DateConversion::formatDateTime incorrectly formats negative years
[WebKit-https.git] / JSTests / ChangeLog
1 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
2
3         DateConversion::formatDateTime incorrectly formats negative years
4         https://bugs.webkit.org/show_bug.cgi?id=199964
5
6         Reviewed by Ross Kirsling.
7
8         * test262/expectations.yaml: Mark 6 test cases as passing.
9
10 2019-08-15  Mark Lam  <mark.lam@apple.com>
11
12         More missing exception checks in String.prototype.
13         https://bugs.webkit.org/show_bug.cgi?id=200762
14         <rdar://problem/54333896>
15
16         Reviewed by Michael Saboff.
17
18         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
19         * stress/missing-exception-check-in-string-toLower.js: Added.
20         * stress/missing-exception-check-in-string-toUpper.js: Added.
21
22 2019-08-14  Mark Lam  <mark.lam@apple.com>
23
24         ProxyObject should not be allow to access its target's private properties.
25         https://bugs.webkit.org/show_bug.cgi?id=200739
26         <rdar://problem/53972768>
27
28         Reviewed by Yusuke Suzuki.
29
30         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
31         * stress/proxy-with-private-symbols.js: Rebased.
32
33 2019-08-14  Mark Lam  <mark.lam@apple.com>
34
35         Missing exception check in string compare.
36         https://bugs.webkit.org/show_bug.cgi?id=200743
37         <rdar://problem/53975356>
38
39         Reviewed by Michael Saboff.
40
41         * stress/missing-exception-check-in-string-compare.js: Added.
42
43 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
44
45         [JSC] Add "jump if (not) undefined or null" bytecode ops
46         https://bugs.webkit.org/show_bug.cgi?id=200480
47
48         Reviewed by Saam Barati.
49
50         * stress/destructuring-assignment-require-object-coercible.js:
51         * stress/nullish-coalescing.js:
52
53 2019-08-05  Michael Saboff  <msaboff@apple.com>
54
55         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
56         https://bugs.webkit.org/show_bug.cgi?id=199997
57
58         Reviewed by Saam Barati.
59
60         New test.
61
62         * stress/typedarray-no-alreadyChecked-assert.js: Added.
63         (checkIntArray):
64         (checkFloatArray):
65
66 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
67
68         [JSC] Support WebAssembly in SamplingProfiler
69         https://bugs.webkit.org/show_bug.cgi?id=200329
70
71         Reviewed by Saam Barati.
72
73         * stress/sampling-profiler-wasm-name-section.js: Added.
74         (const.compile):
75         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
76         (platformSupportsSamplingProfiler.vm.isWasmSupported):
77         * stress/sampling-profiler-wasm.js: Added.
78         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
79         (platformSupportsSamplingProfiler.vm.isWasmSupported):
80         * stress/sampling-profiler/loop.wasm: Added.
81         * stress/sampling-profiler/loop.wast: Added.
82         * stress/sampling-profiler/nameSection.wasm: Added.
83
84 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
85
86         [JSC] LazyJSValue should be robust for empty JSValue
87         https://bugs.webkit.org/show_bug.cgi?id=200388
88
89         Reviewed by Saam Barati.
90
91         * stress/switch-constant-child-becomes-empty.js: Added.
92         (foo):
93
94 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
95
96         GetterSetter type confusion during DFG compilation
97         https://bugs.webkit.org/show_bug.cgi?id=199903
98
99         Reviewed by Mark Lam.
100
101         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
102
103 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
104
105         Update Test262 (2019.08.01)
106         https://bugs.webkit.org/show_bug.cgi?id=200351
107
108         Reviewed by Keith Miller.
109
110         * test262/expectations.yaml:
111         * test262/harness/testIntl.js:
112         * test262/latest-changes-summary.txt:
113         * test262/test/:
114         * test262/test262-Revision.txt:
115
116 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
117
118         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
119         https://bugs.webkit.org/show_bug.cgi?id=200192
120
121         Reviewed by Saam Barati.
122
123         * stress/structure-chain-stress.js: Added.
124         (keys):
125
126 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
127
128         [JSC] Increment bytecode age only when SlotVisitor is first-visit
129         https://bugs.webkit.org/show_bug.cgi?id=200196
130
131         Reviewed by Robin Morisset.
132
133         * stress/reparsing-unlinked-codeblock.js:
134
135 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
136
137         [X86] Emit BT instruction for shift + mask in B3
138         https://bugs.webkit.org/show_bug.cgi?id=199891
139
140         Reviewed by Robin Morisset.
141
142         Lower the number of iterations to fix debug timeouts.
143
144         * microbenchmarks/bit-test-load.js:
145         (i):
146
147 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
148
149         [X86] Emit BT instruction for shift + mask in B3
150         https://bugs.webkit.org/show_bug.cgi?id=199891
151
152         Reviewed by Keith Miller.
153
154         * microbenchmarks/bit-test-constant.js: Added.
155         (let.glob.0.doTest):
156         * microbenchmarks/bit-test-load.js: Added.
157         (let.glob.0.let.arr.new.Int32Array.8.doTest):
158         (i):
159         * microbenchmarks/bit-test-nonconstant.js: Added.
160         (let.glob.0.doTest):
161
162 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
163
164         [JSC] Potential GC fix for JSPropertyNameEnumerator
165         https://bugs.webkit.org/show_bug.cgi?id=200151
166
167         Reviewed by Mark Lam.
168
169         * stress/for-in-stress.js: Added.
170         (keys):
171
172 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
173
174         Legacy numeric literals should not permit separators or BigInt
175         https://bugs.webkit.org/show_bug.cgi?id=199984
176
177         Reviewed by Keith Miller.
178
179         * stress/big-int-literals.js:
180         * stress/numeric-literal-separators.js:
181
182 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
183
184         [ESNext] Implement nullish coalescing
185         https://bugs.webkit.org/show_bug.cgi?id=200072
186
187         Reviewed by Darin Adler.
188
189         * stress/nullish-coalescing.js: Added.
190
191 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
192
193         Three checks are missing in Proxy internal methods
194         https://bugs.webkit.org/show_bug.cgi?id=198630
195
196         Reviewed by Darin Adler.
197
198         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
199         * test262/expectations.yaml: Mark 6 test cases as passing.
200
201 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
202
203         Sometimes we miss removable CheckInBounds
204         https://bugs.webkit.org/show_bug.cgi?id=200018
205
206         Reviewed by Saam Barati.
207
208         * microbenchmarks/typed-array-sum.js: Added.
209         (doTest):
210
211 2019-07-16  Mark Lam  <mark.lam@apple.com>
212
213         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
214         https://bugs.webkit.org/show_bug.cgi?id=199821
215         <rdar://problem/52452328>
216
217         Reviewed by Filip Pizlo.
218
219         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
220
221 2019-07-16  Keith Miller  <keith_miller@apple.com>
222
223         Unreviewed, test262 gardening.
224
225         * test262/expectations.yaml:
226
227 2019-07-15  Keith Miller  <keith_miller@apple.com>
228
229         A Possible Issue of Object.create method
230         https://bugs.webkit.org/show_bug.cgi?id=199744
231
232         Reviewed by Yusuke Suzuki.
233
234         * stress/object-create-non-object-properties-parameter.js: Added.
235         (catch):
236
237 2019-07-15  Keith Miller  <keith_miller@apple.com>
238
239         Update test262
240         https://bugs.webkit.org/show_bug.cgi?id=199801
241
242         Rubber-stamped by Yusuke Suzuki.
243
244         * test262/expectations.yaml:
245         * test262/latest-changes-summary.txt:
246         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
247         (fg.new.FinalizationGroup):
248         (callback):
249         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
250         (fg.new.FinalizationGroup):
251         (callback):
252         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
253         (fg.new.FinalizationGroup):
254         (callback):
255         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
256         (fg.new.FinalizationGroup):
257         (callback):
258         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
259         (fg.new.FinalizationGroup):
260         (callback):
261         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
262         (fg.new.FinalizationGroup):
263         (callback):
264         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
265         (fg.new.FinalizationGroup):
266         (callback):
267         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
268         (callback):
269         (fg.new.FinalizationGroup):
270         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
271         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
272         (cb):
273         (fg.new.FinalizationGroup):
274         (emptyCells):
275         (async.fn):
276         (fn.then.async):
277         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
278         (fg.new.FinalizationGroup):
279         * test262/test/built-ins/FinalizationGroup/length.js: Added.
280         * test262/test/built-ins/FinalizationGroup/name.js: Added.
281         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
282         (newTarget):
283         (fn):
284         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
285         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
286         (fn):
287         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
288         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
289         (newTarget):
290         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
291         (newTarget):
292         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
293         (fg.new.FinalizationGroup):
294         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
295         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
296         (callback):
297         (fg.new.FinalizationGroup):
298         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
299         (fg.new.FinalizationGroup):
300         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
301         (cb):
302         (fg.new.FinalizationGroup):
303         (emptyCells):
304         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
305         (fg.new.FinalizationGroup):
306         (fg.cleanupSome.cb):
307         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
308         (callback):
309         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
310         (fn):
311         (cb):
312         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
313         (cb):
314         (fg.new.FinalizationGroup):
315         (emptyCells):
316         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
317         (fg.new.FinalizationGroup):
318         (callback):
319         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
320         (fg.new.FinalizationGroup):
321         (callback):
322         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
323         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
324         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
325         (poisoned):
326         (fg.new.FinalizationGroup):
327         (emptyCells):
328         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
329         (poisoned):
330         (emptyCells):
331         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
332         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
333         (fn):
334         (cb):
335         (emptyCells):
336         (prototype.assert.sameValue.fg.cleanupSome):
337         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
338         (fn):
339         (cb):
340         (poisoned):
341         (assert.sameValue.fg.cleanupSome):
342         (prototype.assert.sameValue.fg.cleanupSome):
343         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
344         (cb):
345         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
346         (cb):
347         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
348         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
349         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
350         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
351         (fn):
352         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
353         (fn):
354         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
355         (fg.new.FinalizationGroup):
356         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
357         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
358         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
359         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
360         (fn):
361         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
362         (fn):
363         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
364         (fg.new.FinalizationGroup):
365         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
366         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
367         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
368         (fg.new.FinalizationGroup):
369         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
370         (fg.new.FinalizationGroup):
371         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
372         (fg.new.FinalizationGroup):
373         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
374         (fg.new.FinalizationGroup):
375         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
376         (fn):
377         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
378         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
379         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
380         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
381         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
382         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
383         (fn):
384         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
385         (fg.new.FinalizationGroup):
386         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
387         (cleanupCallback):
388         (let.key.of.Object.getOwnPropertyNames):
389         (set for):
390         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
391         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
392         (FinalizationGroup):
393         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
394         (cleanupCallback):
395         (let.key.of.Object.getOwnPropertyNames):
396         (set for):
397         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
398         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
399         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
400         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
401         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
402         (asyncProxy.new.Proxy.async):
403         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
404         (asyncProxy.new.Proxy.async):
405         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
406         (setIter.set Symbol):
407         (set defaultTag):
408         (gen):
409         (get return):
410         (set new):
411         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
412         (generatorProxy.new.Proxy):
413         (asyncProxy.new.Proxy.async):
414         * test262/test/built-ins/Object/subclass-object-arg.js:
415         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
416         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
417         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
418         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
419         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
420         * test262/test/built-ins/Promise/executor-function-name.js:
421         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
422         * test262/test/built-ins/Promise/reject-function-name.js:
423         * test262/test/built-ins/Promise/resolve-function-name.js:
424         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
425         * test262/test/built-ins/WeakRef/constructor.js: Added.
426         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
427         * test262/test/built-ins/WeakRef/length.js: Added.
428         * test262/test/built-ins/WeakRef/name.js: Added.
429         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
430         (newTarget):
431         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
432         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
433         * test262/test/built-ins/WeakRef/proto.js: Added.
434         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
435         (newTarget):
436         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
437         (newTarget):
438         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
439         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
440         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
441         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
442         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
443         (emptyCells):
444         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
445         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
446         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
447         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
448         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
449         (fg.new.FinalizationGroup):
450         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
451         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
452         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
453         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
454         (let.key.of.Object.getOwnPropertyNames):
455         (set for):
456         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
457         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
458         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
459         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
460         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
461         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
462         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
463         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
464         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
465         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
466         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
467         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
468         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
469         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
470         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
471         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
472         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
473         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
474         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
475         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
476         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
477         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
478         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
479         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
480         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
481         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
482         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
483         (assertParts):
484         (assertPartsNumeric):
485         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
486         (assertParts):
487         (assertPartsNumeric):
488         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
489         (assertParts):
490         (assertPartsNumeric):
491         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
492         (assertParts):
493         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
494         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
495         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
496         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
497         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
498         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
499         (C.prototype.method):
500         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
501         (C.prototype.method.innerFunction):
502         (C.prototype.method):
503         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
504         (C):
505         (C.method):
506         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
507         (C):
508         (C.method.innerFunction):
509         (C.method):
510         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
511         (C):
512         (C.checkPrivateGetter):
513         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
514         (C):
515         (C.method):
516         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
517         (C):
518         (C.method.innerFunction):
519         (C.method):
520         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
521         (C):
522         (C.checkPrivateMethod):
523         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
524         (C):
525         (C.method):
526         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
527         (C):
528         (C.method.innerFunction):
529         (C.method):
530         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
531         (C):
532         (C.checkPrivateSetter):
533         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
534         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
535         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
536         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
537         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
538         (let.classStringExpression):
539         (let.classStringExpression.access):
540         (let.createAndInstantiateClass):
541         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
542         (let.classStringExpression):
543         (let.classStringExpression.access):
544         (let.createAndInstantiateClass):
545         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
546         (const.C):
547         (let.createAndInstantiateClass):
548         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
549         (let.classStringExpression.return.prototype.m):
550         (let.classStringExpression.return.prototype.access):
551         (let.createAndInstantiateClass):
552         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
553         (let.classStringExpression.return.prototype.m):
554         (let.classStringExpression.return.prototype.access):
555         (let.createAndInstantiateClass):
556         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
557         (let.classStringExpression):
558         (let.classStringExpression.access):
559         (let.createAndInstantiateClass):
560         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
561         (let.classStringExpression.prototype.m):
562         (let.classStringExpression.prototype.access):
563         (let.classStringExpression):
564         (let.createAndInstantiateClass):
565         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
566         (let.classStringExpression.prototype.m):
567         (let.classStringExpression.prototype.access):
568         (let.classStringExpression):
569         (let.createAndInstantiateClass):
570         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
571         (const.C):
572         (let.createAndInstantiateClass):
573         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
574         (let.classStringExpression.return.C.prototype.m):
575         (let.classStringExpression.return.C.prototype.access):
576         (let.classStringExpression.return.C):
577         (let.createAndInstantiateClass):
578         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
579         (let.classStringExpression.return.C.prototype.m):
580         (let.classStringExpression.return.C.prototype.access):
581         (let.classStringExpression.return.C):
582         (let.createAndInstantiateClass):
583         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
584         (let.classStringExpression):
585         (let.classStringExpression.access):
586         (let.createAndInstantiateClass):
587         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
588         (let.classStringExpression):
589         (let.classStringExpression.access):
590         (let.createAndInstantiateClass):
591         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
592         (let.classStringExpression):
593         (let.classStringExpression.access):
594         (let.createAndInstantiateClass):
595         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
596         (const.C):
597         (let.createAndInstantiateClass):
598         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
599         (let.classStringExpression.return.prototype.m):
600         (let.classStringExpression.return.prototype.access):
601         (let.createAndInstantiateClass):
602         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
603         (let.classStringExpression.return.prototype.m):
604         (let.classStringExpression.return.prototype.access):
605         (let.createAndInstantiateClass):
606         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
607         (let.classStringExpression):
608         (let.classStringExpression.access):
609         (let.createAndInstantiateClass):
610         * test262/test/language/expressions/new.target/unary-expr.js: Added.
611         (new):
612         (async):
613         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
614         (A):
615         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
616         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
617         * test262/test/language/identifiers/vals-cjk.js: Added.
618         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
619         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
620         (C.prototype.method):
621         (C):
622         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
623         (C.prototype.method.innerFunction):
624         (C.prototype.method):
625         (C):
626         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
627         (C.prototype.checkPrivateField):
628         (C):
629         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
630         (C):
631         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
632         (C.prototype.getWithEval):
633         (C):
634         (D):
635         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
636         (C.prototype.get m):
637         (C.prototype.method):
638         (C):
639         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
640         (C.prototype.get m):
641         (C.prototype.method.innerFunction):
642         (C.prototype.method):
643         (C):
644         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
645         (let.createAndInstantiateClass):
646         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
647         (C.prototype.get m):
648         (C.prototype.checkPrivateGetter):
649         (C):
650         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
651         (C.prototype.get m):
652         (C.prototype.checkPrivateGetter):
653         (C):
654         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
655         (C.prototype.get m):
656         (C):
657         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
658         (C.prototype.get m):
659         (C.prototype.getWithEval):
660         (C):
661         (D.prototype.get m):
662         (D):
663         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
664         (C.prototype.m):
665         (C.prototype.method):
666         (C):
667         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
668         (C.prototype.m):
669         (C.prototype.method.innerFunction):
670         (C.prototype.method):
671         (C):
672         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
673         (C.prototype.m):
674         (C.prototype.checkPrivateMethod):
675         (C):
676         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
677         (C.prototype.m):
678         (C.prototype.checkPrivateMethod):
679         (C):
680         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
681         (C.prototype.m):
682         (C):
683         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
684         (C.prototype.m):
685         (C.prototype.getWithEval):
686         (C):
687         (D.prototype.m):
688         (D):
689         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
690         (C.prototype.set m):
691         (C.prototype.method):
692         (C):
693         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
694         (C.prototype.set m):
695         (C.prototype.method.innerFunction):
696         (C.prototype.method):
697         (C):
698         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
699         (C.prototype.set m):
700         (C.prototype.checkPrivateSetter):
701         (C):
702         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
703         (C.prototype.set m):
704         (C.prototype.checkPrivateSetter):
705         (C):
706         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
707         (C.prototype.set m):
708         (C):
709         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
710         (C.prototype.set m):
711         (C.prototype.setWithEval):
712         (C):
713         (D.prototype.set m):
714         (D):
715         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
716         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
717         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
718         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
719         (A.prototype.method):
720         (A):
721         (C.prototype.get m):
722         (C.prototype.access):
723         (C):
724         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
725         (A.prototype.method):
726         (A):
727         (C.prototype.m):
728         (C.prototype.access):
729         (C):
730         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
731         (A.prototype.method):
732         (A):
733         (C.prototype.set m):
734         (C.prototype.access):
735         (C):
736         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
737         (A):
738         * test262/test/language/statements/function/13.2-30-s.js:
739         * test262/test262-Revision.txt:
740
741 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
742
743         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
744         https://bugs.webkit.org/show_bug.cgi?id=199783
745
746         Reviewed by Mark Lam.
747
748         Fix our spec tests.
749
750         * wasm/js-api/Module-compile.js:
751         * wasm/js-api/test_basic_api.js:
752         (const.c.in.constructorProperties.switch):
753         * wasm/js-api/validate.js:
754         * wasm/js-api/web-assembly-instantiate.js:
755         * wasm/spec-tests/jsapi.js:
756         (testJSAPI.get test):
757         (testJSAPI.set test):
758
759 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
760
761         Unreviewed, rolling out r247440.
762
763         Broke builds
764
765         Reverted changeset:
766
767         "[JSC] Improve wasm wpt test results by fixing miscellaneous
768         issues"
769         https://bugs.webkit.org/show_bug.cgi?id=199783
770         https://trac.webkit.org/changeset/247440
771
772 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
773
774         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
775         https://bugs.webkit.org/show_bug.cgi?id=199783
776
777         Reviewed by Mark Lam.
778
779         Fix our spec tests.
780
781         * wasm/js-api/Module-compile.js:
782         * wasm/js-api/test_basic_api.js:
783         (const.c.in.constructorProperties.switch):
784         * wasm/js-api/validate.js:
785         * wasm/js-api/web-assembly-instantiate.js:
786         * wasm/spec-tests/jsapi.js:
787         (testJSAPI.get test):
788         (testJSAPI.set test):
789
790 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
791
792         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
793         https://bugs.webkit.org/show_bug.cgi?id=196371
794
795         Reviewed by Keith Miller.
796
797         * microbenchmarks/mul-immediate-sub.js: Added.
798         (doTest):
799
800 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
801
802         [BigInt] Add ValueBitLShift into DFG
803         https://bugs.webkit.org/show_bug.cgi?id=192664
804
805         Reviewed by Saam Barati.
806
807         We are adding tests to cover ValueBitwise operations AI changes.
808
809         * stress/big-int-left-shift-untyped.js: Added.
810         * stress/bit-op-with-object-returning-int32.js:
811         * stress/value-bit-and-ai-rule.js: Added.
812         * stress/value-bit-lshift-ai-rule.js: Added.
813         * stress/value-bit-or-ai-rule.js: Added.
814         * stress/value-bit-xor-ai-rule.js: Added.
815
816 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
817
818         Add b3 macro lowering for CheckMul on arm64
819         https://bugs.webkit.org/show_bug.cgi?id=199251
820
821         Reviewed by Robin Morisset.
822
823         * microbenchmarks/check-mul-constant.js: Added.
824         (doTest):
825         * microbenchmarks/check-mul-no-constant.js: Added.
826         (doTest):
827         * microbenchmarks/check-mul-power-of-two.js: Added.
828         (doTest):
829
830 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
831
832         Optimize join of large empty arrays
833         https://bugs.webkit.org/show_bug.cgi?id=199636
834
835         Reviewed by Mark Lam.
836
837         * microbenchmarks/large-empty-array-join.js: Added.
838         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
839
840 2019-07-06  Michael Saboff  <msaboff@apple.com>
841
842         switch(String) needs to check for exceptions when resolving the string
843         https://bugs.webkit.org/show_bug.cgi?id=199541
844
845         Reviewed by Mark Lam.
846
847         New tests.
848
849         * stress/switch-string-oom.js: Added.
850         (test):
851         (testLowerTiers):
852         (testFTL):
853
854 2019-07-05  Mark Lam  <mark.lam@apple.com>
855
856         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
857         https://bugs.webkit.org/show_bug.cgi?id=199533
858         <rdar://problem/52669111>
859
860         Reviewed by Filip Pizlo.
861
862         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
863
864 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
865
866         [JSC] Clean up ArraySpeciesCreate
867         https://bugs.webkit.org/show_bug.cgi?id=182434
868
869         Reviewed by Yusuke Suzuki.
870
871         Adjusts error message expectations in stress tests.
872
873         * stress/array-flatmap.js:
874         * stress/array-flatten.js:
875         * stress/array-species-create-should-handle-masquerader.js:
876         * test262/expectations.yaml: Mark 4 test cases as passing.
877
878 2019-07-02  Michael Saboff  <msaboff@apple.com>
879
880         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
881         https://bugs.webkit.org/show_bug.cgi?id=199395
882
883         Reviewed by Filip Pizlo.
884
885         New regession test.
886
887         * stress/for-of-tdz-with-try-catch.js: Added.
888         (test):
889         (i.catch):
890
891 2019-07-02  Keith Miller  <keith_miller@apple.com>
892
893         Frozen Arrays length assignment should throw in strict mode
894         https://bugs.webkit.org/show_bug.cgi?id=199365
895
896         Reviewed by Yusuke Suzuki.
897
898         * stress/frozen-array-length-should-throw-strict.js: Added.
899         (test):
900
901 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
902
903         [Wasm-References] Disable references by default
904         https://bugs.webkit.org/show_bug.cgi?id=199390
905
906         Reviewed by Saam Barati.
907
908         * wasm/references-spec-tests/ref_is_null.js:
909         * wasm/references-spec-tests/ref_null.js:
910         * wasm/references/anyref_globals.js:
911         * wasm/references/anyref_modules.js:
912         * wasm/references/anyref_table.js:
913         * wasm/references/anyref_table_import.js:
914         * wasm/references/element_parsing.js:
915         * wasm/references/func_ref.js:
916         * wasm/references/is_null.js:
917         * wasm/references/multitable.js:
918         * wasm/references/table_misc.js:
919         * wasm/references/validation.js:
920
921 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
922
923         Unreviewed, rolling out r246946.
924
925         Caused JSC test crashes on arm64
926
927         Reverted changeset:
928
929         "Add b3 macro lowering for CheckMul on arm64"
930         https://bugs.webkit.org/show_bug.cgi?id=199251
931         https://trac.webkit.org/changeset/246946
932
933 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
934
935         Add b3 macro lowering for CheckMul on arm64
936         https://bugs.webkit.org/show_bug.cgi?id=199251
937
938         Reviewed by Robin Morisset.
939
940         * microbenchmarks/check-mul-constant.js: Added.
941         (doTest):
942         * microbenchmarks/check-mul-no-constant.js: Added.
943         (doTest):
944         * microbenchmarks/check-mul-power-of-two.js: Added.
945         (doTest):
946
947 2019-06-26  Keith Miller  <keith_miller@apple.com>
948
949         speciesConstruct needs to throw if the result is a DataView
950         https://bugs.webkit.org/show_bug.cgi?id=199231
951
952         Reviewed by Mark Lam.
953
954         * stress/typedarray-filter.js:
955         (subclasses.forEach):
956         * stress/typedarray-map.js:
957         (subclasses.forEach):
958         * stress/typedarray-slice.js:
959         (typedArrays.forEach):
960         * stress/typedarray-subarray.js:
961         (subclasses.forEach):
962
963 2019-06-24  Commit Queue  <commit-queue@webkit.org>
964
965         Unreviewed, rolling out r246714.
966         https://bugs.webkit.org/show_bug.cgi?id=199179
967
968         revert to do patch in a different way. (Requested by keith_mi_
969         on #webkit).
970
971         Reverted changeset:
972
973         "All prototypes should call didBecomePrototype()"
974         https://bugs.webkit.org/show_bug.cgi?id=196315
975         https://trac.webkit.org/changeset/246714
976
977 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
978
979         Add Array.prototype.{flat,flatMap} to unscopables
980         https://bugs.webkit.org/show_bug.cgi?id=194322
981
982         Reviewed by Keith Miller.
983
984         * stress/unscopables.js: Fix test.
985         * test262/expectations.yaml: Mark 2 test cases as passing.
986
987 2019-06-21  Mark Lam  <mark.lam@apple.com>
988
989         ArraySlice needs to keep the source array alive.
990         https://bugs.webkit.org/show_bug.cgi?id=197374
991         <rdar://problem/50304429>
992
993         Reviewed by Michael Saboff and Filip Pizlo.
994
995         * stress/array-slice-must-keep-source-array-alive.js: Added.
996
997 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
998
999         All prototypes should call didBecomePrototype()
1000         https://bugs.webkit.org/show_bug.cgi?id=196315
1001
1002         Reviewed by Saam Barati.
1003
1004         * stress/function-prototype-indexed-accessor.js: Added.
1005
1006 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1007
1008         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1009         https://bugs.webkit.org/show_bug.cgi?id=197631
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/has-own-property-arguments.js: Added.
1014         (shouldBe):
1015         (A):
1016
1017 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1018
1019         [JSC] ClassExpr should not store result in the middle of evaluation
1020         https://bugs.webkit.org/show_bug.cgi?id=199106
1021
1022         Reviewed by Tadeu Zagallo.
1023
1024         * stress/class-expression-should-store-result-at-last.js: Added.
1025         (shouldThrow):
1026         (shouldThrow.let.a):
1027
1028 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1029
1030         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1031         https://bugs.webkit.org/show_bug.cgi?id=199044
1032
1033         Reviewed by Saam Barati.
1034
1035         Add wasm references spec tests as well as a worker test.
1036
1037         * wasm.yaml:
1038         * wasm/Builder_WebAssemblyBinary.js:
1039         (const.emitters.Element):
1040         * wasm/js-api/element.js:
1041         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1042         * wasm/references-spec-tests/ref_is_null.js: Added.
1043         (hostref):
1044         (is_hostref):
1045         (is_funcref):
1046         (eq_ref):
1047         (let.handler.get target):
1048         (register):
1049         (module):
1050         (instance):
1051         (call):
1052         (get instance):
1053         (exports):
1054         (run):
1055         (assert_malformed):
1056         (assert_invalid):
1057         (assert_unlinkable):
1058         (assert_uninstantiable):
1059         (assert_trap):
1060         (try.f):
1061         (catch):
1062         (assert_exhaustion):
1063         (assert_return):
1064         (assert_return_canonical_nan):
1065         (assert_return_arithmetic_nan):
1066         (assert_return_ref):
1067         (assert_return_func):
1068         * wasm/references-spec-tests/ref_null.js: Added.
1069         (hostref):
1070         (is_hostref):
1071         (is_funcref):
1072         (eq_ref):
1073         (let.handler.get target):
1074         (register):
1075         (module):
1076         (instance):
1077         (call):
1078         (get instance):
1079         (exports):
1080         (run):
1081         (assert_malformed):
1082         (assert_invalid):
1083         (assert_unlinkable):
1084         (assert_uninstantiable):
1085         (assert_trap):
1086         (try.f):
1087         (catch):
1088         (assert_exhaustion):
1089         (assert_return):
1090         (assert_return_canonical_nan):
1091         (assert_return_arithmetic_nan):
1092         (assert_return_ref):
1093         (assert_return_func):
1094         * wasm/references/element_parsing.js: Added.
1095         (module):
1096         * wasm/references/func_ref.js:
1097         * wasm/references/multitable.js:
1098         * wasm/references/table_misc.js:
1099         (TableSize.0.End.End.WebAssembly):
1100         * wasm/references/validation.js:
1101         (assert.throws):
1102
1103 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1104
1105         Optimize `resolve` method lookup in Promise static methods
1106         https://bugs.webkit.org/show_bug.cgi?id=198864
1107
1108         Reviewed by Yusuke Suzuki.
1109
1110         * test262/expectations.yaml: Mark 18 test cases as passing.
1111
1112 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1113
1114         [WASM-References] Rename anyfunc to funcref
1115         https://bugs.webkit.org/show_bug.cgi?id=198983
1116
1117         Reviewed by Yusuke Suzuki.
1118
1119         * wasm/function-tests/basic-element.js:
1120         * wasm/function-tests/context-switch.js:
1121         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1122         (makeInstance):
1123         (assert.eq.makeInstance):
1124         * wasm/function-tests/exceptions.js:
1125         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1126         * wasm/function-tests/grow-memory-2.js:
1127         (assert.eq.instance.exports.foo):
1128         * wasm/function-tests/nameSection.js:
1129         (const.compile):
1130         * wasm/function-tests/stack-overflow.js:
1131         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1132         (assertOverflows.makeInstance):
1133         * wasm/function-tests/table-basic-2.js:
1134         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1135         * wasm/function-tests/table-basic.js:
1136         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1137         * wasm/function-tests/trap-from-start-async.js:
1138         * wasm/function-tests/trap-from-start.js:
1139         * wasm/js-api/Module.exports.js:
1140         (assert.truthy):
1141         * wasm/js-api/Module.imports.js:
1142         (assert.truthy):
1143         * wasm/js-api/call-indirect.js:
1144         (const.oneTable):
1145         (const.multiTable):
1146         (multiTable.const.makeTable):
1147         (multiTable):
1148         (multiTable.Polyphic2Import):
1149         (multiTable.VirtualImport):
1150         * wasm/js-api/element-data.js:
1151         * wasm/js-api/element.js:
1152         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1153         (assert.throws):
1154         (badInstantiation.makeModule):
1155         (badInstantiation.test):
1156         (badInstantiation):
1157         * wasm/js-api/extension-MemoryMode.js:
1158         * wasm/js-api/table.js:
1159         (new.WebAssembly.Module):
1160         (assert.throws):
1161         (assertBadTableImport):
1162         (assert.throws.WebAssembly.Table.prototype.grow):
1163         (new.WebAssembly.Table):
1164         (assertBadTable):
1165         (assert.truthy):
1166         * wasm/js-api/test_basic_api.js:
1167         (const.c.in.constructorProperties.switch):
1168         * wasm/js-api/unique-signature.js:
1169         (CallIndirectWithDuplicateSignatures):
1170         * wasm/js-api/wrapper-function.js:
1171         * wasm/modules/table.wat:
1172         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1173         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1174         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1175         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1176         * wasm/references/anyref_table.js:
1177         * wasm/references/anyref_table_import.js:
1178         (doSet):
1179         (assert.throws):
1180         * wasm/references/func_ref.js:
1181         (makeFuncrefIdent):
1182         (assert.eq.instance.exports.fix):
1183         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
1184         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
1185         (let.importedFun.of):
1186         (makeAnyfuncIdent): Deleted.
1187         (makeAnyfuncIdent.fun): Deleted.
1188         * wasm/references/multitable.js:
1189         (assert.eq):
1190         (assert.throws):
1191         * wasm/references/table_misc.js:
1192         (GetLocal.0.TableFill.0.End.End.WebAssembly):
1193         * wasm/references/validation.js:
1194         (assert.throws.new.WebAssembly.Module.bin):
1195         (assert.throws):
1196         * wasm/spec-harness/index.js:
1197         * wasm/spec-harness/wasm-constants.js:
1198         * wasm/spec-harness/wasm-module-builder.js:
1199         (WasmModuleBuilder.prototype.toArray):
1200         * wasm/spec-harness/wast.js:
1201         (elem_type):
1202         (string_of_elem_type):
1203         (string_of_table_type):
1204         * wasm/spec-tests/jsapi.js:
1205         * wasm/stress/wasm-table-grow-initialize.js:
1206         * wasm/wasm.json:
1207
1208 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1209
1210         [WASM-References] Add support for Table.size, grow and fill instructions
1211         https://bugs.webkit.org/show_bug.cgi?id=198761
1212
1213         Reviewed by Yusuke Suzuki.
1214
1215         * wasm/Builder_WebAssemblyBinary.js:
1216         (const.putOp):
1217         * wasm/references/table_misc.js: Added.
1218         (TableSize.End.End.WebAssembly):
1219         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
1220         * wasm/wasm.json:
1221
1222 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1223
1224         [WASM-References] Add support for multiple tables
1225         https://bugs.webkit.org/show_bug.cgi?id=198760
1226
1227         Reviewed by Saam Barati.
1228
1229         * wasm/Builder.js:
1230         * wasm/js-api/call-indirect.js:
1231         (const.oneTable):
1232         (const.multiTable):
1233         (multiTable):
1234         (multiTable.Polyphic2Import):
1235         (multiTable.VirtualImport):
1236         (const.wasmModuleWhichImportJS): Deleted.
1237         (const.makeTable): Deleted.
1238         (): Deleted.
1239         (Polyphic2Import): Deleted.
1240         (VirtualImport): Deleted.
1241         * wasm/js-api/table.js:
1242         (new.WebAssembly.Module):
1243         (assert.throws):
1244         (assertBadTableImport):
1245         (assert.truthy):
1246         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1247         * wasm/references/anyref_table.js:
1248         * wasm/references/anyref_table_import.js:
1249         (makeImport):
1250         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1251         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1252         * wasm/references/multitable.js: Added.
1253         (assert.throws.1.exports.set_tbl0):
1254         (assert.throws):
1255         (assert.eq):
1256         * wasm/references/validation.js:
1257         (assert.throws.new.WebAssembly.Module.bin):
1258         (assert.throws):
1259         * wasm/spec-tests/imports.wast.js:
1260         * wasm/wasm.json:
1261
1262         * wasm/Builder.js:
1263         * wasm/js-api/call-indirect.js:
1264         (const.oneTable):
1265         (const.multiTable):
1266         (multiTable):
1267         (multiTable.Polyphic2Import):
1268         (multiTable.VirtualImport):
1269         (const.wasmModuleWhichImportJS): Deleted.
1270         (const.makeTable): Deleted.
1271         (): Deleted.
1272         (Polyphic2Import): Deleted.
1273         (VirtualImport): Deleted.
1274         * wasm/js-api/table.js:
1275         (new.WebAssembly.Module):
1276         (assert.throws):
1277         (assertBadTableImport):
1278         (assert.truthy):
1279         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1280         * wasm/references/anyref_table.js:
1281         * wasm/references/anyref_table_import.js:
1282         (makeImport):
1283         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1284         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1285         * wasm/references/func_ref.js:
1286         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
1287         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
1288         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
1289         * wasm/references/multitable.js: Added.
1290         (assert.throws.1.exports.set_tbl0):
1291         (assert.throws):
1292         (assert.eq):
1293         (string_appeared_here.tableInsanity):
1294         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
1295         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
1296         * wasm/references/validation.js:
1297         (assert.throws.new.WebAssembly.Module.bin):
1298         (assert.throws):
1299         * wasm/spec-tests/imports.wast.js:
1300         * wasm/wasm.json:
1301
1302 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
1303
1304         [ESNExt] String.prototype.matchAll
1305         https://bugs.webkit.org/show_bug.cgi?id=186694
1306
1307         Reviewed by Yusuke Suzuki.
1308
1309         Implement String.prototype.matchAll.
1310         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
1311
1312         * test262/config.yaml:
1313
1314 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
1315
1316         DFG code should not reify the names of builtin functions with private names
1317         https://bugs.webkit.org/show_bug.cgi?id=198849
1318         <rdar://problem/51733890>
1319
1320         Reviewed by Filip Pizlo.
1321
1322         * stress/builtin-private-function-name.js: Added.
1323         (then):
1324         (PromiseLike):
1325
1326 2019-06-18  Keith Miller  <keith_miller@apple.com>
1327
1328         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
1329         https://bugs.webkit.org/show_bug.cgi?id=198969
1330         <rdar://problem/51620714>
1331
1332         Reviewed by Tadeu Zagallo.
1333
1334         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
1335         (catch):
1336
1337 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1338
1339         Validate that table element type is funcref if using an element section
1340         https://bugs.webkit.org/show_bug.cgi?id=198910
1341
1342         Reviewed by Yusuke Suzuki.
1343
1344         * wasm/references/anyref_table.js:
1345
1346 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
1347
1348         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
1349         https://bugs.webkit.org/show_bug.cgi?id=197378
1350
1351         Reviewed by Saam Barati.
1352
1353         * stress/disposable-call-site-index-with-call-and-this.js: Added.
1354         (foo):
1355         (bar):
1356         * stress/disposable-call-site-index.js: Added.
1357         (foo):
1358         (bar):
1359
1360 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1361
1362         [WASM-References] Add support for Funcref in parameters and return types
1363         https://bugs.webkit.org/show_bug.cgi?id=198157
1364
1365         Reviewed by Yusuke Suzuki.
1366
1367         * wasm/Builder.js:
1368         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1369         * wasm/references/anyref_globals.js:
1370         * wasm/references/func_ref.js: Added.
1371         (fullGC.gc.makeExportedFunction):
1372         (makeExportedIdent):
1373         (makeAnyfuncIdent):
1374         (fun):
1375         (assert.eq.instance.exports.fix.fun):
1376         (assert.eq.instance.exports.fix):
1377         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
1378         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
1379         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
1380         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
1381         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
1382         (assert.throws):
1383         (assert.throws.doTest):
1384         (let.importedFun.of):
1385         (makeAnyfuncIdent.fun):
1386         * wasm/references/validation.js:
1387         (assert.throws):
1388         * wasm/wasm.json:
1389
1390 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
1391
1392         Update test262 tests (2019.06.13)
1393         https://bugs.webkit.org/show_bug.cgi?id=198821
1394
1395         Reviewed by Konstantin Tokarev.
1396
1397         * test262/expectations.yaml:
1398         * test262/harness/:
1399         * test262/latest-changes-summary.txt:
1400         * test262/test/:
1401         * test262/test262-Revision.txt:
1402
1403 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
1404
1405         [JSC] Grown region of WasmTable should be initialized with null
1406         https://bugs.webkit.org/show_bug.cgi?id=198903
1407
1408         Reviewed by Saam Barati.
1409
1410         * wasm/stress/wasm-table-grow-initialize.js: Added.
1411         (shouldBe):
1412
1413 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
1414
1415         Yarr bytecode compilation failure should be gracefully handled
1416         https://bugs.webkit.org/show_bug.cgi?id=198700
1417
1418         Reviewed by Michael Saboff.
1419
1420         * stress/regexp-bytecode-compilation-fail.js: Added.
1421         (shouldThrow):
1422
1423 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
1424
1425         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
1426         https://bugs.webkit.org/show_bug.cgi?id=198770
1427
1428         Reviewed by Saam Barati.
1429
1430         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
1431         (test):
1432
1433 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1434
1435         JSC should throw if proxy set returns falsish in strict mode context
1436         https://bugs.webkit.org/show_bug.cgi?id=177398
1437
1438         Reviewed by Yusuke Suzuki.
1439
1440         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
1441         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
1442
1443         * stress/proxy-set.js: Add 2 test cases.
1444         * stress/regexp-match-proxy.js: Fix test.
1445         * stress/regexp-replace-proxy.js: Fix test.
1446
1447 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1448
1449         Error message for non-callable Proxy `construct` trap is misleading
1450         https://bugs.webkit.org/show_bug.cgi?id=198637
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/proxy-construct.js:
1455
1456 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
1457
1458         AI BitURShift's result should not be unsigned
1459         https://bugs.webkit.org/show_bug.cgi?id=198689
1460         <rdar://problem/51550063>
1461
1462         Reviewed by Saam Barati.
1463
1464         * stress/urshift-int32-overflow.js: Added.
1465         (foo.):
1466         (foo):
1467
1468 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
1469
1470         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
1471
1472         Unreviewed gardening.
1473
1474         * stress/ftl-gettypedarrayoffset-wasteful.js:
1475         Skipped on arm/linux as it always times out on the bot since a change
1476         between r246270 and r246278 inclusive.
1477
1478 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
1479
1480         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
1481         https://bugs.webkit.org/show_bug.cgi?id=198023
1482
1483         Reviewed by Saam Barati.
1484
1485         * stress/reparsing-unlinked-codeblock.js: Added.
1486         (shouldBe):
1487         (hello):
1488
1489 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
1490
1491         [JSC] Use mergePrediction in ValuePow prediction propagation
1492         https://bugs.webkit.org/show_bug.cgi?id=198648
1493
1494         Reviewed by Saam Barati.
1495
1496         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
1497
1498 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
1499
1500         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
1501         https://bugs.webkit.org/show_bug.cgi?id=198581
1502         <rdar://problem/51099753>
1503
1504         Reviewed by Saam Barati.
1505
1506         * stress/global-object-proto-getter.js: Added.
1507         (f):
1508         (test):
1509
1510 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
1511
1512         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
1513         https://bugs.webkit.org/show_bug.cgi?id=198398
1514
1515         Reviewed by Saam Barati.
1516
1517         * wasm/references/anyref_table.js: Added.
1518         (string_appeared_here.doGCSet):
1519         (doGCTest):
1520         (doGCSet.doGCTest.let.count.0.doBarrierSet):
1521         * wasm/references/anyref_table_import.js: Added.
1522         (makeImport):
1523         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1524         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1525         * wasm/references/is_null_error.js: Removed.
1526         * wasm/references/validation.js: Added.
1527         (assert.throws.new.WebAssembly.Module.bin):
1528         (assert.throws):
1529         * wasm/wasm.json:
1530
1531 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
1532
1533         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
1534         https://bugs.webkit.org/show_bug.cgi?id=198106
1535
1536         Reviewed by Saam Barati.
1537
1538         * wasm/regress/selectf64.js: Added.
1539         * wasm/regress/selectf64.wasm: Added.
1540         * wasm/regress/selectf64.wat: Added.
1541
1542 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
1543
1544         Argument elimination should check transitive dependents for interference
1545         https://bugs.webkit.org/show_bug.cgi?id=198520
1546         <rdar://problem/50863343>
1547
1548         Reviewed by Filip Pizlo.
1549
1550         * stress/argument-elimination-inline-rest-past-kill.js: Added.
1551         (f2):
1552         (f3):
1553
1554 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
1555
1556         Argument elimination should check for negative indices in GetByVal
1557         https://bugs.webkit.org/show_bug.cgi?id=198302
1558         <rdar://problem/51188095>
1559
1560         Reviewed by Filip Pizlo.
1561
1562         * stress/eliminate-arguments-negative-rest-access.js: Added.
1563         (inlinee):
1564         (opt):
1565
1566 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
1567
1568         [ESNext][BigInt] Implement support for "**"
1569         https://bugs.webkit.org/show_bug.cgi?id=190799
1570
1571         Reviewed by Saam Barati.
1572
1573         * stress/big-int-exp-basic.js: Added.
1574         * stress/big-int-exp-jit-osr.js: Added.
1575         * stress/big-int-exp-jit-untyped.js: Added.
1576         * stress/big-int-exp-jit.js: Added.
1577         * stress/big-int-exp-negative-exponent.js: Added.
1578         * stress/big-int-exp-to-primitive.js: Added.
1579         * stress/big-int-exp-type-error.js: Added.
1580         * stress/big-int-exp-wrapped-value.js: Added.
1581         * stress/value-pow-ai-rule.js: Added.
1582
1583 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1584
1585         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
1586         https://bugs.webkit.org/show_bug.cgi?id=197979
1587
1588         Reviewed by Filip Pizlo.
1589
1590         * stress/16bit-code.js: Added.
1591         (shouldBe):
1592         * stress/32bit-code.js: Added.
1593         (shouldBe):
1594
1595 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
1596
1597         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
1598         https://bugs.webkit.org/show_bug.cgi?id=198355
1599
1600         Reviewed by Saam Barati.
1601
1602         * wasm/references/is_null.js:
1603
1604 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
1605
1606         [PlayStation] Skip additional tests on PlayStation
1607         https://bugs.webkit.org/show_bug.cgi?id=198352
1608
1609         Reviewed by Don Olmstead.
1610
1611         Skip pow test on PlayStation due to behavior difference in standard library.
1612         Skip incremental marking test due to OOM on PlayStation systems.
1613
1614         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
1615         * stress/math-pow-with-constants.js:
1616         * stress/pow-with-constants.js:
1617
1618 2019-05-28  Dean Jackson  <dino@apple.com>
1619
1620         Implement Promise.allSettled
1621         https://bugs.webkit.org/show_bug.cgi?id=197600
1622         <rdar://problem/50483885>
1623
1624         Reviewed by Keith Miller.
1625
1626         Start testing Promise.allSettled. We pass most of the tests.
1627         The ones that fail are similar to the Promise.all tests we already fail.
1628
1629         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
1630         * test262/expectations.yaml: Add new expectations for allSettled tests.
1631
1632 2019-05-28  Michael Saboff  <msaboff@apple.com>
1633
1634         [YARR] Properly handle RegExp's that require large ParenContext space
1635         https://bugs.webkit.org/show_bug.cgi?id=198065
1636
1637         Reviewed by Keith Miller.
1638
1639         New test.
1640
1641         * stress/regexp-large-paren-context.js: Added.
1642         (testLargeRegExp):
1643
1644 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
1645
1646         JITOperations putByVal should mark negative array indices as out-of-bounds
1647         https://bugs.webkit.org/show_bug.cgi?id=198271
1648
1649         Reviewed by Saam Barati.
1650
1651         * microbenchmarks/get-by-val-negative-array-index.js:
1652         (foo):
1653         Update the getByVal microbenchmark added in r245769. This now shows that r245769
1654         is 4.2x faster than the previous commit.
1655
1656         * microbenchmarks/put-by-val-negative-array-index.js: Added.
1657         (foo):
1658
1659 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
1660
1661         JITOperations getByVal should mark negative array indices as out-of-bounds
1662         https://bugs.webkit.org/show_bug.cgi?id=198229
1663
1664         Reviewed by Saam Barati.
1665
1666         * microbenchmarks/get-by-val-negative-array-index.js: Added.
1667         (foo):
1668
1669 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
1670
1671         [WASM-References] Support Anyref in globals
1672         https://bugs.webkit.org/show_bug.cgi?id=198102
1673
1674         Reviewed by Saam Barati.
1675
1676         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
1677
1678         * wasm/Builder.js:
1679         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1680         * wasm/Builder_WebAssemblyBinary.js:
1681         (const.putInitExpr):
1682         * wasm/references/anyref_globals.js: Added.
1683         (GetGlobal.0.End.End.WebAssembly):
1684         (5.doGCSet):
1685         (doGCTest):
1686         (doGCSet.doGCTest.let.count.0.doBarrierSet):
1687
1688 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
1689
1690         DFG::OSREntry should not perform arity check
1691         https://bugs.webkit.org/show_bug.cgi?id=198189
1692
1693         Reviewed by Saam Barati.
1694
1695         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
1696         (foo):
1697
1698 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
1699
1700         [PlayStation] Skip additional tests on PlayStation
1701         https://bugs.webkit.org/show_bug.cgi?id=198145
1702
1703         Reviewed by Ross Kirsling.
1704
1705         * exceptionFuzz.yaml:
1706         Add skip on hostOS playstation
1707         * executableAllocationFuzz.yaml:
1708         Add skip on hostOS playstation
1709
1710 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
1711
1712         createListFromArrayLike should throw if value is not an object
1713         https://bugs.webkit.org/show_bug.cgi?id=198138
1714
1715         Reviewed by Yusuke Suzuki.
1716
1717         * stress/create-list-from-array-like-not-object.js: Added.
1718         (testValid):
1719         (testInvalid):
1720         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
1721         (opt):
1722         * stress/proxy-proto-enumerator.js: Added.
1723         (main):
1724         * stress/proxy-proto-own-keys.js: Added.
1725         (assert):
1726         (ownKeys):
1727
1728 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1729
1730         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
1731         https://bugs.webkit.org/show_bug.cgi?id=197809
1732
1733         Reviewed by Michael Saboff.
1734
1735         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
1736         (foo):
1737
1738 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
1739
1740         [ESNext] Implement support for Numeric Separators
1741         https://bugs.webkit.org/show_bug.cgi?id=196351
1742
1743         Reviewed by Keith Miller.
1744
1745         * stress/numeric-literal-separators.js: Added.
1746         Add tests for feature.
1747
1748         * test262/expectations.yaml:
1749         Mark 60 test cases as passing.
1750
1751 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
1752
1753         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
1754         https://bugs.webkit.org/show_bug.cgi?id=198120
1755         <rdar://problem/49668795>
1756
1757         Reviewed by Michael Saboff.
1758
1759         * stress/get-array-length-concurrently-change-mode.js: Added.
1760         (main):
1761
1762 2019-05-22  Commit Queue  <commit-queue@webkit.org>
1763
1764         Unreviewed, rolling out r245634.
1765         https://bugs.webkit.org/show_bug.cgi?id=198140
1766
1767         'This patch makes JSC crash on launch in debug builds'
1768         (Requested by tadeuzagallo on #webkit).
1769
1770         Reverted changeset:
1771
1772         "[ESNext] Implement support for Numeric Separators"
1773         https://bugs.webkit.org/show_bug.cgi?id=196351
1774         https://trac.webkit.org/changeset/245634
1775
1776 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
1777
1778         Stack-buffer-overflow in decodeURIComponent
1779         https://bugs.webkit.org/show_bug.cgi?id=198109
1780         <rdar://problem/50397550>
1781
1782         Reviewed by Michael Saboff.
1783
1784         * stress/decode-uri-icu-count-trail-bytes.js: Added.
1785         (i.j.try.i.toString):
1786         (i.j.catch):
1787
1788 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1789
1790         Don't clear PropertyNameArray in Proxy code
1791         https://bugs.webkit.org/show_bug.cgi?id=197691
1792
1793         Reviewed by Saam Barati.
1794
1795         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
1796         (shouldBe):
1797         (opt):
1798
1799 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
1800
1801         [ESNext] Implement support for Numeric Separators
1802         https://bugs.webkit.org/show_bug.cgi?id=196351
1803
1804         Reviewed by Keith Miller.
1805
1806         * stress/numeric-literal-separators.js: Added.
1807         Add tests for feature.
1808
1809         * test262/expectations.yaml:
1810         Mark 60 test cases as passing.
1811
1812 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1813
1814         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
1815         https://bugs.webkit.org/show_bug.cgi?id=198101
1816
1817         Reviewed by Michael Saboff.
1818
1819         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
1820         (shouldBe):
1821
1822 2019-05-20  Keith Miller  <keith_miller@apple.com>
1823
1824         Cleanup Yarr regexp code around paren contexts.
1825         https://bugs.webkit.org/show_bug.cgi?id=198063
1826
1827         Reviewed by Yusuke Suzuki.
1828
1829         * stress/regexp-many-named-sequential-capture-groups.js: Added.
1830         (i.s):
1831         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
1832
1833 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
1834
1835         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
1836         https://bugs.webkit.org/show_bug.cgi?id=197969
1837
1838         Reviewed by Keith Miller.
1839
1840         Support the anyref type in Builder.js, plus add some extra error logging.
1841         Add new folder for wasm references tests.
1842
1843         * wasm.yaml:
1844         * wasm/Builder.js:
1845         (const._isValidValue):
1846         * wasm/references/anyref_modules.js: Added.
1847         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
1848         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
1849         (Call.3.RefIsNull.End.End.WebAssembly):
1850         (undefined):
1851         * wasm/references/is_null.js: Added.
1852         * wasm/references/is_null_error.js: Added.
1853         * wasm/spec-harness/index.js:
1854         * wasm/wasm.json:
1855
1856 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
1857
1858         [JSC] Invalid AssignmentTargetType should be an early error.
1859         https://bugs.webkit.org/show_bug.cgi?id=197603
1860
1861         Reviewed by Keith Miller.
1862
1863         * test262/expectations.yaml:
1864         Update expectations to reflect new SyntaxErrors.
1865         (Ideally, these should all be viewed as passing in the near future.)
1866
1867         * stress/async-await-basic.js:
1868         * stress/big-int-literals.js:
1869         Update tests to reflect new SyntaxErrors.
1870
1871         * ChakraCore.yaml:
1872         * ChakraCore/test/EH/try6.baseline-jsc:
1873         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
1874         Update baselines to reflect new SyntaxErrors.
1875
1876 2019-05-15  Saam Barati  <sbarati@apple.com>
1877
1878         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
1879         https://bugs.webkit.org/show_bug.cgi?id=197855
1880         <rdar://problem/50236506>
1881
1882         Reviewed by Michael Saboff.
1883
1884         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
1885         (f0):
1886         (bar):
1887         (foo):
1888         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
1889         (f1):
1890         (f2):
1891         (foo):
1892
1893 2019-05-14  Keith Miller  <keith_miller@apple.com>
1894
1895         Fix issue with byteOffset on ARM64E
1896         https://bugs.webkit.org/show_bug.cgi?id=197884
1897
1898         Reviewed by Saam Barati.
1899
1900         We didn't have any tests that run with non-byte/non-zero offset
1901         typed arrays.
1902
1903         * stress/ftl-gettypedarrayoffset-wasteful.js:
1904
1905 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
1906
1907         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
1908         https://bugs.webkit.org/show_bug.cgi?id=197833
1909
1910         Reviewed by Darin Adler.
1911
1912         * stress/generator-name.js: Added.
1913         (shouldBe):
1914         (gen):
1915         (catch):
1916
1917 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
1918
1919         JSObject::getOwnPropertyDescriptor is missing an exception check
1920         https://bugs.webkit.org/show_bug.cgi?id=197693
1921         <rdar://problem/50441784>
1922
1923         Reviewed by Saam Barati.
1924
1925         * stress/proxy-spread.js: Added.
1926         (foo):
1927
1928 2019-05-10  Saam barati  <sbarati@apple.com>
1929
1930         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
1931         https://bugs.webkit.org/show_bug.cgi?id=197807
1932         <rdar://problem/50530400>
1933
1934         Reviewed by Yusuke Suzuki.
1935
1936         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
1937         (test.getInstance):
1938         (test):
1939
1940 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
1941
1942         [Test262] Unreviewed expectations update following r245188.
1943
1944         * test262/config.yaml:
1945         * test262/expectations.yaml:
1946
1947         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
1948         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
1949         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
1950         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
1951         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
1952         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
1953         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
1954         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
1955         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
1956         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
1957         These files have invalid YAML comments. Will also submit corrections back to Test262.
1958
1959 2019-05-10  Keith Miller  <keith_miller@apple.com>
1960
1961         Update test262 tests.
1962
1963         Rubber-stamped by Yusuke Suzuki.
1964
1965         * test262/*: mega-patch too many things to list individually.
1966
1967 2019-05-09  Keith Miller  <keith_miller@apple.com>
1968
1969         Unreview, fix test to have a try-catch.
1970
1971         * stress/many-nested-functions-parser-stack-overflow.js:
1972         (catch):
1973
1974 2019-05-09  Keith Miller  <keith_miller@apple.com>
1975
1976         parseStatementListItem needs a stack overflow check
1977         https://bugs.webkit.org/show_bug.cgi?id=197749
1978
1979         Reviewed by Saam Barati.
1980
1981         * stress/many-nested-functions-parser-stack-overflow.js: Added.
1982
1983 2019-05-08  Saam barati  <sbarati@apple.com>
1984
1985         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
1986         https://bugs.webkit.org/show_bug.cgi?id=197715
1987         <rdar://problem/50399252>
1988
1989         Reviewed by Filip Pizlo.
1990
1991         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
1992         (foo):
1993         (bar):
1994
1995 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
1996
1997         Unreviewed, rolling out r245068.
1998
1999         Caused debug layout tests to exit early due to an assertion
2000         failure.
2001
2002         Reverted changeset:
2003
2004         "All prototypes should call didBecomePrototype()"
2005         https://bugs.webkit.org/show_bug.cgi?id=196315
2006         https://trac.webkit.org/changeset/245068
2007
2008 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2009
2010         Invalid DFG JIT genereation in high CPU usage state
2011         https://bugs.webkit.org/show_bug.cgi?id=197453
2012
2013         Reviewed by Saam Barati.
2014
2015         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2016         (trigger):
2017         (main):
2018
2019 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2020
2021         All prototypes should call didBecomePrototype()
2022         https://bugs.webkit.org/show_bug.cgi?id=196315
2023
2024         Reviewed by Saam Barati.
2025
2026         This changelog already landed, but the commit was missing the actual changes.
2027
2028         * stress/function-prototype-indexed-accessor.js: Added.
2029
2030 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2031
2032         [BigInt] Add ValueMod into DFG
2033         https://bugs.webkit.org/show_bug.cgi?id=186174
2034
2035         Reviewed by Saam Barati.
2036
2037         * microbenchmarks/mod-untyped.js: Added.
2038         * stress/big-int-mod-osr.js: Added.
2039         * stress/value-div-ai-rule.js: Added.
2040         * stress/value-mod-ai-rule.js: Added.
2041
2042 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2043
2044         [JSC] DFG_ASSERT failed in lowInt52
2045         https://bugs.webkit.org/show_bug.cgi?id=197569
2046
2047         Reviewed by Saam Barati.
2048
2049         * stress/getstack-int52.js: Added.
2050         (opt):
2051         (main):
2052
2053 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2054
2055         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2056         https://bugs.webkit.org/show_bug.cgi?id=197479
2057
2058         Reviewed by Saam Barati.
2059
2060         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2061         (shouldBe):
2062
2063 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2064
2065         TemplateObject passed to template literal tags are not always identical for the same source location.
2066         https://bugs.webkit.org/show_bug.cgi?id=190756
2067
2068         Reviewed by Saam Barati.
2069
2070         * complex.yaml:
2071         * complex/tagged-template-regeneration-after.js: Added.
2072         (shouldBe):
2073         * complex/tagged-template-regeneration.js: Added.
2074         (call):
2075         (test):
2076         * modules/tagged-template-inside-module.js: Added.
2077         (from.string_appeared_here.call):
2078         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2079         (call):
2080         (export.otherTaggedTemplates):
2081         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2082         (shouldBe):
2083         (call):
2084         (poly):
2085         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2086         (shouldBe):
2087         (call):
2088         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2089         (shouldBe):
2090         (call):
2091         (test):
2092         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2093         (shouldBe):
2094         (call):
2095         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2096         (shouldBe):
2097         (call):
2098         * stress/tagged-templates-in-multiple-functions.js: Added.
2099         (shouldBe):
2100         (call):
2101         (a):
2102         (b):
2103         (c):
2104         * stress/tagged-templates-with-same-start-offset.js: Added.
2105         (shouldBe):
2106
2107 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2108
2109         All prototypes should call didBecomePrototype()
2110         https://bugs.webkit.org/show_bug.cgi?id=196315
2111
2112         Reviewed by Saam Barati.
2113
2114         * stress/function-prototype-indexed-accessor.js: Added.
2115
2116 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2117
2118         Unreviewed, rolling out r244978.
2119         https://bugs.webkit.org/show_bug.cgi?id=197671
2120
2121         TemplateObject map should use start/end offsets (Requested by
2122         yusukesuzuki on #webkit).
2123
2124         Reverted changeset:
2125
2126         "TemplateObject passed to template literal tags are not always
2127         identical for the same source location."
2128         https://bugs.webkit.org/show_bug.cgi?id=190756
2129         https://trac.webkit.org/changeset/244978
2130
2131 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2132
2133         tryCachePutByID should not crash if target offset changes
2134         https://bugs.webkit.org/show_bug.cgi?id=197311
2135         <rdar://problem/48033612>
2136
2137         Reviewed by Filip Pizlo.
2138
2139         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
2140         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
2141
2142         * stress/cache-put-by-id-delete-prototype.js: Added.
2143         (A.prototype.set y):
2144         (A):
2145         (B.prototype.set y):
2146         (B):
2147         (C):
2148         * stress/cache-put-by-id-different-__proto__.js: Added.
2149         (A.prototype.set y):
2150         (A):
2151         (B1):
2152         (B2.prototype.set y):
2153         (B2):
2154         (C):
2155         (D):
2156         * stress/cache-put-by-id-different-attributes.js: Added.
2157         (Foo):
2158         (set x):
2159         * stress/cache-put-by-id-different-offset.js: Added.
2160         (Foo):
2161         (set x):
2162         * stress/cache-put-by-id-insert-prototype.js: Added.
2163         (A.prototype.set y):
2164         (A):
2165         (C):
2166         * stress/cache-put-by-id-poly-proto.js: Added.
2167         (Foo):
2168         (set _):
2169         (createBar.Bar):
2170         (createBar):
2171
2172 2019-05-07  Saam Barati  <sbarati@apple.com>
2173
2174         Don't OSR enter into an FTL CodeBlock that has been jettisoned
2175         https://bugs.webkit.org/show_bug.cgi?id=197531
2176         <rdar://problem/50162379>
2177
2178         Reviewed by Yusuke Suzuki.
2179
2180         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2181
2182 2019-05-06  Dean Jackson  <dino@apple.com>
2183
2184         Update test262 expectations for Proxy passes
2185         https://bugs.webkit.org/show_bug.cgi?id=197628
2186
2187         Reviewed by Yusuke Suzuki.
2188
2189         There are two consistent passes in Proxy.ownKeys.
2190
2191         * test262/expectations.yaml:
2192
2193 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2194
2195         [JSC] We should check OOM for description string of Symbol
2196         https://bugs.webkit.org/show_bug.cgi?id=197634
2197
2198         Reviewed by Keith Miller.
2199
2200         * stress/check-symbol-description-oom.js: Added.
2201         (shouldThrow):
2202
2203 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2204
2205         Unreviewed, land one more test
2206         https://bugs.webkit.org/show_bug.cgi?id=197587
2207
2208         * stress/setter-frame-flush.js: Added.
2209         (setter):
2210         (foo):
2211         (bar):
2212
2213 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2214
2215         TemplateObject passed to template literal tags are not always identical for the same source location.
2216         https://bugs.webkit.org/show_bug.cgi?id=190756
2217
2218         Reviewed by Saam Barati.
2219
2220         * complex.yaml:
2221         * complex/tagged-template-regeneration-after.js: Added.
2222         (shouldBe):
2223         * complex/tagged-template-regeneration.js: Added.
2224         (call):
2225         (test):
2226         * modules/tagged-template-inside-module.js: Added.
2227         (from.string_appeared_here.call):
2228         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2229         (call):
2230         (export.otherTaggedTemplates):
2231         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2232         (shouldBe):
2233         (call):
2234         (poly):
2235         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2236         (shouldBe):
2237         (call):
2238         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2239         (shouldBe):
2240         (call):
2241         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2242         (shouldBe):
2243         (call):
2244         * stress/tagged-templates-in-multiple-functions.js: Added.
2245         (shouldBe):
2246         (call):
2247         (a):
2248         (b):
2249         (c):
2250
2251 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
2252
2253         [PlayStation] JSC Stress tests failing due to timezone printing
2254         https://bugs.webkit.org/show_bug.cgi?id=197615
2255
2256         PlayStation's strftime does not give timezone strings, which
2257         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
2258         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
2259         which causes diff failures with the expectations. Add expectations
2260         without the timezone string and use those on playstation.
2261
2262         Reviewed by Ross Kirsling.
2263
2264         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
2265         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
2266         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
2267         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
2268
2269 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2270
2271         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
2272         https://bugs.webkit.org/show_bug.cgi?id=197587
2273
2274         Reviewed by Sam Weinig.
2275
2276         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
2277
2278         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
2279
2280 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
2281
2282         TypedArrays should not store properties that are canonical numeric indices
2283         https://bugs.webkit.org/show_bug.cgi?id=197228
2284         <rdar://problem/49557381>
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/array-species-config-array-constructor.js:
2289         (test):
2290         * stress/put-direct-index-broken-2.js:
2291         * stress/typed-array-canonical-numeric-index-string.js: Added.
2292         (makeTest.assert):
2293         (makeTest):
2294         (const.testInvalidIndices.makeTest.set assert):
2295         (const.testInvalidIndices.makeTest):
2296         (const.makeTestValidIndex.configurable.set assert):
2297         (const.makeTestValidIndex.configurable):
2298         * stress/typedarray-access-monomorphic-neutered.js:
2299         (checkNoException):
2300         (testNoException):
2301         (testFTLNoException):
2302         * stress/typedarray-access-neutered.js:
2303         (testNoException):
2304         * stress/typedarray-getownproperty-not-configurable.js:
2305         (foo):
2306         * test262/expectations.yaml:
2307
2308 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2309
2310         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
2311         https://bugs.webkit.org/show_bug.cgi?id=197584
2312
2313         Reviewed by Saam Barati.
2314
2315         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
2316         (X):
2317         (foo):
2318
2319 2019-05-03  Michael Saboff  <msaboff@apple.com>
2320
2321         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
2322         https://bugs.webkit.org/show_bug.cgi?id=197586
2323
2324         Reviewed by Keith Miller.
2325
2326         We should only run one config of this test and only when we think we'll have the memory.
2327
2328         * stress/json-stringify-string-builder-overflow.js:
2329
2330 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2331
2332         [JSC] Generator CodeBlock generation should be idempotent
2333         https://bugs.webkit.org/show_bug.cgi?id=197552
2334
2335         Reviewed by Keith Miller.
2336
2337         Add complex.yaml, which controls how to run JSC shell more.
2338         We split test files into two to run macro task between them which allows debugger to be attached to VM.
2339
2340         * complex.yaml: Added.
2341         * complex/generator-regeneration-after.js: Added.
2342         * complex/generator-regeneration.js: Added.
2343         (gen):
2344
2345 2019-05-02  Michael Saboff  <msaboff@apple.com>
2346
2347         Unreviewed rollout of r244862.
2348
2349         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
2350
2351 2019-05-01  Saam barati  <sbarati@apple.com>
2352
2353         Baseline JIT should do argument value profiling after checking for stack overflow
2354         https://bugs.webkit.org/show_bug.cgi?id=197052
2355         <rdar://problem/50009602>
2356
2357         Reviewed by Yusuke Suzuki.
2358
2359         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
2360
2361 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
2362
2363         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
2364         https://bugs.webkit.org/show_bug.cgi?id=197405
2365
2366         Reviewed by Saam Barati.
2367
2368         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
2369         (foo):
2370         (test):
2371         (i.o.get f):
2372         (i.o.set f):
2373
2374 2019-05-01  Michael Saboff  <msaboff@apple.com>
2375
2376         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
2377         https://bugs.webkit.org/show_bug.cgi?id=197485
2378
2379         Reviewed by Saam Barati.
2380
2381         New test.
2382
2383         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
2384         (foo):
2385
2386 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
2387
2388         Unreviewed correction to Test262 expectations following r244828.
2389
2390         * test262/expectations.yaml:
2391
2392 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
2393
2394         Add memory-limited skipping to some tests generating very large strings
2395         https://bugs.webkit.org/show_bug.cgi?id=197437
2396
2397         Reviewed by Ross Kirsling.
2398
2399         * stress/StringObject-define-length-getter-rope-string-oom.js:
2400         * stress/create-error-out-of-memory-rope-string.js:
2401         * stress/string-16bit-repeat-overflow.js:
2402
2403 2019-04-30  Commit Queue  <commit-queue@webkit.org>
2404
2405         Unreviewed, rolling out r244806.
2406         https://bugs.webkit.org/show_bug.cgi?id=197446
2407
2408         Causing Test262 and JSC test failures on multiple builds
2409         (Requested by ShawnRoberts on #webkit).
2410
2411         Reverted changeset:
2412
2413         "TypeArrays should not store properties that are canonical
2414         numeric indices"
2415         https://bugs.webkit.org/show_bug.cgi?id=197228
2416         https://trac.webkit.org/changeset/244806
2417
2418 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
2419
2420         TypeArrays should not store properties that are canonical numeric indices
2421         https://bugs.webkit.org/show_bug.cgi?id=197228
2422         <rdar://problem/49557381>
2423
2424         Reviewed by Darin Adler.
2425
2426         * stress/typed-array-canonical-numeric-index-string.js: Added.
2427         (makeTest.assert):
2428         (makeTest):
2429         (const.testInvalidIndices.makeTest.set assert):
2430         (const.testInvalidIndices.makeTest):
2431         (const.testValidIndices.makeTest.set assert):
2432         (const.testValidIndices.makeTest):
2433
2434 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
2435
2436         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
2437         https://bugs.webkit.org/show_bug.cgi?id=197362
2438
2439         Reviewed by Saam Barati.
2440
2441         * stress/map-with-nan.js: Added.
2442         (shouldBe):
2443         (div):
2444         (NaN1):
2445         (NaN2):
2446         (NaN3):
2447         (NaN4):
2448         (NaN1NoInline):
2449         (NaN2NoInline):
2450         (NaN3NoInline):
2451         (NaN4NoInline):
2452         (test1):
2453         (test2):
2454         (test3):
2455         (test4):
2456         * stress/set-with-nan.js: Added.
2457         (shouldBe):
2458         (div):
2459         (NaN1):
2460         (NaN2):
2461         (NaN3):
2462         (NaN4):
2463         (NaN1NoInline):
2464         (NaN2NoInline):
2465         (NaN3NoInline):
2466         (NaN4NoInline):
2467         (test2):
2468         (test4):
2469
2470 2019-04-26  Commit Queue  <commit-queue@webkit.org>
2471
2472         Unreviewed, rolling out r244708.
2473         https://bugs.webkit.org/show_bug.cgi?id=197334
2474
2475         "Broke the debug build" (Requested by rmorisset on #webkit).
2476
2477         Reverted changeset:
2478
2479         "All prototypes should call didBecomePrototype()"
2480         https://bugs.webkit.org/show_bug.cgi?id=196315
2481         https://trac.webkit.org/changeset/244708
2482
2483 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
2484
2485         [JSC] linkPolymorphicCall now does GC
2486         https://bugs.webkit.org/show_bug.cgi?id=197306
2487
2488         Reviewed by Saam Barati.
2489
2490         * stress/link-polymorphic-call-can-gc.js: Added.
2491         (module):
2492         (instance):
2493
2494 2019-04-26  Robin Morisset  <rmorisset@apple.com>
2495
2496         All prototypes should call didBecomePrototype()
2497         https://bugs.webkit.org/show_bug.cgi?id=196315
2498
2499         Reviewed by Saam Barati.
2500
2501         * stress/function-prototype-indexed-accessor.js: Added.
2502
2503 2019-04-23  Saam Barati  <sbarati@apple.com>
2504
2505         LICM incorrectly assumes it'll never insert a node which provably OSR exits
2506         https://bugs.webkit.org/show_bug.cgi?id=196721
2507         <rdar://problem/49556479> 
2508
2509         Reviewed by Filip Pizlo.
2510
2511         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
2512         (foo):
2513
2514 2019-04-19  Saam Barati  <sbarati@apple.com>
2515
2516         AbstractValue can represent more than int52
2517         https://bugs.webkit.org/show_bug.cgi?id=197118
2518         <rdar://problem/49969960>
2519
2520         Reviewed by Michael Saboff.
2521
2522         * stress/abstract-value-can-include-int52.js: Added.
2523         (foo):
2524         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
2525
2526 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
2527
2528         [WTF] StringBuilder should set correct m_is8Bit flag when merging
2529         https://bugs.webkit.org/show_bug.cgi?id=197053
2530
2531         Reviewed by Saam Barati.
2532
2533         * stress/merge-string-builder-in-dfg.js: Added.
2534         (foo):
2535
2536 2019-04-16  Caitlin Potter  <caitp@igalia.com>
2537
2538         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2539         https://bugs.webkit.org/show_bug.cgi?id=176810
2540
2541         Reviewed by Saam Barati.
2542
2543         Add tests for the DontEnum filtering, and variations of other tests
2544         take the DontEnum-filtering path.
2545
2546         * stress/proxy-own-keys.js:
2547         (i.catch):
2548         (set assert):
2549         (set add):
2550         (let.set new):
2551         (get let):
2552
2553 2019-04-15  Saam barati  <sbarati@apple.com>
2554
2555         Modify how we do SetArgument when we inline varargs calls
2556         https://bugs.webkit.org/show_bug.cgi?id=196712
2557         <rdar://problem/49605012>
2558
2559         Reviewed by Michael Saboff.
2560
2561         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
2562         (foo):
2563
2564 2019-04-15  Saam barati  <sbarati@apple.com>
2565
2566         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
2567         https://bugs.webkit.org/show_bug.cgi?id=196945
2568         <rdar://problem/49802750>
2569
2570         Reviewed by Filip Pizlo.
2571
2572         * stress/get-by-offset-should-use-correct-child.js: Added.
2573         (foo.bar):
2574         (foo):
2575
2576 2019-04-15  Robin Morisset  <rmorisset@apple.com>
2577
2578         DFG should be able to constant fold Object.create() with a constant prototype operand
2579         https://bugs.webkit.org/show_bug.cgi?id=196886
2580
2581         Reviewed by Yusuke Suzuki.
2582
2583         Note that this new benchmark does not currently see a speedup with inlining removed.
2584         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
2585
2586         * microbenchmarks/object-create-constant-prototype.js: Added.
2587         (test):
2588
2589 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
2590
2591         Incremental bytecode cache should not append function updates when loaded from memory
2592         https://bugs.webkit.org/show_bug.cgi?id=196865
2593
2594         Reviewed by Filip Pizlo.
2595
2596         * stress/bytecode-cache-shared-code-block.js: Added.
2597         (b):
2598         (program):
2599
2600 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
2601
2602         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
2603         https://bugs.webkit.org/show_bug.cgi?id=196880
2604
2605         Reviewed by Yusuke Suzuki.
2606
2607         * stress/bytecode-cache-syntax-error.js: Added.
2608         (catch):
2609
2610 2019-04-12  Saam barati  <sbarati@apple.com>
2611
2612         r244079 logically broke shouldSpeculateInt52
2613         https://bugs.webkit.org/show_bug.cgi?id=196884
2614
2615         Reviewed by Yusuke Suzuki.
2616
2617         * microbenchmarks/int52-rand-function.js: Added.
2618         (Math.random):
2619
2620 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
2621
2622         [JSC] op_has_indexed_property should not assume subscript part is Uint32
2623         https://bugs.webkit.org/show_bug.cgi?id=196850
2624
2625         Reviewed by Saam Barati.
2626
2627         * stress/has-indexed-property-should-accept-non-int32.js: Added.
2628         (foo):
2629
2630 2019-04-11  Saam barati  <sbarati@apple.com>
2631
2632         Remove invalid assertion in operationInstanceOfCustom
2633         https://bugs.webkit.org/show_bug.cgi?id=196842
2634         <rdar://problem/49725493>
2635
2636         Reviewed by Michael Saboff.
2637
2638         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
2639
2640 2019-04-10  Saam Barati  <sbarati@apple.com>
2641
2642         AbstractValue::validateOSREntryValue is wrong for Int52 constants
2643         https://bugs.webkit.org/show_bug.cgi?id=196801
2644         <rdar://problem/49771122>
2645
2646         Reviewed by Yusuke Suzuki.
2647
2648         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
2649
2650 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2651
2652         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
2653         https://bugs.webkit.org/show_bug.cgi?id=196746
2654
2655         Reviewed by Yusuke Suzuki.
2656
2657         * stress/cyclic-define-properties.js: Added.
2658         (foo):
2659
2660 2019-04-09  Saam barati  <sbarati@apple.com>
2661
2662         Clean up Int52 code and some bugs in it
2663         https://bugs.webkit.org/show_bug.cgi?id=196639
2664         <rdar://problem/49515757>
2665
2666         Reviewed by Yusuke Suzuki.
2667
2668         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
2669
2670 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
2671
2672         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
2673         https://bugs.webkit.org/show_bug.cgi?id=196708
2674         <rdar://problem/49556803>
2675
2676         Reviewed by Yusuke Suzuki.
2677
2678         * stress/proxy-getter-stack-overflow.js: Added.
2679         (const.handler.get target):
2680         (const.handler.has):
2681         (try.with):
2682         (catch):
2683
2684 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2685
2686         [JSC] DFG should respect node's strict flag
2687         https://bugs.webkit.org/show_bug.cgi?id=196617
2688
2689         Reviewed by Saam Barati.
2690
2691         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
2692         (shouldEqual):
2693         (makeUnwriteableUnconfigurableObject):
2694         (runTest):
2695         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
2696         (shouldBe):
2697         (shouldThrow):
2698         (with.result):
2699         (with.putValueStrict):
2700         (with.putValueSloppy):
2701
2702 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2703
2704         [JSC] isRope jump in StringSlice should not jump over register allocations
2705         https://bugs.webkit.org/show_bug.cgi?id=196716
2706
2707         Reviewed by Saam Barati.
2708
2709         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
2710         (foo.bar):
2711         (foo):
2712
2713 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2714
2715         [JSC] to_index_string should not assume incoming value is Uint32
2716         https://bugs.webkit.org/show_bug.cgi?id=196713
2717
2718         Reviewed by Saam Barati.
2719
2720         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
2721         (foo):
2722
2723 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2724
2725         [JSC] Add more tests for r243966
2726         https://bugs.webkit.org/show_bug.cgi?id=196711
2727
2728         Reviewed by Saam Barati.
2729
2730         Adding one more test for r243966 fix. The added test will not crash after r243966.
2731
2732         * stress/stress-cleared-calllinkinfo.js: Added.
2733         (runNearStackLimit.t):
2734         (runNearStackLimit):
2735         (repeat):
2736         (cls):
2737         (let.item.of.array.runNearStackLimit):
2738
2739 2019-04-08  Saam Barati  <sbarati@apple.com>
2740
2741         WebAssembly.RuntimeError missing exception check
2742         https://bugs.webkit.org/show_bug.cgi?id=196700
2743         <rdar://problem/49693932>
2744
2745         Reviewed by Yusuke Suzuki.
2746
2747         * wasm/js-api/runtime-error-should-exception-check.js: Added.
2748
2749 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2750
2751         Unreviewed, rolling in r243948 with test fix
2752         https://bugs.webkit.org/show_bug.cgi?id=196486
2753
2754         * stress/arrow-function-and-use-strict-directive.js: Added.
2755         * stress/arrow-function-syntax.js: Added.
2756         (checkSyntax):
2757         (checkSyntaxError):
2758
2759 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2760
2761         Unreviewed, rolling out r243948.
2762
2763         Caused inspector/runtime/parse.html to fail
2764
2765         Reverted changeset:
2766
2767         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
2768         https://bugs.webkit.org/show_bug.cgi?id=196486
2769         https://trac.webkit.org/changeset/243948
2770
2771 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2772
2773         Unreviewed, rolling out r243943.
2774
2775         Caused test262 failures.
2776
2777         Reverted changeset:
2778
2779         "[JSC] Filter DontEnum properties in
2780         ProxyObject::getOwnPropertyNames()"
2781         https://bugs.webkit.org/show_bug.cgi?id=176810
2782         https://trac.webkit.org/changeset/243943
2783
2784 2019-04-07  Michael Saboff  <msaboff@apple.com>
2785
2786         REGRESSION (r243642): Crash in reddit.com page
2787         https://bugs.webkit.org/show_bug.cgi?id=196684
2788
2789         Reviewed by Geoffrey Garen.
2790
2791         New regression test.
2792
2793         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
2794
2795 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
2796
2797         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
2798         https://bugs.webkit.org/show_bug.cgi?id=196683
2799
2800         Reviewed by Saam Barati.
2801
2802         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
2803         (foo):
2804
2805 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2806
2807         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
2808         https://bugs.webkit.org/show_bug.cgi?id=196582
2809
2810         Reviewed by Saam Barati.
2811
2812         * stress/add-overflow-check-with-three-same-registers.js: Added.
2813         (foo):
2814         (Number.prototype.valueOf):
2815         (runWithNumber):
2816
2817 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
2818
2819         Unreviewed, rolling out r243665.
2820
2821         Caused iOS JSC tests to exit with an exception.
2822
2823         Reverted changeset:
2824
2825         "Assertion failed in JSC::createError"
2826         https://bugs.webkit.org/show_bug.cgi?id=196305
2827         https://trac.webkit.org/changeset/243665
2828
2829 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2830
2831         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
2832         https://bugs.webkit.org/show_bug.cgi?id=196486
2833
2834         Reviewed by Saam Barati.
2835
2836         * stress/arrow-function-and-use-strict-directive.js: Added.
2837         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
2838         (checkSyntax):
2839         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
2840
2841 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2842
2843         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2844         https://bugs.webkit.org/show_bug.cgi?id=176810
2845
2846         Reviewed by Saam Barati.
2847
2848         Add tests for the DontEnum filtering, and variations of other tests
2849         take the DontEnum-filtering path.
2850
2851         * stress/proxy-own-keys.js:
2852         (i.catch):
2853         (set assert):
2854         (set add):
2855         (let.set new):
2856         (get let):
2857
2858 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2859
2860         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
2861         https://bugs.webkit.org/show_bug.cgi?id=185211
2862
2863         Reviewed by Saam Barati.
2864
2865         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
2866
2867         This changes several assertions to expect a TypeError to be thrown (in some cases,
2868         changing thee expected message).
2869
2870         * es6/Proxy_ownKeys_duplicates.js:
2871         (handler):
2872         (shouldThrow):
2873         (test):
2874         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
2875         (shouldThrow):
2876         * stress/proxy-own-keys.js:
2877         (i.catch):
2878         (assert):
2879
2880 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2881
2882         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
2883         https://bugs.webkit.org/show_bug.cgi?id=196631
2884
2885         Reviewed by Saam Barati.
2886
2887         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
2888         (assert):
2889         (test):
2890         (foo):
2891
2892 2019-04-04  Saam Barati  <sbarati@apple.com>
2893
2894         Unreviewed. Make the test from r243906 catch the thrown exceptions.
2895
2896         * stress/inferred-types-regex-matches-array.js:
2897
2898 2019-04-04  Saam Barati  <sbarati@apple.com>
2899
2900         createRegExpMatchesArray does not respect inferred types
2901         https://bugs.webkit.org/show_bug.cgi?id=193287
2902
2903         Reviewed by Yusuke Suzuki.
2904
2905         This checks in the test case for 193287. This issue was discovered by
2906         Samuel GroƟ of Google Project Zero.
2907
2908         * stress/inferred-types-regex-matches-array.js: Added.
2909
2910 2019-04-04  Saam barati  <sbarati@apple.com>
2911
2912         Teach Call ICs how to call Wasm
2913         https://bugs.webkit.org/show_bug.cgi?id=196387
2914
2915         Reviewed by Filip Pizlo.
2916
2917         * wasm/function-tests/stack-trace.js:
2918
2919 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
2920
2921         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
2922         https://bugs.webkit.org/show_bug.cgi?id=194944
2923
2924         Reviewed by Keith Miller.
2925
2926         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
2927
2928 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
2929
2930         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
2931         https://bugs.webkit.org/show_bug.cgi?id=196409
2932
2933         Reviewed by Saam Barati.
2934
2935         * stress/bytecode-cache-cached-string-impl.js: Added.
2936         (f):
2937         (g):
2938         * stress/bytecode-cache-run-string.js: Added.
2939
2940 2019-04-03  Robin Morisset  <rmorisset@apple.com>
2941
2942         B3 should use associativity to optimize expression trees
2943         https://bugs.webkit.org/show_bug.cgi?id=194081
2944
2945         Reviewed by Filip Pizlo.
2946
2947         Added three microbenchmarks:
2948         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
2949         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
2950           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
2951         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
2952
2953         * microbenchmarks/add-tree.js: Added.
2954         * microbenchmarks/bit-or-tree.js: Added.
2955         * microbenchmarks/bit-xor-tree.js: Added.
2956
2957 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2958
2959         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
2960         https://bugs.webkit.org/show_bug.cgi?id=196574
2961
2962         Reviewed by Saam Barati.
2963
2964         * stress/string-index-of-exception-check.js: Added.
2965         (blurType):
2966         (1.forEach):
2967
2968 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2969
2970         Assertion failed in JSC::createError
2971         https://bugs.webkit.org/show_bug.cgi?id=196305
2972         <rdar://problem/49387382>
2973
2974         Reviewed by Saam Barati.
2975
2976         * stress/create-error-out-of-memory-rope-string-2.js: Added.
2977         (assert):
2978         (catch):
2979
2980 2019-03-28  Saam Barati  <sbarati@apple.com>
2981
2982         BackwardsGraph needs to consider back edges as the backward's root successor
2983         https://bugs.webkit.org/show_bug.cgi?id=195991
2984
2985         Reviewed by Filip Pizlo.
2986
2987         * stress/map-b3-licm-infinite-loop.js: Added.
2988
2989 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
2990
2991         CodeBlock::jettison() should disallow repatching its own calls
2992         https://bugs.webkit.org/show_bug.cgi?id=196359
2993         <rdar://problem/48973663>
2994
2995         Reviewed by Saam Barati.
2996
2997         * stress/call-link-info-osrexit-repatch.js: Added.
2998         (foo):
2999
3000 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
3001
3002         [JSC] imports-oom.js intermittently fails
3003         https://bugs.webkit.org/show_bug.cgi?id=196373
3004
3005         Reviewed by Saam Barati.
3006
3007         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
3008         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
3009         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
3010         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
3011         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
3012
3013         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
3014         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
3015
3016         * wasm/lowExecutableMemory/imports-oom.js:
3017
3018 2019-03-27  Saam Barati  <sbarati@apple.com>
3019
3020         validateOSREntryValue with Int52 should box the value being checked into double format
3021         https://bugs.webkit.org/show_bug.cgi?id=196313
3022         <rdar://problem/49306703>
3023
3024         Reviewed by Yusuke Suzuki.
3025
3026         * stress/validate-int-52-ai-state.js: Added.
3027
3028 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3029
3030         [JSC] Owner of watchpoints should validate at GC finalizing phase
3031         https://bugs.webkit.org/show_bug.cgi?id=195827
3032
3033         Reviewed by Filip Pizlo.
3034
3035         * stress/gc-should-reap-dead-watchpoints.js: Added.
3036         (foo):
3037         (A.prototype.y):
3038         (A):
3039
3040 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
3041
3042         Skip WebAssembly test on 32-bit systems
3043         https://bugs.webkit.org/show_bug.cgi?id=196206
3044
3045         Reviewed by Saam Barati.
3046
3047         Invoking runDefault executes test immediately even though
3048         that test should be skipped due to missing WASM support.
3049         Therefore remove runDefault.
3050
3051         * wasm/regress/web-assembly-link-error-exception-check.js:
3052
3053 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
3054
3055         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
3056         https://bugs.webkit.org/show_bug.cgi?id=196217
3057
3058         Reviewed by Saam Barati.
3059
3060         Re-enable all NaN tests for f32.min, f64.min and f64.max.
3061
3062         * wasm/spec-tests/f32.wast.js:
3063         * wasm/spec-tests/f64.wast.js:
3064         * wasm/wasm.json:
3065
3066 2019-03-25  Keith Miller  <keith_miller@apple.com>
3067
3068         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
3069         https://bugs.webkit.org/show_bug.cgi?id=196176
3070
3071         Reviewed by Saam Barati.
3072
3073         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
3074         (main.v10):
3075         (main):
3076
3077 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
3078
3079         WebAssembly: f32.max with NaN generates incorrect result
3080         https://bugs.webkit.org/show_bug.cgi?id=175691
3081         <rdar://problem/33952228>
3082
3083         Reviewed by Saam Barati.
3084
3085         Enable all f32.max NaN tests
3086
3087         * wasm/spec-tests/f32.wast.js:
3088         * wasm/wasm.json:
3089
3090 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
3091
3092         [JSC] Move test into directory for WASM tests
3093         https://bugs.webkit.org/show_bug.cgi?id=196187
3094
3095         Reviewed by Mark Lam.
3096
3097         Move Test into wasm-directory. Otherwise this test
3098         is also executed on systems without WASM support.
3099
3100         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
3101
3102 2019-03-23  Mark Lam  <mark.lam@apple.com>
3103
3104         Rolling out r243032 and r243071 because the fix is incorrect.
3105         https://bugs.webkit.org/show_bug.cgi?id=195892
3106         <rdar://problem/48981239>
3107
3108         Not reviewed.
3109
3110         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
3111
3112 2019-03-22  Mark Lam  <mark.lam@apple.com>
3113
3114         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
3115         https://bugs.webkit.org/show_bug.cgi?id=196154
3116         <rdar://problem/49145307>
3117
3118         Reviewed by Filip Pizlo.
3119
3120         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
3121         There's no need to run this test on more than 1 test configuration.
3122
3123         * stress/typed-array-lastIndexOf-exception-check.js: Added.
3124         * stress/web-assembly-link-error-exception-check.js:
3125
3126 2019-03-22  Mark Lam  <mark.lam@apple.com>
3127
3128         Placate exception check validation in constructJSWebAssemblyLinkError().
3129         https://bugs.webkit.org/show_bug.cgi?id=196152
3130         <rdar://problem/49145257>
3131
3132         Reviewed by Michael Saboff.
3133
3134         * stress/web-assembly-link-error-exception-check.js: Added.
3135
3136 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3137
3138         Skip tests running out of memory on ARM/MIPS
3139         https://bugs.webkit.org/show_bug.cgi?id=196131
3140
3141         Unreviewed. Skip test if memory is limited.
3142
3143         * microbenchmarks/put-by-val-direct-large-index.js:
3144
3145 2019-03-21  Mark Lam  <mark.lam@apple.com>
3146
3147         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
3148         https://bugs.webkit.org/show_bug.cgi?id=196116
3149         <rdar://problem/48976951>
3150
3151         Reviewed by Filip Pizlo.
3152
3153         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
3154
3155 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3156
3157         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3158         https://bugs.webkit.org/show_bug.cgi?id=196078
3159         <rdar://problem/35925380>
3160
3161         Reviewed by Mark Lam.
3162
3163         Add a new benchmark that allocates several objects and invokes put_by_val_direct
3164         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
3165
3166         * microbenchmarks/put-by-val-direct-large-index.js: Added.
3167
3168 2019-03-21  Mark Lam  <mark.lam@apple.com>
3169
3170         Placate exception check validation in operationArrayIndexOfString().
3171         https://bugs.webkit.org/show_bug.cgi?id=196067
3172         <rdar://problem/49056572>
3173
3174         Reviewed by Michael Saboff.
3175
3176         * stress/string-equal-exception-check.js: Added.
3177
3178 2019-03-21  Mark Lam  <mark.lam@apple.com>
3179
3180         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3181         https://bugs.webkit.org/show_bug.cgi?id=196055
3182         <rdar://problem/49067448>
3183
3184         Reviewed by Yusuke Suzuki.
3185
3186         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
3187
3188 2019-03-20  Saam Barati  <sbarati@apple.com>
3189
3190         typeOfDoubleSum is wrong for when NaN can be produced
3191         https://bugs.webkit.org/show_bug.cgi?id=196030
3192
3193         Reviewed by Filip Pizlo.
3194
3195         * stress/double-add-sub-mul-can-produce-nan.js: Added.
3196         (assert):
3197         (noInline.sub):
3198         (noInline):
3199         (assert.mul):
3200         (assert.add):
3201
3202 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3203
3204         Update the test to ensure OutOfMemoryError is thrown as intended
3205         https://bugs.webkit.org/show_bug.cgi?id=196032
3206         <rdar://problem/46842740>
3207
3208         Rubber stamped by Saam Barati.
3209
3210         * stress/create-error-out-of-memory-rope-string.js:
3211         (assert):
3212         (catch):
3213
3214 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3215
3216         JSC::createError needs to check for OOM in errorDescriptionForValue
3217         https://bugs.webkit.org/show_bug.cgi?id=196032
3218         <rdar://problem/46842740>
3219
3220         Reviewed by Mark Lam.
3221
3222         * stress/create-error-out-of-memory-rope-string.js: Added.
3223
3224 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
3225
3226         Unreviewed, reduce # of iterations to avoid timing out after r242991
3227         https://bugs.webkit.org/show_bug.cgi?id=195791
3228
3229         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
3230
3231         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3232
3233 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3234
3235         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
3236         https://bugs.webkit.org/show_bug.cgi?id=195950
3237
3238         Unreviewed, reducing the amount of memory used on this test to avoid
3239         OOM on devices with memory restrictions.
3240
3241         * microbenchmarks/generate-multiple-llint-entrypoints.js:
3242
3243 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3244
3245         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
3246         https://bugs.webkit.org/show_bug.cgi?id=194648
3247
3248         Reviewed by Keith Miller.
3249
3250         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
3251
3252 2019-03-18  Mark Lam  <mark.lam@apple.com>
3253
3254         Missing a ThrowScope release in JSObject::toString().
3255         https://bugs.webkit.org/show_bug.cgi?id=195893
3256         <rdar://problem/48970986>
3257
3258         Reviewed by Michael Saboff.
3259
3260         * stress/to-string-exception-check-release.js: Added.
3261
3262 2019-03-18  Mark Lam  <mark.lam@apple.com>
3263
3264         Structure::flattenDictionary() should clear unused property slots.
3265         https://bugs.webkit.org/show_bug.cgi?id=195871
3266         <rdar://problem/48959497>
3267
3268         Reviewed by Michael Saboff.
3269
3270         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
3271
3272 2019-03-15  Mark Lam  <mark.lam@apple.com>
3273
3274         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
3275         https://bugs.webkit.org/show_bug.cgi?id=195827
3276         <rdar://problem/48845513>
3277
3278         Reviewed by Filip Pizlo.
3279
3280         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
3281
3282 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
3283
3284         [ARM,MIPS] Skip slow tests
3285         https://bugs.webkit.org/show_bug.cgi?id=195799
3286
3287         Unreviewed, test does not finish on ARM and MIPS within the
3288         timeout limit.
3289
3290         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3291
3292 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
3293
3294         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
3295         https://bugs.webkit.org/show_bug.cgi?id=195791
3296         <rdar://problem/48806130>
3297
3298         Reviewed by Mark Lam.
3299
3300         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
3301         (foo):
3302
3303 2019-03-14  Saam barati  <sbarati@apple.com>
3304
3305         We can't remove code after ForceOSRExit until after FixupPhase
3306         https://bugs.webkit.org/show_bug.cgi?id=186916
3307         <rdar://problem/41396612>
3308
3309         Reviewed by Yusuke Suzuki.
3310
3311         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
3312         (foo):
3313         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
3314         (foo):
3315
3316 2019-03-13  Michael Saboff  <msaboff@apple.com>
3317
3318         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
3319         https://bugs.webkit.org/show_bug.cgi?id=195735
3320
3321         Reviewed by Mark Lam.
3322
3323         New regression test.
3324
3325         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
3326         (foo):
3327         (bar):
3328
3329 2019-03-14  Saam barati  <sbarati@apple.com>
3330
3331         Fixup uses KnownInt32 incorrectly in some nodes
3332         https://bugs.webkit.org/show_bug.cgi?id=195279
3333         <rdar://problem/47915654>
3334
3335         Reviewed by Yusuke Suzuki.
3336
3337         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
3338         (foo):
3339
3340 2019-03-14  Keith Miller  <keith_miller@apple.com>
3341
3342         DFG liveness can't skip tail caller inline frames
3343         https://bugs.webkit.org/show_bug.cgi?id=195715
3344
3345         Reviewed by Saam Barati.
3346
3347         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
3348         (i.foo):
3349
3350 2019-03-13  Mark Lam  <mark.lam@apple.com>
3351
3352         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
3353         https://bugs.webkit.org/show_bug.cgi?id=195415
3354
3355         Not reviewed.
3356
3357         Changed these tests to only run the default configuration.
3358         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
3359         There's no strong need to run this test on that variant.
3360
3361         * stress/dfg-to-string-on-int-does-gc.js:
3362         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
3363
3364 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
3365
3366         String overflow when using StringBuilder in JSC::createError
3367         https://bugs.webkit.org/show_bug.cgi?id=194957
3368
3369         Reviewed by Mark Lam.
3370
3371         Add test string-overflow-createError-bulder.js that overflows
3372         StringBuilder in notAFunctionSourceAppender. The second new test
3373         string-overflow-createError-fit.js has an error message that doesn't
3374         overflow, it still failed since the String's capacity can't be doubled.
3375         Run test string-overflow-createError.js only in the default
3376         configuration to reduce memory consumption when running the test
3377         in all configurations on multiple CPUs in parallel.
3378
3379         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
3380         (catch):
3381         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
3382         (catch):
3383         * stress/string-overflow-createError.js:
3384
3385 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
3386
3387         [JSC] OSR entry should respect abstract values in addition to flush formats
3388         https://bugs.webkit.org/show_bug.cgi?id=195653
3389
3390         Reviewed by Mark Lam.
3391
3392         * stress/osr-entry-locals-none.js: Added.
3393
3394 2019-03-12  Michael Saboff  <msaboff@apple.com>
3395
3396         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
3397         https://bugs.webkit.org/show_bug.cgi?id=195613
3398
3399         Reviewed by Mark Lam.
3400
3401         New regression test.
3402
3403         * stress/regexp-backref-inbounds.js: Added.
3404         (testRegExp):
3405
3406 2019-03-12  Mark Lam  <mark.lam@apple.com>
3407
3408         The HasIndexedProperty node does GC.
3409         https://bugs.webkit.org/show_bug.cgi?id=195559
3410         <rdar://problem/48767923>
3411
3412         Reviewed by Yusuke Suzuki.
3413
3414         * stress/HasIndexedProperty-does-gc.js: Added.
3415
3416 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
3417
3418         [ESNext][BigInt] Implement "~" unary operation
3419         https://bugs.webkit.org/show_bug.cgi?id=182216
3420
3421         Reviewed by Keith Miller.
3422
3423         * stress/big-int-bit-not-general.js: Added.
3424         * stress/big-int-bitwise-not-jit.js: Added.
3425         * stress/big-int-bitwise-not-wrapped-value.js: Added.
3426         * stress/bit-op-with-object-returning-int32.js:
3427         * stress/bitwise-not-fixup-rules.js: Added.
3428         * stress/value-bit-not-ai-rule.js: Added.
3429
3430 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
3431
3432         Invalid flags in a RegExp literal should be an early SyntaxError
3433         https://bugs.webkit.org/show_bug.cgi?id=195514
3434
3435         Reviewed by Darin Adler.
3436
3437         * test262/expectations.yaml:
3438         Mark 4 test cases as passing.
3439
3440         * stress/regexp-syntax-error-invalid-flags.js:
3441         * stress/regress-161995.js: Removed.
3442         Update existing test, merging in an older test for the same behavior.
3443
3444 2019-03-08  Mark Lam  <mark.lam@apple.com>
3445
3446         Stack overflow crash in JSC::JSObject::hasInstance.
3447         https://bugs.webkit.org/show_bug.cgi?id=195458
3448         <rdar://problem/48710195>
3449
3450         Reviewed by Yusuke Suzuki.
3451
3452         * stress/stack-overflow-in-custom-hasInstance.js: Added.
3453
3454 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
3455
3456         op_check_tdz does not def its argument
3457         https://bugs.webkit.org/show_bug.cgi?id=192880
3458         <rdar://problem/46221598>
3459
3460         Reviewed by Saam Barati.
3461
3462         * microbenchmarks/let-for-in.js: Added.
3463         (foo):
3464
3465 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
3466
3467         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
3468         https://bugs.webkit.org/show_bug.cgi?id=195429
3469
3470         Reviewed by Saam Barati.
3471
3472         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
3473         (foo):
3474         * stress/string-from-char-code-255.js: Added.
3475
3476 2019-03-06  Mark Lam  <mark.lam@apple.com>
3477
3478         Fix incorrect handling of try-finally completion values.
3479         https://bugs.webkit.org/show_bug.cgi?id=195131
3480         <rdar://problem/46222079>
3481
3482         Reviewed by Saam Barati and Yusuke Suzuki.
3483
3484         Added many permutations of new test case to test-finally.js.  test-finally.js has
3485         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
3486         tests passes there as well.
3487
3488         * stress/test-finally.js:
3489
3490 2019-03-06  Saam Barati  <sbarati@apple.com>
3491
3492         Air::reportUsedRegisters must padInterference
3493         https://bugs.webkit.org/show_bug.cgi?id=195303
3494         <rdar://problem/48270343>
3495
3496         Reviewed by Keith Miller.
3497
3498         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
3499
3500 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
3501
3502         [JSC] AI should not propagate AbstractValue relying on constant folding phase
3503         https://bugs.webkit.org/show_bug.cgi?id=195375
3504
3505         Reviewed by Saam Barati.
3506
3507         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
3508         (let.array):
3509
3510 2019-03-05  Saam barati  <sbarati@apple.com>
3511
3512         op_switch_char broken for rope strings after JSRopeString layout rewrite
3513         https://bugs.webkit.org/show_bug.cgi?id=195339
3514         <rdar://problem/48592545>
3515
3516         Reviewed by Yusuke Suzuki.
3517
3518         * stress/switch-on-char-llint-rope.js: Added.
3519
3520 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
3521
3522         [JSC] Store bits for JSRopeString in 3 stores
3523         https://bugs.webkit.org/show_bug.cgi?id=195234
3524
3525         Reviewed by Saam Barati.
3526
3527         * stress/null-rope-and-collectors.js: Added.
3528
3529 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
3530
3531         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
3532         https://bugs.webkit.org/show_bug.cgi?id=195207
3533
3534         Unreviewed. After test runtime was reduced in r242213, test can be
3535         run again on ARM/MIPS.
3536
3537         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3538
3539 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
3540
3541         [JSC] sizeof(JSString) should be 16
3542         https://bugs.webkit.org/show_bug.cgi?id=194375
3543
3544         Reviewed by Saam Barati.
3545
3546         * microbenchmarks/make-rope.js: Added.
3547         (makeRope):
3548         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
3549         (returnRope.helper): Deleted.
3550         (returnRope): Deleted.
3551
3552 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
3553
3554         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
3555         https://bugs.webkit.org/show_bug.cgi?id=195144
3556
3557         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
3558         Change the number from 1e8 to 1e5.
3559
3560         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3561         (foo):
3562
3563 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
3564
3565         Test times out on ARM/MIPS
3566         https://bugs.webkit.org/show_bug.cgi?id=195168
3567
3568         Unreviewed. Skip test on ARM/MIPS.
3569
3570         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3571
3572 2019-02-27  Mark Lam  <mark.lam@apple.com>
3573
3574         The parser is failing to record the token location of new in new.target.
3575         https://bugs.webkit.org/show_bug.cgi?id=195127
3576         <rdar://problem/39645578>
3577
3578         Reviewed by Yusuke Suzuki.
3579
3580         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
3581
3582 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
3583
3584         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
3585         https://bugs.webkit.org/show_bug.cgi?id=195144
3586         <rdar://problem/47595961>
3587
3588         Reviewed by Mark Lam.
3589
3590         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
3591         (bar):
3592         (foo):
3593         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
3594         (bar):
3595         (foo):
3596
3597 2019-02-27  Robin Morisset  <rmorisset@apple.com>
3598
3599         DFG: Loop-invariant code motion (LICM) should not hoist dead code
3600         https://bugs.webkit.org/show_bug.cgi?id=194945
3601         <rdar://problem/48311657>
3602
3603         Reviewed by Mark Lam.
3604
3605         * stress/licm-dead-code.js: Added.
3606
3607 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
3608
3609         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
3610         https://bugs.webkit.org/show_bug.cgi?id=194677
3611         <rdar://problem/48112492>
3612
3613         Reviewed by Mark Lam.
3614
3615         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
3616         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
3617         it immediately fails due the large size.
3618
3619         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
3620         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
3621         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
3622         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
3623
3624         This patch changes the test to produce 16bit string from String.fromCharCode.
3625
3626         * stress/regress-178386.js:
3627
3628 2019-02-26  Mark Lam  <mark.lam@apple.com>
3629
3630         wasmToJS() should purify incoming NaNs.
3631         https://bugs.webkit.org/show_bug.cgi?id=194807
3632         <rdar://problem/48189132>
3633
3634         Reviewed by Saam Barati.
3635
3636         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
3637
3638 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
3639
3640         [JSC] Repeat string created from Array.prototype.join() take too much memory
3641         https://bugs.webkit.org/show_bug.cgi?id=193912
3642
3643         Reviewed by Saam Barati.
3644
3645         Added a test and a microbenchmark for corner cases of
3646         Array.prototype.join() with an uninitialized array.
3647
3648         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
3649         * stress/array-prototype-join-uninitialized.js: Added.
3650         (testArray):
3651         (testABC):
3652         (B):
3653         (C):
3654
3655 2019-02-22  Robin Morisset  <rmorisset@apple.com>
3656
3657         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
3658         https://bugs.webkit.org/show_bug.cgi?id=194953
3659         <rdar://problem/47595253>
3660
3661         Reviewed by Saam Barati.
3662
3663         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
3664
3665         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
3666
3667 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3668
3669         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3670         https://bugs.webkit.org/show_bug.cgi?id=172848
3671         <rdar://problem/25709212>
3672
3673         Reviewed by Mark Lam.
3674
3675         * typeProfiler/inheritance.js:
3676         Rewrite the test slightly for clarity. The hoisting was confusing.
3677
3678         * heapProfiler/class-names.js: Added.
3679         (MyES5Class):
3680         (MyES6Class):
3681         (MyES6Subclass):
3682         Test object types and improved class names.
3683
3684         * heapProfiler/driver/driver.js:
3685         (CheapHeapSnapshotNode):
3686         (CheapHeapSnapshot):
3687         (createCheapHeapSnapshot):
3688         (HeapSnapshot):
3689         (createHeapSnapshot):
3690         Update snapshot parsing from version 1 to version 2.
3691
3692 2019-02-19  Truitt Savell  <tsavell@apple.com>
3693
3694         Unreviewed, rolling out r241784.
3695
3696         Broke all OpenSource builds.
3697
3698         Reverted changeset:
3699
3700         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
3701         instances view"
3702         https://bugs.webkit.org/show_bug.cgi?id=172848
3703         https://trac.webkit.org/changeset/241784
3704
3705 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3706
3707         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3708         https://bugs.webkit.org/show_bug.cgi?id=172848
3709         <rdar://problem/25709212>
3710
3711         Reviewed by Mark Lam.
3712
3713         * typeProfiler/inheritance.js:
3714         Rewrite the test slightly for clarity. The hoisting was confusing.