[WebKit-https.git] / JSTests / ChangeLog
1 2019-10-01  Saam Barati  <sbarati@apple.com>
2
3         ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
4         https://bugs.webkit.org/show_bug.cgi?id=199361
5         <rdar://problem/52454940>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
10         (main.fn):
11         (main.executor):
12         (main):
13         * stress/allocation-sinking-hints-are-valid-ssa.js: Added.
14         (main.fn):
15         (main.executor):
16         (main):
17
18 2019-10-01  Keith Miller  <keith_miller@apple.com>
19
20         skip test until we figure out why it's timing out
21         https://bugs.webkit.org/show_bug.cgi?id=202423
22
23         Reviewed by Mark Lam.
24
25         new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
26         Let's skip it until we figure out what's going on.
27
28         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
29
30 2019-10-01  Keith Miller  <keith_miller@apple.com>
31
32         Mark toctou test as skipped on debug builds
33         https://bugs.webkit.org/show_bug.cgi?id=202420
34
35         Reviewed by Saam Barati.
36
37         Keeps timing out... Let's just skip it.
38
39         * stress/toctou-having-a-bad-time-new-array.js:
40
41 2019-10-01  Keith Miller  <keith_miller@apple.com>
42
43         Test262 update
44
45         Rubber-stamped by Michael Saboff.
46
47         Note, this was too big to effectively put on bugzilla as it's a 10MB patch...
48
49         * test262/*:
50
51 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
52
53         [YARR] Properly handle surrogates when matching back references
54         https://bugs.webkit.org/show_bug.cgi?id=202041
55
56         Reviewed by Keith Miller.
57
58         Unchanged from the work-in-progress patch posted by Paulo Matos <pmatos@igalia.com>.
59
60         Updated test.
61
62         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
63         (testRegExpNotMatch):
64
65 2019-10-01  Keith Miller  <keith_miller@apple.com>
66
67         Add support for the Wasm multi-value proposal
68         https://bugs.webkit.org/show_bug.cgi?id=202250
69
70         Reviewed by Saam Barati.
71
72         This patch adds a new way to run stress tests via the .wat text
73         format. By attaching an asm.js compiled version of the wabt tool
74         we can easily create wat files programmatically and convert them
75         into a wasm blob to compile. To make this easy there is a
76         wabt-wrapper.js module file that exports two useful functions that
77         correspond to WebAssembly.compile and WebAssembly.instantiate.
78
79         * wasm.yaml:
80         * wasm/function-tests/if-no-else-non-void.js:
81         * wasm/js-api/web-assembly-instantiate.js:
82         (assert.asyncTest.async.test):
83         (assert.asyncTest):
84         * wasm/libwabt.js: Added.
85         (WabtModule):
86         (set get if):
87         * wasm/references/func_ref.js:
88         * wasm/references/validation.js:
89         (assert.throws):
90         * wasm/spec-harness/index.js:
91         * wasm/spec-tests/block.wast.js:
92         * wasm/spec-tests/br.wast.js:
93         * wasm/spec-tests/br_if.wast.js:
94         * wasm/spec-tests/call.wast.js:
95         * wasm/spec-tests/call_indirect.wast.js:
96         * wasm/spec-tests/func.wast.js:
97         * wasm/spec-tests/if.wast.js:
98         * wasm/spec-tests/loop.wast.js:
99         * wasm/spec-tests/type.wast.js:
100         * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
101         (buildWat):
102         * wasm/stress/js-wasm-js-varying-arities.js: Added.
103         (paramForwarder):
104         * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
105         (buildWat):
106         * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
107         (buildWat.throwError):
108         (buildWat.throwErrorInIterator):
109         (buildWat.tooManyValues):
110         (buildWat.tooFewValues):
111         (buildWat):
112         * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
113         (buildWat):
114         * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
115         (buildWat):
116         * wasm/wabt-wrapper.js: Added.
117         (export.compile):
118         * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
119         * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
120         * wasm/wast-tests/harness.js:
121         (async.runWasmFile):
122         * wasm/wast-tests/single-param-loop-signature.wasm: Added.
123         * wasm/wast-tests/single-param-loop-signature.wast: Added.
124
125 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
126
127         Make assertion in JSObject::putOwnDataProperty more precise
128         https://bugs.webkit.org/show_bug.cgi?id=202379
129         <rdar://problem/49515980>
130
131         Reviewed by Yusuke Suzuki.
132
133         * stress/object-assign-target-proto-setter.js: Added.
134         (get Object):
135
136 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
137
138         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
139         https://bugs.webkit.org/show_bug.cgi?id=202389
140         <rdar://problem/50717564>
141
142         Reviewed by Mark Lam.
143
144         * stress/heap-analyzer-taking-lock.js: Added.
145
146 2019-09-30  Saam Barati  <sbarati@apple.com>
147
148         Inline caching is wrong for custom accessors and custom values
149         https://bugs.webkit.org/show_bug.cgi?id=201994
150         <rdar://problem/50850326>
151
152         Reviewed by Yusuke Suzuki.
153
154         * microbenchmarks/custom-accessor-materialized.js: Added.
155         (assert):
156         (test4.get const):
157         * microbenchmarks/custom-accessor-thin-air.js: Added.
158         (assert):
159         (test5.get const):
160         (test5.get proto):
161         * microbenchmarks/custom-accessor.js: Added.
162         (assert):
163         (test3.get const):
164         * microbenchmarks/custom-value-2.js: Added.
165         (assert):
166         (test1.getMultiline):
167         (test1):
168         * microbenchmarks/custom-value.js: Added.
169         (assert):
170         (test1.getMultiline):
171         (test1):
172         * stress/custom-accessor-delete-1.js: Added.
173         (assert):
174         (test3.get const):
175         * stress/custom-accessor-delete-2.js: Added.
176         (assert):
177         (test4.get const):
178         * stress/custom-accessor-delete-3.js: Added.
179         (assert):
180         (test5.get const):
181         (test5.get proto):
182         * stress/custom-value-delete-property-1.js: Added.
183         (assert):
184         (test1.getMultiline):
185         (test1):
186         * stress/custom-value-delete-property-2.js: Added.
187         (test2.foo):
188         (test2):
189         * stress/custom-value-delete-property-3.js: Added.
190         (test6.foo):
191         (test6):
192
193 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
194
195         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
196         https://bugs.webkit.org/show_bug.cgi?id=202382
197         <rdar://problem/52669112>
198
199         Reviewed by Saam Barati.
200
201         * stress/compare-eq-bool-number-folding.js: Added.
202         (test):
203
204 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
205
206         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
207         https://bugs.webkit.org/show_bug.cgi?id=202330
208
209         Reviewed by Saam Barati.
210
211         * stress/to-lower-case-gc-stress.js: Added.
212
213 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
214
215         Non-standard Error properties should not be enumerable
216         https://bugs.webkit.org/show_bug.cgi?id=198975
217
218         Reviewed by Ross Kirsling.
219
220         * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
221         * microbenchmarks/let-for-in.js: Adjust test.
222         * test262/expectations.yaml: Mark 6 test cases as passing.
223
224 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
225
226         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
227         https://bugs.webkit.org/show_bug.cgi?id=202299
228         <rdar://problem/52669116>
229
230         Reviewed by Saam Barati.
231
232         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
233         (foo):
234         (test):
235         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
236         (foo):
237         (C1.prototype.baz):
238         (C1):
239         (bar):
240         (noInline.bar.goo):
241         (C2.prototype.baz):
242         (C2):
243         (test):
244
245 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
246
247         toExponential, toFixed, and toPrecision should allow arguments up to 100
248         https://bugs.webkit.org/show_bug.cgi?id=199163
249
250         Reviewed by Ross Kirsling.
251
252         * ChakraCore/test/Number/toString_3.baseline-jsc:
253         * ChakraCore/test/es5/exceptions3.baseline-jsc:
254         * test262/expectations.yaml: Mark 6 test cases as passing.
255
256 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
257
258         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined
259         https://bugs.webkit.org/show_bug.cgi?id=154376
260
261         Reviewed by Ross Kirsling.
262
263         Adds 2 test cases:
264         1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
265         2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
266
267         * stress/proxy-get-own-property.js:
268
269 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
270
271         [BigInt] Add ValueBitRShift into DFG
272         https://bugs.webkit.org/show_bug.cgi?id=192663
273
274         Reviewed by Robin Morisset.
275
276         * stress/big-int-right-shift-jit-osr.js: Added.
277         * stress/big-int-right-shift-jit-untyped.js: Added.
278         * stress/big-int-right-shift-jit.js: Added.
279         * stress/value-rshift-ai-rule.js: Added.
280
281 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
282
283         Array methods should throw TypeError upon attempting to modify a string
284         https://bugs.webkit.org/show_bug.cgi?id=201910
285
286         Reviewed by Keith Miller.
287
288         * stress/array-methods-should-not-modify-string.js: Added.
289
290         * mozilla/js1_6/Array/regress-304828.js:
291         Fix test. Original copy was changed similarly seven years ago:
292         https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
293
294         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
295         Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
296
297 2019-09-23  Mark Lam  <mark.lam@apple.com>
298
299         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
300         https://bugs.webkit.org/show_bug.cgi?id=202122
301         <rdar://problem/55535249>
302
303         Reviewed by Yusuke Suzuki.
304
305         * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
306
307 2019-09-23  Caio Lima  <ticaiolima@gmail.com>
308
309         Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
310         https://bugs.webkit.org/show_bug.cgi?id=202113
311
312         Unreviewed test gardening, skipped test in ARMv7 and MIPS.
313
314         It is going to be fixed in
315         https://bugs.webkit.org/show_bug.cgi?id=202041
316
317         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
318
319 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
320
321         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
322         https://bugs.webkit.org/show_bug.cgi?id=202072
323
324         Reviewed by Mark Lam.
325
326         * stress/int52rep-with-double-checks-int52-range.js: Added.
327         (shouldBe):
328         (test):
329
330 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
331
332         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
333         https://bugs.webkit.org/show_bug.cgi?id=202011
334
335         Reviewed by Mark Lam.
336
337         We are skipping this test on MIPS and ARMv7 because some of its assumptions
338         are not valid for them. The current behavior of the test on those architectures
339         is that it does not throw at the `new ArrayBuffer(1000)` allocation site,
340         because eden collection keeps happening between iterations. The collection
341         is triggered on those architectures because the amount of stress
342         `new Promise` generates on GC limits is not enough to avoid them
343         while the loop is executing.
344
345         Changing the size of `UInt8Array` from `80000000` to `160000000` can
346         be an alternative fix to avoid collection happening during `ArrayBuffer`
347         allocation loop, but we can't guarantee this test is always going to execute
348         without error when Gigacage is disabled, given we can reach an OOM state in
349         some allocations that need to succeed, making this test flaky for those
350         architectures.
351
352         * stress/test-out-of-memory.js:
353
354 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
355
356         AccessCase should strongly visit its dependencies while on stack
357         https://bugs.webkit.org/show_bug.cgi?id=201986
358         <rdar://problem/55521953>
359
360         Reviewed by Saam Barati and Yusuke Suzuki.
361
362         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
363         (foo):
364         (warmup):
365
366 2019-09-20  Saam Barati  <sbarati@apple.com>
367
368         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
369
370         * stress/toctou-having-a-bad-time-new-array.js:
371
372 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
373
374         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
375         https://bugs.webkit.org/show_bug.cgi?id=202014
376
377         Reviewed by Saam Barati.
378
379         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
380         (__v0):
381
382 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
383
384         Syntax checker should report duplicate __proto__ properties
385         https://bugs.webkit.org/show_bug.cgi?id=201897
386         <rdar://problem/53201788>
387
388         Reviewed by Mark Lam.
389
390         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
391         (catch):
392
393 2019-09-18  Saam Barati  <sbarati@apple.com>
394
395         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
396         https://bugs.webkit.org/show_bug.cgi?id=201953
397         <rdar://problem/53803524>
398
399         Reviewed by Yusuke Suzuki.
400
401         * stress/toctou-having-a-bad-time-new-array.js: Added.
402         (let.code):
403
404 2019-09-18  Saam Barati  <sbarati@apple.com>
405
406         Phantom insertion phase may disagree with arguments forwarding about live ranges
407         https://bugs.webkit.org/show_bug.cgi?id=200715
408         <rdar://problem/54301717>
409
410         Reviewed by Yusuke Suzuki.
411
412         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
413         (main.v23):
414         (main.try.v43):
415         (main.):
416         (main):
417
418 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
419
420         [JSC] Generator should have internal fields
421         https://bugs.webkit.org/show_bug.cgi?id=201159
422
423         Reviewed by Keith Miller.
424
425         * stress/create-generator.js: Added.
426         (shouldBe):
427         (test.generator):
428         (test):
429         * stress/generator-construct-failure.js: Added.
430         (shouldThrow):
431         (TypeError):
432         * stress/generator-prototype-change.js: Added.
433         (shouldBe):
434         (gen):
435         * stress/generator-prototype-closure.js: Added.
436         (shouldBe):
437         (test.gen):
438         (test):
439         * stress/object-assign-fast-path.js:
440
441 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
442
443         Follow-up after String.codePointAt optimization
444         https://bugs.webkit.org/show_bug.cgi?id=201889
445
446         Reviewed by Saam Barati.
447
448         * stress/string-char-at-bad-type.js: Added.
449         (shouldBe):
450         (object.toString):
451         (test):
452         * stress/string-char-code-at-bad-type.js: Added.
453         (shouldBe):
454         (object.toString):
455         (test):
456         * stress/string-code-point-at-bad-type.js: Added.
457         (shouldBe):
458         (object.toString):
459         (test):
460
461 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
462
463         [JSC] CheckArray+NonArray is not filtering out Array in AI
464         https://bugs.webkit.org/show_bug.cgi?id=201857
465         <rdar://problem/54194820>
466
467         Reviewed by Keith Miller.
468
469         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
470         (foo):
471
472 2019-09-17  Saam Barati  <sbarati@apple.com>
473
474         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
475         https://bugs.webkit.org/show_bug.cgi?id=201853
476         <rdar://problem/53805461>
477
478         Reviewed by Yusuke Suzuki.
479
480         * stress/direct-arguments-check-array-filter-type.js: Added.
481         (foo):
482
483 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
484
485         Wasm StreamingParser should validate that number of functions matches number of declarations
486         https://bugs.webkit.org/show_bug.cgi?id=201850
487         <rdar://problem/55290186>
488
489         Reviewed by Yusuke Suzuki.
490
491         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
492         (catch):
493
494 2019-09-16  Michael Saboff  <msaboff@apple.com>
495
496         [JSC] Perform check again when we found non-BMP characters
497         https://bugs.webkit.org/show_bug.cgi?id=201647
498
499         Reviewed by Yusuke Suzuki.
500
501         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
502         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
503         (testRegExpInbounds):
504
505 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
506
507         [JSC] Add missing syntax errors for await in function parameter default expressions
508         https://bugs.webkit.org/show_bug.cgi?id=201615
509
510         Reviewed by Darin Adler.
511
512         * stress/async-await-reserved-word.js:
513         * stress/async-await-syntax.js:
514         Add test cases.
515
516         * test262/expectations.yaml:
517         Mark newly-passing test cases.
518
519 2019-09-16  Saam Barati  <sbarati@apple.com>
520
521         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
522         https://bugs.webkit.org/show_bug.cgi?id=200386
523         <rdar://problem/53854946>
524
525         Reviewed by Yusuke Suzuki.
526
527         * stress/proxy-__proto__-in-prototype-chain.js: Added.
528         * stress/proxy-property-replace-structure-transition.js: Added.
529
530 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
531
532         Date.prototype.toJSON does not execute steps 1-2
533         https://bugs.webkit.org/show_bug.cgi?id=105282
534
535         Reviewed by Ross Kirsling.
536
537         * test262/expectations.yaml: Mark 2 test cases as passing.
538
539 2019-09-12  Mark Lam  <mark.lam@apple.com>
540
541         Harden JSC against the abuse of runtime options.
542         https://bugs.webkit.org/show_bug.cgi?id=201597
543         <rdar://problem/55167068>
544
545         Reviewed by Filip Pizlo.
546
547         Remove the call to forceGCSlowPaths().  This utility function will be removed.
548         The modern way to set the required option is to use //@ requireOptions.
549
550         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
551
552 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
553
554         [JSC] Add StringCodePointAt intrinsic
555         https://bugs.webkit.org/show_bug.cgi?id=201673
556
557         Reviewed by Michael Saboff.
558
559         * stress/string-char-at-constant-index-out-of-range.js: Added.
560         (shouldBe):
561         (test):
562         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
563         (shouldBe):
564         (test):
565         * stress/string-code-point-at--out-of-range.js: Added.
566         (shouldBe):
567         (test):
568         * stress/string-code-point-at-basic.js: Added.
569         (test):
570         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
571         (shouldBe):
572         (test):
573         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
574         (shouldBe):
575         (test):
576         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
577         (shouldBe):
578         (test):
579         (breaking):
580         * stress/string-code-point-at-surrogate-pair.js: Added.
581         (shouldBe):
582         * stress/string-code-point-at.js: Added.
583         (shouldBe):
584
585 2019-09-10  Michael Saboff  <msaboff@apple.com>
586
587         JSC crashes due to stack overflow while building RegExp
588         https://bugs.webkit.org/show_bug.cgi?id=201649
589
590         Reviewed by Yusuke Suzuki.
591
592         New regression test.
593
594         * stress/regexp-bol-optimize-out-of-stack.js: Added.
595         (test):
596         (catch):
597
598 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
599
600         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
601         https://bugs.webkit.org/show_bug.cgi?id=189043
602
603         Reviewed by Keith Miller.
604
605         The offset performing the validation becomes a bit different.
606         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
607
608         * wasm/js-api/version.js:
609
610 2019-09-07  Keith Miller  <keith_miller@apple.com>
611
612         OSR entry into wasm misses some contexts
613         https://bugs.webkit.org/show_bug.cgi?id=201569
614
615         Reviewed by Yusuke Suzuki.
616
617         Add a new harness and wast and the generated wasm file for
618         testing. The idea long term is to make it easy to test by creating
619         a C file and converting it to a wast then modify that to produce a
620         test.
621
622         * wasm.yaml:
623         * wasm/wast-tests/harness.js: Added.
624         (async.runWasmFile):
625         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
626         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
627         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
628         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
629         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
630         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
631         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
632         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
633
634 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
635
636         [JSC] Promise resolve/reject functions should be created more efficiently
637         https://bugs.webkit.org/show_bug.cgi?id=201488
638
639         Reviewed by Mark Lam.
640
641         * microbenchmarks/promise-creation-many.js: Added.
642         (executor):
643
644 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
645
646         Unreviewed JSC test gardening.
647
648         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
649         This test allocates a 2GB string before it goes out and tests
650         out-of-memory exception when appending other strings to it. As such,
651         skip the test on memory-limited platforms.
652
653 2019-09-07  Mark Lam  <mark.lam@apple.com>
654
655         The jsc shell should allow disabling of the Gigacage for testing purposes.
656         https://bugs.webkit.org/show_bug.cgi?id=201579
657
658         Reviewed by Michael Saboff.
659
660         Unskip the tests now.
661
662         * stress/disable-gigacage-arrays.js:
663         * stress/disable-gigacage-strings.js:
664         * stress/disable-gigacage-typed-arrays.js:
665
666 2019-09-07  Mark Lam  <mark.lam@apple.com>
667
668         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
669
670         Not reviewed.
671
672         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
673
674         * stress/disable-gigacage-arrays.js:
675         * stress/disable-gigacage-strings.js:
676         * stress/disable-gigacage-typed-arrays.js:
677
678 2019-09-07  Mark Lam  <mark.lam@apple.com>
679
680         Gardening: speculative test fix to green bots [attempt #2].
681         https://bugs.webkit.org/show_bug.cgi?id=201529
682         <rdar://problem/53935772>
683
684         Not reviewed.
685
686         * stress/test-out-of-memory.js:
687
688 2019-09-06  Mark Lam  <mark.lam@apple.com>
689
690         Gardening: speculative test fix to green bots.
691         https://bugs.webkit.org/show_bug.cgi?id=201529
692         <rdar://problem/53935772>
693
694         Not reviewed.
695
696         * stress/test-out-of-memory.js:
697
698 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
699
700         Math.round() produces wrong result for value prior to 0.5
701         https://bugs.webkit.org/show_bug.cgi?id=185115
702
703         Reviewed by Saam Barati.
704
705         * stress/math-round-basics.js:
706         Add positive/negative test cases.
707
708         * test262/expectations.yaml:
709         Mark test passing.
710
711 2019-09-06  Mark Lam  <mark.lam@apple.com>
712
713         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
714         https://bugs.webkit.org/show_bug.cgi?id=201551
715
716         Reviewed by Tadeu Zagallo.
717
718         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
719
720         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
721         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
722
723 2019-09-06  Mark Lam  <mark.lam@apple.com>
724
725         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
726         https://bugs.webkit.org/show_bug.cgi?id=201529
727         <rdar://problem/53935772>
728
729         Reviewed by Yusuke Suzuki.
730
731         * stress/test-out-of-memory.js: Added.
732
733 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
734
735         LazyClassStructure::setConstructor should not store the constructor to the global object
736         https://bugs.webkit.org/show_bug.cgi?id=201484
737         <rdar://problem/50400451>
738
739         Reviewed by Yusuke Suzuki.
740
741         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
742
743 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
744
745         [JSC] Do not use FTLOutput::weakPointer directly
746         https://bugs.webkit.org/show_bug.cgi?id=201495
747
748         Reviewed by Filip Pizlo.
749
750         * stress/create-promise-weak-pointer.js: Added.
751         (foo):
752
753 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
754
755         [JSC] Make Promise implementation faster
756         https://bugs.webkit.org/show_bug.cgi?id=200898
757
758         Reviewed by Saam Barati.
759
760         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
761         (assert.assert.return.throws):
762         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
763         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
764         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
765         (shouldThrow):
766         (new.Promise):
767         (shouldThrow.Promise):
768         * stress/create-promise-should-respect-promise-realm.js: Added.
769         (shouldBe):
770         (other.new.OtherPromise):
771         (DerivedOtherPromise):
772         (i.promise.new.DerivedOtherPromise):
773         (createPromise):
774         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
775         (shouldBe):
776         (DerivedPromise):
777         (i.array.push.new.DerivedPromise):
778         (promise.new.DerivedPromise):
779         * stress/derived-promise-constructor-inlined.js: Added.
780         (shouldBe):
781         (DerivedPromise):
782         (i.array.push.new.DerivedPromise):
783         (DerivedPromise.all.array.then):
784         * stress/derived-promise-prototype-replaced.js: Added.
785         (shouldBe):
786         (DerivedPromise):
787         (i.array.push.new.DerivedPromise):
788         (promise.new.DerivedPromise):
789         * stress/internal-promise-constructor-not-confusing.js: Added.
790         (shouldBe):
791         (InternalPromise.vm.createBuiltin):
792         (DerivedPromise):
793         * stress/internal-promise-is-not-exposed.js: Added.
794         (shouldBe):
795         * stress/new-promise-should-respect-promise-realm.js: Added.
796         (shouldBe):
797         (other.new.OtherPromise):
798         (createPromise):
799         * stress/promise-cannot-be-called.js:
800         (shouldThrow):
801         * stress/promise-capability-fast-path.js: Added.
802         (shouldBe):
803         (i.array.push.new.Promise):
804         (i.array.i.then):
805         * stress/promise-capability-slow-path.js: Added.
806         (shouldBe):
807         (Promise.prototype.then):
808         (i.array.push.new.Promise):
809         (i.array.i.then):
810         * stress/promise-capability-then-slow-path.js: Added.
811         (shouldBe):
812         (DerivedPromise):
813         (DerivedPromise.prototype.then):
814         (i.array.push.new.DerivedPromise):
815         (i.array.i.then):
816         * stress/promise-constructor-inlined.js: Added.
817         (shouldBe):
818         (i.array.push.new.Promise):
819         (Promise.all.array.then):
820         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
821         (shouldBe):
822         (DerivedPromise):
823         (DerivedPromise2):
824         (i.array.push.new.DerivedPromise):
825         (i.array2.push.new.DerivedPromise2):
826         * stress/without-promise-functions.js: Added.
827         (shouldBe):
828         (async):
829
830 2019-09-03  Mark Lam  <mark.lam@apple.com>
831
832         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
833         https://bugs.webkit.org/show_bug.cgi?id=201309
834         <rdar://problem/54832121>
835
836         Reviewed by Yusuke Suzuki.
837
838         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
839
840 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
841
842         [JSC] Generate new.target register only when it is used
843         https://bugs.webkit.org/show_bug.cgi?id=201335
844
845         Reviewed by Mark Lam.
846
847         * stress/ensure-new-register-allocated.js: Added.
848         (shouldBe):
849         (basic):
850         (arrow):
851         (Base):
852         (Derived):
853         (evaluate):
854
855 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
856
857         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
858         https://bugs.webkit.org/show_bug.cgi?id=201331
859
860         Reviewed by Mark Lam.
861
862         * stress/simple-jump-table-copy.js: Added.
863         (let.code):
864         (g2):
865
866 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
867
868         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
869         https://bugs.webkit.org/show_bug.cgi?id=201332
870
871         Reviewed by Mark Lam.
872
873         This test is very flaky, it is hard to reproduce.
874
875         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
876         (code):
877
878 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
879
880         [JSC] Repatch should construct CallCases and CasesValue at the same time
881         https://bugs.webkit.org/show_bug.cgi?id=201325
882
883         Reviewed by Saam Barati.
884
885         * stress/repatch-switch.js: Added.
886         (main.f2.f0):
887         (main.f2.f3):
888         (main.f2.f1):
889         (main.f2):
890         (main):
891
892 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
893
894         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
895         https://bugs.webkit.org/show_bug.cgi?id=198650
896
897         Reviewed by Saam Barati.
898
899         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
900         (main.v0):
901         (main):
902
903 2019-08-28  Mark Lam  <mark.lam@apple.com>
904
905         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
906         https://bugs.webkit.org/show_bug.cgi?id=201281
907         <rdar://problem/54028228>
908
909         Reviewed by Yusuke Suzuki and Saam Barati.
910
911         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
912
913 2019-08-28  Mark Lam  <mark.lam@apple.com>
914
915         Placate exception check validation in DFG's operationHasGenericProperty().
916         https://bugs.webkit.org/show_bug.cgi?id=201245
917         <rdar://problem/54777512>
918
919         Reviewed by Robin Morisset.
920
921         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
922
923 2019-08-27  Mark Lam  <mark.lam@apple.com>
924
925         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
926         https://bugs.webkit.org/show_bug.cgi?id=201196
927         <rdar://problem/54703775>
928
929         Reviewed by Yusuke Suzuki.
930
931         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
932
933 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
934
935         [JSC] Ensure x?.y ?? z is fast
936         https://bugs.webkit.org/show_bug.cgi?id=200875
937
938         Reviewed by Yusuke Suzuki.
939
940         * stress/nullish-coalescing.js:
941
942 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
943
944         Remove MaximalFlushInsertionPhase
945         https://bugs.webkit.org/show_bug.cgi?id=201036
946
947         Reviewed by Saam Barati.
948
949         Remove all the references to maximal flush
950
951         * stress/arith-ceil-on-various-types.js:
952         (checkCompileCountForUselessNegativeZero):
953         * stress/arith-floor-on-various-types.js:
954         (checkCompileCountForUselessNegativeZero):
955         * stress/arith-negate-on-various-types.js:
956         (checkCompileCountForUselessNegativeZero):
957         * stress/arith-round-on-various-types.js:
958         (checkCompileCountForUselessNegativeZero):
959         * stress/arith-trunc-on-various-types.js:
960         (checkCompileCountForUselessNegativeZero):
961         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
962         * stress/has-indexed-property-should-accept-non-int32.js:
963         * stress/has-indexed-property-with-worsening-array-mode.js:
964         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
965         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
966         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
967         * stress/rest-parameter-many-arguments.js:
968         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
969         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
970         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
971
972 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
973
974         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
975         https://bugs.webkit.org/show_bug.cgi?id=200952
976
977         Reviewed by Saam Barati.
978
979         * wasm/references/func_ref.js:
980         (assert.throws):
981
982 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
983
984         Add missing exception check in canonicalizeLocaleList
985         https://bugs.webkit.org/show_bug.cgi?id=201021
986
987         Reviewed by Mark Lam.
988
989         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
990         (catch):
991
992 2019-08-21  Mark Lam  <mark.lam@apple.com>
993
994         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
995         https://bugs.webkit.org/show_bug.cgi?id=201016
996         <rdar://problem/54579911>
997
998         Reviewed by Yusuke Suzuki.
999
1000         * wasm/stress/too-many-locals.js: Added.
1001         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
1002
1003 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
1004
1005         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
1006         https://bugs.webkit.org/show_bug.cgi?id=200965
1007
1008         Reviewed by Saam Barati.
1009
1010         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
1011         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
1012
1013         * stress/optional-chaining.js:
1014
1015 2019-08-21  Michael Saboff  <msaboff@apple.com>
1016
1017         [JSC] incorrect JIT lead to StackOverflow
1018         https://bugs.webkit.org/show_bug.cgi?id=197823
1019
1020         Reviewed by Tadeu Zagallo.
1021
1022         New test.
1023
1024         * stress/bound-function-stack-overflow.js: Added.
1025         (foo):
1026         (catch):
1027
1028 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1029
1030         Identify memcpy loops in b3
1031         https://bugs.webkit.org/show_bug.cgi?id=200181
1032
1033         Reviewed by Saam Barati.
1034
1035         * microbenchmarks/memcpy-loop.js: Added.
1036         (doTest):
1037         (let.arr1):
1038         * microbenchmarks/memcpy-typed-loop-large.js: Added.
1039         (doTest):
1040         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
1041         (arr2):
1042         * microbenchmarks/memcpy-typed-loop-small.js: Added.
1043         (doTest):
1044         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1045         (16.arr2):
1046         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
1047         (doTest):
1048         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
1049         (arr2):
1050         * microbenchmarks/memcpy-wasm-large.js: Added.
1051         (typeof.WebAssembly.string_appeared_here.eq):
1052         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1053         * microbenchmarks/memcpy-wasm-medium.js: Added.
1054         (typeof.WebAssembly.string_appeared_here.eq):
1055         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1056         * microbenchmarks/memcpy-wasm-small.js: Added.
1057         (typeof.WebAssembly.string_appeared_here.eq):
1058         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1059         * microbenchmarks/memcpy-wasm.js: Added.
1060         (typeof.WebAssembly.string_appeared_here.eq):
1061         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1062         * stress/memcpy-typed-loops.js: Added.
1063         (noLoop):
1064         (invalidStart):
1065         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1066         (arr2):
1067         * wasm/function-tests/memcpy-wasm-loop.js: Added.
1068         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
1069         (string_appeared_here):
1070
1071 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
1072
1073         [JSC] Array.prototype.toString should not get "join" function each time
1074         https://bugs.webkit.org/show_bug.cgi?id=200905
1075
1076         Reviewed by Mark Lam.
1077
1078         * stress/array-prototype-join-change.js: Added.
1079         (shouldBe):
1080         (array2.join):
1081         (DerivedArray):
1082         (DerivedArray.prototype.join):
1083         (array3.__proto__.join):
1084         (Array.prototype.join):
1085
1086 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1087
1088         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1089         https://bugs.webkit.org/show_bug.cgi?id=200782
1090
1091         Reviewed by Saam Barati.
1092
1093         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
1094
1095         * microbenchmarks/memcpy-typed-loop.js:
1096         * stress/int8-repeat-in-then-out-of-bounds.js:
1097
1098 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1099
1100         Proxy constructor should throw if handler is revoked Proxy
1101         https://bugs.webkit.org/show_bug.cgi?id=198755
1102
1103         Reviewed by Saam Barati.
1104
1105         * stress/proxy-revoke.js: Adjust error message.
1106         * test262/expectations.yaml: Mark 2 test cases as passing.
1107
1108 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1109
1110         [JSC] OSR entry to Wasm OMG
1111         https://bugs.webkit.org/show_bug.cgi?id=200362
1112
1113         Reviewed by Michael Saboff.
1114
1115         * wasm/stress/osr-entry-basic.js: Added.
1116         (instance.exports.loop):
1117         * wasm/stress/osr-entry-many-locals-f32.js: Added.
1118         * wasm/stress/osr-entry-many-locals-f64.js: Added.
1119         * wasm/stress/osr-entry-many-locals-i32.js: Added.
1120         * wasm/stress/osr-entry-many-locals-i64.js: Added.
1121         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
1122         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
1123         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
1124         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
1125
1126 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1127
1128         Date.prototype.toJSON throws if toISOString returns an object
1129         https://bugs.webkit.org/show_bug.cgi?id=198495
1130
1131         Reviewed by Ross Kirsling.
1132
1133         * test262/expectations.yaml: Mark 6 test cases as passing.
1134
1135 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1136
1137         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
1138         https://bugs.webkit.org/show_bug.cgi?id=200899
1139         <rdar://problem/54073341>
1140
1141         Reviewed by Mark Lam.
1142
1143         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
1144         (i.new.Promise):
1145         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
1146         (i.new.Promise):
1147
1148 2019-08-19  Michael Saboff  <msaboff@apple.com>
1149
1150         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
1151         https://bugs.webkit.org/show_bug.cgi?id=197090
1152
1153         Reviewed by Yusuke Suzuki.
1154
1155         New test.
1156
1157         * stress/regexp-nonconsuming-counted-parens.js: Added.
1158
1159 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
1160
1161         [JSC] Correct a->an in error messages and API docblocks
1162         https://bugs.webkit.org/show_bug.cgi?id=200833
1163
1164         Reviewed by Don Olmstead.
1165
1166         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1167         (assert.assert.return.throws):
1168         * stress/promise-finally-should-accept-non-promise-objects.js:
1169         * wasm/js-api/table.js:
1170         (assert.throws):
1171
1172 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1173
1174         [ESNext] Implement optional chaining
1175         https://bugs.webkit.org/show_bug.cgi?id=200199
1176
1177         Reviewed by Yusuke Suzuki.
1178
1179         * stress/nullish-coalescing.js:
1180         * stress/optional-chaining.js: Added.
1181         * stress/tail-call-recognize.js:
1182
1183 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1184
1185         [ESNext] Support hashbang.
1186         https://bugs.webkit.org/show_bug.cgi?id=200865
1187
1188         Reviewed by Mark Lam.
1189
1190         * stress/hashbang.js: Added.
1191         * test262/expectations.yaml: Mark 6 cases as passing.
1192
1193 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
1194
1195         [JSC] DFG ToNumber should support Boolean in fixup
1196         https://bugs.webkit.org/show_bug.cgi?id=200864
1197
1198         Reviewed by Mark Lam.
1199
1200         * microbenchmarks/to-number-boolean.js: Added.
1201         (test):
1202         * stress/to-number-boolean-int32.js: Added.
1203         (shouldBe):
1204         (test):
1205         (check):
1206         * stress/to-number-boolean.js: Added.
1207         (shouldBe):
1208         (test):
1209         (check):
1210         * stress/to-number-int32.js: Added.
1211         (shouldBe):
1212         (test):
1213         (check):
1214
1215 2019-08-16  Mark Lam  <mark.lam@apple.com>
1216
1217         More missing exception checks in string comparison operators.
1218         https://bugs.webkit.org/show_bug.cgi?id=200844
1219         <rdar://problem/54378684>
1220
1221         Reviewed by Saam Barati.
1222
1223         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
1224         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
1225         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
1226         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
1227
1228 2019-08-16  Mark Lam  <mark.lam@apple.com>
1229
1230         CodeBlock destructor should clear all of its watchpoints.
1231         https://bugs.webkit.org/show_bug.cgi?id=200792
1232         <rdar://problem/53947800>
1233
1234         Reviewed by Yusuke Suzuki.
1235
1236         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
1237
1238 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
1239
1240         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1241         https://bugs.webkit.org/show_bug.cgi?id=200782
1242
1243         Reviewed by Saam Barati.
1244
1245         * microbenchmarks/int8-out-of-bounds.js: Added.
1246         (foo):
1247         * microbenchmarks/memcpy-typed-loop.js: Added.
1248         (doTest):
1249         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
1250         (arr2):
1251         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
1252         (foo):
1253
1254 2019-08-16  Mark Lam  <mark.lam@apple.com>
1255
1256         [Re-land] ProxyObject should not be allowed to access its target's private properties.
1257         https://bugs.webkit.org/show_bug.cgi?id=200739
1258         <rdar://problem/53972768>
1259
1260         Reviewed by Yusuke Suzuki.
1261
1262         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
1263         * stress/proxy-with-private-symbols.js:
1264
1265 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
1266
1267         [JSC] Promise.prototype.finally should accept non-promise objects
1268         https://bugs.webkit.org/show_bug.cgi?id=200829
1269
1270         Reviewed by Mark Lam.
1271
1272         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
1273         (shouldBe):
1274         (Thenable):
1275         (Thenable.prototype.then):
1276
1277 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
1278
1279         Promise constructor should check argument before [[Construct]]
1280         https://bugs.webkit.org/show_bug.cgi?id=198976
1281
1282         Reviewed by Ross Kirsling.
1283
1284         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
1285         * stress/create-subclass-structure-might-throw.js: Fix test.
1286         * test262/expectations.yaml: Mark 2 test cases as passing.
1287
1288 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
1289
1290         Unreviewed, rolling out r248709.
1291
1292         Caused test/built-ins/Promise/prototype/finally/this-value-
1293         non-promise.js to fail on test262 bot
1294
1295         Reverted changeset:
1296
1297         "ProxyObject should not be allowed to access its target's
1298         private properties."
1299         https://bugs.webkit.org/show_bug.cgi?id=200739
1300         https://trac.webkit.org/changeset/248709
1301
1302 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1303
1304         DateConversion::formatDateTime incorrectly formats negative years
1305         https://bugs.webkit.org/show_bug.cgi?id=199964
1306
1307         Reviewed by Ross Kirsling.
1308
1309         * test262/expectations.yaml: Mark 6 test cases as passing.
1310
1311 2019-08-15  Mark Lam  <mark.lam@apple.com>
1312
1313         More missing exception checks in String.prototype.
1314         https://bugs.webkit.org/show_bug.cgi?id=200762
1315         <rdar://problem/54333896>
1316
1317         Reviewed by Michael Saboff.
1318
1319         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1320         * stress/missing-exception-check-in-string-toLower.js: Added.
1321         * stress/missing-exception-check-in-string-toUpper.js: Added.
1322
1323 2019-08-14  Mark Lam  <mark.lam@apple.com>
1324
1325         ProxyObject should not be allowed to access its target's private properties.
1326         https://bugs.webkit.org/show_bug.cgi?id=200739
1327         <rdar://problem/53972768>
1328
1329         Reviewed by Yusuke Suzuki.
1330
1331         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1332         * stress/proxy-with-private-symbols.js: Rebased.
1333
1334 2019-08-14  Mark Lam  <mark.lam@apple.com>
1335
1336         Missing exception check in string compare.
1337         https://bugs.webkit.org/show_bug.cgi?id=200743
1338         <rdar://problem/53975356>
1339
1340         Reviewed by Michael Saboff.
1341
1342         * stress/missing-exception-check-in-string-compare.js: Added.
1343
1344 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1345
1346         [JSC] Add "jump if (not) undefined or null" bytecode ops
1347         https://bugs.webkit.org/show_bug.cgi?id=200480
1348
1349         Reviewed by Saam Barati.
1350
1351         * stress/destructuring-assignment-require-object-coercible.js:
1352         * stress/nullish-coalescing.js:
1353
1354 2019-08-05  Michael Saboff  <msaboff@apple.com>
1355
1356         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1357         https://bugs.webkit.org/show_bug.cgi?id=199997
1358
1359         Reviewed by Saam Barati.
1360
1361         New test.
1362
1363         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1364         (checkIntArray):
1365         (checkFloatArray):
1366
1367 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1368
1369         [JSC] Support WebAssembly in SamplingProfiler
1370         https://bugs.webkit.org/show_bug.cgi?id=200329
1371
1372         Reviewed by Saam Barati.
1373
1374         * stress/sampling-profiler-wasm-name-section.js: Added.
1375         (const.compile):
1376         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1377         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1378         * stress/sampling-profiler-wasm.js: Added.
1379         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1380         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1381         * stress/sampling-profiler/loop.wasm: Added.
1382         * stress/sampling-profiler/loop.wast: Added.
1383         * stress/sampling-profiler/nameSection.wasm: Added.
1384
1385 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1386
1387         [JSC] LazyJSValue should be robust for empty JSValue
1388         https://bugs.webkit.org/show_bug.cgi?id=200388
1389
1390         Reviewed by Saam Barati.
1391
1392         * stress/switch-constant-child-becomes-empty.js: Added.
1393         (foo):
1394
1395 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1396
1397         GetterSetter type confusion during DFG compilation
1398         https://bugs.webkit.org/show_bug.cgi?id=199903
1399
1400         Reviewed by Mark Lam.
1401
1402         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1403
1404 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1405
1406         Update Test262 (2019.08.01)
1407         https://bugs.webkit.org/show_bug.cgi?id=200351
1408
1409         Reviewed by Keith Miller.
1410
1411         * test262/expectations.yaml:
1412         * test262/harness/testIntl.js:
1413         * test262/latest-changes-summary.txt:
1414         * test262/test/:
1415         * test262/test262-Revision.txt:
1416
1417 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1418
1419         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1420         https://bugs.webkit.org/show_bug.cgi?id=200192
1421
1422         Reviewed by Saam Barati.
1423
1424         * stress/structure-chain-stress.js: Added.
1425         (keys):
1426
1427 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1428
1429         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1430         https://bugs.webkit.org/show_bug.cgi?id=200196
1431
1432         Reviewed by Robin Morisset.
1433
1434         * stress/reparsing-unlinked-codeblock.js:
1435
1436 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1437
1438         [X86] Emit BT instruction for shift + mask in B3
1439         https://bugs.webkit.org/show_bug.cgi?id=199891
1440
1441         Reviewed by Robin Morisset.
1442
1443         Lower the number of iterations to fix debug timeouts.
1444
1445         * microbenchmarks/bit-test-load.js:
1446         (i):
1447
1448 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1449
1450         [X86] Emit BT instruction for shift + mask in B3
1451         https://bugs.webkit.org/show_bug.cgi?id=199891
1452
1453         Reviewed by Keith Miller.
1454
1455         * microbenchmarks/bit-test-constant.js: Added.
1456         (let.glob.0.doTest):
1457         * microbenchmarks/bit-test-load.js: Added.
1458         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1459         (i):
1460         * microbenchmarks/bit-test-nonconstant.js: Added.
1461         (let.glob.0.doTest):
1462
1463 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1464
1465         [JSC] Potential GC fix for JSPropertyNameEnumerator
1466         https://bugs.webkit.org/show_bug.cgi?id=200151
1467
1468         Reviewed by Mark Lam.
1469
1470         * stress/for-in-stress.js: Added.
1471         (keys):
1472
1473 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1474
1475         Legacy numeric literals should not permit separators or BigInt
1476         https://bugs.webkit.org/show_bug.cgi?id=199984
1477
1478         Reviewed by Keith Miller.
1479
1480         * stress/big-int-literals.js:
1481         * stress/numeric-literal-separators.js:
1482
1483 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1484
1485         [ESNext] Implement nullish coalescing
1486         https://bugs.webkit.org/show_bug.cgi?id=200072
1487
1488         Reviewed by Darin Adler.
1489
1490         * stress/nullish-coalescing.js: Added.
1491
1492 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1493
1494         Three checks are missing in Proxy internal methods
1495         https://bugs.webkit.org/show_bug.cgi?id=198630
1496
1497         Reviewed by Darin Adler.
1498
1499         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1500         * test262/expectations.yaml: Mark 6 test cases as passing.
1501
1502 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1503
1504         Sometimes we miss removable CheckInBounds
1505         https://bugs.webkit.org/show_bug.cgi?id=200018
1506
1507         Reviewed by Saam Barati.
1508
1509         * microbenchmarks/typed-array-sum.js: Added.
1510         (doTest):
1511
1512 2019-07-16  Mark Lam  <mark.lam@apple.com>
1513
1514         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1515         https://bugs.webkit.org/show_bug.cgi?id=199821
1516         <rdar://problem/52452328>
1517
1518         Reviewed by Filip Pizlo.
1519
1520         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1521
1522 2019-07-16  Keith Miller  <keith_miller@apple.com>
1523
1524         Unreviewed, test262 gardening.
1525
1526         * test262/expectations.yaml:
1527
1528 2019-07-15  Keith Miller  <keith_miller@apple.com>
1529
1530         A Possible Issue of Object.create method
1531         https://bugs.webkit.org/show_bug.cgi?id=199744
1532
1533         Reviewed by Yusuke Suzuki.
1534
1535         * stress/object-create-non-object-properties-parameter.js: Added.
1536         (catch):
1537
1538 2019-07-15  Keith Miller  <keith_miller@apple.com>
1539
1540         Update test262
1541         https://bugs.webkit.org/show_bug.cgi?id=199801
1542
1543         Rubber-stamped by Yusuke Suzuki.
1544
1545         * test262/expectations.yaml:
1546         * test262/latest-changes-summary.txt:
1547         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1548         (fg.new.FinalizationGroup):
1549         (callback):
1550         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1551         (fg.new.FinalizationGroup):
1552         (callback):
1553         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1554         (fg.new.FinalizationGroup):
1555         (callback):
1556         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1557         (fg.new.FinalizationGroup):
1558         (callback):
1559         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1560         (fg.new.FinalizationGroup):
1561         (callback):
1562         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1563         (fg.new.FinalizationGroup):
1564         (callback):
1565         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1566         (fg.new.FinalizationGroup):
1567         (callback):
1568         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1569         (callback):
1570         (fg.new.FinalizationGroup):
1571         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1572         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1573         (cb):
1574         (fg.new.FinalizationGroup):
1575         (emptyCells):
1576         (async.fn):
1577         (fn.then.async):
1578         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1579         (fg.new.FinalizationGroup):
1580         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1581         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1582         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1583         (newTarget):
1584         (fn):
1585         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/proto.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
        (newTarget):
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
        (newTarget):
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
        (callback):
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
        (fg.new.FinalizationGroup):
        (fg.cleanupSome.cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
        (fn):
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
        (poisoned):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
        (poisoned):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
        (fn):
        (cb):
        (emptyCells):
        (prototype.assert.sameValue.fg.cleanupSome):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
        (fn):
        (cb):
        (poisoned):
        (assert.sameValue.fg.cleanupSome):
        (prototype.assert.sameValue.fg.cleanupSome):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
        (cleanupCallback):
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
        (FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
        (cleanupCallback):
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
        * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
        * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
        * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
        * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
        (setIter.set Symbol):
        (set defaultTag):
        (gen):
        (get return):
        (set new):
        * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
        (generatorProxy.new.Proxy):
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/subclass-object-arg.js:
        * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
        * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
        * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
        * test262/test/built-ins/Promise/executor-function-name.js:
        * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/reject-function-name.js:
        * test262/test/built-ins/Promise/resolve-function-name.js:
        * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
        * test262/test/built-ins/WeakRef/constructor.js: Added.
        * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
        * test262/test/built-ins/WeakRef/length.js: Added.
        * test262/test/built-ins/WeakRef/name.js: Added.
        * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
        * test262/test/built-ins/WeakRef/proto.js: Added.
        * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
        * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
        * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
        (emptyCells):
        * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
        * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
        * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
        * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
        * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
        * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
        * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
        * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
        (assertParts):
        * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
        * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
        * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
        * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
        * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
        * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
        (C.prototype.method):
        * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateGetter):
        * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateMethod):
        * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateSetter):
        * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.prototype.m):
        (let.classStringExpression.prototype.access):
        (let.classStringExpression):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.prototype.m):
        (let.classStringExpression.prototype.access):
        (let.classStringExpression):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.C.prototype.m):
        (let.classStringExpression.return.C.prototype.access):
        (let.classStringExpression.return.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.C.prototype.m):
        (let.classStringExpression.return.C.prototype.access):
        (let.classStringExpression.return.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/new.target/unary-expr.js: Added.
        (new):
        (async):
        * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
        (A):
        * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
        * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
        * test262/test/language/identifiers/vals-cjk.js: Added.
        * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
        * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.checkPrivateField):
        (C):
        * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
        (C):
        * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
        (C.prototype.getWithEval):
        (C):
        (D):
        * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
        (C.prototype.get m):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
        (C.prototype.get m):
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
        (let.createAndInstantiateClass):
        * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
        (C.prototype.get m):
        (C.prototype.checkPrivateGetter):
        (C):
        * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.get m):
        (C.prototype.checkPrivateGetter):
        (C):
        * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
        (C.prototype.get m):
        (C):
        * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
        (C.prototype.get m):
        (C.prototype.getWithEval):
        (C):
        (D.prototype.get m):
        (D):
        * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
        (C.prototype.m):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
        (C.prototype.m):
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
        (C.prototype.m):
        (C.prototype.checkPrivateMethod):
        (C):
        * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.m):
        (C.prototype.checkPrivateMethod):
        (C):
        * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
        (C.prototype.m):
        (C):
        * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
        (C.prototype.m):
        (C.prototype.getWithEval):
        (C):
        (D.prototype.m):
        (D):
        * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
        (C.prototype.set m):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
        (C.prototype.set m):
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
        (C.prototype.set m):
        (C.prototype.checkPrivateSetter):
        (C):
        * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.set m):
        (C.prototype.checkPrivateSetter):
        (C):
        * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
        (C.prototype.set m):
        (C):
        * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
        (C.prototype.set m):
        (C.prototype.setWithEval):
        (C):
        (D.prototype.set m):
        (D):
        * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
        * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
        * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
        * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
        (A.prototype.method):
        (A):
        (C.prototype.get m):
        (C.prototype.access):
        (C):
        * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
        (A.prototype.method):
        (A):
        (C.prototype.m):
        (C.prototype.access):
        (C):
        * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
        (A.prototype.method):
        (A):
        (C.prototype.set m):
        (C.prototype.access):
        (C):
        * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
        (A):
        * test262/test/language/statements/function/13.2-30-s.js:
        * test262/test262-Revision.txt:

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        Fix our spec tests.

        * wasm/js-api/Module-compile.js:
        * wasm/js-api/test_basic_api.js:
        (const.c.in.constructorProperties.switch):
        * wasm/js-api/validate.js:
        * wasm/js-api/web-assembly-instantiate.js:
        * wasm/spec-tests/jsapi.js:
        (testJSAPI.get test):
        (testJSAPI.set test):

2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r247440.

        Broke builds

        Reverted changeset:

        "[JSC] Improve wasm wpt test results by fixing miscellaneous
        issues"
        https://bugs.webkit.org/show_bug.cgi?id=199783
        https://trac.webkit.org/changeset/247440

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        Fix our spec tests.

        * wasm/js-api/Module-compile.js:
        * wasm/js-api/test_basic_api.js:
        (const.c.in.constructorProperties.switch):
        * wasm/js-api/validate.js:
        * wasm/js-api/web-assembly-instantiate.js:
        * wasm/spec-tests/jsapi.js:
        (testJSAPI.get test):
        (testJSAPI.set test):

2019-07-12  Justin Michaud  <justin_michaud@apple.com>

        B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
        https://bugs.webkit.org/show_bug.cgi?id=196371

        Reviewed by Keith Miller.

        * microbenchmarks/mul-immediate-sub.js: Added.
        (doTest):

2019-07-12  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueBitLShift into DFG
        https://bugs.webkit.org/show_bug.cgi?id=192664

        Reviewed by Saam Barati.

        We are adding tests to cover ValueBitwise operations AI changes.

        * stress/big-int-left-shift-untyped.js: Added.
        * stress/bit-op-with-object-returning-int32.js:
        * stress/value-bit-and-ai-rule.js: Added.
        * stress/value-bit-lshift-ai-rule.js: Added.
        * stress/value-bit-or-ai-rule.js: Added.
        * stress/value-bit-xor-ai-rule.js: Added.

2019-07-11  Justin Michaud  <justin_michaud@apple.com>

        Add b3 macro lowering for CheckMul on arm64
        https://bugs.webkit.org/show_bug.cgi?id=199251

        Reviewed by Robin Morisset.

        * microbenchmarks/check-mul-constant.js: Added.
        (doTest):
        * microbenchmarks/check-mul-no-constant.js: Added.
        (doTest):
2128         * microbenchmarks/check-mul-power-of-two.js: Added.
2129         (doTest):
2130
2131 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2132
2133         Optimize join of large empty arrays
2134         https://bugs.webkit.org/show_bug.cgi?id=199636
2135
2136         Reviewed by Mark Lam.
2137
2138         * microbenchmarks/large-empty-array-join.js: Added.
2139         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2140
2141 2019-07-06  Michael Saboff  <msaboff@apple.com>
2142
2143         switch(String) needs to check for exceptions when resolving the string
2144         https://bugs.webkit.org/show_bug.cgi?id=199541
2145
2146         Reviewed by Mark Lam.
2147
2148         New tests.
2149
2150         * stress/switch-string-oom.js: Added.
2151         (test):
2152         (testLowerTiers):
2153         (testFTL):
2154
2155 2019-07-05  Mark Lam  <mark.lam@apple.com>
2156
2157         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
2158         https://bugs.webkit.org/show_bug.cgi?id=199533
2159         <rdar://problem/52669111>
2160
2161         Reviewed by Filip Pizlo.
2162
2163         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2164
2165 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2166
2167         [JSC] Clean up ArraySpeciesCreate
2168         https://bugs.webkit.org/show_bug.cgi?id=182434
2169
2170         Reviewed by Yusuke Suzuki.
2171
2172         Adjusts error message expectations in stress tests.
2173
2174         * stress/array-flatmap.js:
2175         * stress/array-flatten.js:
2176         * stress/array-species-create-should-handle-masquerader.js:
2177         * test262/expectations.yaml: Mark 4 test cases as passing.
2178
2179 2019-07-02  Michael Saboff  <msaboff@apple.com>
2180
2181         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
2182         https://bugs.webkit.org/show_bug.cgi?id=199395
2183
2184         Reviewed by Filip Pizlo.
2185
2186         New regression test.
2187
2188         * stress/for-of-tdz-with-try-catch.js: Added.
2189         (test):
2190         (i.catch):
2191
2192 2019-07-02  Keith Miller  <keith_miller@apple.com>
2193
2194         Frozen Arrays length assignment should throw in strict mode
2195         https://bugs.webkit.org/show_bug.cgi?id=199365
2196
2197         Reviewed by Yusuke Suzuki.
2198
2199         * stress/frozen-array-length-should-throw-strict.js: Added.
2200         (test):
2201
2202 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2203
2204         [Wasm-References] Disable references by default
2205         https://bugs.webkit.org/show_bug.cgi?id=199390
2206
2207         Reviewed by Saam Barati.
2208
2209         * wasm/references-spec-tests/ref_is_null.js:
2210         * wasm/references-spec-tests/ref_null.js:
2211         * wasm/references/anyref_globals.js:
2212         * wasm/references/anyref_modules.js:
2213         * wasm/references/anyref_table.js:
2214         * wasm/references/anyref_table_import.js:
2215         * wasm/references/element_parsing.js:
2216         * wasm/references/func_ref.js:
2217         * wasm/references/is_null.js:
2218         * wasm/references/multitable.js:
2219         * wasm/references/table_misc.js:
2220         * wasm/references/validation.js:
2221
2222 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2223
2224         Unreviewed, rolling out r246946.
2225
2226         Caused JSC test crashes on arm64
2227
2228         Reverted changeset:
2229
2230         "Add b3 macro lowering for CheckMul on arm64"
2231         https://bugs.webkit.org/show_bug.cgi?id=199251
2232         https://trac.webkit.org/changeset/246946
2233
2234 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2235
2236         Add b3 macro lowering for CheckMul on arm64
2237         https://bugs.webkit.org/show_bug.cgi?id=199251
2238
2239         Reviewed by Robin Morisset.
2240
2241         * microbenchmarks/check-mul-constant.js: Added.
2242         (doTest):
2243         * microbenchmarks/check-mul-no-constant.js: Added.
2244         (doTest):
2245         * microbenchmarks/check-mul-power-of-two.js: Added.
2246         (doTest):
2247
2248 2019-06-26  Keith Miller  <keith_miller@apple.com>
2249
2250         speciesConstruct needs to throw if the result is a DataView
2251         https://bugs.webkit.org/show_bug.cgi?id=199231
2252
2253         Reviewed by Mark Lam.
2254
2255         * stress/typedarray-filter.js:
2256         (subclasses.forEach):
2257         * stress/typedarray-map.js:
2258         (subclasses.forEach):
2259         * stress/typedarray-slice.js:
2260         (typedArrays.forEach):
2261         * stress/typedarray-subarray.js:
2262         (subclasses.forEach):
2263
2264 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2265
2266         Unreviewed, rolling out r246714.
2267         https://bugs.webkit.org/show_bug.cgi?id=199179
2268
2269         revert to do patch in a different way. (Requested by keith_mi_
2270         on #webkit).
2271
2272         Reverted changeset:
2273
2274         "All prototypes should call didBecomePrototype()"
2275         https://bugs.webkit.org/show_bug.cgi?id=196315
2276         https://trac.webkit.org/changeset/246714
2277
2278 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2279
2280         Add Array.prototype.{flat,flatMap} to unscopables
2281         https://bugs.webkit.org/show_bug.cgi?id=194322
2282
2283         Reviewed by Keith Miller.
2284
2285         * stress/unscopables.js: Fix test.
2286         * test262/expectations.yaml: Mark 2 test cases as passing.
2287
2288 2019-06-21  Mark Lam  <mark.lam@apple.com>
2289
2290         ArraySlice needs to keep the source array alive.
2291         https://bugs.webkit.org/show_bug.cgi?id=197374
2292         <rdar://problem/50304429>
2293
2294         Reviewed by Michael Saboff and Filip Pizlo.
2295
2296         * stress/array-slice-must-keep-source-array-alive.js: Added.
2297
2298 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2299
2300         All prototypes should call didBecomePrototype()
2301         https://bugs.webkit.org/show_bug.cgi?id=196315
2302
2303         Reviewed by Saam Barati.
2304
2305         * stress/function-prototype-indexed-accessor.js: Added.
2306
2307 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2308
2309         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2310         https://bugs.webkit.org/show_bug.cgi?id=197631
2311
2312         Reviewed by Saam Barati.
2313
2314         * stress/has-own-property-arguments.js: Added.
2315         (shouldBe):
2316         (A):
2317
2318 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2319
2320         [JSC] ClassExpr should not store result in the middle of evaluation
2321         https://bugs.webkit.org/show_bug.cgi?id=199106
2322
2323         Reviewed by Tadeu Zagallo.
2324
2325         * stress/class-expression-should-store-result-at-last.js: Added.
2326         (shouldThrow):
2327         (shouldThrow.let.a):
2328
2329 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2330
2331         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2332         https://bugs.webkit.org/show_bug.cgi?id=199044
2333
2334         Reviewed by Saam Barati.
2335
2336         Add wasm references spec tests as well as a worker test.
2337
2338         * wasm.yaml:
2339         * wasm/Builder_WebAssemblyBinary.js:
2340         (const.emitters.Element):
2341         * wasm/js-api/element.js:
2342         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2343         * wasm/references-spec-tests/ref_is_null.js: Added.
2344         (hostref):
2345         (is_hostref):
2346         (is_funcref):
2347         (eq_ref):
2348         (let.handler.get target):
2349         (register):
2350         (module):
2351         (instance):
2352         (call):
2353         (get instance):
2354         (exports):
2355         (run):
2356         (assert_malformed):
2357         (assert_invalid):
2358         (assert_unlinkable):
2359         (assert_uninstantiable):
2360         (assert_trap):
2361         (try.f):
2362         (catch):
2363         (assert_exhaustion):
2364         (assert_return):
2365         (assert_return_canonical_nan):
2366         (assert_return_arithmetic_nan):
2367         (assert_return_ref):
2368         (assert_return_func):
2369         * wasm/references-spec-tests/ref_null.js: Added.
2370         (hostref):
2371         (is_hostref):
2372         (is_funcref):
2373         (eq_ref):
2374         (let.handler.get target):
2375         (register):
2376         (module):
2377         (instance):
2378         (call):
2379         (get instance):
2380         (exports):
2381         (run):
2382         (assert_malformed):
2383         (assert_invalid):
2384         (assert_unlinkable):
2385         (assert_uninstantiable):
2386         (assert_trap):
2387         (try.f):
2388         (catch):
2389         (assert_exhaustion):
2390         (assert_return):
2391         (assert_return_canonical_nan):
2392         (assert_return_arithmetic_nan):
2393         (assert_return_ref):
2394         (assert_return_func):
2395         * wasm/references/element_parsing.js: Added.
2396         (module):
2397         * wasm/references/func_ref.js:
2398         * wasm/references/multitable.js:
2399         * wasm/references/table_misc.js:
2400         (TableSize.0.End.End.WebAssembly):
2401         * wasm/references/validation.js:
2402         (assert.throws):
2403
2404 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2405
2406         Optimize `resolve` method lookup in Promise static methods
2407         https://bugs.webkit.org/show_bug.cgi?id=198864
2408
2409         Reviewed by Yusuke Suzuki.
2410
2411         * test262/expectations.yaml: Mark 18 test cases as passing.
2412
2413 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2414
2415         [WASM-References] Rename anyfunc to funcref
2416         https://bugs.webkit.org/show_bug.cgi?id=198983
2417
2418         Reviewed by Yusuke Suzuki.
2419
2420         * wasm/function-tests/basic-element.js:
2421         * wasm/function-tests/context-switch.js:
2422         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2423         (makeInstance):
2424         (assert.eq.makeInstance):
2425         * wasm/function-tests/exceptions.js:
2426         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2427         * wasm/function-tests/grow-memory-2.js:
2428         (assert.eq.instance.exports.foo):
2429         * wasm/function-tests/nameSection.js:
2430         (const.compile):
2431         * wasm/function-tests/stack-overflow.js:
2432         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2433         (assertOverflows.makeInstance):
2434         * wasm/function-tests/table-basic-2.js:
2435         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2436         * wasm/function-tests/table-basic.js:
2437         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2438         * wasm/function-tests/trap-from-start-async.js:
2439         * wasm/function-tests/trap-from-start.js:
2440         * wasm/js-api/Module.exports.js:
2441         (assert.truthy):
2442         * wasm/js-api/Module.imports.js:
2443         (assert.truthy):
2444         * wasm/js-api/call-indirect.js:
2445         (const.oneTable):
2446         (const.multiTable):
2447         (multiTable.const.makeTable):
2448         (multiTable):
2449         (multiTable.Polyphic2Import):
2450         (multiTable.VirtualImport):
2451         * wasm/js-api/element-data.js:
2452         * wasm/js-api/element.js:
2453         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2454         (assert.throws):
2455         (badInstantiation.makeModule):
2456         (badInstantiation.test):
2457         (badInstantiation):
2458         * wasm/js-api/extension-MemoryMode.js:
2459         * wasm/js-api/table.js:
2460         (new.WebAssembly.Module):
2461         (assert.throws):
2462         (assertBadTableImport):
2463         (assert.throws.WebAssembly.Table.prototype.grow):
2464         (new.WebAssembly.Table):
2465         (assertBadTable):
2466         (assert.truthy):
2467         * wasm/js-api/test_basic_api.js:
2468         (const.c.in.constructorProperties.switch):
2469         * wasm/js-api/unique-signature.js:
2470         (CallIndirectWithDuplicateSignatures):
2471         * wasm/js-api/wrapper-function.js:
2472         * wasm/modules/table.wat:
2473         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2474         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2475         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2476         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2477         * wasm/references/anyref_table.js:
2478         * wasm/references/anyref_table_import.js:
2479         (doSet):
2480         (assert.throws):
2481         * wasm/references/func_ref.js:
2482         (makeFuncrefIdent):
2483         (assert.eq.instance.exports.fix):
2484         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2485         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2486         (let.importedFun.of):
2487         (makeAnyfuncIdent): Deleted.
2488         (makeAnyfuncIdent.fun): Deleted.
2489         * wasm/references/multitable.js:
2490         (assert.eq):
2491         (assert.throws):
2492         * wasm/references/table_misc.js:
2493         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2494         * wasm/references/validation.js:
2495         (assert.throws.new.WebAssembly.Module.bin):
2496         (assert.throws):
2497         * wasm/spec-harness/index.js:
2498         * wasm/spec-harness/wasm-constants.js:
2499         * wasm/spec-harness/wasm-module-builder.js:
2500         (WasmModuleBuilder.prototype.toArray):
2501         * wasm/spec-harness/wast.js:
2502         (elem_type):
2503         (string_of_elem_type):
2504         (string_of_table_type):
2505         * wasm/spec-tests/jsapi.js:
2506         * wasm/stress/wasm-table-grow-initialize.js:
2507         * wasm/wasm.json:
2508
2509 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2510
2511         [WASM-References] Add support for Table.size, grow and fill instructions
2512         https://bugs.webkit.org/show_bug.cgi?id=198761
2513
2514         Reviewed by Yusuke Suzuki.
2515
2516         * wasm/Builder_WebAssemblyBinary.js:
2517         (const.putOp):
2518         * wasm/references/table_misc.js: Added.
2519         (TableSize.End.End.WebAssembly):
2520         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2521         * wasm/wasm.json:
2522
2523 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2524
2525         [WASM-References] Add support for multiple tables
2526         https://bugs.webkit.org/show_bug.cgi?id=198760
2527
2528         Reviewed by Saam Barati.
2529
2530         * wasm/Builder.js:
2531         * wasm/js-api/call-indirect.js:
2532         (const.oneTable):
2533         (const.multiTable):
2534         (multiTable):
2535         (multiTable.Polyphic2Import):
2536         (multiTable.VirtualImport):
2537         (const.wasmModuleWhichImportJS): Deleted.
2538         (const.makeTable): Deleted.
2539         (): Deleted.
2540         (Polyphic2Import): Deleted.
2541         (VirtualImport): Deleted.
2542         * wasm/js-api/table.js:
2543         (new.WebAssembly.Module):
2544         (assert.throws):
2545         (assertBadTableImport):
2546         (assert.truthy):
2547         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2548         * wasm/references/anyref_table.js:
2549         * wasm/references/anyref_table_import.js:
2550         (makeImport):
2551         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2552         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2553         * wasm/references/multitable.js: Added.
2554         (assert.throws.1.exports.set_tbl0):
2555         (assert.throws):
2556         (assert.eq):
2557         * wasm/references/validation.js:
2558         (assert.throws.new.WebAssembly.Module.bin):
2559         (assert.throws):
2560         * wasm/spec-tests/imports.wast.js:
2561         * wasm/wasm.json:
2562
2563         * wasm/Builder.js:
2564         * wasm/js-api/call-indirect.js:
2565         (const.oneTable):
2566         (const.multiTable):
2567         (multiTable):
2568         (multiTable.Polyphic2Import):
2569         (multiTable.VirtualImport):
2570         (const.wasmModuleWhichImportJS): Deleted.
2571         (const.makeTable): Deleted.
2572         (): Deleted.
2573         (Polyphic2Import): Deleted.
2574         (VirtualImport): Deleted.
2575         * wasm/js-api/table.js:
2576         (new.WebAssembly.Module):
2577         (assert.throws):
2578         (assertBadTableImport):
2579         (assert.truthy):
2580         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2581         * wasm/references/anyref_table.js:
2582         * wasm/references/anyref_table_import.js:
2583         (makeImport):
2584         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2585         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2586         * wasm/references/func_ref.js:
2587         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2588         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2589         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2590         * wasm/references/multitable.js: Added.
2591         (assert.throws.1.exports.set_tbl0):
2592         (assert.throws):
2593         (assert.eq):
2594         (string_appeared_here.tableInsanity):
2595         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2596         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2597         * wasm/references/validation.js:
2598         (assert.throws.new.WebAssembly.Module.bin):
2599         (assert.throws):
2600         * wasm/spec-tests/imports.wast.js:
2601         * wasm/wasm.json:
2602
2603 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2604
2605         [ESNExt] String.prototype.matchAll
2606         https://bugs.webkit.org/show_bug.cgi?id=186694
2607
2608         Reviewed by Yusuke Suzuki.
2609
2610         Implement String.prototype.matchAll.
2611         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2612
2613         * test262/config.yaml:
2614
2615 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2616
2617         DFG code should not reify the names of builtin functions with private names
2618         https://bugs.webkit.org/show_bug.cgi?id=198849
2619         <rdar://problem/51733890>
2620
2621         Reviewed by Filip Pizlo.
2622
2623         * stress/builtin-private-function-name.js: Added.
2624         (then):
2625         (PromiseLike):
2626
2627 2019-06-18  Keith Miller  <keith_miller@apple.com>
2628
2629         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2630         https://bugs.webkit.org/show_bug.cgi?id=198969
2631         <rdar://problem/51620714>
2632
2633         Reviewed by Tadeu Zagallo.
2634
2635         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2636         (catch):
2637
2638 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2639
2640         Validate that table element type is funcref if using an element section
2641         https://bugs.webkit.org/show_bug.cgi?id=198910
2642
2643         Reviewed by Yusuke Suzuki.
2644
2645         * wasm/references/anyref_table.js:
2646
2647 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2648
2649         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2650         https://bugs.webkit.org/show_bug.cgi?id=197378
2651
2652         Reviewed by Saam Barati.
2653
2654         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2655         (foo):
2656         (bar):
2657         * stress/disposable-call-site-index.js: Added.
2658         (foo):
2659         (bar):
2660
2661 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2662
2663         [WASM-References] Add support for Funcref in parameters and return types
2664         https://bugs.webkit.org/show_bug.cgi?id=198157
2665
2666         Reviewed by Yusuke Suzuki.
2667
2668         * wasm/Builder.js:
2669         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2670         * wasm/references/anyref_globals.js:
2671         * wasm/references/func_ref.js: Added.
2672         (fullGC.gc.makeExportedFunction):
2673         (makeExportedIdent):
2674         (makeAnyfuncIdent):
2675         (fun):
2676         (assert.eq.instance.exports.fix.fun):
2677         (assert.eq.instance.exports.fix):
2678         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2679         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2680         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2681         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2682         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2683         (assert.throws):
2684         (assert.throws.doTest):
2685         (let.importedFun.of):
2686         (makeAnyfuncIdent.fun):
2687         * wasm/references/validation.js:
2688         (assert.throws):
2689         * wasm/wasm.json:
2690
2691 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2692
2693         Update test262 tests (2019.06.13)
2694         https://bugs.webkit.org/show_bug.cgi?id=198821
2695
2696         Reviewed by Konstantin Tokarev.
2697
2698         * test262/expectations.yaml:
2699         * test262/harness/:
2700         * test262/latest-changes-summary.txt:
2701         * test262/test/:
2702         * test262/test262-Revision.txt:
2703
2704 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2705
2706         [JSC] Grown region of WasmTable should be initialized with null
2707         https://bugs.webkit.org/show_bug.cgi?id=198903
2708
2709         Reviewed by Saam Barati.
2710
2711         * wasm/stress/wasm-table-grow-initialize.js: Added.
2712         (shouldBe):
2713
2714 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2715
2716         Yarr bytecode compilation failure should be gracefully handled
2717         https://bugs.webkit.org/show_bug.cgi?id=198700
2718
2719         Reviewed by Michael Saboff.
2720
2721         * stress/regexp-bytecode-compilation-fail.js: Added.
2722         (shouldThrow):
2723
2724 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2725
2726         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2727         https://bugs.webkit.org/show_bug.cgi?id=198770
2728
2729         Reviewed by Saam Barati.
2730
2731         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2732         (test):
2733
2734 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2735
2736         JSC should throw if proxy set returns falsish in strict mode context
2737         https://bugs.webkit.org/show_bug.cgi?id=177398
2738
2739         Reviewed by Yusuke Suzuki.
2740
2741         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2742         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2743
2744         * stress/proxy-set.js: Add 2 test cases.
2745         * stress/regexp-match-proxy.js: Fix test.
2746         * stress/regexp-replace-proxy.js: Fix test.
2747
2748 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2749
2750         Error message for non-callable Proxy `construct` trap is misleading
2751         https://bugs.webkit.org/show_bug.cgi?id=198637
2752
2753         Reviewed by Saam Barati.
2754
2755         * stress/proxy-construct.js:
2756
2757 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2758
2759         AI BitURShift's result should not be unsigned
2760         https://bugs.webkit.org/show_bug.cgi?id=198689
2761         <rdar://problem/51550063>
2762
2763         Reviewed by Saam Barati.
2764
2765         * stress/urshift-int32-overflow.js: Added.
2766         (foo.):
2767         (foo):
2768
2769 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2770
2771         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2772
2773         Unreviewed gardening.
2774
2775         * stress/ftl-gettypedarrayoffset-wasteful.js:
2776         Skipped on arm/linux as it always times out on the bot since a change
2777         between r246270 and r246278 inclusive.
2778
2779 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2780
2781         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2782         https://bugs.webkit.org/show_bug.cgi?id=198023
2783
2784         Reviewed by Saam Barati.
2785
2786         * stress/reparsing-unlinked-codeblock.js: Added.
2787         (shouldBe):
2788         (hello):
2789
2790 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2791
2792         [JSC] Use mergePrediction in ValuePow prediction propagation
2793         https://bugs.webkit.org/show_bug.cgi?id=198648
2794
2795         Reviewed by Saam Barati.
2796
2797         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2798
2799 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2800
2801         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2802         https://bugs.webkit.org/show_bug.cgi?id=198581
2803         <rdar://problem/51099753>
2804
2805         Reviewed by Saam Barati.
2806
2807         * stress/global-object-proto-getter.js: Added.
2808         (f):
2809         (test):
2810
2811 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2812
2813         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2814         https://bugs.webkit.org/show_bug.cgi?id=198398
2815
2816         Reviewed by Saam Barati.
2817
2818         * wasm/references/anyref_table.js: Added.
2819         (string_appeared_here.doGCSet):
2820         (doGCTest):
2821         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2822         * wasm/references/anyref_table_import.js: Added.
2823         (makeImport):
2824         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2825         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2826         * wasm/references/is_null_error.js: Removed.
2827         * wasm/references/validation.js: Added.
2828         (assert.throws.new.WebAssembly.Module.bin):
2829         (assert.throws):
2830         * wasm/wasm.json:
2831
2832 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2833
2834         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2835         https://bugs.webkit.org/show_bug.cgi?id=198106
2836
2837         Reviewed by Saam Barati.
2838
2839         * wasm/regress/selectf64.js: Added.
2840         * wasm/regress/selectf64.wasm: Added.
2841         * wasm/regress/selectf64.wat: Added.
2842
2843 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2844
2845         Argument elimination should check transitive dependents for interference
2846         https://bugs.webkit.org/show_bug.cgi?id=198520
2847         <rdar://problem/50863343>
2848
2849         Reviewed by Filip Pizlo.
2850
2851         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2852         (f2):
2853         (f3):
2854
2855 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2856
2857         Argument elimination should check for negative indices in GetByVal
2858         https://bugs.webkit.org/show_bug.cgi?id=198302
2859         <rdar://problem/51188095>
2860
2861         Reviewed by Filip Pizlo.
2862
2863         * stress/eliminate-arguments-negative-rest-access.js: Added.
2864         (inlinee):
2865         (opt):
2866
2867 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2868
2869         [ESNext][BigInt] Implement support for "**"
2870         https://bugs.webkit.org/show_bug.cgi?id=190799
2871
2872         Reviewed by Saam Barati.
2873
2874         * stress/big-int-exp-basic.js: Added.
2875         * stress/big-int-exp-jit-osr.js: Added.
2876         * stress/big-int-exp-jit-untyped.js: Added.
2877         * stress/big-int-exp-jit.js: Added.
2878         * stress/big-int-exp-negative-exponent.js: Added.
2879         * stress/big-int-exp-to-primitive.js: Added.
2880         * stress/big-int-exp-type-error.js: Added.
2881         * stress/big-int-exp-wrapped-value.js: Added.
2882         * stress/value-pow-ai-rule.js: Added.
2883
2884 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2885
2886         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2887         https://bugs.webkit.org/show_bug.cgi?id=197979
2888
2889         Reviewed by Filip Pizlo.
2890
2891         * stress/16bit-code.js: Added.
2892         (shouldBe):
2893         * stress/32bit-code.js: Added.
2894         (shouldBe):
2895
2896 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2897
2898         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2899         https://bugs.webkit.org/show_bug.cgi?id=198355
2900
2901         Reviewed by Saam Barati.
2902
2903         * wasm/references/is_null.js:
2904
2905 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2906
2907         [PlayStation] Skip additional tests on PlayStation
2908         https://bugs.webkit.org/show_bug.cgi?id=198352
2909
2910         Reviewed by Don Olmstead.
2911
2912         Skip pow test on PlayStation due to behavior difference in standard library.
2913         Skip incremental marking test due to OOM on PlayStation systems.
2914
2915         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2916         * stress/math-pow-with-constants.js:
2917         * stress/pow-with-constants.js:
2918
2919 2019-05-28  Dean Jackson  <dino@apple.com>
2920
2921         Implement Promise.allSettled
2922         https://bugs.webkit.org/show_bug.cgi?id=197600
2923         <rdar://problem/50483885>
2924
2925         Reviewed by Keith Miller.
2926
2927         Start testing Promise.allSettled. We pass most of the tests.
2928         The ones that fail are similar to the Promise.all tests we already fail.
2929
2930         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2931         * test262/expectations.yaml: Add new expectations for allSettled tests.
2932
2933 2019-05-28  Michael Saboff  <msaboff@apple.com>
2934
2935         [YARR] Properly handle RegExp's that require large ParenContext space
2936         https://bugs.webkit.org/show_bug.cgi?id=198065
2937
2938         Reviewed by Keith Miller.
2939
2940         New test.
2941
2942         * stress/regexp-large-paren-context.js: Added.
2943         (testLargeRegExp):
2944
2945 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2946
2947         JITOperations putByVal should mark negative array indices as out-of-bounds
2948         https://bugs.webkit.org/show_bug.cgi?id=198271
2949
2950         Reviewed by Saam Barati.
2951
2952         * microbenchmarks/get-by-val-negative-array-index.js:
2953         (foo):
2954         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2955         is 4.2x faster than the previous commit.
2956
2957         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2958         (foo):
2959
2960 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2961
2962         JITOperations getByVal should mark negative array indices as out-of-bounds
2963         https://bugs.webkit.org/show_bug.cgi?id=198229
2964
2965         Reviewed by Saam Barati.
2966
2967         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2968         (foo):
2969
2970 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2971
2972         [WASM-References] Support Anyref in globals
2973         https://bugs.webkit.org/show_bug.cgi?id=198102
2974
2975         Reviewed by Saam Barati.
2976
2977         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2978
2979         * wasm/Builder.js:
2980         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2981         * wasm/Builder_WebAssemblyBinary.js:
2982         (const.putInitExpr):
2983         * wasm/references/anyref_globals.js: Added.
2984         (GetGlobal.0.End.End.WebAssembly):
2985         (5.doGCSet):
2986         (doGCTest):
2987         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2988
2989 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2990
2991         DFG::OSREntry should not perform arity check
2992         https://bugs.webkit.org/show_bug.cgi?id=198189
2993
2994         Reviewed by Saam Barati.
2995
2996         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2997         (foo):
2998
2999 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
3000
3001         [PlayStation] Skip additional tests on PlayStation
3002         https://bugs.webkit.org/show_bug.cgi?id=198145
3003
3004         Reviewed by Ross Kirsling.
3005
3006         * exceptionFuzz.yaml:
3007         Add skip on hostOS playstation
3008         * executableAllocationFuzz.yaml:
3009         Add skip on hostOS playstation
3010
3011 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3012
3013         createListFromArrayLike should throw if value is not an object
3014         https://bugs.webkit.org/show_bug.cgi?id=198138
3015
3016         Reviewed by Yusuke Suzuki.
3017
3018         * stress/create-list-from-array-like-not-object.js: Added.
3019         (testValid):
3020         (testInvalid):
3021         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
3022         (opt):
3023         * stress/proxy-proto-enumerator.js: Added.
3024         (main):
3025         * stress/proxy-proto-own-keys.js: Added.
3026         (assert):
3027         (ownKeys):
3028
3029 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3030
3031         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
3032         https://bugs.webkit.org/show_bug.cgi?id=197809
3033
3034         Reviewed by Michael Saboff.
3035
3036         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
3037         (foo):
3038
3039 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3040
3041         [ESNext] Implement support for Numeric Separators
3042         https://bugs.webkit.org/show_bug.cgi?id=196351
3043
3044         Reviewed by Keith Miller.
3045
3046         * stress/numeric-literal-separators.js: Added.
3047         Add tests for feature.
3048
3049         * test262/expectations.yaml:
3050         Mark 60 test cases as passing.
3051
3052 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3053
3054         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
3055         https://bugs.webkit.org/show_bug.cgi?id=198120
3056         <rdar://problem/49668795>
3057
3058         Reviewed by Michael Saboff.
3059
3060         * stress/get-array-length-concurrently-change-mode.js: Added.
3061         (main):
3062
3063 2019-05-22  Commit Queue  <commit-queue@webkit.org>
3064
3065         Unreviewed, rolling out r245634.
3066         https://bugs.webkit.org/show_bug.cgi?id=198140
3067
3068         'This patch makes JSC crash on launch in debug builds'
3069         (Requested by tadeuzagallo on #webkit).
3070
3071         Reverted changeset:
3072
3073         "[ESNext] Implement support for Numeric Separators"
3074         https://bugs.webkit.org/show_bug.cgi?id=196351
3075         https://trac.webkit.org/changeset/245634
3076
3077 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3078
3079         Stack-buffer-overflow in decodeURIComponent
3080         https://bugs.webkit.org/show_bug.cgi?id=198109
3081         <rdar://problem/50397550>
3082
3083         Reviewed by Michael Saboff.
3084
3085         * stress/decode-uri-icu-count-trail-bytes.js: Added.
3086         (i.j.try.i.toString):
3087         (i.j.catch):
3088
3089 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3090
3091         Don't clear PropertyNameArray in Proxy code
3092         https://bugs.webkit.org/show_bug.cgi?id=197691
3093
3094         Reviewed by Saam Barati.
3095
3096         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
3097         (shouldBe):
3098         (opt):
3099
3100 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3101
3102         [ESNext] Implement support for Numeric Separators
3103         https://bugs.webkit.org/show_bug.cgi?id=196351
3104
3105         Reviewed by Keith Miller.
3106
3107         * stress/numeric-literal-separators.js: Added.
3108         Add tests for feature.
3109
3110         * test262/expectations.yaml:
3111         Mark 60 test cases as passing.
3112
3113 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3114
3115         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
3116         https://bugs.webkit.org/show_bug.cgi?id=198101
3117
3118         Reviewed by Michael Saboff.
3119
3120         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
3121         (shouldBe):
3122
3123 2019-05-20  Keith Miller  <keith_miller@apple.com>
3124
3125         Cleanup Yarr regexp code around paren contexts.
3126         https://bugs.webkit.org/show_bug.cgi?id=198063
3127
3128         Reviewed by Yusuke Suzuki.
3129
3130         * stress/regexp-many-named-sequential-capture-groups.js: Added.
3131         (i.s):
3132         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
3133
3134 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
3135
3136         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
3137         https://bugs.webkit.org/show_bug.cgi?id=197969
3138
3139         Reviewed by Keith Miller.
3140
3141         Support the anyref type in Builder.js, plus add some extra error logging.
3142         Add new folder for wasm references tests.
3143
3144         * wasm.yaml:
3145         * wasm/Builder.js:
3146         (const._isValidValue):
3147         * wasm/references/anyref_modules.js: Added.
3148         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
3149         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
3150         (Call.3.RefIsNull.End.End.WebAssembly):
3151         (undefined):
3152         * wasm/references/is_null.js: Added.
3153         * wasm/references/is_null_error.js: Added.
3154         * wasm/spec-harness/index.js:
3155         * wasm/wasm.json:
3156
3157 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
3158
3159         [JSC] Invalid AssignmentTargetType should be an early error.
3160         https://bugs.webkit.org/show_bug.cgi?id=197603
3161
3162         Reviewed by Keith Miller.
3163
3164         * test262/expectations.yaml:
3165         Update expectations to reflect new SyntaxErrors.
3166         (Ideally, these should all be viewed as passing in the near future.)
3167
3168         * stress/async-await-basic.js:
3169         * stress/big-int-literals.js:
3170         Update tests to reflect new SyntaxErrors.
3171
3172         * ChakraCore.yaml:
3173         * ChakraCore/test/EH/try6.baseline-jsc:
3174         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
3175         Update baselines to reflect new SyntaxErrors.
3176
3177 2019-05-15  Saam Barati  <sbarati@apple.com>
3178
3179         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
3180         https://bugs.webkit.org/show_bug.cgi?id=197855
3181         <rdar://problem/50236506>
3182
3183         Reviewed by Michael Saboff.
3184
3185         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
3186         (f0):
3187         (bar):
3188         (foo):
3189         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
3190         (f1):
3191         (f2):
3192         (foo):
3193
3194 2019-05-14  Keith Miller  <keith_miller@apple.com>
3195
3196         Fix issue with byteOffset on ARM64E
3197         https://bugs.webkit.org/show_bug.cgi?id=197884
3198
3199         Reviewed by Saam Barati.
3200
3201         We didn't have any tests that run with non-byte/non-zero offset
3202         typed arrays.
3203
3204         * stress/ftl-gettypedarrayoffset-wasteful.js:
3205
3206 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
3207
3208         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
3209         https://bugs.webkit.org/show_bug.cgi?id=197833
3210
3211         Reviewed by Darin Adler.
3212
3213         * stress/generator-name.js: Added.
3214         (shouldBe):
3215         (gen):
3216         (catch):
3217
3218 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
3219
3220         JSObject::getOwnPropertyDescriptor is missing an exception check
3221         https://bugs.webkit.org/show_bug.cgi?id=197693
3222         <rdar://problem/50441784>
3223
3224         Reviewed by Saam Barati.
3225
3226         * stress/proxy-spread.js: Added.
3227         (foo):
3228
3229 2019-05-10  Saam barati  <sbarati@apple.com>
3230
3231         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
3232         https://bugs.webkit.org/show_bug.cgi?id=197807
3233         <rdar://problem/50530400>
3234
3235         Reviewed by Yusuke Suzuki.
3236
3237         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
3238         (test.getInstance):
3239         (test):
3240
3241 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
3242
3243         [Test262] Unreviewed expectations update following r245188.
3244
3245         * test262/config.yaml:
3246         * test262/expectations.yaml:
3247
3248         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
3249         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
3250         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
3251         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
3252         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
3253         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
3254         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
3255         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
3256         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
3257         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
3258         These files have invalid YAML comments. Will also submit corrections back to Test262.
3259
3260 2019-05-10  Keith Miller  <keith_miller@apple.com>
3261
3262         Update test262 tests.
3263
3264         Rubber-stamped by Yusuke Suzuki.
3265
3266         * test262/*: mega-patch too many things to list individually.
3267
3268 2019-05-09  Keith Miller  <keith_miller@apple.com>
3269
3270         Unreviewed, fix test to have a try-catch.
3271
3272         * stress/many-nested-functions-parser-stack-overflow.js:
3273         (catch):
3274
3275 2019-05-09  Keith Miller  <keith_miller@apple.com>
3276
3277         parseStatementListItem needs a stack overflow check
3278         https://bugs.webkit.org/show_bug.cgi?id=197749
3279
3280         Reviewed by Saam Barati.
3281
3282         * stress/many-nested-functions-parser-stack-overflow.js: Added.
3283
3284 2019-05-08  Saam barati  <sbarati@apple.com>
3285
3286         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
3287         https://bugs.webkit.org/show_bug.cgi?id=197715
3288         <rdar://problem/50399252>
3289
3290         Reviewed by Filip Pizlo.
3291
3292         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
3293         (foo):
3294         (bar):
3295
3296 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3297
3298         Unreviewed, rolling out r245068.
3299
3300         Caused debug layout tests to exit early due to an assertion
3301         failure.
3302
3303         Reverted changeset:
3304
3305         "All prototypes should call didBecomePrototype()"
3306         https://bugs.webkit.org/show_bug.cgi?id=196315
3307         https://trac.webkit.org/changeset/245068
3308
3309 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3310
3311         Invalid DFG JIT generation in high CPU usage state
3312         https://bugs.webkit.org/show_bug.cgi?id=197453
3313
3314         Reviewed by Saam Barati.
3315
3316         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3317         (trigger):
3318         (main):
3319
3320 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3321
3322         All prototypes should call didBecomePrototype()
3323         https://bugs.webkit.org/show_bug.cgi?id=196315
3324
3325         Reviewed by Saam Barati.
3326
3327         This changelog already landed, but the commit was missing the actual changes.
3328
3329         * stress/function-prototype-indexed-accessor.js: Added.
3330
3331 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3332
3333         [BigInt] Add ValueMod into DFG
3334         https://bugs.webkit.org/show_bug.cgi?id=186174
3335
3336         Reviewed by Saam Barati.
3337
3338         * microbenchmarks/mod-untyped.js: Added.
3339         * stress/big-int-mod-osr.js: Added.
3340         * stress/value-div-ai-rule.js: Added.
3341         * stress/value-mod-ai-rule.js: Added.
3342
3343 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3344
3345         [JSC] DFG_ASSERT failed in lowInt52
3346         https://bugs.webkit.org/show_bug.cgi?id=197569
3347
3348         Reviewed by Saam Barati.
3349
3350         * stress/getstack-int52.js: Added.
3351         (opt):
3352         (main):
3353
3354 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3355
3356         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3357         https://bugs.webkit.org/show_bug.cgi?id=197479
3358
3359         Reviewed by Saam Barati.
3360
3361         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3362         (shouldBe):
3363
3364 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3365
3366         TemplateObject passed to template literal tags are not always identical for the same source location.
3367         https://bugs.webkit.org/show_bug.cgi?id=190756
3368
3369         Reviewed by Saam Barati.
3370
3371         * complex.yaml:
3372         * complex/tagged-template-regeneration-after.js: Added.
3373         (shouldBe):
3374         * complex/tagged-template-regeneration.js: Added.
3375         (call):
3376         (test):
3377         * modules/tagged-template-inside-module.js: Added.
3378         (from.string_appeared_here.call):
3379         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3380         (call):
3381         (export.otherTaggedTemplates):
3382         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3383         (shouldBe):
3384         (call):
3385         (poly):
3386         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3387         (shouldBe):
3388         (call):
3389         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3390         (shouldBe):
3391         (call):
3392         (test):
3393         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3394         (shouldBe):
3395         (call):
3396         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3397         (shouldBe):
3398         (call):
3399         * stress/tagged-templates-in-multiple-functions.js: Added.
3400         (shouldBe):
3401         (call):
3402         (a):
3403         (b):
3404         (c):
3405         * stress/tagged-templates-with-same-start-offset.js: Added.
3406         (shouldBe):
3407
3408 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3409
3410         All prototypes should call didBecomePrototype()
3411         https://bugs.webkit.org/show_bug.cgi?id=196315
3412
3413         Reviewed by Saam Barati.
3414
3415         * stress/function-prototype-indexed-accessor.js: Added.
3416
3417 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3418
3419         Unreviewed, rolling out r244978.
3420         https://bugs.webkit.org/show_bug.cgi?id=197671
3421
3422         TemplateObject map should use start/end offsets (Requested by
3423         yusukesuzuki on #webkit).
3424
3425         Reverted changeset:
3426
3427         "TemplateObject passed to template literal tags are not always
3428         identical for the same source location."
3429         https://bugs.webkit.org/show_bug.cgi?id=190756
3430         https://trac.webkit.org/changeset/244978
3431
3432 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3433
3434         tryCachePutByID should not crash if target offset changes
3435         https://bugs.webkit.org/show_bug.cgi?id=197311
3436         <rdar://problem/48033612>
3437
3438         Reviewed by Filip Pizlo.
3439
3440         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
3441         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`.
3442
3443         * stress/cache-put-by-id-delete-prototype.js: Added.
3444         (A.prototype.set y):
3445         (A):
3446         (B.prototype.set y):
3447         (B):
3448         (C):
3449         * stress/cache-put-by-id-different-__proto__.js: Added.
3450         (A.prototype.set y):
3451         (A):
3452         (B1):
3453         (B2.prototype.set y):
3454         (B2):
3455         (C):
3456         (D):
3457         * stress/cache-put-by-id-different-attributes.js: Added.
3458         (Foo):
3459         (set x):
3460         * stress/cache-put-by-id-different-offset.js: Added.
3461         (Foo):
3462         (set x):
3463         * stress/cache-put-by-id-insert-prototype.js: Added.
3464         (A.prototype.set y):
3465         (A):
3466         (C):
3467         * stress/cache-put-by-id-poly-proto.js: Added.
3468         (Foo):
3469         (set _):
3470         (createBar.Bar):
3471         (createBar):
3472
3473 2019-05-07  Saam Barati  <sbarati@apple.com>
3474
3475         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3476         https://bugs.webkit.org/show_bug.cgi?id=197531
3477         <rdar://problem/50162379>
3478
3479         Reviewed by Yusuke Suzuki.
3480
3481         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3482
3483 2019-05-06  Dean Jackson  <dino@apple.com>
3484
3485         Update test262 expectations for Proxy passes
3486         https://bugs.webkit.org/show_bug.cgi?id=197628
3487
3488         Reviewed by Yusuke Suzuki.
3489
3490         There are two consistent passes in Proxy.ownKeys.
3491
3492         * test262/expectations.yaml:
3493
3494 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3495
3496         [JSC] We should check OOM for description string of Symbol
3497         https://bugs.webkit.org/show_bug.cgi?id=197634
3498
3499         Reviewed by Keith Miller.
3500
3501         * stress/check-symbol-description-oom.js: Added.
3502         (shouldThrow):
3503
3504 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3505
3506         Unreviewed, land one more test
3507         https://bugs.webkit.org/show_bug.cgi?id=197587
3508
3509         * stress/setter-frame-flush.js: Added.
3510         (setter):
3511         (foo):
3512         (bar):
3513
3514 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3515
3516         TemplateObject passed to template literal tags are not always identical for the same source location.
3517         https://bugs.webkit.org/show_bug.cgi?id=190756
3518
3519         Reviewed by Saam Barati.
3520
3521         * complex.yaml:
3522         * complex/tagged-template-regeneration-after.js: Added.
3523         (shouldBe):
3524         * complex/tagged-template-regeneration.js: Added.
3525         (call):
3526         (test):
3527         * modules/tagged-template-inside-module.js: Added.
3528         (from.string_appeared_here.call):
3529         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3530         (call):
3531         (export.otherTaggedTemplates):
3532         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3533         (shouldBe):
3534         (call):
3535         (poly):
3536         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3537         (shouldBe):
3538         (call):
3539         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3540         (shouldBe):
3541         (call):
3542         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3543         (shouldBe):
3544         (call):
3545         * stress/tagged-templates-in-multiple-functions.js: Added.
3546         (shouldBe):
3547         (call):
3548         (a):
3549         (b):
3550         (c):
3551
3552 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3553
3554         [PlayStation] JSC Stress tests failing due to timezone printing
3555         https://bugs.webkit.org/show_bug.cgi?id=197615
3556
3557         PlayStation's strftime does not give timezone strings, which
3558         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3559         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3560         which causes diff failures with the expectations. Add expectations
3561         without the timezone string and use those on playstation.
3562
3563         Reviewed by Ross Kirsling.
3564
3565         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3566         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3567         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3568         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3569
3570 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3571
3572         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3573         https://bugs.webkit.org/show_bug.cgi?id=197587
3574
3575         Reviewed by Sam Weinig.
3576
3577         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3578
3579         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3580
3581 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3582
3583         TypedArrays should not store properties that are canonical numeric indices
3584         https://bugs.webkit.org/show_bug.cgi?id=197228
3585         <rdar://problem/49557381>
3586
3587         Reviewed by Saam Barati.
3588
3589         * stress/array-species-config-array-constructor.js:
3590         (test):
3591         * stress/put-direct-index-broken-2.js:
3592         * stress/typed-array-canonical-numeric-index-string.js: Added.
3593         (makeTest.assert):
3594         (makeTest):
3595         (const.testInvalidIndices.makeTest.set assert):
3596         (const.testInvalidIndices.makeTest):
3597         (const.makeTestValidIndex.configurable.set assert):
3598         (const.makeTestValidIndex.configurable):
3599         * stress/typedarray-access-monomorphic-neutered.js:
3600         (checkNoException):
3601         (testNoException):
3602         (testFTLNoException):
3603         * stress/typedarray-access-neutered.js:
3604         (testNoException):
3605         * stress/typedarray-getownproperty-not-configurable.js:
3606         (foo):
3607         * test262/expectations.yaml:
3608
3609 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3610
3611         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3612         https://bugs.webkit.org/show_bug.cgi?id=197584
3613
3614         Reviewed by Saam Barati.
3615
3616         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3617         (X):
3618         (foo):
3619
3620 2019-05-03  Michael Saboff  <msaboff@apple.com>
3621
3622         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3623         https://bugs.webkit.org/show_bug.cgi?id=197586
3624
3625         Reviewed by Keith Miller.
3626
3627         We should only run one config of this test and only when we think we'll have the memory.
3628
3629         * stress/json-stringify-string-builder-overflow.js:
3630
3631 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3632
3633         [JSC] Generator CodeBlock generation should be idempotent
3634         https://bugs.webkit.org/show_bug.cgi?id=197552
3635
3636         Reviewed by Keith Miller.
3637
3638         Add complex.yaml, which controls how to run JSC shell more.
3639         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3640
3641         * complex.yaml: Added.
3642         * complex/generator-regeneration-after.js: Added.
3643         * complex/generator-regeneration.js: Added.
3644         (gen):
3645
3646 2019-05-02  Michael Saboff  <msaboff@apple.com>
3647
3648         Unreviewed rollout of r244862.
3649
3650         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3651
3652 2019-05-01  Saam barati  <sbarati@apple.com>
3653
3654         Baseline JIT should do argument value profiling after checking for stack overflow
3655         https://bugs.webkit.org/show_bug.cgi?id=197052
3656         <rdar://problem/50009602>
3657
3658         Reviewed by Yusuke Suzuki.
3659
3660         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3661
3662 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3663
3664         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3665         https://bugs.webkit.org/show_bug.cgi?id=197405
3666
3667         Reviewed by Saam Barati.
3668
3669         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3670         (foo):
3671         (test):
3672         (i.o.get f):
3673         (i.o.set f):
3674
3675 2019-05-01  Michael Saboff  <msaboff@apple.com>
3676
3677         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3678         https://bugs.webkit.org/show_bug.cgi?id=197485
3679
3680         Reviewed by Saam Barati.
3681
3682         New test.
3683
3684         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3685         (foo):
3686
3687 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3688
3689         Unreviewed correction to Test262 expectations following r244828.
3690
3691         * test262/expectations.yaml:
3692
3693 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3694
3695         Add memory-limited skipping to some tests generating very large strings
3696         https://bugs.webkit.org/show_bug.cgi?id=197437
3697
3698         Reviewed by Ross Kirsling.