] Test gardening: Test running out of executable memory
4306         https://bugs.webkit.org/show_bug.cgi?id=194771
4307
4308         Unreviewed. Do not run test without LLInt, test is running out of executable
4309         memory on ARM otherwise.
4310
4311         * stress/tagged-template-object-collect.js:
4312
4313 2019-02-18  Tomas Popela  <tpopela@redhat.com>
4314
4315         Unreviewed, skip the test on platforms without sampling profiler
4316
4317         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
4318         (platformSupportsSamplingProfiler.foo):
4319         (platformSupportsSamplingProfiler.test):
4320         (platformSupportsSamplingProfiler):
4321         (foo): Deleted.
4322         (test): Deleted.
4323
4324 2019-02-17  Saam Barati  <sbarati@apple.com>
4325
4326         Deadlock when adding a Structure property transition and then doing incremental marking
4327         https://bugs.webkit.org/show_bug.cgi?id=194767
4328
4329         Reviewed by Mark Lam.
4330
4331         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
4332
4333 2019-02-15  Michael Saboff  <msaboff@apple.com>
4334
4335         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
4336         https://bugs.webkit.org/show_bug.cgi?id=194558
4337
4338         Reviewed by Saam Barati.
4339
4340         New regression test.
4341
4342         * stress/regexp-unicode-within-string.js: Added.
4343
4344 2019-02-15  Mark Lam  <mark.lam@apple.com>
4345
4346         SamplingProfiler::stackTracesAsJSON() should escape strings.
4347         https://bugs.webkit.org/show_bug.cgi?id=194649
4348         <rdar://problem/48072386>
4349
4350         Reviewed by Saam Barati.
4351
4352         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
4353         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
4354         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
4355         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
4356
4357 2019-02-15  Robin Morisset  <rmorisset@apple.com>
4358         CodeBlock::jettison should clear related watchpoints
4359         https://bugs.webkit.org/show_bug.cgi?id=194544
4360
4361         Reviewed by Mark Lam.
4362
4363         * stress/regexp-replace-double-watchpoint.js: Added.
4364         (foo):
4365
4366 2019-02-15  Saam barati  <sbarati@apple.com>
4367
4368         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
4369         https://bugs.webkit.org/show_bug.cgi?id=194036
4370
4371         Reviewed by Yusuke Suzuki.
4372
4373         * stress/tail-call-many-arguments.js: Added.
4374         (foo):
4375         (bar):
4376
4377 2019-02-14  Saam Barati  <sbarati@apple.com>
4378
4379         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
4380         https://bugs.webkit.org/show_bug.cgi?id=194583
4381         <rdar://problem/48028140>
4382
4383         Reviewed by Yusuke Suzuki.
4384
4385         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
4386
4387 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
4388
4389         [JSC] String.fromCharCode's slow path always generates 16bit string
4390         https://bugs.webkit.org/show_bug.cgi?id=194466
4391
4392         Reviewed by Keith Miller.
4393
4394         * stress/string-from-char-code-slow-path.js: Added.
4395         (shouldBe):
4396         (testWithLength):
4397
4398 2019-02-08  Saam barati  <sbarati@apple.com>
4399
4400         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
4401         https://bugs.webkit.org/show_bug.cgi?id=194334
4402         <rdar://problem/47844327>
4403
4404         Reviewed by Mark Lam.
4405
4406         * stress/check-in-bounds-should-be-a-child-use.js: Added.
4407         (func):
4408
4409 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
4410
4411         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
4412         https://bugs.webkit.org/show_bug.cgi?id=194369
4413         <rdar://problem/47813087>
4414
4415         Reviewed by Saam Barati.
4416
4417         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.