4d3599ef09d5d96a8c4636e2aff1499997d23671
[WebKit.git] / JSTests / ChangeLog
1 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Unreviewed, rolling out r248709.
4
5         Caused test/built-ins/Promise/prototype/finally/this-value-
6         non-promise.js to fail on test262 bot
7
8         Reverted changeset:
9
10         "ProxyObject should not be allow to access its target's
11         private properties."
12         https://bugs.webkit.org/show_bug.cgi?id=200739
13         https://trac.webkit.org/changeset/248709
14
15 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
16
17         DateConversion::formatDateTime incorrectly formats negative years
18         https://bugs.webkit.org/show_bug.cgi?id=199964
19
20         Reviewed by Ross Kirsling.
21
22         * test262/expectations.yaml: Mark 6 test cases as passing.
23
24 2019-08-15  Mark Lam  <mark.lam@apple.com>
25
26         More missing exception checks in String.prototype.
27         https://bugs.webkit.org/show_bug.cgi?id=200762
28         <rdar://problem/54333896>
29
30         Reviewed by Michael Saboff.
31
32         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
33         * stress/missing-exception-check-in-string-toLower.js: Added.
34         * stress/missing-exception-check-in-string-toUpper.js: Added.
35
36 2019-08-14  Mark Lam  <mark.lam@apple.com>
37
38         ProxyObject should not be allow to access its target's private properties.
39         https://bugs.webkit.org/show_bug.cgi?id=200739
40         <rdar://problem/53972768>
41
42         Reviewed by Yusuke Suzuki.
43
44         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
45         * stress/proxy-with-private-symbols.js: Rebased.
46
47 2019-08-14  Mark Lam  <mark.lam@apple.com>
48
49         Missing exception check in string compare.
50         https://bugs.webkit.org/show_bug.cgi?id=200743
51         <rdar://problem/53975356>
52
53         Reviewed by Michael Saboff.
54
55         * stress/missing-exception-check-in-string-compare.js: Added.
56
57 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
58
59         [JSC] Add "jump if (not) undefined or null" bytecode ops
60         https://bugs.webkit.org/show_bug.cgi?id=200480
61
62         Reviewed by Saam Barati.
63
64         * stress/destructuring-assignment-require-object-coercible.js:
65         * stress/nullish-coalescing.js:
66
67 2019-08-05  Michael Saboff  <msaboff@apple.com>
68
69         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
70         https://bugs.webkit.org/show_bug.cgi?id=199997
71
72         Reviewed by Saam Barati.
73
74         New test.
75
76         * stress/typedarray-no-alreadyChecked-assert.js: Added.
77         (checkIntArray):
78         (checkFloatArray):
79
80 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
81
82         [JSC] Support WebAssembly in SamplingProfiler
83         https://bugs.webkit.org/show_bug.cgi?id=200329
84
85         Reviewed by Saam Barati.
86
87         * stress/sampling-profiler-wasm-name-section.js: Added.
88         (const.compile):
89         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
90         (platformSupportsSamplingProfiler.vm.isWasmSupported):
91         * stress/sampling-profiler-wasm.js: Added.
92         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
93         (platformSupportsSamplingProfiler.vm.isWasmSupported):
94         * stress/sampling-profiler/loop.wasm: Added.
95         * stress/sampling-profiler/loop.wast: Added.
96         * stress/sampling-profiler/nameSection.wasm: Added.
97
98 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
99
100         [JSC] LazyJSValue should be robust for empty JSValue
101         https://bugs.webkit.org/show_bug.cgi?id=200388
102
103         Reviewed by Saam Barati.
104
105         * stress/switch-constant-child-becomes-empty.js: Added.
106         (foo):
107
108 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
109
110         GetterSetter type confusion during DFG compilation
111         https://bugs.webkit.org/show_bug.cgi?id=199903
112
113         Reviewed by Mark Lam.
114
115         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
116
117 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
118
119         Update Test262 (2019.08.01)
120         https://bugs.webkit.org/show_bug.cgi?id=200351
121
122         Reviewed by Keith Miller.
123
124         * test262/expectations.yaml:
125         * test262/harness/testIntl.js:
126         * test262/latest-changes-summary.txt:
127         * test262/test/:
128         * test262/test262-Revision.txt:
129
130 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
131
132         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
133         https://bugs.webkit.org/show_bug.cgi?id=200192
134
135         Reviewed by Saam Barati.
136
137         * stress/structure-chain-stress.js: Added.
138         (keys):
139
140 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
141
142         [JSC] Increment bytecode age only when SlotVisitor is first-visit
143         https://bugs.webkit.org/show_bug.cgi?id=200196
144
145         Reviewed by Robin Morisset.
146
147         * stress/reparsing-unlinked-codeblock.js:
148
149 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
150
151         [X86] Emit BT instruction for shift + mask in B3
152         https://bugs.webkit.org/show_bug.cgi?id=199891
153
154         Reviewed by Robin Morisset.
155
156         Lower the number of iterations to fix debug timeouts.
157
158         * microbenchmarks/bit-test-load.js:
159         (i):
160
161 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
162
163         [X86] Emit BT instruction for shift + mask in B3
164         https://bugs.webkit.org/show_bug.cgi?id=199891
165
166         Reviewed by Keith Miller.
167
168         * microbenchmarks/bit-test-constant.js: Added.
169         (let.glob.0.doTest):
170         * microbenchmarks/bit-test-load.js: Added.
171         (let.glob.0.let.arr.new.Int32Array.8.doTest):
172         (i):
173         * microbenchmarks/bit-test-nonconstant.js: Added.
174         (let.glob.0.doTest):
175
176 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
177
178         [JSC] Potential GC fix for JSPropertyNameEnumerator
179         https://bugs.webkit.org/show_bug.cgi?id=200151
180
181         Reviewed by Mark Lam.
182
183         * stress/for-in-stress.js: Added.
184         (keys):
185
186 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
187
188         Legacy numeric literals should not permit separators or BigInt
189         https://bugs.webkit.org/show_bug.cgi?id=199984
190
191         Reviewed by Keith Miller.
192
193         * stress/big-int-literals.js:
194         * stress/numeric-literal-separators.js:
195
196 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
197
198         [ESNext] Implement nullish coalescing
199         https://bugs.webkit.org/show_bug.cgi?id=200072
200
201         Reviewed by Darin Adler.
202
203         * stress/nullish-coalescing.js: Added.
204
205 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
206
207         Three checks are missing in Proxy internal methods
208         https://bugs.webkit.org/show_bug.cgi?id=198630
209
210         Reviewed by Darin Adler.
211
212         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
213         * test262/expectations.yaml: Mark 6 test cases as passing.
214
215 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
216
217         Sometimes we miss removable CheckInBounds
218         https://bugs.webkit.org/show_bug.cgi?id=200018
219
220         Reviewed by Saam Barati.
221
222         * microbenchmarks/typed-array-sum.js: Added.
223         (doTest):
224
225 2019-07-16  Mark Lam  <mark.lam@apple.com>
226
227         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
228         https://bugs.webkit.org/show_bug.cgi?id=199821
229         <rdar://problem/52452328>
230
231         Reviewed by Filip Pizlo.
232
233         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
234
235 2019-07-16  Keith Miller  <keith_miller@apple.com>
236
237         Unreviewed, test262 gardening.
238
239         * test262/expectations.yaml:
240
241 2019-07-15  Keith Miller  <keith_miller@apple.com>
242
243         A Possible Issue of Object.create method
244         https://bugs.webkit.org/show_bug.cgi?id=199744
245
246         Reviewed by Yusuke Suzuki.
247
248         * stress/object-create-non-object-properties-parameter.js: Added.
249         (catch):
250
251 2019-07-15  Keith Miller  <keith_miller@apple.com>
252
253         Update test262
254         https://bugs.webkit.org/show_bug.cgi?id=199801
255
256         Rubber-stamped by Yusuke Suzuki.
257
258         * test262/expectations.yaml:
259         * test262/latest-changes-summary.txt:
260         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
261         (fg.new.FinalizationGroup):
262         (callback):
263         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
264         (fg.new.FinalizationGroup):
265         (callback):
266         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
267         (fg.new.FinalizationGroup):
268         (callback):
269         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
270         (fg.new.FinalizationGroup):
271         (callback):
272         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
273         (fg.new.FinalizationGroup):
274         (callback):
275         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
276         (fg.new.FinalizationGroup):
277         (callback):
278         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
279         (fg.new.FinalizationGroup):
280         (callback):
281         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
282         (callback):
283         (fg.new.FinalizationGroup):
284         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
285         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
286         (cb):
287         (fg.new.FinalizationGroup):
288         (emptyCells):
289         (async.fn):
290         (fn.then.async):
291         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
292         (fg.new.FinalizationGroup):
293         * test262/test/built-ins/FinalizationGroup/length.js: Added.
294         * test262/test/built-ins/FinalizationGroup/name.js: Added.
295         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
296         (newTarget):
297         (fn):
298         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
299         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
300         (fn):
301         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
302         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
303         (newTarget):
304         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
305         (newTarget):
306         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
307         (fg.new.FinalizationGroup):
308         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
309         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
310         (callback):
311         (fg.new.FinalizationGroup):
312         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
313         (fg.new.FinalizationGroup):
314         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
315         (cb):
316         (fg.new.FinalizationGroup):
317         (emptyCells):
318         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
319         (fg.new.FinalizationGroup):
320         (fg.cleanupSome.cb):
321         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
322         (callback):
323         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
324         (fn):
325         (cb):
326         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
327         (cb):
328         (fg.new.FinalizationGroup):
329         (emptyCells):
330         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
331         (fg.new.FinalizationGroup):
332         (callback):
333         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
334         (fg.new.FinalizationGroup):
335         (callback):
336         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
337         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
338         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
339         (poisoned):
340         (fg.new.FinalizationGroup):
341         (emptyCells):
342         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
343         (poisoned):
344         (emptyCells):
345         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
346         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
347         (fn):
348         (cb):
349         (emptyCells):
350         (prototype.assert.sameValue.fg.cleanupSome):
351         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
352         (fn):
353         (cb):
354         (poisoned):
355         (assert.sameValue.fg.cleanupSome):
356         (prototype.assert.sameValue.fg.cleanupSome):
357         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
358         (cb):
359         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
360         (cb):
361         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
362         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
363         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
364         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
365         (fn):
366         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
367         (fn):
368         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
369         (fg.new.FinalizationGroup):
370         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
371         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
372         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
373         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
374         (fn):
375         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
376         (fn):
377         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
378         (fg.new.FinalizationGroup):
379         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
380         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
381         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
382         (fg.new.FinalizationGroup):
383         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
384         (fg.new.FinalizationGroup):
385         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
386         (fg.new.FinalizationGroup):
387         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
388         (fg.new.FinalizationGroup):
389         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
390         (fn):
391         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
392         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
393         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
394         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
395         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
396         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
397         (fn):
398         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
399         (fg.new.FinalizationGroup):
400         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
401         (cleanupCallback):
402         (let.key.of.Object.getOwnPropertyNames):
403         (set for):
404         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
405         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
406         (FinalizationGroup):
407         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
408         (cleanupCallback):
409         (let.key.of.Object.getOwnPropertyNames):
410         (set for):
411         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
412         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
413         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
414         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
415         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
416         (asyncProxy.new.Proxy.async):
417         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
418         (asyncProxy.new.Proxy.async):
419         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
420         (setIter.set Symbol):
421         (set defaultTag):
422         (gen):
423         (get return):
424         (set new):
425         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
426         (generatorProxy.new.Proxy):
427         (asyncProxy.new.Proxy.async):
428         * test262/test/built-ins/Object/subclass-object-arg.js:
429         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
430         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
431         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
432         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
433         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
434         * test262/test/built-ins/Promise/executor-function-name.js:
435         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
436         * test262/test/built-ins/Promise/reject-function-name.js:
437         * test262/test/built-ins/Promise/resolve-function-name.js:
438         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
439         * test262/test/built-ins/WeakRef/constructor.js: Added.
440         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
441         * test262/test/built-ins/WeakRef/length.js: Added.
442         * test262/test/built-ins/WeakRef/name.js: Added.
443         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
444         (newTarget):
445         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
446         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
447         * test262/test/built-ins/WeakRef/proto.js: Added.
448         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
449         (newTarget):
450         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
451         (newTarget):
452         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
453         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
454         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
455         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
456         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
457         (emptyCells):
458         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
459         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
460         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
461         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
462         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
463         (fg.new.FinalizationGroup):
464         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
465         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
466         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
467         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
468         (let.key.of.Object.getOwnPropertyNames):
469         (set for):
470         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
471         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
472         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
473         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
474         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
475         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
476         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
477         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
478         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
479         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
480         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
481         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
482         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
483         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
484         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
485         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
486         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
487         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
488         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
489         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
490         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
491         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
492         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
493         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
494         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
495         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
496         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
497         (assertParts):
498         (assertPartsNumeric):
499         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
500         (assertParts):
501         (assertPartsNumeric):
502         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
503         (assertParts):
504         (assertPartsNumeric):
505         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
506         (assertParts):
507         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
508         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
509         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
510         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
511         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
512         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
513         (C.prototype.method):
514         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
515         (C.prototype.method.innerFunction):
516         (C.prototype.method):
517         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
518         (C):
519         (C.method):
520         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
521         (C):
522         (C.method.innerFunction):
523         (C.method):
524         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
525         (C):
526         (C.checkPrivateGetter):
527         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
528         (C):
529         (C.method):
530         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
531         (C):
532         (C.method.innerFunction):
533         (C.method):
534         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
535         (C):
536         (C.checkPrivateMethod):
537         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
538         (C):
539         (C.method):
540         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
541         (C):
542         (C.method.innerFunction):
543         (C.method):
544         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
545         (C):
546         (C.checkPrivateSetter):
547         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
548         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
549         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
550         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
551         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
552         (let.classStringExpression):
553         (let.classStringExpression.access):
554         (let.createAndInstantiateClass):
555         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
556         (let.classStringExpression):
557         (let.classStringExpression.access):
558         (let.createAndInstantiateClass):
559         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
560         (const.C):
561         (let.createAndInstantiateClass):
562         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
563         (let.classStringExpression.return.prototype.m):
564         (let.classStringExpression.return.prototype.access):
565         (let.createAndInstantiateClass):
566         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
567         (let.classStringExpression.return.prototype.m):
568         (let.classStringExpression.return.prototype.access):
569         (let.createAndInstantiateClass):
570         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
571         (let.classStringExpression):
572         (let.classStringExpression.access):
573         (let.createAndInstantiateClass):
574         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
575         (let.classStringExpression.prototype.m):
576         (let.classStringExpression.prototype.access):
577         (let.classStringExpression):
578         (let.createAndInstantiateClass):
579         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
580         (let.classStringExpression.prototype.m):
581         (let.classStringExpression.prototype.access):
582         (let.classStringExpression):
583         (let.createAndInstantiateClass):
584         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
585         (const.C):
586         (let.createAndInstantiateClass):
587         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
588         (let.classStringExpression.return.C.prototype.m):
589         (let.classStringExpression.return.C.prototype.access):
590         (let.classStringExpression.return.C):
591         (let.createAndInstantiateClass):
592         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
593         (let.classStringExpression.return.C.prototype.m):
594         (let.classStringExpression.return.C.prototype.access):
595         (let.classStringExpression.return.C):
596         (let.createAndInstantiateClass):
597         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
598         (let.classStringExpression):
599         (let.classStringExpression.access):
600         (let.createAndInstantiateClass):
601         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
602         (let.classStringExpression):
603         (let.classStringExpression.access):
604         (let.createAndInstantiateClass):
605         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
606         (let.classStringExpression):
607         (let.classStringExpression.access):
608         (let.createAndInstantiateClass):
609         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
610         (const.C):
611         (let.createAndInstantiateClass):
612         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
613         (let.classStringExpression.return.prototype.m):
614         (let.classStringExpression.return.prototype.access):
615         (let.createAndInstantiateClass):
616         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
617         (let.classStringExpression.return.prototype.m):
618         (let.classStringExpression.return.prototype.access):
619         (let.createAndInstantiateClass):
620         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
621         (let.classStringExpression):
622         (let.classStringExpression.access):
623         (let.createAndInstantiateClass):
624         * test262/test/language/expressions/new.target/unary-expr.js: Added.
625         (new):
626         (async):
627         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
628         (A):
629         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
630         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
631         * test262/test/language/identifiers/vals-cjk.js: Added.
632         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
633         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
634         (C.prototype.method):
635         (C):
636         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
637         (C.prototype.method.innerFunction):
638         (C.prototype.method):
639         (C):
640         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
641         (C.prototype.checkPrivateField):
642         (C):
643         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
644         (C):
645         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
646         (C.prototype.getWithEval):
647         (C):
648         (D):
649         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
650         (C.prototype.get m):
651         (C.prototype.method):
652         (C):
653         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
654         (C.prototype.get m):
655         (C.prototype.method.innerFunction):
656         (C.prototype.method):
657         (C):
658         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
659         (let.createAndInstantiateClass):
660         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
661         (C.prototype.get m):
662         (C.prototype.checkPrivateGetter):
663         (C):
664         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
665         (C.prototype.get m):
666         (C.prototype.checkPrivateGetter):
667         (C):
668         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
669         (C.prototype.get m):
670         (C):
671         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
672         (C.prototype.get m):
673         (C.prototype.getWithEval):
674         (C):
675         (D.prototype.get m):
676         (D):
677         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
678         (C.prototype.m):
679         (C.prototype.method):
680         (C):
681         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
682         (C.prototype.m):
683         (C.prototype.method.innerFunction):
684         (C.prototype.method):
685         (C):
686         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
687         (C.prototype.m):
688         (C.prototype.checkPrivateMethod):
689         (C):
690         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
691         (C.prototype.m):
692         (C.prototype.checkPrivateMethod):
693         (C):
694         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
695         (C.prototype.m):
696         (C):
697         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
698         (C.prototype.m):
699         (C.prototype.getWithEval):
700         (C):
701         (D.prototype.m):
702         (D):
703         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
704         (C.prototype.set m):
705         (C.prototype.method):
706         (C):
707         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
708         (C.prototype.set m):
709         (C.prototype.method.innerFunction):
710         (C.prototype.method):
711         (C):
712         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
713         (C.prototype.set m):
714         (C.prototype.checkPrivateSetter):
715         (C):
716         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
717         (C.prototype.set m):
718         (C.prototype.checkPrivateSetter):
719         (C):
720         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
721         (C.prototype.set m):
722         (C):
723         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
724         (C.prototype.set m):
725         (C.prototype.setWithEval):
726         (C):
727         (D.prototype.set m):
728         (D):
729         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
730         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
731         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
732         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
733         (A.prototype.method):
734         (A):
735         (C.prototype.get m):
736         (C.prototype.access):
737         (C):
738         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
739         (A.prototype.method):
740         (A):
741         (C.prototype.m):
742         (C.prototype.access):
743         (C):
744         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
745         (A.prototype.method):
746         (A):
747         (C.prototype.set m):
748         (C.prototype.access):
749         (C):
750         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
751         (A):
752         * test262/test/language/statements/function/13.2-30-s.js:
753         * test262/test262-Revision.txt:
754
755 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
756
757         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
758         https://bugs.webkit.org/show_bug.cgi?id=199783
759
760         Reviewed by Mark Lam.
761
762         Fix our spec tests.
763
764         * wasm/js-api/Module-compile.js:
765         * wasm/js-api/test_basic_api.js:
766         (const.c.in.constructorProperties.switch):
767         * wasm/js-api/validate.js:
768         * wasm/js-api/web-assembly-instantiate.js:
769         * wasm/spec-tests/jsapi.js:
770         (testJSAPI.get test):
771         (testJSAPI.set test):
772
773 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
774
775         Unreviewed, rolling out r247440.
776
777         Broke builds
778
779         Reverted changeset:
780
781         "[JSC] Improve wasm wpt test results by fixing miscellaneous
782         issues"
783         https://bugs.webkit.org/show_bug.cgi?id=199783
784         https://trac.webkit.org/changeset/247440
785
786 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
787
788         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
789         https://bugs.webkit.org/show_bug.cgi?id=199783
790
791         Reviewed by Mark Lam.
792
793         Fix our spec tests.
794
795         * wasm/js-api/Module-compile.js:
796         * wasm/js-api/test_basic_api.js:
797         (const.c.in.constructorProperties.switch):
798         * wasm/js-api/validate.js:
799         * wasm/js-api/web-assembly-instantiate.js:
800         * wasm/spec-tests/jsapi.js:
801         (testJSAPI.get test):
802         (testJSAPI.set test):
803
804 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
805
806         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
807         https://bugs.webkit.org/show_bug.cgi?id=196371
808
809         Reviewed by Keith Miller.
810
811         * microbenchmarks/mul-immediate-sub.js: Added.
812         (doTest):
813
814 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
815
816         [BigInt] Add ValueBitLShift into DFG
817         https://bugs.webkit.org/show_bug.cgi?id=192664
818
819         Reviewed by Saam Barati.
820
821         We are adding tests to cover ValueBitwise operations AI changes.
822
823         * stress/big-int-left-shift-untyped.js: Added.
824         * stress/bit-op-with-object-returning-int32.js:
825         * stress/value-bit-and-ai-rule.js: Added.
826         * stress/value-bit-lshift-ai-rule.js: Added.
827         * stress/value-bit-or-ai-rule.js: Added.
828         * stress/value-bit-xor-ai-rule.js: Added.
829
830 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
831
832         Add b3 macro lowering for CheckMul on arm64
833         https://bugs.webkit.org/show_bug.cgi?id=199251
834
835         Reviewed by Robin Morisset.
836
837         * microbenchmarks/check-mul-constant.js: Added.
838         (doTest):
839         * microbenchmarks/check-mul-no-constant.js: Added.
840         (doTest):
841         * microbenchmarks/check-mul-power-of-two.js: Added.
842         (doTest):
843
844 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
845
846         Optimize join of large empty arrays
847         https://bugs.webkit.org/show_bug.cgi?id=199636
848
849         Reviewed by Mark Lam.
850
851         * microbenchmarks/large-empty-array-join.js: Added.
852         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
853
854 2019-07-06  Michael Saboff  <msaboff@apple.com>
855
856         switch(String) needs to check for exceptions when resolving the string
857         https://bugs.webkit.org/show_bug.cgi?id=199541
858
859         Reviewed by Mark Lam.
860
861         New tests.
862
863         * stress/switch-string-oom.js: Added.
864         (test):
865         (testLowerTiers):
866         (testFTL):
867
868 2019-07-05  Mark Lam  <mark.lam@apple.com>
869
870         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
871         https://bugs.webkit.org/show_bug.cgi?id=199533
872         <rdar://problem/52669111>
873
874         Reviewed by Filip Pizlo.
875
876         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
877
878 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
879
880         [JSC] Clean up ArraySpeciesCreate
881         https://bugs.webkit.org/show_bug.cgi?id=182434
882
883         Reviewed by Yusuke Suzuki.
884
885         Adjusts error message expectations in stress tests.
886
887         * stress/array-flatmap.js:
888         * stress/array-flatten.js:
889         * stress/array-species-create-should-handle-masquerader.js:
890         * test262/expectations.yaml: Mark 4 test cases as passing.
891
892 2019-07-02  Michael Saboff  <msaboff@apple.com>
893
894         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
895         https://bugs.webkit.org/show_bug.cgi?id=199395
896
897         Reviewed by Filip Pizlo.
898
899         New regession test.
900
901         * stress/for-of-tdz-with-try-catch.js: Added.
902         (test):
903         (i.catch):
904
905 2019-07-02  Keith Miller  <keith_miller@apple.com>
906
907         Frozen Arrays length assignment should throw in strict mode
908         https://bugs.webkit.org/show_bug.cgi?id=199365
909
910         Reviewed by Yusuke Suzuki.
911
912         * stress/frozen-array-length-should-throw-strict.js: Added.
913         (test):
914
915 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
916
917         [Wasm-References] Disable references by default
918         https://bugs.webkit.org/show_bug.cgi?id=199390
919
920         Reviewed by Saam Barati.
921
922         * wasm/references-spec-tests/ref_is_null.js:
923         * wasm/references-spec-tests/ref_null.js:
924         * wasm/references/anyref_globals.js:
925         * wasm/references/anyref_modules.js:
926         * wasm/references/anyref_table.js:
927         * wasm/references/anyref_table_import.js:
928         * wasm/references/element_parsing.js:
929         * wasm/references/func_ref.js:
930         * wasm/references/is_null.js:
931         * wasm/references/multitable.js:
932         * wasm/references/table_misc.js:
933         * wasm/references/validation.js:
934
935 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
936
937         Unreviewed, rolling out r246946.
938
939         Caused JSC test crashes on arm64
940
941         Reverted changeset:
942
943         "Add b3 macro lowering for CheckMul on arm64"
944         https://bugs.webkit.org/show_bug.cgi?id=199251
945         https://trac.webkit.org/changeset/246946
946
947 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
948
949         Add b3 macro lowering for CheckMul on arm64
950         https://bugs.webkit.org/show_bug.cgi?id=199251
951
952         Reviewed by Robin Morisset.
953
954         * microbenchmarks/check-mul-constant.js: Added.
955         (doTest):
956         * microbenchmarks/check-mul-no-constant.js: Added.
957         (doTest):
958         * microbenchmarks/check-mul-power-of-two.js: Added.
959         (doTest):
960
961 2019-06-26  Keith Miller  <keith_miller@apple.com>
962
963         speciesConstruct needs to throw if the result is a DataView
964         https://bugs.webkit.org/show_bug.cgi?id=199231
965
966         Reviewed by Mark Lam.
967
968         * stress/typedarray-filter.js:
969         (subclasses.forEach):
970         * stress/typedarray-map.js:
971         (subclasses.forEach):
972         * stress/typedarray-slice.js:
973         (typedArrays.forEach):
974         * stress/typedarray-subarray.js:
975         (subclasses.forEach):
976
977 2019-06-24  Commit Queue  <commit-queue@webkit.org>
978
979         Unreviewed, rolling out r246714.
980         https://bugs.webkit.org/show_bug.cgi?id=199179
981
982         revert to do patch in a different way. (Requested by keith_mi_
983         on #webkit).
984
985         Reverted changeset:
986
987         "All prototypes should call didBecomePrototype()"
988         https://bugs.webkit.org/show_bug.cgi?id=196315
989         https://trac.webkit.org/changeset/246714
990
991 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
992
993         Add Array.prototype.{flat,flatMap} to unscopables
994         https://bugs.webkit.org/show_bug.cgi?id=194322
995
996         Reviewed by Keith Miller.
997
998         * stress/unscopables.js: Fix test.
999         * test262/expectations.yaml: Mark 2 test cases as passing.
1000
1001 2019-06-21  Mark Lam  <mark.lam@apple.com>
1002
1003         ArraySlice needs to keep the source array alive.
1004         https://bugs.webkit.org/show_bug.cgi?id=197374
1005         <rdar://problem/50304429>
1006
1007         Reviewed by Michael Saboff and Filip Pizlo.
1008
1009         * stress/array-slice-must-keep-source-array-alive.js: Added.
1010
1011 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1012
1013         All prototypes should call didBecomePrototype()
1014         https://bugs.webkit.org/show_bug.cgi?id=196315
1015
1016         Reviewed by Saam Barati.
1017
1018         * stress/function-prototype-indexed-accessor.js: Added.
1019
1020 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1021
1022         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1023         https://bugs.webkit.org/show_bug.cgi?id=197631
1024
1025         Reviewed by Saam Barati.
1026
1027         * stress/has-own-property-arguments.js: Added.
1028         (shouldBe):
1029         (A):
1030
1031 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1032
1033         [JSC] ClassExpr should not store result in the middle of evaluation
1034         https://bugs.webkit.org/show_bug.cgi?id=199106
1035
1036         Reviewed by Tadeu Zagallo.
1037
1038         * stress/class-expression-should-store-result-at-last.js: Added.
1039         (shouldThrow):
1040         (shouldThrow.let.a):
1041
1042 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1043
1044         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1045         https://bugs.webkit.org/show_bug.cgi?id=199044
1046
1047         Reviewed by Saam Barati.
1048
1049         Add wasm references spec tests as well as a worker test.
1050
1051         * wasm.yaml:
1052         * wasm/Builder_WebAssemblyBinary.js:
1053         (const.emitters.Element):
1054         * wasm/js-api/element.js:
1055         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1056         * wasm/references-spec-tests/ref_is_null.js: Added.
1057         (hostref):
1058         (is_hostref):
1059         (is_funcref):
1060         (eq_ref):
1061         (let.handler.get target):
1062         (register):
1063         (module):
1064         (instance):
1065         (call):
1066         (get instance):
1067         (exports):
1068         (run):
1069         (assert_malformed):
1070         (assert_invalid):
1071         (assert_unlinkable):
1072         (assert_uninstantiable):
1073         (assert_trap):
1074         (try.f):
1075         (catch):
1076         (assert_exhaustion):
1077         (assert_return):
1078         (assert_return_canonical_nan):
1079         (assert_return_arithmetic_nan):
1080         (assert_return_ref):
1081         (assert_return_func):
1082         * wasm/references-spec-tests/ref_null.js: Added.
1083         (hostref):
1084         (is_hostref):
1085         (is_funcref):
1086         (eq_ref):
1087         (let.handler.get target):
1088         (register):
1089         (module):
1090         (instance):
1091         (call):
1092         (get instance):
1093         (exports):
1094         (run):
1095         (assert_malformed):
1096         (assert_invalid):
1097         (assert_unlinkable):
1098         (assert_uninstantiable):
1099         (assert_trap):
1100         (try.f):
1101         (catch):
1102         (assert_exhaustion):
1103         (assert_return):
1104         (assert_return_canonical_nan):
1105         (assert_return_arithmetic_nan):
1106         (assert_return_ref):
1107         (assert_return_func):
1108         * wasm/references/element_parsing.js: Added.
1109         (module):
1110         * wasm/references/func_ref.js:
1111         * wasm/references/multitable.js:
1112         * wasm/references/table_misc.js:
1113         (TableSize.0.End.End.WebAssembly):
1114         * wasm/references/validation.js:
1115         (assert.throws):
1116
1117 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1118
1119         Optimize `resolve` method lookup in Promise static methods
1120         https://bugs.webkit.org/show_bug.cgi?id=198864
1121
1122         Reviewed by Yusuke Suzuki.
1123
1124         * test262/expectations.yaml: Mark 18 test cases as passing.
1125
1126 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1127
1128         [WASM-References] Rename anyfunc to funcref
1129         https://bugs.webkit.org/show_bug.cgi?id=198983
1130
1131         Reviewed by Yusuke Suzuki.
1132
1133         * wasm/function-tests/basic-element.js:
1134         * wasm/function-tests/context-switch.js:
1135         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1136         (makeInstance):
1137         (assert.eq.makeInstance):
1138         * wasm/function-tests/exceptions.js:
1139         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1140         * wasm/function-tests/grow-memory-2.js:
1141         (assert.eq.instance.exports.foo):
1142         * wasm/function-tests/nameSection.js:
1143         (const.compile):
1144         * wasm/function-tests/stack-overflow.js:
1145         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1146         (assertOverflows.makeInstance):
1147         * wasm/function-tests/table-basic-2.js:
1148         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1149         * wasm/function-tests/table-basic.js:
1150         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1151         * wasm/function-tests/trap-from-start-async.js:
1152         * wasm/function-tests/trap-from-start.js:
1153         * wasm/js-api/Module.exports.js:
1154         (assert.truthy):
1155         * wasm/js-api/Module.imports.js:
1156         (assert.truthy):
1157         * wasm/js-api/call-indirect.js:
1158         (const.oneTable):
1159         (const.multiTable):
1160         (multiTable.const.makeTable):
1161         (multiTable):
1162         (multiTable.Polyphic2Import):
1163         (multiTable.VirtualImport):
1164         * wasm/js-api/element-data.js:
1165         * wasm/js-api/element.js:
1166         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1167         (assert.throws):
1168         (badInstantiation.makeModule):
1169         (badInstantiation.test):
1170         (badInstantiation):
1171         * wasm/js-api/extension-MemoryMode.js:
1172         * wasm/js-api/table.js:
1173         (new.WebAssembly.Module):
1174         (assert.throws):
1175         (assertBadTableImport):
1176         (assert.throws.WebAssembly.Table.prototype.grow):
1177         (new.WebAssembly.Table):
1178         (assertBadTable):
1179         (assert.truthy):
1180         * wasm/js-api/test_basic_api.js:
1181         (const.c.in.constructorProperties.switch):
1182         * wasm/js-api/unique-signature.js:
1183         (CallIndirectWithDuplicateSignatures):
1184         * wasm/js-api/wrapper-function.js:
1185         * wasm/modules/table.wat:
1186         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1187         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1188         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1189         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1190         * wasm/references/anyref_table.js:
1191         * wasm/references/anyref_table_import.js:
1192         (doSet):
1193         (assert.throws):
1194         * wasm/references/func_ref.js:
1195         (makeFuncrefIdent):
1196         (assert.eq.instance.exports.fix):
1197         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
1198         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
1199         (let.importedFun.of):
1200         (makeAnyfuncIdent): Deleted.
1201         (makeAnyfuncIdent.fun): Deleted.
1202         * wasm/references/multitable.js:
1203         (assert.eq):
1204         (assert.throws):
1205         * wasm/references/table_misc.js:
1206         (GetLocal.0.TableFill.0.End.End.WebAssembly):
1207         * wasm/references/validation.js:
1208         (assert.throws.new.WebAssembly.Module.bin):
1209         (assert.throws):
1210         * wasm/spec-harness/index.js:
1211         * wasm/spec-harness/wasm-constants.js:
1212         * wasm/spec-harness/wasm-module-builder.js:
1213         (WasmModuleBuilder.prototype.toArray):
1214         * wasm/spec-harness/wast.js:
1215         (elem_type):
1216         (string_of_elem_type):
1217         (string_of_table_type):
1218         * wasm/spec-tests/jsapi.js:
1219         * wasm/stress/wasm-table-grow-initialize.js:
1220         * wasm/wasm.json:
1221
1222 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1223
1224         [WASM-References] Add support for Table.size, grow and fill instructions
1225         https://bugs.webkit.org/show_bug.cgi?id=198761
1226
1227         Reviewed by Yusuke Suzuki.
1228
1229         * wasm/Builder_WebAssemblyBinary.js:
1230         (const.putOp):
1231         * wasm/references/table_misc.js: Added.
1232         (TableSize.End.End.WebAssembly):
1233         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
1234         * wasm/wasm.json:
1235
1236 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1237
1238         [WASM-References] Add support for multiple tables
1239         https://bugs.webkit.org/show_bug.cgi?id=198760
1240
1241         Reviewed by Saam Barati.
1242
1243         * wasm/Builder.js:
1244         * wasm/js-api/call-indirect.js:
1245         (const.oneTable):
1246         (const.multiTable):
1247         (multiTable):
1248         (multiTable.Polyphic2Import):
1249         (multiTable.VirtualImport):
1250         (const.wasmModuleWhichImportJS): Deleted.
1251         (const.makeTable): Deleted.
1252         (): Deleted.
1253         (Polyphic2Import): Deleted.
1254         (VirtualImport): Deleted.
1255         * wasm/js-api/table.js:
1256         (new.WebAssembly.Module):
1257         (assert.throws):
1258         (assertBadTableImport):
1259         (assert.truthy):
1260         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1261         * wasm/references/anyref_table.js:
1262         * wasm/references/anyref_table_import.js:
1263         (makeImport):
1264         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1265         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1266         * wasm/references/multitable.js: Added.
1267         (assert.throws.1.exports.set_tbl0):
1268         (assert.throws):
1269         (assert.eq):
1270         * wasm/references/validation.js:
1271         (assert.throws.new.WebAssembly.Module.bin):
1272         (assert.throws):
1273         * wasm/spec-tests/imports.wast.js:
1274         * wasm/wasm.json:
1275
1276         * wasm/Builder.js:
1277         * wasm/js-api/call-indirect.js:
1278         (const.oneTable):
1279         (const.multiTable):
1280         (multiTable):
1281         (multiTable.Polyphic2Import):
1282         (multiTable.VirtualImport):
1283         (const.wasmModuleWhichImportJS): Deleted.
1284         (const.makeTable): Deleted.
1285         (): Deleted.
1286         (Polyphic2Import): Deleted.
1287         (VirtualImport): Deleted.
1288         * wasm/js-api/table.js:
1289         (new.WebAssembly.Module):
1290         (assert.throws):
1291         (assertBadTableImport):
1292         (assert.truthy):
1293         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
1294         * wasm/references/anyref_table.js:
1295         * wasm/references/anyref_table_import.js:
1296         (makeImport):
1297         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1298         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1299         * wasm/references/func_ref.js:
1300         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
1301         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
1302         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
1303         * wasm/references/multitable.js: Added.
1304         (assert.throws.1.exports.set_tbl0):
1305         (assert.throws):
1306         (assert.eq):
1307         (string_appeared_here.tableInsanity):
1308         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
1309         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
1310         * wasm/references/validation.js:
1311         (assert.throws.new.WebAssembly.Module.bin):
1312         (assert.throws):
1313         * wasm/spec-tests/imports.wast.js:
1314         * wasm/wasm.json:
1315
1316 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
1317
1318         [ESNExt] String.prototype.matchAll
1319         https://bugs.webkit.org/show_bug.cgi?id=186694
1320
1321         Reviewed by Yusuke Suzuki.
1322
1323         Implement String.prototype.matchAll.
1324         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
1325
1326         * test262/config.yaml:
1327
1328 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
1329
1330         DFG code should not reify the names of builtin functions with private names
1331         https://bugs.webkit.org/show_bug.cgi?id=198849
1332         <rdar://problem/51733890>
1333
1334         Reviewed by Filip Pizlo.
1335
1336         * stress/builtin-private-function-name.js: Added.
1337         (then):
1338         (PromiseLike):
1339
1340 2019-06-18  Keith Miller  <keith_miller@apple.com>
1341
1342         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
1343         https://bugs.webkit.org/show_bug.cgi?id=198969
1344         <rdar://problem/51620714>
1345
1346         Reviewed by Tadeu Zagallo.
1347
1348         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
1349         (catch):
1350
1351 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1352
1353         Validate that table element type is funcref if using an element section
1354         https://bugs.webkit.org/show_bug.cgi?id=198910
1355
1356         Reviewed by Yusuke Suzuki.
1357
1358         * wasm/references/anyref_table.js:
1359
1360 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
1361
1362         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
1363         https://bugs.webkit.org/show_bug.cgi?id=197378
1364
1365         Reviewed by Saam Barati.
1366
1367         * stress/disposable-call-site-index-with-call-and-this.js: Added.
1368         (foo):
1369         (bar):
1370         * stress/disposable-call-site-index.js: Added.
1371         (foo):
1372         (bar):
1373
1374 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
1375
1376         [WASM-References] Add support for Funcref in parameters and return types
1377         https://bugs.webkit.org/show_bug.cgi?id=198157
1378
1379         Reviewed by Yusuke Suzuki.
1380
1381         * wasm/Builder.js:
1382         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1383         * wasm/references/anyref_globals.js:
1384         * wasm/references/func_ref.js: Added.
1385         (fullGC.gc.makeExportedFunction):
1386         (makeExportedIdent):
1387         (makeAnyfuncIdent):
1388         (fun):
1389         (assert.eq.instance.exports.fix.fun):
1390         (assert.eq.instance.exports.fix):
1391         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
1392         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
1393         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
1394         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
1395         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
1396         (assert.throws):
1397         (assert.throws.doTest):
1398         (let.importedFun.of):
1399         (makeAnyfuncIdent.fun):
1400         * wasm/references/validation.js:
1401         (assert.throws):
1402         * wasm/wasm.json:
1403
1404 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
1405
1406         Update test262 tests (2019.06.13)
1407         https://bugs.webkit.org/show_bug.cgi?id=198821
1408
1409         Reviewed by Konstantin Tokarev.
1410
1411         * test262/expectations.yaml:
1412         * test262/harness/:
1413         * test262/latest-changes-summary.txt:
1414         * test262/test/:
1415         * test262/test262-Revision.txt:
1416
1417 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
1418
1419         [JSC] Grown region of WasmTable should be initialized with null
1420         https://bugs.webkit.org/show_bug.cgi?id=198903
1421
1422         Reviewed by Saam Barati.
1423
1424         * wasm/stress/wasm-table-grow-initialize.js: Added.
1425         (shouldBe):
1426
1427 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
1428
1429         Yarr bytecode compilation failure should be gracefully handled
1430         https://bugs.webkit.org/show_bug.cgi?id=198700
1431
1432         Reviewed by Michael Saboff.
1433
1434         * stress/regexp-bytecode-compilation-fail.js: Added.
1435         (shouldThrow):
1436
1437 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
1438
1439         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
1440         https://bugs.webkit.org/show_bug.cgi?id=198770
1441
1442         Reviewed by Saam Barati.
1443
1444         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
1445         (test):
1446
1447 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1448
1449         JSC should throw if proxy set returns falsish in strict mode context
1450         https://bugs.webkit.org/show_bug.cgi?id=177398
1451
1452         Reviewed by Yusuke Suzuki.
1453
1454         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
1455         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
1456
1457         * stress/proxy-set.js: Add 2 test cases.
1458         * stress/regexp-match-proxy.js: Fix test.
1459         * stress/regexp-replace-proxy.js: Fix test.
1460
1461 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
1462
1463         Error message for non-callable Proxy `construct` trap is misleading
1464         https://bugs.webkit.org/show_bug.cgi?id=198637
1465
1466         Reviewed by Saam Barati.
1467
1468         * stress/proxy-construct.js:
1469
1470 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
1471
1472         AI BitURShift's result should not be unsigned
1473         https://bugs.webkit.org/show_bug.cgi?id=198689
1474         <rdar://problem/51550063>
1475
1476         Reviewed by Saam Barati.
1477
1478         * stress/urshift-int32-overflow.js: Added.
1479         (foo.):
1480         (foo):
1481
1482 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
1483
1484         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
1485
1486         Unreviewed gardening.
1487
1488         * stress/ftl-gettypedarrayoffset-wasteful.js:
1489         Skipped on arm/linux as it always times out on the bot since a change
1490         between r246270 and r246278 inclusive.
1491
1492 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
1493
1494         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
1495         https://bugs.webkit.org/show_bug.cgi?id=198023
1496
1497         Reviewed by Saam Barati.
1498
1499         * stress/reparsing-unlinked-codeblock.js: Added.
1500         (shouldBe):
1501         (hello):
1502
1503 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
1504
1505         [JSC] Use mergePrediction in ValuePow prediction propagation
1506         https://bugs.webkit.org/show_bug.cgi?id=198648
1507
1508         Reviewed by Saam Barati.
1509
1510         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
1511
1512 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
1513
1514         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
1515         https://bugs.webkit.org/show_bug.cgi?id=198581
1516         <rdar://problem/51099753>
1517
1518         Reviewed by Saam Barati.
1519
1520         * stress/global-object-proto-getter.js: Added.
1521         (f):
1522         (test):
1523
1524 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
1525
1526         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
1527         https://bugs.webkit.org/show_bug.cgi?id=198398
1528
1529         Reviewed by Saam Barati.
1530
1531         * wasm/references/anyref_table.js: Added.
1532         (string_appeared_here.doGCSet):
1533         (doGCTest):
1534         (doGCSet.doGCTest.let.count.0.doBarrierSet):
1535         * wasm/references/anyref_table_import.js: Added.
1536         (makeImport):
1537         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
1538         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
1539         * wasm/references/is_null_error.js: Removed.
1540         * wasm/references/validation.js: Added.
1541         (assert.throws.new.WebAssembly.Module.bin):
1542         (assert.throws):
1543         * wasm/wasm.json:
1544
1545 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
1546
1547         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
1548         https://bugs.webkit.org/show_bug.cgi?id=198106
1549
1550         Reviewed by Saam Barati.
1551
1552         * wasm/regress/selectf64.js: Added.
1553         * wasm/regress/selectf64.wasm: Added.
1554         * wasm/regress/selectf64.wat: Added.
1555
1556 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
1557
1558         Argument elimination should check transitive dependents for interference
1559         https://bugs.webkit.org/show_bug.cgi?id=198520
1560         <rdar://problem/50863343>
1561
1562         Reviewed by Filip Pizlo.
1563
1564         * stress/argument-elimination-inline-rest-past-kill.js: Added.
1565         (f2):
1566         (f3):
1567
1568 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
1569
1570         Argument elimination should check for negative indices in GetByVal
1571         https://bugs.webkit.org/show_bug.cgi?id=198302
1572         <rdar://problem/51188095>
1573
1574         Reviewed by Filip Pizlo.
1575
1576         * stress/eliminate-arguments-negative-rest-access.js: Added.
1577         (inlinee):
1578         (opt):
1579
1580 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
1581
1582         [ESNext][BigInt] Implement support for "**"
1583         https://bugs.webkit.org/show_bug.cgi?id=190799
1584
1585         Reviewed by Saam Barati.
1586
1587         * stress/big-int-exp-basic.js: Added.
1588         * stress/big-int-exp-jit-osr.js: Added.
1589         * stress/big-int-exp-jit-untyped.js: Added.
1590         * stress/big-int-exp-jit.js: Added.
1591         * stress/big-int-exp-negative-exponent.js: Added.
1592         * stress/big-int-exp-to-primitive.js: Added.
1593         * stress/big-int-exp-type-error.js: Added.
1594         * stress/big-int-exp-wrapped-value.js: Added.
1595         * stress/value-pow-ai-rule.js: Added.
1596
1597 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1598
1599         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
1600         https://bugs.webkit.org/show_bug.cgi?id=197979
1601
1602         Reviewed by Filip Pizlo.
1603
1604         * stress/16bit-code.js: Added.
1605         (shouldBe):
1606         * stress/32bit-code.js: Added.
1607         (shouldBe):
1608
1609 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
1610
1611         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
1612         https://bugs.webkit.org/show_bug.cgi?id=198355
1613
1614         Reviewed by Saam Barati.
1615
1616         * wasm/references/is_null.js:
1617
1618 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
1619
1620         [PlayStation] Skip additional tests on PlayStation
1621         https://bugs.webkit.org/show_bug.cgi?id=198352
1622
1623         Reviewed by Don Olmstead.
1624
1625         Skip pow test on PlayStation due to behavior difference in standard library.
1626         Skip incremental marking test due to OOM on PlayStation systems.
1627
1628         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
1629         * stress/math-pow-with-constants.js:
1630         * stress/pow-with-constants.js:
1631
1632 2019-05-28  Dean Jackson  <dino@apple.com>
1633
1634         Implement Promise.allSettled
1635         https://bugs.webkit.org/show_bug.cgi?id=197600
1636         <rdar://problem/50483885>
1637
1638         Reviewed by Keith Miller.
1639
1640         Start testing Promise.allSettled. We pass most of the tests.
1641         The ones that fail are similar to the Promise.all tests we already fail.
1642
1643         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
1644         * test262/expectations.yaml: Add new expectations for allSettled tests.
1645
1646 2019-05-28  Michael Saboff  <msaboff@apple.com>
1647
1648         [YARR] Properly handle RegExp's that require large ParenContext space
1649         https://bugs.webkit.org/show_bug.cgi?id=198065
1650
1651         Reviewed by Keith Miller.
1652
1653         New test.
1654
1655         * stress/regexp-large-paren-context.js: Added.
1656         (testLargeRegExp):
1657
1658 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
1659
1660         JITOperations putByVal should mark negative array indices as out-of-bounds
1661         https://bugs.webkit.org/show_bug.cgi?id=198271
1662
1663         Reviewed by Saam Barati.
1664
1665         * microbenchmarks/get-by-val-negative-array-index.js:
1666         (foo):
1667         Update the getByVal microbenchmark added in r245769. This now shows that r245769
1668         is 4.2x faster than the previous commit.
1669
1670         * microbenchmarks/put-by-val-negative-array-index.js: Added.
1671         (foo):
1672
1673 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
1674
1675         JITOperations getByVal should mark negative array indices as out-of-bounds
1676         https://bugs.webkit.org/show_bug.cgi?id=198229
1677
1678         Reviewed by Saam Barati.
1679
1680         * microbenchmarks/get-by-val-negative-array-index.js: Added.
1681         (foo):
1682
1683 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
1684
1685         [WASM-References] Support Anyref in globals
1686         https://bugs.webkit.org/show_bug.cgi?id=198102
1687
1688         Reviewed by Saam Barati.
1689
1690         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
1691
1692         * wasm/Builder.js:
1693         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1694         * wasm/Builder_WebAssemblyBinary.js:
1695         (const.putInitExpr):
1696         * wasm/references/anyref_globals.js: Added.
1697         (GetGlobal.0.End.End.WebAssembly):
1698         (5.doGCSet):
1699         (doGCTest):
1700         (doGCSet.doGCTest.let.count.0.doBarrierSet):
1701
1702 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
1703
1704         DFG::OSREntry should not perform arity check
1705         https://bugs.webkit.org/show_bug.cgi?id=198189
1706
1707         Reviewed by Saam Barati.
1708
1709         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
1710         (foo):
1711
1712 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
1713
1714         [PlayStation] Skip additional tests on PlayStation
1715         https://bugs.webkit.org/show_bug.cgi?id=198145
1716
1717         Reviewed by Ross Kirsling.
1718
1719         * exceptionFuzz.yaml:
1720         Add skip on hostOS playstation
1721         * executableAllocationFuzz.yaml:
1722         Add skip on hostOS playstation
1723
1724 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
1725
1726         createListFromArrayLike should throw if value is not an object
1727         https://bugs.webkit.org/show_bug.cgi?id=198138
1728
1729         Reviewed by Yusuke Suzuki.
1730
1731         * stress/create-list-from-array-like-not-object.js: Added.
1732         (testValid):
1733         (testInvalid):
1734         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
1735         (opt):
1736         * stress/proxy-proto-enumerator.js: Added.
1737         (main):
1738         * stress/proxy-proto-own-keys.js: Added.
1739         (assert):
1740         (ownKeys):
1741
1742 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1743
1744         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
1745         https://bugs.webkit.org/show_bug.cgi?id=197809
1746
1747         Reviewed by Michael Saboff.
1748
1749         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
1750         (foo):
1751
1752 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
1753
1754         [ESNext] Implement support for Numeric Separators
1755         https://bugs.webkit.org/show_bug.cgi?id=196351
1756
1757         Reviewed by Keith Miller.
1758
1759         * stress/numeric-literal-separators.js: Added.
1760         Add tests for feature.
1761
1762         * test262/expectations.yaml:
1763         Mark 60 test cases as passing.
1764
1765 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
1766
1767         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
1768         https://bugs.webkit.org/show_bug.cgi?id=198120
1769         <rdar://problem/49668795>
1770
1771         Reviewed by Michael Saboff.
1772
1773         * stress/get-array-length-concurrently-change-mode.js: Added.
1774         (main):
1775
1776 2019-05-22  Commit Queue  <commit-queue@webkit.org>
1777
1778         Unreviewed, rolling out r245634.
1779         https://bugs.webkit.org/show_bug.cgi?id=198140
1780
1781         'This patch makes JSC crash on launch in debug builds'
1782         (Requested by tadeuzagallo on #webkit).
1783
1784         Reverted changeset:
1785
1786         "[ESNext] Implement support for Numeric Separators"
1787         https://bugs.webkit.org/show_bug.cgi?id=196351
1788         https://trac.webkit.org/changeset/245634
1789
1790 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
1791
1792         Stack-buffer-overflow in decodeURIComponent
1793         https://bugs.webkit.org/show_bug.cgi?id=198109
1794         <rdar://problem/50397550>
1795
1796         Reviewed by Michael Saboff.
1797
1798         * stress/decode-uri-icu-count-trail-bytes.js: Added.
1799         (i.j.try.i.toString):
1800         (i.j.catch):
1801
1802 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1803
1804         Don't clear PropertyNameArray in Proxy code
1805         https://bugs.webkit.org/show_bug.cgi?id=197691
1806
1807         Reviewed by Saam Barati.
1808
1809         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
1810         (shouldBe):
1811         (opt):
1812
1813 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
1814
1815         [ESNext] Implement support for Numeric Separators
1816         https://bugs.webkit.org/show_bug.cgi?id=196351
1817
1818         Reviewed by Keith Miller.
1819
1820         * stress/numeric-literal-separators.js: Added.
1821         Add tests for feature.
1822
1823         * test262/expectations.yaml:
1824         Mark 60 test cases as passing.
1825
1826 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
1827
1828         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
1829         https://bugs.webkit.org/show_bug.cgi?id=198101
1830
1831         Reviewed by Michael Saboff.
1832
1833         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
1834         (shouldBe):
1835
1836 2019-05-20  Keith Miller  <keith_miller@apple.com>
1837
1838         Cleanup Yarr regexp code around paren contexts.
1839         https://bugs.webkit.org/show_bug.cgi?id=198063
1840
1841         Reviewed by Yusuke Suzuki.
1842
1843         * stress/regexp-many-named-sequential-capture-groups.js: Added.
1844         (i.s):
1845         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
1846
1847 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
1848
1849         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
1850         https://bugs.webkit.org/show_bug.cgi?id=197969
1851
1852         Reviewed by Keith Miller.
1853
1854         Support the anyref type in Builder.js, plus add some extra error logging.
1855         Add new folder for wasm references tests.
1856
1857         * wasm.yaml:
1858         * wasm/Builder.js:
1859         (const._isValidValue):
1860         * wasm/references/anyref_modules.js: Added.
1861         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
1862         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
1863         (Call.3.RefIsNull.End.End.WebAssembly):
1864         (undefined):
1865         * wasm/references/is_null.js: Added.
1866         * wasm/references/is_null_error.js: Added.
1867         * wasm/spec-harness/index.js:
1868         * wasm/wasm.json:
1869
1870 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
1871
1872         [JSC] Invalid AssignmentTargetType should be an early error.
1873         https://bugs.webkit.org/show_bug.cgi?id=197603
1874
1875         Reviewed by Keith Miller.
1876
1877         * test262/expectations.yaml:
1878         Update expectations to reflect new SyntaxErrors.
1879         (Ideally, these should all be viewed as passing in the near future.)
1880
1881         * stress/async-await-basic.js:
1882         * stress/big-int-literals.js:
1883         Update tests to reflect new SyntaxErrors.
1884
1885         * ChakraCore.yaml:
1886         * ChakraCore/test/EH/try6.baseline-jsc:
1887         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
1888         Update baselines to reflect new SyntaxErrors.
1889
1890 2019-05-15  Saam Barati  <sbarati@apple.com>
1891
1892         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
1893         https://bugs.webkit.org/show_bug.cgi?id=197855
1894         <rdar://problem/50236506>
1895
1896         Reviewed by Michael Saboff.
1897
1898         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
1899         (f0):
1900         (bar):
1901         (foo):
1902         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
1903         (f1):
1904         (f2):
1905         (foo):
1906
1907 2019-05-14  Keith Miller  <keith_miller@apple.com>
1908
1909         Fix issue with byteOffset on ARM64E
1910         https://bugs.webkit.org/show_bug.cgi?id=197884
1911
1912         Reviewed by Saam Barati.
1913
1914         We didn't have any tests that run with non-byte/non-zero offset
1915         typed arrays.
1916
1917         * stress/ftl-gettypedarrayoffset-wasteful.js:
1918
1919 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
1920
1921         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
1922         https://bugs.webkit.org/show_bug.cgi?id=197833
1923
1924         Reviewed by Darin Adler.
1925
1926         * stress/generator-name.js: Added.
1927         (shouldBe):
1928         (gen):
1929         (catch):
1930
1931 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
1932
1933         JSObject::getOwnPropertyDescriptor is missing an exception check
1934         https://bugs.webkit.org/show_bug.cgi?id=197693
1935         <rdar://problem/50441784>
1936
1937         Reviewed by Saam Barati.
1938
1939         * stress/proxy-spread.js: Added.
1940         (foo):
1941
1942 2019-05-10  Saam barati  <sbarati@apple.com>
1943
1944         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
1945         https://bugs.webkit.org/show_bug.cgi?id=197807
1946         <rdar://problem/50530400>
1947
1948         Reviewed by Yusuke Suzuki.
1949
1950         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
1951         (test.getInstance):
1952         (test):
1953
1954 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
1955
1956         [Test262] Unreviewed expectations update following r245188.
1957
1958         * test262/config.yaml:
1959         * test262/expectations.yaml:
1960
1961         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
1962         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
1963         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
1964         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
1965         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
1966         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
1967         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
1968         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
1969         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
1970         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
1971         These files have invalid YAML comments. Will also submit corrections back to Test262.
1972
1973 2019-05-10  Keith Miller  <keith_miller@apple.com>
1974
1975         Update test262 tests.
1976
1977         Rubber-stamped by Yusuke Suzuki.
1978
1979         * test262/*: mega-patch too many things to list individually.
1980
1981 2019-05-09  Keith Miller  <keith_miller@apple.com>
1982
1983         Unreview, fix test to have a try-catch.
1984
1985         * stress/many-nested-functions-parser-stack-overflow.js:
1986         (catch):
1987
1988 2019-05-09  Keith Miller  <keith_miller@apple.com>
1989
1990         parseStatementListItem needs a stack overflow check
1991         https://bugs.webkit.org/show_bug.cgi?id=197749
1992
1993         Reviewed by Saam Barati.
1994
1995         * stress/many-nested-functions-parser-stack-overflow.js: Added.
1996
1997 2019-05-08  Saam barati  <sbarati@apple.com>
1998
1999         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2000         https://bugs.webkit.org/show_bug.cgi?id=197715
2001         <rdar://problem/50399252>
2002
2003         Reviewed by Filip Pizlo.
2004
2005         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2006         (foo):
2007         (bar):
2008
2009 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2010
2011         Unreviewed, rolling out r245068.
2012
2013         Caused debug layout tests to exit early due to an assertion
2014         failure.
2015
2016         Reverted changeset:
2017
2018         "All prototypes should call didBecomePrototype()"
2019         https://bugs.webkit.org/show_bug.cgi?id=196315
2020         https://trac.webkit.org/changeset/245068
2021
2022 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2023
2024         Invalid DFG JIT genereation in high CPU usage state
2025         https://bugs.webkit.org/show_bug.cgi?id=197453
2026
2027         Reviewed by Saam Barati.
2028
2029         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2030         (trigger):
2031         (main):
2032
2033 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2034
2035         All prototypes should call didBecomePrototype()
2036         https://bugs.webkit.org/show_bug.cgi?id=196315
2037
2038         Reviewed by Saam Barati.
2039
2040         This changelog already landed, but the commit was missing the actual changes.
2041
2042         * stress/function-prototype-indexed-accessor.js: Added.
2043
2044 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2045
2046         [BigInt] Add ValueMod into DFG
2047         https://bugs.webkit.org/show_bug.cgi?id=186174
2048
2049         Reviewed by Saam Barati.
2050
2051         * microbenchmarks/mod-untyped.js: Added.
2052         * stress/big-int-mod-osr.js: Added.
2053         * stress/value-div-ai-rule.js: Added.
2054         * stress/value-mod-ai-rule.js: Added.
2055
2056 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2057
2058         [JSC] DFG_ASSERT failed in lowInt52
2059         https://bugs.webkit.org/show_bug.cgi?id=197569
2060
2061         Reviewed by Saam Barati.
2062
2063         * stress/getstack-int52.js: Added.
2064         (opt):
2065         (main):
2066
2067 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2068
2069         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2070         https://bugs.webkit.org/show_bug.cgi?id=197479
2071
2072         Reviewed by Saam Barati.
2073
2074         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2075         (shouldBe):
2076
2077 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2078
2079         TemplateObject passed to template literal tags are not always identical for the same source location.
2080         https://bugs.webkit.org/show_bug.cgi?id=190756
2081
2082         Reviewed by Saam Barati.
2083
2084         * complex.yaml:
2085         * complex/tagged-template-regeneration-after.js: Added.
2086         (shouldBe):
2087         * complex/tagged-template-regeneration.js: Added.
2088         (call):
2089         (test):
2090         * modules/tagged-template-inside-module.js: Added.
2091         (from.string_appeared_here.call):
2092         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2093         (call):
2094         (export.otherTaggedTemplates):
2095         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2096         (shouldBe):
2097         (call):
2098         (poly):
2099         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2100         (shouldBe):
2101         (call):
2102         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2103         (shouldBe):
2104         (call):
2105         (test):
2106         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2107         (shouldBe):
2108         (call):
2109         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2110         (shouldBe):
2111         (call):
2112         * stress/tagged-templates-in-multiple-functions.js: Added.
2113         (shouldBe):
2114         (call):
2115         (a):
2116         (b):
2117         (c):
2118         * stress/tagged-templates-with-same-start-offset.js: Added.
2119         (shouldBe):
2120
2121 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2122
2123         All prototypes should call didBecomePrototype()
2124         https://bugs.webkit.org/show_bug.cgi?id=196315
2125
2126         Reviewed by Saam Barati.
2127
2128         * stress/function-prototype-indexed-accessor.js: Added.
2129
2130 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2131
2132         Unreviewed, rolling out r244978.
2133         https://bugs.webkit.org/show_bug.cgi?id=197671
2134
2135         TemplateObject map should use start/end offsets (Requested by
2136         yusukesuzuki on #webkit).
2137
2138         Reverted changeset:
2139
2140         "TemplateObject passed to template literal tags are not always
2141         identical for the same source location."
2142         https://bugs.webkit.org/show_bug.cgi?id=190756
2143         https://trac.webkit.org/changeset/244978
2144
2145 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2146
2147         tryCachePutByID should not crash if target offset changes
2148         https://bugs.webkit.org/show_bug.cgi?id=197311
2149         <rdar://problem/48033612>
2150
2151         Reviewed by Filip Pizlo.
2152
2153         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
2154         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
2155
2156         * stress/cache-put-by-id-delete-prototype.js: Added.
2157         (A.prototype.set y):
2158         (A):
2159         (B.prototype.set y):
2160         (B):
2161         (C):
2162         * stress/cache-put-by-id-different-__proto__.js: Added.
2163         (A.prototype.set y):
2164         (A):
2165         (B1):
2166         (B2.prototype.set y):
2167         (B2):
2168         (C):
2169         (D):
2170         * stress/cache-put-by-id-different-attributes.js: Added.
2171         (Foo):
2172         (set x):
2173         * stress/cache-put-by-id-different-offset.js: Added.
2174         (Foo):
2175         (set x):
2176         * stress/cache-put-by-id-insert-prototype.js: Added.
2177         (A.prototype.set y):
2178         (A):
2179         (C):
2180         * stress/cache-put-by-id-poly-proto.js: Added.
2181         (Foo):
2182         (set _):
2183         (createBar.Bar):
2184         (createBar):
2185
2186 2019-05-07  Saam Barati  <sbarati@apple.com>
2187
2188         Don't OSR enter into an FTL CodeBlock that has been jettisoned
2189         https://bugs.webkit.org/show_bug.cgi?id=197531
2190         <rdar://problem/50162379>
2191
2192         Reviewed by Yusuke Suzuki.
2193
2194         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2195
2196 2019-05-06  Dean Jackson  <dino@apple.com>
2197
2198         Update test262 expectations for Proxy passes
2199         https://bugs.webkit.org/show_bug.cgi?id=197628
2200
2201         Reviewed by Yusuke Suzuki.
2202
2203         There are two consistent passes in Proxy.ownKeys.
2204
2205         * test262/expectations.yaml:
2206
2207 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2208
2209         [JSC] We should check OOM for description string of Symbol
2210         https://bugs.webkit.org/show_bug.cgi?id=197634
2211
2212         Reviewed by Keith Miller.
2213
2214         * stress/check-symbol-description-oom.js: Added.
2215         (shouldThrow):
2216
2217 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2218
2219         Unreviewed, land one more test
2220         https://bugs.webkit.org/show_bug.cgi?id=197587
2221
2222         * stress/setter-frame-flush.js: Added.
2223         (setter):
2224         (foo):
2225         (bar):
2226
2227 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2228
2229         TemplateObject passed to template literal tags are not always identical for the same source location.
2230         https://bugs.webkit.org/show_bug.cgi?id=190756
2231
2232         Reviewed by Saam Barati.
2233
2234         * complex.yaml:
2235         * complex/tagged-template-regeneration-after.js: Added.
2236         (shouldBe):
2237         * complex/tagged-template-regeneration.js: Added.
2238         (call):
2239         (test):
2240         * modules/tagged-template-inside-module.js: Added.
2241         (from.string_appeared_here.call):
2242         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2243         (call):
2244         (export.otherTaggedTemplates):
2245         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2246         (shouldBe):
2247         (call):
2248         (poly):
2249         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2250         (shouldBe):
2251         (call):
2252         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2253         (shouldBe):
2254         (call):
2255         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2256         (shouldBe):
2257         (call):
2258         * stress/tagged-templates-in-multiple-functions.js: Added.
2259         (shouldBe):
2260         (call):
2261         (a):
2262         (b):
2263         (c):
2264
2265 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
2266
2267         [PlayStation] JSC Stress tests failing due to timezone printing
2268         https://bugs.webkit.org/show_bug.cgi?id=197615
2269
2270         PlayStation's strftime does not give timezone strings, which
2271         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
2272         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
2273         which causes diff failures with the expectations. Add expectations
2274         without the timezone string and use those on playstation.
2275
2276         Reviewed by Ross Kirsling.
2277
2278         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
2279         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
2280         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
2281         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
2282
2283 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2284
2285         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
2286         https://bugs.webkit.org/show_bug.cgi?id=197587
2287
2288         Reviewed by Sam Weinig.
2289
2290         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
2291
2292         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
2293
2294 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
2295
2296         TypedArrays should not store properties that are canonical numeric indices
2297         https://bugs.webkit.org/show_bug.cgi?id=197228
2298         <rdar://problem/49557381>
2299
2300         Reviewed by Saam Barati.
2301
2302         * stress/array-species-config-array-constructor.js:
2303         (test):
2304         * stress/put-direct-index-broken-2.js:
2305         * stress/typed-array-canonical-numeric-index-string.js: Added.
2306         (makeTest.assert):
2307         (makeTest):
2308         (const.testInvalidIndices.makeTest.set assert):
2309         (const.testInvalidIndices.makeTest):
2310         (const.makeTestValidIndex.configurable.set assert):
2311         (const.makeTestValidIndex.configurable):
2312         * stress/typedarray-access-monomorphic-neutered.js:
2313         (checkNoException):
2314         (testNoException):
2315         (testFTLNoException):
2316         * stress/typedarray-access-neutered.js:
2317         (testNoException):
2318         * stress/typedarray-getownproperty-not-configurable.js:
2319         (foo):
2320         * test262/expectations.yaml:
2321
2322 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2323
2324         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
2325         https://bugs.webkit.org/show_bug.cgi?id=197584
2326
2327         Reviewed by Saam Barati.
2328
2329         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
2330         (X):
2331         (foo):
2332
2333 2019-05-03  Michael Saboff  <msaboff@apple.com>
2334
2335         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
2336         https://bugs.webkit.org/show_bug.cgi?id=197586
2337
2338         Reviewed by Keith Miller.
2339
2340         We should only run one config of this test and only when we think we'll have the memory.
2341
2342         * stress/json-stringify-string-builder-overflow.js:
2343
2344 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
2345
2346         [JSC] Generator CodeBlock generation should be idempotent
2347         https://bugs.webkit.org/show_bug.cgi?id=197552
2348
2349         Reviewed by Keith Miller.
2350
2351         Add complex.yaml, which controls how to run JSC shell more.
2352         We split test files into two to run macro task between them which allows debugger to be attached to VM.
2353
2354         * complex.yaml: Added.
2355         * complex/generator-regeneration-after.js: Added.
2356         * complex/generator-regeneration.js: Added.
2357         (gen):
2358
2359 2019-05-02  Michael Saboff  <msaboff@apple.com>
2360
2361         Unreviewed rollout of r244862.
2362
2363         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
2364
2365 2019-05-01  Saam barati  <sbarati@apple.com>
2366
2367         Baseline JIT should do argument value profiling after checking for stack overflow
2368         https://bugs.webkit.org/show_bug.cgi?id=197052
2369         <rdar://problem/50009602>
2370
2371         Reviewed by Yusuke Suzuki.
2372
2373         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
2374
2375 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
2376
2377         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
2378         https://bugs.webkit.org/show_bug.cgi?id=197405
2379
2380         Reviewed by Saam Barati.
2381
2382         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
2383         (foo):
2384         (test):
2385         (i.o.get f):
2386         (i.o.set f):
2387
2388 2019-05-01  Michael Saboff  <msaboff@apple.com>
2389
2390         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
2391         https://bugs.webkit.org/show_bug.cgi?id=197485
2392
2393         Reviewed by Saam Barati.
2394
2395         New test.
2396
2397         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
2398         (foo):
2399
2400 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
2401
2402         Unreviewed correction to Test262 expectations following r244828.
2403
2404         * test262/expectations.yaml:
2405
2406 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
2407
2408         Add memory-limited skipping to some tests generating very large strings
2409         https://bugs.webkit.org/show_bug.cgi?id=197437
2410
2411         Reviewed by Ross Kirsling.
2412
2413         * stress/StringObject-define-length-getter-rope-string-oom.js:
2414         * stress/create-error-out-of-memory-rope-string.js:
2415         * stress/string-16bit-repeat-overflow.js:
2416
2417 2019-04-30  Commit Queue  <commit-queue@webkit.org>
2418
2419         Unreviewed, rolling out r244806.
2420         https://bugs.webkit.org/show_bug.cgi?id=197446
2421
2422         Causing Test262 and JSC test failures on multiple builds
2423         (Requested by ShawnRoberts on #webkit).
2424
2425         Reverted changeset:
2426
2427         "TypeArrays should not store properties that are canonical
2428         numeric indices"
2429         https://bugs.webkit.org/show_bug.cgi?id=197228
2430         https://trac.webkit.org/changeset/244806
2431
2432 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
2433
2434         TypeArrays should not store properties that are canonical numeric indices
2435         https://bugs.webkit.org/show_bug.cgi?id=197228
2436         <rdar://problem/49557381>
2437
2438         Reviewed by Darin Adler.
2439
2440         * stress/typed-array-canonical-numeric-index-string.js: Added.
2441         (makeTest.assert):
2442         (makeTest):
2443         (const.testInvalidIndices.makeTest.set assert):
2444         (const.testInvalidIndices.makeTest):
2445         (const.testValidIndices.makeTest.set assert):
2446         (const.testValidIndices.makeTest):
2447
2448 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
2449
2450         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
2451         https://bugs.webkit.org/show_bug.cgi?id=197362
2452
2453         Reviewed by Saam Barati.
2454
2455         * stress/map-with-nan.js: Added.
2456         (shouldBe):
2457         (div):
2458         (NaN1):
2459         (NaN2):
2460         (NaN3):
2461         (NaN4):
2462         (NaN1NoInline):
2463         (NaN2NoInline):
2464         (NaN3NoInline):
2465         (NaN4NoInline):
2466         (test1):
2467         (test2):
2468         (test3):
2469         (test4):
2470         * stress/set-with-nan.js: Added.
2471         (shouldBe):
2472         (div):
2473         (NaN1):
2474         (NaN2):
2475         (NaN3):
2476         (NaN4):
2477         (NaN1NoInline):
2478         (NaN2NoInline):
2479         (NaN3NoInline):
2480         (NaN4NoInline):
2481         (test2):
2482         (test4):
2483
2484 2019-04-26  Commit Queue  <commit-queue@webkit.org>
2485
2486         Unreviewed, rolling out r244708.
2487         https://bugs.webkit.org/show_bug.cgi?id=197334
2488
2489         "Broke the debug build" (Requested by rmorisset on #webkit).
2490
2491         Reverted changeset:
2492
2493         "All prototypes should call didBecomePrototype()"
2494         https://bugs.webkit.org/show_bug.cgi?id=196315
2495         https://trac.webkit.org/changeset/244708
2496
2497 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
2498
2499         [JSC] linkPolymorphicCall now does GC
2500         https://bugs.webkit.org/show_bug.cgi?id=197306
2501
2502         Reviewed by Saam Barati.
2503
2504         * stress/link-polymorphic-call-can-gc.js: Added.
2505         (module):
2506         (instance):
2507
2508 2019-04-26  Robin Morisset  <rmorisset@apple.com>
2509
2510         All prototypes should call didBecomePrototype()
2511         https://bugs.webkit.org/show_bug.cgi?id=196315
2512
2513         Reviewed by Saam Barati.
2514
2515         * stress/function-prototype-indexed-accessor.js: Added.
2516
2517 2019-04-23  Saam Barati  <sbarati@apple.com>
2518
2519         LICM incorrectly assumes it'll never insert a node which provably OSR exits
2520         https://bugs.webkit.org/show_bug.cgi?id=196721
2521         <rdar://problem/49556479> 
2522
2523         Reviewed by Filip Pizlo.
2524
2525         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
2526         (foo):
2527
2528 2019-04-19  Saam Barati  <sbarati@apple.com>
2529
2530         AbstractValue can represent more than int52
2531         https://bugs.webkit.org/show_bug.cgi?id=197118
2532         <rdar://problem/49969960>
2533
2534         Reviewed by Michael Saboff.
2535
2536         * stress/abstract-value-can-include-int52.js: Added.
2537         (foo):
2538         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
2539
2540 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
2541
2542         [WTF] StringBuilder should set correct m_is8Bit flag when merging
2543         https://bugs.webkit.org/show_bug.cgi?id=197053
2544
2545         Reviewed by Saam Barati.
2546
2547         * stress/merge-string-builder-in-dfg.js: Added.
2548         (foo):
2549
2550 2019-04-16  Caitlin Potter  <caitp@igalia.com>
2551
2552         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2553         https://bugs.webkit.org/show_bug.cgi?id=176810
2554
2555         Reviewed by Saam Barati.
2556
2557         Add tests for the DontEnum filtering, and variations of other tests
2558         take the DontEnum-filtering path.
2559
2560         * stress/proxy-own-keys.js:
2561         (i.catch):
2562         (set assert):
2563         (set add):
2564         (let.set new):
2565         (get let):
2566
2567 2019-04-15  Saam barati  <sbarati@apple.com>
2568
2569         Modify how we do SetArgument when we inline varargs calls
2570         https://bugs.webkit.org/show_bug.cgi?id=196712
2571         <rdar://problem/49605012>
2572
2573         Reviewed by Michael Saboff.
2574
2575         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
2576         (foo):
2577
2578 2019-04-15  Saam barati  <sbarati@apple.com>
2579
2580         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
2581         https://bugs.webkit.org/show_bug.cgi?id=196945
2582         <rdar://problem/49802750>
2583
2584         Reviewed by Filip Pizlo.
2585
2586         * stress/get-by-offset-should-use-correct-child.js: Added.
2587         (foo.bar):
2588         (foo):
2589
2590 2019-04-15  Robin Morisset  <rmorisset@apple.com>
2591
2592         DFG should be able to constant fold Object.create() with a constant prototype operand
2593         https://bugs.webkit.org/show_bug.cgi?id=196886
2594
2595         Reviewed by Yusuke Suzuki.
2596
2597         Note that this new benchmark does not currently see a speedup with inlining removed.
2598         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
2599
2600         * microbenchmarks/object-create-constant-prototype.js: Added.
2601         (test):
2602
2603 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
2604
2605         Incremental bytecode cache should not append function updates when loaded from memory
2606         https://bugs.webkit.org/show_bug.cgi?id=196865
2607
2608         Reviewed by Filip Pizlo.
2609
2610         * stress/bytecode-cache-shared-code-block.js: Added.
2611         (b):
2612         (program):
2613
2614 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
2615
2616         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
2617         https://bugs.webkit.org/show_bug.cgi?id=196880
2618
2619         Reviewed by Yusuke Suzuki.
2620
2621         * stress/bytecode-cache-syntax-error.js: Added.
2622         (catch):
2623
2624 2019-04-12  Saam barati  <sbarati@apple.com>
2625
2626         r244079 logically broke shouldSpeculateInt52
2627         https://bugs.webkit.org/show_bug.cgi?id=196884
2628
2629         Reviewed by Yusuke Suzuki.
2630
2631         * microbenchmarks/int52-rand-function.js: Added.
2632         (Math.random):
2633
2634 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
2635
2636         [JSC] op_has_indexed_property should not assume subscript part is Uint32
2637         https://bugs.webkit.org/show_bug.cgi?id=196850
2638
2639         Reviewed by Saam Barati.
2640
2641         * stress/has-indexed-property-should-accept-non-int32.js: Added.
2642         (foo):
2643
2644 2019-04-11  Saam barati  <sbarati@apple.com>
2645
2646         Remove invalid assertion in operationInstanceOfCustom
2647         https://bugs.webkit.org/show_bug.cgi?id=196842
2648         <rdar://problem/49725493>
2649
2650         Reviewed by Michael Saboff.
2651
2652         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
2653
2654 2019-04-10  Saam Barati  <sbarati@apple.com>
2655
2656         AbstractValue::validateOSREntryValue is wrong for Int52 constants
2657         https://bugs.webkit.org/show_bug.cgi?id=196801
2658         <rdar://problem/49771122>
2659
2660         Reviewed by Yusuke Suzuki.
2661
2662         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
2663
2664 2019-04-10  Robin Morisset  <rmorisset@apple.com>
2665
2666         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
2667         https://bugs.webkit.org/show_bug.cgi?id=196746
2668
2669         Reviewed by Yusuke Suzuki.
2670
2671         * stress/cyclic-define-properties.js: Added.
2672         (foo):
2673
2674 2019-04-09  Saam barati  <sbarati@apple.com>
2675
2676         Clean up Int52 code and some bugs in it
2677         https://bugs.webkit.org/show_bug.cgi?id=196639
2678         <rdar://problem/49515757>
2679
2680         Reviewed by Yusuke Suzuki.
2681
2682         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
2683
2684 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
2685
2686         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
2687         https://bugs.webkit.org/show_bug.cgi?id=196708
2688         <rdar://problem/49556803>
2689
2690         Reviewed by Yusuke Suzuki.
2691
2692         * stress/proxy-getter-stack-overflow.js: Added.
2693         (const.handler.get target):
2694         (const.handler.has):
2695         (try.with):
2696         (catch):
2697
2698 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2699
2700         [JSC] DFG should respect node's strict flag
2701         https://bugs.webkit.org/show_bug.cgi?id=196617
2702
2703         Reviewed by Saam Barati.
2704
2705         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
2706         (shouldEqual):
2707         (makeUnwriteableUnconfigurableObject):
2708         (runTest):
2709         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
2710         (shouldBe):
2711         (shouldThrow):
2712         (with.result):
2713         (with.putValueStrict):
2714         (with.putValueSloppy):
2715
2716 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2717
2718         [JSC] isRope jump in StringSlice should not jump over register allocations
2719         https://bugs.webkit.org/show_bug.cgi?id=196716
2720
2721         Reviewed by Saam Barati.
2722
2723         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
2724         (foo.bar):
2725         (foo):
2726
2727 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2728
2729         [JSC] to_index_string should not assume incoming value is Uint32
2730         https://bugs.webkit.org/show_bug.cgi?id=196713
2731
2732         Reviewed by Saam Barati.
2733
2734         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
2735         (foo):
2736
2737 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2738
2739         [JSC] Add more tests for r243966
2740         https://bugs.webkit.org/show_bug.cgi?id=196711
2741
2742         Reviewed by Saam Barati.
2743
2744         Adding one more test for r243966 fix. The added test will not crash after r243966.
2745
2746         * stress/stress-cleared-calllinkinfo.js: Added.
2747         (runNearStackLimit.t):
2748         (runNearStackLimit):
2749         (repeat):
2750         (cls):
2751         (let.item.of.array.runNearStackLimit):
2752
2753 2019-04-08  Saam Barati  <sbarati@apple.com>
2754
2755         WebAssembly.RuntimeError missing exception check
2756         https://bugs.webkit.org/show_bug.cgi?id=196700
2757         <rdar://problem/49693932>
2758
2759         Reviewed by Yusuke Suzuki.
2760
2761         * wasm/js-api/runtime-error-should-exception-check.js: Added.
2762
2763 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
2764
2765         Unreviewed, rolling in r243948 with test fix
2766         https://bugs.webkit.org/show_bug.cgi?id=196486
2767
2768         * stress/arrow-function-and-use-strict-directive.js: Added.
2769         * stress/arrow-function-syntax.js: Added.
2770         (checkSyntax):
2771         (checkSyntaxError):
2772
2773 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2774
2775         Unreviewed, rolling out r243948.
2776
2777         Caused inspector/runtime/parse.html to fail
2778
2779         Reverted changeset:
2780
2781         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
2782         https://bugs.webkit.org/show_bug.cgi?id=196486
2783         https://trac.webkit.org/changeset/243948
2784
2785 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
2786
2787         Unreviewed, rolling out r243943.
2788
2789         Caused test262 failures.
2790
2791         Reverted changeset:
2792
2793         "[JSC] Filter DontEnum properties in
2794         ProxyObject::getOwnPropertyNames()"
2795         https://bugs.webkit.org/show_bug.cgi?id=176810
2796         https://trac.webkit.org/changeset/243943
2797
2798 2019-04-07  Michael Saboff  <msaboff@apple.com>
2799
2800         REGRESSION (r243642): Crash in reddit.com page
2801         https://bugs.webkit.org/show_bug.cgi?id=196684
2802
2803         Reviewed by Geoffrey Garen.
2804
2805         New regression test.
2806
2807         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
2808
2809 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
2810
2811         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
2812         https://bugs.webkit.org/show_bug.cgi?id=196683
2813
2814         Reviewed by Saam Barati.
2815
2816         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
2817         (foo):
2818
2819 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2820
2821         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
2822         https://bugs.webkit.org/show_bug.cgi?id=196582
2823
2824         Reviewed by Saam Barati.
2825
2826         * stress/add-overflow-check-with-three-same-registers.js: Added.
2827         (foo):
2828         (Number.prototype.valueOf):
2829         (runWithNumber):
2830
2831 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
2832
2833         Unreviewed, rolling out r243665.
2834
2835         Caused iOS JSC tests to exit with an exception.
2836
2837         Reverted changeset:
2838
2839         "Assertion failed in JSC::createError"
2840         https://bugs.webkit.org/show_bug.cgi?id=196305
2841         https://trac.webkit.org/changeset/243665
2842
2843 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
2844
2845         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
2846         https://bugs.webkit.org/show_bug.cgi?id=196486
2847
2848         Reviewed by Saam Barati.
2849
2850         * stress/arrow-function-and-use-strict-directive.js: Added.
2851         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
2852         (checkSyntax):
2853         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
2854
2855 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2856
2857         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
2858         https://bugs.webkit.org/show_bug.cgi?id=176810
2859
2860         Reviewed by Saam Barati.
2861
2862         Add tests for the DontEnum filtering, and variations of other tests
2863         take the DontEnum-filtering path.
2864
2865         * stress/proxy-own-keys.js:
2866         (i.catch):
2867         (set assert):
2868         (set add):
2869         (let.set new):
2870         (get let):
2871
2872 2019-04-05  Caitlin Potter  <caitp@igalia.com>
2873
2874         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
2875         https://bugs.webkit.org/show_bug.cgi?id=185211
2876
2877         Reviewed by Saam Barati.
2878
2879         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
2880
2881         This changes several assertions to expect a TypeError to be thrown (in some cases,
2882         changing thee expected message).
2883
2884         * es6/Proxy_ownKeys_duplicates.js:
2885         (handler):
2886         (shouldThrow):
2887         (test):
2888         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
2889         (shouldThrow):
2890         * stress/proxy-own-keys.js:
2891         (i.catch):
2892         (assert):
2893
2894 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
2895
2896         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
2897         https://bugs.webkit.org/show_bug.cgi?id=196631
2898
2899         Reviewed by Saam Barati.
2900
2901         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
2902         (assert):
2903         (test):
2904         (foo):
2905
2906 2019-04-04  Saam Barati  <sbarati@apple.com>
2907
2908         Unreviewed. Make the test from r243906 catch the thrown exceptions.
2909
2910         * stress/inferred-types-regex-matches-array.js:
2911
2912 2019-04-04  Saam Barati  <sbarati@apple.com>
2913
2914         createRegExpMatchesArray does not respect inferred types
2915         https://bugs.webkit.org/show_bug.cgi?id=193287
2916
2917         Reviewed by Yusuke Suzuki.
2918
2919         This checks in the test case for 193287. This issue was discovered by
2920         Samuel GroƟ of Google Project Zero.
2921
2922         * stress/inferred-types-regex-matches-array.js: Added.
2923
2924 2019-04-04  Saam barati  <sbarati@apple.com>
2925
2926         Teach Call ICs how to call Wasm
2927         https://bugs.webkit.org/show_bug.cgi?id=196387
2928
2929         Reviewed by Filip Pizlo.
2930
2931         * wasm/function-tests/stack-trace.js:
2932
2933 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
2934
2935         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
2936         https://bugs.webkit.org/show_bug.cgi?id=194944
2937
2938         Reviewed by Keith Miller.
2939
2940         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
2941
2942 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
2943
2944         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
2945         https://bugs.webkit.org/show_bug.cgi?id=196409
2946
2947         Reviewed by Saam Barati.
2948
2949         * stress/bytecode-cache-cached-string-impl.js: Added.
2950         (f):
2951         (g):
2952         * stress/bytecode-cache-run-string.js: Added.
2953
2954 2019-04-03  Robin Morisset  <rmorisset@apple.com>
2955
2956         B3 should use associativity to optimize expression trees
2957         https://bugs.webkit.org/show_bug.cgi?id=194081
2958
2959         Reviewed by Filip Pizlo.
2960
2961         Added three microbenchmarks:
2962         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
2963         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
2964           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
2965         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
2966
2967         * microbenchmarks/add-tree.js: Added.
2968         * microbenchmarks/bit-or-tree.js: Added.
2969         * microbenchmarks/bit-xor-tree.js: Added.
2970
2971 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
2972
2973         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
2974         https://bugs.webkit.org/show_bug.cgi?id=196574
2975
2976         Reviewed by Saam Barati.
2977
2978         * stress/string-index-of-exception-check.js: Added.
2979         (blurType):
2980         (1.forEach):
2981
2982 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
2983
2984         Assertion failed in JSC::createError
2985         https://bugs.webkit.org/show_bug.cgi?id=196305
2986         <rdar://problem/49387382>
2987
2988         Reviewed by Saam Barati.
2989
2990         * stress/create-error-out-of-memory-rope-string-2.js: Added.
2991         (assert):
2992         (catch):
2993
2994 2019-03-28  Saam Barati  <sbarati@apple.com>
2995
2996         BackwardsGraph needs to consider back edges as the backward's root successor
2997         https://bugs.webkit.org/show_bug.cgi?id=195991
2998
2999         Reviewed by Filip Pizlo.
3000
3001         * stress/map-b3-licm-infinite-loop.js: Added.
3002
3003 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
3004
3005         CodeBlock::jettison() should disallow repatching its own calls
3006         https://bugs.webkit.org/show_bug.cgi?id=196359
3007         <rdar://problem/48973663>
3008
3009         Reviewed by Saam Barati.
3010
3011         * stress/call-link-info-osrexit-repatch.js: Added.
3012         (foo):
3013
3014 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
3015
3016         [JSC] imports-oom.js intermittently fails
3017         https://bugs.webkit.org/show_bug.cgi?id=196373
3018
3019         Reviewed by Saam Barati.
3020
3021         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
3022         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
3023         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
3024         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
3025         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
3026
3027         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
3028         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
3029
3030         * wasm/lowExecutableMemory/imports-oom.js:
3031
3032 2019-03-27  Saam Barati  <sbarati@apple.com>
3033
3034         validateOSREntryValue with Int52 should box the value being checked into double format
3035         https://bugs.webkit.org/show_bug.cgi?id=196313
3036         <rdar://problem/49306703>
3037
3038         Reviewed by Yusuke Suzuki.
3039
3040         * stress/validate-int-52-ai-state.js: Added.
3041
3042 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3043
3044         [JSC] Owner of watchpoints should validate at GC finalizing phase
3045         https://bugs.webkit.org/show_bug.cgi?id=195827
3046
3047         Reviewed by Filip Pizlo.
3048
3049         * stress/gc-should-reap-dead-watchpoints.js: Added.
3050         (foo):
3051         (A.prototype.y):
3052         (A):
3053
3054 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
3055
3056         Skip WebAssembly test on 32-bit systems
3057         https://bugs.webkit.org/show_bug.cgi?id=196206
3058
3059         Reviewed by Saam Barati.
3060
3061         Invoking runDefault executes test immediately even though
3062         that test should be skipped due to missing WASM support.
3063         Therefore remove runDefault.
3064
3065         * wasm/regress/web-assembly-link-error-exception-check.js:
3066
3067 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
3068
3069         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
3070         https://bugs.webkit.org/show_bug.cgi?id=196217
3071
3072         Reviewed by Saam Barati.
3073
3074         Re-enable all NaN tests for f32.min, f64.min and f64.max.
3075
3076         * wasm/spec-tests/f32.wast.js:
3077         * wasm/spec-tests/f64.wast.js:
3078         * wasm/wasm.json:
3079
3080 2019-03-25  Keith Miller  <keith_miller@apple.com>
3081
3082         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
3083         https://bugs.webkit.org/show_bug.cgi?id=196176
3084
3085         Reviewed by Saam Barati.
3086
3087         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
3088         (main.v10):
3089         (main):
3090
3091 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
3092
3093         WebAssembly: f32.max with NaN generates incorrect result
3094         https://bugs.webkit.org/show_bug.cgi?id=175691
3095         <rdar://problem/33952228>
3096
3097         Reviewed by Saam Barati.
3098
3099         Enable all f32.max NaN tests
3100
3101         * wasm/spec-tests/f32.wast.js:
3102         * wasm/wasm.json:
3103
3104 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
3105
3106         [JSC] Move test into directory for WASM tests
3107         https://bugs.webkit.org/show_bug.cgi?id=196187
3108
3109         Reviewed by Mark Lam.
3110
3111         Move Test into wasm-directory. Otherwise this test
3112         is also executed on systems without WASM support.
3113
3114         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
3115
3116 2019-03-23  Mark Lam  <mark.lam@apple.com>
3117
3118         Rolling out r243032 and r243071 because the fix is incorrect.
3119         https://bugs.webkit.org/show_bug.cgi?id=195892
3120         <rdar://problem/48981239>
3121
3122         Not reviewed.
3123
3124         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
3125
3126 2019-03-22  Mark Lam  <mark.lam@apple.com>
3127
3128         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
3129         https://bugs.webkit.org/show_bug.cgi?id=196154
3130         <rdar://problem/49145307>
3131
3132         Reviewed by Filip Pizlo.
3133
3134         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
3135         There's no need to run this test on more than 1 test configuration.
3136
3137         * stress/typed-array-lastIndexOf-exception-check.js: Added.
3138         * stress/web-assembly-link-error-exception-check.js:
3139
3140 2019-03-22  Mark Lam  <mark.lam@apple.com>
3141
3142         Placate exception check validation in constructJSWebAssemblyLinkError().
3143         https://bugs.webkit.org/show_bug.cgi?id=196152
3144         <rdar://problem/49145257>
3145
3146         Reviewed by Michael Saboff.
3147
3148         * stress/web-assembly-link-error-exception-check.js: Added.
3149
3150 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3151
3152         Skip tests running out of memory on ARM/MIPS
3153         https://bugs.webkit.org/show_bug.cgi?id=196131
3154
3155         Unreviewed. Skip test if memory is limited.
3156
3157         * microbenchmarks/put-by-val-direct-large-index.js:
3158
3159 2019-03-21  Mark Lam  <mark.lam@apple.com>
3160
3161         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
3162         https://bugs.webkit.org/show_bug.cgi?id=196116
3163         <rdar://problem/48976951>
3164
3165         Reviewed by Filip Pizlo.
3166
3167         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
3168
3169 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3170
3171         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3172         https://bugs.webkit.org/show_bug.cgi?id=196078
3173         <rdar://problem/35925380>
3174
3175         Reviewed by Mark Lam.
3176
3177         Add a new benchmark that allocates several objects and invokes put_by_val_direct
3178         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
3179
3180         * microbenchmarks/put-by-val-direct-large-index.js: Added.
3181
3182 2019-03-21  Mark Lam  <mark.lam@apple.com>
3183
3184         Placate exception check validation in operationArrayIndexOfString().
3185         https://bugs.webkit.org/show_bug.cgi?id=196067
3186         <rdar://problem/49056572>
3187
3188         Reviewed by Michael Saboff.
3189
3190         * stress/string-equal-exception-check.js: Added.
3191
3192 2019-03-21  Mark Lam  <mark.lam@apple.com>
3193
3194         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3195         https://bugs.webkit.org/show_bug.cgi?id=196055
3196         <rdar://problem/49067448>
3197
3198         Reviewed by Yusuke Suzuki.
3199
3200         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
3201
3202 2019-03-20  Saam Barati  <sbarati@apple.com>
3203
3204         typeOfDoubleSum is wrong for when NaN can be produced
3205         https://bugs.webkit.org/show_bug.cgi?id=196030
3206
3207         Reviewed by Filip Pizlo.
3208
3209         * stress/double-add-sub-mul-can-produce-nan.js: Added.
3210         (assert):
3211         (noInline.sub):
3212         (noInline):
3213         (assert.mul):
3214         (assert.add):
3215
3216 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3217
3218         Update the test to ensure OutOfMemoryError is thrown as intended
3219         https://bugs.webkit.org/show_bug.cgi?id=196032
3220         <rdar://problem/46842740>
3221
3222         Rubber stamped by Saam Barati.
3223
3224         * stress/create-error-out-of-memory-rope-string.js:
3225         (assert):
3226         (catch):
3227
3228 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3229
3230         JSC::createError needs to check for OOM in errorDescriptionForValue
3231         https://bugs.webkit.org/show_bug.cgi?id=196032
3232         <rdar://problem/46842740>
3233
3234         Reviewed by Mark Lam.
3235
3236         * stress/create-error-out-of-memory-rope-string.js: Added.
3237
3238 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
3239
3240         Unreviewed, reduce # of iterations to avoid timing out after r242991
3241         https://bugs.webkit.org/show_bug.cgi?id=195791
3242
3243         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
3244
3245         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3246
3247 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3248
3249         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
3250         https://bugs.webkit.org/show_bug.cgi?id=195950
3251
3252         Unreviewed, reducing the amount of memory used on this test to avoid
3253         OOM on devices with memory restrictions.
3254
3255         * microbenchmarks/generate-multiple-llint-entrypoints.js:
3256
3257 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
3258
3259         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
3260         https://bugs.webkit.org/show_bug.cgi?id=194648
3261
3262         Reviewed by Keith Miller.
3263
3264         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
3265
3266 2019-03-18  Mark Lam  <mark.lam@apple.com>
3267
3268         Missing a ThrowScope release in JSObject::toString().
3269         https://bugs.webkit.org/show_bug.cgi?id=195893
3270         <rdar://problem/48970986>
3271
3272         Reviewed by Michael Saboff.
3273
3274         * stress/to-string-exception-check-release.js: Added.
3275
3276 2019-03-18  Mark Lam  <mark.lam@apple.com>
3277
3278         Structure::flattenDictionary() should clear unused property slots.
3279         https://bugs.webkit.org/show_bug.cgi?id=195871
3280         <rdar://problem/48959497>
3281
3282         Reviewed by Michael Saboff.
3283
3284         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
3285
3286 2019-03-15  Mark Lam  <mark.lam@apple.com>
3287
3288         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
3289         https://bugs.webkit.org/show_bug.cgi?id=195827
3290         <rdar://problem/48845513>
3291
3292         Reviewed by Filip Pizlo.
3293
3294         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
3295
3296 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
3297
3298         [ARM,MIPS] Skip slow tests
3299         https://bugs.webkit.org/show_bug.cgi?id=195799
3300
3301         Unreviewed, test does not finish on ARM and MIPS within the
3302         timeout limit.
3303
3304         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
3305
3306 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
3307
3308         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
3309         https://bugs.webkit.org/show_bug.cgi?id=195791
3310         <rdar://problem/48806130>
3311
3312         Reviewed by Mark Lam.
3313
3314         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
3315         (foo):
3316
3317 2019-03-14  Saam barati  <sbarati@apple.com>
3318
3319         We can't remove code after ForceOSRExit until after FixupPhase
3320         https://bugs.webkit.org/show_bug.cgi?id=186916
3321         <rdar://problem/41396612>
3322
3323         Reviewed by Yusuke Suzuki.
3324
3325         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
3326         (foo):
3327         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
3328         (foo):
3329
3330 2019-03-13  Michael Saboff  <msaboff@apple.com>
3331
3332         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
3333         https://bugs.webkit.org/show_bug.cgi?id=195735
3334
3335         Reviewed by Mark Lam.
3336
3337         New regression test.
3338
3339         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
3340         (foo):
3341         (bar):
3342
3343 2019-03-14  Saam barati  <sbarati@apple.com>
3344
3345         Fixup uses KnownInt32 incorrectly in some nodes
3346         https://bugs.webkit.org/show_bug.cgi?id=195279
3347         <rdar://problem/47915654>
3348
3349         Reviewed by Yusuke Suzuki.
3350
3351         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
3352         (foo):
3353
3354 2019-03-14  Keith Miller  <keith_miller@apple.com>
3355
3356         DFG liveness can't skip tail caller inline frames
3357         https://bugs.webkit.org/show_bug.cgi?id=195715
3358
3359         Reviewed by Saam Barati.
3360
3361         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
3362         (i.foo):
3363
3364 2019-03-13  Mark Lam  <mark.lam@apple.com>
3365
3366         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
3367         https://bugs.webkit.org/show_bug.cgi?id=195415
3368
3369         Not reviewed.
3370
3371         Changed these tests to only run the default configuration.
3372         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
3373         There's no strong need to run this test on that variant.
3374
3375         * stress/dfg-to-string-on-int-does-gc.js:
3376         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
3377
3378 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
3379
3380         String overflow when using StringBuilder in JSC::createError
3381         https://bugs.webkit.org/show_bug.cgi?id=194957
3382
3383         Reviewed by Mark Lam.
3384
3385         Add test string-overflow-createError-bulder.js that overflows
3386         StringBuilder in notAFunctionSourceAppender. The second new test
3387         string-overflow-createError-fit.js has an error message that doesn't
3388         overflow, it still failed since the String's capacity can't be doubled.
3389         Run test string-overflow-createError.js only in the default
3390         configuration to reduce memory consumption when running the test
3391         in all configurations on multiple CPUs in parallel.
3392
3393         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
3394         (catch):
3395         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
3396         (catch):
3397         * stress/string-overflow-createError.js:
3398
3399 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
3400
3401         [JSC] OSR entry should respect abstract values in addition to flush formats
3402         https://bugs.webkit.org/show_bug.cgi?id=195653
3403
3404         Reviewed by Mark Lam.
3405
3406         * stress/osr-entry-locals-none.js: Added.
3407
3408 2019-03-12  Michael Saboff  <msaboff@apple.com>
3409
3410         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
3411         https://bugs.webkit.org/show_bug.cgi?id=195613
3412
3413         Reviewed by Mark Lam.
3414
3415         New regression test.
3416
3417         * stress/regexp-backref-inbounds.js: Added.
3418         (testRegExp):
3419
3420 2019-03-12  Mark Lam  <mark.lam@apple.com>
3421
3422         The HasIndexedProperty node does GC.
3423         https://bugs.webkit.org/show_bug.cgi?id=195559
3424         <rdar://problem/48767923>
3425
3426         Reviewed by Yusuke Suzuki.
3427
3428         * stress/HasIndexedProperty-does-gc.js: Added.
3429
3430 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
3431
3432         [ESNext][BigInt] Implement "~" unary operation
3433         https://bugs.webkit.org/show_bug.cgi?id=182216
3434
3435         Reviewed by Keith Miller.
3436
3437         * stress/big-int-bit-not-general.js: Added.
3438         * stress/big-int-bitwise-not-jit.js: Added.
3439         * stress/big-int-bitwise-not-wrapped-value.js: Added.
3440         * stress/bit-op-with-object-returning-int32.js:
3441         * stress/bitwise-not-fixup-rules.js: Added.
3442         * stress/value-bit-not-ai-rule.js: Added.
3443
3444 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
3445
3446         Invalid flags in a RegExp literal should be an early SyntaxError
3447         https://bugs.webkit.org/show_bug.cgi?id=195514
3448
3449         Reviewed by Darin Adler.
3450
3451         * test262/expectations.yaml:
3452         Mark 4 test cases as passing.
3453
3454         * stress/regexp-syntax-error-invalid-flags.js:
3455         * stress/regress-161995.js: Removed.
3456         Update existing test, merging in an older test for the same behavior.
3457
3458 2019-03-08  Mark Lam  <mark.lam@apple.com>
3459
3460         Stack overflow crash in JSC::JSObject::hasInstance.
3461         https://bugs.webkit.org/show_bug.cgi?id=195458
3462         <rdar://problem/48710195>
3463
3464         Reviewed by Yusuke Suzuki.
3465
3466         * stress/stack-overflow-in-custom-hasInstance.js: Added.
3467
3468 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
3469
3470         op_check_tdz does not def its argument
3471         https://bugs.webkit.org/show_bug.cgi?id=192880
3472         <rdar://problem/46221598>
3473
3474         Reviewed by Saam Barati.
3475
3476         * microbenchmarks/let-for-in.js: Added.
3477         (foo):
3478
3479 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
3480
3481         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
3482         https://bugs.webkit.org/show_bug.cgi?id=195429
3483
3484         Reviewed by Saam Barati.
3485
3486         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
3487         (foo):
3488         * stress/string-from-char-code-255.js: Added.
3489
3490 2019-03-06  Mark Lam  <mark.lam@apple.com>
3491
3492         Fix incorrect handling of try-finally completion values.
3493         https://bugs.webkit.org/show_bug.cgi?id=195131
3494         <rdar://problem/46222079>
3495
3496         Reviewed by Saam Barati and Yusuke Suzuki.
3497
3498         Added many permutations of new test case to test-finally.js.  test-finally.js has
3499         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
3500         tests passes there as well.
3501
3502         * stress/test-finally.js:
3503
3504 2019-03-06  Saam Barati  <sbarati@apple.com>
3505
3506         Air::reportUsedRegisters must padInterference
3507         https://bugs.webkit.org/show_bug.cgi?id=195303
3508         <rdar://problem/48270343>
3509
3510         Reviewed by Keith Miller.
3511
3512         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
3513
3514 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
3515
3516         [JSC] AI should not propagate AbstractValue relying on constant folding phase
3517         https://bugs.webkit.org/show_bug.cgi?id=195375
3518
3519         Reviewed by Saam Barati.
3520
3521         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
3522         (let.array):
3523
3524 2019-03-05  Saam barati  <sbarati@apple.com>
3525
3526         op_switch_char broken for rope strings after JSRopeString layout rewrite
3527         https://bugs.webkit.org/show_bug.cgi?id=195339
3528         <rdar://problem/48592545>
3529
3530         Reviewed by Yusuke Suzuki.
3531
3532         * stress/switch-on-char-llint-rope.js: Added.
3533
3534 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
3535
3536         [JSC] Store bits for JSRopeString in 3 stores
3537         https://bugs.webkit.org/show_bug.cgi?id=195234
3538
3539         Reviewed by Saam Barati.
3540
3541         * stress/null-rope-and-collectors.js: Added.
3542
3543 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
3544
3545         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
3546         https://bugs.webkit.org/show_bug.cgi?id=195207
3547
3548         Unreviewed. After test runtime was reduced in r242213, test can be
3549         run again on ARM/MIPS.
3550
3551         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3552
3553 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
3554
3555         [JSC] sizeof(JSString) should be 16
3556         https://bugs.webkit.org/show_bug.cgi?id=194375
3557
3558         Reviewed by Saam Barati.
3559
3560         * microbenchmarks/make-rope.js: Added.
3561         (makeRope):
3562         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
3563         (returnRope.helper): Deleted.
3564         (returnRope): Deleted.
3565
3566 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
3567
3568         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
3569         https://bugs.webkit.org/show_bug.cgi?id=195144
3570
3571         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
3572         Change the number from 1e8 to 1e5.
3573
3574         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3575         (foo):
3576
3577 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
3578
3579         Test times out on ARM/MIPS
3580         https://bugs.webkit.org/show_bug.cgi?id=195168
3581
3582         Unreviewed. Skip test on ARM/MIPS.
3583
3584         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
3585
3586 2019-02-27  Mark Lam  <mark.lam@apple.com>
3587
3588         The parser is failing to record the token location of new in new.target.
3589         https://bugs.webkit.org/show_bug.cgi?id=195127
3590         <rdar://problem/39645578>
3591
3592         Reviewed by Yusuke Suzuki.
3593
3594         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
3595
3596 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
3597
3598         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
3599         https://bugs.webkit.org/show_bug.cgi?id=195144
3600         <rdar://problem/47595961>
3601
3602         Reviewed by Mark Lam.
3603
3604         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
3605         (bar):
3606         (foo):
3607         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
3608         (bar):
3609         (foo):
3610
3611 2019-02-27  Robin Morisset  <rmorisset@apple.com>
3612
3613         DFG: Loop-invariant code motion (LICM) should not hoist dead code
3614         https://bugs.webkit.org/show_bug.cgi?id=194945
3615         <rdar://problem/48311657>
3616
3617         Reviewed by Mark Lam.
3618
3619         * stress/licm-dead-code.js: Added.
3620
3621 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
3622
3623         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
3624         https://bugs.webkit.org/show_bug.cgi?id=194677
3625         <rdar://problem/48112492>
3626
3627         Reviewed by Mark Lam.
3628
3629         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
3630         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
3631         it immediately fails due the large size.
3632
3633         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
3634         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
3635         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
3636         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
3637
3638         This patch changes the test to produce 16bit string from String.fromCharCode.
3639
3640         * stress/regress-178386.js:
3641
3642 2019-02-26  Mark Lam  <mark.lam@apple.com>
3643
3644         wasmToJS() should purify incoming NaNs.
3645         https://bugs.webkit.org/show_bug.cgi?id=194807
3646         <rdar://problem/48189132>
3647
3648         Reviewed by Saam Barati.
3649
3650         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
3651
3652 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
3653
3654         [JSC] Repeat string created from Array.prototype.join() take too much memory
3655         https://bugs.webkit.org/show_bug.cgi?id=193912
3656
3657         Reviewed by Saam Barati.
3658
3659         Added a test and a microbenchmark for corner cases of
3660         Array.prototype.join() with an uninitialized array.
3661
3662         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
3663         * stress/array-prototype-join-uninitialized.js: Added.
3664         (testArray):
3665         (testABC):
3666         (B):
3667         (C):
3668
3669 2019-02-22  Robin Morisset  <rmorisset@apple.com>
3670
3671         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
3672         https://bugs.webkit.org/show_bug.cgi?id=194953
3673         <rdar://problem/47595253>
3674
3675         Reviewed by Saam Barati.
3676
3677         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
3678
3679         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
3680
3681 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3682
3683         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3684         https://bugs.webkit.org/show_bug.cgi?id=172848
3685         <rdar://problem/25709212>
3686
3687         Reviewed by Mark Lam.
3688
3689         * typeProfiler/inheritance.js:
3690         Rewrite the test slightly for clarity. The hoisting was confusing.
3691
3692         * heapProfiler/class-names.js: Added.
3693         (MyES5Class):
3694         (MyES6Class):
3695         (MyES6Subclass):
3696         Test object types and improved class names.
3697
3698         * heapProfiler/driver/driver.js:
3699         (CheapHeapSnapshotNode):
3700         (CheapHeapSnapshot):
3701         (createCheapHeapSnapshot):
3702         (HeapSnapshot):
3703         (createHeapSnapshot):
3704         Update snapshot parsing from version 1 to version 2.
3705
3706 2019-02-19  Truitt Savell  <tsavell@apple.com>
3707
3708         Unreviewed, rolling out r241784.
3709
3710         Broke all OpenSource builds.
3711
3712         Reverted changeset:
3713
3714         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
3715         instances view"
3716         https://bugs.webkit.org/show_bug.cgi?id=172848
3717         https://trac.webkit.org/changeset/241784
3718
3719 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3720
3721         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3722         https://bugs.webkit.org/show_bug.cgi?id=172848
3723         <rdar://problem/25709212>
3724
3725         Reviewed by Mark Lam.
3726
3727         * typeProfiler/inheritance.js:
3728         Rewrite the test slightly for clarity. The hoisting was confusing.
3729
3730         * heapProfiler/class-names.js: Added.
3731         (MyES5Class):
3732         (MyES6Class):
3733         (MyES6Subclass):
3734         Test object types and improved class names.
3735
3736         * heapProfiler/driver/driver.js:
3737         (CheapHeapSnapshotNode):
3738         (CheapHeapSnapshot):
3739         (createCheapHeapSnapshot):
3740         (HeapSnapshot):
3741         (createHeapSnapshot):
3742         Update snapshot parsing from version 1 to version 2.
3743
3744 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
3745
3746         [ARM] Fix crash with sampling profiler
3747         https://bugs.webkit.org/show_bug.cgi?id=194772
3748
3749         Reviewed by Mark Lam.
3750
3751         Do not skip test since crash with sampling profiler is now fixed.
3752
3753         * stress/sampling-profiler-richards.js:
3754
3755 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
3756
3757         [JSC] Add LazyClassStructure::getInitializedOnMainThread
3758         https://bugs.webkit.org/show_bug.cgi?id=194784
3759         <rdar://problem/48154820>
3760
3761         Reviewed by Mark Lam.
3762
3763         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
3764         (getProperties):
3765         (getRandomProperty):
3766         (i.catch):
3767
3768 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
3769
3770         [ARM] Test gardening: Test running out of executable memory
3771         https://bugs.webkit.org/show_bug.cgi?id=194771
3772
3773         Unreviewed. Do not run test without LLInt, test is running out of executable
3774         memory on ARM otherwise.
3775
3776         * stress/tagged-template-object-collect.js:
3777
3778 2019-02-18  Tomas Popela  <tpopela@redhat.com>
3779
3780         Unreviewed, skip the test on platforms without sampling profiler
3781
3782         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
3783         (platformSupportsSamplingProfiler.foo):
3784         (platformSupportsSamplingProfiler.test):
3785         (platformSupportsSamplingProfiler):
3786         (foo): Deleted.
3787         (test): Deleted.
3788
3789 2019-02-17  Saam Barati  <sbarati@apple.com>
3790
3791         Deadlock when adding a Structure property transition and then doing incremental marking
3792         https://bugs.webkit.org/show_bug.cgi?id=194767
3793
3794         Reviewed by Mark Lam.
3795
3796         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
3797
3798 2019-02-15  Michael Saboff  <msaboff@apple.com>
3799
3800         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
3801         https://bugs.webkit.org/show_bug.cgi?id=194558
3802
3803         Reviewed by Saam Barati.
3804
3805         New regression test.
3806
3807         * stress/regexp-unicode-within-string.js: Added.
3808
3809 2019-02-15  Mark Lam  <mark.lam@apple.com>
3810
3811         SamplingProfiler::stackTracesAsJSON() should escape strings.
3812         https://bugs.webkit.org/show_bug.cgi?id=194649
3813         <rdar://problem/48072386>
3814
3815         Reviewed by Saam Barati.
3816
3817         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
3818         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
3819         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
3820         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
3821
3822 2019-02-15  Robin Morisset  <rmorisset@apple.com>
3823         CodeBlock::jettison should clear related watchpoints
3824         https://bugs.webkit.org/show_bug.cgi?id=194544
3825
3826         Reviewed by Mark Lam.
3827
3828         * stress/regexp-replace-double-watchpoint.js: Added.
3829         (foo):
3830
3831 2019-02-15  Saam barati  <sbarati@apple.com>
3832
3833         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
3834         https://bugs.webkit.org/show_bug.cgi?id=194036
3835
3836         Reviewed by Yusuke Suzuki.
3837
3838         * stress/tail-call-many-arguments.js: Added.
3839         (foo):
3840         (bar):
3841
3842 2019-02-14  Saam Barati  <sbarati@apple.com>
3843
3844         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
3845         https://bugs.webkit.org/show_bug.cgi?id=194583
3846         <rdar://problem/48028140>
3847
3848         Reviewed by Yusuke Suzuki.
3849
3850         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
3851
3852 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
3853
3854         [JSC] String.fromCharCode's slow path always generates 16bit string
3855         https://bugs.webkit.org/show_bug.cgi?id=194466
3856
3857         Reviewed by Keith Miller.
3858
3859         * stress/string-from-char-code-slow-path.js: Added.
3860         (shouldBe):
3861         (testWithLength):
3862
3863 2019-02-08  Saam barati  <sbarati@apple.com>
3864
3865         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
3866         https://bugs.webkit.org/show_bug.cgi?id=194334
3867         <rdar://problem/47844327>
3868
3869         Reviewed by Mark Lam.
3870
3871         * stress/check-in-bounds-should-be-a-child-use.js: Added.
3872         (func):
3873
3874 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
3875
3876         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
3877         https://bugs.webkit.org/show_bug.cgi?id=194369
3878         <rdar://problem/47813087>
3879
3880         Reviewed by Saam Barati.
3881
3882         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
3883         (A):
3884
3885 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
3886
3887         [JSC] PrivateName to PublicName hash table is wasteful
3888         https://bugs.webkit.org/show_bug.cgi?id=194277
3889
3890         Reviewed by Michael Saboff.
3891
3892         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
3893
3894         * ChakraCore.yaml:
3895
3896 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
3897
3898         [ARM] Test running out of executable memory
3899         https://bugs.webkit.org/show_bug.cgi?id=194285
3900
3901         Unreviewed. Do no execute test with LLInt disabled, test runs out of
3902         executable memory otherwise.
3903
3904         * stress/class-subclassing-function.js:
3905
3906 2019-02-04  Robin Morisset  <rmorisset@apple.com>
3907
3908         when lowering AssertNotEmpty, create the value before creating the patchpoint
3909         https://bugs.webkit.org/show_bug.cgi?id=194231
3910
3911         Reviewed by Saam Barati.
3912
3913         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
3914         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
3915         So even tiny changes to this test can change the path code taken.
3916
3917         * stress/assert-not-empty.js: Added.
3918         (foo):
3919
3920 2019-02-01  Mark Lam  <mark.lam@apple.com>
3921
3922         Remove invalid assertion in DFG's compileDoubleRep().
3923         https://bugs.webkit.org/show_bug.cgi?id=194130
3924         <rdar://problem/47699474>
3925
3926         Reviewed by Saam Barati.
3927
3928         * stress/constant-fold-double-rep-into-double-constant.js: Added.
3929
3930 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
3931
3932         Import latest Test262 updates.
3933
3934         Rubber-stamped by Keith Miller.
3935
3936         * test262.yaml: Deleted.
3937         * test262/config.yaml:
3938         * test262/expectations.yaml:
3939         * test262/latest-changes-summary.txt:
3940         * test262/test/:
3941         * test262/test262-Revision.txt:
3942
3943 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3944
3945         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3946         https://bugs.webkit.org/show_bug.cgi?id=194050
3947         <rdar://problem/47595592>
3948
3949         Reviewed by Yusuke Suzuki.
3950
3951         * stress/object-keys-osr-exit.js: Added.
3952         (foo):
3953         (catch):
3954
3955 2019-01-29  Mark Lam  <mark.lam@apple.com>
3956
3957         ValueRecovery::recover() should purify NaN values it recovers.
3958         https://bugs.webkit.org/show_bug.cgi?id=193978
3959         <rdar://problem/47625488>
3960
3961         Reviewed by Saam Barati.
3962
3963         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
3964
3965 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3966
3967         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
3968         https://bugs.webkit.org/show_bug.cgi?id=193713
3969
3970         * stress/try-get-by-id-should-spill-registers-dfg.js:
3971         (let.f.createBuiltin):
3972
3973 2019-01-28  Mark Lam  <mark.lam@apple.com>
3974
3975         ToString node actually does GC.
3976         https://bugs.webkit.org/show_bug.cgi?id=193920
3977         <rdar://problem/46695900>
3978
3979         Reviewed by Yusuke Suzuki.
3980
3981         * stress/dfg-to-string-on-int-does-gc.js: Added.
3982         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
3983         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
3984
3985 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3986
3987         [JSC] NativeErrorConstructor should not have own IsoSubspace
3988         https://bugs.webkit.org/show_bug.cgi?id=193713
3989
3990         Reviewed by Saam Barati.
3991
3992         Remove @Error use.
3993
3994         * stress/try-get-by-id-should-spill-registers-dfg.js:
3995         (let.f.createBuiltin):
3996
3997 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3998
3999         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
4000         https://bugs.webkit.org/show_bug.cgi?id=190693
4001
4002         Reviewed by Michael Saboff.
4003
4004         * stress/regress-190693.js: Added.
4005         (truth):
4006         (assert):
4007         (shouldThrowInvalidConstAssignment):
4008         (taz):
4009
4010 2019-01-24  Saam Barati  <sbarati@apple.com>
4011
4012         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
4013         https://bugs.webkit.org/show_bug.cgi?id=193751
4014         <rdar://problem/47280215>
4015
4016         Reviewed by Michael Saboff.
4017
4018         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
4019         (let.thing):
4020         (foo.let.hello):
4021         (foo):
4022
4023 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
4024
4025         [JSC] Reenable baseline JIT on mips
4026         https://bugs.webkit.org/show_bug.cgi?id=192983
4027
4028         Reviewed by Mark Lam.
4029
4030         Added a new test for a case that was triggering a RELEASE_ASSERT when
4031         testing.
4032         Disable some slow tests that were already disabled for arm and x86.
4033
4034         * stress/json-parse-big-object.js: Added.
4035         * stress/new-largeish-contiguous-array-with-size.js:
4036         * stress/op_add.js:
4037         * stress/op_bitand.js:
4038         * stress/op_bitor.js:
4039         * stress/op_bitxor.js:
4040         * stress/op_lshift-ConstVar.js:
4041         * stress/op_lshift-VarConst.js:
4042         * stress/op_lshift-VarVar.js:
4043         * stress/op_mod-ConstVar.js:
4044         * stress/op_mod-VarConst.js:
4045         * stress/op_mod-VarVar.js:
4046         * stress/op_mul-ConstVar.js:
4047         * stress/op_mul-VarConst.js:
4048         * stress/op_mul-VarVar.js:
4049         * stress/op_rshift-ConstVar.js:
4050         * stress/op_rshift-VarConst.js:
4051         * stress/op_rshift-VarVar.js:
4052         * stress/op_sub-ConstVar.js:
4053         * stress/op_sub-VarConst.js:
4054         * stress/op_sub-VarVar.js:
4055         * stress/op_urshift-ConstVar.js:
4056         * stress/op_urshift-VarConst.js:
4057         * stress/op_urshift-VarVar.js:
4058         * stress/sampling-profiler-richards.js:
4059         * stress/spread-forward-call-varargs-stack-overflow.js:
4060
4061 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
4062
4063         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
4064         https://bugs.webkit.org/show_bug.cgi?id=193711
4065         <rdar://problem/47250262>
4066
4067         Reviewed by Saam Barati.
4068
4069         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
4070         (shouldBe):
4071         (foo):
4072         (bar):
4073         (baz):
4074
4075 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
4076
4077         Unreviewed, fix initial global lexical binding epoch
4078         https://bugs.webkit.org/show_bug.cgi?id=193603
4079         <rdar://problem/47380869>
4080
4081         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
4082         (f1.f2.f3.f4):
4083         (f1.f2.f3):
4084         (f1.f2):
4085         (f1):
4086
4087 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
4088
4089         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
4090         https://bugs.webkit.org/show_bug.cgi?id=193709
4091         <rdar://problem/47363838>
4092
4093         Unreviewed, rollout to watch the tests.
4094
4095         * stress/object-tostring-changed-proto.js: Removed.
4096         * stress/object-tostring-changed.js: Removed.
4097         * stress/object-tostring-misc.js: Removed.
4098         * stress/object-tostring-other.js: Removed.
4099         * stress/object-tostring-untyped.js: Removed.
4100
4101 2019-01-22  Saam Barati  <sbarati@apple.com>
4102
4103         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
4104
4105         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
4106         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
4107         (testUncheckedLessThanZero):
4108         (testUncheckedLessThanOrEqualZero):
4109         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
4110         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
4111
4112 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
4113
4114         [JSC] Invalidate old scope operations using global lexical binding epoch
4115         https://bugs.webkit.org/show_bug.cgi?id=193603
4116         <rdar://problem/47380869>
4117
4118         Reviewed by Saam Barati.
4119
4120         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
4121         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
4122         (shouldThrow):
4123         (bar):
4124         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
4125         (shouldBe):
4126         (get1):
4127         (get2):
4128         (get1If):
4129         (get2If):
4130         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
4131         (shouldThrow):
4132         (foo):
4133
4134 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
4135
4136         Unreviewed, roll out r240220 due to date-format-xparb regression
4137         https://bugs.webkit.org/show_bug.cgi?id=193603
4138
4139         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
4140         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
4141         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
4142         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
4143
4144 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
4145
4146         DoesGC rule is wrong for nodes with BigIntUse
4147         https://bugs.webkit.org/show_bug.cgi?id=193652
4148
4149         Reviewed by Saam Barati.
4150
4151         * stress/big-int-value-op-update-gc-rules.js: Added.
4152         (assert):
4153         (doesGCAdd):
4154         (doesGCSub):
4155         (doesGCDiv):
4156         (doesGCMul):
4157         (doesGCBitAnd):
4158         (doesGCBitOr):
4159         (doesGCBitXor):
4160
4161 2019-01-20  Saam Barati  <sbarati@apple.com>
4162
4163         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
4164         https://bugs.webkit.org/show_bug.cgi?id=193644
4165         <rdar://problem/46209745>
4166
4167         Reviewed by Yusuke Suzuki.
4168
4169         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
4170         (foo):
4171         * stress/data-view-set-intrinsic-undefined-result.js: Added.
4172         (foo):
4173         (bar):
4174
4175 2019-01-20  Saam Barati  <sbarati@apple.com>
4176
4177         MovHint must merge NodeBytecodeUsesAsValue for its child
4178         https://bugs.webkit.org/show_bug.cgi?id=186916
4179         <rdar://problem/41396612>
4180
4181         Reviewed by Yusuke Suzuki.
4182
4183         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
4184         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
4185
4186 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
4187
4188         [JSC] Invalidate old scope operations using global lexical binding epoch
4189         https://bugs.webkit.org/show_bug.cgi?id=193603
4190         <rdar://problem/47380869>
4191
4192         Reviewed by Saam Barati.
4193
4194         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
4195         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
4196         (shouldThrow):
4197         (bar):
4198         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
4199         (shouldBe):
4200         (get1):
4201         (get2):
4202         (get1If):
4203         (get2If):
4204         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
4205         (shouldThrow):
4206         (foo):
4207
4208 2019-01-17  Saam barati  <sbarati@apple.com>
4209
4210         StringObjectUse should not be a structure check for the original string object structure
4211         https://bugs.webkit.org/show_bug.cgi?id=193483
4212         <rdar://problem/47280522>
4213
4214         Reviewed by Yusuke Suzuki.
4215
4216         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
4217         (foo):
4218         (a.valueOf.0):
4219
4220 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4221
4222         [JSC] ToThis omission in DFGByteCodeParser is wrong
4223         https://bugs.webkit.org/show_bug.cgi?id=193513
4224         <rdar://problem/45842236>
4225
4226         Reviewed by Saam Barati.
4227
4228         * stress/to-this-omission-with-different-strict-modes.js: Added.
4229         (thisA):
4230         (thisAStrictWrapper):
4231
4232 2019-01-15  Mark Lam  <mark.lam@apple.com>
4233
4234         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
4235         https://bugs.webkit.org/show_bug.cgi?id=193423
4236         <rdar://problem/46209355>
4237
4238         Reviewed by Saam Barati.
4239
4240         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
4241         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
4242         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
4243         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
4244
4245 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4246
4247         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
4248         https://bugs.webkit.org/show_bug.cgi?id=193438
4249         <rdar://problem/45581249>
4250
4251         Reviewed by Saam Barati and Keith Miller.
4252
4253         Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
4254         Then, GetByVal(String) crashed.
4255
4256         * stress/string-get-by-val-lowering.js: Added.
4257         (shouldBe):
4258         (test):
4259         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
4260         (Hello):
4261         (foo):
4262
4263 2019-01-15  Tomas Popela  <tpopela@redhat.com>
4264
4265         Unreviewed, skip JIT tests if it's not enabled
4266
4267         * stress/bit-op-with-object-returning-int32.js:
4268
4269 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
4270
4271         DFGByteCodeParser rules for bitwise operations should consider type of their operands
4272         https://bugs.webkit.org/show_bug.cgi?id=192966
4273
4274         Reviewed by Yusuke Suzuki.
4275
4276         * stress/bit-op-with-object-returning-int32.js: Added.
4277
4278 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
4279
4280         Skip a slow test and a flakey test on arm
4281
4282         Unreviewed gardening.
4283
4284         * typeProfiler/getter-richards.js:
4285         this test always times out, it used to be always skipped on arm and
4286         mips, but got accidentally enabled by r237919 now that we have DFG on
4287         arm. Also skipping on mips as we plan to soon enable DFG for it too.
4288
4289 2019-01-14  Keith Miller  <keith_miller@apple.com>
4290
4291         Skip type-check-hoisting-phase-hoist... with no jit
4292         https://bugs.webkit.org/show_bug.cgi?id=193421
4293
4294         Reviewed by Mark Lam.
4295
4296         It's timing out the 32-bit bots and takes 330 seconds
4297         on my machine when run by itself.
4298
4299         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
4300
4301 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4302
4303         [JSC] AI should check the given constant's array type when folding GetByVal into constant
4304         https://bugs.webkit.org/show_bug.cgi?id=193413
4305         <rdar://problem/46092389>
4306
4307         Reviewed by Keith Miller.
4308
4309         This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
4310         It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
4311         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
4312         but GetByVal does not have appropriate ArrayModes, JSC crashes.
4313
4314         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
4315         (compareArray):
4316
4317 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
4318
4319         [BigInt] Literal parsing is crashing when used inside a Object Literal
4320         https://bugs.webkit.org/show_bug.cgi?id=193404
4321
4322         Reviewed by Yusuke Suzuki.
4323
4324         * stress/big-int-literal-inside-literal-object.js: Added.
4325
4326 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4327
4328         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
4329         https://bugs.webkit.org/show_bug.cgi?id=193372
4330
4331         Reviewed by Saam Barati.
4332
4333         * stress/typed-array-array-modes-profile.js: Added.
4334         (foo):
4335
4336 2019-01-14  Mark Lam  <mark.lam@apple.com>
4337
4338         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
4339         https://bugs.webkit.org/show_bug.cgi?id=193402
4340         <rdar://problem/46012309>
4341
4342         Reviewed by Keith Miller.
4343
4344         * stress/regexp-compile-oom.js:
4345         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
4346           is enabled.  As a result, it will fail on cloop builds though there is no bug.
4347
4348 2019-01-11  Saam barati  <sbarati@apple.com>
4349
4350         DFG combined liveness can be wrong for terminal basic blocks
4351         https://bugs.webkit.org/show_bug.cgi?id=193304
4352         <rdar://problem/45268632>
4353
4354         Reviewed by Yusuke Suzuki.
4355
4356         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
4357
4358 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4359
4360         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
4361         https://bugs.webkit.org/show_bug.cgi?id=193308
4362         <rdar://problem/45546542>
4363
4364         Reviewed by Saam Barati.
4365
4366         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
4367         (shouldThrow):
4368         (shouldBe):
4369         (foo):
4370         (get shouldThrow):
4371         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
4372         (shouldThrow):
4373         (shouldBe):
4374         (foo):
4375         (get shouldBe):
4376         (get shouldThrow):
4377         (get return):
4378         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
4379         (shouldThrow):
4380         (shouldBe):
4381         (foo):
4382         (get shouldBe):
4383         (get shouldThrow):
4384         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
4385         (shouldThrow):
4386         (shouldBe):
4387         (foo):
4388         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
4389         (shouldThrow):
4390         (shouldBe):
4391         (foo):
4392         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
4393         (shouldThrow):
4394         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
4395         (shouldThrow):
4396         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
4397         (shouldThrow):
4398         (shouldBe):
4399         (foo):
4400         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
4401         (shouldThrow):
4402         (shouldBe):
4403         (foo):
4404         (get shouldBe):
4405         (get shouldThrow):
4406         (get return):
4407         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
4408         (shouldThrow):
4409         (shouldBe):
4410         (foo):
4411         (get shouldBe):
4412         (get shouldThrow):
4413         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
4414         (shouldThrow):
4415         (shouldBe):
4416         (foo):
4417         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
4418         (shouldThrow):
4419         (shouldBe):
4420         (foo):
4421
4422 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
4423
4424         Enable DFG on ARM/Linux again
4425         https://bugs.webkit.org/show_bug.cgi?id=192496
4426
4427         Reviewed by Yusuke Suzuki.
4428
4429         Test wasn't really skipped before moving the line with skip
4430         to the top.
4431
4432         * stress/regress-192717.js:
4433
4434 2019-01-10  Commit Queue  <commit-queue@webkit.org>
4435
4436         Unreviewed, rolling out r239825.
4437         https://bugs.webkit.org/show_bug.cgi?id=193330
4438
4439         Broke tests on armv7/linux bots (Requested by guijemont on
4440         #webkit).
4441
4442         Reverted changeset:
4443
4444         "Enable DFG on ARM/Linux again"
4445         https://bugs.webkit.org/show_bug.cgi?id=192496
4446         https://trac.webkit.org/changeset/239825
4447
4448 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
4449
4450         Enable DFG on ARM/Linux again
4451         https://bugs.webkit.org/show_bug.cgi?id=192496
4452
4453         Reviewed by Yusuke Suzuki.
4454
4455         Test wasn't really skipped before moving the line with skip
4456         to the top.
4457
4458         * stress/regress-192717.js:
4459
4460 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4461
4462         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
4463         https://bugs.webkit.org/show_bug.cgi?id=193127
4464
4465         Reviewed by Saam Barati.
4466
4467         * stress/array-species-create-should-handle-masquerader.js: Added.
4468         (shouldThrow):
4469         * stress/is-undefined-or-null-builtin.js: Added.
4470         (shouldBe):
4471         (isUndefinedOrNull.vm.createBuiltin):
4472
4473 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
4474
4475         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
4476         https://bugs.webkit.org/show_bug.cgi?id=193221
4477
4478         Reviewed by Mark Lam.
4479
4480         * stress/put-by-id-flags.js: Added.
4481         (f):
4482         (g):
4483         (numberOfDFGCompiles):
4484
4485 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
4486
4487         Baseline version of get_by_id may corrupt metadata
4488         https://bugs.webkit.org/show_bug.cgi?id=193085
4489         <rdar://problem/23453006>
4490
4491         Reviewed by Saam Barati.
4492
4493         * stress/get-by-id-change-mode.js: Added.
4494         (forEach):
4495
4496 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4497
4498         [JSC] Optimize Object.prototype.toString
4499         https://bugs.webkit.org/show_bug.cgi?id=193031
4500
4501         Reviewed by Saam Barati.
4502
4503         * stress/object-tostring-changed-proto.js: Added.
4504         (shouldBe):
4505         (test):
4506         * stress/object-tostring-changed.js: Added.
4507         (shouldBe):
4508         (test):
4509         * stress/object-tostring-misc.js: Added.
4510         (shouldBe):
4511         (test):
4512         (i.switch):
4513         * stress/object-tostring-other.js: Added.
4514         (shouldBe):
4515         (test):
4516         * stress/object-tostring-untyped.js: Added.
4517         (shouldBe):
4518         (test):
4519         (i.switch):
4520
4521 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
4522
4523         test262-runner misbehaves when test file YAML has a trailing space
4524         https://bugs.webkit.org/show_bug.cgi?id=193053
4525
4526         Reviewed by Yusuke Suzuki.
4527
4528         * test262/expectations.yaml:
4529         Mark two dozen tests as passing (and correct the output of another).
4530
4531 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
4532
4533         Unreviewed, JSTests gardening with memoryLimited
4534
4535         * stress/string-overflow-createError.js: