[JSC] Do not use FTLOutput::weakPointer directly
[WebKit-https.git] / JSTests / ChangeLog
1 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Do not use FTLOutput::weakPointer directly
4         https://bugs.webkit.org/show_bug.cgi?id=201495
5
6         Reviewed by Filip Pizlo.
7
8         * stress/create-promise-weak-pointer.js: Added.
9         (foo):
10
11 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
12
13         [JSC] Make Promise implementation faster
14         https://bugs.webkit.org/show_bug.cgi?id=200898
15
16         Reviewed by Saam Barati.
17
18         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
19         (assert.assert.return.throws):
20         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
21         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
22         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
23         (shouldThrow):
24         (new.Promise):
25         (shouldThrow.Promise):
26         * stress/create-promise-should-respect-promise-realm.js: Added.
27         (shouldBe):
28         (other.new.OtherPromise):
29         (DerivedOtherPromise):
30         (i.promise.new.DerivedOtherPromise):
31         (createPromise):
32         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
33         (shouldBe):
34         (DerivedPromise):
35         (i.array.push.new.DerivedPromise):
36         (promise.new.DerivedPromise):
37         * stress/derived-promise-constructor-inlined.js: Added.
38         (shouldBe):
39         (DerivedPromise):
40         (i.array.push.new.DerivedPromise):
41         (DerivedPromise.all.array.then):
42         * stress/derived-promise-prototype-replaced.js: Added.
43         (shouldBe):
44         (DerivedPromise):
45         (i.array.push.new.DerivedPromise):
46         (promise.new.DerivedPromise):
47         * stress/internal-promise-constructor-not-confusing.js: Added.
48         (shouldBe):
49         (InternalPromise.vm.createBuiltin):
50         (DerivedPromise):
51         * stress/internal-promise-is-not-exposed.js: Added.
52         (shouldBe):
53         * stress/new-promise-should-respect-promise-realm.js: Added.
54         (shouldBe):
55         (other.new.OtherPromise):
56         (createPromise):
57         * stress/promise-cannot-be-called.js:
58         (shouldThrow):
59         * stress/promise-capability-fast-path.js: Added.
60         (shouldBe):
61         (i.array.push.new.Promise):
62         (i.array.i.then):
63         * stress/promise-capability-slow-path.js: Added.
64         (shouldBe):
65         (Promise.prototype.then):
66         (i.array.push.new.Promise):
67         (i.array.i.then):
68         * stress/promise-capability-then-slow-path.js: Added.
69         (shouldBe):
70         (DerivedPromise):
71         (DerivedPromise.prototype.then):
72         (i.array.push.new.DerivedPromise):
73         (i.array.i.then):
74         * stress/promise-constructor-inlined.js: Added.
75         (shouldBe):
76         (i.array.push.new.Promise):
77         (Promise.all.array.then):
78         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
79         (shouldBe):
80         (DerivedPromise):
81         (DerivedPromise2):
82         (i.array.push.new.DerivedPromise):
83         (i.array2.push.new.DerivedPromise2):
84         * stress/without-promise-functions.js: Added.
85         (shouldBe):
86         (async):
87
88 2019-09-03  Mark Lam  <mark.lam@apple.com>
89
90         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
91         https://bugs.webkit.org/show_bug.cgi?id=201309
92         <rdar://problem/54832121>
93
94         Reviewed by Yusuke Suzuki.
95
96         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
97
98 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
99
100         [JSC] Generate new.target register only when it is used
101         https://bugs.webkit.org/show_bug.cgi?id=201335
102
103         Reviewed by Mark Lam.
104
105         * stress/ensure-new-register-allocated.js: Added.
106         (shouldBe):
107         (basic):
108         (arrow):
109         (Base):
110         (Derived):
111         (evaluate):
112
113 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
114
115         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
116         https://bugs.webkit.org/show_bug.cgi?id=201331
117
118         Reviewed by Mark Lam.
119
120         * stress/simple-jump-table-copy.js: Added.
121         (let.code):
122         (g2):
123
124 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
125
126         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
127         https://bugs.webkit.org/show_bug.cgi?id=201332
128
129         Reviewed by Mark Lam.
130
131         This test is very flaky; it is hard to reproduce.
132
133         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
134         (code):
135
136 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
137
138         [JSC] Repatch should construct CallCases and CasesValue at the same time
139         https://bugs.webkit.org/show_bug.cgi?id=201325
140
141         Reviewed by Saam Barati.
142
143         * stress/repatch-switch.js: Added.
144         (main.f2.f0):
145         (main.f2.f3):
146         (main.f2.f1):
147         (main.f2):
148         (main):
149
150 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
151
152         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
153         https://bugs.webkit.org/show_bug.cgi?id=198650
154
155         Reviewed by Saam Barati.
156
157         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
158         (main.v0):
159         (main):
160
161 2019-08-28  Mark Lam  <mark.lam@apple.com>
162
163         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
164         https://bugs.webkit.org/show_bug.cgi?id=201281
165         <rdar://problem/54028228>
166
167         Reviewed by Yusuke Suzuki and Saam Barati.
168
169         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
170
171 2019-08-28  Mark Lam  <mark.lam@apple.com>
172
173         Placate exception check validation in DFG's operationHasGenericProperty().
174         https://bugs.webkit.org/show_bug.cgi?id=201245
175         <rdar://problem/54777512>
176
177         Reviewed by Robin Morisset.
178
179         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
180
181 2019-08-27  Mark Lam  <mark.lam@apple.com>
182
183         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
184         https://bugs.webkit.org/show_bug.cgi?id=201196
185         <rdar://problem/54703775>
186
187         Reviewed by Yusuke Suzuki.
188
189         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
190
191 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
192
193         [JSC] Ensure x?.y ?? z is fast
194         https://bugs.webkit.org/show_bug.cgi?id=200875
195
196         Reviewed by Yusuke Suzuki.
197
198         * stress/nullish-coalescing.js:
199
200 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
201
202         Remove MaximalFlushInsertionPhase
203         https://bugs.webkit.org/show_bug.cgi?id=201036
204
205         Reviewed by Saam Barati.
206
207         Remove all the references to maximal flush
208
209         * stress/arith-ceil-on-various-types.js:
210         (checkCompileCountForUselessNegativeZero):
211         * stress/arith-floor-on-various-types.js:
212         (checkCompileCountForUselessNegativeZero):
213         * stress/arith-negate-on-various-types.js:
214         (checkCompileCountForUselessNegativeZero):
215         * stress/arith-round-on-various-types.js:
216         (checkCompileCountForUselessNegativeZero):
217         * stress/arith-trunc-on-various-types.js:
218         (checkCompileCountForUselessNegativeZero):
219         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
220         * stress/has-indexed-property-should-accept-non-int32.js:
221         * stress/has-indexed-property-with-worsening-array-mode.js:
222         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
223         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
224         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
225         * stress/rest-parameter-many-arguments.js:
226         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
227         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
228         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
229
230 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
231
232         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
233         https://bugs.webkit.org/show_bug.cgi?id=200952
234
235         Reviewed by Saam Barati.
236
237         * wasm/references/func_ref.js:
238         (assert.throws):
239
240 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
241
242         Add missing exception check in canonicalizeLocaleList
243         https://bugs.webkit.org/show_bug.cgi?id=201021
244
245         Reviewed by Mark Lam.
246
247         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
248         (catch):
249
250 2019-08-21  Mark Lam  <mark.lam@apple.com>
251
252         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
253         https://bugs.webkit.org/show_bug.cgi?id=201016
254         <rdar://problem/54579911>
255
256         Reviewed by Yusuke Suzuki.
257
258         * wasm/stress/too-many-locals.js: Added.
259         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
260
261 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
262
263         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
264         https://bugs.webkit.org/show_bug.cgi?id=200965
265
266         Reviewed by Saam Barati.
267
268         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
269         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
270
271         * stress/optional-chaining.js:
272
273 2019-08-21  Michael Saboff  <msaboff@apple.com>
274
275         [JSC] incorrect JIT lead to StackOverflow
276         https://bugs.webkit.org/show_bug.cgi?id=197823
277
278         Reviewed by Tadeu Zagallo.
279
280         New test.
281
282         * stress/bound-function-stack-overflow.js: Added.
283         (foo):
284         (catch):
285
286 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
287
288         Identify memcpy loops in b3
289         https://bugs.webkit.org/show_bug.cgi?id=200181
290
291         Reviewed by Saam Barati.
292
293         * microbenchmarks/memcpy-loop.js: Added.
294         (doTest):
295         (let.arr1):
296         * microbenchmarks/memcpy-typed-loop-large.js: Added.
297         (doTest):
298         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
299         (arr2):
300         * microbenchmarks/memcpy-typed-loop-small.js: Added.
301         (doTest):
302         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
303         (16.arr2):
304         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
305         (doTest):
306         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
307         (arr2):
308         * microbenchmarks/memcpy-wasm-large.js: Added.
309         (typeof.WebAssembly.string_appeared_here.eq):
310         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
311         * microbenchmarks/memcpy-wasm-medium.js: Added.
312         (typeof.WebAssembly.string_appeared_here.eq):
313         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
314         * microbenchmarks/memcpy-wasm-small.js: Added.
315         (typeof.WebAssembly.string_appeared_here.eq):
316         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
317         * microbenchmarks/memcpy-wasm.js: Added.
318         (typeof.WebAssembly.string_appeared_here.eq):
319         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
320         * stress/memcpy-typed-loops.js: Added.
321         (noLoop):
322         (invalidStart):
323         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
324         (arr2):
325         * wasm/function-tests/memcpy-wasm-loop.js: Added.
326         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
327         (string_appeared_here):
328
329 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
330
331         [JSC] Array.prototype.toString should not get "join" function each time
332         https://bugs.webkit.org/show_bug.cgi?id=200905
333
334         Reviewed by Mark Lam.
335
336         * stress/array-prototype-join-change.js: Added.
337         (shouldBe):
338         (array2.join):
339         (DerivedArray):
340         (DerivedArray.prototype.join):
341         (array3.__proto__.join):
342         (Array.prototype.join):
343
344 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
345
346         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
347         https://bugs.webkit.org/show_bug.cgi?id=200782
348
349         Reviewed by Saam Barati.
350
351         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
352
353         * microbenchmarks/memcpy-typed-loop.js:
354         * stress/int8-repeat-in-then-out-of-bounds.js:
355
356 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
357
358         Proxy constructor should throw if handler is revoked Proxy
359         https://bugs.webkit.org/show_bug.cgi?id=198755
360
361         Reviewed by Saam Barati.
362
363         * stress/proxy-revoke.js: Adjust error message.
364         * test262/expectations.yaml: Mark 2 test cases as passing.
365
366 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
367
368         [JSC] OSR entry to Wasm OMG
369         https://bugs.webkit.org/show_bug.cgi?id=200362
370
371         Reviewed by Michael Saboff.
372
373         * wasm/stress/osr-entry-basic.js: Added.
374         (instance.exports.loop):
375         * wasm/stress/osr-entry-many-locals-f32.js: Added.
376         * wasm/stress/osr-entry-many-locals-f64.js: Added.
377         * wasm/stress/osr-entry-many-locals-i32.js: Added.
378         * wasm/stress/osr-entry-many-locals-i64.js: Added.
379         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
380         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
381         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
382         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
383
384 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
385
386         Date.prototype.toJSON throws if toISOString returns an object
387         https://bugs.webkit.org/show_bug.cgi?id=198495
388
389         Reviewed by Ross Kirsling.
390
391         * test262/expectations.yaml: Mark 6 test cases as passing.
392
393 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
394
395         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
396         https://bugs.webkit.org/show_bug.cgi?id=200899
397         <rdar://problem/54073341>
398
399         Reviewed by Mark Lam.
400
401         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
402         (i.new.Promise):
403         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
404         (i.new.Promise):
405
406 2019-08-19  Michael Saboff  <msaboff@apple.com>
407
408         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
409         https://bugs.webkit.org/show_bug.cgi?id=197090
410
411         Reviewed by Yusuke Suzuki.
412
413         New test.
414
415         * stress/regexp-nonconsuming-counted-parens.js: Added.
416
417 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
418
419         [JSC] Correct a->an in error messages and API docblocks
420         https://bugs.webkit.org/show_bug.cgi?id=200833
421
422         Reviewed by Don Olmstead.
423
424         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
425         (assert.assert.return.throws):
426         * stress/promise-finally-should-accept-non-promise-objects.js:
427         * wasm/js-api/table.js:
428         (assert.throws):
429
430 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
431
432         [ESNext] Implement optional chaining
433         https://bugs.webkit.org/show_bug.cgi?id=200199
434
435         Reviewed by Yusuke Suzuki.
436
437         * stress/nullish-coalescing.js:
438         * stress/optional-chaining.js: Added.
439         * stress/tail-call-recognize.js:
440
441 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
442
443         [ESNext] Support hashbang.
444         https://bugs.webkit.org/show_bug.cgi?id=200865
445
446         Reviewed by Mark Lam.
447
448         * stress/hashbang.js: Added.
449         * test262/expectations.yaml: Mark 6 cases as passing.
450
451 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
452
453         [JSC] DFG ToNumber should support Boolean in fixup
454         https://bugs.webkit.org/show_bug.cgi?id=200864
455
456         Reviewed by Mark Lam.
457
458         * microbenchmarks/to-number-boolean.js: Added.
459         (test):
460         * stress/to-number-boolean-int32.js: Added.
461         (shouldBe):
462         (test):
463         (check):
464         * stress/to-number-boolean.js: Added.
465         (shouldBe):
466         (test):
467         (check):
468         * stress/to-number-int32.js: Added.
469         (shouldBe):
470         (test):
471         (check):
472
473 2019-08-16  Mark Lam  <mark.lam@apple.com>
474
475         More missing exception checks in string comparison operators.
476         https://bugs.webkit.org/show_bug.cgi?id=200844
477         <rdar://problem/54378684>
478
479         Reviewed by Saam Barati.
480
481         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
482         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
483         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
484         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
485
486 2019-08-16  Mark Lam  <mark.lam@apple.com>
487
488         CodeBlock destructor should clear all of its watchpoints.
489         https://bugs.webkit.org/show_bug.cgi?id=200792
490         <rdar://problem/53947800>
491
492         Reviewed by Yusuke Suzuki.
493
494         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
495
496 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
497
498         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
499         https://bugs.webkit.org/show_bug.cgi?id=200782
500
501         Reviewed by Saam Barati.
502
503         * microbenchmarks/int8-out-of-bounds.js: Added.
504         (foo):
505         * microbenchmarks/memcpy-typed-loop.js: Added.
506         (doTest):
507         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
508         (arr2):
509         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
510         (foo):
511
512 2019-08-16  Mark Lam  <mark.lam@apple.com>
513
514         [Re-land] ProxyObject should not be allow to access its target's private properties.
515         https://bugs.webkit.org/show_bug.cgi?id=200739
516         <rdar://problem/53972768>
517
518         Reviewed by Yusuke Suzuki.
519
520         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
521         * stress/proxy-with-private-symbols.js:
522
523 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
524
525         [JSC] Promise.prototype.finally should accept non-promise objects
526         https://bugs.webkit.org/show_bug.cgi?id=200829
527
528         Reviewed by Mark Lam.
529
530         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
531         (shouldBe):
532         (Thenable):
533         (Thenable.prototype.then):
534
535 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
536
537         Promise constructor should check argument before [[Construct]]
538         https://bugs.webkit.org/show_bug.cgi?id=198976
539
540         Reviewed by Ross Kirsling.
541
542         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
543         * stress/create-subclass-structure-might-throw.js: Fix test.
544         * test262/expectations.yaml: Mark 2 test cases as passing.
545
546 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
547
548         Unreviewed, rolling out r248709.
549
550         Caused test/built-ins/Promise/prototype/finally/this-value-
551         non-promise.js to fail on test262 bot
552
553         Reverted changeset:
554
555         "ProxyObject should not be allow to access its target's
556         private properties."
557         https://bugs.webkit.org/show_bug.cgi?id=200739
558         https://trac.webkit.org/changeset/248709
559
560 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
561
562         DateConversion::formatDateTime incorrectly formats negative years
563         https://bugs.webkit.org/show_bug.cgi?id=199964
564
565         Reviewed by Ross Kirsling.
566
567         * test262/expectations.yaml: Mark 6 test cases as passing.
568
569 2019-08-15  Mark Lam  <mark.lam@apple.com>
570
571         More missing exception checks in String.prototype.
572         https://bugs.webkit.org/show_bug.cgi?id=200762
573         <rdar://problem/54333896>
574
575         Reviewed by Michael Saboff.
576
577         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
578         * stress/missing-exception-check-in-string-toLower.js: Added.
579         * stress/missing-exception-check-in-string-toUpper.js: Added.
580
581 2019-08-14  Mark Lam  <mark.lam@apple.com>
582
583         ProxyObject should not be allow to access its target's private properties.
584         https://bugs.webkit.org/show_bug.cgi?id=200739
585         <rdar://problem/53972768>
586
587         Reviewed by Yusuke Suzuki.
588
589         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
590         * stress/proxy-with-private-symbols.js: Rebased.
591
592 2019-08-14  Mark Lam  <mark.lam@apple.com>
593
594         Missing exception check in string compare.
595         https://bugs.webkit.org/show_bug.cgi?id=200743
596         <rdar://problem/53975356>
597
598         Reviewed by Michael Saboff.
599
600         * stress/missing-exception-check-in-string-compare.js: Added.
601
602 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
603
604         [JSC] Add "jump if (not) undefined or null" bytecode ops
605         https://bugs.webkit.org/show_bug.cgi?id=200480
606
607         Reviewed by Saam Barati.
608
609         * stress/destructuring-assignment-require-object-coercible.js:
610         * stress/nullish-coalescing.js:
611
612 2019-08-05  Michael Saboff  <msaboff@apple.com>
613
614         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
615         https://bugs.webkit.org/show_bug.cgi?id=199997
616
617         Reviewed by Saam Barati.
618
619         New test.
620
621         * stress/typedarray-no-alreadyChecked-assert.js: Added.
622         (checkIntArray):
623         (checkFloatArray):
624
625 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
626
627         [JSC] Support WebAssembly in SamplingProfiler
628         https://bugs.webkit.org/show_bug.cgi?id=200329
629
630         Reviewed by Saam Barati.
631
632         * stress/sampling-profiler-wasm-name-section.js: Added.
633         (const.compile):
634         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
635         (platformSupportsSamplingProfiler.vm.isWasmSupported):
636         * stress/sampling-profiler-wasm.js: Added.
637         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
638         (platformSupportsSamplingProfiler.vm.isWasmSupported):
639         * stress/sampling-profiler/loop.wasm: Added.
640         * stress/sampling-profiler/loop.wast: Added.
641         * stress/sampling-profiler/nameSection.wasm: Added.
642
643 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
644
645         [JSC] LazyJSValue should be robust for empty JSValue
646         https://bugs.webkit.org/show_bug.cgi?id=200388
647
648         Reviewed by Saam Barati.
649
650         * stress/switch-constant-child-becomes-empty.js: Added.
651         (foo):
652
653 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
654
655         GetterSetter type confusion during DFG compilation
656         https://bugs.webkit.org/show_bug.cgi?id=199903
657
658         Reviewed by Mark Lam.
659
660         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
661
662 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
663
664         Update Test262 (2019.08.01)
665         https://bugs.webkit.org/show_bug.cgi?id=200351
666
667         Reviewed by Keith Miller.
668
669         * test262/expectations.yaml:
670         * test262/harness/testIntl.js:
671         * test262/latest-changes-summary.txt:
672         * test262/test/:
673         * test262/test262-Revision.txt:
674
675 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
676
677         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
678         https://bugs.webkit.org/show_bug.cgi?id=200192
679
680         Reviewed by Saam Barati.
681
682         * stress/structure-chain-stress.js: Added.
683         (keys):
684
685 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
686
687         [JSC] Increment bytecode age only when SlotVisitor is first-visit
688         https://bugs.webkit.org/show_bug.cgi?id=200196
689
690         Reviewed by Robin Morisset.
691
692         * stress/reparsing-unlinked-codeblock.js:
693
694 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
695
696         [X86] Emit BT instruction for shift + mask in B3
697         https://bugs.webkit.org/show_bug.cgi?id=199891
698
699         Reviewed by Robin Morisset.
700
701         Lower the number of iterations to fix debug timeouts.
702
703         * microbenchmarks/bit-test-load.js:
704         (i):
705
706 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
707
708         [X86] Emit BT instruction for shift + mask in B3
709         https://bugs.webkit.org/show_bug.cgi?id=199891
710
711         Reviewed by Keith Miller.
712
713         * microbenchmarks/bit-test-constant.js: Added.
714         (let.glob.0.doTest):
715         * microbenchmarks/bit-test-load.js: Added.
716         (let.glob.0.let.arr.new.Int32Array.8.doTest):
717         (i):
718         * microbenchmarks/bit-test-nonconstant.js: Added.
719         (let.glob.0.doTest):
720
721 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
722
723         [JSC] Potential GC fix for JSPropertyNameEnumerator
724         https://bugs.webkit.org/show_bug.cgi?id=200151
725
726         Reviewed by Mark Lam.
727
728         * stress/for-in-stress.js: Added.
729         (keys):
730
731 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
732
733         Legacy numeric literals should not permit separators or BigInt
734         https://bugs.webkit.org/show_bug.cgi?id=199984
735
736         Reviewed by Keith Miller.
737
738         * stress/big-int-literals.js:
739         * stress/numeric-literal-separators.js:
740
741 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
742
743         [ESNext] Implement nullish coalescing
744         https://bugs.webkit.org/show_bug.cgi?id=200072
745
746         Reviewed by Darin Adler.
747
748         * stress/nullish-coalescing.js: Added.
749
750 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
751
752         Three checks are missing in Proxy internal methods
753         https://bugs.webkit.org/show_bug.cgi?id=198630
754
755         Reviewed by Darin Adler.
756
757         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
758         * test262/expectations.yaml: Mark 6 test cases as passing.
759
760 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
761
762         Sometimes we miss removable CheckInBounds
763         https://bugs.webkit.org/show_bug.cgi?id=200018
764
765         Reviewed by Saam Barati.
766
767         * microbenchmarks/typed-array-sum.js: Added.
768         (doTest):
769
770 2019-07-16  Mark Lam  <mark.lam@apple.com>
771
772         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
773         https://bugs.webkit.org/show_bug.cgi?id=199821
774         <rdar://problem/52452328>
775
776         Reviewed by Filip Pizlo.
777
778         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
779
780 2019-07-16  Keith Miller  <keith_miller@apple.com>
781
782         Unreviewed, test262 gardening.
783
784         * test262/expectations.yaml:
785
786 2019-07-15  Keith Miller  <keith_miller@apple.com>
787
788         A Possible Issue of Object.create method
789         https://bugs.webkit.org/show_bug.cgi?id=199744
790
791         Reviewed by Yusuke Suzuki.
792
793         * stress/object-create-non-object-properties-parameter.js: Added.
794         (catch):
795
796 2019-07-15  Keith Miller  <keith_miller@apple.com>
797
798         Update test262
799         https://bugs.webkit.org/show_bug.cgi?id=199801
800
801         Rubber-stamped by Yusuke Suzuki.
802
803         * test262/expectations.yaml:
804         * test262/latest-changes-summary.txt:
805         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
806         (fg.new.FinalizationGroup):
807         (callback):
808         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
809         (fg.new.FinalizationGroup):
810         (callback):
811         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
812         (fg.new.FinalizationGroup):
813         (callback):
814         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
815         (fg.new.FinalizationGroup):
816         (callback):
817         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
818         (fg.new.FinalizationGroup):
819         (callback):
820         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
821         (fg.new.FinalizationGroup):
822         (callback):
823         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
824         (fg.new.FinalizationGroup):
825         (callback):
826         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
827         (callback):
828         (fg.new.FinalizationGroup):
829         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
830         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
831         (cb):
832         (fg.new.FinalizationGroup):
833         (emptyCells):
834         (async.fn):
835         (fn.then.async):
836         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
837         (fg.new.FinalizationGroup):
838         * test262/test/built-ins/FinalizationGroup/length.js: Added.
839         * test262/test/built-ins/FinalizationGroup/name.js: Added.
840         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
841         (newTarget):
842         (fn):
843         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
844         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
845         (fn):
846         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
847         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
848         (newTarget):
849         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
850         (newTarget):
851         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
852         (fg.new.FinalizationGroup):
853         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
854         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
855         (callback):
856         (fg.new.FinalizationGroup):
857         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
858         (fg.new.FinalizationGroup):
859         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
860         (cb):
861         (fg.new.FinalizationGroup):
862         (emptyCells):
863         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
864         (fg.new.FinalizationGroup):
865         (fg.cleanupSome.cb):
866         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
867         (callback):
868         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
869         (fn):
870         (cb):
871         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
872         (cb):
873         (fg.new.FinalizationGroup):
874         (emptyCells):
875         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
876         (fg.new.FinalizationGroup):
877         (callback):
878         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
879         (fg.new.FinalizationGroup):
880         (callback):
881         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
882         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
883         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
884         (poisoned):
885         (fg.new.FinalizationGroup):
886         (emptyCells):
887         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
888         (poisoned):
889         (emptyCells):
890         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
891         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
892         (fn):
893         (cb):
894         (emptyCells):
895         (prototype.assert.sameValue.fg.cleanupSome):
896         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
897         (fn):
898         (cb):
899         (poisoned):
900         (assert.sameValue.fg.cleanupSome):
901         (prototype.assert.sameValue.fg.cleanupSome):
902         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
903         (cb):
904         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
905         (cb):
906         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
907         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
908         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
909         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
910         (fn):
911         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
912         (fn):
913         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
914         (fg.new.FinalizationGroup):
915         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
916         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
917         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
918         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
919         (fn):
920         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
921         (fn):
922         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
923         (fg.new.FinalizationGroup):
924         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
925         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
926         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
927         (fg.new.FinalizationGroup):
928         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
929         (fg.new.FinalizationGroup):
930         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
931         (fg.new.FinalizationGroup):
932         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
933         (fg.new.FinalizationGroup):
934         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
935         (fn):
936         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
937         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
938         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
939         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
940         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
941         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
942         (fn):
943         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
944         (fg.new.FinalizationGroup):
945         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
946         (cleanupCallback):
947         (let.key.of.Object.getOwnPropertyNames):
948         (set for):
949         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
950         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
951         (FinalizationGroup):
952         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
953         (cleanupCallback):
954         (let.key.of.Object.getOwnPropertyNames):
955         (set for):
956         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
957         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
958         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
959         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
960         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
961         (asyncProxy.new.Proxy.async):
962         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
963         (asyncProxy.new.Proxy.async):
964         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
965         (setIter.set Symbol):
966         (set defaultTag):
967         (gen):
968         (get return):
969         (set new):
970         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
971         (generatorProxy.new.Proxy):
972         (asyncProxy.new.Proxy.async):
973         * test262/test/built-ins/Object/subclass-object-arg.js:
974         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
975         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
976         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
977         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
978         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
979         * test262/test/built-ins/Promise/executor-function-name.js:
980         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
981         * test262/test/built-ins/Promise/reject-function-name.js:
982         * test262/test/built-ins/Promise/resolve-function-name.js:
983         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
984         * test262/test/built-ins/WeakRef/constructor.js: Added.
985         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
986         * test262/test/built-ins/WeakRef/length.js: Added.
987         * test262/test/built-ins/WeakRef/name.js: Added.
988         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
989         (newTarget):
990         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
991         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
992         * test262/test/built-ins/WeakRef/proto.js: Added.
993         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
994         (newTarget):
995         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
996         (newTarget):
997         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
998         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
999         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1000         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1001         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1002         (emptyCells):
1003         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1004         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1005         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1006         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1007         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1008         (fg.new.FinalizationGroup):
1009         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1010         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1011         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1012         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1013         (let.key.of.Object.getOwnPropertyNames):
1014         (set for):
1015         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1016         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1017         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1018         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1019         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1020         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1021         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1022         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1023         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1024         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1025         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1026         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1027         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1028         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1029         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1030         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1031         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1032         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1033         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1034         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1035         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1036         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1037         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1038         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1039         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1040         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1041         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1042         (assertParts):
1043         (assertPartsNumeric):
1044         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1045         (assertParts):
1046         (assertPartsNumeric):
1047         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1048         (assertParts):
1049         (assertPartsNumeric):
1050         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1051         (assertParts):
1052         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1053         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1054         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1055         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1056         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1057         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1058         (C.prototype.method):
1059         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1060         (C.prototype.method.innerFunction):
1061         (C.prototype.method):
1062         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1063         (C):
1064         (C.method):
1065         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1066         (C):
1067         (C.method.innerFunction):
1068         (C.method):
1069         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1070         (C):
1071         (C.checkPrivateGetter):
1072         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1073         (C):
1074         (C.method):
1075         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1076         (C):
1077         (C.method.innerFunction):
1078         (C.method):
1079         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1080         (C):
1081         (C.checkPrivateMethod):
1082         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1083         (C):
1084         (C.method):
1085         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1086         (C):
1087         (C.method.innerFunction):
1088         (C.method):
1089         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1090         (C):
1091         (C.checkPrivateSetter):
1092         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1093         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1094         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1095         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1096         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1097         (let.classStringExpression):
1098         (let.classStringExpression.access):
1099         (let.createAndInstantiateClass):
1100         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1101         (let.classStringExpression):
1102         (let.classStringExpression.access):
1103         (let.createAndInstantiateClass):
1104         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1105         (const.C):
1106         (let.createAndInstantiateClass):
1107         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1108         (let.classStringExpression.return.prototype.m):
1109         (let.classStringExpression.return.prototype.access):
1110         (let.createAndInstantiateClass):
1111         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1112         (let.classStringExpression.return.prototype.m):
1113         (let.classStringExpression.return.prototype.access):
1114         (let.createAndInstantiateClass):
1115         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1116         (let.classStringExpression):
1117         (let.classStringExpression.access):
1118         (let.createAndInstantiateClass):
1119         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1120         (let.classStringExpression.prototype.m):
1121         (let.classStringExpression.prototype.access):
1122         (let.classStringExpression):
1123         (let.createAndInstantiateClass):
1124         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1125         (let.classStringExpression.prototype.m):
1126         (let.classStringExpression.prototype.access):
1127         (let.classStringExpression):
1128         (let.createAndInstantiateClass):
1129         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1130         (const.C):
1131         (let.createAndInstantiateClass):
1132         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1133         (let.classStringExpression.return.C.prototype.m):
1134         (let.classStringExpression.return.C.prototype.access):
1135         (let.classStringExpression.return.C):
1136         (let.createAndInstantiateClass):
1137         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1138         (let.classStringExpression.return.C.prototype.m):
1139         (let.classStringExpression.return.C.prototype.access):
1140         (let.classStringExpression.return.C):
1141         (let.createAndInstantiateClass):
1142         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1143         (let.classStringExpression):
1144         (let.classStringExpression.access):
1145         (let.createAndInstantiateClass):
1146         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1147         (let.classStringExpression):
1148         (let.classStringExpression.access):
1149         (let.createAndInstantiateClass):
1150         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1151         (let.classStringExpression):
1152         (let.classStringExpression.access):
1153         (let.createAndInstantiateClass):
1154         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1155         (const.C):
1156         (let.createAndInstantiateClass):
1157         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1158         (let.classStringExpression.return.prototype.m):
1159         (let.classStringExpression.return.prototype.access):
1160         (let.createAndInstantiateClass):
1161         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1162         (let.classStringExpression.return.prototype.m):
1163         (let.classStringExpression.return.prototype.access):
1164         (let.createAndInstantiateClass):
1165         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1166         (let.classStringExpression):
1167         (let.classStringExpression.access):
1168         (let.createAndInstantiateClass):
1169         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1170         (new):
1171         (async):
1172         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1173         (A):
1174         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1175         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1176         * test262/test/language/identifiers/vals-cjk.js: Added.
1177         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1178         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1179         (C.prototype.method):
1180         (C):
1181         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1182         (C.prototype.method.innerFunction):
1183         (C.prototype.method):
1184         (C):
1185         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1186         (C.prototype.checkPrivateField):
1187         (C):
1188         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1189         (C):
1190         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1191         (C.prototype.getWithEval):
1192         (C):
1193         (D):
1194         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1195         (C.prototype.get m):
1196         (C.prototype.method):
1197         (C):
1198         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1199         (C.prototype.get m):
1200         (C.prototype.method.innerFunction):
1201         (C.prototype.method):
1202         (C):
1203         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1204         (let.createAndInstantiateClass):
1205         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1206         (C.prototype.get m):
1207         (C.prototype.checkPrivateGetter):
1208         (C):
1209         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1210         (C.prototype.get m):
1211         (C.prototype.checkPrivateGetter):
1212         (C):
1213         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1214         (C.prototype.get m):
1215         (C):
1216         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1217         (C.prototype.get m):
1218         (C.prototype.getWithEval):
1219         (C):
1220         (D.prototype.get m):
1221         (D):
1222         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1223         (C.prototype.m):
1224         (C.prototype.method):
1225         (C):
1226         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1227         (C.prototype.m):
1228         (C.prototype.method.innerFunction):
1229         (C.prototype.method):
1230         (C):
1231         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1232         (C.prototype.m):
1233         (C.prototype.checkPrivateMethod):
1234         (C):
1235         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1236         (C.prototype.m):
1237         (C.prototype.checkPrivateMethod):
1238         (C):
1239         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1240         (C.prototype.m):
1241         (C):
1242         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1243         (C.prototype.m):
1244         (C.prototype.getWithEval):
1245         (C):
1246         (D.prototype.m):
1247         (D):
1248         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1249         (C.prototype.set m):
1250         (C.prototype.method):
1251         (C):
1252         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1253         (C.prototype.set m):
1254         (C.prototype.method.innerFunction):
1255         (C.prototype.method):
1256         (C):
1257         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1258         (C.prototype.set m):
1259         (C.prototype.checkPrivateSetter):
1260         (C):
1261         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1262         (C.prototype.set m):
1263         (C.prototype.checkPrivateSetter):
1264         (C):
1265         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1266         (C.prototype.set m):
1267         (C):
1268         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1269         (C.prototype.set m):
1270         (C.prototype.setWithEval):
1271         (C):
1272         (D.prototype.set m):
1273         (D):
1274         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1275         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1276         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1277         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1278         (A.prototype.method):
1279         (A):
1280         (C.prototype.get m):
1281         (C.prototype.access):
1282         (C):
1283         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1284         (A.prototype.method):
1285         (A):
1286         (C.prototype.m):
1287         (C.prototype.access):
1288         (C):
1289         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1290         (A.prototype.method):
1291         (A):
1292         (C.prototype.set m):
1293         (C.prototype.access):
1294         (C):
1295         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1296         (A):
1297         * test262/test/language/statements/function/13.2-30-s.js:
1298         * test262/test262-Revision.txt:
1299
1300 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1301
1302         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1303         https://bugs.webkit.org/show_bug.cgi?id=199783
1304
1305         Reviewed by Mark Lam.
1306
1307         Fix our spec tests.
1308
1309         * wasm/js-api/Module-compile.js:
1310         * wasm/js-api/test_basic_api.js:
1311         (const.c.in.constructorProperties.switch):
1312         * wasm/js-api/validate.js:
1313         * wasm/js-api/web-assembly-instantiate.js:
1314         * wasm/spec-tests/jsapi.js:
1315         (testJSAPI.get test):
1316         (testJSAPI.set test):
1317
1318 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1319
1320         Unreviewed, rolling out r247440.
1321
1322         Broke builds
1323
1324         Reverted changeset:
1325
1326         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1327         issues"
1328         https://bugs.webkit.org/show_bug.cgi?id=199783
1329         https://trac.webkit.org/changeset/247440
1330
1331 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1332
1333         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1334         https://bugs.webkit.org/show_bug.cgi?id=199783
1335
1336         Reviewed by Mark Lam.
1337
1338         Fix our spec tests.
1339
1340         * wasm/js-api/Module-compile.js:
1341         * wasm/js-api/test_basic_api.js:
1342         (const.c.in.constructorProperties.switch):
1343         * wasm/js-api/validate.js:
1344         * wasm/js-api/web-assembly-instantiate.js:
1345         * wasm/spec-tests/jsapi.js:
1346         (testJSAPI.get test):
1347         (testJSAPI.set test):
1348
1349 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1350
1351         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1352         https://bugs.webkit.org/show_bug.cgi?id=196371
1353
1354         Reviewed by Keith Miller.
1355
1356         * microbenchmarks/mul-immediate-sub.js: Added.
1357         (doTest):
1358
1359 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1360
1361         [BigInt] Add ValueBitLShift into DFG
1362         https://bugs.webkit.org/show_bug.cgi?id=192664
1363
1364         Reviewed by Saam Barati.
1365
1366         We are adding tests to cover ValueBitwise operations AI changes.
1367
1368         * stress/big-int-left-shift-untyped.js: Added.
1369         * stress/bit-op-with-object-returning-int32.js:
1370         * stress/value-bit-and-ai-rule.js: Added.
1371         * stress/value-bit-lshift-ai-rule.js: Added.
1372         * stress/value-bit-or-ai-rule.js: Added.
1373         * stress/value-bit-xor-ai-rule.js: Added.
1374
1375 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1376
1377         Add b3 macro lowering for CheckMul on arm64
1378         https://bugs.webkit.org/show_bug.cgi?id=199251
1379
1380         Reviewed by Robin Morisset.
1381
1382         * microbenchmarks/check-mul-constant.js: Added.
1383         (doTest):
1384         * microbenchmarks/check-mul-no-constant.js: Added.
1385         (doTest):
1386         * microbenchmarks/check-mul-power-of-two.js: Added.
1387         (doTest):
1388
1389 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1390
1391         Optimize join of large empty arrays
1392         https://bugs.webkit.org/show_bug.cgi?id=199636
1393
1394         Reviewed by Mark Lam.
1395
1396         * microbenchmarks/large-empty-array-join.js: Added.
1397         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1398
1399 2019-07-06  Michael Saboff  <msaboff@apple.com>
1400
1401         switch(String) needs to check for exceptions when resolving the string
1402         https://bugs.webkit.org/show_bug.cgi?id=199541
1403
1404         Reviewed by Mark Lam.
1405
1406         New tests.
1407
1408         * stress/switch-string-oom.js: Added.
1409         (test):
1410         (testLowerTiers):
1411         (testFTL):
1412
1413 2019-07-05  Mark Lam  <mark.lam@apple.com>
1414
1415         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
1416         https://bugs.webkit.org/show_bug.cgi?id=199533
1417         <rdar://problem/52669111>
1418
1419         Reviewed by Filip Pizlo.
1420
1421         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1422
1423 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1424
1425         [JSC] Clean up ArraySpeciesCreate
1426         https://bugs.webkit.org/show_bug.cgi?id=182434
1427
1428         Reviewed by Yusuke Suzuki.
1429
1430         Adjusts error message expectations in stress tests.
1431
1432         * stress/array-flatmap.js:
1433         * stress/array-flatten.js:
1434         * stress/array-species-create-should-handle-masquerader.js:
1435         * test262/expectations.yaml: Mark 4 test cases as passing.
1436
1437 2019-07-02  Michael Saboff  <msaboff@apple.com>
1438
1439         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1440         https://bugs.webkit.org/show_bug.cgi?id=199395
1441
1442         Reviewed by Filip Pizlo.
1443
1444         New regression test.
1445
1446         * stress/for-of-tdz-with-try-catch.js: Added.
1447         (test):
1448         (i.catch):
1449
1450 2019-07-02  Keith Miller  <keith_miller@apple.com>
1451
1452         Frozen Arrays length assignment should throw in strict mode
1453         https://bugs.webkit.org/show_bug.cgi?id=199365
1454
1455         Reviewed by Yusuke Suzuki.
1456
1457         * stress/frozen-array-length-should-throw-strict.js: Added.
1458         (test):
1459
1460 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1461
1462         [Wasm-References] Disable references by default
1463         https://bugs.webkit.org/show_bug.cgi?id=199390
1464
1465         Reviewed by Saam Barati.
1466
1467         * wasm/references-spec-tests/ref_is_null.js:
1468         * wasm/references-spec-tests/ref_null.js:
1469         * wasm/references/anyref_globals.js:
1470         * wasm/references/anyref_modules.js:
1471         * wasm/references/anyref_table.js:
1472         * wasm/references/anyref_table_import.js:
1473         * wasm/references/element_parsing.js:
1474         * wasm/references/func_ref.js:
1475         * wasm/references/is_null.js:
1476         * wasm/references/multitable.js:
1477         * wasm/references/table_misc.js:
1478         * wasm/references/validation.js:
1479
1480 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1481
1482         Unreviewed, rolling out r246946.
1483
1484         Caused JSC test crashes on arm64
1485
1486         Reverted changeset:
1487
1488         "Add b3 macro lowering for CheckMul on arm64"
1489         https://bugs.webkit.org/show_bug.cgi?id=199251
1490         https://trac.webkit.org/changeset/246946
1491
1492 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1493
1494         Add b3 macro lowering for CheckMul on arm64
1495         https://bugs.webkit.org/show_bug.cgi?id=199251
1496
1497         Reviewed by Robin Morisset.
1498
1499         * microbenchmarks/check-mul-constant.js: Added.
1500         (doTest):
1501         * microbenchmarks/check-mul-no-constant.js: Added.
1502         (doTest):
1503         * microbenchmarks/check-mul-power-of-two.js: Added.
1504         (doTest):
1505
1506 2019-06-26  Keith Miller  <keith_miller@apple.com>
1507
1508         speciesConstruct needs to throw if the result is a DataView
1509         https://bugs.webkit.org/show_bug.cgi?id=199231
1510
1511         Reviewed by Mark Lam.
1512
1513         * stress/typedarray-filter.js:
1514         (subclasses.forEach):
1515         * stress/typedarray-map.js:
1516         (subclasses.forEach):
1517         * stress/typedarray-slice.js:
1518         (typedArrays.forEach):
1519         * stress/typedarray-subarray.js:
1520         (subclasses.forEach):
1521
1522 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1523
1524         Unreviewed, rolling out r246714.
1525         https://bugs.webkit.org/show_bug.cgi?id=199179
1526
1527         revert to do patch in a different way. (Requested by keith_mi_
1528         on #webkit).
1529
1530         Reverted changeset:
1531
1532         "All prototypes should call didBecomePrototype()"
1533         https://bugs.webkit.org/show_bug.cgi?id=196315
1534         https://trac.webkit.org/changeset/246714
1535
1536 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1537
1538         Add Array.prototype.{flat,flatMap} to unscopables
1539         https://bugs.webkit.org/show_bug.cgi?id=194322
1540
1541         Reviewed by Keith Miller.
1542
1543         * stress/unscopables.js: Fix test.
1544         * test262/expectations.yaml: Mark 2 test cases as passing.
1545
1546 2019-06-21  Mark Lam  <mark.lam@apple.com>
1547
1548         ArraySlice needs to keep the source array alive.
1549         https://bugs.webkit.org/show_bug.cgi?id=197374
1550         <rdar://problem/50304429>
1551
1552         Reviewed by Michael Saboff and Filip Pizlo.
1553
1554         * stress/array-slice-must-keep-source-array-alive.js: Added.
1555
1556 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1557
1558         All prototypes should call didBecomePrototype()
1559         https://bugs.webkit.org/show_bug.cgi?id=196315
1560
1561         Reviewed by Saam Barati.
1562
1563         * stress/function-prototype-indexed-accessor.js: Added.
1564
1565 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1566
1567         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1568         https://bugs.webkit.org/show_bug.cgi?id=197631
1569
1570         Reviewed by Saam Barati.
1571
1572         * stress/has-own-property-arguments.js: Added.
1573         (shouldBe):
1574         (A):
1575
1576 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1577
1578         [JSC] ClassExpr should not store result in the middle of evaluation
1579         https://bugs.webkit.org/show_bug.cgi?id=199106
1580
1581         Reviewed by Tadeu Zagallo.
1582
1583         * stress/class-expression-should-store-result-at-last.js: Added.
1584         (shouldThrow):
1585         (shouldThrow.let.a):
1586
1587 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1588
1589         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1590         https://bugs.webkit.org/show_bug.cgi?id=199044
1591
1592         Reviewed by Saam Barati.
1593
1594         Add wasm references spec tests as well as a worker test.
1595
1596         * wasm.yaml:
1597         * wasm/Builder_WebAssemblyBinary.js:
1598         (const.emitters.Element):
1599         * wasm/js-api/element.js:
1600         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1601         * wasm/references-spec-tests/ref_is_null.js: Added.
1602         (hostref):
1603         (is_hostref):
1604         (is_funcref):
1605         (eq_ref):
1606         (let.handler.get target):
1607         (register):
1608         (module):
1609         (instance):
1610         (call):
1611         (get instance):
1612         (exports):
1613         (run):
1614         (assert_malformed):
1615         (assert_invalid):
1616         (assert_unlinkable):
1617         (assert_uninstantiable):
1618         (assert_trap):
1619         (try.f):
1620         (catch):
1621         (assert_exhaustion):
1622         (assert_return):
1623         (assert_return_canonical_nan):
1624         (assert_return_arithmetic_nan):
1625         (assert_return_ref):
1626         (assert_return_func):
1627         * wasm/references-spec-tests/ref_null.js: Added.
1628         (hostref):
1629         (is_hostref):
1630         (is_funcref):
1631         (eq_ref):
1632         (let.handler.get target):
1633         (register):
1634         (module):
1635         (instance):
1636         (call):
1637         (get instance):
1638         (exports):
1639         (run):
1640         (assert_malformed):
1641         (assert_invalid):
1642         (assert_unlinkable):
1643         (assert_uninstantiable):
1644         (assert_trap):
1645         (try.f):
1646         (catch):
1647         (assert_exhaustion):
1648         (assert_return):
1649         (assert_return_canonical_nan):
1650         (assert_return_arithmetic_nan):
1651         (assert_return_ref):
1652         (assert_return_func):
1653         * wasm/references/element_parsing.js: Added.
1654         (module):
1655         * wasm/references/func_ref.js:
1656         * wasm/references/multitable.js:
1657         * wasm/references/table_misc.js:
1658         (TableSize.0.End.End.WebAssembly):
1659         * wasm/references/validation.js:
1660         (assert.throws):
1661
1662 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1663
1664         Optimize `resolve` method lookup in Promise static methods
1665         https://bugs.webkit.org/show_bug.cgi?id=198864
1666
1667         Reviewed by Yusuke Suzuki.
1668
1669         * test262/expectations.yaml: Mark 18 test cases as passing.
1670
1671 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1672
1673         [WASM-References] Rename anyfunc to funcref
1674         https://bugs.webkit.org/show_bug.cgi?id=198983
1675
1676         Reviewed by Yusuke Suzuki.
1677
1678         * wasm/function-tests/basic-element.js:
1679         * wasm/function-tests/context-switch.js:
1680         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1681         (makeInstance):
1682         (assert.eq.makeInstance):
1683         * wasm/function-tests/exceptions.js:
1684         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1685         * wasm/function-tests/grow-memory-2.js:
1686         (assert.eq.instance.exports.foo):
1687         * wasm/function-tests/nameSection.js:
1688         (const.compile):
1689         * wasm/function-tests/stack-overflow.js:
1690         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1691         (assertOverflows.makeInstance):
1692         * wasm/function-tests/table-basic-2.js:
1693         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1694         * wasm/function-tests/table-basic.js:
1695         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1696         * wasm/function-tests/trap-from-start-async.js:
1697         * wasm/function-tests/trap-from-start.js:
1698         * wasm/js-api/Module.exports.js:
1699         (assert.truthy):
1700         * wasm/js-api/Module.imports.js:
1701         (assert.truthy):
1702         * wasm/js-api/call-indirect.js:
1703         (const.oneTable):
1704         (const.multiTable):
1705         (multiTable.const.makeTable):
1706         (multiTable):
1707         (multiTable.Polyphic2Import):
1708         (multiTable.VirtualImport):
1709         * wasm/js-api/element-data.js:
1710         * wasm/js-api/element.js:
1711         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1712         (assert.throws):
1713         (badInstantiation.makeModule):
1714         (badInstantiation.test):
1715         (badInstantiation):
1716         * wasm/js-api/extension-MemoryMode.js:
1717         * wasm/js-api/table.js:
1718         (new.WebAssembly.Module):
1719         (assert.throws):
1720         (assertBadTableImport):
1721         (assert.throws.WebAssembly.Table.prototype.grow):
1722         (new.WebAssembly.Table):
1723         (assertBadTable):
1724         (assert.truthy):
1725         * wasm/js-api/test_basic_api.js:
1726         (const.c.in.constructorProperties.switch):
1727         * wasm/js-api/unique-signature.js:
1728         (CallIndirectWithDuplicateSignatures):
1729         * wasm/js-api/wrapper-function.js:
1730         * wasm/modules/table.wat:
1731         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1732         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1733         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1734         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1735         * wasm/references/anyref_table.js:
1736         * wasm/references/anyref_table_import.js:
1737         (doSet):
1738         (assert.throws):
1739         * wasm/references/func_ref.js:
1740         (makeFuncrefIdent):
1741         (assert.eq.instance.exports.fix):
1742         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
1743         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
1744         (let.importedFun.of):
1745         (makeAnyfuncIdent): Deleted.
1746         (makeAnyfuncIdent.fun): Deleted.
1747         * wasm/references/multitable.js:
1748         (assert.eq):
1749         (assert.throws):
1750         * wasm/references/table_misc.js:
1751         (GetLocal.0.TableFill.0.End.End.WebAssembly):
1752         * wasm/references/validation.js:
1753         (assert.throws.new.WebAssembly.Module.bin):
1754         (assert.throws):
1755         * wasm/spec-harness/index.js:
1756         * wasm/spec-harness/wasm-constants.js:
1757         * wasm/spec-harness/wasm-module-builder.js:
1758         (WasmModuleBuilder.prototype.toArray):
1759         * wasm/spec-harness/wast.js:
1760         (elem_type):
1761         (string_of_elem_type):
1762         (string_of_table_type):
1763         * wasm/spec-tests/jsapi.js:
1764         * wasm/stress/wasm-table-grow-initialize.js:
1765         * wasm/wasm.json:
1766
1767 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1768
1769         [WASM-References] Add support for Table.size, grow and fill instructions
1770         https://bugs.webkit.org/show_bug.cgi?id=198761
1771
1772         Reviewed by Yusuke Suzuki.
1773
1774         * wasm/Builder_WebAssemblyBinary.js:
1775         (const.putOp):
1776         * wasm/references/table_misc.js: Added.
1777         (TableSize.End.End.WebAssembly):
1778         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
1779         * wasm/wasm.json:
1780
1781 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1782
1783         [WASM-References] Add support for multiple tables
1784         https://bugs.webkit.org/show_bug.cgi?id=198760
1785
1786         Reviewed by Saam Barati.
1787
1788         * wasm/Builder.js:
1789         * wasm/js-api/call-indirect.js:
1790         (const.oneTable):
1791         (const.multiTable):
1792         (multiTable):
1793         (multiTable.Polyphic2Import):
1794         (multiTable.VirtualImport):
1795         (const.wasmModuleWhichImportJS): Deleted.
1796         (const.makeTable): Deleted.
1797         (): Deleted.
1798         (Polyphic2Import): Deleted.
1799         (VirtualImport): Deleted.
1800         * wasm/js-api/table.js:
1801         (new.WebAssembly.Module):
1802         (assert.throws):
1803         (assertBadTableImport):
1804         (assert.truthy):
1805         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1806         * wasm/references/anyref_table.js:
1807         * wasm/references/anyref_table_import.js:
1808         (makeImport):
1809         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1810         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1811         * wasm/references/multitable.js: Added.
1812         (assert.throws.1.exports.set_tbl0):
1813         (assert.throws):
1814         (assert.eq):
1815         * wasm/references/validation.js:
1816         (assert.throws.new.WebAssembly.Module.bin):
1817         (assert.throws):
1818         * wasm/spec-tests/imports.wast.js:
1819         * wasm/wasm.json:
1820
1821         * wasm/Builder.js:
1822         * wasm/js-api/call-indirect.js:
1823         (const.oneTable):
1824         (const.multiTable):
1825         (multiTable):
1826         (multiTable.Polyphic2Import):
1827         (multiTable.VirtualImport):
1828         (const.wasmModuleWhichImportJS): Deleted.
1829         (const.makeTable): Deleted.
1830         (): Deleted.
1831         (Polyphic2Import): Deleted.
1832         (VirtualImport): Deleted.
1833         * wasm/js-api/table.js:
1834         (new.WebAssembly.Module):
1835         (assert.throws):
1836         (assertBadTableImport):
1837         (assert.truthy):
1838         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1839         * wasm/references/anyref_table.js:
1840         * wasm/references/anyref_table_import.js:
1841         (makeImport):
1842         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1843         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1844         * wasm/references/func_ref.js:
1845         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
1846         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
1847         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
1848         * wasm/references/multitable.js: Added.
1849         (assert.throws.1.exports.set_tbl0):
1850         (assert.throws):
1851         (assert.eq):
1852         (string_appeared_here.tableInsanity):
1853         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
1854         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
1855         * wasm/references/validation.js:
1856         (assert.throws.new.WebAssembly.Module.bin):
1857         (assert.throws):
1858         * wasm/spec-tests/imports.wast.js:
1859         * wasm/wasm.json:
1860
1861 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
1862
1863         [ESNExt] String.prototype.matchAll
1864         https://bugs.webkit.org/show_bug.cgi?id=186694
1865
1866         Reviewed by Yusuke Suzuki.
1867
1868         Implement String.prototype.matchAll.
1869         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
1870
1871         * test262/config.yaml:
1872
1873 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
1874
1875         DFG code should not reify the names of builtin functions with private names
1876         https://bugs.webkit.org/show_bug.cgi?id=198849
1877         <rdar://problem/51733890>
1878
1879         Reviewed by Filip Pizlo.
1880
1881         * stress/builtin-private-function-name.js: Added.
1882         (then):
1883         (PromiseLike):
1884
1885 2019-06-18  Keith Miller  <keith_miller@apple.com>
1886
1887         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
1888         https://bugs.webkit.org/show_bug.cgi?id=198969
1889         <rdar://problem/51620714>
1890
1891         Reviewed by Tadeu Zagallo.
1892
1893         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
1894         (catch):
1895
1896 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1897
1898         Validate that table element type is funcref if using an element section
1899         https://bugs.webkit.org/show_bug.cgi?id=198910
1900
1901         Reviewed by Yusuke Suzuki.
1902
1903         * wasm/references/anyref_table.js:
1904
1905 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
1906
1907         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
1908         https://bugs.webkit.org/show_bug.cgi?id=197378
1909
1910         Reviewed by Saam Barati.
1911
1912         * stress/disposable-call-site-index-with-call-and-this.js: Added.
1913         (foo):
1914         (bar):
1915         * stress/disposable-call-site-index.js: Added.
1916         (foo):
1917         (bar):
1918
1919 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1920
1921         [WASM-References] Add support for Funcref in parameters and return types
1922         https://bugs.webkit.org/show_bug.cgi?id=198157
1923
1924         Reviewed by Yusuke Suzuki.
1925
1926         * wasm/Builder.js:
1927         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1928         * wasm/references/anyref_globals.js:
1929         * wasm/references/func_ref.js: Added.
1930         (fullGC.gc.makeExportedFunction):
1931         (makeExportedIdent):
1932         (makeAnyfuncIdent):
1933         (fun):
1934         (assert.eq.instance.exports.fix.fun):
1935         (assert.eq.instance.exports.fix):
1936         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
1937         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
1938         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
1939         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
1940         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
1941         (assert.throws):
1942         (assert.throws.doTest):
1943         (let.importedFun.of):
1944         (makeAnyfuncIdent.fun):
1945         * wasm/references/validation.js:
1946         (assert.throws):
1947         * wasm/wasm.json:
1948
1949 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
1950
1951         Update test262 tests (2019.06.13)
1952         https://bugs.webkit.org/show_bug.cgi?id=198821
1953
1954         Reviewed by Konstantin Tokarev.
1955
1956         * test262/expectations.yaml:
1957         * test262/harness/:
1958         * test262/latest-changes-summary.txt:
1959         * test262/test/:
1960         * test262/test262-Revision.txt:
1961
1962 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
1963
1964         [JSC] Grown region of WasmTable should be initialized with null
1965         https://bugs.webkit.org/show_bug.cgi?id=198903
1966
1967         Reviewed by Saam Barati.
1968
1969         * wasm/stress/wasm-table-grow-initialize.js: Added.
1970         (shouldBe):
1971
1972 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
1973
1974         Yarr bytecode compilation failure should be gracefully handled
1975         https://bugs.webkit.org/show_bug.cgi?id=198700
1976
1977         Reviewed by Michael Saboff.
1978
1979         * stress/regexp-bytecode-compilation-fail.js: Added.
1980         (shouldThrow):
1981
1982 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
1983
1984         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
1985         https://bugs.webkit.org/show_bug.cgi?id=198770
1986
1987         Reviewed by Saam Barati.
1988
1989         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
1990         (test):
1991
1992 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1993
1994         JSC should throw if proxy set returns falsish in strict mode context
1995         https://bugs.webkit.org/show_bug.cgi?id=177398
1996
1997         Reviewed by Yusuke Suzuki.
1998
1999         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2000         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2001
2002         * stress/proxy-set.js: Add 2 test cases.
2003         * stress/regexp-match-proxy.js: Fix test.
2004         * stress/regexp-replace-proxy.js: Fix test.
2005
2006 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2007
2008         Error message for non-callable Proxy `construct` trap is misleading
2009         https://bugs.webkit.org/show_bug.cgi?id=198637
2010
2011         Reviewed by Saam Barati.
2012
2013         * stress/proxy-construct.js:
2014
2015 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2016
2017         AI BitURShift's result should not be unsigned
2018         https://bugs.webkit.org/show_bug.cgi?id=198689
2019         <rdar://problem/51550063>
2020
2021         Reviewed by Saam Barati.
2022
2023         * stress/urshift-int32-overflow.js: Added.
2024         (foo.):
2025         (foo):
2026
2027 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2028
2029         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2030
2031         Unreviewed gardening.
2032
2033         * stress/ftl-gettypedarrayoffset-wasteful.js:
2034         Skipped on arm/linux as it always times out on the bot since a change
2035         between r246270 and r246278 inclusive.
2036
2037 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2038
2039         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2040         https://bugs.webkit.org/show_bug.cgi?id=198023
2041
2042         Reviewed by Saam Barati.
2043
2044         * stress/reparsing-unlinked-codeblock.js: Added.
2045         (shouldBe):
2046         (hello):
2047
2048 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2049
2050         [JSC] Use mergePrediction in ValuePow prediction propagation
2051         https://bugs.webkit.org/show_bug.cgi?id=198648
2052
2053         Reviewed by Saam Barati.
2054
2055         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2056
2057 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2058
2059         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2060         https://bugs.webkit.org/show_bug.cgi?id=198581
2061         <rdar://problem/51099753>
2062
2063         Reviewed by Saam Barati.
2064
2065         * stress/global-object-proto-getter.js: Added.
2066         (f):
2067         (test):
2068
2069 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2070
2071         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2072         https://bugs.webkit.org/show_bug.cgi?id=198398
2073
2074         Reviewed by Saam Barati.
2075
2076         * wasm/references/anyref_table.js: Added.
2077         (string_appeared_here.doGCSet):
2078         (doGCTest):
2079         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2080         * wasm/references/anyref_table_import.js: Added.
2081         (makeImport):
2082         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2083         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2084         * wasm/references/is_null_error.js: Removed.
2085         * wasm/references/validation.js: Added.
2086         (assert.throws.new.WebAssembly.Module.bin):
2087         (assert.throws):
2088         * wasm/wasm.json:
2089
2090 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2091
2092         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2093         https://bugs.webkit.org/show_bug.cgi?id=198106
2094
2095         Reviewed by Saam Barati.
2096
2097         * wasm/regress/selectf64.js: Added.
2098         * wasm/regress/selectf64.wasm: Added.
2099         * wasm/regress/selectf64.wat: Added.
2100
2101 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2102
2103         Argument elimination should check transitive dependents for interference
2104         https://bugs.webkit.org/show_bug.cgi?id=198520
2105         <rdar://problem/50863343>
2106
2107         Reviewed by Filip Pizlo.
2108
2109         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2110         (f2):
2111         (f3):
2112
2113 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2114
2115         Argument elimination should check for negative indices in GetByVal
2116         https://bugs.webkit.org/show_bug.cgi?id=198302
2117         <rdar://problem/51188095>
2118
2119         Reviewed by Filip Pizlo.
2120
2121         * stress/eliminate-arguments-negative-rest-access.js: Added.
2122         (inlinee):
2123         (opt):
2124
2125 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2126
2127         [ESNext][BigInt] Implement support for "**"
2128         https://bugs.webkit.org/show_bug.cgi?id=190799
2129
2130         Reviewed by Saam Barati.
2131
2132         * stress/big-int-exp-basic.js: Added.
2133         * stress/big-int-exp-jit-osr.js: Added.
2134         * stress/big-int-exp-jit-untyped.js: Added.
2135         * stress/big-int-exp-jit.js: Added.
2136         * stress/big-int-exp-negative-exponent.js: Added.
2137         * stress/big-int-exp-to-primitive.js: Added.
2138         * stress/big-int-exp-type-error.js: Added.
2139         * stress/big-int-exp-wrapped-value.js: Added.
2140         * stress/value-pow-ai-rule.js: Added.
2141
2142 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2143
2144         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2145         https://bugs.webkit.org/show_bug.cgi?id=197979
2146
2147         Reviewed by Filip Pizlo.
2148
2149         * stress/16bit-code.js: Added.
2150         (shouldBe):
2151         * stress/32bit-code.js: Added.
2152         (shouldBe):
2153
2154 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2155
2156         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2157         https://bugs.webkit.org/show_bug.cgi?id=198355
2158
2159         Reviewed by Saam Barati.
2160
2161         * wasm/references/is_null.js:
2162
2163 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2164
2165         [PlayStation] Skip additional tests on PlayStation
2166         https://bugs.webkit.org/show_bug.cgi?id=198352
2167
2168         Reviewed by Don Olmstead.
2169
2170         Skip pow test on PlayStation due to behavior difference in standard library.
2171         Skip incremental marking test due to OOM on PlayStation systems.
2172
2173         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2174         * stress/math-pow-with-constants.js:
2175         * stress/pow-with-constants.js:
2176
2177 2019-05-28  Dean Jackson  <dino@apple.com>
2178
2179         Implement Promise.allSettled
2180         https://bugs.webkit.org/show_bug.cgi?id=197600
2181         <rdar://problem/50483885>
2182
2183         Reviewed by Keith Miller.
2184
2185         Start testing Promise.allSettled. We pass most of the tests.
2186         The ones that fail are similar to the Promise.all tests we already fail.
2187
2188         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2189         * test262/expectations.yaml: Add new expectations for allSettled tests.
2190
2191 2019-05-28  Michael Saboff  <msaboff@apple.com>
2192
2193         [YARR] Properly handle RegExp's that require large ParenContext space
2194         https://bugs.webkit.org/show_bug.cgi?id=198065
2195
2196         Reviewed by Keith Miller.
2197
2198         New test.
2199
2200         * stress/regexp-large-paren-context.js: Added.
2201         (testLargeRegExp):
2202
2203 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2204
2205         JITOperations putByVal should mark negative array indices as out-of-bounds
2206         https://bugs.webkit.org/show_bug.cgi?id=198271
2207
2208         Reviewed by Saam Barati.
2209
2210         * microbenchmarks/get-by-val-negative-array-index.js:
2211         (foo):
2212         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2213         is 4.2x faster than the previous commit.
2214
2215         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2216         (foo):
2217
2218 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2219
2220         JITOperations getByVal should mark negative array indices as out-of-bounds
2221         https://bugs.webkit.org/show_bug.cgi?id=198229
2222
2223         Reviewed by Saam Barati.
2224
2225         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2226         (foo):
2227
2228 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2229
2230         [WASM-References] Support Anyref in globals
2231         https://bugs.webkit.org/show_bug.cgi?id=198102
2232
2233         Reviewed by Saam Barati.
2234
2235         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2236
2237         * wasm/Builder.js:
2238         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2239         * wasm/Builder_WebAssemblyBinary.js:
2240         (const.putInitExpr):
2241         * wasm/references/anyref_globals.js: Added.
2242         (GetGlobal.0.End.End.WebAssembly):
2243         (5.doGCSet):
2244         (doGCTest):
2245         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2246
2247 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2248
2249         DFG::OSREntry should not perform arity check
2250         https://bugs.webkit.org/show_bug.cgi?id=198189
2251
2252         Reviewed by Saam Barati.
2253
2254         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2255         (foo):
2256
2257 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2258
2259         [PlayStation] Skip additional tests on PlayStation
2260         https://bugs.webkit.org/show_bug.cgi?id=198145
2261
2262         Reviewed by Ross Kirsling.
2263
2264         * exceptionFuzz.yaml:
2265         Add skip on hostOS playstation
2266         * executableAllocationFuzz.yaml:
2267         Add skip on hostOS playstation
2268
2269 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2270
2271         createListFromArrayLike should throw if value is not an object
2272         https://bugs.webkit.org/show_bug.cgi?id=198138
2273
2274         Reviewed by Yusuke Suzuki.
2275
2276         * stress/create-list-from-array-like-not-object.js: Added.
2277         (testValid):
2278         (testInvalid):
2279         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2280         (opt):
2281         * stress/proxy-proto-enumerator.js: Added.
2282         (main):
2283         * stress/proxy-proto-own-keys.js: Added.
2284         (assert):
2285         (ownKeys):
2286
2287 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2288
2289         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2290         https://bugs.webkit.org/show_bug.cgi?id=197809
2291
2292         Reviewed by Michael Saboff.
2293
2294         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2295         (foo):
2296
2297 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2298
2299         [ESNext] Implement support for Numeric Separators
2300         https://bugs.webkit.org/show_bug.cgi?id=196351
2301
2302         Reviewed by Keith Miller.
2303
2304         * stress/numeric-literal-separators.js: Added.
2305         Add tests for feature.
2306
2307         * test262/expectations.yaml:
2308         Mark 60 test cases as passing.
2309
2310 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2311
2312         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2313         https://bugs.webkit.org/show_bug.cgi?id=198120
2314         <rdar://problem/49668795>
2315
2316         Reviewed by Michael Saboff.
2317
2318         * stress/get-array-length-concurrently-change-mode.js: Added.
2319         (main):
2320
2321 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2322
2323         Unreviewed, rolling out r245634.
2324         https://bugs.webkit.org/show_bug.cgi?id=198140
2325
2326         'This patch makes JSC crash on launch in debug builds'
2327         (Requested by tadeuzagallo on #webkit).
2328
2329         Reverted changeset:
2330
2331         "[ESNext] Implement support for Numeric Separators"
2332         https://bugs.webkit.org/show_bug.cgi?id=196351
2333         https://trac.webkit.org/changeset/245634
2334
2335 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2336
2337         Stack-buffer-overflow in decodeURIComponent
2338         https://bugs.webkit.org/show_bug.cgi?id=198109
2339         <rdar://problem/50397550>
2340
2341         Reviewed by Michael Saboff.
2342
2343         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2344         (i.j.try.i.toString):
2345         (i.j.catch):
2346
2347 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2348
2349         Don't clear PropertyNameArray in Proxy code
2350         https://bugs.webkit.org/show_bug.cgi?id=197691
2351
2352         Reviewed by Saam Barati.
2353
2354         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2355         (shouldBe):
2356         (opt):
2357
2358 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2359
2360         [ESNext] Implement support for Numeric Separators
2361         https://bugs.webkit.org/show_bug.cgi?id=196351
2362
2363         Reviewed by Keith Miller.
2364
2365         * stress/numeric-literal-separators.js: Added.
2366         Add tests for feature.
2367
2368         * test262/expectations.yaml:
2369         Mark 60 test cases as passing.
2370
2371 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2372
2373         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2374         https://bugs.webkit.org/show_bug.cgi?id=198101
2375
2376         Reviewed by Michael Saboff.
2377
2378         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2379         (shouldBe):
2380
2381 2019-05-20  Keith Miller  <keith_miller@apple.com>
2382
2383         Cleanup Yarr regexp code around paren contexts.
2384         https://bugs.webkit.org/show_bug.cgi?id=198063
2385
2386         Reviewed by Yusuke Suzuki.
2387
2388         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2389         (i.s):
2390         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2391
2392 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2393
2394         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2395         https://bugs.webkit.org/show_bug.cgi?id=197969
2396
2397         Reviewed by Keith Miller.
2398
2399         Support the anyref type in Builder.js, plus add some extra error logging.
2400         Add new folder for wasm references tests.
2401
2402         * wasm.yaml:
2403         * wasm/Builder.js:
2404         (const._isValidValue):
2405         * wasm/references/anyref_modules.js: Added.
2406         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2407         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2408         (Call.3.RefIsNull.End.End.WebAssembly):
2409         (undefined):
2410         * wasm/references/is_null.js: Added.
2411         * wasm/references/is_null_error.js: Added.
2412         * wasm/spec-harness/index.js:
2413         * wasm/wasm.json:
2414
2415 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2416
2417         [JSC] Invalid AssignmentTargetType should be an early error.
2418         https://bugs.webkit.org/show_bug.cgi?id=197603
2419
2420         Reviewed by Keith Miller.
2421
2422         * test262/expectations.yaml:
2423         Update expectations to reflect new SyntaxErrors.
2424         (Ideally, these should all be viewed as passing in the near future.)
2425
2426         * stress/async-await-basic.js:
2427         * stress/big-int-literals.js:
2428         Update tests to reflect new SyntaxErrors.
2429
2430         * ChakraCore.yaml:
2431         * ChakraCore/test/EH/try6.baseline-jsc:
2432         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2433         Update baselines to reflect new SyntaxErrors.
2434
2435 2019-05-15  Saam Barati  <sbarati@apple.com>
2436
2437         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2438         https://bugs.webkit.org/show_bug.cgi?id=197855
2439         <rdar://problem/50236506>
2440
2441         Reviewed by Michael Saboff.
2442
2443         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2444         (f0):
2445         (bar):
2446         (foo):
2447         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2448         (f1):
2449         (f2):
2450         (foo):
2451
2452 2019-05-14  Keith Miller  <keith_miller@apple.com>
2453
2454         Fix issue with byteOffset on ARM64E
2455         https://bugs.webkit.org/show_bug.cgi?id=197884
2456
2457         Reviewed by Saam Barati.
2458
2459         We didn't have any tests that run with non-byte/non-zero offset
2460         typed arrays.
2461
2462         * stress/ftl-gettypedarrayoffset-wasteful.js:
2463
2464 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2465
2466         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2467         https://bugs.webkit.org/show_bug.cgi?id=197833
2468
2469         Reviewed by Darin Adler.
2470
2471         * stress/generator-name.js: Added.
2472         (shouldBe):
2473         (gen):
2474         (catch):
2475
2476 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2477
2478         JSObject::getOwnPropertyDescriptor is missing an exception check
2479         https://bugs.webkit.org/show_bug.cgi?id=197693
2480         <rdar://problem/50441784>
2481
2482         Reviewed by Saam Barati.
2483
2484         * stress/proxy-spread.js: Added.
2485         (foo):
2486
2487 2019-05-10  Saam barati  <sbarati@apple.com>
2488
2489         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2490         https://bugs.webkit.org/show_bug.cgi?id=197807
2491         <rdar://problem/50530400>
2492
2493         Reviewed by Yusuke Suzuki.
2494
2495         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2496         (test.getInstance):
2497         (test):
2498
2499 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2500
2501         [Test262] Unreviewed expectations update following r245188.
2502
2503         * test262/config.yaml:
2504         * test262/expectations.yaml:
2505
2506         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2507         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2508         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2509         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2510         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2511         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2512         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2513         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2514         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2515         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2516         These files have invalid YAML comments. Will also submit corrections back to Test262.
2517
2518 2019-05-10  Keith Miller  <keith_miller@apple.com>
2519
2520         Update test262 tests.
2521
2522         Rubber-stamped by Yusuke Suzuki.
2523
2524         * test262/*: mega-patch too many things to list individually.
2525
2526 2019-05-09  Keith Miller  <keith_miller@apple.com>
2527
2528         Unreviewed, fix test to have a try-catch.
2529
2530         * stress/many-nested-functions-parser-stack-overflow.js:
2531         (catch):
2532
2533 2019-05-09  Keith Miller  <keith_miller@apple.com>
2534
2535         parseStatementListItem needs a stack overflow check
2536         https://bugs.webkit.org/show_bug.cgi?id=197749
2537
2538         Reviewed by Saam Barati.
2539
2540         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2541
2542 2019-05-08  Saam barati  <sbarati@apple.com>
2543
2544         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2545         https://bugs.webkit.org/show_bug.cgi?id=197715
2546         <rdar://problem/50399252>
2547
2548         Reviewed by Filip Pizlo.
2549
2550         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2551         (foo):
2552         (bar):
2553
2554 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2555
2556         Unreviewed, rolling out r245068.
2557
2558         Caused debug layout tests to exit early due to an assertion
2559         failure.
2560
2561         Reverted changeset:
2562
2563         "All prototypes should call didBecomePrototype()"
2564         https://bugs.webkit.org/show_bug.cgi?id=196315
2565         https://trac.webkit.org/changeset/245068
2566
2567 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2568
2569         Invalid DFG JIT generation in high CPU usage state
2570         https://bugs.webkit.org/show_bug.cgi?id=197453
2571
2572         Reviewed by Saam Barati.
2573
2574         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2575         (trigger):
2576         (main):
2577
2578 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2579
2580         All prototypes should call didBecomePrototype()
2581         https://bugs.webkit.org/show_bug.cgi?id=196315
2582
2583         Reviewed by Saam Barati.
2584
2585         This changelog already landed, but the commit was missing the actual changes.
2586
2587         * stress/function-prototype-indexed-accessor.js: Added.
2588
2589 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2590
2591         [BigInt] Add ValueMod into DFG
2592         https://bugs.webkit.org/show_bug.cgi?id=186174
2593
2594         Reviewed by Saam Barati.
2595
2596         * microbenchmarks/mod-untyped.js: Added.
2597         * stress/big-int-mod-osr.js: Added.
2598         * stress/value-div-ai-rule.js: Added.
2599         * stress/value-mod-ai-rule.js: Added.
2600
2601 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2602
2603         [JSC] DFG_ASSERT failed in lowInt52
2604         https://bugs.webkit.org/show_bug.cgi?id=197569
2605
2606         Reviewed by Saam Barati.
2607
2608         * stress/getstack-int52.js: Added.
2609         (opt):
2610         (main):
2611
2612 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2613
2614         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2615         https://bugs.webkit.org/show_bug.cgi?id=197479
2616
2617         Reviewed by Saam Barati.
2618
2619         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2620         (shouldBe):
2621
2622 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2623
2624         TemplateObject passed to template literal tags are not always identical for the same source location.
2625         https://bugs.webkit.org/show_bug.cgi?id=190756
2626
2627         Reviewed by Saam Barati.
2628
2629         * complex.yaml:
2630         * complex/tagged-template-regeneration-after.js: Added.
2631         (shouldBe):
2632         * complex/tagged-template-regeneration.js: Added.
2633         (call):
2634         (test):
2635         * modules/tagged-template-inside-module.js: Added.
2636         (from.string_appeared_here.call):
2637         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2638         (call):
2639         (export.otherTaggedTemplates):
2640         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2641         (shouldBe):
2642         (call):
2643         (poly):
2644         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2645         (shouldBe):
2646         (call):
2647         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2648         (shouldBe):
2649         (call):
2650         (test):
2651         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2652         (shouldBe):
2653         (call):
2654         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2655         (shouldBe):
2656         (call):
2657         * stress/tagged-templates-in-multiple-functions.js: Added.
2658         (shouldBe):
2659         (call):
2660         (a):
2661         (b):
2662         (c):
2663         * stress/tagged-templates-with-same-start-offset.js: Added.
2664         (shouldBe):
2665
2666 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2667
2668         All prototypes should call didBecomePrototype()
2669         https://bugs.webkit.org/show_bug.cgi?id=196315
2670
2671         Reviewed by Saam Barati.
2672
2673         * stress/function-prototype-indexed-accessor.js: Added.
2674
2675 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2676
2677         Unreviewed, rolling out r244978.
2678         https://bugs.webkit.org/show_bug.cgi?id=197671
2679
2680         TemplateObject map should use start/end offsets (Requested by
2681         yusukesuzuki on #webkit).
2682
2683         Reverted changeset:
2684
2685         "TemplateObject passed to template literal tags are not always
2686         identical for the same source location."
2687         https://bugs.webkit.org/show_bug.cgi?id=190756
2688         https://trac.webkit.org/changeset/244978
2689
2690 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2691
2692         tryCachePutByID should not crash if target offset changes
2693         https://bugs.webkit.org/show_bug.cgi?id=197311
2694         <rdar://problem/48033612>
2695
2696         Reviewed by Filip Pizlo.
2697
2698         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
2699         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
2700
2701         * stress/cache-put-by-id-delete-prototype.js: Added.
2702         (A.prototype.set y):
2703         (A):
2704         (B.prototype.set y):
2705         (B):
2706         (C):
2707         * stress/cache-put-by-id-different-__proto__.js: Added.
2708         (A.prototype.set y):
2709         (A):
2710         (B1):
2711         (B2.prototype.set y):
2712         (B2):
2713         (C):
2714         (D):
2715         * stress/cache-put-by-id-different-attributes.js: Added.
2716         (Foo):
2717         (set x):
2718         * stress/cache-put-by-id-different-offset.js: Added.
2719         (Foo):
2720         (set x):
2721         * stress/cache-put-by-id-insert-prototype.js: Added.
2722         (A.prototype.set y):
2723         (A):
2724         (C):
2725         * stress/cache-put-by-id-poly-proto.js: Added.
2726         (Foo):
2727         (set _):
2728         (createBar.Bar):
2729         (createBar):
2730
2731 2019-05-07  Saam Barati  <sbarati@apple.com>
2732
2733         Don't OSR enter into an FTL CodeBlock that has been jettisoned
2734         https://bugs.webkit.org/show_bug.cgi?id=197531
2735         <rdar://problem/50162379>
2736
2737         Reviewed by Yusuke Suzuki.
2738
2739         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2740
2741 2019-05-06  Dean Jackson  <dino@apple.com>
2742
2743         Update test262 expectations for Proxy passes
2744         https://bugs.webkit.org/show_bug.cgi?id=197628
2745
2746         Reviewed by Yusuke Suzuki.
2747
2748         There are two consistent passes in Proxy.ownKeys.
2749
2750         * test262/expectations.yaml:
2751
2752 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2753
2754         [JSC] We should check OOM for description string of Symbol
2755         https://bugs.webkit.org/show_bug.cgi?id=197634
2756
2757         Reviewed by Keith Miller.
2758
2759         * stress/check-symbol-description-oom.js: Added.
2760         (shouldThrow):
2761
2762 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2763
2764         Unreviewed, land one more test
2765         https://bugs.webkit.org/show_bug.cgi?id=197587
2766
2767         * stress/setter-frame-flush.js: Added.
2768         (setter):
2769         (foo):
2770         (bar):
2771
2772 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2773
2774         TemplateObject passed to template literal tags are not always identical for the same source location.
2775         https://bugs.webkit.org/show_bug.cgi?id=190756
2776
2777         Reviewed by Saam Barati.
2778
2779         * complex.yaml:
2780         * complex/tagged-template-regeneration-after.js: Added.
2781         (shouldBe):
2782         * complex/tagged-template-regeneration.js: Added.
2783         (call):
2784         (test):
2785         * modules/tagged-template-inside-module.js: Added.
2786         (from.string_appeared_here.call):
2787         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2788         (call):
2789         (export.otherTaggedTemplates):
2790         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2791         (shouldBe):
2792         (call):
2793         (poly):
2794         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2795         (shouldBe):
2796         (call):
2797         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2798         (shouldBe):
2799         (call):
2800         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2801         (shouldBe):
2802         (call):
2803         * stress/tagged-templates-in-multiple-functions.js: Added.
2804         (shouldBe):
2805         (call):
2806         (a):
2807         (b):
2808         (c):
2809
2810 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
2811
2812         [PlayStation] JSC Stress tests failing due to timezone printing
2813         https://bugs.webkit.org/show_bug.cgi?id=197615
2814
2815         PlayStation's strftime does not give timezone strings, which
2816         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
2817         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
2818         which causes diff failures with the expectations. Add expectations
2819         without the timezone string and use those on playstation.
2820
2821         Reviewed by Ross Kirsling.
2822
2823         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
2824         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
2825         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
2826         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
2827
2828 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2829
2830         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
2831         https://bugs.webkit.org/show_bug.cgi?id=197587
2832
2833         Reviewed by Sam Weinig.
2834
2835         This patch adds more tests to r244939. It also inlines setter calls, and eventually sees that no PutStack is emitted because MovHint's KillStack kills it.
2836
2837         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
2838
2839 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
2840
2841         TypedArrays should not store properties that are canonical numeric indices
2842         https://bugs.webkit.org/show_bug.cgi?id=197228
2843         <rdar://problem/49557381>
2844
2845         Reviewed by Saam Barati.
2846
2847         * stress/array-species-config-array-constructor.js:
2848         (test):
2849         * stress/put-direct-index-broken-2.js:
2850         * stress/typed-array-canonical-numeric-index-string.js: Added.
2851         (makeTest.assert):
2852         (makeTest):
2853         (const.testInvalidIndices.makeTest.set assert):
2854         (const.testInvalidIndices.makeTest):
2855         (const.makeTestValidIndex.configurable.set assert):
2856         (const.makeTestValidIndex.configurable):
2857         * stress/typedarray-access-monomorphic-neutered.js:
2858         (checkNoException):
2859         (testNoException):
2860         (testFTLNoException):
2861         * stress/typedarray-access-neutered.js:
2862         (testNoException):
2863         * stress/typedarray-getownproperty-not-configurable.js:
2864         (foo):
2865         * test262/expectations.yaml:
2866
2867 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2868
2869         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
2870         https://bugs.webkit.org/show_bug.cgi?id=197584
2871
2872         Reviewed by Saam Barati.
2873
2874         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
2875         (X):
2876         (foo):
2877
2878 2019-05-03  Michael Saboff  <msaboff@apple.com>
2879
2880         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
2881         https://bugs.webkit.org/show_bug.cgi?id=197586
2882
2883         Reviewed by Keith Miller.
2884
2885         We should only run one config of this test and only when we think we'll have the memory.
2886
2887         * stress/json-stringify-string-builder-overflow.js:
2888
2889 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2890
2891         [JSC] Generator CodeBlock generation should be idempotent
2892         https://bugs.webkit.org/show_bug.cgi?id=197552
2893
2894         Reviewed by Keith Miller.
2895
2896         Add complex.yaml, which controls how to run JSC shell more.
2897         We split test files into two to run macro task between them which allows debugger to be attached to VM.
2898
2899         * complex.yaml: Added.
2900         * complex/generator-regeneration-after.js: Added.
2901         * complex/generator-regeneration.js: Added.
2902         (gen):
2903
2904 2019-05-02  Michael Saboff  <msaboff@apple.com>
2905
2906         Unreviewed rollout of r244862.
2907
2908         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
2909
2910 2019-05-01  Saam barati  <sbarati@apple.com>
2911
2912         Baseline JIT should do argument value profiling after checking for stack overflow
2913         https://bugs.webkit.org/show_bug.cgi?id=197052
2914         <rdar://problem/50009602>
2915
2916         Reviewed by Yusuke Suzuki.
2917
2918         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
2919
2920 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
2921
2922         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
2923         https://bugs.webkit.org/show_bug.cgi?id=197405
2924
2925         Reviewed by Saam Barati.
2926
2927         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
2928         (foo):
2929         (test):
2930         (i.o.get f):
2931         (i.o.set f):
2932
2933 2019-05-01  Michael Saboff  <msaboff@apple.com>
2934
2935         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
2936         https://bugs.webkit.org/show_bug.cgi?id=197485
2937
2938         Reviewed by Saam Barati.
2939
2940         New test.
2941
2942         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
2943         (foo):
2944
2945 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
2946
2947         Unreviewed correction to Test262 expectations following r244828.
2948
2949         * test262/expectations.yaml:
2950
2951 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
2952
2953         Add memory-limited skipping to some tests generating very large strings
2954         https://bugs.webkit.org/show_bug.cgi?id=197437
2955
2956         Reviewed by Ross Kirsling.
2957
2958         * stress/StringObject-define-length-getter-rope-string-oom.js:
2959         * stress/create-error-out-of-memory-rope-string.js:
2960         * stress/string-16bit-repeat-overflow.js:
2961
2962 2019-04-30  Commit Queue  <commit-queue@webkit.org>
2963
2964         Unreviewed, rolling out r244806.
2965         https://bugs.webkit.org/show_bug.cgi?id=197446
2966
2967         Causing Test262 and JSC test failures on multiple builds
2968         (Requested by ShawnRoberts on #webkit).
2969
2970         Reverted changeset:
2971
2972         "TypeArrays should not store properties that are canonical
2973         numeric indices"
2974         https://bugs.webkit.org/show_bug.cgi?id=197228
2975         https://trac.webkit.org/changeset/244806
2976
2977 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
2978
2979         TypeArrays should not store properties that are canonical numeric indices
2980         https://bugs.webkit.org/show_bug.cgi?id=197228
2981         <rdar://problem/49557381>
2982
2983         Reviewed by Darin Adler.
2984
2985         * stress/typed-array-canonical-numeric-index-string.js: Added.
2986         (makeTest.assert):
2987         (makeTest):
2988         (const.testInvalidIndices.makeTest.set assert):
2989         (const.testInvalidIndices.makeTest):
2990         (const.testValidIndices.makeTest.set assert):
2991         (const.testValidIndices.makeTest):
2992
2993 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
2994
2995         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
2996         https://bugs.webkit.org/show_bug.cgi?id=197362
2997
2998         Reviewed by Saam Barati.
2999
3000         * stress/map-with-nan.js: Added.
3001         (shouldBe):
3002         (div):
3003         (NaN1):
3004         (NaN2):
3005         (NaN3):
3006         (NaN4):
3007         (NaN1NoInline):
3008         (NaN2NoInline):
3009         (NaN3NoInline):
3010         (NaN4NoInline):
3011         (test1):
3012         (test2):
3013         (test3):
3014         (test4):
3015         * stress/set-with-nan.js: Added.
3016         (shouldBe):
3017         (div):
3018         (NaN1):
3019         (NaN2):
3020         (NaN3):
3021         (NaN4):
3022         (NaN1NoInline):
3023         (NaN2NoInline):
3024         (NaN3NoInline):
3025         (NaN4NoInline):
3026         (test2):
3027         (test4):
3028
3029 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3030
3031         Unreviewed, rolling out r244708.
3032         https://bugs.webkit.org/show_bug.cgi?id=197334
3033
3034         "Broke the debug build" (Requested by rmorisset on #webkit).
3035
3036         Reverted changeset:
3037
3038         "All prototypes should call didBecomePrototype()"
3039         https://bugs.webkit.org/show_bug.cgi?id=196315
3040         https://trac.webkit.org/changeset/244708
3041
3042 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3043
3044         [JSC] linkPolymorphicCall now does GC
3045         https://bugs.webkit.org/show_bug.cgi?id=197306
3046
3047         Reviewed by Saam Barati.
3048
3049         * stress/link-polymorphic-call-can-gc.js: Added.
3050         (module):
3051         (instance):
3052
3053 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3054
3055         All prototypes should call didBecomePrototype()
3056         https://bugs.webkit.org/show_bug.cgi?id=196315
3057
3058         Reviewed by Saam Barati.
3059
3060         * stress/function-prototype-indexed-accessor.js: Added.
3061
3062 2019-04-23  Saam Barati  <sbarati@apple.com>
3063
3064         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3065         https://bugs.webkit.org/show_bug.cgi?id=196721
3066         <rdar://problem/49556479> 
3067
3068         Reviewed by Filip Pizlo.
3069
3070         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3071         (foo):
3072
3073 2019-04-19  Saam Barati  <sbarati@apple.com>
3074
3075         AbstractValue can represent more than int52
3076         https://bugs.webkit.org/show_bug.cgi?id=197118
3077         <rdar://problem/49969960>
3078
3079         Reviewed by Michael Saboff.
3080
3081         * stress/abstract-value-can-include-int52.js: Added.
3082         (foo):
3083         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3084
3085 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3086
3087         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3088         https://bugs.webkit.org/show_bug.cgi?id=197053
3089
3090         Reviewed by Saam Barati.
3091
3092         * stress/merge-string-builder-in-dfg.js: Added.
3093         (foo):
3094
3095 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3096
3097         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3098         https://bugs.webkit.org/show_bug.cgi?id=176810
3099
3100         Reviewed by Saam Barati.
3101
3102         Add tests for the DontEnum filtering, and variations of other tests
3103         take the DontEnum-filtering path.
3104
3105         * stress/proxy-own-keys.js:
3106         (i.catch):
3107         (set assert):
3108         (set add):
3109         (let.set new):
3110         (get let):
3111
3112 2019-04-15  Saam barati  <sbarati@apple.com>
3113
3114         Modify how we do SetArgument when we inline varargs calls
3115         https://bugs.webkit.org/show_bug.cgi?id=196712
3116         <rdar://problem/49605012>
3117
3118         Reviewed by Michael Saboff.
3119
3120         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3121         (foo):
3122
3123 2019-04-15  Saam barati  <sbarati@apple.com>
3124
3125         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3126         https://bugs.webkit.org/show_bug.cgi?id=196945
3127         <rdar://problem/49802750>
3128
3129         Reviewed by Filip Pizlo.
3130
3131         * stress/get-by-offset-should-use-correct-child.js: Added.
3132         (foo.bar):
3133         (foo):
3134
3135 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3136
3137         DFG should be able to constant fold Object.create() with a constant prototype operand
3138         https://bugs.webkit.org/show_bug.cgi?id=196886
3139
3140         Reviewed by Yusuke Suzuki.
3141
3142         Note that this new benchmark does not currently see a speedup with inlining removed.
3143         The reason is that we do not yet have inline caching for Object.create(); we only optimize it when the DFG can see statically the prototype being passed.
3144
3145         * microbenchmarks/object-create-constant-prototype.js: Added.
3146         (test):
3147
3148 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3149
3150         Incremental bytecode cache should not append function updates when loaded from memory
3151         https://bugs.webkit.org/show_bug.cgi?id=196865
3152
3153         Reviewed by Filip Pizlo.
3154
3155         * stress/bytecode-cache-shared-code-block.js: Added.
3156         (b):
3157         (program):
3158
3159 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3160
3161         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3162         https://bugs.webkit.org/show_bug.cgi?id=196880
3163
3164         Reviewed by Yusuke Suzuki.
3165
3166         * stress/bytecode-cache-syntax-error.js: Added.
3167         (catch):
3168
3169 2019-04-12  Saam barati  <sbarati@apple.com>
3170
3171         r244079 logically broke shouldSpeculateInt52
3172         https://bugs.webkit.org/show_bug.cgi?id=196884
3173
3174         Reviewed by Yusuke Suzuki.
3175
3176         * microbenchmarks/int52-rand-function.js: Added.
3177         (Math.random):
3178
3179 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3180
3181         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3182         https://bugs.webkit.org/show_bug.cgi?id=196850
3183
3184         Reviewed by Saam Barati.
3185
3186         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3187         (foo):
3188
3189 2019-04-11  Saam barati  <sbarati@apple.com>
3190
3191         Remove invalid assertion in operationInstanceOfCustom
3192         https://bugs.webkit.org/show_bug.cgi?id=196842
3193         <rdar://problem/49725493>
3194
3195         Reviewed by Michael Saboff.
3196
3197         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3198
3199 2019-04-10  Saam Barati  <sbarati@apple.com>
3200
3201         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3202         https://bugs.webkit.org/show_bug.cgi?id=196801
3203         <rdar://problem/49771122>
3204
3205         Reviewed by Yusuke Suzuki.
3206
3207         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3208
3209 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3210
3211         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3212         https://bugs.webkit.org/show_bug.cgi?id=196746
3213
3214         Reviewed by Yusuke Suzuki.
3215
3216         * stress/cyclic-define-properties.js: Added.
3217         (foo):
3218
3219 2019-04-09  Saam barati  <sbarati@apple.com>
3220
3221         Clean up Int52 code and some bugs in it
3222         https://bugs.webkit.org/show_bug.cgi?id=196639
3223         <rdar://problem/49515757>
3224
3225         Reviewed by Yusuke Suzuki.
3226
3227         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3228
3229 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3230
3231         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3232         https://bugs.webkit.org/show_bug.cgi?id=196708
3233         <rdar://problem/49556803>
3234
3235         Reviewed by Yusuke Suzuki.
3236
3237         * stress/proxy-getter-stack-overflow.js: Added.
3238         (const.handler.get target):
3239         (const.handler.has):
3240         (try.with):
3241         (catch):
3242
3243 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3244
3245         [JSC] DFG should respect node's strict flag
3246         https://bugs.webkit.org/show_bug.cgi?id=196617
3247
3248         Reviewed by Saam Barati.
3249
3250         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3251         (shouldEqual):
3252         (makeUnwriteableUnconfigurableObject):
3253         (runTest):
3254         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3255         (shouldBe):
3256         (shouldThrow):
3257         (with.result):
3258         (with.putValueStrict):
3259         (with.putValueSloppy):
3260
3261 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3262
3263         [JSC] isRope jump in StringSlice should not jump over register allocations
3264         https://bugs.webkit.org/show_bug.cgi?id=196716
3265
3266         Reviewed by Saam Barati.
3267
3268         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3269         (foo.bar):
3270         (foo):
3271
3272 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3273
3274         [JSC] to_index_string should not assume incoming value is Uint32
3275         https://bugs.webkit.org/show_bug.cgi?id=196713
3276
3277         Reviewed by Saam Barati.
3278
3279         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
3280         (foo):
3281
3282 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3283
3284         [JSC] Add more tests for r243966
3285         https://bugs.webkit.org/show_bug.cgi?id=196711
3286
3287         Reviewed by Saam Barati.
3288
3289         Adding one more test for r243966 fix. The added test will not crash after r243966.
3290
3291         * stress/stress-cleared-calllinkinfo.js: Added.
3292         (runNearStackLimit.t):
3293         (runNearStackLimit):
3294         (repeat):
3295         (cls):
3296         (let.item.of.array.runNearStackLimit):
3297
3298 2019-04-08  Saam Barati  <sbarati@apple.com>
3299
3300         WebAssembly.RuntimeError missing exception check
3301         https://bugs.webkit.org/show_bug.cgi?id=196700
3302         <rdar://problem/49693932>
3303
3304         Reviewed by Yusuke Suzuki.
3305
3306         * wasm/js-api/runtime-error-should-exception-check.js: Added.
3307
3308 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3309
3310         Unreviewed, rolling in r243948 with test fix
3311         https://bugs.webkit.org/show_bug.cgi?id=196486
3312
3313         * stress/arrow-function-and-use-strict-directive.js: Added.
3314         * stress/arrow-function-syntax.js: Added.
3315         (checkSyntax):
3316         (checkSyntaxError):
3317
3318 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3319
3320         Unreviewed, rolling out r243948.
3321
3322         Caused inspector/runtime/parse.html to fail
3323
3324         Reverted changeset:
3325
3326         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
3327         https://bugs.webkit.org/show_bug.cgi?id=196486
3328         https://trac.webkit.org/changeset/243948
3329
3330 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3331
3332         Unreviewed, rolling out r243943.
3333
3334         Caused test262 failures.
3335
3336         Reverted changeset:
3337
3338         "[JSC] Filter DontEnum properties in
3339         ProxyObject::getOwnPropertyNames()"
3340         https://bugs.webkit.org/show_bug.cgi?id=176810
3341         https://trac.webkit.org/changeset/243943
3342
3343 2019-04-07  Michael Saboff  <msaboff@apple.com>
3344
3345         REGRESSION (r243642): Crash in reddit.com page
3346         https://bugs.webkit.org/show_bug.cgi?id=196684
3347
3348         Reviewed by Geoffrey Garen.
3349
3350         New regression test.
3351
3352         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
3353
3354 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
3355
3356         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
3357         https://bugs.webkit.org/show_bug.cgi?id=196683
3358
3359         Reviewed by Saam Barati.
3360
3361         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
3362         (foo):
3363
3364 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3365
3366         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
3367         https://bugs.webkit.org/show_bug.cgi?id=196582
3368
3369         Reviewed by Saam Barati.
3370
3371         * stress/add-overflow-check-with-three-same-registers.js: Added.
3372         (foo):
3373         (Number.prototype.valueOf):
3374         (runWithNumber):
3375
3376 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
3377
3378         Unreviewed, rolling out r243665.
3379
3380         Caused iOS JSC tests to exit with an exception.
3381
3382         Reverted changeset:
3383
3384         "Assertion failed in JSC::createError"
3385         https://bugs.webkit.org/show_bug.cgi?id=196305
3386         https://trac.webkit.org/changeset/243665
3387
3388 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3389
3390         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
3391         https://bugs.webkit.org/show_bug.cgi?id=196486
3392
3393         Reviewed by Saam Barati.
3394
3395         * stress/arrow-function-and-use-strict-directive.js: Added.
3396         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
3397         (checkSyntax):
3398         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
3399
3400 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3401
3402         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3403         https://bugs.webkit.org/show_bug.cgi?id=176810
3404
3405         Reviewed by Saam Barati.
3406
3407         Add tests for the DontEnum filtering, and variations of other tests
3408         take the DontEnum-filtering path.
3409
3410         * stress/proxy-own-keys.js:
3411         (i.catch):
3412         (set assert):
3413         (set add):
3414         (let.set new):
3415         (get let):
3416
3417 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3418
3419         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
3420         https://bugs.webkit.org/show_bug.cgi?id=185211
3421
3422         Reviewed by Saam Barati.
3423
3424         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
3425
3426         This changes several assertions to expect a TypeError to be thrown (in some cases,
3427         changing the expected message).
3428
3429         * es6/Proxy_ownKeys_duplicates.js:
3430         (handler):
3431         (shouldThrow):
3432         (test):
3433         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3434         (shouldThrow):
3435         * stress/proxy-own-keys.js:
3436         (i.catch):
3437         (assert):
3438
3439 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3440
3441         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
3442         https://bugs.webkit.org/show_bug.cgi?id=196631
3443
3444         Reviewed by Saam Barati.
3445
3446         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
3447         (assert):
3448         (test):
3449         (foo):
3450
3451 2019-04-04  Saam Barati  <sbarati@apple.com>
3452
3453         Unreviewed. Make the test from r243906 catch the thrown exceptions.
3454
3455         * stress/inferred-types-regex-matches-array.js:
3456
3457 2019-04-04  Saam Barati  <sbarati@apple.com>
3458
3459         createRegExpMatchesArray does not respect inferred types
3460         https://bugs.webkit.org/show_bug.cgi?id=193287
3461
3462         Reviewed by Yusuke Suzuki.
3463
3464         This checks in the test case for 193287. This issue was discovered by
3465         Samuel Groß of Google Project Zero.
3466
3467         * stress/inferred-types-regex-matches-array.js: Added.
3468
3469 2019-04-04  Saam barati  <sbarati@apple.com>
3470
3471         Teach Call ICs how to call Wasm
3472         https://bugs.webkit.org/show_bug.cgi?id=196387
3473
3474         Reviewed by Filip Pizlo.
3475
3476         * wasm/function-tests/stack-trace.js:
3477
3478 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
3479
3480         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
3481         https://bugs.webkit.org/show_bug.cgi?id=194944
3482
3483         Reviewed by Keith Miller.
3484
3485         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
3486
3487 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3488
3489         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
3490         https://bugs.webkit.org/show_bug.cgi?id=196409
3491
3492         Reviewed by Saam Barati.
3493
3494         * stress/bytecode-cache-cached-string-impl.js: Added.
3495         (f):
3496         (g):
3497         * stress/bytecode-cache-run-string.js: Added.
3498
3499 2019-04-03  Robin Morisset  <rmorisset@apple.com>
3500
3501         B3 should use associativity to optimize expression trees
3502         https://bugs.webkit.org/show_bug.cgi?id=194081
3503
3504         Reviewed by Filip Pizlo.
3505
3506         Added three microbenchmarks:
3507         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
3508         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
3509           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
3510         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
3511
3512         * microbenchmarks/add-tree.js: Added.
3513         * microbenchmarks/bit-or-tree.js: Added.
3514         * microbenchmarks/bit-xor-tree.js: Added.
3515
3516 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3517
3518         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
3519         https://bugs.webkit.org/show_bug.cgi?id=196574
3520
3521         Reviewed by Saam Barati.
3522
3523         * stress/string-index-of-exception-check.js: Added.
3524         (blurType):
3525         (1.forEach):
3526
3527 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
3528
3529         Assertion failed in JSC::createError
3530         https://bugs.webkit.org/show_bug.cgi?id=196305
3531         <rdar://problem/49387382>
3532
3533         Reviewed by Saam Barati.
3534
3535         * stress/create-error-out-of-memory-rope-string-2.js: Added.
3536         (assert):
3537         (catch):
3538
3539 2019-03-28  Saam Barati  <sbarati@apple.com>
3540
3541         BackwardsGraph needs to consider back edges as the backward's root successor
3542         https://bugs.webkit.org/show_bug.cgi?id=195991
3543
3544         Reviewed by Filip Pizlo.
3545
3546         * stress/map-b3-licm-infinite-loop.js: Added.
3547
3548 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
3549
3550         CodeBlock::jettison() should disallow repatching its own calls
3551         https://bugs.webkit.org/show_bug.cgi?id=196359
3552         <rdar://problem/48973663>
3553
3554         Reviewed by Saam Barati.
3555
3556         * stress/call-link-info-osrexit-repatch.js: Added.
3557         (foo):
3558
3559 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
3560
3561         [JSC] imports-oom.js intermittently fails
3562         https://bugs.webkit.org/show_bug.cgi?id=196373
3563
3564         Reviewed by Saam Barati.
3565
3566         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
3567         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
3568         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
3569         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
3570         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
3571
3572         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
3573         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
3574
3575         * wasm/lowExecutableMemory/imports-oom.js:
3576
3577 2019-03-27  Saam Barati  <sbarati@apple.com>
3578
3579         validateOSREntryValue with Int52 should box the value being checked into double format
3580         https://bugs.webkit.org/show_bug.cgi?id=196313
3581         <rdar://problem/49306703>
3582
3583         Reviewed by Yusuke Suzuki.
3584
3585         * stress/validate-int-52-ai-state.js: Added.
3586
3587 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3588
3589         [JSC] Owner of watchpoints should validate at GC finalizing phase
3590         https://bugs.webkit.org/show_bug.cgi?id=195827
3591
3592         Reviewed by Filip Pizlo.
3593
3594         * stress/gc-should-reap-dead-watchpoints.js: Added.
3595         (foo):
3596         (A.prototype.y):
3597         (A):
3598
3599 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
3600
3601         Skip WebAssembly test on 32-bit systems
3602         https://bugs.webkit.org/show_bug.cgi?id=196206
3603
3604         Reviewed by Saam Barati.
3605
3606         Invoking runDefault executes test immediately even though
3607         that test should be skipped due to missing WASM support.
3608         Therefore remove runDefault.
3609
3610         * wasm/regress/web-assembly-link-error-exception-check.js:
3611
3612 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
3613
3614         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
3615         https://bugs.webkit.org/show_bug.cgi?id=196217
3616
3617         Reviewed by Saam Barati.
3618
3619         Re-enable all NaN tests for f32.min, f64.min and f64.max.
3620
3621         * wasm/spec-tests/f32.wast.js:
3622         * wasm/spec-tests/f64.wast.js:
3623         * wasm/wasm.json:
3624
3625 2019-03-25  Keith Miller  <keith_miller@apple.com>
3626
3627         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
3628         https://bugs.webkit.org/show_bug.cgi?id=196176
3629
3630         Reviewed by Saam Barati.
3631
3632         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
3633         (main.v10):
3634         (main):
3635
3636 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
3637
3638         WebAssembly: f32.max with NaN generates incorrect result
3639         https://bugs.webkit.org/show_bug.cgi?id=175691
3640         <rdar://problem/33952228>
3641
3642         Reviewed by Saam Barati.
3643
3644         Enable all f32.max NaN tests
3645
3646         * wasm/spec-tests/f32.wast.js:
3647         * wasm/wasm.json:
3648
3649 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
3650
3651         [JSC] Move test into directory for WASM tests
3652         https://bugs.webkit.org/show_bug.cgi?id=196187
3653
3654         Reviewed by Mark Lam.
3655
3656         Move Test into wasm-directory. Otherwise this test
3657         is also executed on systems without WASM support.
3658
3659         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
3660
3661 2019-03-23  Mark Lam  <mark.lam@apple.com>
3662
3663         Rolling out r243032 and r243071 because the fix is incorrect.
3664         https://bugs.webkit.org/show_bug.cgi?id=195892
3665         <rdar://problem/48981239>
3666
3667         Not reviewed.
3668
3669         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
3670
3671 2019-03-22  Mark Lam  <mark.lam@apple.com>
3672
3673         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
3674         https://bugs.webkit.org/show_bug.cgi?id=196154
3675         <rdar://problem/49145307>
3676
3677         Reviewed by Filip Pizlo.
3678
3679         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
3680         There's no need to run this test on more than 1 test configuration.
3681
3682         * stress/typed-array-lastIndexOf-exception-check.js: Added.
3683         * stress/web-assembly-link-error-exception-check.js:
3684
3685 2019-03-22  Mark Lam  <mark.lam@apple.com>
3686
3687         Placate exception check validation in constructJSWebAssemblyLinkError().
3688         https://bugs.webkit.org/show_bug.cgi?id=196152
3689         <rdar://problem/49145257>
3690
3691         Reviewed by Michael Saboff.
3692
3693         * stress/web-assembly-link-error-exception-check.js: Added.
3694
3695 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3696
3697         Skip tests running out of memory on ARM/MIPS
3698         https://bugs.webkit.org/show_bug.cgi?id=196131
3699
3700         Unreviewed. Skip test if memory is limited.
3701
3702         * microbenchmarks/put-by-val-direct-large-index.js:
3703
3704 2019-03-21  Mark Lam  <mark.lam@apple.com>
3705
3706         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
3707         https://bugs.webkit.org/show_bug.cgi?id=196116
3708         <rdar://problem/48976951>
3709