Promise constructor should check argument before [[Construct]]
[WebKit.git] / JSTests / ChangeLog
2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>

        Promise constructor should check argument before [[Construct]]
        https://bugs.webkit.org/show_bug.cgi?id=198976

        Reviewed by Ross Kirsling.

        * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
        * stress/create-subclass-structure-might-throw.js: Fix test.
        * test262/expectations.yaml: Mark 2 test cases as passing.

2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r248709.

        Caused test/built-ins/Promise/prototype/finally/this-value-
        non-promise.js to fail on test262 bot

        Reverted changeset:

        "ProxyObject should not be allow to access its target's
        private properties."
        https://bugs.webkit.org/show_bug.cgi?id=200739
        https://trac.webkit.org/changeset/248709

2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>

        DateConversion::formatDateTime incorrectly formats negative years
        https://bugs.webkit.org/show_bug.cgi?id=199964

        Reviewed by Ross Kirsling.

        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-08-15  Mark Lam  <mark.lam@apple.com>

        More missing exception checks in String.prototype.
        https://bugs.webkit.org/show_bug.cgi?id=200762
        <rdar://problem/54333896>

        Reviewed by Michael Saboff.

        * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
        * stress/missing-exception-check-in-string-toLower.js: Added.
        * stress/missing-exception-check-in-string-toUpper.js: Added.

2019-08-14  Mark Lam  <mark.lam@apple.com>

        ProxyObject should not be allow to access its target's private properties.
        https://bugs.webkit.org/show_bug.cgi?id=200739
        <rdar://problem/53972768>

        Reviewed by Yusuke Suzuki.

        * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
        * stress/proxy-with-private-symbols.js: Rebased.

2019-08-14  Mark Lam  <mark.lam@apple.com>

        Missing exception check in string compare.
        https://bugs.webkit.org/show_bug.cgi?id=200743
        <rdar://problem/53975356>

        Reviewed by Michael Saboff.

        * stress/missing-exception-check-in-string-compare.js: Added.

2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add "jump if (not) undefined or null" bytecode ops
        https://bugs.webkit.org/show_bug.cgi?id=200480

        Reviewed by Saam Barati.

        * stress/destructuring-assignment-require-object-coercible.js:
        * stress/nullish-coalescing.js:

2019-08-05  Michael Saboff  <msaboff@apple.com>

        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
        https://bugs.webkit.org/show_bug.cgi?id=199997

        Reviewed by Saam Barati.

        New test.

        * stress/typedarray-no-alreadyChecked-assert.js: Added.
        (checkIntArray):
        (checkFloatArray):

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Support WebAssembly in SamplingProfiler
        https://bugs.webkit.org/show_bug.cgi?id=200329

        Reviewed by Saam Barati.

        * stress/sampling-profiler-wasm-name-section.js: Added.
        (const.compile):
        (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
        (platformSupportsSamplingProfiler.vm.isWasmSupported):
        * stress/sampling-profiler-wasm.js: Added.
        (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
        (platformSupportsSamplingProfiler.vm.isWasmSupported):
        * stress/sampling-profiler/loop.wasm: Added.
        * stress/sampling-profiler/loop.wast: Added.
        * stress/sampling-profiler/nameSection.wasm: Added.

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] LazyJSValue should be robust for empty JSValue
        https://bugs.webkit.org/show_bug.cgi?id=200388

        Reviewed by Saam Barati.

        * stress/switch-constant-child-becomes-empty.js: Added.
        (foo):

2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>

        GetterSetter type confusion during DFG compilation
        https://bugs.webkit.org/show_bug.cgi?id=199903

        Reviewed by Mark Lam.

        * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.

2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>

        Update Test262 (2019.08.01)
        https://bugs.webkit.org/show_bug.cgi?id=200351

        Reviewed by Keith Miller.

        * test262/expectations.yaml:
        * test262/harness/testIntl.js:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
        https://bugs.webkit.org/show_bug.cgi?id=200192

        Reviewed by Saam Barati.

        * stress/structure-chain-stress.js: Added.
        (keys):

2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Increment bytecode age only when SlotVisitor is first-visit
        https://bugs.webkit.org/show_bug.cgi?id=200196

        Reviewed by Robin Morisset.

        * stress/reparsing-unlinked-codeblock.js:

2019-07-29  Justin Michaud  <justin_michaud@apple.com>

        [X86] Emit BT instruction for shift + mask in B3
        https://bugs.webkit.org/show_bug.cgi?id=199891

        Reviewed by Robin Morisset.

        Lower the number of iterations to fix debug timeouts.

        * microbenchmarks/bit-test-load.js:
        (i):

2019-07-27  Justin Michaud  <justin_michaud@apple.com>

        [X86] Emit BT instruction for shift + mask in B3
        https://bugs.webkit.org/show_bug.cgi?id=199891

        Reviewed by Keith Miller.

        * microbenchmarks/bit-test-constant.js: Added.
        (let.glob.0.doTest):
        * microbenchmarks/bit-test-load.js: Added.
        (let.glob.0.let.arr.new.Int32Array.8.doTest):
        (i):
        * microbenchmarks/bit-test-nonconstant.js: Added.
        (let.glob.0.doTest):

2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Potential GC fix for JSPropertyNameEnumerator
        https://bugs.webkit.org/show_bug.cgi?id=200151

        Reviewed by Mark Lam.

        * stress/for-in-stress.js: Added.
        (keys):

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        Legacy numeric literals should not permit separators or BigInt
        https://bugs.webkit.org/show_bug.cgi?id=199984

        Reviewed by Keith Miller.

        * stress/big-int-literals.js:
        * stress/numeric-literal-separators.js:

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement nullish coalescing
        https://bugs.webkit.org/show_bug.cgi?id=200072

        Reviewed by Darin Adler.

        * stress/nullish-coalescing.js: Added.

2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        Three checks are missing in Proxy internal methods
        https://bugs.webkit.org/show_bug.cgi?id=198630

        Reviewed by Darin Adler.

        * stress/proxy-delete.js: Assert isExtensible is called in correct order.
        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-07-23  Justin Michaud  <justin_michaud@apple.com>

        Sometimes we miss removable CheckInBounds
        https://bugs.webkit.org/show_bug.cgi?id=200018

        Reviewed by Saam Barati.

        * microbenchmarks/typed-array-sum.js: Added.
        (doTest):

2019-07-16  Mark Lam  <mark.lam@apple.com>

        ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
        https://bugs.webkit.org/show_bug.cgi?id=199821
        <rdar://problem/52452328>

        Reviewed by Filip Pizlo.

        * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.

2019-07-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, test262 gardening.

        * test262/expectations.yaml:

2019-07-15  Keith Miller  <keith_miller@apple.com>

        A Possible Issue of Object.create method
        https://bugs.webkit.org/show_bug.cgi?id=199744

        Reviewed by Yusuke Suzuki.

        * stress/object-create-non-object-properties-parameter.js: Added.
        (catch):

2019-07-15  Keith Miller  <keith_miller@apple.com>

        Update test262
        https://bugs.webkit.org/show_bug.cgi?id=199801

        Rubber-stamped by Yusuke Suzuki.

        * test262/expectations.yaml:
        * test262/latest-changes-summary.txt:
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
        (callback):
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
        * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        (async.fn):
        (fn.then.async):
        * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
        (newTarget):
        (fn):
        * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/proto.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
        (newTarget):
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
        (newTarget):
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
        (callback):
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
        (fg.new.FinalizationGroup):
        (fg.cleanupSome.cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
        (fn):
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
        (poisoned):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
        (poisoned):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
        (fn):
        (cb):
        (emptyCells):
        (prototype.assert.sameValue.fg.cleanupSome):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
        (fn):
        (cb):
        (poisoned):
        (assert.sameValue.fg.cleanupSome):
        (prototype.assert.sameValue.fg.cleanupSome):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
        (cleanupCallback):
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
        (FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
        (cleanupCallback):
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
        * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
        * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
        * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
        * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
        (setIter.set Symbol):
        (set defaultTag):
        (gen):
        (get return):
        (set new):
        * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
        (generatorProxy.new.Proxy):
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/subclass-object-arg.js:
        * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
        * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
        * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
        * test262/test/built-ins/Promise/executor-function-name.js:
        * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/reject-function-name.js:
        * test262/test/built-ins/Promise/resolve-function-name.js:
        * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
        * test262/test/built-ins/WeakRef/constructor.js: Added.
        * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
        * test262/test/built-ins/WeakRef/length.js: Added.
        * test262/test/built-ins/WeakRef/name.js: Added.
        * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
        * test262/test/built-ins/WeakRef/proto.js: Added.
        * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
        * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
        * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
        (emptyCells):
        * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
        * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
        * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
        * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
        * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
        * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
        * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
        * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
        (assertParts):
        * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
        * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
        * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
        * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
        * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
        * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
        (C.prototype.method):
        * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateGetter):
        * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateMethod):
        * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateSetter):
        * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.prototype.m):
        (let.classStringExpression.prototype.access):
        (let.classStringExpression):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.prototype.m):
        (let.classStringExpression.prototype.access):
        (let.classStringExpression):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.C.prototype.m):
        (let.classStringExpression.return.C.prototype.access):
        (let.classStringExpression.return.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.C.prototype.m):
        (let.classStringExpression.return.C.prototype.access):
        (let.classStringExpression.return.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
609         (let.classStringExpression):
610         (let.classStringExpression.access):
611         (let.createAndInstantiateClass):
612         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
613         (let.classStringExpression):
614         (let.classStringExpression.access):
615         (let.createAndInstantiateClass):
616         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
617         (let.classStringExpression):
618         (let.classStringExpression.access):
619         (let.createAndInstantiateClass):
620         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
621         (const.C):
622         (let.createAndInstantiateClass):
623         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
624         (let.classStringExpression.return.prototype.m):
625         (let.classStringExpression.return.prototype.access):
626         (let.createAndInstantiateClass):
627         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
628         (let.classStringExpression.return.prototype.m):
629         (let.classStringExpression.return.prototype.access):
630         (let.createAndInstantiateClass):
631         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
632         (let.classStringExpression):
633         (let.classStringExpression.access):
634         (let.createAndInstantiateClass):
635         * test262/test/language/expressions/new.target/unary-expr.js: Added.
636         (new):
637         (async):
638         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
639         (A):
640         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
641         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
642         * test262/test/language/identifiers/vals-cjk.js: Added.
643         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
644         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
645         (C.prototype.method):
646         (C):
647         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
648         (C.prototype.method.innerFunction):
649         (C.prototype.method):
650         (C):
651         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
652         (C.prototype.checkPrivateField):
653         (C):
654         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
655         (C):
656         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
657         (C.prototype.getWithEval):
658         (C):
659         (D):
660         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
661         (C.prototype.get m):
662         (C.prototype.method):
663         (C):
664         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
665         (C.prototype.get m):
666         (C.prototype.method.innerFunction):
667         (C.prototype.method):
668         (C):
669         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
670         (let.createAndInstantiateClass):
671         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
672         (C.prototype.get m):
673         (C.prototype.checkPrivateGetter):
674         (C):
675         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
676         (C.prototype.get m):
677         (C.prototype.checkPrivateGetter):
678         (C):
679         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
680         (C.prototype.get m):
681         (C):
682         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
683         (C.prototype.get m):
684         (C.prototype.getWithEval):
685         (C):
686         (D.prototype.get m):
687         (D):
688         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
689         (C.prototype.m):
690         (C.prototype.method):
691         (C):
692         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
693         (C.prototype.m):
694         (C.prototype.method.innerFunction):
695         (C.prototype.method):
696         (C):
697         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
698         (C.prototype.m):
699         (C.prototype.checkPrivateMethod):
700         (C):
701         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
702         (C.prototype.m):
703         (C.prototype.checkPrivateMethod):
704         (C):
705         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
706         (C.prototype.m):
707         (C):
708         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
709         (C.prototype.m):
710         (C.prototype.getWithEval):
711         (C):
712         (D.prototype.m):
713         (D):
714         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
715         (C.prototype.set m):
716         (C.prototype.method):
717         (C):
718         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
719         (C.prototype.set m):
720         (C.prototype.method.innerFunction):
721         (C.prototype.method):
722         (C):
723         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
724         (C.prototype.set m):
725         (C.prototype.checkPrivateSetter):
726         (C):
727         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
728         (C.prototype.set m):
729         (C.prototype.checkPrivateSetter):
730         (C):
731         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
732         (C.prototype.set m):
733         (C):
734         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
735         (C.prototype.set m):
736         (C.prototype.setWithEval):
737         (C):
738         (D.prototype.set m):
739         (D):
740         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
741         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
742         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
743         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
744         (A.prototype.method):
745         (A):
746         (C.prototype.get m):
747         (C.prototype.access):
748         (C):
749         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
750         (A.prototype.method):
751         (A):
752         (C.prototype.m):
753         (C.prototype.access):
754         (C):
755         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
756         (A.prototype.method):
757         (A):
758         (C.prototype.set m):
759         (C.prototype.access):
760         (C):
761         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
762         (A):
763         * test262/test/language/statements/function/13.2-30-s.js:
764         * test262/test262-Revision.txt:
765
766 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
767
768         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
769         https://bugs.webkit.org/show_bug.cgi?id=199783
770
771         Reviewed by Mark Lam.
772
773         Fix our spec tests.
774
775         * wasm/js-api/Module-compile.js:
776         * wasm/js-api/test_basic_api.js:
777         (const.c.in.constructorProperties.switch):
778         * wasm/js-api/validate.js:
779         * wasm/js-api/web-assembly-instantiate.js:
780         * wasm/spec-tests/jsapi.js:
781         (testJSAPI.get test):
782         (testJSAPI.set test):
783
784 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
785
786         Unreviewed, rolling out r247440.
787
788         Broke builds
789
790         Reverted changeset:
791
792         "[JSC] Improve wasm wpt test results by fixing miscellaneous
793         issues"
794         https://bugs.webkit.org/show_bug.cgi?id=199783
795         https://trac.webkit.org/changeset/247440
796
797 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
798
799         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
800         https://bugs.webkit.org/show_bug.cgi?id=199783
801
802         Reviewed by Mark Lam.
803
804         Fix our spec tests.
805
806         * wasm/js-api/Module-compile.js:
807         * wasm/js-api/test_basic_api.js:
808         (const.c.in.constructorProperties.switch):
809         * wasm/js-api/validate.js:
810         * wasm/js-api/web-assembly-instantiate.js:
811         * wasm/spec-tests/jsapi.js:
812         (testJSAPI.get test):
813         (testJSAPI.set test):
814
815 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
816
817         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
818         https://bugs.webkit.org/show_bug.cgi?id=196371
819
820         Reviewed by Keith Miller.
821
822         * microbenchmarks/mul-immediate-sub.js: Added.
823         (doTest):
824
825 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
826
827         [BigInt] Add ValueBitLShift into DFG
828         https://bugs.webkit.org/show_bug.cgi?id=192664
829
830         Reviewed by Saam Barati.
831
832         We are adding tests to cover ValueBitwise operations AI changes.
833
834         * stress/big-int-left-shift-untyped.js: Added.
835         * stress/bit-op-with-object-returning-int32.js:
836         * stress/value-bit-and-ai-rule.js: Added.
837         * stress/value-bit-lshift-ai-rule.js: Added.
838         * stress/value-bit-or-ai-rule.js: Added.
839         * stress/value-bit-xor-ai-rule.js: Added.
840
841 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
842
843         Add b3 macro lowering for CheckMul on arm64
844         https://bugs.webkit.org/show_bug.cgi?id=199251
845
846         Reviewed by Robin Morisset.
847
848         * microbenchmarks/check-mul-constant.js: Added.
849         (doTest):
850         * microbenchmarks/check-mul-no-constant.js: Added.
851         (doTest):
852         * microbenchmarks/check-mul-power-of-two.js: Added.
853         (doTest):
854
855 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
856
857         Optimize join of large empty arrays
858         https://bugs.webkit.org/show_bug.cgi?id=199636
859
860         Reviewed by Mark Lam.
861
862         * microbenchmarks/large-empty-array-join.js: Added.
863         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
864
865 2019-07-06  Michael Saboff  <msaboff@apple.com>
866
867         switch(String) needs to check for exceptions when resolving the string
868         https://bugs.webkit.org/show_bug.cgi?id=199541
869
870         Reviewed by Mark Lam.
871
872         New tests.
873
874         * stress/switch-string-oom.js: Added.
875         (test):
876         (testLowerTiers):
877         (testFTL):
878
879 2019-07-05  Mark Lam  <mark.lam@apple.com>
880
881         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
882         https://bugs.webkit.org/show_bug.cgi?id=199533
883         <rdar://problem/52669111>
884
885         Reviewed by Filip Pizlo.
886
887         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
888
889 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
890
891         [JSC] Clean up ArraySpeciesCreate
892         https://bugs.webkit.org/show_bug.cgi?id=182434
893
894         Reviewed by Yusuke Suzuki.
895
896         Adjusts error message expectations in stress tests.
897
898         * stress/array-flatmap.js:
899         * stress/array-flatten.js:
900         * stress/array-species-create-should-handle-masquerader.js:
901         * test262/expectations.yaml: Mark 4 test cases as passing.
902
903 2019-07-02  Michael Saboff  <msaboff@apple.com>
904
905         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
906         https://bugs.webkit.org/show_bug.cgi?id=199395
907
908         Reviewed by Filip Pizlo.
909
910         New regression test.
911
912         * stress/for-of-tdz-with-try-catch.js: Added.
913         (test):
914         (i.catch):
915
916 2019-07-02  Keith Miller  <keith_miller@apple.com>
917
918         Frozen Arrays length assignment should throw in strict mode
919         https://bugs.webkit.org/show_bug.cgi?id=199365
920
921         Reviewed by Yusuke Suzuki.
922
923         * stress/frozen-array-length-should-throw-strict.js: Added.
924         (test):
925
926 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
927
928         [Wasm-References] Disable references by default
929         https://bugs.webkit.org/show_bug.cgi?id=199390
930
931         Reviewed by Saam Barati.
932
933         * wasm/references-spec-tests/ref_is_null.js:
934         * wasm/references-spec-tests/ref_null.js:
935         * wasm/references/anyref_globals.js:
936         * wasm/references/anyref_modules.js:
937         * wasm/references/anyref_table.js:
938         * wasm/references/anyref_table_import.js:
939         * wasm/references/element_parsing.js:
940         * wasm/references/func_ref.js:
941         * wasm/references/is_null.js:
942         * wasm/references/multitable.js:
943         * wasm/references/table_misc.js:
944         * wasm/references/validation.js:
945
946 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
947
948         Unreviewed, rolling out r246946.
949
950         Caused JSC test crashes on arm64
951
952         Reverted changeset:
953
954         "Add b3 macro lowering for CheckMul on arm64"
955         https://bugs.webkit.org/show_bug.cgi?id=199251
956         https://trac.webkit.org/changeset/246946
957
958 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
959
960         Add b3 macro lowering for CheckMul on arm64
961         https://bugs.webkit.org/show_bug.cgi?id=199251
962
963         Reviewed by Robin Morisset.
964
965         * microbenchmarks/check-mul-constant.js: Added.
966         (doTest):
967         * microbenchmarks/check-mul-no-constant.js: Added.
968         (doTest):
969         * microbenchmarks/check-mul-power-of-two.js: Added.
970         (doTest):
971
972 2019-06-26  Keith Miller  <keith_miller@apple.com>
973
974         speciesConstruct needs to throw if the result is a DataView
975         https://bugs.webkit.org/show_bug.cgi?id=199231
976
977         Reviewed by Mark Lam.
978
979         * stress/typedarray-filter.js:
980         (subclasses.forEach):
981         * stress/typedarray-map.js:
982         (subclasses.forEach):
983         * stress/typedarray-slice.js:
984         (typedArrays.forEach):
985         * stress/typedarray-subarray.js:
986         (subclasses.forEach):
987
988 2019-06-24  Commit Queue  <commit-queue@webkit.org>
989
990         Unreviewed, rolling out r246714.
991         https://bugs.webkit.org/show_bug.cgi?id=199179
992
993         revert to do patch in a different way. (Requested by keith_mi_
994         on #webkit).
995
996         Reverted changeset:
997
998         "All prototypes should call didBecomePrototype()"
999         https://bugs.webkit.org/show_bug.cgi?id=196315
1000         https://trac.webkit.org/changeset/246714
1001
1002 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1003
1004         Add Array.prototype.{flat,flatMap} to unscopables
1005         https://bugs.webkit.org/show_bug.cgi?id=194322
1006
1007         Reviewed by Keith Miller.
1008
1009         * stress/unscopables.js: Fix test.
1010         * test262/expectations.yaml: Mark 2 test cases as passing.
1011
1012 2019-06-21  Mark Lam  <mark.lam@apple.com>
1013
1014         ArraySlice needs to keep the source array alive.
1015         https://bugs.webkit.org/show_bug.cgi?id=197374
1016         <rdar://problem/50304429>
1017
1018         Reviewed by Michael Saboff and Filip Pizlo.
1019
1020         * stress/array-slice-must-keep-source-array-alive.js: Added.
1021
1022 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1023
1024         All prototypes should call didBecomePrototype()
1025         https://bugs.webkit.org/show_bug.cgi?id=196315
1026
1027         Reviewed by Saam Barati.
1028
1029         * stress/function-prototype-indexed-accessor.js: Added.
1030
1031 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1032
1033         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1034         https://bugs.webkit.org/show_bug.cgi?id=197631
1035
1036         Reviewed by Saam Barati.
1037
1038         * stress/has-own-property-arguments.js: Added.
1039         (shouldBe):
1040         (A):
1041
1042 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1043
1044         [JSC] ClassExpr should not store result in the middle of evaluation
1045         https://bugs.webkit.org/show_bug.cgi?id=199106
1046
1047         Reviewed by Tadeu Zagallo.
1048
1049         * stress/class-expression-should-store-result-at-last.js: Added.
1050         (shouldThrow):
1051         (shouldThrow.let.a):
1052
1053 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1054
1055         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1056         https://bugs.webkit.org/show_bug.cgi?id=199044
1057
1058         Reviewed by Saam Barati.
1059
1060         Add wasm references spec tests as well as a worker test.
1061
1062         * wasm.yaml:
1063         * wasm/Builder_WebAssemblyBinary.js:
1064         (const.emitters.Element):
1065         * wasm/js-api/element.js:
1066         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1067         * wasm/references-spec-tests/ref_is_null.js: Added.
1068         (hostref):
1069         (is_hostref):
1070         (is_funcref):
1071         (eq_ref):
1072         (let.handler.get target):
1073         (register):
1074         (module):
1075         (instance):
1076         (call):
1077         (get instance):
1078         (exports):
1079         (run):
1080         (assert_malformed):
1081         (assert_invalid):
1082         (assert_unlinkable):
1083         (assert_uninstantiable):
1084         (assert_trap):
1085         (try.f):
1086         (catch):
1087         (assert_exhaustion):
1088         (assert_return):
1089         (assert_return_canonical_nan):
1090         (assert_return_arithmetic_nan):
1091         (assert_return_ref):
1092         (assert_return_func):
1093         * wasm/references-spec-tests/ref_null.js: Added.
1094         (hostref):
1095         (is_hostref):
1096         (is_funcref):
1097         (eq_ref):
1098         (let.handler.get target):
1099         (register):
1100         (module):
1101         (instance):
1102         (call):
1103         (get instance):
1104         (exports):
1105         (run):
1106         (assert_malformed):
1107         (assert_invalid):
1108         (assert_unlinkable):
1109         (assert_uninstantiable):
1110         (assert_trap):
1111         (try.f):
1112         (catch):
1113         (assert_exhaustion):
1114         (assert_return):
1115         (assert_return_canonical_nan):
1116         (assert_return_arithmetic_nan):
1117         (assert_return_ref):
1118         (assert_return_func):
1119         * wasm/references/element_parsing.js: Added.
1120         (module):
1121         * wasm/references/func_ref.js:
1122         * wasm/references/multitable.js:
1123         * wasm/references/table_misc.js:
1124         (TableSize.0.End.End.WebAssembly):
1125         * wasm/references/validation.js:
1126         (assert.throws):
1127
1128 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1129
1130         Optimize `resolve` method lookup in Promise static methods
1131         https://bugs.webkit.org/show_bug.cgi?id=198864
1132
1133         Reviewed by Yusuke Suzuki.
1134
1135         * test262/expectations.yaml: Mark 18 test cases as passing.
1136
1137 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1138
1139         [WASM-References] Rename anyfunc to funcref
1140         https://bugs.webkit.org/show_bug.cgi?id=198983
1141
1142         Reviewed by Yusuke Suzuki.
1143
1144         * wasm/function-tests/basic-element.js:
1145         * wasm/function-tests/context-switch.js:
1146         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1147         (makeInstance):
1148         (assert.eq.makeInstance):
1149         * wasm/function-tests/exceptions.js:
1150         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1151         * wasm/function-tests/grow-memory-2.js:
1152         (assert.eq.instance.exports.foo):
1153         * wasm/function-tests/nameSection.js:
1154         (const.compile):
1155         * wasm/function-tests/stack-overflow.js:
1156         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1157         (assertOverflows.makeInstance):
1158         * wasm/function-tests/table-basic-2.js:
1159         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1160         * wasm/function-tests/table-basic.js:
1161         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1162         * wasm/function-tests/trap-from-start-async.js:
1163         * wasm/function-tests/trap-from-start.js:
1164         * wasm/js-api/Module.exports.js:
1165         (assert.truthy):
1166         * wasm/js-api/Module.imports.js:
1167         (assert.truthy):
1168         * wasm/js-api/call-indirect.js:
1169         (const.oneTable):
1170         (const.multiTable):
1171         (multiTable.const.makeTable):
1172         (multiTable):
1173         (multiTable.Polyphic2Import):
1174         (multiTable.VirtualImport):
1175         * wasm/js-api/element-data.js:
1176         * wasm/js-api/element.js:
1177         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1178         (assert.throws):
1179         (badInstantiation.makeModule):
1180         (badInstantiation.test):
1181         (badInstantiation):
1182         * wasm/js-api/extension-MemoryMode.js:
1183         * wasm/js-api/table.js:
1184         (new.WebAssembly.Module):
1185         (assert.throws):
1186         (assertBadTableImport):
1187         (assert.throws.WebAssembly.Table.prototype.grow):
1188         (new.WebAssembly.Table):
1189         (assertBadTable):
1190         (assert.truthy):
1191         * wasm/js-api/test_basic_api.js:
1192         (const.c.in.constructorProperties.switch):
1193         * wasm/js-api/unique-signature.js:
1194         (CallIndirectWithDuplicateSignatures):
1195         * wasm/js-api/wrapper-function.js:
1196         * wasm/modules/table.wat:
1197         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1198         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1199         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1200         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1201         * wasm/references/anyref_table.js:
1202         * wasm/references/anyref_table_import.js:
1203         (doSet):
1204         (assert.throws):
1205         * wasm/references/func_ref.js:
1206         (makeFuncrefIdent):
1207         (assert.eq.instance.exports.fix):
1208         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
1209         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
1210         (let.importedFun.of):
1211         (makeAnyfuncIdent): Deleted.
1212         (makeAnyfuncIdent.fun): Deleted.
1213         * wasm/references/multitable.js:
1214         (assert.eq):
1215         (assert.throws):
1216         * wasm/references/table_misc.js:
1217         (GetLocal.0.TableFill.0.End.End.WebAssembly):
1218         * wasm/references/validation.js:
1219         (assert.throws.new.WebAssembly.Module.bin):
1220         (assert.throws):
1221         * wasm/spec-harness/index.js:
1222         * wasm/spec-harness/wasm-constants.js:
1223         * wasm/spec-harness/wasm-module-builder.js:
1224         (WasmModuleBuilder.prototype.toArray):
1225         * wasm/spec-harness/wast.js:
1226         (elem_type):
1227         (string_of_elem_type):
1228         (string_of_table_type):
1229         * wasm/spec-tests/jsapi.js:
1230         * wasm/stress/wasm-table-grow-initialize.js:
1231         * wasm/wasm.json:
1232
1233 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1234
1235         [WASM-References] Add support for Table.size, grow and fill instructions
1236         https://bugs.webkit.org/show_bug.cgi?id=198761
1237
1238         Reviewed by Yusuke Suzuki.
1239
1240         * wasm/Builder_WebAssemblyBinary.js:
1241         (const.putOp):
1242         * wasm/references/table_misc.js: Added.
1243         (TableSize.End.End.WebAssembly):
1244         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
1245         * wasm/wasm.json:
1246
1247 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1248
1249         [WASM-References] Add support for multiple tables
1250         https://bugs.webkit.org/show_bug.cgi?id=198760
1251
1252         Reviewed by Saam Barati.
1253
1254         * wasm/Builder.js:
1255         * wasm/js-api/call-indirect.js:
1256         (const.oneTable):
1257         (const.multiTable):
1258         (multiTable):
1259         (multiTable.Polyphic2Import):
1260         (multiTable.VirtualImport):
1261         (const.wasmModuleWhichImportJS): Deleted.
1262         (const.makeTable): Deleted.
1263         (): Deleted.
1264         (Polyphic2Import): Deleted.
1265         (VirtualImport): Deleted.
1266         * wasm/js-api/table.js:
1267         (new.WebAssembly.Module):
1268         (assert.throws):
1269         (assertBadTableImport):
1270         (assert.truthy):
1271         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1272         * wasm/references/anyref_table.js:
1273         * wasm/references/anyref_table_import.js:
1274         (makeImport):
1275         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1276         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1277         * wasm/references/multitable.js: Added.
1278         (assert.throws.1.exports.set_tbl0):
1279         (assert.throws):
1280         (assert.eq):
1281         * wasm/references/validation.js:
1282         (assert.throws.new.WebAssembly.Module.bin):
1283         (assert.throws):
1284         * wasm/spec-tests/imports.wast.js:
1285         * wasm/wasm.json:
1286
1287         * wasm/Builder.js:
1288         * wasm/js-api/call-indirect.js:
1289         (const.oneTable):
1290         (const.multiTable):
1291         (multiTable):
1292         (multiTable.Polyphic2Import):
1293         (multiTable.VirtualImport):
1294         (const.wasmModuleWhichImportJS): Deleted.
1295         (const.makeTable): Deleted.
1296         (): Deleted.
1297         (Polyphic2Import): Deleted.
1298         (VirtualImport): Deleted.
1299         * wasm/js-api/table.js:
1300         (new.WebAssembly.Module):
1301         (assert.throws):
1302         (assertBadTableImport):
1303         (assert.truthy):
1304         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1305         * wasm/references/anyref_table.js:
1306         * wasm/references/anyref_table_import.js:
1307         (makeImport):
1308         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1309         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1310         * wasm/references/func_ref.js:
1311         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
1312         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
1313         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
1314         * wasm/references/multitable.js: Added.
1315         (assert.throws.1.exports.set_tbl0):
1316         (assert.throws):
1317         (assert.eq):
1318         (string_appeared_here.tableInsanity):
1319         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
1320         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
1321         * wasm/references/validation.js:
1322         (assert.throws.new.WebAssembly.Module.bin):
1323         (assert.throws):
1324         * wasm/spec-tests/imports.wast.js:
1325         * wasm/wasm.json:
1326
1327 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
1328
1329         [ESNext] String.prototype.matchAll
1330         https://bugs.webkit.org/show_bug.cgi?id=186694
1331
1332         Reviewed by Yusuke Suzuki.
1333
1334         Implement String.prototype.matchAll.
1335         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
1336
1337         * test262/config.yaml:
1338
1339 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
1340
1341         DFG code should not reify the names of builtin functions with private names
1342         https://bugs.webkit.org/show_bug.cgi?id=198849
1343         <rdar://problem/51733890>
1344
1345         Reviewed by Filip Pizlo.
1346
1347         * stress/builtin-private-function-name.js: Added.
1348         (then):
1349         (PromiseLike):
1350
1351 2019-06-18  Keith Miller  <keith_miller@apple.com>
1352
1353         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
1354         https://bugs.webkit.org/show_bug.cgi?id=198969
1355         <rdar://problem/51620714>
1356
1357         Reviewed by Tadeu Zagallo.
1358
1359         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
1360         (catch):
1361
1362 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1363
1364         Validate that table element type is funcref if using an element section
1365         https://bugs.webkit.org/show_bug.cgi?id=198910
1366
1367         Reviewed by Yusuke Suzuki.
1368
1369         * wasm/references/anyref_table.js:
1370
1371 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
1372
1373         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
1374         https://bugs.webkit.org/show_bug.cgi?id=197378
1375
1376         Reviewed by Saam Barati.
1377
1378         * stress/disposable-call-site-index-with-call-and-this.js: Added.
1379         (foo):
1380         (bar):
1381         * stress/disposable-call-site-index.js: Added.
1382         (foo):
1383         (bar):
1384
1385 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1386
1387         [WASM-References] Add support for Funcref in parameters and return types
1388         https://bugs.webkit.org/show_bug.cgi?id=198157
1389
1390         Reviewed by Yusuke Suzuki.
1391
1392         * wasm/Builder.js:
1393         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1394         * wasm/references/anyref_globals.js:
1395         * wasm/references/func_ref.js: Added.
1396         (fullGC.gc.makeExportedFunction):
1397         (makeExportedIdent):
1398         (makeAnyfuncIdent):
1399         (fun):
1400         (assert.eq.instance.exports.fix.fun):
1401         (assert.eq.instance.exports.fix):
1402         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
1403         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
1404         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
1405         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
1406         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
1407         (assert.throws):
1408         (assert.throws.doTest):
1409         (let.importedFun.of):
1410         (makeAnyfuncIdent.fun):
1411         * wasm/references/validation.js:
1412         (assert.throws):
1413         * wasm/wasm.json:
1414
1415 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
1416
1417         Update test262 tests (2019.06.13)
1418         https://bugs.webkit.org/show_bug.cgi?id=198821
1419
1420         Reviewed by Konstantin Tokarev.
1421
1422         * test262/expectations.yaml:
1423         * test262/harness/:
1424         * test262/latest-changes-summary.txt:
1425         * test262/test/:
1426         * test262/test262-Revision.txt:
1427
1428 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
1429
1430         [JSC] Grown region of WasmTable should be initialized with null
1431         https://bugs.webkit.org/show_bug.cgi?id=198903
1432
1433         Reviewed by Saam Barati.
1434
1435         * wasm/stress/wasm-table-grow-initialize.js: Added.
1436         (shouldBe):
1437
1438 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
1439
1440         Yarr bytecode compilation failure should be gracefully handled
1441         https://bugs.webkit.org/show_bug.cgi?id=198700
1442
1443         Reviewed by Michael Saboff.
1444
1445         * stress/regexp-bytecode-compilation-fail.js: Added.
1446         (shouldThrow):
1447
1448 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
1449
1450         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
1451         https://bugs.webkit.org/show_bug.cgi?id=198770
1452
1453         Reviewed by Saam Barati.
1454
1455         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
1456         (test):
1457
1458 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1459
1460         JSC should throw if proxy set returns falsish in strict mode context
1461         https://bugs.webkit.org/show_bug.cgi?id=177398
1462
1463         Reviewed by Yusuke Suzuki.
1464
1465         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
1466         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
1467
1468         * stress/proxy-set.js: Add 2 test cases.
1469         * stress/regexp-match-proxy.js: Fix test.
1470         * stress/regexp-replace-proxy.js: Fix test.
1471
1472 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1473
1474         Error message for non-callable Proxy `construct` trap is misleading
1475         https://bugs.webkit.org/show_bug.cgi?id=198637
1476
1477         Reviewed by Saam Barati.
1478
1479         * stress/proxy-construct.js:
1480
1481 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
1482
1483         AI BitURShift's result should not be unsigned
1484         https://bugs.webkit.org/show_bug.cgi?id=198689
1485         <rdar://problem/51550063>
1486
1487         Reviewed by Saam Barati.
1488
1489         * stress/urshift-int32-overflow.js: Added.
1490         (foo.):
1491         (foo):
1492
1493 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
1494
1495         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
1496
1497         Unreviewed gardening.
1498
1499         * stress/ftl-gettypedarrayoffset-wasteful.js:
1500         Skipped on arm/linux as it always times out on the bot since a change
1501         between r246270 and r246278 inclusive.
1502
1503 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
1504
1505         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
1506         https://bugs.webkit.org/show_bug.cgi?id=198023
1507
1508         Reviewed by Saam Barati.
1509
1510         * stress/reparsing-unlinked-codeblock.js: Added.
1511         (shouldBe):
1512         (hello):
1513
1514 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
1515
1516         [JSC] Use mergePrediction in ValuePow prediction propagation
1517         https://bugs.webkit.org/show_bug.cgi?id=198648
1518
1519         Reviewed by Saam Barati.
1520
1521         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
1522
1523 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
1524
1525         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
1526         https://bugs.webkit.org/show_bug.cgi?id=198581
1527         <rdar://problem/51099753>
1528
1529         Reviewed by Saam Barati.
1530
1531         * stress/global-object-proto-getter.js: Added.
1532         (f):
1533         (test):
1534
1535 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
1536
1537         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
1538         https://bugs.webkit.org/show_bug.cgi?id=198398
1539
1540         Reviewed by Saam Barati.
1541
1542         * wasm/references/anyref_table.js: Added.
1543         (string_appeared_here.doGCSet):
1544         (doGCTest):
1545         (doGCSet.doGCTest.let.count.0.doBarrierSet):
1546         * wasm/references/anyref_table_import.js: Added.
1547         (makeImport):
1548         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1549         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1550         * wasm/references/is_null_error.js: Removed.
1551         * wasm/references/validation.js: Added.
1552         (assert.throws.new.WebAssembly.Module.bin):
1553         (assert.throws):
1554         * wasm/wasm.json:
1555
1556 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
1557
1558         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
1559         https://bugs.webkit.org/show_bug.cgi?id=198106
1560
1561         Reviewed by Saam Barati.
1562
1563         * wasm/regress/selectf64.js: Added.
1564         * wasm/regress/selectf64.wasm: Added.
1565         * wasm/regress/selectf64.wat: Added.
1566
1567 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
1568
1569         Argument elimination should check transitive dependents for interference
1570         https://bugs.webkit.org/show_bug.cgi?id=198520
1571         <rdar://problem/50863343>
1572
1573         Reviewed by Filip Pizlo.
1574
1575         * stress/argument-elimination-inline-rest-past-kill.js: Added.
1576         (f2):
1577         (f3):
1578
1579 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
1580
1581         Argument elimination should check for negative indices in GetByVal
1582         https://bugs.webkit.org/show_bug.cgi?id=198302
1583         <rdar://problem/51188095>
1584
1585         Reviewed by Filip Pizlo.
1586
1587         * stress/eliminate-arguments-negative-rest-access.js: Added.
1588         (inlinee):
1589         (opt):
1590
1591 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
1592
1593         [ESNext][BigInt] Implement support for "**"
1594         https://bugs.webkit.org/show_bug.cgi?id=190799
1595
1596         Reviewed by Saam Barati.
1597
1598         * stress/big-int-exp-basic.js: Added.
1599         * stress/big-int-exp-jit-osr.js: Added.
1600         * stress/big-int-exp-jit-untyped.js: Added.
1601         * stress/big-int-exp-jit.js: Added.
1602         * stress/big-int-exp-negative-exponent.js: Added.
1603         * stress/big-int-exp-to-primitive.js: Added.
1604         * stress/big-int-exp-type-error.js: Added.
1605         * stress/big-int-exp-wrapped-value.js: Added.
1606         * stress/value-pow-ai-rule.js: Added.
1607
1608 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1609
1610         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
1611         https://bugs.webkit.org/show_bug.cgi?id=197979
1612
1613         Reviewed by Filip Pizlo.
1614
1615         * stress/16bit-code.js: Added.
1616         (shouldBe):
1617         * stress/32bit-code.js: Added.
1618         (shouldBe):
1619
1620 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
1621
1622         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
1623         https://bugs.webkit.org/show_bug.cgi?id=198355
1624
1625         Reviewed by Saam Barati.
1626
1627         * wasm/references/is_null.js:
1628
1629 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
1630
1631         [PlayStation] Skip additional tests on PlayStation
1632         https://bugs.webkit.org/show_bug.cgi?id=198352
1633
1634         Reviewed by Don Olmstead.
1635
1636         Skip pow test on PlayStation due to behavior difference in standard library.
1637         Skip incremental marking test due to OOM on PlayStation systems.
1638
1639         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
1640         * stress/math-pow-with-constants.js:
1641         * stress/pow-with-constants.js:
1642
1643 2019-05-28  Dean Jackson  <dino@apple.com>
1644
1645         Implement Promise.allSettled
1646         https://bugs.webkit.org/show_bug.cgi?id=197600
1647         <rdar://problem/50483885>
1648
1649         Reviewed by Keith Miller.
1650
1651         Start testing Promise.allSettled. We pass most of the tests.
1652         The ones that fail are similar to the Promise.all tests we already fail.
1653
1654         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
1655         * test262/expectations.yaml: Add new expectations for allSettled tests.
1656
1657 2019-05-28  Michael Saboff  <msaboff@apple.com>
1658
1659         [YARR] Properly handle RegExp's that require large ParenContext space
1660         https://bugs.webkit.org/show_bug.cgi?id=198065
1661
1662         Reviewed by Keith Miller.
1663
1664         New test.
1665
1666         * stress/regexp-large-paren-context.js: Added.
1667         (testLargeRegExp):
1668
1669 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
1670
1671         JITOperations putByVal should mark negative array indices as out-of-bounds
1672         https://bugs.webkit.org/show_bug.cgi?id=198271
1673
1674         Reviewed by Saam Barati.
1675
1676         * microbenchmarks/get-by-val-negative-array-index.js:
1677         (foo):
1678         Update the getByVal microbenchmark added in r245769. This now shows that r245769
1679         is 4.2x faster than the previous commit.
1680
1681         * microbenchmarks/put-by-val-negative-array-index.js: Added.
1682         (foo):
1683
1684 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
1685
1686         JITOperations getByVal should mark negative array indices as out-of-bounds
1687         https://bugs.webkit.org/show_bug.cgi?id=198229
1688
1689         Reviewed by Saam Barati.
1690
1691         * microbenchmarks/get-by-val-negative-array-index.js: Added.
1692         (foo):
1693
1694 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
1695
1696         [WASM-References] Support Anyref in globals
1697         https://bugs.webkit.org/show_bug.cgi?id=198102
1698
1699         Reviewed by Saam Barati.
1700
1701         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
1702
1703         * wasm/Builder.js:
1704         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1705         * wasm/Builder_WebAssemblyBinary.js:
1706         (const.putInitExpr):
1707         * wasm/references/anyref_globals.js: Added.
1708         (GetGlobal.0.End.End.WebAssembly):
1709         (5.doGCSet):
1710         (doGCTest):
1711         (doGCSet.doGCTest.let.count.0.doBarrierSet):
1712
1713 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
1714
1715         DFG::OSREntry should not perform arity check
1716         https://bugs.webkit.org/show_bug.cgi?id=198189
1717
1718         Reviewed by Saam Barati.
1719
1720         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
1721         (foo):
1722
1723 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
1724
1725         [PlayStation] Skip additional tests on PlayStation
1726         https://bugs.webkit.org/show_bug.cgi?id=198145
1727
1728         Reviewed by Ross Kirsling.
1729
1730         * exceptionFuzz.yaml:
1731         Add skip on hostOS playstation
1732         * executableAllocationFuzz.yaml:
1733         Add skip on hostOS playstation
1734
1735 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
1736
1737         createListFromArrayLike should throw if value is not an object
1738         https://bugs.webkit.org/show_bug.cgi?id=198138
1739
1740         Reviewed by Yusuke Suzuki.
1741
1742         * stress/create-list-from-array-like-not-object.js: Added.
1743         (testValid):
1744         (testInvalid):
1745         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
1746         (opt):
1747         * stress/proxy-proto-enumerator.js: Added.
1748         (main):
1749         * stress/proxy-proto-own-keys.js: Added.
1750         (assert):
1751         (ownKeys):
1752
1753 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1754
1755         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
1756         https://bugs.webkit.org/show_bug.cgi?id=197809
1757
1758         Reviewed by Michael Saboff.
1759
1760         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
1761         (foo):
1762
1763 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
1764
1765         [ESNext] Implement support for Numeric Separators
1766         https://bugs.webkit.org/show_bug.cgi?id=196351
1767
1768         Reviewed by Keith Miller.
1769
1770         * stress/numeric-literal-separators.js: Added.
1771         Add tests for feature.
1772
1773         * test262/expectations.yaml:
1774         Mark 60 test cases as passing.
1775
1776 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
1777
1778         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
1779         https://bugs.webkit.org/show_bug.cgi?id=198120
1780         <rdar://problem/49668795>
1781
1782         Reviewed by Michael Saboff.
1783
1784         * stress/get-array-length-concurrently-change-mode.js: Added.
1785         (main):
1786
1787 2019-05-22  Commit Queue  <commit-queue@webkit.org>
1788
1789         Unreviewed, rolling out r245634.
1790         https://bugs.webkit.org/show_bug.cgi?id=198140
1791
1792         'This patch makes JSC crash on launch in debug builds'
1793         (Requested by tadeuzagallo on #webkit).
1794
1795         Reverted changeset:
1796
1797         "[ESNext] Implement support for Numeric Separators"
1798         https://bugs.webkit.org/show_bug.cgi?id=196351
1799         https://trac.webkit.org/changeset/245634
1800
1801 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
1802
1803         Stack-buffer-overflow in decodeURIComponent
1804         https://bugs.webkit.org/show_bug.cgi?id=198109
1805         <rdar://problem/50397550>
1806
1807         Reviewed by Michael Saboff.
1808
1809         * stress/decode-uri-icu-count-trail-bytes.js: Added.
1810         (i.j.try.i.toString):
1811         (i.j.catch):
1812
1813 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1814
1815         Don't clear PropertyNameArray in Proxy code
1816         https://bugs.webkit.org/show_bug.cgi?id=197691
1817
1818         Reviewed by Saam Barati.
1819
1820         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
1821         (shouldBe):
1822         (opt):
1823
1824 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
1825
1826         [ESNext] Implement support for Numeric Separators
1827         https://bugs.webkit.org/show_bug.cgi?id=196351
1828
1829         Reviewed by Keith Miller.
1830
1831         * stress/numeric-literal-separators.js: Added.
1832         Add tests for feature.
1833
1834         * test262/expectations.yaml:
1835         Mark 60 test cases as passing.
1836
1837 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1838
1839         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
1840         https://bugs.webkit.org/show_bug.cgi?id=198101
1841
1842         Reviewed by Michael Saboff.
1843
1844         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
1845         (shouldBe):
1846
1847 2019-05-20  Keith Miller  <keith_miller@apple.com>
1848
1849         Cleanup Yarr regexp code around paren contexts.
1850         https://bugs.webkit.org/show_bug.cgi?id=198063
1851
1852         Reviewed by Yusuke Suzuki.
1853
1854         * stress/regexp-many-named-sequential-capture-groups.js: Added.
1855         (i.s):
1856         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
1857
1858 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
1859
1860         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
1861         https://bugs.webkit.org/show_bug.cgi?id=197969
1862
1863         Reviewed by Keith Miller.
1864
1865         Support the anyref type in Builder.js, plus add some extra error logging.
1866         Add new folder for wasm references tests.
1867
1868         * wasm.yaml:
1869         * wasm/Builder.js:
1870         (const._isValidValue):
1871         * wasm/references/anyref_modules.js: Added.
1872         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
1873         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
1874         (Call.3.RefIsNull.End.End.WebAssembly):
1875         (undefined):
1876         * wasm/references/is_null.js: Added.
1877         * wasm/references/is_null_error.js: Added.
1878         * wasm/spec-harness/index.js:
1879         * wasm/wasm.json:
1880
1881 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
1882
1883         [JSC] Invalid AssignmentTargetType should be an early error.
1884         https://bugs.webkit.org/show_bug.cgi?id=197603
1885
1886         Reviewed by Keith Miller.
1887
1888         * test262/expectations.yaml:
1889         Update expectations to reflect new SyntaxErrors.
1890         (Ideally, these should all be viewed as passing in the near future.)
1891
1892         * stress/async-await-basic.js:
1893         * stress/big-int-literals.js:
1894         Update tests to reflect new SyntaxErrors.
1895
1896         * ChakraCore.yaml:
1897         * ChakraCore/test/EH/try6.baseline-jsc:
1898         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
1899         Update baselines to reflect new SyntaxErrors.
1900
1901 2019-05-15  Saam Barati  <sbarati@apple.com>
1902
1903         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
1904         https://bugs.webkit.org/show_bug.cgi?id=197855
1905         <rdar://problem/50236506>
1906
1907         Reviewed by Michael Saboff.
1908
1909         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
1910         (f0):
1911         (bar):
1912         (foo):
1913         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
1914         (f1):
1915         (f2):
1916         (foo):
1917
1918 2019-05-14  Keith Miller  <keith_miller@apple.com>
1919
1920         Fix issue with byteOffset on ARM64E
1921         https://bugs.webkit.org/show_bug.cgi?id=197884
1922
1923         Reviewed by Saam Barati.
1924
1925         We didn't have any tests that run with non-byte/non-zero offset
1926         typed arrays.
1927
1928         * stress/ftl-gettypedarrayoffset-wasteful.js:
1929
1930 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
1931
1932         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
1933         https://bugs.webkit.org/show_bug.cgi?id=197833
1934
1935         Reviewed by Darin Adler.
1936
1937         * stress/generator-name.js: Added.
1938         (shouldBe):
1939         (gen):
1940         (catch):
1941
1942 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
1943
1944         JSObject::getOwnPropertyDescriptor is missing an exception check
1945         https://bugs.webkit.org/show_bug.cgi?id=197693
1946         <rdar://problem/50441784>
1947
1948         Reviewed by Saam Barati.
1949
1950         * stress/proxy-spread.js: Added.
1951         (foo):
1952
1953 2019-05-10  Saam barati  <sbarati@apple.com>
1954
1955         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
1956         https://bugs.webkit.org/show_bug.cgi?id=197807
1957         <rdar://problem/50530400>
1958
1959         Reviewed by Yusuke Suzuki.
1960
1961         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
1962         (test.getInstance):
1963         (test):
1964
1965 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
1966
1967         [Test262] Unreviewed expectations update following r245188.
1968
1969         * test262/config.yaml:
1970         * test262/expectations.yaml:
1971
1972         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
1973         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
1974         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
1975         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
1976         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
1977         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
1978         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
1979         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
1980         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
1981         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
1982         These files have invalid YAML comments. Will also submit corrections back to Test262.
1983
1984 2019-05-10  Keith Miller  <keith_miller@apple.com>
1985
1986         Update test262 tests.
1987
1988         Rubber-stamped by Yusuke Suzuki.
1989
1990         * test262/*: mega-patch too many things to list individually.
1991
1992 2019-05-09  Keith Miller  <keith_miller@apple.com>
1993
1994         Unreviewed, fix test to have a try-catch.
1995
1996         * stress/many-nested-functions-parser-stack-overflow.js:
1997         (catch):
1998
1999 2019-05-09  Keith Miller  <keith_miller@apple.com>
2000
2001         parseStatementListItem needs a stack overflow check
2002         https://bugs.webkit.org/show_bug.cgi?id=197749
2003
2004         Reviewed by Saam Barati.
2005
2006         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2007
2008 2019-05-08  Saam barati  <sbarati@apple.com>
2009
2010         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2011         https://bugs.webkit.org/show_bug.cgi?id=197715
2012         <rdar://problem/50399252>
2013
2014         Reviewed by Filip Pizlo.
2015
2016         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2017         (foo):
2018         (bar):
2019
2020 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2021
2022         Unreviewed, rolling out r245068.
2023
2024         Caused debug layout tests to exit early due to an assertion
2025         failure.
2026
2027         Reverted changeset:
2028
2029         "All prototypes should call didBecomePrototype()"
2030         https://bugs.webkit.org/show_bug.cgi?id=196315
2031         https://trac.webkit.org/changeset/245068
2032
2033 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2034
2035         Invalid DFG JIT generation in high CPU usage state
2036         https://bugs.webkit.org/show_bug.cgi?id=197453
2037
2038         Reviewed by Saam Barati.
2039
2040         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2041         (trigger):
2042         (main):
2043
2044 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2045
2046         All prototypes should call didBecomePrototype()
2047         https://bugs.webkit.org/show_bug.cgi?id=196315
2048
2049         Reviewed by Saam Barati.
2050
2051         This changelog already landed, but the commit was missing the actual changes.
2052
2053         * stress/function-prototype-indexed-accessor.js: Added.
2054
2055 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2056
2057         [BigInt] Add ValueMod into DFG
2058         https://bugs.webkit.org/show_bug.cgi?id=186174
2059
2060         Reviewed by Saam Barati.
2061
2062         * microbenchmarks/mod-untyped.js: Added.
2063         * stress/big-int-mod-osr.js: Added.
2064         * stress/value-div-ai-rule.js: Added.
2065         * stress/value-mod-ai-rule.js: Added.
2066
2067 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2068
2069         [JSC] DFG_ASSERT failed in lowInt52
2070         https://bugs.webkit.org/show_bug.cgi?id=197569
2071
2072         Reviewed by Saam Barati.
2073
2074         * stress/getstack-int52.js: Added.
2075         (opt):
2076         (main):
2077
2078 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2079
2080         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2081         https://bugs.webkit.org/show_bug.cgi?id=197479
2082
2083         Reviewed by Saam Barati.
2084
2085         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2086         (shouldBe):
2087
2088 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2089
2090         TemplateObject passed to template literal tags are not always identical for the same source location.
2091         https://bugs.webkit.org/show_bug.cgi?id=190756
2092
2093         Reviewed by Saam Barati.
2094
2095         * complex.yaml:
2096         * complex/tagged-template-regeneration-after.js: Added.
2097         (shouldBe):
2098         * complex/tagged-template-regeneration.js: Added.
2099         (call):
2100         (test):
2101         * modules/tagged-template-inside-module.js: Added.
2102         (from.string_appeared_here.call):
2103         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2104         (call):
2105         (export.otherTaggedTemplates):
2106         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2107         (shouldBe):
2108         (call):
2109         (poly):
2110         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2111         (shouldBe):
2112         (call):
2113         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2114         (shouldBe):
2115         (call):
2116         (test):
2117         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2118         (shouldBe):
2119         (call):
2120         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2121         (shouldBe):
2122         (call):
2123         * stress/tagged-templates-in-multiple-functions.js: Added.
2124         (shouldBe):
2125         (call):
2126         (a):
2127         (b):
2128         (c):
2129         * stress/tagged-templates-with-same-start-offset.js: Added.
2130         (shouldBe):
2131
2132 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2133
2134         All prototypes should call didBecomePrototype()
2135         https://bugs.webkit.org/show_bug.cgi?id=196315
2136
2137         Reviewed by Saam Barati.
2138
2139         * stress/function-prototype-indexed-accessor.js: Added.
2140
2141 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2142
2143         Unreviewed, rolling out r244978.
2144         https://bugs.webkit.org/show_bug.cgi?id=197671
2145
2146         TemplateObject map should use start/end offsets (Requested by
2147         yusukesuzuki on #webkit).
2148
2149         Reverted changeset:
2150
2151         "TemplateObject passed to template literal tags are not always
2152         identical for the same source location."
2153         https://bugs.webkit.org/show_bug.cgi?id=190756
2154         https://trac.webkit.org/changeset/244978
2155
2156 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2157
2158         tryCachePutByID should not crash if target offset changes
2159         https://bugs.webkit.org/show_bug.cgi?id=197311
2160         <rdar://problem/48033612>
2161
2162         Reviewed by Filip Pizlo.
2163
2164         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
2165         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`.
2166
2167         * stress/cache-put-by-id-delete-prototype.js: Added.
2168         (A.prototype.set y):
2169         (A):
2170         (B.prototype.set y):
2171         (B):
2172         (C):
2173         * stress/cache-put-by-id-different-__proto__.js: Added.
2174         (A.prototype.set y):
2175         (A):
2176         (B1):
2177         (B2.prototype.set y):
2178         (B2):
2179         (C):
2180         (D):
2181         * stress/cache-put-by-id-different-attributes.js: Added.
2182         (Foo):
2183         (set x):
2184         * stress/cache-put-by-id-different-offset.js: Added.
2185         (Foo):
2186         (set x):
2187         * stress/cache-put-by-id-insert-prototype.js: Added.
2188         (A.prototype.set y):
2189         (A):
2190         (C):
2191         * stress/cache-put-by-id-poly-proto.js: Added.
2192         (Foo):
2193         (set _):
2194         (createBar.Bar):
2195         (createBar):
2196
2197 2019-05-07  Saam Barati  <sbarati@apple.com>
2198
2199         Don't OSR enter into an FTL CodeBlock that has been jettisoned
2200         https://bugs.webkit.org/show_bug.cgi?id=197531
2201         <rdar://problem/50162379>
2202
2203         Reviewed by Yusuke Suzuki.
2204
2205         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2206
2207 2019-05-06  Dean Jackson  <dino@apple.com>
2208
2209         Update test262 expectations for Proxy passes
2210         https://bugs.webkit.org/show_bug.cgi?id=197628
2211
2212         Reviewed by Yusuke Suzuki.
2213
2214         There are two consistent passes in Proxy.ownKeys.
2215
2216         * test262/expectations.yaml:
2217
2218 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2219
2220         [JSC] We should check OOM for description string of Symbol
2221         https://bugs.webkit.org/show_bug.cgi?id=197634
2222
2223         Reviewed by Keith Miller.
2224
2225         * stress/check-symbol-description-oom.js: Added.
2226         (shouldThrow):
2227
2228 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2229
2230         Unreviewed, land one more test
2231         https://bugs.webkit.org/show_bug.cgi?id=197587
2232
2233         * stress/setter-frame-flush.js: Added.
2234         (setter):
2235         (foo):
2236         (bar):
2237
2238 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2239
2240         TemplateObject passed to template literal tags are not always identical for the same source location.
2241         https://bugs.webkit.org/show_bug.cgi?id=190756
2242
2243         Reviewed by Saam Barati.
2244
2245         * complex.yaml:
2246         * complex/tagged-template-regeneration-after.js: Added.
2247         (shouldBe):
2248         * complex/tagged-template-regeneration.js: Added.
2249         (call):
2250         (test):
2251         * modules/tagged-template-inside-module.js: Added.
2252         (from.string_appeared_here.call):
2253         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2254         (call):
2255         (export.otherTaggedTemplates):
2256         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2257         (shouldBe):
2258         (call):
2259         (poly):
2260         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2261         (shouldBe):
2262         (call):
2263         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2264         (shouldBe):
2265         (call):
2266         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2267         (shouldBe):
2268         (call):
2269         * stress/tagged-templates-in-multiple-functions.js: Added.
2270         (shouldBe):
2271         (call):
2272         (a):
2273         (b):
2274         (c):
2275
2276 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
2277
2278         [PlayStation] JSC Stress tests failing due to timezone printing
2279         https://bugs.webkit.org/show_bug.cgi?id=197615
2280
2281         PlayStation's strftime does not give timezone strings, which
2282         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
2283         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
2284         which causes diff failures with the expectations. Add expectations
2285         without the timezone string and use those on playstation.
2286
2287         Reviewed by Ross Kirsling.
2288
2289         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
2290         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
2291         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
2292         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
2293
2294 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2295
2296         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
2297         https://bugs.webkit.org/show_bug.cgi?id=197587
2298
2299         Reviewed by Sam Weinig.
2300
2301         This patch adds more tests to r244939. It also inlines setter calls, and eventually sees that no PutStack is emitted because MovHint's KillStack kills it.
2302
2303         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
2304
2305 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
2306
2307         TypedArrays should not store properties that are canonical numeric indices
2308         https://bugs.webkit.org/show_bug.cgi?id=197228
2309         <rdar://problem/49557381>
2310
2311         Reviewed by Saam Barati.
2312
2313         * stress/array-species-config-array-constructor.js:
2314         (test):
2315         * stress/put-direct-index-broken-2.js:
2316         * stress/typed-array-canonical-numeric-index-string.js: Added.
2317         (makeTest.assert):
2318         (makeTest):
2319         (const.testInvalidIndices.makeTest.set assert):
2320         (const.testInvalidIndices.makeTest):
2321         (const.makeTestValidIndex.configurable.set assert):
2322         (const.makeTestValidIndex.configurable):
2323         * stress/typedarray-access-monomorphic-neutered.js:
2324         (checkNoException):
2325         (testNoException):
2326         (testFTLNoException):
2327         * stress/typedarray-access-neutered.js:
2328         (testNoException):
2329         * stress/typedarray-getownproperty-not-configurable.js:
2330         (foo):
2331         * test262/expectations.yaml:
2332
2333 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2334
2335         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
2336         https://bugs.webkit.org/show_bug.cgi?id=197584
2337
2338         Reviewed by Saam Barati.
2339
2340         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
2341         (X):
2342         (foo):
2343
2344 2019-05-03  Michael Saboff  <msaboff@apple.com>
2345
2346         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
2347         https://bugs.webkit.org/show_bug.cgi?id=197586
2348
2349         Reviewed by Keith Miller.
2350
2351         We should only run one config of this test and only when we think we'll have the memory.
2352
2353         * stress/json-stringify-string-builder-overflow.js:
2354
2355 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2356
2357         [JSC] Generator CodeBlock generation should be idempotent
2358         https://bugs.webkit.org/show_bug.cgi?id=197552
2359
2360         Reviewed by Keith Miller.
2361
2362         Add complex.yaml, which controls how to run JSC shell more.
2363         We split test files into two to run macro task between them which allows debugger to be attached to VM.
2364
2365         * complex.yaml: Added.
2366         * complex/generator-regeneration-after.js: Added.
2367         * complex/generator-regeneration.js: Added.
2368         (gen):
2369
2370 2019-05-02  Michael Saboff  <msaboff@apple.com>
2371
2372         Unreviewed rollout of r244862.
2373
2374         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
2375
2376 2019-05-01  Saam barati  <sbarati@apple.com>
2377
2378         Baseline JIT should do argument value profiling after checking for stack overflow
2379         https://bugs.webkit.org/show_bug.cgi?id=197052
2380         <rdar://problem/50009602>
2381
2382         Reviewed by Yusuke Suzuki.
2383
2384         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
2385
2386 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
2387
2388         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
2389         https://bugs.webkit.org/show_bug.cgi?id=197405
2390
2391         Reviewed by Saam Barati.
2392
2393         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
2394         (foo):
2395         (test):
2396         (i.o.get f):
2397         (i.o.set f):
2398
2399 2019-05-01  Michael Saboff  <msaboff@apple.com>
2400
2401         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
2402         https://bugs.webkit.org/show_bug.cgi?id=197485
2403
2404         Reviewed by Saam Barati.
2405
2406         New test.
2407
2408         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
2409         (foo):
2410
2411 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
2412
2413         Unreviewed correction to Test262 expectations following r244828.
2414
2415         * test262/expectations.yaml:
2416
2417 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
2418
2419         Add memory-limited skipping to some tests generating very large strings
2420         https://bugs.webkit.org/show_bug.cgi?id=197437
2421
2422         Reviewed by Ross Kirsling.
2423
2424         * stress/StringObject-define-length-getter-rope-string-oom.js:
2425         * stress/create-error-out-of-memory-rope-string.js:
2426         * stress/string-16bit-repeat-overflow.js:
2427
2428 2019-04-30  Commit Queue  <commit-queue@webkit.org>
2429
2430         Unreviewed, rolling out r244806.
2431         https://bugs.webkit.org/show_bug.cgi?id=197446
2432
2433         Causing Test262 and JSC test failures on multiple builds
2434         (Requested by ShawnRoberts on #webkit).
2435
2436         Reverted changeset:
2437
2438         "TypeArrays should not store properties that are canonical
2439         numeric indices"
2440         https://bugs.webkit.org/show_bug.cgi?id=197228
2441         https://trac.webkit.org/changeset/244806
2442
2443 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
2444
2445         TypeArrays should not store properties that are canonical numeric indices
2446         https://bugs.webkit.org/show_bug.cgi?id=197228
2447         <rdar://problem/49557381>
2448
2449         Reviewed by Darin Adler.
2450
2451         * stress/typed-array-canonical-numeric-index-string.js: Added.
2452         (makeTest.assert):
2453         (makeTest):
2454         (const.testInvalidIndices.makeTest.set assert):
2455         (const.testInvalidIndices.makeTest):
2456         (const.testValidIndices.makeTest.set assert):
2457         (const.testValidIndices.makeTest):
2458
2459 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
2460
2461         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
2462         https://bugs.webkit.org/show_bug.cgi?id=197362
2463
2464         Reviewed by Saam Barati.
2465
2466         * stress/map-with-nan.js: Added.
2467         (shouldBe):
2468         (div):
2469         (NaN1):
2470         (NaN2):
2471         (NaN3):
2472         (NaN4):
2473         (NaN1NoInline):
2474         (NaN2NoInline):
2475         (NaN3NoInline):
2476         (NaN4NoInline):
2477         (test1):
2478         (test2):
2479         (test3):
2480         (test4):
2481         * stress/set-with-nan.js: Added.
2482         (shouldBe):
2483         (div):
2484         (NaN1):
2485         (NaN2):
2486         (NaN3):
2487         (NaN4):
2488         (NaN1NoInline):
2489         (NaN2NoInline):
2490         (NaN3NoInline):
2491         (NaN4NoInline):
2492         (test2):
2493         (test4):
2494
2495 2019-04-26  Commit Queue  <commit-queue@webkit.org>
2496
2497         Unreviewed, rolling out r244708.
2498         https://bugs.webkit.org/show_bug.cgi?id=197334
2499
2500         "Broke the debug build" (Requested by rmorisset on #webkit).
2501
2502         Reverted changeset:
2503
2504         "All prototypes should call didBecomePrototype()"
2505         https://bugs.webkit.org/show_bug.cgi?id=196315
2506         https://trac.webkit.org/changeset/244708
2507
2508 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
2509
2510         [JSC] linkPolymorphicCall now does GC
2511         https://bugs.webkit.org/show_bug.cgi?id=197306
2512
2513         Reviewed by Saam Barati.
2514
2515         * stress/link-polymorphic-call-can-gc.js: Added.
2516         (module):
2517         (instance):
2518
2519 2019-04-26  Robin Morisset  <rmorisset@apple.com>
2520
2521         All prototypes should call didBecomePrototype()
2522         https://bugs.webkit.org/show_bug.cgi?id=196315
2523
2524         Reviewed by Saam Barati.
2525
2526         * stress/function-prototype-indexed-accessor.js: Added.
2527
2528 2019-04-23  Saam Barati  <sbarati@apple.com>
2529
2530         LICM incorrectly assumes it'll never insert a node which provably OSR exits
2531         https://bugs.webkit.org/show_bug.cgi?id=196721
2532         <rdar://problem/49556479> 
2533
2534         Reviewed by Filip Pizlo.
2535
2536         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
2537         (foo):
2538
2539 2019-04-19  Saam Barati  <sbarati@apple.com>
2540
2541         AbstractValue can represent more than int52
2542         https://bugs.webkit.org/show_bug.cgi?id=197118
2543         <rdar://problem/49969960>
2544
2545         Reviewed by Michael Saboff.
2546
2547         * stress/abstract-value-can-include-int52.js: Added.
2548         (foo):
2549         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
2550
2551 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
2552
2553         [WTF] StringBuilder should set correct m_is8Bit flag when merging
2554         https://bugs.webkit.org/show_bug.cgi?id=197053
2555
2556         Reviewed by Saam Barati.
2557
2558         * stress/merge-string-builder-in-dfg.js: Added.
2559         (foo):
2560
2561 2019-04-16  Caitlin Potter  <caitp@igalia.com>
2562
2563         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2564         https://bugs.webkit.org/show_bug.cgi?id=176810
2565
2566         Reviewed by Saam Barati.
2567
2568         Add tests for the DontEnum filtering, and variations of other tests
2569         take the DontEnum-filtering path.
2570
2571         * stress/proxy-own-keys.js:
2572         (i.catch):
2573         (set assert):
2574         (set add):
2575         (let.set new):
2576         (get let):
2577
2578 2019-04-15  Saam barati  <sbarati@apple.com>
2579
2580         Modify how we do SetArgument when we inline varargs calls
2581         https://bugs.webkit.org/show_bug.cgi?id=196712
2582         <rdar://problem/49605012>
2583
2584         Reviewed by Michael Saboff.
2585
2586         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
2587         (foo):
2588
2589 2019-04-15  Saam barati  <sbarati@apple.com>
2590
2591         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
2592         https://bugs.webkit.org/show_bug.cgi?id=196945
2593         <rdar://problem/49802750>
2594
2595         Reviewed by Filip Pizlo.
2596
2597         * stress/get-by-offset-should-use-correct-child.js: Added.
2598         (foo.bar):
2599         (foo):
2600
2601 2019-04-15  Robin Morisset  <rmorisset@apple.com>
2602
2603         DFG should be able to constant fold Object.create() with a constant prototype operand
2604         https://bugs.webkit.org/show_bug.cgi?id=196886
2605
2606         Reviewed by Yusuke Suzuki.
2607
2608         Note that this new benchmark does not currently see a speedup with inlining removed.
2609         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
2610
2611         * microbenchmarks/object-create-constant-prototype.js: Added.
2612         (test):
2613
2614 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
2615
2616         Incremental bytecode cache should not append function updates when loaded from memory
2617         https://bugs.webkit.org/show_bug.cgi?id=196865
2618
2619         Reviewed by Filip Pizlo.
2620
2621         * stress/bytecode-cache-shared-code-block.js: Added.
2622         (b):
2623         (program):
2624
2625 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
2626
2627         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
2628         https://bugs.webkit.org/show_bug.cgi?id=196880
2629
2630         Reviewed by Yusuke Suzuki.
2631
2632         * stress/bytecode-cache-syntax-error.js: Added.
2633         (catch):
2634
2635 2019-04-12  Saam barati  <sbarati@apple.com>
2636
2637         r244079 logically broke shouldSpeculateInt52
2638         https://bugs.webkit.org/show_bug.cgi?id=196884
2639
2640         Reviewed by Yusuke Suzuki.
2641
2642         * microbenchmarks/int52-rand-function.js: Added.
2643         (Math.random):
2644
2645 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
2646
2647         [JSC] op_has_indexed_property should not assume subscript part is Uint32
2648         https://bugs.webkit.org/show_bug.cgi?id=196850
2649
2650         Reviewed by Saam Barati.
2651
2652         * stress/has-indexed-property-should-accept-non-int32.js: Added.
2653         (foo):
2654
2655 2019-04-11  Saam barati  <sbarati@apple.com>
2656
2657         Remove invalid assertion in operationInstanceOfCustom
2658         https://bugs.webkit.org/show_bug.cgi?id=196842
2659         <rdar://problem/49725493>
2660
2661         Reviewed by Michael Saboff.
2662
2663         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
2664
2665 2019-04-10  Saam Barati  <sbarati@apple.com>
2666
2667         AbstractValue::validateOSREntryValue is wrong for Int52 constants
2668         https://bugs.webkit.org/show_bug.cgi?id=196801
2669         <rdar://problem/49771122>
2670
2671         Reviewed by Yusuke Suzuki.
2672
2673         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
2674
2675 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2676
2677         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
2678         https://bugs.webkit.org/show_bug.cgi?id=196746
2679
2680         Reviewed by Yusuke Suzuki.
2681
2682         * stress/cyclic-define-properties.js: Added.
2683         (foo):
2684
2685 2019-04-09  Saam barati  <sbarati@apple.com>
2686
2687         Clean up Int52 code and some bugs in it
2688         https://bugs.webkit.org/show_bug.cgi?id=196639
2689         <rdar://problem/49515757>
2690
2691         Reviewed by Yusuke Suzuki.
2692
2693         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
2694
2695 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
2696
2697         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
2698         https://bugs.webkit.org/show_bug.cgi?id=196708
2699         <rdar://problem/49556803>
2700
2701         Reviewed by Yusuke Suzuki.
2702
2703         * stress/proxy-getter-stack-overflow.js: Added.
2704         (const.handler.get target):
2705         (const.handler.has):
2706         (try.with):
2707         (catch):
2708
2709 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2710
2711         [JSC] DFG should respect node's strict flag
2712         https://bugs.webkit.org/show_bug.cgi?id=196617
2713
2714         Reviewed by Saam Barati.
2715
2716         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
2717         (shouldEqual):
2718         (makeUnwriteableUnconfigurableObject):
2719         (runTest):
2720         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
2721         (shouldBe):
2722         (shouldThrow):
2723         (with.result):
2724         (with.putValueStrict):
2725         (with.putValueSloppy):
2726
2727 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2728
2729         [JSC] isRope jump in StringSlice should not jump over register allocations
2730         https://bugs.webkit.org/show_bug.cgi?id=196716
2731
2732         Reviewed by Saam Barati.
2733
2734         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
2735         (foo.bar):
2736         (foo):
2737
2738 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2739
2740         [JSC] to_index_string should not assume incoming value is Uint32
2741         https://bugs.webkit.org/show_bug.cgi?id=196713
2742
2743         Reviewed by Saam Barati.
2744
2745         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
2746         (foo):
2747
2748 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2749
2750         [JSC] Add more tests for r243966
2751         https://bugs.webkit.org/show_bug.cgi?id=196711
2752
2753         Reviewed by Saam Barati.
2754
2755         Adding one more test for r243966 fix. The added test will not crash after r243966.
2756
2757         * stress/stress-cleared-calllinkinfo.js: Added.
2758         (runNearStackLimit.t):
2759         (runNearStackLimit):
2760         (repeat):
2761         (cls):
2762         (let.item.of.array.runNearStackLimit):
2763
2764 2019-04-08  Saam Barati  <sbarati@apple.com>
2765
2766         WebAssembly.RuntimeError missing exception check
2767         https://bugs.webkit.org/show_bug.cgi?id=196700
2768         <rdar://problem/49693932>
2769
2770         Reviewed by Yusuke Suzuki.
2771
2772         * wasm/js-api/runtime-error-should-exception-check.js: Added.
2773
2774 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2775
2776         Unreviewed, rolling in r243948 with test fix
2777         https://bugs.webkit.org/show_bug.cgi?id=196486
2778
2779         * stress/arrow-function-and-use-strict-directive.js: Added.
2780         * stress/arrow-function-syntax.js: Added.
2781         (checkSyntax):
2782         (checkSyntaxError):
2783
2784 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2785
2786         Unreviewed, rolling out r243948.
2787
2788         Caused inspector/runtime/parse.html to fail
2789
2790         Reverted changeset:
2791
2792         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
2793         https://bugs.webkit.org/show_bug.cgi?id=196486
2794         https://trac.webkit.org/changeset/243948
2795
2796 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2797
2798         Unreviewed, rolling out r243943.
2799
2800         Caused test262 failures.
2801
2802         Reverted changeset:
2803
2804         "[JSC] Filter DontEnum properties in
2805         ProxyObject::getOwnPropertyNames()"
2806         https://bugs.webkit.org/show_bug.cgi?id=176810
2807         https://trac.webkit.org/changeset/243943
2808
2809 2019-04-07  Michael Saboff  <msaboff@apple.com>
2810
2811         REGRESSION (r243642): Crash in reddit.com page
2812         https://bugs.webkit.org/show_bug.cgi?id=196684
2813
2814         Reviewed by Geoffrey Garen.
2815
2816         New regression test.
2817
2818         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
2819
2820 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
2821
2822         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
2823         https://bugs.webkit.org/show_bug.cgi?id=196683
2824
2825         Reviewed by Saam Barati.
2826
2827         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
2828         (foo):
2829
2830 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2831
2832         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
2833         https://bugs.webkit.org/show_bug.cgi?id=196582
2834
2835         Reviewed by Saam Barati.
2836
2837         * stress/add-overflow-check-with-three-same-registers.js: Added.
2838         (foo):
2839         (Number.prototype.valueOf):
2840         (runWithNumber):
2841
2842 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
2843
2844         Unreviewed, rolling out r243665.
2845
2846         Caused iOS JSC tests to exit with an exception.
2847
2848         Reverted changeset:
2849
2850         "Assertion failed in JSC::createError"
2851         https://bugs.webkit.org/show_bug.cgi?id=196305
2852         https://trac.webkit.org/changeset/243665
2853
2854 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2855
2856         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
2857         https://bugs.webkit.org/show_bug.cgi?id=196486
2858
2859         Reviewed by Saam Barati.
2860
2861         * stress/arrow-function-and-use-strict-directive.js: Added.
2862         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
2863         (checkSyntax):
2864         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
2865
2866 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2867
2868         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2869         https://bugs.webkit.org/show_bug.cgi?id=176810
2870
2871         Reviewed by Saam Barati.
2872
2873         Add tests for the DontEnum filtering, and variations of other tests
2874         take the DontEnum-filtering path.
2875
2876         * stress/proxy-own-keys.js:
2877         (i.catch):
2878         (set assert):
2879         (set add):
2880         (let.set new):
2881         (get let):
2882
2883 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2884
2885         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
2886         https://bugs.webkit.org/show_bug.cgi?id=185211
2887
2888         Reviewed by Saam Barati.
2889
2890         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
2891
2892         This changes several assertions to expect a TypeError to be thrown (in some cases,
2893         changing the expected message).
2894
2895         * es6/Proxy_ownKeys_duplicates.js:
2896         (handler):
2897         (shouldThrow):
2898         (test):
2899         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
2900         (shouldThrow):
2901         * stress/proxy-own-keys.js:
2902         (i.catch):
2903         (assert):
2904
2905 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2906
2907         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
2908         https://bugs.webkit.org/show_bug.cgi?id=196631
2909
2910         Reviewed by Saam Barati.
2911
2912         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
2913         (assert):
2914         (test):
2915         (foo):
2916
2917 2019-04-04  Saam Barati  <sbarati@apple.com>
2918
2919         Unreviewed. Make the test from r243906 catch the thrown exceptions.
2920
2921         * stress/inferred-types-regex-matches-array.js:
2922
2923 2019-04-04  Saam Barati  <sbarati@apple.com>
2924
2925         createRegExpMatchesArray does not respect inferred types
2926         https://bugs.webkit.org/show_bug.cgi?id=193287
2927
2928         Reviewed by Yusuke Suzuki.
2929
2930         This checks in the test case for 193287. This issue was discovered by
2931         Samuel Groß of Google Project Zero.
2932
2933         * stress/inferred-types-regex-matches-array.js: Added.
2934
2935 2019-04-04  Saam barati  <sbarati@apple.com>
2936
2937         Teach Call ICs how to call Wasm
2938         https://bugs.webkit.org/show_bug.cgi?id=196387
2939
2940         Reviewed by Filip Pizlo.
2941
2942         * wasm/function-tests/stack-trace.js:
2943
2944 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
2945
2946         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
2947         https://bugs.webkit.org/show_bug.cgi?id=194944
2948
2949         Reviewed by Keith Miller.
2950
2951         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
2952
2953 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
2954
2955         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
2956         https://bugs.webkit.org/show_bug.cgi?id=196409
2957
2958         Reviewed by Saam Barati.
2959
2960         * stress/bytecode-cache-cached-string-impl.js: Added.
2961         (f):
2962         (g):
2963         * stress/bytecode-cache-run-string.js: Added.
2964
2965 2019-04-03  Robin Morisset  <rmorisset@apple.com>
2966
2967         B3 should use associativity to optimize expression trees
2968         https://bugs.webkit.org/show_bug.cgi?id=194081
2969
2970         Reviewed by Filip Pizlo.
2971
2972         Added three microbenchmarks:
2973         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
2974         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
2975           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
2976         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
2977
2978         * microbenchmarks/add-tree.js: Added.
2979         * microbenchmarks/bit-or-tree.js: Added.
2980         * microbenchmarks/bit-xor-tree.js: Added.
2981
2982 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2983
2984         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
2985         https://bugs.webkit.org/show_bug.cgi?id=196574
2986
2987         Reviewed by Saam Barati.
2988
2989         * stress/string-index-of-exception-check.js: Added.
2990         (blurType):
2991         (1.forEach):
2992
2993 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2994
2995         Assertion failed in JSC::createError
2996         https://bugs.webkit.org/show_bug.cgi?id=196305
2997         <rdar://problem/49387382>
2998
2999         Reviewed by Saam Barati.
3000
3001         * stress/create-error-out-of-memory-rope-string-2.js: Added.
3002         (assert):
3003         (catch):
3004
3005 2019-03-28  Saam Barati  <sbarati@apple.com>
3006
3007         BackwardsGraph needs to consider back edges as the backward's root successor
3008         https://bugs.webkit.org/show_bug.cgi?id=195991
3009
3010         Reviewed by Filip Pizlo.
3011
3012         * stress/map-b3-licm-infinite-loop.js: Added.
3013
3014 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
3015
3016         CodeBlock::jettison() should disallow repatching its own calls
3017         https://bugs.webkit.org/show_bug.cgi?id=196359
3018         <rdar://problem/48973663>
3019
3020         Reviewed by Saam Barati.
3021
3022         * stress/call-link-info-osrexit-repatch.js: Added.
3023         (foo):
3024
3025 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
3026
3027         [JSC] imports-oom.js intermittently fails
3028         https://bugs.webkit.org/show_bug.cgi?id=196373
3029
3030         Reviewed by Saam Barati.
3031
3032         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
3033         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
3034         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
3035         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomizes the amount of executable memory used by the generated wasm module,
3036         imports-oom.js intermittently fails when it first generates a large wasm module which cannot be compiled.
3037
3038         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounters
3039         an expected OOM error. But this avoids the situation that we get an OOM error when we compile the first wasm module.
3040
3041         * wasm/lowExecutableMemory/imports-oom.js:
3042
3043 2019-03-27  Saam Barati  <sbarati@apple.com>
3044
3045         validateOSREntryValue with Int52 should box the value being checked into double format
3046         https://bugs.webkit.org/show_bug.cgi?id=196313
3047         <rdar://problem/49306703>
3048
3049         Reviewed by Yusuke Suzuki.
3050
3051         * stress/validate-int-52-ai-state.js: Added.
3052
3053 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3054
3055         [JSC] Owner of watchpoints should validate at GC finalizing phase
3056         https://bugs.webkit.org/show_bug.cgi?id=195827
3057
3058         Reviewed by Filip Pizlo.
3059
3060         * stress/gc-should-reap-dead-watchpoints.js: Added.
3061         (foo):
3062         (A.prototype.y):
3063         (A):
3064
3065 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
3066
3067         Skip WebAssembly test on 32-bit systems
3068         https://bugs.webkit.org/show_bug.cgi?id=196206
3069
3070         Reviewed by Saam Barati.
3071
3072         Invoking runDefault executes test immediately even though
3073         that test should be skipped due to missing WASM support.
3074         Therefore remove runDefault.
3075
3076         * wasm/regress/web-assembly-link-error-exception-check.js:
3077
3078 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
3079
3080         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
3081         https://bugs.webkit.org/show_bug.cgi?id=196217
3082
3083         Reviewed by Saam Barati.
3084
3085         Re-enable all NaN tests for f32.min, f64.min and f64.max.
3086
3087         * wasm/spec-tests/f32.wast.js:
3088         * wasm/spec-tests/f64.wast.js:
3089         * wasm/wasm.json:
3090
3091 2019-03-25  Keith Miller  <keith_miller@apple.com>
3092
3093         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
3094         https://bugs.webkit.org/show_bug.cgi?id=196176
3095
3096         Reviewed by Saam Barati.
3097
3098         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
3099         (main.v10):
3100         (main):
3101
3102 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
3103
3104         WebAssembly: f32.max with NaN generates incorrect result
3105         https://bugs.webkit.org/show_bug.cgi?id=175691
3106         <rdar://problem/33952228>
3107
3108         Reviewed by Saam Barati.
3109
3110         Enable all f32.max NaN tests
3111
3112         * wasm/spec-tests/f32.wast.js:
3113         * wasm/wasm.json:
3114
3115 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
3116
3117         [JSC] Move test into directory for WASM tests
3118         https://bugs.webkit.org/show_bug.cgi?id=196187
3119
3120         Reviewed by Mark Lam.
3121
3122         Move Test into wasm-directory. Otherwise this test
3123         is also executed on systems without WASM support.
3124
3125         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
3126
3127 2019-03-23  Mark Lam  <mark.lam@apple.com>
3128
3129         Rolling out r243032 and r243071 because the fix is incorrect.
3130         https://bugs.webkit.org/show_bug.cgi?id=195892
3131         <rdar://problem/48981239>
3132
3133         Not reviewed.
3134
3135         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
3136
3137 2019-03-22  Mark Lam  <mark.lam@apple.com>
3138
3139         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
3140         https://bugs.webkit.org/show_bug.cgi?id=196154
3141         <rdar://problem/49145307>
3142
3143         Reviewed by Filip Pizlo.
3144
3145         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
3146         There's no need to run this test on more than 1 test configuration.
3147
3148         * stress/typed-array-lastIndexOf-exception-check.js: Added.
3149         * stress/web-assembly-link-error-exception-check.js:
3150
3151 2019-03-22  Mark Lam  <mark.lam@apple.com>
3152
3153         Placate exception check validation in constructJSWebAssemblyLinkError().
3154         https://bugs.webkit.org/show_bug.cgi?id=196152
3155         <rdar://problem/49145257>
3156
3157         Reviewed by Michael Saboff.
3158
3159         * stress/web-assembly-link-error-exception-check.js: Added.
3160
3161 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3162
3163         Skip tests running out of memory on ARM/MIPS
3164         https://bugs.webkit.org/show_bug.cgi?id=196131
3165
3166         Unreviewed. Skip test if memory is limited.
3167
3168         * microbenchmarks/put-by-val-direct-large-index.js:
3169
3170 2019-03-21  Mark Lam  <mark.lam@apple.com>
3171
3172         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
3173         https://bugs.webkit.org/show_bug.cgi?id=196116
3174         <rdar://problem/48976951>
3175
3176         Reviewed by Filip Pizlo.
3177
3178         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
3179
3180 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3181
3182         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3183         https://bugs.webkit.org/show_bug.cgi?id=196078
3184         <rdar://problem/35925380>
3185
3186         Reviewed by Mark Lam.
3187
3188         Add a new benchmark that allocates several objects and invokes put_by_val_direct
3189         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
3190
3191         * microbenchmarks/put-by-val-direct-large-index.js: Added.
3192
3193 2019-03-21  Mark Lam  <mark.lam@apple.com>
3194
3195         Placate exception check validation in operationArrayIndexOfString().
3196         https://bugs.webkit.org/show_bug.cgi?id=196067
3197         <rdar://problem/49056572>
3198
3199         Reviewed by Michael Saboff.
3200
3201         * stress/string-equal-exception-check.js: Added.
3202
3203 2019-03-21  Mark Lam  <mark.lam@apple.com>
3204
3205         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3206         https://bugs.webkit.org/show_bug.cgi?id=196055
3207         <rdar://problem/49067448>
3208
3209         Reviewed by Yusuke Suzuki.
3210
3211         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
3212
3213 2019-03-20  Saam Barati  <sbarati@apple.com>
3214
3215         typeOfDoubleSum is wrong for when NaN can be produced
3216         https://bugs.webkit.org/show_bug.cgi?id=196030
3217
3218         Reviewed by Filip Pizlo.
3219
3220         * stress/double-add-sub-mul-can-produce-nan.js: Added.
3221         (assert):
3222         (noInline.sub):
3223         (noInline):
3224         (assert.mul):
3225         (assert.add):
3226
3227 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3228
3229         Update the test to ensure OutOfMemoryError is thrown as intended
3230         https://bugs.webkit.org/show_bug.cgi?id=196032
3231         <rdar://problem/46842740>
3232
3233         Rubber stamped by Saam Barati.
3234
3235         * stress/create-error-out-of-memory-rope-string.js:
3236         (assert):
3237         (catch):
3238
3239 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3240
3241         JSC::createError needs to check for OOM in errorDescriptionForValue
3242         https://bugs.webkit.org/show_bug.cgi?id=196032
3243         <rdar://problem/46842740>
3244
3245         Reviewed by Mark Lam.
3246
3247         * stress/create-error-out-of-memory-rope-string.js: Added.
3248
3249 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
3250
3251         Unreviewed, reduce # of iterations to avoid timing out after r242991
3252         https://bugs.webkit.org/show_bug.cgi?id=195791
3253
3254         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
3255
3256         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3257
3258 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3259
3260         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
3261         https://bugs.webkit.org/show_bug.cgi?id=195950
3262
3263         Unreviewed, reducing the amount of memory used on this test to avoid
3264         OOM on devices with memory restrictions.
3265
3266         * microbenchmarks/generate-multiple-llint-entrypoints.js:
3267
3268 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3269
3270         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
3271         https://bugs.webkit.org/show_bug.cgi?id=194648
3272
3273         Reviewed by Keith Miller.
3274
3275         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
3276
3277 2019-03-18  Mark Lam  <mark.lam@apple.com>
3278
3279         Missing a ThrowScope release in JSObject::toString().
3280         https://bugs.webkit.org/show_bug.cgi?id=195893
3281         <rdar://problem/48970986>
3282
3283         Reviewed by Michael Saboff.
3284
3285         * stress/to-string-exception-check-release.js: Added.
3286
3287 2019-03-18  Mark Lam  <mark.lam@apple.com>
3288
3289         Structure::flattenDictionary() should clear unused property slots.
3290         https://bugs.webkit.org/show_bug.cgi?id=195871
3291         <rdar://problem/48959497>
3292
3293         Reviewed by Michael Saboff.
3294
3295         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
3296
3297 2019-03-15  Mark Lam  <mark.lam@apple.com>
3298
3299         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
3300         https://bugs.webkit.org/show_bug.cgi?id=195827
3301         <rdar://problem/48845513>
3302
3303         Reviewed by Filip Pizlo.
3304
3305         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
3306
3307 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
3308
3309         [ARM,MIPS] Skip slow tests
3310         https://bugs.webkit.org/show_bug.cgi?id=195799
3311
3312         Unreviewed, test does not finish on ARM and MIPS within the
3313         timeout limit.
3314
3315         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3316
3317 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
3318
3319         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
3320         https://bugs.webkit.org/show_bug.cgi?id=195791
3321         <rdar://problem/48806130>
3322
3323         Reviewed by Mark Lam.
3324
3325         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
3326         (foo):
3327
3328 2019-03-14  Saam barati  <sbarati@apple.com>
3329
3330         We can't remove code after ForceOSRExit until after FixupPhase
3331         https://bugs.webkit.org/show_bug.cgi?id=186916
3332         <rdar://problem/41396612>
3333
3334         Reviewed by Yusuke Suzuki.
3335
3336         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
3337         (foo):
3338         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
3339         (foo):
3340
3341 2019-03-13  Michael Saboff  <msaboff@apple.com>
3342
3343         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
3344         https://bugs.webkit.org/show_bug.cgi?id=195735
3345
3346         Reviewed by Mark Lam.
3347
3348         New regression test.
3349
3350         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
3351         (foo):
3352         (bar):
3353
3354 2019-03-14  Saam barati  <sbarati@apple.com>
3355
3356         Fixup uses KnownInt32 incorrectly in some nodes
3357         https://bugs.webkit.org/show_bug.cgi?id=195279
3358         <rdar://problem/47915654>
3359
3360         Reviewed by Yusuke Suzuki.
3361
3362         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
3363         (foo):
3364
3365 2019-03-14  Keith Miller  <keith_miller@apple.com>
3366
3367         DFG liveness can't skip tail caller inline frames
3368         https://bugs.webkit.org/show_bug.cgi?id=195715
3369
3370         Reviewed by Saam Barati.
3371
3372         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
3373         (i.foo):
3374
3375 2019-03-13  Mark Lam  <mark.lam@apple.com>
3376
3377         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
3378         https://bugs.webkit.org/show_bug.cgi?id=195415
3379
3380         Not reviewed.
3381
3382         Changed these tests to only run the default configuration.
3383         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
3384         There's no strong need to run this test on that variant.
3385
3386         * stress/dfg-to-string-on-int-does-gc.js:
3387         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
3388
3389 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
3390
3391         String overflow when using StringBuilder in JSC::createError
3392         https://bugs.webkit.org/show_bug.cgi?id=194957
3393
3394         Reviewed by Mark Lam.
3395
3396         Add test string-overflow-createError-builder.js that overflows
3397         StringBuilder in notAFunctionSourceAppender. The second new test
3398         string-overflow-createError-fit.js has an error message that doesn't
3399         overflow, it still failed since the String's capacity can't be doubled.
3400         Run test string-overflow-createError.js only in the default
3401         configuration to reduce memory consumption when running the test
3402         in all configurations on multiple CPUs in parallel.
3403
3404         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
3405         (catch):
3406         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
3407         (catch):
3408         * stress/string-overflow-createError.js:
3409
3410 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
3411
3412         [JSC] OSR entry should respect abstract values in addition to flush formats
3413         https://bugs.webkit.org/show_bug.cgi?id=195653
3414
3415         Reviewed by Mark Lam.
3416
3417         * stress/osr-entry-locals-none.js: Added.
3418
3419 2019-03-12  Michael Saboff  <msaboff@apple.com>
3420
3421         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
3422         https://bugs.webkit.org/show_bug.cgi?id=195613
3423
3424         Reviewed by Mark Lam.
3425
3426         New regression test.
3427
3428         * stress/regexp-backref-inbounds.js: Added.
3429         (testRegExp):
3430
3431 2019-03-12  Mark Lam  <mark.lam@apple.com>
3432
3433         The HasIndexedProperty node does GC.
3434         https://bugs.webkit.org/show_bug.cgi?id=195559
3435         <rdar://problem/48767923>
3436
3437         Reviewed by Yusuke Suzuki.
3438
3439         * stress/HasIndexedProperty-does-gc.js: Added.
3440
3441 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
3442
3443         [ESNext][BigInt] Implement "~" unary operation
3444         https://bugs.webkit.org/show_bug.cgi?id=182216
3445
3446         Reviewed by Keith Miller.
3447
3448         * stress/big-int-bit-not-general.js: Added.
3449         * stress/big-int-bitwise-not-jit.js: Added.
3450         * stress/big-int-bitwise-not-wrapped-value.js: Added.
3451         * stress/bit-op-with-object-returning-int32.js:
3452         * stress/bitwise-not-fixup-rules.js: Added.
3453         * stress/value-bit-not-ai-rule.js: Added.
3454
3455 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
3456
3457         Invalid flags in a RegExp literal should be an early SyntaxError
3458         https://bugs.webkit.org/show_bug.cgi?id=195514
3459
3460         Reviewed by Darin Adler.
3461
3462         * test262/expectations.yaml:
3463         Mark 4 test cases as passing.
3464
3465         * stress/regexp-syntax-error-invalid-flags.js:
3466         * stress/regress-161995.js: Removed.
3467         Update existing test, merging in an older test for the same behavior.
3468
3469 2019-03-08  Mark Lam  <mark.lam@apple.com>
3470
3471         Stack overflow crash in JSC::JSObject::hasInstance.
3472         https://bugs.webkit.org/show_bug.cgi?id=195458
3473         <rdar://problem/48710195>
3474
3475         Reviewed by Yusuke Suzuki.
3476
3477         * stress/stack-overflow-in-custom-hasInstance.js: Added.
3478
3479 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
3480
3481         op_check_tdz does not def its argument
3482         https://bugs.webkit.org/show_bug.cgi?id=192880
3483         <rdar://problem/46221598>
3484
3485         Reviewed by Saam Barati.
3486
3487         * microbenchmarks/let-for-in.js: Added.
3488         (foo):
3489
3490 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
3491
3492         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
3493         https://bugs.webkit.org/show_bug.cgi?id=195429
3494
3495         Reviewed by Saam Barati.
3496
3497         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
3498         (foo):
3499         * stress/string-from-char-code-255.js: Added.
3500
3501 2019-03-06  Mark Lam  <mark.lam@apple.com>
3502
3503         Fix incorrect handling of try-finally completion values.
3504         https://bugs.webkit.org/show_bug.cgi?id=195131
3505         <rdar://problem/46222079>
3506
3507         Reviewed by Saam Barati and Yusuke Suzuki.
3508
3509         Added many permutations of new test case to test-finally.js.  test-finally.js has
3510         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
3511         tests pass there as well.
3512
3513         * stress/test-finally.js:
3514
3515 2019-03-06  Saam Barati  <sbarati@apple.com>
3516
3517         Air::reportUsedRegisters must padInterference
3518         https://bugs.webkit.org/show_bug.cgi?id=195303
3519         <rdar://problem/48270343>
3520
3521         Reviewed by Keith Miller.
3522
3523         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
3524
3525 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
3526
3527         [JSC] AI should not propagate AbstractValue relying on constant folding phase
3528         https://bugs.webkit.org/show_bug.cgi?id=195375
3529
3530         Reviewed by Saam Barati.
3531
3532         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
3533         (let.array):
3534
3535 2019-03-05  Saam barati  <sbarati@apple.com>
3536
3537         op_switch_char broken for rope strings after JSRopeString layout rewrite
3538         https://bugs.webkit.org/show_bug.cgi?id=195339
3539         <rdar://problem/48592545>
3540
3541         Reviewed by Yusuke Suzuki.
3542
3543         * stress/switch-on-char-llint-rope.js: Added.
3544
3545 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
3546
3547         [JSC] Store bits for JSRopeString in 3 stores
3548         https://bugs.webkit.org/show_bug.cgi?id=195234
3549
3550         Reviewed by Saam Barati.
3551
3552         * stress/null-rope-and-collectors.js: Added.
3553
3554 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
3555
3556         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
3557         https://bugs.webkit.org/show_bug.cgi?id=195207
3558
3559         Unreviewed. After test runtime was reduced in r242213, test can be
3560         run again on ARM/MIPS.
3561
3562         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3563
3564 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
3565
3566         [JSC] sizeof(JSString) should be 16
3567         https://bugs.webkit.org/show_bug.cgi?id=194375
3568
3569         Reviewed by Saam Barati.
3570
3571         * microbenchmarks/make-rope.js: Added.
3572         (makeRope):
3573         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
3574         (returnRope.helper): Deleted.
3575         (returnRope): Deleted.
3576
3577 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
3578
3579         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
3580         https://bugs.webkit.org/show_bug.cgi?id=195144
3581
3582         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
3583         Change the number from 1e8 to 1e5.
3584
3585         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3586         (foo):
3587
3588 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
3589
3590         Test times out on ARM/MIPS
3591         https://bugs.webkit.org/show_bug.cgi?id=195168
3592
3593         Unreviewed. Skip test on ARM/MIPS.
3594
3595         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3596
3597 2019-02-27  Mark Lam  <mark.lam@apple.com>
3598
3599         The parser is failing to record the token location of new in new.target.
3600         https://bugs.webkit.org/show_bug.cgi?id=195127
3601         <rdar://problem/39645578>
3602
3603         Reviewed by Yusuke Suzuki.
3604
3605         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
3606
3607 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
3608
3609         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
3610         https://bugs.webkit.org/show_bug.cgi?id=195144
3611         <rdar://problem/47595961>
3612
3613         Reviewed by Mark Lam.
3614
3615         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
3616         (bar):
3617         (foo):
3618         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
3619         (bar):
3620         (foo):
3621
3622 2019-02-27  Robin Morisset  <rmorisset@apple.com>
3623
3624         DFG: Loop-invariant code motion (LICM) should not hoist dead code
3625         https://bugs.webkit.org/show_bug.cgi?id=194945
3626         <rdar://problem/48311657>
3627
3628         Reviewed by Mark Lam.
3629
3630         * stress/licm-dead-code.js: Added.
3631
3632 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
3633
3634         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
3635         https://bugs.webkit.org/show_bug.cgi?id=194677
3636         <rdar://problem/48112492>
3637
3638         Reviewed by Mark Lam.
3639
3640         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
3641         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
3642         it immediately fails due to the large size.
3643
3644         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
3645         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
3646         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
3647         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
3648
3649         This patch changes the test to produce 16bit string from String.fromCharCode.
3650
3651         * stress/regress-178386.js:
3652
3653 2019-02-26  Mark Lam  <mark.lam@apple.com>
3654
3655         wasmToJS() should purify incoming NaNs.
3656         https://bugs.webkit.org/show_bug.cgi?id=194807
3657         <rdar://problem/48189132>
3658
3659         Reviewed by Saam Barati.
3660
3661         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
3662
3663 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
3664
3665         [JSC] Repeat string created from Array.prototype.join() take too much memory
3666         https://bugs.webkit.org/show_bug.cgi?id=193912
3667
3668         Reviewed by Saam Barati.
3669
3670         Added a test and a microbenchmark for corner cases of
3671         Array.prototype.join() with an uninitialized array.
3672
3673         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
3674         * stress/array-prototype-join-uninitialized.js: Added.
3675         (testArray):
3676         (testABC):
3677         (B):
3678         (C):
3679
3680 2019-02-22  Robin Morisset  <rmorisset@apple.com>
3681
3682         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
3683         https://bugs.webkit.org/show_bug.cgi?id=194953
3684         <rdar://problem/47595253>
3685
3686         Reviewed by Saam Barati.
3687
3688         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
3689
3690         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
3691
3692 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3693
3694         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3695         https://bugs.webkit.org/show_bug.cgi?id=172848
3696         <rdar://problem/25709212>
3697
3698         Reviewed by Mark Lam.
3699
3700         * typeProfiler/inheritance.js:
3701         Rewrite the test slightly for clarity. The hoisting was confusing.
3702
3703         * heapProfiler/class-names.js: Added.
3704         (MyES5Class):
3705         (MyES6Class):
3706         (MyES6Subclass):
3707         Test object types and improved class names.
3708
3709         * heapProfiler/driver/driver.js:
3710         (CheapHeapSnapshotNode):
3711         (CheapHeapSnapshot):
3712         (createCheapHeapSnapshot):
3713         (HeapSnapshot):
3714         (createHeapSnapshot):
3715         Update snapshot parsing from version 1 to version 2.
3716
3717 2019-02-19  Truitt Savell  <tsavell@apple.com>
3718
3719         Unreviewed, rolling out r241784.
3720
3721         Broke all OpenSource builds.
3722
3723         Reverted changeset:
3724
3725         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
3726         instances view"
3727         https://bugs.webkit.org/show_bug.cgi?id=172848
3728         https://trac.webkit.org/changeset/241784
3729
3730 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3731
3732         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3733         https://bugs.webkit.org/show_bug.cgi?id=172848
3734         <rdar://problem/25709212>
3735
3736         Reviewed by Mark Lam.
3737
3738         * typeProfiler/inheritance.js:
3739         Rewrite the test slightly for clarity. The hoisting was confusing.
3740
3741         * heapProfiler/class-names.js: Added.
3742         (MyES5Class):
3743         (MyES6Class):
3744         (MyES6Subclass):
3745         Test object types and improved class names.
3746
3747         * heapProfiler/driver/driver.js:
3748         (CheapHeapSnapshotNode):
3749         (CheapHeapSnapshot):
3750         (createCheapHeapSnapshot):
3751         (HeapSnapshot):
3752         (createHeapSnapshot):
3753         Update snapshot parsing from version 1 to version 2.
3754
3755 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
3756
3757         [ARM] Fix crash with sampling profiler
3758         https://bugs.webkit.org/show_bug.cgi?id=194772
3759
3760         Reviewed by Mark Lam.
3761
3762         Do not skip test since crash with sampling profiler is now fixed.
3763
3764         * stress/sampling-profiler-richards.js:
3765
3766 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
3767
3768         [JSC] Add LazyClassStructure::getInitializedOnMainThread
3769         https://bugs.webkit.org/show_bug.cgi?id=194784
3770         <rdar://problem/48154820>
3771
3772         Reviewed by Mark Lam.
3773
3774         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
3775         (getProperties):
3776         (getRandomProperty):
3777         (i.catch):
3778
3779 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
3780
3781         [ARM] Test gardening: Test running out of executable memory
3782         https://bugs.webkit.org/show_bug.cgi?id=194771
3783
3784         Unreviewed. Do not run test without LLInt, test is running out of executable
3785         memory on ARM otherwise.
3786
3787         * stress/tagged-template-object-collect.js:
3788
3789 2019-02-18  Tomas Popela  <tpopela@redhat.com>
3790
3791         Unreviewed, skip the test on platforms without sampling profiler
3792
3793         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
3794         (platformSupportsSamplingProfiler.foo):
3795         (platformSupportsSamplingProfiler.test):
3796         (platformSupportsSamplingProfiler):
3797         (foo): Deleted.
3798         (test): D