[WebKit-https.git] / JSTests / ChangeLog
1 2019-10-01  Keith Miller  <keith_miller@apple.com>
2
3         skip test until we figure out why it's timing out
4         https://bugs.webkit.org/show_bug.cgi?id=202423
5
6         Reviewed by Mark Lam.
7
8         new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
9         Let's skip it until we figure out what's going on.
10
11         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
12
13 2019-10-01  Keith Miller  <keith_miller@apple.com>
14
15         Mark toctou test as skipped on debug builds
16         https://bugs.webkit.org/show_bug.cgi?id=202420
17
18         Reviewed by Saam Barati.
19
20         Keeps timing out... Let's just skip it.
21
22         * stress/toctou-having-a-bad-time-new-array.js:
23
24 2019-10-01  Keith Miller  <keith_miller@apple.com>
25
26         Test262 update
27
28         Rubber-stamped by Michael Saboff.
29
30         Note, this was too big to effectively put on bugzilla as it's a 10MB patch...
31
32         * test262/*:
33
34 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
35
36         [YARR] Properly handle surrogates when matching back references
37         https://bugs.webkit.org/show_bug.cgi?id=202041
38
39         Reviewed by Keith Miller.
40
41         Unchanged from the work in progress patch posted by Paulo Matos <pmatos@igalia.com>.
42
43         Updated test.
44
45         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
46         (testRegExpNotMatch):
47
48 2019-10-01  Keith Miller  <keith_miller@apple.com>
49
50         Add support for the Wasm multi-value proposal
51         https://bugs.webkit.org/show_bug.cgi?id=202250
52
53         Reviewed by Saam Barati.
54
55         This patch adds a new way to run stress tests via the .wat text
56         format. By attaching an asm.js compiled version of the wabt tool
57         we can easily create wat files programmatically and convert them
58         into a wasm blob to compile. To make this easy there is a
59         wabt-wrapper.js module file that exports two useful functions that
60         correspond to WebAssembly.compile and WebAssembly.instantiate.
61
62         * wasm.yaml:
63         * wasm/function-tests/if-no-else-non-void.js:
64         * wasm/js-api/web-assembly-instantiate.js:
65         (assert.asyncTest.async.test):
66         (assert.asyncTest):
67         * wasm/libwabt.js: Added.
68         (WabtModule):
69         (set get if):
70         * wasm/references/func_ref.js:
71         * wasm/references/validation.js:
72         (assert.throws):
73         * wasm/spec-harness/index.js:
74         * wasm/spec-tests/block.wast.js:
75         * wasm/spec-tests/br.wast.js:
76         * wasm/spec-tests/br_if.wast.js:
77         * wasm/spec-tests/call.wast.js:
78         * wasm/spec-tests/call_indirect.wast.js:
79         * wasm/spec-tests/func.wast.js:
80         * wasm/spec-tests/if.wast.js:
81         * wasm/spec-tests/loop.wast.js:
82         * wasm/spec-tests/type.wast.js:
83         * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
84         (buildWat):
85         * wasm/stress/js-wasm-js-varying-arities.js: Added.
86         (paramForwarder):
87         * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
88         (buildWat):
89         * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
90         (buildWat.throwError):
91         (buildWat.throwErrorInIterator):
92         (buildWat.tooManyValues):
93         (buildWat.tooFewValues):
94         (buildWat):
95         * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
96         (buildWat):
97         * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
98         (buildWat):
99         * wasm/wabt-wrapper.js: Added.
100         (export.compile):
101         * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
102         * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
103         * wasm/wast-tests/harness.js:
104         (async.runWasmFile):
105         * wasm/wast-tests/single-param-loop-signature.wasm: Added.
106         * wasm/wast-tests/single-param-loop-signature.wast: Added.
107
108 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
109
110         Make assertion in JSObject::putOwnDataProperty more precise
111         https://bugs.webkit.org/show_bug.cgi?id=202379
112         <rdar://problem/49515980>
113
114         Reviewed by Yusuke Suzuki.
115
116         * stress/object-assign-target-proto-setter.js: Added.
117         (get Object):
118
119 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
120
121         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
122         https://bugs.webkit.org/show_bug.cgi?id=202389
123         <rdar://problem/50717564>
124
125         Reviewed by Mark Lam.
126
127         * stress/heap-analyzer-taking-lock.js: Added.
128
129 2019-09-30  Saam Barati  <sbarati@apple.com>
130
131         Inline caching is wrong for custom accessors and custom values
132         https://bugs.webkit.org/show_bug.cgi?id=201994
133         <rdar://problem/50850326>
134
135         Reviewed by Yusuke Suzuki.
136
137         * microbenchmarks/custom-accessor-materialized.js: Added.
138         (assert):
139         (test4.get const):
140         * microbenchmarks/custom-accessor-thin-air.js: Added.
141         (assert):
142         (test5.get const):
143         (test5.get proto):
144         * microbenchmarks/custom-accessor.js: Added.
145         (assert):
146         (test3.get const):
147         * microbenchmarks/custom-value-2.js: Added.
148         (assert):
149         (test1.getMultiline):
150         (test1):
151         * microbenchmarks/custom-value.js: Added.
152         (assert):
153         (test1.getMultiline):
154         (test1):
155         * stress/custom-accessor-delete-1.js: Added.
156         (assert):
157         (test3.get const):
158         * stress/custom-accessor-delete-2.js: Added.
159         (assert):
160         (test4.get const):
161         * stress/custom-accessor-delete-3.js: Added.
162         (assert):
163         (test5.get const):
164         (test5.get proto):
165         * stress/custom-value-delete-property-1.js: Added.
166         (assert):
167         (test1.getMultiline):
168         (test1):
169         * stress/custom-value-delete-property-2.js: Added.
170         (test2.foo):
171         (test2):
172         * stress/custom-value-delete-property-3.js: Added.
173         (test6.foo):
174         (test6):
175
176 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
177
178         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
179         https://bugs.webkit.org/show_bug.cgi?id=202382
180         <rdar://problem/52669112>
181
182         Reviewed by Saam Barati.
183
184         * stress/compare-eq-bool-number-folding.js: Added.
185         (test):
186
187 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
188
189         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
190         https://bugs.webkit.org/show_bug.cgi?id=202330
191
192         Reviewed by Saam Barati.
193
194         * stress/to-lower-case-gc-stress.js: Added.
195
196 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
197
198         Non-standard Error properties should not be enumerable
199         https://bugs.webkit.org/show_bug.cgi?id=198975
200
201         Reviewed by Ross Kirsling.
202
203         * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
204         * microbenchmarks/let-for-in.js: Adjust test.
205         * test262/expectations.yaml: Mark 6 test cases as passing.
206
207 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
208
209         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
210         https://bugs.webkit.org/show_bug.cgi?id=202299
211         <rdar://problem/52669116>
212
213         Reviewed by Saam Barati.
214
215         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
216         (foo):
217         (test):
218         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
219         (foo):
220         (C1.prototype.baz):
221         (C1):
222         (bar):
223         (noInline.bar.goo):
224         (C2.prototype.baz):
225         (C2):
226         (test):
227
228 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
229
230         toExponential, toFixed, and toPrecision should allow arguments up to 100
231         https://bugs.webkit.org/show_bug.cgi?id=199163
232
233         Reviewed by Ross Kirsling.
234
235         * ChakraCore/test/Number/toString_3.baseline-jsc:
236         * ChakraCore/test/es5/exceptions3.baseline-jsc:
237         * test262/expectations.yaml: Mark 6 test cases as passing.
238
239 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
240
241         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined
242         https://bugs.webkit.org/show_bug.cgi?id=154376
243
244         Reviewed by Ross Kirsling.
245
246         Adds 2 test cases:
247         1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
248         2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
249
250         * stress/proxy-get-own-property.js:
251
252 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
253
254         [BigInt] Add ValueBitRShift into DFG
255         https://bugs.webkit.org/show_bug.cgi?id=192663
256
257         Reviewed by Robin Morisset.
258
259         * stress/big-int-right-shift-jit-osr.js: Added.
260         * stress/big-int-right-shift-jit-untyped.js: Added.
261         * stress/big-int-right-shift-jit.js: Added.
262         * stress/value-rshift-ai-rule.js: Added.
263
264 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
265
266         Array methods should throw TypeError upon attempting to modify a string
267         https://bugs.webkit.org/show_bug.cgi?id=201910
268
269         Reviewed by Keith Miller.
270
271         * stress/array-methods-should-not-modify-string.js: Added.
272
273         * mozilla/js1_6/Array/regress-304828.js:
274         Fix test. Original copy was changed similarly seven years ago:
275         https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
276
277         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
278         Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
279
280 2019-09-23  Mark Lam  <mark.lam@apple.com>
281
282         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
283         https://bugs.webkit.org/show_bug.cgi?id=202122
284         <rdar://problem/55535249>
285
286         Reviewed by Yusuke Suzuki.
287
288         * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
289
290 2019-09-23  Caio Lima  <ticaiolima@gmail.com>
291
292         Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
293         https://bugs.webkit.org/show_bug.cgi?id=202113
294
295         Unreviewed test gardening, skipped test in ARMv7 and MIPS.
296
297         It is going to be fixed in
298         https://bugs.webkit.org/show_bug.cgi?id=202041
299
300         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
301
302 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
303
304         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
305         https://bugs.webkit.org/show_bug.cgi?id=202072
306
307         Reviewed by Mark Lam.
308
309         * stress/int52rep-with-double-checks-int52-range.js: Added.
310         (shouldBe):
311         (test):
312
313 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
314
315         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
316         https://bugs.webkit.org/show_bug.cgi?id=202011
317
318         Reviewed by Mark Lam.
319
320         We are skipping this test on MIPS and ARMv7 because some of its assumptions
321         are not valid for them. The current behavior of the test on those architectures
322         is that it does not throw at the `new ArrayBuffer(1000)` allocation site,
323         because eden collection keeps happening between iterations. The collection
324         is triggered on those architectures because the amount of stress
325         `new Promise` generates into GC limits is not enough to avoid them
326         while the loop is executing.
327
328         Changing the size of `UInt8Array` from `80000000` to `160000000` can
329         be an alternative fix to avoid collection happening during `ArrayBuffer`
330         allocation loop, but we can't guarantee this test is always going to execute
331         without error when Gigacage is disabled, given we can reach an OOM state in
332         some allocations that need to succeed, making this test flaky for those
333         architectures.
334
335         * stress/test-out-of-memory.js:
336
337 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
338
339         AccessCase should strongly visit its dependencies while on stack
340         https://bugs.webkit.org/show_bug.cgi?id=201986
341         <rdar://problem/55521953>
342
343         Reviewed by Saam Barati and Yusuke Suzuki.
344
345         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
346         (foo):
347         (warmup):
348
349 2019-09-20  Saam Barati  <sbarati@apple.com>
350
351         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
352
353         * stress/toctou-having-a-bad-time-new-array.js:
354
355 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
356
357         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
358         https://bugs.webkit.org/show_bug.cgi?id=202014
359
360         Reviewed by Saam Barati.
361
362         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
363         (__v0):
364
365 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
366
367         Syntax checker should report duplicate __proto__ properties
368         https://bugs.webkit.org/show_bug.cgi?id=201897
369         <rdar://problem/53201788>
370
371         Reviewed by Mark Lam.
372
373         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
374         (catch):
375
376 2019-09-18  Saam Barati  <sbarati@apple.com>
377
378         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
379         https://bugs.webkit.org/show_bug.cgi?id=201953
380         <rdar://problem/53803524>
381
382         Reviewed by Yusuke Suzuki.
383
384         * stress/toctou-having-a-bad-time-new-array.js: Added.
385         (let.code):
386
387 2019-09-18  Saam Barati  <sbarati@apple.com>
388
389         Phantom insertion phase may disagree with arguments forwarding about live ranges
390         https://bugs.webkit.org/show_bug.cgi?id=200715
391         <rdar://problem/54301717>
392
393         Reviewed by Yusuke Suzuki.
394
395         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
396         (main.v23):
397         (main.try.v43):
398         (main.):
399         (main):
400
401 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
402
403         [JSC] Generator should have internal fields
404         https://bugs.webkit.org/show_bug.cgi?id=201159
405
406         Reviewed by Keith Miller.
407
408         * stress/create-generator.js: Added.
409         (shouldBe):
410         (test.generator):
411         (test):
412         * stress/generator-construct-failure.js: Added.
413         (shouldThrow):
414         (TypeError):
415         * stress/generator-prototype-change.js: Added.
416         (shouldBe):
417         (gen):
418         * stress/generator-prototype-closure.js: Added.
419         (shouldBe):
420         (test.gen):
421         (test):
422         * stress/object-assign-fast-path.js:
423
424 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
425
426         Follow-up after String.codePointAt optimization
427         https://bugs.webkit.org/show_bug.cgi?id=201889
428
429         Reviewed by Saam Barati.
430
431         * stress/string-char-at-bad-type.js: Added.
432         (shouldBe):
433         (object.toString):
434         (test):
435         * stress/string-char-code-at-bad-type.js: Added.
436         (shouldBe):
437         (object.toString):
438         (test):
439         * stress/string-code-point-at-bad-type.js: Added.
440         (shouldBe):
441         (object.toString):
442         (test):
443
444 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
445
446         [JSC] CheckArray+NonArray is not filtering out Array in AI
447         https://bugs.webkit.org/show_bug.cgi?id=201857
448         <rdar://problem/54194820>
449
450         Reviewed by Keith Miller.
451
452         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
453         (foo):
454
455 2019-09-17  Saam Barati  <sbarati@apple.com>
456
457         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
458         https://bugs.webkit.org/show_bug.cgi?id=201853
459         <rdar://problem/53805461>
460
461         Reviewed by Yusuke Suzuki.
462
463         * stress/direct-arguments-check-array-filter-type.js: Added.
464         (foo):
465
466 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
467
468         Wasm StreamingParser should validate that number of functions matches number of declarations
469         https://bugs.webkit.org/show_bug.cgi?id=201850
470         <rdar://problem/55290186>
471
472         Reviewed by Yusuke Suzuki.
473
474         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
475         (catch):
476
477 2019-09-16  Michael Saboff  <msaboff@apple.com>
478
479         [JSC] Perform check again when we found non-BMP characters
480         https://bugs.webkit.org/show_bug.cgi?id=201647
481
482         Reviewed by Yusuke Suzuki.
483
484         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
485         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
486         (testRegExpInbounds):
487
488 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
489
490         [JSC] Add missing syntax errors for await in function parameter default expressions
491         https://bugs.webkit.org/show_bug.cgi?id=201615
492
493         Reviewed by Darin Adler.
494
495         * stress/async-await-reserved-word.js:
496         * stress/async-await-syntax.js:
497         Add test cases.
498
499         * test262/expectations.yaml:
500         Mark newly-passing test cases.
501
502 2019-09-16  Saam Barati  <sbarati@apple.com>
503
504         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
505         https://bugs.webkit.org/show_bug.cgi?id=200386
506         <rdar://problem/53854946>
507
508         Reviewed by Yusuke Suzuki.
509
510         * stress/proxy-__proto__-in-prototype-chain.js: Added.
511         * stress/proxy-property-replace-structure-transition.js: Added.
512
513 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
514
515         Date.prototype.toJSON does not execute steps 1-2
516         https://bugs.webkit.org/show_bug.cgi?id=105282
517
518         Reviewed by Ross Kirsling.
519
520         * test262/expectations.yaml: Mark 2 test cases as passing.
521
522 2019-09-12  Mark Lam  <mark.lam@apple.com>
523
524         Harden JSC against the abuse of runtime options.
525         https://bugs.webkit.org/show_bug.cgi?id=201597
526         <rdar://problem/55167068>
527
528         Reviewed by Filip Pizlo.
529
530         Remove the call to forceGCSlowPaths().  This utility function will be removed.
531         The modern way to set the required option is to use //@ requireOptions.
532
533         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
534
535 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
536
537         [JSC] Add StringCodePointAt intrinsic
538         https://bugs.webkit.org/show_bug.cgi?id=201673
539
540         Reviewed by Michael Saboff.
541
542         * stress/string-char-at-constant-index-out-of-range.js: Added.
543         (shouldBe):
544         (test):
545         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
546         (shouldBe):
547         (test):
548         * stress/string-code-point-at--out-of-range.js: Added.
549         (shouldBe):
550         (test):
551         * stress/string-code-point-at-basic.js: Added.
552         (test):
553         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
554         (shouldBe):
555         (test):
556         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
557         (shouldBe):
558         (test):
559         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
560         (shouldBe):
561         (test):
562         (breaking):
563         * stress/string-code-point-at-surrogate-pair.js: Added.
564         (shouldBe):
565         * stress/string-code-point-at.js: Added.
566         (shouldBe):
567
568 2019-09-10  Michael Saboff  <msaboff@apple.com>
569
570         JSC crashes due to stack overflow while building RegExp
571         https://bugs.webkit.org/show_bug.cgi?id=201649
572
573         Reviewed by Yusuke Suzuki.
574
575         New regression test.
576
577         * stress/regexp-bol-optimize-out-of-stack.js: Added.
578         (test):
579         (catch):
580
581 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
582
583         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
584         https://bugs.webkit.org/show_bug.cgi?id=189043
585
586         Reviewed by Keith Miller.
587
588         The offset performing the validation becomes a bit different.
589         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
590
591         * wasm/js-api/version.js:
592
593 2019-09-07  Keith Miller  <keith_miller@apple.com>
594
595         OSR entry into wasm misses some contexts
596         https://bugs.webkit.org/show_bug.cgi?id=201569
597
598         Reviewed by Yusuke Suzuki.
599
600         Add a new harness and wast and the generated wasm file for
601         testing. The idea long term is to make it easy to test by creating
602         a C file and converting it to a wast then modify that to produce a
603         test.
604
605         * wasm.yaml:
606         * wasm/wast-tests/harness.js: Added.
607         (async.runWasmFile):
608         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
609         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
610         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
611         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
612         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
613         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
614         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
615         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
616
617 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
618
619         [JSC] Promise resolve/reject functions should be created more efficiently
620         https://bugs.webkit.org/show_bug.cgi?id=201488
621
622         Reviewed by Mark Lam.
623
624         * microbenchmarks/promise-creation-many.js: Added.
625         (executor):
626
627 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
628
629         Unreviewed JSC test gardening.
630
631         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
632         This test allocates a 2GB string before it goes out and tests
633         out-of-memory exception when appending other strings to it. As such,
634         skip the test on memory-limited platforms.
635
636 2019-09-07  Mark Lam  <mark.lam@apple.com>
637
638         The jsc shell should allow disabling of the Gigacage for testing purposes.
639         https://bugs.webkit.org/show_bug.cgi?id=201579
640
641         Reviewed by Michael Saboff.
642
643         Unskip the tests now.
644
645         * stress/disable-gigacage-arrays.js:
646         * stress/disable-gigacage-strings.js:
647         * stress/disable-gigacage-typed-arrays.js:
648
649 2019-09-07  Mark Lam  <mark.lam@apple.com>
650
651         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
652
653         Not reviewed.
654
655         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
656
657         * stress/disable-gigacage-arrays.js:
658         * stress/disable-gigacage-strings.js:
659         * stress/disable-gigacage-typed-arrays.js:
660
661 2019-09-07  Mark Lam  <mark.lam@apple.com>
662
663         Gardening: speculative test fix to green bots [attempt #2].
664         https://bugs.webkit.org/show_bug.cgi?id=201529
665         <rdar://problem/53935772>
666
667         Not reviewed.
668
669         * stress/test-out-of-memory.js:
670
671 2019-09-06  Mark Lam  <mark.lam@apple.com>
672
673         Gardening: speculative test fix to green bots.
674         https://bugs.webkit.org/show_bug.cgi?id=201529
675         <rdar://problem/53935772>
676
677         Not reviewed.
678
679         * stress/test-out-of-memory.js:
680
681 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
682
683         Math.round() produces wrong result for value prior to 0.5
684         https://bugs.webkit.org/show_bug.cgi?id=185115
685
686         Reviewed by Saam Barati.
687
688         * stress/math-round-basics.js:
689         Add positive/negative test cases.
690
691         * test262/expectations.yaml:
692         Mark test passing.
693
694 2019-09-06  Mark Lam  <mark.lam@apple.com>
695
696         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
697         https://bugs.webkit.org/show_bug.cgi?id=201551
698
699         Reviewed by Tadeu Zagallo.
700
701         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
702
703         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
704         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
705
706 2019-09-06  Mark Lam  <mark.lam@apple.com>
707
708         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
709         https://bugs.webkit.org/show_bug.cgi?id=201529
710         <rdar://problem/53935772>
711
712         Reviewed by Yusuke Suzuki.
713
714         * stress/test-out-of-memory.js: Added.
715
716 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
717
718         LazyClassStructure::setConstructor should not store the constructor to the global object
719         https://bugs.webkit.org/show_bug.cgi?id=201484
720         <rdar://problem/50400451>
721
722         Reviewed by Yusuke Suzuki.
723
724         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
725
726 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
727
728         [JSC] Do not use FTLOutput::weakPointer directly
729         https://bugs.webkit.org/show_bug.cgi?id=201495
730
731         Reviewed by Filip Pizlo.
732
733         * stress/create-promise-weak-pointer.js: Added.
734         (foo):
735
736 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
737
738         [JSC] Make Promise implementation faster
739         https://bugs.webkit.org/show_bug.cgi?id=200898
740
741         Reviewed by Saam Barati.
742
743         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
744         (assert.assert.return.throws):
745         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
746         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
747         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
748         (shouldThrow):
749         (new.Promise):
750         (shouldThrow.Promise):
751         * stress/create-promise-should-respect-promise-realm.js: Added.
752         (shouldBe):
753         (other.new.OtherPromise):
754         (DerivedOtherPromise):
755         (i.promise.new.DerivedOtherPromise):
756         (createPromise):
757         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
758         (shouldBe):
759         (DerivedPromise):
760         (i.array.push.new.DerivedPromise):
761         (promise.new.DerivedPromise):
762         * stress/derived-promise-constructor-inlined.js: Added.
763         (shouldBe):
764         (DerivedPromise):
765         (i.array.push.new.DerivedPromise):
766         (DerivedPromise.all.array.then):
767         * stress/derived-promise-prototype-replaced.js: Added.
768         (shouldBe):
769         (DerivedPromise):
770         (i.array.push.new.DerivedPromise):
771         (promise.new.DerivedPromise):
772         * stress/internal-promise-constructor-not-confusing.js: Added.
773         (shouldBe):
774         (InternalPromise.vm.createBuiltin):
775         (DerivedPromise):
776         * stress/internal-promise-is-not-exposed.js: Added.
777         (shouldBe):
778         * stress/new-promise-should-respect-promise-realm.js: Added.
779         (shouldBe):
780         (other.new.OtherPromise):
781         (createPromise):
782         * stress/promise-cannot-be-called.js:
783         (shouldThrow):
784         * stress/promise-capability-fast-path.js: Added.
785         (shouldBe):
786         (i.array.push.new.Promise):
787         (i.array.i.then):
788         * stress/promise-capability-slow-path.js: Added.
789         (shouldBe):
790         (Promise.prototype.then):
791         (i.array.push.new.Promise):
792         (i.array.i.then):
793         * stress/promise-capability-then-slow-path.js: Added.
794         (shouldBe):
795         (DerivedPromise):
796         (DerivedPromise.prototype.then):
797         (i.array.push.new.DerivedPromise):
798         (i.array.i.then):
799         * stress/promise-constructor-inlined.js: Added.
800         (shouldBe):
801         (i.array.push.new.Promise):
802         (Promise.all.array.then):
803         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
804         (shouldBe):
805         (DerivedPromise):
806         (DerivedPromise2):
807         (i.array.push.new.DerivedPromise):
808         (i.array2.push.new.DerivedPromise2):
809         * stress/without-promise-functions.js: Added.
810         (shouldBe):
811         (async):
812
813 2019-09-03  Mark Lam  <mark.lam@apple.com>
814
815         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
816         https://bugs.webkit.org/show_bug.cgi?id=201309
817         <rdar://problem/54832121>
818
819         Reviewed by Yusuke Suzuki.
820
821         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
822
823 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
824
825         [JSC] Generate new.target register only when it is used
826         https://bugs.webkit.org/show_bug.cgi?id=201335
827
828         Reviewed by Mark Lam.
829
830         * stress/ensure-new-register-allocated.js: Added.
831         (shouldBe):
832         (basic):
833         (arrow):
834         (Base):
835         (Derived):
836         (evaluate):
837
838 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
839
840         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
841         https://bugs.webkit.org/show_bug.cgi?id=201331
842
843         Reviewed by Mark Lam.
844
845         * stress/simple-jump-table-copy.js: Added.
846         (let.code):
847         (g2):
848
849 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
850
851         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
852         https://bugs.webkit.org/show_bug.cgi?id=201332
853
854         Reviewed by Mark Lam.
855
856         This test is very flaky, it is hard to reproduce.
857
858         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
859         (code):
860
861 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
862
863         [JSC] Repatch should construct CallCases and CasesValue at the same time
864         https://bugs.webkit.org/show_bug.cgi?id=201325
865
866         Reviewed by Saam Barati.
867
868         * stress/repatch-switch.js: Added.
869         (main.f2.f0):
870         (main.f2.f3):
871         (main.f2.f1):
872         (main.f2):
873         (main):
874
875 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
876
877         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
878         https://bugs.webkit.org/show_bug.cgi?id=198650
879
880         Reviewed by Saam Barati.
881
882         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
883         (main.v0):
884         (main):
885
886 2019-08-28  Mark Lam  <mark.lam@apple.com>
887
888         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
889         https://bugs.webkit.org/show_bug.cgi?id=201281
890         <rdar://problem/54028228>
891
892         Reviewed by Yusuke Suzuki and Saam Barati.
893
894         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
895
896 2019-08-28  Mark Lam  <mark.lam@apple.com>
897
898         Placate exception check validation in DFG's operationHasGenericProperty().
899         https://bugs.webkit.org/show_bug.cgi?id=201245
900         <rdar://problem/54777512>
901
902         Reviewed by Robin Morisset.
903
904         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
905
906 2019-08-27  Mark Lam  <mark.lam@apple.com>
907
908         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
909         https://bugs.webkit.org/show_bug.cgi?id=201196
910         <rdar://problem/54703775>
911
912         Reviewed by Yusuke Suzuki.
913
914         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
915
916 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
917
918         [JSC] Ensure x?.y ?? z is fast
919         https://bugs.webkit.org/show_bug.cgi?id=200875
920
921         Reviewed by Yusuke Suzuki.
922
923         * stress/nullish-coalescing.js:
924
925 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
926
927         Remove MaximalFlushInsertionPhase
928         https://bugs.webkit.org/show_bug.cgi?id=201036
929
930         Reviewed by Saam Barati.
931
932         Remove all the references to maximal flush
933
934         * stress/arith-ceil-on-various-types.js:
935         (checkCompileCountForUselessNegativeZero):
936         * stress/arith-floor-on-various-types.js:
937         (checkCompileCountForUselessNegativeZero):
938         * stress/arith-negate-on-various-types.js:
939         (checkCompileCountForUselessNegativeZero):
940         * stress/arith-round-on-various-types.js:
941         (checkCompileCountForUselessNegativeZero):
942         * stress/arith-trunc-on-various-types.js:
943         (checkCompileCountForUselessNegativeZero):
944         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
945         * stress/has-indexed-property-should-accept-non-int32.js:
946         * stress/has-indexed-property-with-worsening-array-mode.js:
947         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
948         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
949         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
950         * stress/rest-parameter-many-arguments.js:
951         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
952         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
953         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
954
955 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
956
957         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
958         https://bugs.webkit.org/show_bug.cgi?id=200952
959
960         Reviewed by Saam Barati.
961
962         * wasm/references/func_ref.js:
963         (assert.throws):
964
965 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
966
967         Add missing exception check in canonicalizeLocaleList
968         https://bugs.webkit.org/show_bug.cgi?id=201021
969
970         Reviewed by Mark Lam.
971
972         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
973         (catch):
974
975 2019-08-21  Mark Lam  <mark.lam@apple.com>
976
977         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
978         https://bugs.webkit.org/show_bug.cgi?id=201016
979         <rdar://problem/54579911>
980
981         Reviewed by Yusuke Suzuki.
982
983         * wasm/stress/too-many-locals.js: Added.
984         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
985
986 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
987
988         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
989         https://bugs.webkit.org/show_bug.cgi?id=200965
990
991         Reviewed by Saam Barati.
992
993         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
994         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
995
996         * stress/optional-chaining.js:
997
998 2019-08-21  Michael Saboff  <msaboff@apple.com>
999
1000         [JSC] incorrect JIT lead to StackOverflow
1001         https://bugs.webkit.org/show_bug.cgi?id=197823
1002
1003         Reviewed by Tadeu Zagallo.
1004
1005         New test.
1006
1007         * stress/bound-function-stack-overflow.js: Added.
1008         (foo):
1009         (catch):
1010
1011 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1012
1013         Identify memcpy loops in b3
1014         https://bugs.webkit.org/show_bug.cgi?id=200181
1015
1016         Reviewed by Saam Barati.
1017
1018         * microbenchmarks/memcpy-loop.js: Added.
1019         (doTest):
1020         (let.arr1):
1021         * microbenchmarks/memcpy-typed-loop-large.js: Added.
1022         (doTest):
1023         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
1024         (arr2):
1025         * microbenchmarks/memcpy-typed-loop-small.js: Added.
1026         (doTest):
1027         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1028         (16.arr2):
1029         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
1030         (doTest):
1031         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
1032         (arr2):
1033         * microbenchmarks/memcpy-wasm-large.js: Added.
1034         (typeof.WebAssembly.string_appeared_here.eq):
1035         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1036         * microbenchmarks/memcpy-wasm-medium.js: Added.
1037         (typeof.WebAssembly.string_appeared_here.eq):
1038         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1039         * microbenchmarks/memcpy-wasm-small.js: Added.
1040         (typeof.WebAssembly.string_appeared_here.eq):
1041         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1042         * microbenchmarks/memcpy-wasm.js: Added.
1043         (typeof.WebAssembly.string_appeared_here.eq):
1044         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1045         * stress/memcpy-typed-loops.js: Added.
1046         (noLoop):
1047         (invalidStart):
1048         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1049         (arr2):
1050         * wasm/function-tests/memcpy-wasm-loop.js: Added.
1051         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
1052         (string_appeared_here):
1053
1054 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
1055
1056         [JSC] Array.prototype.toString should not get "join" function each time
1057         https://bugs.webkit.org/show_bug.cgi?id=200905
1058
1059         Reviewed by Mark Lam.
1060
1061         * stress/array-prototype-join-change.js: Added.
1062         (shouldBe):
1063         (array2.join):
1064         (DerivedArray):
1065         (DerivedArray.prototype.join):
1066         (array3.__proto__.join):
1067         (Array.prototype.join):
1068
1069 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1070
1071         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1072         https://bugs.webkit.org/show_bug.cgi?id=200782
1073
1074         Reviewed by Saam Barati.
1075
1076         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
1077
1078         * microbenchmarks/memcpy-typed-loop.js:
1079         * stress/int8-repeat-in-then-out-of-bounds.js:
1080
1081 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1082
1083         Proxy constructor should throw if handler is revoked Proxy
1084         https://bugs.webkit.org/show_bug.cgi?id=198755
1085
1086         Reviewed by Saam Barati.
1087
1088         * stress/proxy-revoke.js: Adjust error message.
1089         * test262/expectations.yaml: Mark 2 test cases as passing.
1090
1091 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1092
1093         [JSC] OSR entry to Wasm OMG
1094         https://bugs.webkit.org/show_bug.cgi?id=200362
1095
1096         Reviewed by Michael Saboff.
1097
1098         * wasm/stress/osr-entry-basic.js: Added.
1099         (instance.exports.loop):
1100         * wasm/stress/osr-entry-many-locals-f32.js: Added.
1101         * wasm/stress/osr-entry-many-locals-f64.js: Added.
1102         * wasm/stress/osr-entry-many-locals-i32.js: Added.
1103         * wasm/stress/osr-entry-many-locals-i64.js: Added.
1104         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
1105         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
1106         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
1107         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
1108
1109 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1110
1111         Date.prototype.toJSON throws if toISOString returns an object
1112         https://bugs.webkit.org/show_bug.cgi?id=198495
1113
1114         Reviewed by Ross Kirsling.
1115
1116         * test262/expectations.yaml: Mark 6 test cases as passing.
1117
1118 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1119
1120         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
1121         https://bugs.webkit.org/show_bug.cgi?id=200899
1122         <rdar://problem/54073341>
1123
1124         Reviewed by Mark Lam.
1125
1126         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
1127         (i.new.Promise):
1128         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
1129         (i.new.Promise):
1130
1131 2019-08-19  Michael Saboff  <msaboff@apple.com>
1132
1133         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
1134         https://bugs.webkit.org/show_bug.cgi?id=197090
1135
1136         Reviewed by Yusuke Suzuki.
1137
1138         New test.
1139
1140         * stress/regexp-nonconsuming-counted-parens.js: Added.
1141
1142 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
1143
1144         [JSC] Correct a->an in error messages and API docblocks
1145         https://bugs.webkit.org/show_bug.cgi?id=200833
1146
1147         Reviewed by Don Olmstead.
1148
1149         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1150         (assert.assert.return.throws):
1151         * stress/promise-finally-should-accept-non-promise-objects.js:
1152         * wasm/js-api/table.js:
1153         (assert.throws):
1154
1155 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1156
1157         [ESNext] Implement optional chaining
1158         https://bugs.webkit.org/show_bug.cgi?id=200199
1159
1160         Reviewed by Yusuke Suzuki.
1161
1162         * stress/nullish-coalescing.js:
1163         * stress/optional-chaining.js: Added.
1164         * stress/tail-call-recognize.js:
1165
1166 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1167
1168         [ESNext] Support hashbang.
1169         https://bugs.webkit.org/show_bug.cgi?id=200865
1170
1171         Reviewed by Mark Lam.
1172
1173         * stress/hashbang.js: Added.
1174         * test262/expectations.yaml: Mark 6 cases as passing.
1175
1176 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
1177
1178         [JSC] DFG ToNumber should support Boolean in fixup
1179         https://bugs.webkit.org/show_bug.cgi?id=200864
1180
1181         Reviewed by Mark Lam.
1182
1183         * microbenchmarks/to-number-boolean.js: Added.
1184         (test):
1185         * stress/to-number-boolean-int32.js: Added.
1186         (shouldBe):
1187         (test):
1188         (check):
1189         * stress/to-number-boolean.js: Added.
1190         (shouldBe):
1191         (test):
1192         (check):
1193         * stress/to-number-int32.js: Added.
1194         (shouldBe):
1195         (test):
1196         (check):
1197
1198 2019-08-16  Mark Lam  <mark.lam@apple.com>
1199
1200         More missing exception checks in string comparison operators.
1201         https://bugs.webkit.org/show_bug.cgi?id=200844
1202         <rdar://problem/54378684>
1203
1204         Reviewed by Saam Barati.
1205
1206         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
1207         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
1208         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
1209         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
1210
1211 2019-08-16  Mark Lam  <mark.lam@apple.com>
1212
1213         CodeBlock destructor should clear all of its watchpoints.
1214         https://bugs.webkit.org/show_bug.cgi?id=200792
1215         <rdar://problem/53947800>
1216
1217         Reviewed by Yusuke Suzuki.
1218
1219         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
1220
1221 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
1222
1223         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1224         https://bugs.webkit.org/show_bug.cgi?id=200782
1225
1226         Reviewed by Saam Barati.
1227
1228         * microbenchmarks/int8-out-of-bounds.js: Added.
1229         (foo):
1230         * microbenchmarks/memcpy-typed-loop.js: Added.
1231         (doTest):
1232         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
1233         (arr2):
1234         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
1235         (foo):
1236
1237 2019-08-16  Mark Lam  <mark.lam@apple.com>
1238
1239         [Re-land] ProxyObject should not be allowed to access its target's private properties.
1240         https://bugs.webkit.org/show_bug.cgi?id=200739
1241         <rdar://problem/53972768>
1242
1243         Reviewed by Yusuke Suzuki.
1244
1245         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
1246         * stress/proxy-with-private-symbols.js:
1247
1248 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
1249
1250         [JSC] Promise.prototype.finally should accept non-promise objects
1251         https://bugs.webkit.org/show_bug.cgi?id=200829
1252
1253         Reviewed by Mark Lam.
1254
1255         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
1256         (shouldBe):
1257         (Thenable):
1258         (Thenable.prototype.then):
1259
1260 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
1261
1262         Promise constructor should check argument before [[Construct]]
1263         https://bugs.webkit.org/show_bug.cgi?id=198976
1264
1265         Reviewed by Ross Kirsling.
1266
1267         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
1268         * stress/create-subclass-structure-might-throw.js: Fix test.
1269         * test262/expectations.yaml: Mark 2 test cases as passing.
1270
1271 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
1272
1273         Unreviewed, rolling out r248709.
1274
1275         Caused test/built-ins/Promise/prototype/finally/this-value-
1276         non-promise.js to fail on test262 bot
1277
1278         Reverted changeset:
1279
1280         "ProxyObject should not be allowed to access its target's
1281         private properties."
1282         https://bugs.webkit.org/show_bug.cgi?id=200739
1283         https://trac.webkit.org/changeset/248709
1284
1285 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1286
1287         DateConversion::formatDateTime incorrectly formats negative years
1288         https://bugs.webkit.org/show_bug.cgi?id=199964
1289
1290         Reviewed by Ross Kirsling.
1291
1292         * test262/expectations.yaml: Mark 6 test cases as passing.
1293
1294 2019-08-15  Mark Lam  <mark.lam@apple.com>
1295
1296         More missing exception checks in String.prototype.
1297         https://bugs.webkit.org/show_bug.cgi?id=200762
1298         <rdar://problem/54333896>
1299
1300         Reviewed by Michael Saboff.
1301
1302         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1303         * stress/missing-exception-check-in-string-toLower.js: Added.
1304         * stress/missing-exception-check-in-string-toUpper.js: Added.
1305
1306 2019-08-14  Mark Lam  <mark.lam@apple.com>
1307
1308         ProxyObject should not be allowed to access its target's private properties.
1309         https://bugs.webkit.org/show_bug.cgi?id=200739
1310         <rdar://problem/53972768>
1311
1312         Reviewed by Yusuke Suzuki.
1313
1314         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1315         * stress/proxy-with-private-symbols.js: Rebased.
1316
1317 2019-08-14  Mark Lam  <mark.lam@apple.com>
1318
1319         Missing exception check in string compare.
1320         https://bugs.webkit.org/show_bug.cgi?id=200743
1321         <rdar://problem/53975356>
1322
1323         Reviewed by Michael Saboff.
1324
1325         * stress/missing-exception-check-in-string-compare.js: Added.
1326
1327 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1328
1329         [JSC] Add "jump if (not) undefined or null" bytecode ops
1330         https://bugs.webkit.org/show_bug.cgi?id=200480
1331
1332         Reviewed by Saam Barati.
1333
1334         * stress/destructuring-assignment-require-object-coercible.js:
1335         * stress/nullish-coalescing.js:
1336
1337 2019-08-05  Michael Saboff  <msaboff@apple.com>
1338
1339         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1340         https://bugs.webkit.org/show_bug.cgi?id=199997
1341
1342         Reviewed by Saam Barati.
1343
1344         New test.
1345
1346         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1347         (checkIntArray):
1348         (checkFloatArray):
1349
1350 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1351
1352         [JSC] Support WebAssembly in SamplingProfiler
1353         https://bugs.webkit.org/show_bug.cgi?id=200329
1354
1355         Reviewed by Saam Barati.
1356
1357         * stress/sampling-profiler-wasm-name-section.js: Added.
1358         (const.compile):
1359         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1360         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1361         * stress/sampling-profiler-wasm.js: Added.
1362         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1363         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1364         * stress/sampling-profiler/loop.wasm: Added.
1365         * stress/sampling-profiler/loop.wast: Added.
1366         * stress/sampling-profiler/nameSection.wasm: Added.
1367
1368 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1369
1370         [JSC] LazyJSValue should be robust for empty JSValue
1371         https://bugs.webkit.org/show_bug.cgi?id=200388
1372
1373         Reviewed by Saam Barati.
1374
1375         * stress/switch-constant-child-becomes-empty.js: Added.
1376         (foo):
1377
1378 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1379
1380         GetterSetter type confusion during DFG compilation
1381         https://bugs.webkit.org/show_bug.cgi?id=199903
1382
1383         Reviewed by Mark Lam.
1384
1385         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1386
1387 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1388
1389         Update Test262 (2019.08.01)
1390         https://bugs.webkit.org/show_bug.cgi?id=200351
1391
1392         Reviewed by Keith Miller.
1393
1394         * test262/expectations.yaml:
1395         * test262/harness/testIntl.js:
1396         * test262/latest-changes-summary.txt:
1397         * test262/test/:
1398         * test262/test262-Revision.txt:
1399
1400 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1401
1402         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1403         https://bugs.webkit.org/show_bug.cgi?id=200192
1404
1405         Reviewed by Saam Barati.
1406
1407         * stress/structure-chain-stress.js: Added.
1408         (keys):
1409
1410 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1411
1412         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1413         https://bugs.webkit.org/show_bug.cgi?id=200196
1414
1415         Reviewed by Robin Morisset.
1416
1417         * stress/reparsing-unlinked-codeblock.js:
1418
1419 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1420
1421         [X86] Emit BT instruction for shift + mask in B3
1422         https://bugs.webkit.org/show_bug.cgi?id=199891
1423
1424         Reviewed by Robin Morisset.
1425
1426         Lower the number of iterations to fix debug timeouts.
1427
1428         * microbenchmarks/bit-test-load.js:
1429         (i):
1430
1431 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1432
1433         [X86] Emit BT instruction for shift + mask in B3
1434         https://bugs.webkit.org/show_bug.cgi?id=199891
1435
1436         Reviewed by Keith Miller.
1437
1438         * microbenchmarks/bit-test-constant.js: Added.
1439         (let.glob.0.doTest):
1440         * microbenchmarks/bit-test-load.js: Added.
1441         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1442         (i):
1443         * microbenchmarks/bit-test-nonconstant.js: Added.
1444         (let.glob.0.doTest):
1445
1446 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1447
1448         [JSC] Potential GC fix for JSPropertyNameEnumerator
1449         https://bugs.webkit.org/show_bug.cgi?id=200151
1450
1451         Reviewed by Mark Lam.
1452
1453         * stress/for-in-stress.js: Added.
1454         (keys):
1455
1456 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1457
1458         Legacy numeric literals should not permit separators or BigInt
1459         https://bugs.webkit.org/show_bug.cgi?id=199984
1460
1461         Reviewed by Keith Miller.
1462
1463         * stress/big-int-literals.js:
1464         * stress/numeric-literal-separators.js:
1465
1466 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1467
1468         [ESNext] Implement nullish coalescing
1469         https://bugs.webkit.org/show_bug.cgi?id=200072
1470
1471         Reviewed by Darin Adler.
1472
1473         * stress/nullish-coalescing.js: Added.
1474
1475 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1476
1477         Three checks are missing in Proxy internal methods
1478         https://bugs.webkit.org/show_bug.cgi?id=198630
1479
1480         Reviewed by Darin Adler.
1481
1482         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1483         * test262/expectations.yaml: Mark 6 test cases as passing.
1484
1485 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1486
1487         Sometimes we miss removable CheckInBounds
1488         https://bugs.webkit.org/show_bug.cgi?id=200018
1489
1490         Reviewed by Saam Barati.
1491
1492         * microbenchmarks/typed-array-sum.js: Added.
1493         (doTest):
1494
1495 2019-07-16  Mark Lam  <mark.lam@apple.com>
1496
1497         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1498         https://bugs.webkit.org/show_bug.cgi?id=199821
1499         <rdar://problem/52452328>
1500
1501         Reviewed by Filip Pizlo.
1502
1503         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1504
1505 2019-07-16  Keith Miller  <keith_miller@apple.com>
1506
1507         Unreviewed, test262 gardening.
1508
1509         * test262/expectations.yaml:
1510
1511 2019-07-15  Keith Miller  <keith_miller@apple.com>
1512
1513         A Possible Issue of Object.create method
1514         https://bugs.webkit.org/show_bug.cgi?id=199744
1515
1516         Reviewed by Yusuke Suzuki.
1517
1518         * stress/object-create-non-object-properties-parameter.js: Added.
1519         (catch):
1520
1521 2019-07-15  Keith Miller  <keith_miller@apple.com>
1522
1523         Update test262
1524         https://bugs.webkit.org/show_bug.cgi?id=199801
1525
1526         Rubber-stamped by Yusuke Suzuki.
1527
1528         * test262/expectations.yaml:
1529         * test262/latest-changes-summary.txt:
1530         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1531         (fg.new.FinalizationGroup):
1532         (callback):
1533         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1534         (fg.new.FinalizationGroup):
1535         (callback):
1536         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1537         (fg.new.FinalizationGroup):
1538         (callback):
1539         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1540         (fg.new.FinalizationGroup):
1541         (callback):
1542         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1543         (fg.new.FinalizationGroup):
1544         (callback):
1545         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1546         (fg.new.FinalizationGroup):
1547         (callback):
1548         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1549         (fg.new.FinalizationGroup):
1550         (callback):
1551         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1552         (callback):
1553         (fg.new.FinalizationGroup):
1554         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1555         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1556         (cb):
1557         (fg.new.FinalizationGroup):
1558         (emptyCells):
1559         (async.fn):
1560         (fn.then.async):
1561         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1562         (fg.new.FinalizationGroup):
1563         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1564         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1565         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1566         (newTarget):
1567         (fn):
1568         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1569         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1570         (fn):
1571         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1572         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1573         (newTarget):
1574         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1575         (newTarget):
1576         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1577         (fg.new.FinalizationGroup):
1578         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1579         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1580         (callback):
1581         (fg.new.FinalizationGroup):
1582         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1583         (fg.new.FinalizationGroup):
1584         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1585         (cb):
1586         (fg.new.FinalizationGroup):
1587         (emptyCells):
1588         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1589         (fg.new.FinalizationGroup):
1590         (fg.cleanupSome.cb):
1591         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1592         (callback):
1593         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1594         (fn):
1595         (cb):
1596         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1597         (cb):
1598         (fg.new.FinalizationGroup):
1599         (emptyCells):
1600         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1601         (fg.new.FinalizationGroup):
1602         (callback):
1603         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1604         (fg.new.FinalizationGroup):
1605         (callback):
1606         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1607         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1608         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1609         (poisoned):
1610         (fg.new.FinalizationGroup):
1611         (emptyCells):
1612         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1613         (poisoned):
1614         (emptyCells):
1615         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1616         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1617         (fn):
1618         (cb):
1619         (emptyCells):
1620         (prototype.assert.sameValue.fg.cleanupSome):
1621         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1622         (fn):
1623         (cb):
1624         (poisoned):
1625         (assert.sameValue.fg.cleanupSome):
1626         (prototype.assert.sameValue.fg.cleanupSome):
1627         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1628         (cb):
1629         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1630         (cb):
1631         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1632         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1633         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1634         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1635         (fn):
1636         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1637         (fn):
1638         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1639         (fg.new.FinalizationGroup):
1640         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1641         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1642         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1643         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1644         (fn):
1645         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1646         (fn):
1647         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1648         (fg.new.FinalizationGroup):
1649         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1650         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1651         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1652         (fg.new.FinalizationGroup):
1653         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1654         (fg.new.FinalizationGroup):
1655         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1656         (fg.new.FinalizationGroup):
1657         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1658         (fg.new.FinalizationGroup):
1659         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1660         (fn):
1661         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1662         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1663         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1664         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1665         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1666         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1667         (fn):
1668         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1669         (fg.new.FinalizationGroup):
1670         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1671         (cleanupCallback):
1672         (let.key.of.Object.getOwnPropertyNames):
1673         (set for):
1674         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1675         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1676         (FinalizationGroup):
1677         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1678         (cleanupCallback):
1679         (let.key.of.Object.getOwnPropertyNames):
1680         (set for):
1681         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1682         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1683         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1684         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1685         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1686         (asyncProxy.new.Proxy.async):
1687         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1688         (asyncProxy.new.Proxy.async):
1689         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1690         (setIter.set Symbol):
1691         (set defaultTag):
1692         (gen):
1693         (get return):
1694         (set new):
1695         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1696         (generatorProxy.new.Proxy):
1697         (asyncProxy.new.Proxy.async):
1698         * test262/test/built-ins/Object/subclass-object-arg.js:
1699         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1700         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1701         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1702         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1703         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1704         * test262/test/built-ins/Promise/executor-function-name.js:
1705         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1706         * test262/test/built-ins/Promise/reject-function-name.js:
1707         * test262/test/built-ins/Promise/resolve-function-name.js:
1708         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1709         * test262/test/built-ins/WeakRef/constructor.js: Added.
1710         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1711         * test262/test/built-ins/WeakRef/length.js: Added.
1712         * test262/test/built-ins/WeakRef/name.js: Added.
1713         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1714         (newTarget):
1715         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1716         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1717         * test262/test/built-ins/WeakRef/proto.js: Added.
1718         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1719         (newTarget):
1720         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1721         (newTarget):
1722         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1723         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1724         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1725         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1726         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1727         (emptyCells):
1728         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1729         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1730         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1731         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1732         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1733         (fg.new.FinalizationGroup):
1734         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1735         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1736         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1737         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1738         (let.key.of.Object.getOwnPropertyNames):
1739         (set for):
1740         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1741         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1742         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1743         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1744         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1745         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1746         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1747         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1748         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1749         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1750         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1751         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1752         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1753         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1754         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1755         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1756         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1757         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1758         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1759         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1760         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1761         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1762         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1763         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1764         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1765         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1766         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1767         (assertParts):
1768         (assertPartsNumeric):
1769         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1770         (assertParts):
1771         (assertPartsNumeric):
1772         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1773         (assertParts):
1774         (assertPartsNumeric):
1775         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1776         (assertParts):
1777         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1778         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1779         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1780         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1781         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1782         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1783         (C.prototype.method):
1784         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1785         (C.prototype.method.innerFunction):
1786         (C.prototype.method):
1787         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1788         (C):
1789         (C.method):
1790         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1791         (C):
1792         (C.method.innerFunction):
1793         (C.method):
1794         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1795         (C):
1796         (C.checkPrivateGetter):
1797         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1798         (C):
1799         (C.method):
1800         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1801         (C):
1802         (C.method.innerFunction):
1803         (C.method):
1804         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1805         (C):
1806         (C.checkPrivateMethod):
1807         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1808         (C):
1809         (C.method):
1810         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1811         (C):
1812         (C.method.innerFunction):
1813         (C.method):
1814         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1815         (C):
1816         (C.checkPrivateSetter):
1817         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1818         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1819         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1820         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1821         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1822         (let.classStringExpression):
1823         (let.classStringExpression.access):
1824         (let.createAndInstantiateClass):
1825         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1826         (let.classStringExpression):
1827         (let.classStringExpression.access):
1828         (let.createAndInstantiateClass):
1829         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1830         (const.C):
1831         (let.createAndInstantiateClass):
1832         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1833         (let.classStringExpression.return.prototype.m):
1834         (let.classStringExpression.return.prototype.access):
1835         (let.createAndInstantiateClass):
1836         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1837         (let.classStringExpression.return.prototype.m):
1838         (let.classStringExpression.return.prototype.access):
1839         (let.createAndInstantiateClass):
1840         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1841         (let.classStringExpression):
1842         (let.classStringExpression.access):
1843         (let.createAndInstantiateClass):
1844         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1845         (let.classStringExpression.prototype.m):
1846         (let.classStringExpression.prototype.access):
1847         (let.classStringExpression):
1848         (let.createAndInstantiateClass):
1849         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1850         (let.classStringExpression.prototype.m):
1851         (let.classStringExpression.prototype.access):
1852         (let.classStringExpression):
1853         (let.createAndInstantiateClass):
1854         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1855         (const.C):
1856         (let.createAndInstantiateClass):
1857         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1858         (let.classStringExpression.return.C.prototype.m):
1859         (let.classStringExpression.return.C.prototype.access):
1860         (let.classStringExpression.return.C):
1861         (let.createAndInstantiateClass):
1862         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1863         (let.classStringExpression.return.C.prototype.m):
1864         (let.classStringExpression.return.C.prototype.access):
1865         (let.classStringExpression.return.C):
1866         (let.createAndInstantiateClass):
1867         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1868         (let.classStringExpression):
1869         (let.classStringExpression.access):
1870         (let.createAndInstantiateClass):
1871         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1872         (let.classStringExpression):
1873         (let.classStringExpression.access):
1874         (let.createAndInstantiateClass):
1875         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1876         (let.classStringExpression):
1877         (let.classStringExpression.access):
1878         (let.createAndInstantiateClass):
1879         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1880         (const.C):
1881         (let.createAndInstantiateClass):
1882         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1883         (let.classStringExpression.return.prototype.m):
1884         (let.classStringExpression.return.prototype.access):
1885         (let.createAndInstantiateClass):
1886         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1887         (let.classStringExpression.return.prototype.m):
1888         (let.classStringExpression.return.prototype.access):
1889         (let.createAndInstantiateClass):
1890         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1891         (let.classStringExpression):
1892         (let.classStringExpression.access):
1893         (let.createAndInstantiateClass):
1894         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1895         (new):
1896         (async):
1897         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1898         (A):
1899         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1900         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1901         * test262/test/language/identifiers/vals-cjk.js: Added.
1902         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1903         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1904         (C.prototype.method):
1905         (C):
1906         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1907         (C.prototype.method.innerFunction):
1908         (C.prototype.method):
1909         (C):
1910         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1911         (C.prototype.checkPrivateField):
1912         (C):
1913         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1914         (C):
1915         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1916         (C.prototype.getWithEval):
1917         (C):
1918         (D):
1919         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1920         (C.prototype.get m):
1921         (C.prototype.method):
1922         (C):
1923         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1924         (C.prototype.get m):
1925         (C.prototype.method.innerFunction):
1926         (C.prototype.method):
1927         (C):
1928         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1929         (let.createAndInstantiateClass):
1930         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1931         (C.prototype.get m):
1932         (C.prototype.checkPrivateGetter):
1933         (C):
1934         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1935         (C.prototype.get m):
1936         (C.prototype.checkPrivateGetter):
1937         (C):
1938         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1939         (C.prototype.get m):
1940         (C):
1941         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1942         (C.prototype.get m):
1943         (C.prototype.getWithEval):
1944         (C):
1945         (D.prototype.get m):
1946         (D):
1947         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1948         (C.prototype.m):
1949         (C.prototype.method):
1950         (C):
1951         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1952         (C.prototype.m):
1953         (C.prototype.method.innerFunction):
1954         (C.prototype.method):
1955         (C):
1956         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1957         (C.prototype.m):
1958         (C.prototype.checkPrivateMethod):
1959         (C):
1960         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1961         (C.prototype.m):
1962         (C.prototype.checkPrivateMethod):
1963         (C):
1964         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1965         (C.prototype.m):
1966         (C):
1967         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1968         (C.prototype.m):
1969         (C.prototype.getWithEval):
1970         (C):
1971         (D.prototype.m):
1972         (D):
1973         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1974         (C.prototype.set m):
1975         (C.prototype.method):
1976         (C):
1977         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1978         (C.prototype.set m):
1979         (C.prototype.method.innerFunction):
1980         (C.prototype.method):
1981         (C):
1982         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1983         (C.prototype.set m):
1984         (C.prototype.checkPrivateSetter):
1985         (C):
1986         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1987         (C.prototype.set m):
1988         (C.prototype.checkPrivateSetter):
1989         (C):
1990         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1991         (C.prototype.set m):
1992         (C):
1993         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1994         (C.prototype.set m):
1995         (C.prototype.setWithEval):
1996         (C):
1997         (D.prototype.set m):
1998         (D):
1999         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2000         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2001         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2002         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
2003         (A.prototype.method):
2004         (A):
2005         (C.prototype.get m):
2006         (C.prototype.access):
2007         (C):
2008         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
2009         (A.prototype.method):
2010         (A):
2011         (C.prototype.m):
2012         (C.prototype.access):
2013         (C):
2014         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
2015         (A.prototype.method):
2016         (A):
2017         (C.prototype.set m):
2018         (C.prototype.access):
2019         (C):
2020         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
2021         (A):
2022         * test262/test/language/statements/function/13.2-30-s.js:
2023         * test262/test262-Revision.txt:
2024
2025 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2026
2027         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2028         https://bugs.webkit.org/show_bug.cgi?id=199783
2029
2030         Reviewed by Mark Lam.
2031
2032         Fix our spec tests.
2033
2034         * wasm/js-api/Module-compile.js:
2035         * wasm/js-api/test_basic_api.js:
2036         (const.c.in.constructorProperties.switch):
2037         * wasm/js-api/validate.js:
2038         * wasm/js-api/web-assembly-instantiate.js:
2039         * wasm/spec-tests/jsapi.js:
2040         (testJSAPI.get test):
2041         (testJSAPI.set test):
2042
2043 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2044
2045         Unreviewed, rolling out r247440.
2046
2047         Broke builds
2048
2049         Reverted changeset:
2050
2051         "[JSC] Improve wasm wpt test results by fixing miscellaneous
2052         issues"
2053         https://bugs.webkit.org/show_bug.cgi?id=199783
2054         https://trac.webkit.org/changeset/247440
2055
2056 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2057
2058         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2059         https://bugs.webkit.org/show_bug.cgi?id=199783
2060
2061         Reviewed by Mark Lam.
2062
2063         Fix our spec tests.
2064
2065         * wasm/js-api/Module-compile.js:
2066         * wasm/js-api/test_basic_api.js:
2067         (const.c.in.constructorProperties.switch):
2068         * wasm/js-api/validate.js:
2069         * wasm/js-api/web-assembly-instantiate.js:
2070         * wasm/spec-tests/jsapi.js:
2071         (testJSAPI.get test):
2072         (testJSAPI.set test):
2073
2074 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
2075
2076         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
2077         https://bugs.webkit.org/show_bug.cgi?id=196371
2078
2079         Reviewed by Keith Miller.
2080
2081         * microbenchmarks/mul-immediate-sub.js: Added.
2082         (doTest):
2083
2084 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
2085
2086         [BigInt] Add ValueBitLShift into DFG
2087         https://bugs.webkit.org/show_bug.cgi?id=192664
2088
2089         Reviewed by Saam Barati.
2090
2091         We are adding tests to cover ValueBitwise operations AI changes.
2092
2093         * stress/big-int-left-shift-untyped.js: Added.
2094         * stress/bit-op-with-object-returning-int32.js:
2095         * stress/value-bit-and-ai-rule.js: Added.
2096         * stress/value-bit-lshift-ai-rule.js: Added.
2097         * stress/value-bit-or-ai-rule.js: Added.
2098         * stress/value-bit-xor-ai-rule.js: Added.
2099
2100 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2101
2102         Add b3 macro lowering for CheckMul on arm64
2103         https://bugs.webkit.org/show_bug.cgi?id=199251
2104
2105         Reviewed by Robin Morisset.
2106
2107         * microbenchmarks/check-mul-constant.js: Added.
2108         (doTest):
2109         * microbenchmarks/check-mul-no-constant.js: Added.
2110         (doTest):
2111         * microbenchmarks/check-mul-power-of-two.js: Added.
2112         (doTest):
2113
2114 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2115
2116         Optimize join of large empty arrays
2117         https://bugs.webkit.org/show_bug.cgi?id=199636
2118
2119         Reviewed by Mark Lam.
2120
2121         * microbenchmarks/large-empty-array-join.js: Added.
2122         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2123
2124 2019-07-06  Michael Saboff  <msaboff@apple.com>
2125
2126         switch(String) needs to check for exceptions when resolving the string
2127         https://bugs.webkit.org/show_bug.cgi?id=199541
2128
2129         Reviewed by Mark Lam.
2130
2131         New tests.
2132
2133         * stress/switch-string-oom.js: Added.
2134         (test):
2135         (testLowerTiers):
2136         (testFTL):
2137
2138 2019-07-05  Mark Lam  <mark.lam@apple.com>
2139
2140         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex past zero.
2141         https://bugs.webkit.org/show_bug.cgi?id=199533
2142         <rdar://problem/52669111>
2143
2144         Reviewed by Filip Pizlo.
2145
2146         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2147
2148 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2149
2150         [JSC] Clean up ArraySpeciesCreate
2151         https://bugs.webkit.org/show_bug.cgi?id=182434
2152
2153         Reviewed by Yusuke Suzuki.
2154
2155         Adjusts error message expectations in stress tests.
2156
2157         * stress/array-flatmap.js:
2158         * stress/array-flatten.js:
2159         * stress/array-species-create-should-handle-masquerader.js:
2160         * test262/expectations.yaml: Mark 4 test cases as passing.
2161
2162 2019-07-02  Michael Saboff  <msaboff@apple.com>
2163
2164         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
2165         https://bugs.webkit.org/show_bug.cgi?id=199395
2166
2167         Reviewed by Filip Pizlo.
2168
2169         New regression test.
2170
2171         * stress/for-of-tdz-with-try-catch.js: Added.
2172         (test):
2173         (i.catch):
2174
2175 2019-07-02  Keith Miller  <keith_miller@apple.com>
2176
2177         Frozen Arrays length assignment should throw in strict mode
2178         https://bugs.webkit.org/show_bug.cgi?id=199365
2179
2180         Reviewed by Yusuke Suzuki.
2181
2182         * stress/frozen-array-length-should-throw-strict.js: Added.
2183         (test):
2184
2185 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2186
2187         [Wasm-References] Disable references by default
2188         https://bugs.webkit.org/show_bug.cgi?id=199390
2189
2190         Reviewed by Saam Barati.
2191
2192         * wasm/references-spec-tests/ref_is_null.js:
2193         * wasm/references-spec-tests/ref_null.js:
2194         * wasm/references/anyref_globals.js:
2195         * wasm/references/anyref_modules.js:
2196         * wasm/references/anyref_table.js:
2197         * wasm/references/anyref_table_import.js:
2198         * wasm/references/element_parsing.js:
2199         * wasm/references/func_ref.js:
2200         * wasm/references/is_null.js:
2201         * wasm/references/multitable.js:
2202         * wasm/references/table_misc.js:
2203         * wasm/references/validation.js:
2204
2205 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2206
2207         Unreviewed, rolling out r246946.
2208
2209         Caused JSC test crashes on arm64
2210
2211         Reverted changeset:
2212
2213         "Add b3 macro lowering for CheckMul on arm64"
2214         https://bugs.webkit.org/show_bug.cgi?id=199251
2215         https://trac.webkit.org/changeset/246946
2216
2217 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2218
2219         Add b3 macro lowering for CheckMul on arm64
2220         https://bugs.webkit.org/show_bug.cgi?id=199251
2221
2222         Reviewed by Robin Morisset.
2223
2224         * microbenchmarks/check-mul-constant.js: Added.
2225         (doTest):
2226         * microbenchmarks/check-mul-no-constant.js: Added.
2227         (doTest):
2228         * microbenchmarks/check-mul-power-of-two.js: Added.
2229         (doTest):
2230
2231 2019-06-26  Keith Miller  <keith_miller@apple.com>
2232
2233         speciesConstruct needs to throw if the result is a DataView
2234         https://bugs.webkit.org/show_bug.cgi?id=199231
2235
2236         Reviewed by Mark Lam.
2237
2238         * stress/typedarray-filter.js:
2239         (subclasses.forEach):
2240         * stress/typedarray-map.js:
2241         (subclasses.forEach):
2242         * stress/typedarray-slice.js:
2243         (typedArrays.forEach):
2244         * stress/typedarray-subarray.js:
2245         (subclasses.forEach):
2246
2247 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2248
2249         Unreviewed, rolling out r246714.
2250         https://bugs.webkit.org/show_bug.cgi?id=199179
2251
2252         revert to do patch in a different way. (Requested by keith_mi_
2253         on #webkit).
2254
2255         Reverted changeset:
2256
2257         "All prototypes should call didBecomePrototype()"
2258         https://bugs.webkit.org/show_bug.cgi?id=196315
2259         https://trac.webkit.org/changeset/246714
2260
2261 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2262
2263         Add Array.prototype.{flat,flatMap} to unscopables
2264         https://bugs.webkit.org/show_bug.cgi?id=194322
2265
2266         Reviewed by Keith Miller.
2267
2268         * stress/unscopables.js: Fix test.
2269         * test262/expectations.yaml: Mark 2 test cases as passing.
2270
2271 2019-06-21  Mark Lam  <mark.lam@apple.com>
2272
2273         ArraySlice needs to keep the source array alive.
2274         https://bugs.webkit.org/show_bug.cgi?id=197374
2275         <rdar://problem/50304429>
2276
2277         Reviewed by Michael Saboff and Filip Pizlo.
2278
2279         * stress/array-slice-must-keep-source-array-alive.js: Added.
2280
2281 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2282
2283         All prototypes should call didBecomePrototype()
2284         https://bugs.webkit.org/show_bug.cgi?id=196315
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/function-prototype-indexed-accessor.js: Added.
2289
2290 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2291
2292         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2293         https://bugs.webkit.org/show_bug.cgi?id=197631
2294
2295         Reviewed by Saam Barati.
2296
2297         * stress/has-own-property-arguments.js: Added.
2298         (shouldBe):
2299         (A):
2300
2301 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2302
2303         [JSC] ClassExpr should not store result in the middle of evaluation
2304         https://bugs.webkit.org/show_bug.cgi?id=199106
2305
2306         Reviewed by Tadeu Zagallo.
2307
2308         * stress/class-expression-should-store-result-at-last.js: Added.
2309         (shouldThrow):
2310         (shouldThrow.let.a):
2311
2312 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2313
2314         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2315         https://bugs.webkit.org/show_bug.cgi?id=199044
2316
2317         Reviewed by Saam Barati.
2318
2319         Add wasm references spec tests as well as a worker test.
2320
2321         * wasm.yaml:
2322         * wasm/Builder_WebAssemblyBinary.js:
2323         (const.emitters.Element):
2324         * wasm/js-api/element.js:
2325         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2326         * wasm/references-spec-tests/ref_is_null.js: Added.
2327         (hostref):
2328         (is_hostref):
2329         (is_funcref):
2330         (eq_ref):
2331         (let.handler.get target):
2332         (register):
2333         (module):
2334         (instance):
2335         (call):
2336         (get instance):
2337         (exports):
2338         (run):
2339         (assert_malformed):
2340         (assert_invalid):
2341         (assert_unlinkable):
2342         (assert_uninstantiable):
2343         (assert_trap):
2344         (try.f):
2345         (catch):
2346         (assert_exhaustion):
2347         (assert_return):
2348         (assert_return_canonical_nan):
2349         (assert_return_arithmetic_nan):
2350         (assert_return_ref):
2351         (assert_return_func):
2352         * wasm/references-spec-tests/ref_null.js: Added.
2353         (hostref):
2354         (is_hostref):
2355         (is_funcref):
2356         (eq_ref):
2357         (let.handler.get target):
2358         (register):
2359         (module):
2360         (instance):
2361         (call):
2362         (get instance):
2363         (exports):
2364         (run):
2365         (assert_malformed):
2366         (assert_invalid):
2367         (assert_unlinkable):
2368         (assert_uninstantiable):
2369         (assert_trap):
2370         (try.f):
2371         (catch):
2372         (assert_exhaustion):
2373         (assert_return):
2374         (assert_return_canonical_nan):
2375         (assert_return_arithmetic_nan):
2376         (assert_return_ref):
2377         (assert_return_func):
2378         * wasm/references/element_parsing.js: Added.
2379         (module):
2380         * wasm/references/func_ref.js:
2381         * wasm/references/multitable.js:
2382         * wasm/references/table_misc.js:
2383         (TableSize.0.End.End.WebAssembly):
2384         * wasm/references/validation.js:
2385         (assert.throws):
2386
2387 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2388
2389         Optimize `resolve` method lookup in Promise static methods
2390         https://bugs.webkit.org/show_bug.cgi?id=198864
2391
2392         Reviewed by Yusuke Suzuki.
2393
2394         * test262/expectations.yaml: Mark 18 test cases as passing.
2395
2396 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2397
2398         [WASM-References] Rename anyfunc to funcref
2399         https://bugs.webkit.org/show_bug.cgi?id=198983
2400
2401         Reviewed by Yusuke Suzuki.
2402
2403         * wasm/function-tests/basic-element.js:
2404         * wasm/function-tests/context-switch.js:
2405         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2406         (makeInstance):
2407         (assert.eq.makeInstance):
2408         * wasm/function-tests/exceptions.js:
2409         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2410         * wasm/function-tests/grow-memory-2.js:
2411         (assert.eq.instance.exports.foo):
2412         * wasm/function-tests/nameSection.js:
2413         (const.compile):
2414         * wasm/function-tests/stack-overflow.js:
2415         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2416         (assertOverflows.makeInstance):
2417         * wasm/function-tests/table-basic-2.js:
2418         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2419         * wasm/function-tests/table-basic.js:
2420         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2421         * wasm/function-tests/trap-from-start-async.js:
2422         * wasm/function-tests/trap-from-start.js:
2423         * wasm/js-api/Module.exports.js:
2424         (assert.truthy):
2425         * wasm/js-api/Module.imports.js:
2426         (assert.truthy):
2427         * wasm/js-api/call-indirect.js:
2428         (const.oneTable):
2429         (const.multiTable):
2430         (multiTable.const.makeTable):
2431         (multiTable):
2432         (multiTable.Polyphic2Import):
2433         (multiTable.VirtualImport):
2434         * wasm/js-api/element-data.js:
2435         * wasm/js-api/element.js:
2436         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2437         (assert.throws):
2438         (badInstantiation.makeModule):
2439         (badInstantiation.test):
2440         (badInstantiation):
2441         * wasm/js-api/extension-MemoryMode.js:
2442         * wasm/js-api/table.js:
2443         (new.WebAssembly.Module):
2444         (assert.throws):
2445         (assertBadTableImport):
2446         (assert.throws.WebAssembly.Table.prototype.grow):
2447         (new.WebAssembly.Table):
2448         (assertBadTable):
2449         (assert.truthy):
2450         * wasm/js-api/test_basic_api.js:
2451         (const.c.in.constructorProperties.switch):
2452         * wasm/js-api/unique-signature.js:
2453         (CallIndirectWithDuplicateSignatures):
2454         * wasm/js-api/wrapper-function.js:
2455         * wasm/modules/table.wat:
2456         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2457         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2458         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2459         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2460         * wasm/references/anyref_table.js:
2461         * wasm/references/anyref_table_import.js:
2462         (doSet):
2463         (assert.throws):
2464         * wasm/references/func_ref.js:
2465         (makeFuncrefIdent):
2466         (assert.eq.instance.exports.fix):
2467         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2468         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2469         (let.importedFun.of):
2470         (makeAnyfuncIdent): Deleted.
2471         (makeAnyfuncIdent.fun): Deleted.
2472         * wasm/references/multitable.js:
2473         (assert.eq):
2474         (assert.throws):
2475         * wasm/references/table_misc.js:
2476         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2477         * wasm/references/validation.js:
2478         (assert.throws.new.WebAssembly.Module.bin):
2479         (assert.throws):
2480         * wasm/spec-harness/index.js:
2481         * wasm/spec-harness/wasm-constants.js:
2482         * wasm/spec-harness/wasm-module-builder.js:
2483         (WasmModuleBuilder.prototype.toArray):
2484         * wasm/spec-harness/wast.js:
2485         (elem_type):
2486         (string_of_elem_type):
2487         (string_of_table_type):
2488         * wasm/spec-tests/jsapi.js:
2489         * wasm/stress/wasm-table-grow-initialize.js:
2490         * wasm/wasm.json:
2491
2492 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2493
2494         [WASM-References] Add support for Table.size, grow and fill instructions
2495         https://bugs.webkit.org/show_bug.cgi?id=198761
2496
2497         Reviewed by Yusuke Suzuki.
2498
2499         * wasm/Builder_WebAssemblyBinary.js:
2500         (const.putOp):
2501         * wasm/references/table_misc.js: Added.
2502         (TableSize.End.End.WebAssembly):
2503         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2504         * wasm/wasm.json:
2505
2506 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2507
2508         [WASM-References] Add support for multiple tables
2509         https://bugs.webkit.org/show_bug.cgi?id=198760
2510
2511         Reviewed by Saam Barati.
2512
2513         * wasm/Builder.js:
2514         * wasm/js-api/call-indirect.js:
2515         (const.oneTable):
2516         (const.multiTable):
2517         (multiTable):
2518         (multiTable.Polyphic2Import):
2519         (multiTable.VirtualImport):
2520         (const.wasmModuleWhichImportJS): Deleted.
2521         (const.makeTable): Deleted.
2522         (): Deleted.
2523         (Polyphic2Import): Deleted.
2524         (VirtualImport): Deleted.
2525         * wasm/js-api/table.js:
2526         (new.WebAssembly.Module):
2527         (assert.throws):
2528         (assertBadTableImport):
2529         (assert.truthy):
2530         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2531         * wasm/references/anyref_table.js:
2532         * wasm/references/anyref_table_import.js:
2533         (makeImport):
2534         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2535         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2536         * wasm/references/multitable.js: Added.
2537         (assert.throws.1.exports.set_tbl0):
2538         (assert.throws):
2539         (assert.eq):
2540         * wasm/references/validation.js:
2541         (assert.throws.new.WebAssembly.Module.bin):
2542         (assert.throws):
2543         * wasm/spec-tests/imports.wast.js:
2544         * wasm/wasm.json:
2545
2546         * wasm/Builder.js:
2547         * wasm/js-api/call-indirect.js:
2548         (const.oneTable):
2549         (const.multiTable):
2550         (multiTable):
2551         (multiTable.Polyphic2Import):
2552         (multiTable.VirtualImport):
2553         (const.wasmModuleWhichImportJS): Deleted.
2554         (const.makeTable): Deleted.
2555         (): Deleted.
2556         (Polyphic2Import): Deleted.
2557         (VirtualImport): Deleted.
2558         * wasm/js-api/table.js:
2559         (new.WebAssembly.Module):
2560         (assert.throws):
2561         (assertBadTableImport):
2562         (assert.truthy):
2563         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2564         * wasm/references/anyref_table.js:
2565         * wasm/references/anyref_table_import.js:
2566         (makeImport):
2567         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2568         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2569         * wasm/references/func_ref.js:
2570         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2571         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2572         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2573         * wasm/references/multitable.js: Added.
2574         (assert.throws.1.exports.set_tbl0):
2575         (assert.throws):
2576         (assert.eq):
2577         (string_appeared_here.tableInsanity):
2578         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2579         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2580         * wasm/references/validation.js:
2581         (assert.throws.new.WebAssembly.Module.bin):
2582         (assert.throws):
2583         * wasm/spec-tests/imports.wast.js:
2584         * wasm/wasm.json:
2585
2586 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2587
2588         [ESNext] String.prototype.matchAll
2589         https://bugs.webkit.org/show_bug.cgi?id=186694
2590
2591         Reviewed by Yusuke Suzuki.
2592
2593         Implement String.prototype.matchAll.
2594         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2595
2596         * test262/config.yaml:
2597
2598 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2599
2600         DFG code should not reify the names of builtin functions with private names
2601         https://bugs.webkit.org/show_bug.cgi?id=198849
2602         <rdar://problem/51733890>
2603
2604         Reviewed by Filip Pizlo.
2605
2606         * stress/builtin-private-function-name.js: Added.
2607         (then):
2608         (PromiseLike):
2609
2610 2019-06-18  Keith Miller  <keith_miller@apple.com>
2611
2612         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2613         https://bugs.webkit.org/show_bug.cgi?id=198969
2614         <rdar://problem/51620714>
2615
2616         Reviewed by Tadeu Zagallo.
2617
2618         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2619         (catch):
2620
2621 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2622
2623         Validate that table element type is funcref if using an element section
2624         https://bugs.webkit.org/show_bug.cgi?id=198910
2625
2626         Reviewed by Yusuke Suzuki.
2627
2628         * wasm/references/anyref_table.js:
2629
2630 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2631
2632         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2633         https://bugs.webkit.org/show_bug.cgi?id=197378
2634
2635         Reviewed by Saam Barati.
2636
2637         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2638         (foo):
2639         (bar):
2640         * stress/disposable-call-site-index.js: Added.
2641         (foo):
2642         (bar):
2643
2644 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2645
2646         [WASM-References] Add support for Funcref in parameters and return types
2647         https://bugs.webkit.org/show_bug.cgi?id=198157
2648
2649         Reviewed by Yusuke Suzuki.
2650
2651         * wasm/Builder.js:
2652         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2653         * wasm/references/anyref_globals.js:
2654         * wasm/references/func_ref.js: Added.
2655         (fullGC.gc.makeExportedFunction):
2656         (makeExportedIdent):
2657         (makeAnyfuncIdent):
2658         (fun):
2659         (assert.eq.instance.exports.fix.fun):
2660         (assert.eq.instance.exports.fix):
2661         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2662         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2663         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2664         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2665         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2666         (assert.throws):
2667         (assert.throws.doTest):
2668         (let.importedFun.of):
2669         (makeAnyfuncIdent.fun):
2670         * wasm/references/validation.js:
2671         (assert.throws):
2672         * wasm/wasm.json:
2673
2674 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2675
2676         Update test262 tests (2019.06.13)
2677         https://bugs.webkit.org/show_bug.cgi?id=198821
2678
2679         Reviewed by Konstantin Tokarev.
2680
2681         * test262/expectations.yaml:
2682         * test262/harness/:
2683         * test262/latest-changes-summary.txt:
2684         * test262/test/:
2685         * test262/test262-Revision.txt:
2686
2687 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2688
2689         [JSC] Grown region of WasmTable should be initialized with null
2690         https://bugs.webkit.org/show_bug.cgi?id=198903
2691
2692         Reviewed by Saam Barati.
2693
2694         * wasm/stress/wasm-table-grow-initialize.js: Added.
2695         (shouldBe):
2696
2697 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2698
2699         Yarr bytecode compilation failure should be gracefully handled
2700         https://bugs.webkit.org/show_bug.cgi?id=198700
2701
2702         Reviewed by Michael Saboff.
2703
2704         * stress/regexp-bytecode-compilation-fail.js: Added.
2705         (shouldThrow):
2706
2707 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2708
2709         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2710         https://bugs.webkit.org/show_bug.cgi?id=198770
2711
2712         Reviewed by Saam Barati.
2713
2714         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2715         (test):
2716
2717 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2718
2719         JSC should throw if proxy set returns falsish in strict mode context
2720         https://bugs.webkit.org/show_bug.cgi?id=177398
2721
2722         Reviewed by Yusuke Suzuki.
2723
2724         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2725         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2726
2727         * stress/proxy-set.js: Add 2 test cases.
2728         * stress/regexp-match-proxy.js: Fix test.
2729         * stress/regexp-replace-proxy.js: Fix test.
2730
2731 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2732
2733         Error message for non-callable Proxy `construct` trap is misleading
2734         https://bugs.webkit.org/show_bug.cgi?id=198637
2735
2736         Reviewed by Saam Barati.
2737
2738         * stress/proxy-construct.js:
2739
2740 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2741
2742         AI BitURShift's result should not be unsigned
2743         https://bugs.webkit.org/show_bug.cgi?id=198689
2744         <rdar://problem/51550063>
2745
2746         Reviewed by Saam Barati.
2747
2748         * stress/urshift-int32-overflow.js: Added.
2749         (foo.):
2750         (foo):
2751
2752 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2753
2754         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2755
2756         Unreviewed gardening.
2757
2758         * stress/ftl-gettypedarrayoffset-wasteful.js:
2759         Skipped on arm/linux as it always times out on the bot since a change
2760         between r246270 and r246278 inclusive.
2761
2762 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2763
2764         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2765         https://bugs.webkit.org/show_bug.cgi?id=198023
2766
2767         Reviewed by Saam Barati.
2768
2769         * stress/reparsing-unlinked-codeblock.js: Added.
2770         (shouldBe):
2771         (hello):
2772
2773 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2774
2775         [JSC] Use mergePrediction in ValuePow prediction propagation
2776         https://bugs.webkit.org/show_bug.cgi?id=198648
2777
2778         Reviewed by Saam Barati.
2779
2780         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2781
2782 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2783
2784         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2785         https://bugs.webkit.org/show_bug.cgi?id=198581
2786         <rdar://problem/51099753>
2787
2788         Reviewed by Saam Barati.
2789
2790         * stress/global-object-proto-getter.js: Added.
2791         (f):
2792         (test):
2793
2794 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2795
2796         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2797         https://bugs.webkit.org/show_bug.cgi?id=198398
2798
2799         Reviewed by Saam Barati.
2800
2801         * wasm/references/anyref_table.js: Added.
2802         (string_appeared_here.doGCSet):
2803         (doGCTest):
2804         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2805         * wasm/references/anyref_table_import.js: Added.
2806         (makeImport):
2807         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2808         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2809         * wasm/references/is_null_error.js: Removed.
2810         * wasm/references/validation.js: Added.
2811         (assert.throws.new.WebAssembly.Module.bin):
2812         (assert.throws):
2813         * wasm/wasm.json:
2814
2815 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2816
2817         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2818         https://bugs.webkit.org/show_bug.cgi?id=198106
2819
2820         Reviewed by Saam Barati.
2821
2822         * wasm/regress/selectf64.js: Added.
2823         * wasm/regress/selectf64.wasm: Added.
2824         * wasm/regress/selectf64.wat: Added.
2825
2826 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2827
2828         Argument elimination should check transitive dependents for interference
2829         https://bugs.webkit.org/show_bug.cgi?id=198520
2830         <rdar://problem/50863343>
2831
2832         Reviewed by Filip Pizlo.
2833
2834         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2835         (f2):
2836         (f3):
2837
2838 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2839
2840         Argument elimination should check for negative indices in GetByVal
2841         https://bugs.webkit.org/show_bug.cgi?id=198302
2842         <rdar://problem/51188095>
2843
2844         Reviewed by Filip Pizlo.
2845
2846         * stress/eliminate-arguments-negative-rest-access.js: Added.
2847         (inlinee):
2848         (opt):
2849
2850 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2851
2852         [ESNext][BigInt] Implement support for "**"
2853         https://bugs.webkit.org/show_bug.cgi?id=190799
2854
2855         Reviewed by Saam Barati.
2856
2857         * stress/big-int-exp-basic.js: Added.
2858         * stress/big-int-exp-jit-osr.js: Added.
2859         * stress/big-int-exp-jit-untyped.js: Added.
2860         * stress/big-int-exp-jit.js: Added.
2861         * stress/big-int-exp-negative-exponent.js: Added.
2862         * stress/big-int-exp-to-primitive.js: Added.
2863         * stress/big-int-exp-type-error.js: Added.
2864         * stress/big-int-exp-wrapped-value.js: Added.
2865         * stress/value-pow-ai-rule.js: Added.
2866
2867 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2868
2869         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2870         https://bugs.webkit.org/show_bug.cgi?id=197979
2871
2872         Reviewed by Filip Pizlo.
2873
2874         * stress/16bit-code.js: Added.
2875         (shouldBe):
2876         * stress/32bit-code.js: Added.
2877         (shouldBe):
2878
2879 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2880
2881         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2882         https://bugs.webkit.org/show_bug.cgi?id=198355
2883
2884         Reviewed by Saam Barati.
2885
2886         * wasm/references/is_null.js:
2887
2888 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2889
2890         [PlayStation] Skip additional tests on PlayStation
2891         https://bugs.webkit.org/show_bug.cgi?id=198352
2892
2893         Reviewed by Don Olmstead.
2894
2895         Skip pow test on PlayStation due to behavior difference in standard library.
2896         Skip incremental marking test due to OOM on PlayStation systems.
2897
2898         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2899         * stress/math-pow-with-constants.js:
2900         * stress/pow-with-constants.js:
2901
2902 2019-05-28  Dean Jackson  <dino@apple.com>
2903
2904         Implement Promise.allSettled
2905         https://bugs.webkit.org/show_bug.cgi?id=197600
2906         <rdar://problem/50483885>
2907
2908         Reviewed by Keith Miller.
2909
2910         Start testing Promise.allSettled. We pass most of the tests.
2911         The ones that fail are similar to the Promise.all tests we already fail.
2912
2913         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2914         * test262/expectations.yaml: Add new expectations for allSettled tests.
2915
2916 2019-05-28  Michael Saboff  <msaboff@apple.com>
2917
2918         [YARR] Properly handle RegExp's that require large ParenContext space
2919         https://bugs.webkit.org/show_bug.cgi?id=198065
2920
2921         Reviewed by Keith Miller.
2922
2923         New test.
2924
2925         * stress/regexp-large-paren-context.js: Added.
2926         (testLargeRegExp):
2927
2928 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2929
2930         JITOperations putByVal should mark negative array indices as out-of-bounds
2931         https://bugs.webkit.org/show_bug.cgi?id=198271
2932
2933         Reviewed by Saam Barati.
2934
2935         * microbenchmarks/get-by-val-negative-array-index.js:
2936         (foo):
2937         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2938         is 4.2x faster than the previous commit.
2939
2940         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2941         (foo):
2942
2943 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2944
2945         JITOperations getByVal should mark negative array indices as out-of-bounds
2946         https://bugs.webkit.org/show_bug.cgi?id=198229
2947
2948         Reviewed by Saam Barati.
2949
2950         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2951         (foo):
2952
2953 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2954
2955         [WASM-References] Support Anyref in globals
2956         https://bugs.webkit.org/show_bug.cgi?id=198102
2957
2958         Reviewed by Saam Barati.
2959
2960         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2961
2962         * wasm/Builder.js:
2963         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2964         * wasm/Builder_WebAssemblyBinary.js:
2965         (const.putInitExpr):
2966         * wasm/references/anyref_globals.js: Added.
2967         (GetGlobal.0.End.End.WebAssembly):
2968         (5.doGCSet):
2969         (doGCTest):
2970         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2971
2972 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2973
2974         DFG::OSREntry should not perform arity check
2975         https://bugs.webkit.org/show_bug.cgi?id=198189
2976
2977         Reviewed by Saam Barati.
2978
2979         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2980         (foo):
2981
2982 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2983
2984         [PlayStation] Skip additional tests on PlayStation
2985         https://bugs.webkit.org/show_bug.cgi?id=198145
2986
2987         Reviewed by Ross Kirsling.
2988
2989         * exceptionFuzz.yaml:
2990         Add skip on hostOS playstation
2991         * executableAllocationFuzz.yaml:
2992         Add skip on hostOS playstation
2993
2994 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2995
2996         createListFromArrayLike should throw if value is not an object
2997         https://bugs.webkit.org/show_bug.cgi?id=198138
2998
2999         Reviewed by Yusuke Suzuki.
3000
3001         * stress/create-list-from-array-like-not-object.js: Added.
3002         (testValid):
3003         (testInvalid):
3004         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
3005         (opt):
3006         * stress/proxy-proto-enumerator.js: Added.
3007         (main):
3008         * stress/proxy-proto-own-keys.js: Added.
3009         (assert):
3010         (ownKeys):
3011
3012 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3013
3014         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
3015         https://bugs.webkit.org/show_bug.cgi?id=197809
3016
3017         Reviewed by Michael Saboff.
3018
3019         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
3020         (foo):
3021
3022 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3023
3024         [ESNext] Implement support for Numeric Separators
3025         https://bugs.webkit.org/show_bug.cgi?id=196351
3026
3027         Reviewed by Keith Miller.
3028
3029         * stress/numeric-literal-separators.js: Added.
3030         Add tests for feature.
3031
3032         * test262/expectations.yaml:
3033         Mark 60 test cases as passing.
3034
3035 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3036
3037         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
3038         https://bugs.webkit.org/show_bug.cgi?id=198120
3039         <rdar://problem/49668795>
3040
3041         Reviewed by Michael Saboff.
3042
3043         * stress/get-array-length-concurrently-change-mode.js: Added.
3044         (main):
3045
3046 2019-05-22  Commit Queue  <commit-queue@webkit.org>
3047
3048         Unreviewed, rolling out r245634.
3049         https://bugs.webkit.org/show_bug.cgi?id=198140
3050
3051         'This patch makes JSC crash on launch in debug builds'
3052         (Requested by tadeuzagallo on #webkit).
3053
3054         Reverted changeset:
3055
3056         "[ESNext] Implement support for Numeric Separators"
3057         https://bugs.webkit.org/show_bug.cgi?id=196351
3058         https://trac.webkit.org/changeset/245634
3059
3060 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3061
3062         Stack-buffer-overflow in decodeURIComponent
3063         https://bugs.webkit.org/show_bug.cgi?id=198109
3064         <rdar://problem/50397550>
3065
3066         Reviewed by Michael Saboff.
3067
3068         * stress/decode-uri-icu-count-trail-bytes.js: Added.
3069         (i.j.try.i.toString):
3070         (i.j.catch):
3071
3072 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3073
3074         Don't clear PropertyNameArray in Proxy code
3075         https://bugs.webkit.org/show_bug.cgi?id=197691
3076
3077         Reviewed by Saam Barati.
3078
3079         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
3080         (shouldBe):
3081         (opt):
3082
3083 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3084
3085         [ESNext] Implement support for Numeric Separators
3086         https://bugs.webkit.org/show_bug.cgi?id=196351
3087
3088         Reviewed by Keith Miller.
3089
3090         * stress/numeric-literal-separators.js: Added.
3091         Add tests for feature.
3092
3093         * test262/expectations.yaml:
3094         Mark 60 test cases as passing.
3095
3096 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3097
3098         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
3099         https://bugs.webkit.org/show_bug.cgi?id=198101
3100
3101         Reviewed by Michael Saboff.
3102
3103         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
3104         (shouldBe):
3105
3106 2019-05-20  Keith Miller  <keith_miller@apple.com>
3107
3108         Cleanup Yarr regexp code around paren contexts.
3109         https://bugs.webkit.org/show_bug.cgi?id=198063
3110
3111         Reviewed by Yusuke Suzuki.
3112
3113         * stress/regexp-many-named-sequential-capture-groups.js: Added.
3114         (i.s):
3115         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
3116
3117 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
3118
3119         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
3120         https://bugs.webkit.org/show_bug.cgi?id=197969
3121
3122         Reviewed by Keith Miller.
3123
3124         Support the anyref type in Builder.js, plus add some extra error logging.
3125         Add new folder for wasm references tests.
3126
3127         * wasm.yaml:
3128         * wasm/Builder.js:
3129         (const._isValidValue):
3130         * wasm/references/anyref_modules.js: Added.
3131         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
3132         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
3133         (Call.3.RefIsNull.End.End.WebAssembly):
3134         (undefined):
3135         * wasm/references/is_null.js: Added.
3136         * wasm/references/is_null_error.js: Added.
3137         * wasm/spec-harness/index.js:
3138         * wasm/wasm.json:
3139
3140 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
3141
3142         [JSC] Invalid AssignmentTargetType should be an early error.
3143         https://bugs.webkit.org/show_bug.cgi?id=197603
3144
3145         Reviewed by Keith Miller.
3146
3147         * test262/expectations.yaml:
3148         Update expectations to reflect new SyntaxErrors.
3149         (Ideally, these should all be viewed as passing in the near future.)
3150
3151         * stress/async-await-basic.js:
3152         * stress/big-int-literals.js:
3153         Update tests to reflect new SyntaxErrors.
3154
3155         * ChakraCore.yaml:
3156         * ChakraCore/test/EH/try6.baseline-jsc:
3157         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
3158         Update baselines to reflect new SyntaxErrors.
3159
3160 2019-05-15  Saam Barati  <sbarati@apple.com>
3161
3162         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
3163         https://bugs.webkit.org/show_bug.cgi?id=197855
3164         <rdar://problem/50236506>
3165
3166         Reviewed by Michael Saboff.
3167
3168         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
3169         (f0):
3170         (bar):
3171         (foo):
3172         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
3173         (f1):
3174         (f2):
3175         (foo):
3176
3177 2019-05-14  Keith Miller  <keith_miller@apple.com>
3178
3179         Fix issue with byteOffset on ARM64E
3180         https://bugs.webkit.org/show_bug.cgi?id=197884
3181
3182         Reviewed by Saam Barati.
3183
3184         We didn't have any tests that run with non-byte/non-zero offset
3185         typed arrays.
3186
3187         * stress/ftl-gettypedarrayoffset-wasteful.js:
3188
3189 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
3190
3191         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
3192         https://bugs.webkit.org/show_bug.cgi?id=197833
3193
3194         Reviewed by Darin Adler.
3195
3196         * stress/generator-name.js: Added.
3197         (shouldBe):
3198         (gen):
3199         (catch):
3200
3201 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
3202
3203         JSObject::getOwnPropertyDescriptor is missing an exception check
3204         https://bugs.webkit.org/show_bug.cgi?id=197693
3205         <rdar://problem/50441784>
3206
3207         Reviewed by Saam Barati.
3208
3209         * stress/proxy-spread.js: Added.
3210         (foo):
3211
3212 2019-05-10  Saam barati  <sbarati@apple.com>
3213
3214         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
3215         https://bugs.webkit.org/show_bug.cgi?id=197807
3216         <rdar://problem/50530400>
3217
3218         Reviewed by Yusuke Suzuki.
3219
3220         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
3221         (test.getInstance):
3222         (test):
3223
3224 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
3225
3226         [Test262] Unreviewed expectations update following r245188.
3227
3228         * test262/config.yaml:
3229         * test262/expectations.yaml:
3230
3231         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
3232         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
3233         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
3234         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
3235         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
3236         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
3237         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
3238         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
3239         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
3240         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
3241         These files have invalid YAML comments. Will also submit corrections back to Test262.
3242
3243 2019-05-10  Keith Miller  <keith_miller@apple.com>
3244
3245         Update test262 tests.
3246
3247         Rubber-stamped by Yusuke Suzuki.
3248
3249         * test262/*: mega-patch too many things to list individually.
3250
3251 2019-05-09  Keith Miller  <keith_miller@apple.com>
3252
3253         Unreviewed, fix test to have a try-catch.
3254
3255         * stress/many-nested-functions-parser-stack-overflow.js:
3256         (catch):
3257
3258 2019-05-09  Keith Miller  <keith_miller@apple.com>
3259
3260         parseStatementListItem needs a stack overflow check
3261         https://bugs.webkit.org/show_bug.cgi?id=197749
3262
3263         Reviewed by Saam Barati.
3264
3265         * stress/many-nested-functions-parser-stack-overflow.js: Added.
3266
3267 2019-05-08  Saam barati  <sbarati@apple.com>
3268
3269         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
3270         https://bugs.webkit.org/show_bug.cgi?id=197715
3271         <rdar://problem/50399252>
3272
3273         Reviewed by Filip Pizlo.
3274
3275         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
3276         (foo):
3277         (bar):
3278
3279 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3280
3281         Unreviewed, rolling out r245068.
3282
3283         Caused debug layout tests to exit early due to an assertion
3284         failure.
3285
3286         Reverted changeset:
3287
3288         "All prototypes should call didBecomePrototype()"
3289         https://bugs.webkit.org/show_bug.cgi?id=196315
3290         https://trac.webkit.org/changeset/245068
3291
3292 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3293
3294         Invalid DFG JIT generation in high CPU usage state
3295         https://bugs.webkit.org/show_bug.cgi?id=197453
3296
3297         Reviewed by Saam Barati.
3298
3299         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3300         (trigger):
3301         (main):
3302
3303 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3304
3305         All prototypes should call didBecomePrototype()
3306         https://bugs.webkit.org/show_bug.cgi?id=196315
3307
3308         Reviewed by Saam Barati.
3309
3310         This changelog already landed, but the commit was missing the actual changes.
3311
3312         * stress/function-prototype-indexed-accessor.js: Added.
3313
3314 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3315
3316         [BigInt] Add ValueMod into DFG
3317         https://bugs.webkit.org/show_bug.cgi?id=186174
3318
3319         Reviewed by Saam Barati.
3320
3321         * microbenchmarks/mod-untyped.js: Added.
3322         * stress/big-int-mod-osr.js: Added.
3323         * stress/value-div-ai-rule.js: Added.
3324         * stress/value-mod-ai-rule.js: Added.
3325
3326 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3327
3328         [JSC] DFG_ASSERT failed in lowInt52
3329         https://bugs.webkit.org/show_bug.cgi?id=197569
3330
3331         Reviewed by Saam Barati.
3332
3333         * stress/getstack-int52.js: Added.
3334         (opt):
3335         (main):
3336
3337 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3338
3339         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3340         https://bugs.webkit.org/show_bug.cgi?id=197479
3341
3342         Reviewed by Saam Barati.
3343
3344         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3345         (shouldBe):
3346
3347 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3348
3349         TemplateObject passed to template literal tags are not always identical for the same source location.
3350         https://bugs.webkit.org/show_bug.cgi?id=190756
3351
3352         Reviewed by Saam Barati.
3353
3354         * complex.yaml:
3355         * complex/tagged-template-regeneration-after.js: Added.
3356         (shouldBe):
3357         * complex/tagged-template-regeneration.js: Added.
3358         (call):
3359         (test):
3360         * modules/tagged-template-inside-module.js: Added.
3361         (from.string_appeared_here.call):
3362         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3363         (call):
3364         (export.otherTaggedTemplates):
3365         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3366         (shouldBe):
3367         (call):
3368         (poly):
3369         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3370         (shouldBe):
3371         (call):
3372         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3373         (shouldBe):
3374         (call):
3375         (test):
3376         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3377         (shouldBe):
3378         (call):
3379         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3380         (shouldBe):
3381         (call):
3382         * stress/tagged-templates-in-multiple-functions.js: Added.
3383         (shouldBe):
3384         (call):
3385         (a):
3386         (b):
3387         (c):
3388         * stress/tagged-templates-with-same-start-offset.js: Added.
3389         (shouldBe):
3390
3391 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3392
3393         All prototypes should call didBecomePrototype()
3394         https://bugs.webkit.org/show_bug.cgi?id=196315
3395
3396         Reviewed by Saam Barati.
3397
3398         * stress/function-prototype-indexed-accessor.js: Added.
3399
3400 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3401
3402         Unreviewed, rolling out r244978.
3403         https://bugs.webkit.org/show_bug.cgi?id=197671
3404
3405         TemplateObject map should use start/end offsets (Requested by
3406         yusukesuzuki on #webkit).
3407
3408         Reverted changeset:
3409
3410         "TemplateObject passed to template literal tags are not always
3411         identical for the same source location."
3412         https://bugs.webkit.org/show_bug.cgi?id=190756
3413         https://trac.webkit.org/changeset/244978
3414
3415 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3416
3417         tryCachePutByID should not crash if target offset changes
3418         https://bugs.webkit.org/show_bug.cgi?id=197311
3419         <rdar://problem/48033612>
3420
3421         Reviewed by Filip Pizlo.
3422
3423         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
3424         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
3425
3426         * stress/cache-put-by-id-delete-prototype.js: Added.
3427         (A.prototype.set y):
3428         (A):
3429         (B.prototype.set y):
3430         (B):
3431         (C):
3432         * stress/cache-put-by-id-different-__proto__.js: Added.
3433         (A.prototype.set y):
3434         (A):
3435         (B1):
3436         (B2.prototype.set y):
3437         (B2):
3438         (C):
3439         (D):
3440         * stress/cache-put-by-id-different-attributes.js: Added.
3441         (Foo):
3442         (set x):
3443         * stress/cache-put-by-id-different-offset.js: Added.
3444         (Foo):
3445         (set x):
3446         * stress/cache-put-by-id-insert-prototype.js: Added.
3447         (A.prototype.set y):
3448         (A):
3449         (C):
3450         * stress/cache-put-by-id-poly-proto.js: Added.
3451         (Foo):
3452         (set _):
3453         (createBar.Bar):
3454         (createBar):
3455
3456 2019-05-07  Saam Barati  <sbarati@apple.com>
3457
3458         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3459         https://bugs.webkit.org/show_bug.cgi?id=197531
3460         <rdar://problem/50162379>
3461
3462         Reviewed by Yusuke Suzuki.
3463
3464         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3465
3466 2019-05-06  Dean Jackson  <dino@apple.com>
3467
3468         Update test262 expectations for Proxy passes
3469         https://bugs.webkit.org/show_bug.cgi?id=197628
3470
3471         Reviewed by Yusuke Suzuki.
3472
3473         There are two consistent passes in Proxy.ownKeys.
3474
3475         * test262/expectations.yaml:
3476
3477 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3478
3479         [JSC] We should check OOM for description string of Symbol
3480         https://bugs.webkit.org/show_bug.cgi?id=197634
3481
3482         Reviewed by Keith Miller.
3483
3484         * stress/check-symbol-description-oom.js: Added.
3485         (shouldThrow):
3486
3487 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3488
3489         Unreviewed, land one more test
3490         https://bugs.webkit.org/show_bug.cgi?id=197587
3491
3492         * stress/setter-frame-flush.js: Added.
3493         (setter):
3494         (foo):
3495         (bar):
3496
3497 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3498
3499         TemplateObject passed to template literal tags are not always identical for the same source location.
3500         https://bugs.webkit.org/show_bug.cgi?id=190756
3501
3502         Reviewed by Saam Barati.
3503
3504         * complex.yaml:
3505         * complex/tagged-template-regeneration-after.js: Added.
3506         (shouldBe):
3507         * complex/tagged-template-regeneration.js: Added.
3508         (call):
3509         (test):
3510         * modules/tagged-template-inside-module.js: Added.
3511         (from.string_appeared_here.call):
3512         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3513         (call):
3514         (export.otherTaggedTemplates):
3515         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3516         (shouldBe):
3517         (call):
3518         (poly):
3519         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3520         (shouldBe):
3521         (call):
3522         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3523         (shouldBe):
3524         (call):
3525         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3526         (shouldBe):
3527         (call):
3528         * stress/tagged-templates-in-multiple-functions.js: Added.
3529         (shouldBe):
3530         (call):
3531         (a):
3532         (b):
3533         (c):
3534
3535 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3536
3537         [PlayStation] JSC Stress tests failing due to timezone printing
3538         https://bugs.webkit.org/show_bug.cgi?id=197615
3539
3540         PlayStation's strftime does not give timezone strings, which
3541         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3542         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3543         which causes diff failures with the expectations. Add expectations
3544         without the timezone string and use those on playstation.
3545
3546         Reviewed by Ross Kirsling.
3547
3548         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3549         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3550         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3551         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3552
3553 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3554
3555         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3556         https://bugs.webkit.org/show_bug.cgi?id=197587
3557
3558         Reviewed by Sam Weinig.
3559
3560         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3561
3562         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3563
3564 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3565
3566         TypedArrays should not store properties that are canonical numeric indices
3567         https://bugs.webkit.org/show_bug.cgi?id=197228
3568         <rdar://problem/49557381>
3569
3570         Reviewed by Saam Barati.
3571
3572         * stress/array-species-config-array-constructor.js:
3573         (test):
3574         * stress/put-direct-index-broken-2.js:
3575         * stress/typed-array-canonical-numeric-index-string.js: Added.
3576         (makeTest.assert):
3577         (makeTest):
3578         (const.testInvalidIndices.makeTest.set assert):
3579         (const.testInvalidIndices.makeTest):
3580         (const.makeTestValidIndex.configurable.set assert):
3581         (const.makeTestValidIndex.configurable):
3582         * stress/typedarray-access-monomorphic-neutered.js:
3583         (checkNoException):
3584         (testNoException):
3585         (testFTLNoException):
3586         * stress/typedarray-access-neutered.js:
3587         (testNoException):
3588         * stress/typedarray-getownproperty-not-configurable.js:
3589         (foo):
3590         * test262/expectations.yaml:
3591
3592 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3593
3594         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3595         https://bugs.webkit.org/show_bug.cgi?id=197584
3596
3597         Reviewed by Saam Barati.
3598
3599         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3600         (X):
3601         (foo):
3602
3603 2019-05-03  Michael Saboff  <msaboff@apple.com>
3604
3605         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3606         https://bugs.webkit.org/show_bug.cgi?id=197586
3607
3608         Reviewed by Keith Miller.
3609
3610         We should only run one config of this test and only when we think we'll have the memory.
3611
3612         * stress/json-stringify-string-builder-overflow.js:
3613
3614 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3615
3616         [JSC] Generator CodeBlock generation should be idempotent
3617         https://bugs.webkit.org/show_bug.cgi?id=197552
3618
3619         Reviewed by Keith Miller.
3620
3621         Add complex.yaml, which controls how to run JSC shell more.
3622         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3623
3624         * complex.yaml: Added.
3625         * complex/generator-regeneration-after.js: Added.
3626         * complex/generator-regeneration.js: Added.
3627         (gen):
3628
3629 2019-05-02  Michael Saboff  <msaboff@apple.com>
3630
3631         Unreviewed rollout of r244862.
3632
3633         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3634
3635 2019-05-01  Saam barati  <sbarati@apple.com>
3636
3637         Baseline JIT should do argument value profiling after checking for stack overflow
3638         https://bugs.webkit.org/show_bug.cgi?id=197052
3639         <rdar://problem/50009602>
3640
3641         Reviewed by Yusuke Suzuki.
3642
3643         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3644
3645 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3646
3647         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3648         https://bugs.webkit.org/show_bug.cgi?id=197405
3649
3650         Reviewed by Saam Barati.
3651
3652         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3653         (foo):
3654         (test):
3655         (i.o.get f):
3656         (i.o.set f):
3657
3658 2019-05-01  Michael Saboff  <msaboff@apple.com>
3659
3660         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3661         https://bugs.webkit.org/show_bug.cgi?id=197485
3662
3663         Reviewed by Saam Barati.
3664
3665         New test.
3666
3667         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3668         (foo):
3669
3670 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3671
3672         Unreviewed correction to Test262 expectations following r244828.
3673
3674         * test262/expectations.yaml:
3675
3676 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3677
3678         Add memory-limited skipping to some tests generating very large strings
3679         https://bugs.webkit.org/show_bug.cgi?id=197437
3680
3681         Reviewed by Ross Kirsling.
3682
3683         * stress/StringObject-define-length-getter-rope-string-oom.js:
3684         * stress/create-error-out-of-memory-rope-string.js:
3685         * stress/string-16bit-repeat-overflow.js:
3686
3687 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3688
3689         Unreviewed, rolling out r244806.
3690         https://bugs.webkit.org/show_bug.cgi?id=197446
3691
3692         Causing Test262 and JSC test failures on multiple builds
3693         (Requested by ShawnRoberts on #webkit).
3694
3695         Reverted changeset:
3696
3697         "TypeArrays should not store properties that are canonical
3698         numeric indices"
3699         https://bugs.webkit.org/show_bug.cgi?id=197228
3700         https://trac.webkit.org/changeset/244806
3701
3702 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3703
3704         TypeArrays should not store properties that are canonical numeric indices
3705         https://bugs.webkit.org/show_bug.cgi?id=197228
3706         <rdar://problem/49557381>
3707
3708         Reviewed by Darin Adler.
3709
3710         * stress/typed-array-canonical-numeric-index-string.js: Added.
3711         (makeTest.assert):
3712         (makeTest):
3713         (const.testInvalidIndices.makeTest.set assert):
3714         (const.testInvalidIndices.makeTest):
3715         (const.testValidIndices.makeTest.set assert):
3716         (const.testValidIndices.makeTest):
3717
3718 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3719
3720         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3721         https://bugs.webkit.org/show_bug.cgi?id=197362
3722
3723         Reviewed by Saam Barati.
3724
3725         * stress/map-with-nan.js: Added.
3726         (shouldBe):
3727         (div):
3728         (NaN1):
3729         (NaN2):
3730         (NaN3):
3731         (NaN4):
3732         (NaN1NoInline):
3733         (NaN2NoInline):
3734         (NaN3NoInline):
3735         (NaN4NoInline):
3736         (test1):
3737         (test2):
3738         (test3):
3739         (test4):
3740         * stress/set-with-nan.js: Added.
3741         (shouldBe):
3742         (div):
3743         (NaN1):
3744         (NaN2):
3745         (NaN3):
3746         (NaN4):
3747         (NaN1NoInline):
3748         (NaN2NoInline):
3749         (NaN3NoInline):
3750         (NaN4NoInline):
3751         (test2):
3752         (test4):
3753
3754 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3755
3756         Unreviewed, rolling out r244708.
3757         https://bugs.webkit.org/show_bug.cgi?id=197334
3758
3759         "Broke the debug build" (Requested by rmorisset on #webkit).
3760
3761         Reverted changeset:
3762
3763         "All prototypes should call didBecomePrototype()"
3764         https://bugs.webkit.org/show_bug.cgi?id=196315
3765         https://trac.webkit.org/changeset/244708
3766
3767 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3768
3769         [JSC] linkPolymorphicCall now does GC
3770         https://bugs.webkit.org/show_bug.cgi?id=197306
3771
3772         Reviewed by Saam Barati.
3773
3774         * stress/link-polymorphic-call-can-gc.js: Added.
3775         (module):
3776         (instance):
3777
3778 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3779
3780         All prototypes should call didBecomePrototype()
3781         https://bugs.webkit.org/show_bug.cgi?id=196315
3782
3783         Reviewed by Saam Barati.
3784
3785         * stress/function-prototype-indexed-accessor.js: Added.
3786
3787 2019-04-23  Saam Barati  <sbarati@apple.com>
3788
3789         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3790         https://bugs.webkit.org/show_bug.cgi?id=196721
3791         <rdar://problem/49556479>
3792
3793         Reviewed by Filip Pizlo.
3794
3795         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3796         (foo):
3797
3798 2019-04-19  Saam Barati  <sbarati@apple.com>
3799
3800         AbstractValue can represent more than int52
3801         https://bugs.webkit.org/show_bug.cgi?id=197118
3802         <rdar://problem/49969960>
3803
3804         Reviewed by Michael Saboff.
3805
3806         * stress/abstract-value-can-include-int52.js: Added.
3807         (foo):
3808         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3809
3810 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3811
3812         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3813         https://bugs.webkit.org/show_bug.cgi?id=197053
3814
3815         Reviewed by Saam Barati.
3816
3817         * stress/merge-string-builder-in-dfg.js: Added.
3818         (foo):
3819
3820 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3821
3822         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3823         https://bugs.webkit.org/show_bug.cgi?id=176810
3824
3825         Reviewed by Saam Barati.
3826
3827         Add tests for the DontEnum filtering, and variations of other tests
3828         take the DontEnum-filtering path.
3829
3830         * stress/proxy-own-keys.js:
3831         (i.catch):
3832         (set assert):
3833         (set add):
3834         (let.set new):
3835         (get let):
3836
3837 2019-04-15  Saam barati  <sbarati@apple.com>
3838
3839         Modify how we do SetArgument when we inline varargs calls
3840         https://bugs.webkit.org/show_bug.cgi?id=196712
3841         <rdar://problem/49605012>
3842
3843         Reviewed by Michael Saboff.
3844
3845         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3846         (foo):
3847
3848 2019-04-15  Saam barati  <sbarati@apple.com>
3849
3850         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3851         https://bugs.webkit.org/show_bug.cgi?id=196945
3852         <rdar://problem/49802750>
3853
3854         Reviewed by Filip Pizlo.
3855
3856         * stress/get-by-offset-should-use-correct-child.js: Added.
3857         (foo.bar):
3858         (foo):
3859
3860 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3861
3862         DFG should be able to constant fold Object.create() with a constant prototype operand
3863         https://bugs.webkit.org/show_bug.cgi?id=196886
3864
3865         Reviewed by Yusuke Suzuki.
3866
3867         Note that this new benchmark does not currently see a speedup with inlining removed.
3868         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3869
3870         * microbenchmarks/object-create-constant-prototype.js: Added.
3871         (test):
3872
3873 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3874
3875         Incremental bytecode cache should not append function updates when loaded from memory
3876         https://bugs.webkit.org/show_bug.cgi?id=196865
3877
3878         Reviewed by Filip Pizlo.
3879
3880         * stress/bytecode-cache-shared-code-block.js: Added.
3881         (b):
3882         (program):
3883
3884 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3885
3886         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3887         https://bugs.webkit.org/show_bug.cgi?id=196880
3888
3889         Reviewed by Yusuke Suzuki.
3890
3891         * stress/bytecode-cache-syntax-error.js: Added.
3892         (catch):
3893
3894 2019-04-12  Saam barati  <sbarati@apple.com>
3895
3896         r244079 logically broke shouldSpeculateInt52
3897         https://bugs.webkit.org/show_bug.cgi?id=196884
3898
3899         Reviewed by Yusuke Suzuki.
3900
3901         * microbenchmarks/int52-rand-function.js: Added.
3902         (Math.random):
3903
3904 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3905
3906         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3907         https://bugs.webkit.org/show_bug.cgi?id=196850
3908
3909         Reviewed by Saam Barati.
3910
3911         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3912         (foo):
3913
3914 2019-04-11  Saam barati  <sbarati@apple.com>
3915
3916         Remove invalid assertion in operationInstanceOfCustom
3917         https://bugs.webkit.org/show_bug.cgi?id=196842
3918         <rdar://problem/49725493>
3919
3920         Reviewed by Michael Saboff.
3921
3922         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3923
3924 2019-04-10  Saam Barati  <sbarati@apple.com>
3925
3926         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3927         https://bugs.webkit.org/show_bug.cgi?id=196801
3928         <rdar://problem/49771122>
3929
3930         Reviewed by Yusuke Suzuki.
3931
3932         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3933
3934 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3935
3936         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3937         https://bugs.webkit.org/show_bug.cgi?id=196746
3938
3939         Reviewed by Yusuke Suzuki.
3940
3941         * stress/cyclic-define-properties.js: Added.
3942         (foo):
3943
3944 2019-04-09  Saam barati  <sbarati@apple.com>
3945
3946         Clean up Int52 code and some bugs in it
3947         https://bugs.webkit.org/show_bug.cgi?id=196639
3948         <rdar://problem/49515757>
3949
3950         Reviewed by Yusuke Suzuki.
3951
3952         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3953
3954 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3955
3956         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3957         https://bugs.webkit.org/show_bug.cgi?id=196708
3958         <rdar://problem/49556803>
3959
3960         Reviewed by Yusuke Suzuki.
3961
3962         * stress/proxy-getter-stack-overflow.js: Added.
3963         (const.handler.get target):
3964         (const.handler.has):
3965         (try.with):
3966         (catch):
3967
3968 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3969
3970         [JSC] DFG should respect node's strict flag
3971         https://bugs.webkit.org/show_bug.cgi?id=196617
3972
3973         Reviewed by Saam Barati.
3974
3975         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3976         (shouldEqual):
3977         (makeUnwriteableUnconfigurableObject):
3978         (runTest):
3979         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3980         (shouldBe):
3981         (shouldThrow):
3982         (with.result):
3983         (with.putValueStrict):
3984         (with.putValueSloppy):
3985
3986 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3987
3988         [JSC] isRope jump in StringSlice should not jump over register allocations
3989         https://bugs.webkit.org/show_bug.cgi?id=196716
3990
3991         Reviewed by Saam Barati.
3992
3993         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3994         (foo.bar):
3995         (foo):
3996
3997 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3998
3999         [JSC] to_index_string should not assume incoming value is Uint32
4000         https://bugs.webkit.org/show_bug.cgi?id=196713
4001
4002         Reviewed by Saam Barati.
4003
4004         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
4005         (foo):
4006
4007 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4008
4009         [JSC] Add more tests for r243966
4010         https://bugs.webkit.org/show_bug.cgi?id=196711
4011
4012         Reviewed by Saam Barati.
4013
4014         Adding one more test for r243966 fix. The added test will not crash after r243966.
4015
4016         * stress/stress-cleared-calllinkinfo.js: Added.
4017         (runNearStackLimit.t):
4018         (runNearStackLimit):
4019         (repeat):
4020         (cls):
4021         (let.item.of.array.runNearStackLimit):
4022
4023 2019-04-08  Saam Barati  <sbarati@apple.com>
4024
4025         WebAssembly.RuntimeError missing exception check
4026         https://bugs.webkit.org/show_bug.cgi?id=196700
4027         <rdar://problem/49693932>
4028
4029         Reviewed by Yusuke Suzuki.
4030
4031         * wasm/js-api/runtime-error-should-exception-check.js: Added.
4032
4033 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4034
4035         Unreviewed, rolling in r243948 with test fix
4036         https://bugs.webkit.org/show_bug.cgi?id=196486
4037
4038         * stress/arrow-function-and-use-strict-directive.js: Added.
4039         * stress/arrow-function-syntax.js: Added.
4040         (checkSyntax):
4041         (checkSyntaxError):
4042
4043 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4044
4045         Unreviewed, rolling out r243948.
4046
4047         Caused inspector/runtime/parse.html to fail
4048
4049         Reverted changeset:
4050
4051         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
4052         https://bugs.webkit.org/show_bug.cgi?id=196486
4053         https://trac.webkit.org/changeset/243948
4054
4055 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4056
4057         Unreviewed, rolling out r243943.
4058
4059         Caused test262 failures.
4060
4061         Reverted changeset:
4062
4063         "[JSC] Filter DontEnum properties in
4064         ProxyObject::getOwnPropertyNames()"
4065         https://bugs.webkit.org/show_bug.cgi?id=176810
4066         https://trac.webkit.org/changeset/243943
4067
4068 2019-04-07  Michael Saboff  <msaboff@apple.com>
4069
4070         REGRESSION (r243642): Crash in reddit.com page
4071         https://bugs.webkit.org/show_bug.cgi?id=196684
4072
4073         Reviewed by Geoffrey Garen.
4074
4075         New regression test.
4076
4077         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
4078
4079 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
4080
4081         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
4082         https://bugs.webkit.org/show_bug.cgi?id=196683
4083
4084         Reviewed by Saam Barati.
4085
4086         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
4087         (foo):
4088
4089 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4090
4091         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
4092         https://bugs.webkit.org/show_bug.cgi?id=196582
4093
4094         Reviewed by Saam Barati.
4095
4096         * stress/add-overflow-check-with-three-same-registers.js: Added.
4097         (foo):
4098         (Number.prototype.valueOf):
4099         (runWithNumber):
4100
4101 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
4102
4103         Unreviewed, rolling out r243665.
4104
4105         Caused iOS JSC tests to exit with an exception.
4106
4107         Reverted changeset:
4108
4109         "Assertion failed in JSC::createError"
4110         https://bugs.webkit.org/show_bug.cgi?id=196305
4111         https://trac.webkit.org/changeset/243665
4112
4113 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4114
4115         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
4116         https://bugs.webkit.org/show_bug.cgi?id=196486
4117
4118         Reviewed by Saam Barati.
4119
4120         * stress/arrow-function-and-use-strict-directive.js: Added.
4121         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
4122         (checkSyntax):
4123         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
4124
4125 2019-04-05  Caitlin Potter  <caitp@igalia.com>
4126
4127         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
4128         https://bugs.webkit.org/show_bug.cgi?id=176810
4129
4130         Reviewed by Saam Barati.
4131
4132         Add tests for the DontEnum filtering, and variations of other tests
4133         take the DontEnum-filtering path.
4134
4135         * stress/proxy-own-keys.js:
4136         (i.catch):
4137         (set assert):
4138         (set add):
4139         (let.set new):
4140         (get let):
4141
4142 2019-04-05  Caitlin Potter  <caitp@igalia.com>
4143
4144         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
4145         https://bugs.webkit.org/show_bug.cgi?id=185211
4146
4147         Reviewed by Saam Barati.
4148
4149         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
4150
4151         This changes several assertions to expect a TypeError to be thrown (in some cases,
4152         changing the expected message).
4153
4154         * es6/Proxy_ownKeys_duplicates.js:
4155         (handler):
4156         (shouldThrow):
4157         (test):
4158         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
4159         (shouldThrow):
4160         * stress/proxy-own-keys.js:
4161         (i.catch):
4162         (assert):
4163
4164 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
4165
4166         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
4167         https://bugs.webkit.org/show_bug.cgi?id=196631
4168
4169         Reviewed by Saam Barati.
4170
4171         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
4172         (assert):
4173         (test):
4174         (foo):
4175
4176 2019-04-04  Saam Barati  <sbarati@apple.com>
4177
4178         Unreviewed. Make the test from r243906 catch the thrown exceptions.
4179
4180         * stress/inferred-types-regex-matches-array.js:
4181
4182 2019-04-04  Saam Barati  <sbarati@apple.com>
4183
4184         createRegExpMatchesArray does not respect inferred types
4185         https://bugs.webkit.org/show_bug.cgi?id=193287
4186
4187         Reviewed by Yusuke Suzuki.
4188
4189         This checks in the test case for 193287. This issue was discovered by
4190         Samuel Groß of Google Project Zero.
4191
4192         * stress/inferred-types-regex-matches-array.js: Added.
4193
4194 2019-04-04  Saam barati  <sbarati@apple.com>
4195
4196         Teach Call ICs how to call Wasm
4197         https://bugs.webkit.org/show_bug.cgi?id=196387
4198
4199         Reviewed by Filip Pizlo.
4200
4201         * wasm/function-tests/stack-trace.js:
4202
4203 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
4204
4205         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
4206         https://bugs.webkit.org/show_bug.cgi?id=194944
4207
4208         Reviewed by Keith Miller.
4209
4210         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
4211
4212 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
4213
4214         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
4215         https://bugs.webkit.org/show_bug.cgi?id=196409
4216
4217         Reviewed by Saam Barati.
4218
4219         * stress/bytecode-cache-cached-string-impl.js: Added.
4220         (f):
4221         (g):
4222         * stress/bytecode-cache-run-string.js: Added.
4223
4224 2019-04-03  Robin Morisset  <rmorisset@apple.com>
4225
4226         B3 should use associativity to optimize expression trees
4227         https://bugs.webkit.org/show_bug.cgi?id=194081
4228
4229         Reviewed by Filip Pizlo.
4230
4231         Added three microbenchmarks:
4232         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
4233         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
4234           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
4235         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
4236
4237         * microbenchmarks/add-tree.js: Added.
4238         * microbenchmarks/bit-or-tree.js: Added.
4239         * microbenchmarks/bit-xor-tree.js: Added.
4240
4241 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
4242
4243         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
4244         https://bugs.webkit.org/show_bug.cgi?id=196574
4245
4246         Reviewed by Saam Barati.
4247
4248         * stress/string-index-of-exception-check.js: Added.
4249         (blurType):
4250         (1.forEach):
4251
4252 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
4253
4254         Assertion failed in JSC::createError
4255         https://bugs.webkit.org/show_bug.cgi?id=196305
4256         <rdar://problem/49387382>
4257
4258         Reviewed by Saam Barati.
4259
4260         * stress/create-error-out-of-memory-rope-string-2.js: Added.
4261         (assert):
4262         (catch):
4263
4264 2019-03-28  Saam Barati  <sbarati@apple.com>
4265
4266         BackwardsGraph needs to consider back edges as the backward's root successor
4267         https://bugs.webkit.org/show_bug.cgi?id=195991
4268
4269         Reviewed by Filip Pizlo.
4270
4271         * stress/map-b3-licm-infinite-loop.js: Added.
4272
4273 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
4274
4275         CodeBlock::jettison() should disallow repatching its own calls
4276         https://bugs.webkit.org/show_bug.cgi?id=196359
4277         <rdar://problem/48973663>
4278
4279         Reviewed by Saam Barati.
4280
4281         * stress/call-link-info-osrexit-repatch.js: Added.
4282         (foo):
4283
4284 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
4285
4286         [JSC] imports-oom.js intermittently fails
4287         https://bugs.webkit.org/show_bug.cgi?id=196373
4288
4289         Reviewed by Saam Barati.
4290
4291         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
4292         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
4293         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
4294         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
4295         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
4296
4297         This patch reduces the maxParams from 32 to 8 to reduce the size of the randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
4298         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
4299
4300         * wasm/lowExecutableMemory/imports-oom.js:
4301
4302 2019-03-27  Saam Barati  <sbarati@apple.com>
4303
4304         validateOSREntryValue with Int52 should box the value being checked into double format
4305         https://bugs.webkit.org/show_bug.cgi?id=196313
4306         <rdar://problem/49306703>
4307
4308         Reviewed by Yusuke Suzuki.
4309
4310         * stress/validate-int-52-ai-state.js: Added.
4311
4312 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
4313
4314         [JSC] Owner of watchpoints should validate at GC finalizing phase
4315         https://bugs.webkit.org/show_bug.cgi?id=195827
4316
4317         Reviewed by Filip Pizlo.
4318
4319         * stress/gc-should-reap-dead-watchpoints.js: Added.
4320         (foo):
4321         (A.prototype.y):
4322         (A):
4323
4324 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
4325
4326         Skip WebAssembly test on 32-bit systems
4327         https://bugs.webkit.org/show_bug.cgi?id=196206
4328
4329         Reviewed by Saam Barati.
4330
4331         Invoking runDefault executes test immediately even though
4332         that test should be skipped due to missing WASM support.
4333         Therefore remove runDefault.
4334
4335         * wasm/regress/web-assembly-link-error-exception-check.js:
4336
4337 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
4338
4339         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
4340         https://bugs.webkit.org/show_bug.cgi?id=196217
4341
4342         Reviewed by Saam Barati.
4343
4344         Re-enable all NaN tests for f32.min, f64.min and f64.max.
4345
4346         * wasm/spec-tests/f32.wast.js:
4347         * wasm/spec-tests/f64.wast.js:
4348         * wasm/wasm.json:
4349
4350 2019-03-25  Keith Miller  <keith_miller@apple.com>
4351
4352         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
4353         https://bugs.webkit.org/show_bug.cgi?id=196176
4354
4355         Reviewed by Saam Barati.
4356
4357         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
4358         (main.v10):
4359         (main):
4360
4361 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
4362
4363         WebAssembly: f32.max with NaN generates incorrect result
4364         https://bugs.webkit.org/show_bug.cgi?id=175691
4365         <rdar://problem/33952228>
4366
4367         Reviewed by Saam Barati.
4368
4369         Enable all f32.max NaN tests
4370
4371         * wasm/spec-tests/f32.wast.js:
4372         * wasm/wasm.json:
4373
4374 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
4375
4376         [JSC] Move test into directory for WASM tests
4377         https://bugs.webkit.org/show_bug.cgi?id=196187
4378
4379         Reviewed by Mark Lam.
4380
4381         Move Test into wasm-directory. Otherwise this test
4382         is also executed on systems without WASM support.
4383
4384         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
4385
4386 2019-03-23  Mark Lam  <mark.lam@apple.com>
4387
4388         Rolling out r243032 and r243071 because the fix is incorrect.
4389         https://bugs.webkit.org/show_bug.cgi?id=195892
4390         <rdar://problem/48981239>
4391
4392         Not reviewed.
4393
4394         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
4395
4396 2019-03-22  Mark Lam  <mark.lam@apple.com>
4397
4398         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
4399         https://bugs.webkit.org/show_bug.cgi?id=196154
4400         <rdar://problem/49145307>
4401
4402         Reviewed by Filip Pizlo.
4403
4404         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
4405         There's no need to run this test on more than 1 test configuration.
4406