Update ReadMe.md

[qtwebkit.git] / JSTests / ChangeLog

2019-10-17  Mark Lam  <mark.lam@apple.com>

        Add missing checks after calls to the sameValue() JSValue comparator.
        https://bugs.webkit.org/show_bug.cgi?id=203126
        <rdar://problem/56366561>

        Reviewed by Saam Barati.

        * stress/validate-exception-check-in-proxy-object-put.js: Added.

2019-10-17  Saam Barati  <sbarati@apple.com>

        GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
        https://bugs.webkit.org/show_bug.cgi?id=203124
        <rdar://problem/55988183>

        Reviewed by Yusuke Suzuki.

        * stress/licm-array-storage-get-and-put-by-val.js: Added.
        (assert):
        (foo):

2019-10-16  Keith Miller  <keith_miller@apple.com>

        Move assert in Wasm::Plan::fail.
        https://bugs.webkit.org/show_bug.cgi?id=203052

        Reviewed by Mark Lam.

        * wasm/regress/wasm-plan-fail-bad-error-message-assert.js: Added.
        (Binary):
        (Binary.prototype.trunc_buffer):
        (Binary.prototype.emit_leb_u):
        (Binary.prototype.emit_u32v):
        (Binary.prototype.emit_bytes):
        (Binary.prototype.emit_header):
        (__f_576):
        (__f_587):

2019-10-15  Mark Lam  <mark.lam@apple.com>

        operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.
        https://bugs.webkit.org/show_bug.cgi?id=202312
        <rdar://problem/55782280>

        Reviewed by Yusuke Suzuki.

        * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings.js: Added.
        * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings2.js: Added.
        * stress/switch-on-char-llint-rope.js:
        - Changed this test to make a new rope string for each iterations.  Otherwise,
          the rope will get resolved, and subsequent tiers will not be testing with a rope.

2019-10-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] GetterSetter should be JSCell, not JSObject
        https://bugs.webkit.org/show_bug.cgi?id=202656

        Reviewed by Tadeu Zagallo and Saam Barati.

        * stress/getter-setter-should-be-cell.js: Added.
        (foo.with.):
        (foo.with.get for):
        (foo.with.bar):
        (foo):

2019-10-14  Saam Barati  <sbarati@apple.com>

        Canonicalize how we prepare the prototype chain for inline caching
        https://bugs.webkit.org/show_bug.cgi?id=202827
        <rdar://problem/56193919>

        Reviewed by Yusuke Suzuki.

        * stress/cache-correct-offset-after-flattening.js: Added.
        (assert):

2019-10-14  Paulo Matos  <pmatos@igalia.com>

        Skip memcpy-typed-loop timing out on ARMv7 pending investigation
        https://bugs.webkit.org/show_bug.cgi?id=202923

        Reviewed by Adrian Perez de Castro.

        * microbenchmarks/memcpy-typed-loop.js:

2019-10-11  Keith Miller  <keith_miller@apple.com>

        Wasm B3IRGenerator should use arguments for control data.
        https://bugs.webkit.org/show_bug.cgi?id=202855

        Reviewed by Yusuke Suzuki.

        * wasm/stress/loop-more-args-than-results.js: Added.

2019-10-10  Mark Lam  <mark.lam@apple.com>

        Modify JSTests/stress/string-overflow-createError-*.js tests to allow an OOME result.
        https://bugs.webkit.org/show_bug.cgi?id=202828

        Reviewed by Yusuke Suzuki.

        The tests intentionally allocate a very large string.  Hence, for some memory
        limited configurations, it is perfectly reasonable for the test to throw an Out
        Of Memory error.

        * stress/string-overflow-createError-builder.js:
        * stress/string-overflow-createError-fit.js:

2019-10-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, roll out r250878
        https://bugs.webkit.org/show_bug.cgi?id=202656

        Breaking vimeo page.

        * stress/getter-setter-should-be-cell.js: Removed.

2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] GetterSetter should be JSCell, not JSObject
        https://bugs.webkit.org/show_bug.cgi?id=202656

        Reviewed by Tadeu Zagallo and Saam Barati.

        * stress/getter-setter-should-be-cell.js: Added.
        (foo.with.):
        (foo.with.get for):
        (foo.with.bar):
        (foo):

2019-10-08  Alexey Shvayka  <shvaikalesh@gmail.com>

        JSON.parse incorrectly handles array proxies
        https://bugs.webkit.org/show_bug.cgi?id=199292

        Reviewed by Saam Barati.

        * microbenchmarks/json-parse-array-reviver-same-value.js: Added.
        * microbenchmarks/json-parse-array-reviver.js: Added.
        * microbenchmarks/json-parse-object-reviver-same-value.js: Added.
        * microbenchmarks/json-parse-object-reviver.js: Added.
        * stress/json-parse-reviver-array-proxy.js: Added.
        * stress/json-parse-reviver-revoked-proxy.js: Added.
        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-10-08  Ross Kirsling  <ross.kirsling@sony.com>

        Update test262 (2019.10.08).

        Rubber-stamped by Keith Miller.

        * test262/config.yaml:
        * test262/expectations.yaml:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-10-07  Saam Barati  <sbarati@apple.com>

        Allow OSR exit to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=197993

        Reviewed by Tadeu Zagallo.

        * stress/exit-from-getter-by-val.js: Added.
        * stress/exit-from-setter-by-val.js: Added.

2019-10-07  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r250750.

        Reverting change as this broke interal test over the weekend.

        Reverted changeset:

        "Allow OSR exit to the LLInt"
        https://bugs.webkit.org/show_bug.cgi?id=197993
        https://trac.webkit.org/changeset/250750

2019-10-04  Saam Barati  <sbarati@apple.com>

        Allow OSR exit to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=197993

        Reviewed by Tadeu Zagallo.

        * stress/exit-from-getter-by-val.js: Added.
        * stress/exit-from-setter-by-val.js: Added.

2019-10-04  Paulo Matos  <pmatos@igalia.com>

        Revert regexp test skip on armv7l and mips
        https://bugs.webkit.org/show_bug.cgi?id=202310

        Reviewed by Žan Doberšek.

        Test was skipped in bug 202113 on armv7l and mips due to bug 202041.
        Bug 202041 is fixed and change of bug 202113 can be reverted.

        * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:

2019-10-02  Mark Lam  <mark.lam@apple.com>

        DoubleToStringConverter::ToExponential() should null terminate its string.
        https://bugs.webkit.org/show_bug.cgi?id=202492
        <rdar://problem/55907708>

        Reviewed by Filip Pizlo.

        * stress/dtoa-AddSubstring-should-uses-strnlen-in-assertion.js: Added.

2019-10-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AsyncGenerator should have internal fields
        https://bugs.webkit.org/show_bug.cgi?id=201498

        Reviewed by Saam Barati.

        * stress/async-generator-construct-failure.js: Added.
        (shouldThrow):
        (async.gen):
        (TypeError):
        * stress/async-generator-prototype-change.js: Added.
        (shouldBe):
        (async.gen):
        * stress/async-generator-prototype-closure.js: Added.
        (shouldBe):
        (test.async.gen):
        (test):
        * stress/create-async-generator.js: Added.
        (shouldBe):
        (test.async.generator):
        (test):

2019-10-01  Saam Barati  <sbarati@apple.com>

        ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=199361
        <rdar://problem/52454940>

        Reviewed by Yusuke Suzuki.

        * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
        (main.fn):
        (main.executor):
        (main):
        * stress/allocation-sinking-hints-are-valid-ssa.js: Added.
        (main.fn):
        (main.executor):
        (main):

2019-10-01  Keith Miller  <keith_miller@apple.com>

        skip test until we figure out why it's timing out
        https://bugs.webkit.org/show_bug.cgi?id=202423

        Reviewed by Mark Lam.

        new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
        Let's skip it until we figure out what's going on.

        * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:

2019-10-01  Keith Miller  <keith_miller@apple.com>

        Mark toctou test as skipped on debug builds
        https://bugs.webkit.org/show_bug.cgi?id=202420

        Reviewed by Saam Barati.

        Keeps timing out... Let's just skip it.

        * stress/toctou-having-a-bad-time-new-array.js:

2019-10-01  Keith Miller  <keith_miller@apple.com>

        Test262 update

        Rubber-stamped by Michael Saboff.

        Note, this was too big to effectivetly put on bugzilla as it's a 10MB patch...

        * test262/*:

2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>

        [YARR] Properly handle surrogates when matching back references
        https://bugs.webkit.org/show_bug.cgi?id=202041

        Reviewed by Keith Miller.

        Unchanged from the workin progress patch posted by Paulo Matos <pmatos@igalia.com>.

        Updated test.

        * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
        (testRegExpNotMatch):

2019-10-01  Keith Miller  <keith_miller@apple.com>

        Add support for the Wasm multi-value proposal
        https://bugs.webkit.org/show_bug.cgi?id=202250

        Reviewed by Saam Barati.

        This patch adds a new way to run stress tests via the .wat text
        format. By attaching an asm.js compiled version of the wabt tool
        we can easily create wat files programatically and convert them
        into a wasm blob to compile. To make this easy there is a
        wabt-wrapper.js module file that exports two useful functions that
        correspond to WebAssembly.compile and WebAssembly.instantiate.

        * wasm.yaml:
        * wasm/function-tests/if-no-else-non-void.js:
        * wasm/js-api/web-assembly-instantiate.js:
        (assert.asyncTest.async.test):
        (assert.asyncTest):
        * wasm/libwabt.js: Added.
        (WabtModule):
        (set get if):
        * wasm/references/func_ref.js:
        * wasm/references/validation.js:
        (assert.throws):
        * wasm/spec-harness/index.js:
        * wasm/spec-tests/block.wast.js:
        * wasm/spec-tests/br.wast.js:
        * wasm/spec-tests/br_if.wast.js:
        * wasm/spec-tests/call.wast.js:
        * wasm/spec-tests/call_indirect.wast.js:
        * wasm/spec-tests/func.wast.js:
        * wasm/spec-tests/if.wast.js:
        * wasm/spec-tests/loop.wast.js:
        * wasm/spec-tests/type.wast.js:
        * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
        (buildWat):
        * wasm/stress/js-wasm-js-varying-arities.js: Added.
        (paramForwarder):
        * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
        (buildWat):
        * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
        (buildWat.throwError):
        (buildWat.throwErrorInIterator):
        (buildWat.tooManyValues):
        (buildWat.tooFewValues):
        (buildWat):
        * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
        (buildWat):
        * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
        (buildWat):
        * wasm/wabt-wrapper.js: Added.
        (export.compile):
        * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
        * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
        * wasm/wast-tests/harness.js:
        (async.runWasmFile):
        * wasm/wast-tests/single-param-loop-signature.wasm: Added.
        * wasm/wast-tests/single-param-loop-signature.wast: Added.

2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>

        Make assertion in JSObject::putOwnDataProperty more precise
        https://bugs.webkit.org/show_bug.cgi?id=202379
        <rdar://problem/49515980>

        Reviewed by Yusuke Suzuki.

        * stress/object-assign-target-proto-setter.js: Added.
        (get Object):

2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
        https://bugs.webkit.org/show_bug.cgi?id=202389
        <rdar://problem/50717564>

        Reviewed by Mark Lam.

        * stress/heap-analyzer-taking-lock.js: Added.

2019-09-30  Saam Barati  <sbarati@apple.com>

        Inline caching is wrong for custom accessors and custom values
        https://bugs.webkit.org/show_bug.cgi?id=201994
        <rdar://problem/50850326>

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/custom-accessor-materialized.js: Added.
        (assert):
        (test4.get const):
        * microbenchmarks/custom-accessor-thin-air.js: Added.
        (assert):
        (test5.get const):
        (test5.get proto):
        * microbenchmarks/custom-accessor.js: Added.
        (assert):
        (test3.get const):
        * microbenchmarks/custom-value-2.js: Added.
        (assert):
        (test1.getMultiline):
        (test1):
        * microbenchmarks/custom-value.js: Added.
        (assert):
        (test1.getMultiline):
        (test1):
        * stress/custom-accessor-delete-1.js: Added.
        (assert):
        (test3.get const):
        * stress/custom-accessor-delete-2.js: Added.
        (assert):
        (test4.get const):
        * stress/custom-accessor-delete-3.js: Added.
        (assert):
        (test5.get const):
        (test5.get proto):
        * stress/custom-value-delete-property-1.js: Added.
        (assert):
        (test1.getMultiline):
        (test1):
        * stress/custom-value-delete-property-2.js: Added.
        (test2.foo):
        (test2):
        * stress/custom-value-delete-property-3.js: Added.
        (test6.foo):
        (test6):

2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
        https://bugs.webkit.org/show_bug.cgi?id=202382
        <rdar://problem/52669112>

        Reviewed by Saam Barati.

        * stress/compare-eq-bool-number-folding.js: Added.
        (test):

2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
        https://bugs.webkit.org/show_bug.cgi?id=202330

        Reviewed by Saam Barati.

        * stress/to-lower-case-gc-stress.js: Added.

2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>

        Non-standard Error properties should not be enumerable
        https://bugs.webkit.org/show_bug.cgi?id=198975

        Reviewed by Ross Kirsling.

        * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
        * microbenchmarks/let-for-in.js: Adjust test.
        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
        https://bugs.webkit.org/show_bug.cgi?id=202299
        <rdar://problem/52669116>

        Reviewed by Saam Barati.

        * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
        (foo):
        (test):
        * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
        (foo):
        (C1.prototype.baz):
        (C1):
        (bar):
        (noInline.bar.goo):
        (C2.prototype.baz):
        (C2):
        (test):

2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>

        toExponential, toFixed, and toPrecision should allow arguments up to 100
        https://bugs.webkit.org/show_bug.cgi?id=199163

        Reviewed by Ross Kirsling.

        * ChakraCore/test/Number/toString_3.baseline-jsc:
        * ChakraCore/test/es5/exceptions3.baseline-jsc:
        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the  result of the trap is undefined
        https://bugs.webkit.org/show_bug.cgi?id=154376

        Reviewed by Ross Kirsling.

        Adds 2 test cases:
        1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
        2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.

        * stress/proxy-get-own-property.js:

2019-09-24  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueBitRShift into DFG
        https://bugs.webkit.org/show_bug.cgi?id=192663

        Reviewed by Robin Morisset.

        * stress/big-int-right-shift-jit-osr.js: Added.
        * stress/big-int-right-shift-jit-untyped.js: Added.
        * stress/big-int-right-shift-jit.js: Added.
        * stress/value-rshift-ai-rule.js: Added.

2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>

        Array methods should throw TypeError upon attempting to modify a string
        https://bugs.webkit.org/show_bug.cgi?id=201910

        Reviewed by Keith Miller.

        * stress/array-methods-should-not-modify-string.js: Added.

        * mozilla/js1_6/Array/regress-304828.js:
        Fix test. Original copy was changed similarly seven years ago:
        https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js

        * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
        Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.

2019-09-23  Mark Lam  <mark.lam@apple.com>

        Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
        https://bugs.webkit.org/show_bug.cgi?id=202122
        <rdar://problem/55535249>

        Reviewed by Yusuke Suzuki.

        * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.

2019-09-23  Caio Lima  <ticaiolima@gmail.com>

        Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=202113

        Unreviewed test gardening, skipped test in ARMv7 and MIPS.

        It is going to be fixed in
        https://bugs.webkit.org/show_bug.cgi?id=202041

        * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:

2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
        https://bugs.webkit.org/show_bug.cgi?id=202072

        Reviewed by Mark Lam.

        * stress/int52rep-with-double-checks-int52-range.js: Added.
        (shouldBe):
        (test):

2019-09-21  Caio Lima  <ticaiolima@gmail.com>

        stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=202011

        Reviewed by Mark Lam.

        We are skipping this test into MIPS and ARMv7 because some of its assumptions
        are not valid for them. The current behavior of the test in those architectures
        is that it does not throw during `new ArrayBuffer(1000)` allocation site,
        because eden collection keeps happening between iterations. The collection
        is triggered on those architectures because the amount of stress 
        `new Promise` generates into GC limits is not enough to avoid them
        while loop is executing.

        Changing the size of `UInt8Array` from `80000000` to `160000000` can
        be an alternative fix to avoid collection happening during `ArrayBuffer`
        allocation loop, but we can't guarantee this test is always going to execute
        without error when Gigacage is disabled, given we can reach an OOM state in
        some allocations that need to succeed, making this test flaky for those
        architectures.

        * stress/test-out-of-memory.js:

2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>

        AccessCase should strongly visit its dependencies while on stack
        https://bugs.webkit.org/show_bug.cgi?id=201986
        <rdar://problem/55521953>

        Reviewed by Saam Barati and Yusuke Suzuki.

        * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
        (foo):
        (warmup):

2019-09-20  Saam Barati  <sbarati@apple.com>

        Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.

        * stress/toctou-having-a-bad-time-new-array.js:

2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
        https://bugs.webkit.org/show_bug.cgi?id=202014

        Reviewed by Saam Barati.

        * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
        (__v0):

2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>

        Syntax checker should report duplicate __proto__ properties
        https://bugs.webkit.org/show_bug.cgi?id=201897
        <rdar://problem/53201788>

        Reviewed by Mark Lam.

        * stress/syntax-checker-duplicate-underscore-proto.js: Added.
        (catch):

2019-09-18  Saam Barati  <sbarati@apple.com>

        TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=201953
        <rdar://problem/53803524>

        Reviewed by Yusuke Suzuki.

        * stress/toctou-having-a-bad-time-new-array.js: Added.
        (let.code):

2019-09-18  Saam Barati  <sbarati@apple.com>

        Phantom insertion phase may disagree with arguments forwarding about live ranges
        https://bugs.webkit.org/show_bug.cgi?id=200715
        <rdar://problem/54301717>

        Reviewed by Yusuke Suzuki.

        * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
        (main.v23):
        (main.try.v43):
        (main.):
        (main):

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generator should have internal fields
        https://bugs.webkit.org/show_bug.cgi?id=201159

        Reviewed by Keith Miller.

        * stress/create-generator.js: Added.
        (shouldBe):
        (test.generator):
        (test):
        * stress/generator-construct-failure.js: Added.
        (shouldThrow):
        (TypeError):
        * stress/generator-prototype-change.js: Added.
        (shouldBe):
        (gen):
        * stress/generator-prototype-closure.js: Added.
        (shouldBe):
        (test.gen):
        (test):
        * stress/object-assign-fast-path.js:

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        Follow-up after String.codePointAt optimization
        https://bugs.webkit.org/show_bug.cgi?id=201889

        Reviewed by Saam Barati.

        * stress/string-char-at-bad-type.js: Added.
        (shouldBe):
        (object.toString):
        (test):
        * stress/string-char-code-at-bad-type.js: Added.
        (shouldBe):
        (object.toString):
        (test):
        * stress/string-code-point-at-bad-type.js: Added.
        (shouldBe):
        (object.toString):
        (test):

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CheckArray+NonArray is not filtering out Array in AI
        https://bugs.webkit.org/show_bug.cgi?id=201857
        <rdar://problem/54194820>

        Reviewed by Keith Miller.

        * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
        (foo):

2019-09-17  Saam Barati  <sbarati@apple.com>

        CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
        https://bugs.webkit.org/show_bug.cgi?id=201853
        <rdar://problem/53805461>

        Reviewed by Yusuke Suzuki.

        * stress/direct-arguments-check-array-filter-type.js: Added.
        (foo):

2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>

        Wasm StreamingParser should validate that number of functions matches number of declarations
        https://bugs.webkit.org/show_bug.cgi?id=201850
        <rdar://problem/55290186>

        Reviewed by Yusuke Suzuki.

        * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
        (catch):

2019-09-16  Michael Saboff  <msaboff@apple.com>

        [JSC] Perform check again when we found non-BMP characters
        https://bugs.webkit.org/show_bug.cgi?id=201647

        Reviewed by Yusuke Suzuki.

        * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
        * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
        (testRegExpInbounds):

2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add missing syntax errors for await in function parameter default expressions
        https://bugs.webkit.org/show_bug.cgi?id=201615

        Reviewed by Darin Adler.

        * stress/async-await-reserved-word.js:
        * stress/async-await-syntax.js:
        Add test cases.

        * test262/expectations.yaml:
        Mark newly-passing test cases.

2019-09-16  Saam Barati  <sbarati@apple.com>

        JSObject::putInlineSlow should not ignore "__proto__" for Proxy
        https://bugs.webkit.org/show_bug.cgi?id=200386
        <rdar://problem/53854946>

        Reviewed by Yusuke Suzuki.

        * stress/proxy-__proto__-in-prototype-chain.js: Added.
        * stress/proxy-property-replace-structure-transition.js: Added.

2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON does not execute steps 1-2
        https://bugs.webkit.org/show_bug.cgi?id=105282

        Reviewed by Ross Kirsling.

        * test262/expectations.yaml: Mark 2 test cases as passing.

2019-09-12  Mark Lam  <mark.lam@apple.com>

        Harden JSC against the abuse of runtime options.
        https://bugs.webkit.org/show_bug.cgi?id=201597
        <rdar://problem/55167068>

        Reviewed by Filip Pizlo.

        Remove the call to forceGCSlowPaths().  This utility function will be removed.
        The modern way to set the required option is to use //@ requireOptions.

        * stress/ftl-try-catch-oom-error-lazy-slow-path.js:

2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add StringCodePointAt intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=201673

        Reviewed by Michael Saboff.

        * stress/string-char-at-constant-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-char-code-at-constant-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at--out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at-basic.js: Added.
        (test):
        * stress/string-code-point-at-constant-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at-constant-surrogate-pair.js: Added.
        (shouldBe):
        (test):
        (breaking):
        * stress/string-code-point-at-surrogate-pair.js: Added.
        (shouldBe):
        * stress/string-code-point-at.js: Added.
        (shouldBe):

2019-09-10  Michael Saboff  <msaboff@apple.com>

        JSC crashes due to stack overflow while building RegExp
        https://bugs.webkit.org/show_bug.cgi?id=201649

        Reviewed by Yusuke Suzuki.

        New regression test.

        * stress/regexp-bol-optimize-out-of-stack.js: Added.
        (test):
        (catch):

2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
        https://bugs.webkit.org/show_bug.cgi?id=189043

        Reviewed by Keith Miller.

        The offset performing the validation becomes a bit different.
        The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.

        * wasm/js-api/version.js:

2019-09-07  Keith Miller  <keith_miller@apple.com>

        OSR entry into wasm misses some contexts
        https://bugs.webkit.org/show_bug.cgi?id=201569

        Reviewed by Yusuke Suzuki.

        Add a new harness and wast and the generated wasm file for
        testing. The idea long term is to make it easy to test by creating
        a C file and converting it to a wast then modify that to produce a
        test.

        * wasm.yaml:
        * wasm/wast-tests/harness.js: Added.
        (async.runWasmFile):
        * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
        * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
        * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
        * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
        * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
        * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
        * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
        * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.

2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Promise resolve/reject functions should be created more efficiently
        https://bugs.webkit.org/show_bug.cgi?id=201488

        Reviewed by Mark Lam.

        * microbenchmarks/promise-creation-many.js: Added.
        (executor):

2019-09-09  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed JSC test gardening.

        * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
        This test allocates a 2GB string before it goes out and tests
        out-of-memory exception when appending other strings to it. As such,
        skip the test on memory-limited platforms.

2019-09-07  Mark Lam  <mark.lam@apple.com>

        The jsc shell should allow disabling of the Gigacage for testing purposes.
        https://bugs.webkit.org/show_bug.cgi?id=201579

        Reviewed by Michael Saboff.

        Unskip the tests now.

        * stress/disable-gigacage-arrays.js:
        * stress/disable-gigacage-strings.js:
        * stress/disable-gigacage-typed-arrays.js:

2019-09-07  Mark Lam  <mark.lam@apple.com>

        Gardening: temporarily skipping these tests until the fix can be reviewed and landed.

        Not reviewed.

        See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.

        * stress/disable-gigacage-arrays.js:
        * stress/disable-gigacage-strings.js:
        * stress/disable-gigacage-typed-arrays.js:

2019-09-07  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative test fix to green bots [attempt #2].
        https://bugs.webkit.org/show_bug.cgi?id=201529
        <rdar://problem/53935772>

        Not reviewed.

        * stress/test-out-of-memory.js:

2019-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative test fix to green bots.
        https://bugs.webkit.org/show_bug.cgi?id=201529
        <rdar://problem/53935772>

        Not reviewed.

        * stress/test-out-of-memory.js:

2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>

        Math.round() produces wrong result for value prior to 0.5
        https://bugs.webkit.org/show_bug.cgi?id=185115

        Reviewed by Saam Barati.

        * stress/math-round-basics.js:
        Add positive/negative test cases.

        * test262/expectations.yaml:
        Mark test passing.

2019-09-06  Mark Lam  <mark.lam@apple.com>

        Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
        https://bugs.webkit.org/show_bug.cgi?id=201551

        Reviewed by Tadeu Zagallo.

        Ports that don't support WASM will always fail this test if it stays in JSTests/stress.

        * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
        * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.

2019-09-06  Mark Lam  <mark.lam@apple.com>

        Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
        https://bugs.webkit.org/show_bug.cgi?id=201529
        <rdar://problem/53935772>

        Reviewed by Yusuke Suzuki.

        * stress/test-out-of-memory.js: Added.

2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>

        LazyClassStructure::setConstructor should not store the constructor to the global object
        https://bugs.webkit.org/show_bug.cgi?id=201484
        <rdar://problem/50400451>

        Reviewed by Yusuke Suzuki.

        * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.

2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not use FTLOutput::weakPointer directly
        https://bugs.webkit.org/show_bug.cgi?id=201495

        Reviewed by Filip Pizlo.

        * stress/create-promise-weak-pointer.js: Added.
        (foo):

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make Promise implementation faster
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Reviewed by Saam Barati.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
        * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
        * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
        (shouldThrow):
        (new.Promise):
        (shouldThrow.Promise):
        * stress/create-promise-should-respect-promise-realm.js: Added.
        (shouldBe):
        (other.new.OtherPromise):
        (DerivedOtherPromise):
        (i.promise.new.DerivedOtherPromise):
        (createPromise):
        * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
        (shouldBe):
        (DerivedPromise):
        (i.array.push.new.DerivedPromise):
        (promise.new.DerivedPromise):
        * stress/derived-promise-constructor-inlined.js: Added.
        (shouldBe):
        (DerivedPromise):
        (i.array.push.new.DerivedPromise):
        (DerivedPromise.all.array.then):
        * stress/derived-promise-prototype-replaced.js: Added.
        (shouldBe):
        (DerivedPromise):
        (i.array.push.new.DerivedPromise):
        (promise.new.DerivedPromise):
        * stress/internal-promise-constructor-not-confusing.js: Added.
        (shouldBe):
        (InternalPromise.vm.createBuiltin):
        (DerivedPromise):
        * stress/internal-promise-is-not-exposed.js: Added.
        (shouldBe):
        * stress/new-promise-should-respect-promise-realm.js: Added.
        (shouldBe):
        (other.new.OtherPromise):
        (createPromise):
        * stress/promise-cannot-be-called.js:
        (shouldThrow):
        * stress/promise-capability-fast-path.js: Added.
        (shouldBe):
        (i.array.push.new.Promise):
        (i.array.i.then):
        * stress/promise-capability-slow-path.js: Added.
        (shouldBe):
        (Promise.prototype.then):
        (i.array.push.new.Promise):
        (i.array.i.then):
        * stress/promise-capability-then-slow-path.js: Added.
        (shouldBe):
        (DerivedPromise):
        (DerivedPromise.prototype.then):
        (i.array.push.new.DerivedPromise):
        (i.array.i.then):
        * stress/promise-constructor-inlined.js: Added.
        (shouldBe):
        (i.array.push.new.Promise):
        (Promise.all.array.then):
        * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
        (shouldBe):
        (DerivedPromise):
        (DerivedPromise2):
        (i.array.push.new.DerivedPromise):
        (i.array2.push.new.DerivedPromise2):
        * stress/without-promise-functions.js: Added.
        (shouldBe):
        (async):

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
        https://bugs.webkit.org/show_bug.cgi?id=201309
        <rdar://problem/54832121>

        Reviewed by Yusuke Suzuki.

        * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generate new.target register only when it is used
        https://bugs.webkit.org/show_bug.cgi?id=201335

        Reviewed by Mark Lam.

        * stress/ensure-new-register-allocated.js: Added.
        (shouldBe):
        (basic):
        (arrow):
        (Base):
        (Derived):
        (evaluate):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
        https://bugs.webkit.org/show_bug.cgi?id=201331

        Reviewed by Mark Lam.

        * stress/simple-jump-table-copy.js: Added.
        (let.code):
        (g2):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
        https://bugs.webkit.org/show_bug.cgi?id=201332

        Reviewed by Mark Lam.

        This test is very flaky, it is hard to reproduce.

        * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
        (code):

2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Repatch should construct CallCases and CasesValue at the same time
        https://bugs.webkit.org/show_bug.cgi?id=201325

        Reviewed by Saam Barati.

        * stress/repatch-switch.js: Added.
        (main.f2.f0):
        (main.f2.f3):
        (main.f2.f1):
        (main.f2):
        (main):

2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
        https://bugs.webkit.org/show_bug.cgi?id=198650

        Reviewed by Saam Barati.

        * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
        (main.v0):
        (main):

2019-08-28  Mark Lam  <mark.lam@apple.com>

        DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
        https://bugs.webkit.org/show_bug.cgi?id=201281
        <rdar://problem/54028228>

        Reviewed by Yusuke Suzuki and Saam Barati.

        * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.

2019-08-28  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in DFG's operationHasGenericProperty().
        https://bugs.webkit.org/show_bug.cgi?id=201245
        <rdar://problem/54777512>

        Reviewed by Robin Morisset.

        * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.

2019-08-27  Mark Lam  <mark.lam@apple.com>

        constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
        https://bugs.webkit.org/show_bug.cgi?id=201196
        <rdar://problem/54703775>

        Reviewed by Yusuke Suzuki.

        * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.

2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Ensure x?.y ?? z is fast
        https://bugs.webkit.org/show_bug.cgi?id=200875

        Reviewed by Yusuke Suzuki.

        * stress/nullish-coalescing.js:

2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>

        Remove MaximalFlushInsertionPhase
        https://bugs.webkit.org/show_bug.cgi?id=201036

        Reviewed by Saam Barati.

        Remove all the references to maximal flush

        * stress/arith-ceil-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-floor-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-negate-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-round-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-trunc-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
        * stress/has-indexed-property-should-accept-non-int32.js:
        * stress/has-indexed-property-with-worsening-array-mode.js:
        * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
        * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
        * stress/rest-parameter-many-arguments.js:
        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
        * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:

2019-08-23  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
        https://bugs.webkit.org/show_bug.cgi?id=200952

        Reviewed by Saam Barati.

        * wasm/references/func_ref.js:
        (assert.throws):

2019-08-22  Justin Michaud  <justin_michaud@apple.com>

        Add missing exception check in canonicalizeLocaleList
        https://bugs.webkit.org/show_bug.cgi?id=201021

        Reviewed by Mark Lam.

        * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
        (catch):

2019-08-21  Mark Lam  <mark.lam@apple.com>

        Wasm::FunctionParser is failing to enforce maxFunctionLocals.
        https://bugs.webkit.org/show_bug.cgi?id=201016
        <rdar://problem/54579911>

        Reviewed by Yusuke Suzuki.

        * wasm/stress/too-many-locals.js: Added.
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):

2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>

        JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
        https://bugs.webkit.org/show_bug.cgi?id=200965

        Reviewed by Saam Barati.

        This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
        The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.

        * stress/optional-chaining.js:

2019-08-21  Michael Saboff  <msaboff@apple.com>

        [JSC] incorrent JIT lead to StackOverflow
        https://bugs.webkit.org/show_bug.cgi?id=197823

        Reviewed by Tadeu Zagallo.

        New test.

        * stress/bound-function-stack-overflow.js: Added.
        (foo):
        (catch):

2019-08-20  Justin Michaud  <justin_michaud@apple.com>

        Identify memcpy loops in b3
        https://bugs.webkit.org/show_bug.cgi?id=200181

        Reviewed by Saam Barati.

        * microbenchmarks/memcpy-loop.js: Added.
        (doTest):
        (let.arr1):
        * microbenchmarks/memcpy-typed-loop-large.js: Added.
        (doTest):
        (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
        (arr2):
        * microbenchmarks/memcpy-typed-loop-small.js: Added.
        (doTest):
        (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
        (16.arr2):
        * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
        (doTest):
        (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
        (arr2):
        * microbenchmarks/memcpy-wasm-large.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * microbenchmarks/memcpy-wasm-medium.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * microbenchmarks/memcpy-wasm-small.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * microbenchmarks/memcpy-wasm.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * stress/memcpy-typed-loops.js: Added.
        (noLoop):
        (invalidStart):
        (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
        (arr2):
        * wasm/function-tests/memcpy-wasm-loop.js: Added.
        (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
        (string_appeared_here):

2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Array.prototype.toString should not get "join" function each time
        https://bugs.webkit.org/show_bug.cgi?id=200905

        Reviewed by Mark Lam.

        * stress/array-prototype-join-change.js: Added.
        (shouldBe):
        (array2.join):
        (DerivedArray):
        (DerivedArray.prototype.join):
        (array3.__proto__.join):
        (Array.prototype.join):

2019-08-20  Justin Michaud  <justin_michaud@apple.com>

        Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
        https://bugs.webkit.org/show_bug.cgi?id=200782

        Reviewed by Saam Barati.

        Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.

        * microbenchmarks/memcpy-typed-loop.js:
        * stress/int8-repeat-in-then-out-of-bounds.js:

2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Proxy constructor should throw if handler is revoked Proxy
        https://bugs.webkit.org/show_bug.cgi?id=198755

        Reviewed by Saam Barati.

        * stress/proxy-revoke.js: Adjust error message.
        * test262/expectations.yaml: Mark 2 test cases as passing.

2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry to Wasm OMG
        https://bugs.webkit.org/show_bug.cgi?id=200362

        Reviewed by Michael Saboff.

        * wasm/stress/osr-entry-basic.js: Added.
        (instance.exports.loop):
        * wasm/stress/osr-entry-many-locals-f32.js: Added.
        * wasm/stress/osr-entry-many-locals-f64.js: Added.
        * wasm/stress/osr-entry-many-locals-i32.js: Added.
        * wasm/stress/osr-entry-many-locals-i64.js: Added.
        * wasm/stress/osr-entry-many-stacks-f32.js: Added.
        * wasm/stress/osr-entry-many-stacks-f64.js: Added.
        * wasm/stress/osr-entry-many-stacks-i32.js: Added.
        * wasm/stress/osr-entry-many-stacks-i64.js: Added.

2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON throws if toISOString returns an object
        https://bugs.webkit.org/show_bug.cgi?id=198495

        Reviewed by Ross Kirsling.

        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
        https://bugs.webkit.org/show_bug.cgi?id=200899
        <rdar://problem/54073341>

        Reviewed by Mark Lam.

        * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
        (i.new.Promise):
        * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
        (i.new.Promise):

2019-08-19  Michael Saboff  <msaboff@apple.com>

        Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
        https://bugs.webkit.org/show_bug.cgi?id=197090

        Reviewed by Yusuke Suzuki.

        New test.

        * stress/regexp-nonconsuming-counted-parens.js: Added.

2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Correct a->an in error messages and API docblocks
        https://bugs.webkit.org/show_bug.cgi?id=200833

        Reviewed by Don Olmstead.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * stress/promise-finally-should-accept-non-promise-objects.js:
        * wasm/js-api/table.js:
        (assert.throws):

2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement optional chaining
        https://bugs.webkit.org/show_bug.cgi?id=200199

        Reviewed by Yusuke Suzuki.

        * stress/nullish-coalescing.js:
        * stress/optional-chaining.js: Added.
        * stress/tail-call-recognize.js:

2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Support hashbang.
        https://bugs.webkit.org/show_bug.cgi?id=200865

        Reviewed by Mark Lam.

        * stress/hashbang.js: Added.
        * test262/expectations.yaml: Mark 6 cases as passing.

2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG ToNumber should support Boolean in fixup
        https://bugs.webkit.org/show_bug.cgi?id=200864

        Reviewed by Mark Lam.

        * microbenchmarks/to-number-boolean.js: Added.
        (test):
        * stress/to-number-boolean-int32.js: Added.
        (shouldBe):
        (test):
        (check):
        * stress/to-number-boolean.js: Added.
        (shouldBe):
        (test):
        (check):
        * stress/to-number-int32.js: Added.
        (shouldBe):
        (test):
        (check):

2019-08-16  Mark Lam  <mark.lam@apple.com>

        More missing exception checks in string comparison operators.
        https://bugs.webkit.org/show_bug.cgi?id=200844
        <rdar://problem/54378684>

        Reviewed by Saam Barati.

        * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
        * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
        * stress/missing-exception-check-in-string-less-than-compare.js: Added.
        * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.

2019-08-16  Mark Lam  <mark.lam@apple.com>

        CodeBlock destructor should clear all of its watchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=200792
        <rdar://problem/53947800>

        Reviewed by Yusuke Suzuki.

        * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.

2019-08-16  Justin Michaud  <justin_michaud@apple.com>

        Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
        https://bugs.webkit.org/show_bug.cgi?id=200782

        Reviewed by Saam Barati.

        * microbenchmarks/int8-out-of-bounds.js: Added.
        (foo):
        * microbenchmarks/memcpy-typed-loop.js: Added.
        (doTest):
        (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
        (arr2):
        * stress/int8-repeat-in-then-out-of-bounds.js: Added.
        (foo):

2019-08-16  Mark Lam  <mark.lam@apple.com>

        [Re-land] ProxyObject should not be allow to access its target's private properties.
        https://bugs.webkit.org/show_bug.cgi?id=200739
        <rdar://problem/53972768>

        Reviewed by Yusuke Suzuki.

        * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
        * stress/proxy-with-private-symbols.js:

2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Promise.prototype.finally should accept non-promise objects
        https://bugs.webkit.org/show_bug.cgi?id=200829

        Reviewed by Mark Lam.

        * stress/promise-finally-should-accept-non-promise-objects.js: Added.
        (shouldBe):
        (Thenable):
        (Thenable.prototype.then):

2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>

        Promise constructor should check argument before [[Construct]]
        https://bugs.webkit.org/show_bug.cgi?id=198976

        Reviewed by Ross Kirsling.

        * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
        * stress/create-subclass-structure-might-throw.js: Fix test.
        * test262/expectations.yaml: Mark 2 test cases as passing.

2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r248709.

        Caused test/built-ins/Promise/prototype/finally/this-value-
        non-promise.js to fail on test262 bot

        Reverted changeset:

        "ProxyObject should not be allow to access its target's
        private properties."
        https://bugs.webkit.org/show_bug.cgi?id=200739
        https://trac.webkit.org/changeset/248709

2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>

        DateConversion::formatDateTime incorrectly formats negative years
        https://bugs.webkit.org/show_bug.cgi?id=199964

        Reviewed by Ross Kirsling.

        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-08-15  Mark Lam  <mark.lam@apple.com>

        More missing exception checks in String.prototype.
        https://bugs.webkit.org/show_bug.cgi?id=200762
        <rdar://problem/54333896>

        Reviewed by Michael Saboff.

        * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
        * stress/missing-exception-check-in-string-toLower.js: Added.
        * stress/missing-exception-check-in-string-toUpper.js: Added.

2019-08-14  Mark Lam  <mark.lam@apple.com>

        ProxyObject should not be allow to access its target's private properties.
        https://bugs.webkit.org/show_bug.cgi?id=200739
        <rdar://problem/53972768>

        Reviewed by Yusuke Suzuki.

        * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
        * stress/proxy-with-private-symbols.js: Rebased.

2019-08-14  Mark Lam  <mark.lam@apple.com>

        Missing exception check in string compare.
        https://bugs.webkit.org/show_bug.cgi?id=200743
        <rdar://problem/53975356>

        Reviewed by Michael Saboff.

        * stress/missing-exception-check-in-string-compare.js: Added.

2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add "jump if (not) undefined or null" bytecode ops
        https://bugs.webkit.org/show_bug.cgi?id=200480

        Reviewed by Saam Barati.

        * stress/destructuring-assignment-require-object-coercible.js:
        * stress/nullish-coalescing.js:

2019-08-05  Michael Saboff  <msaboff@apple.com>

        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
        https://bugs.webkit.org/show_bug.cgi?id=199997

        Reviewed by Saam Barati.

        New test.

        * stress/typedarray-no-alreadyChecked-assert.js: Added.
        (checkIntArray):
        (checkFloatArray):

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Support WebAssembly in SamplingProfiler
        https://bugs.webkit.org/show_bug.cgi?id=200329

        Reviewed by Saam Barati.

        * stress/sampling-profiler-wasm-name-section.js: Added.
        (const.compile):
        (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
        (platformSupportsSamplingProfiler.vm.isWasmSupported):
        * stress/sampling-profiler-wasm.js: Added.
        (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
        (platformSupportsSamplingProfiler.vm.isWasmSupported):
        * stress/sampling-profiler/loop.wasm: Added.
        * stress/sampling-profiler/loop.wast: Added.
        * stress/sampling-profiler/nameSection.wasm: Added.

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] LazyJSValue should be robust for empty JSValue
        https://bugs.webkit.org/show_bug.cgi?id=200388

        Reviewed by Saam Barati.

        * stress/switch-constant-child-becomes-empty.js: Added.
        (foo):

2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>

        GetterSetter type confusion during DFG compilation
        https://bugs.webkit.org/show_bug.cgi?id=199903

        Reviewed by Mark Lam.

        * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.

2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>

        Update Test262 (2019.08.01)
        https://bugs.webkit.org/show_bug.cgi?id=200351

        Reviewed by Keith Miller.

        * test262/expectations.yaml:
        * test262/harness/testIntl.js:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
        https://bugs.webkit.org/show_bug.cgi?id=200192

        Reviewed by Saam Barati.

        * stress/structure-chain-stress.js: Added.
        (keys):

2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Increment bytecode age only when SlotVisitor is first-visit
        https://bugs.webkit.org/show_bug.cgi?id=200196

        Reviewed by Robin Morisset.

        * stress/reparsing-unlinked-codeblock.js:

2019-07-29  Justin Michaud  <justin_michaud@apple.com>

        [X86] Emit BT instruction for shift + mask in B3
        https://bugs.webkit.org/show_bug.cgi?id=199891

        Reviewed by Robin Morisset.

        Lower the number of iterations to fix debug timeouts.

        * microbenchmarks/bit-test-load.js:
        (i):

2019-07-27  Justin Michaud  <justin_michaud@apple.com>

        [X86] Emit BT instruction for shift + mask in B3
        https://bugs.webkit.org/show_bug.cgi?id=199891

        Reviewed by Keith Miller.

        * microbenchmarks/bit-test-constant.js: Added.
        (let.glob.0.doTest):
        * microbenchmarks/bit-test-load.js: Added.
        (let.glob.0.let.arr.new.Int32Array.8.doTest):
        (i):
        * microbenchmarks/bit-test-nonconstant.js: Added.
        (let.glob.0.doTest):

2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Potential GC fix for JSPropertyNameEnumerator
        https://bugs.webkit.org/show_bug.cgi?id=200151

        Reviewed by Mark Lam.

        * stress/for-in-stress.js: Added.
        (keys):

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        Legacy numeric literals should not permit separators or BigInt
        https://bugs.webkit.org/show_bug.cgi?id=199984

        Reviewed by Keith Miller.

        * stress/big-int-literals.js:
        * stress/numeric-literal-separators.js:

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement nullish coalescing
        https://bugs.webkit.org/show_bug.cgi?id=200072

        Reviewed by Darin Adler.

        * stress/nullish-coalescing.js: Added.

2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        Three checks are missing in Proxy internal methods
        https://bugs.webkit.org/show_bug.cgi?id=198630

        Reviewed by Darin Adler.

        * stress/proxy-delete.js: Assert isExtensible is called in correct order.
        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-07-23  Justin Michaud  <justin_michaud@apple.com>

        Sometimes we miss removable CheckInBounds
        https://bugs.webkit.org/show_bug.cgi?id=200018

        Reviewed by Saam Barati.

        * microbenchmarks/typed-array-sum.js: Added.
        (doTest):

2019-07-16  Mark Lam  <mark.lam@apple.com>

        ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
        https://bugs.webkit.org/show_bug.cgi?id=199821
        <rdar://problem/52452328>

        Reviewed by Filip Pizlo.

        * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.

2019-07-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, test262 gardening.

        * test262/expectations.yaml:

2019-07-15  Keith Miller  <keith_miller@apple.com>

        A Possible Issue of Object.create method
        https://bugs.webkit.org/show_bug.cgi?id=199744

        Reviewed by Yusuke Suzuki.

        * stress/object-create-non-object-properties-parameter.js: Added.
        (catch):

2019-07-15  Keith Miller  <keith_miller@apple.com>

        Update test262
        https://bugs.webkit.org/show_bug.cgi?id=199801

        Rubber-stamped by Yusuke Suzuki.

        * test262/expectations.yaml:
        * test262/latest-changes-summary.txt:
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
        (callback):
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
        * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        (async.fn):
        (fn.then.async):
        * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
        (newTarget):
        (fn):
        * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/proto.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
        (newTarget):
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
        (newTarget):
        * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
        (callback):
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
        (fg.new.FinalizationGroup):
        (fg.cleanupSome.cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
        (fn):
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
        (cb):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
        (fg.new.FinalizationGroup):
        (callback):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
        (poisoned):
        (fg.new.FinalizationGroup):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
        (poisoned):
        (emptyCells):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
        (fn):
        (cb):
        (emptyCells):
        (prototype.assert.sameValue.fg.cleanupSome):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
        (fn):
        (cb):
        (poisoned):
        (assert.sameValue.fg.cleanupSome):
        (prototype.assert.sameValue.fg.cleanupSome):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
        (cb):
        * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
        (fn):
        * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
        (cleanupCallback):
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
        * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
        (FinalizationGroup):
        * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
        (cleanupCallback):
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
        * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
        * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
        * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
        * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
        (setIter.set Symbol):
        (set defaultTag):
        (gen):
        (get return):
        (set new):
        * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
        (generatorProxy.new.Proxy):
        (asyncProxy.new.Proxy.async):
        * test262/test/built-ins/Object/subclass-object-arg.js:
        * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
        * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
        * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
        * test262/test/built-ins/Promise/executor-function-name.js:
        * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
        * test262/test/built-ins/Promise/reject-function-name.js:
        * test262/test/built-ins/Promise/resolve-function-name.js:
        * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
        * test262/test/built-ins/WeakRef/constructor.js: Added.
        * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
        * test262/test/built-ins/WeakRef/length.js: Added.
        * test262/test/built-ins/WeakRef/name.js: Added.
        * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
        * test262/test/built-ins/WeakRef/proto.js: Added.
        * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
        (newTarget):
        * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
        * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
        * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
        (emptyCells):
        * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
        * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
        (fg.new.FinalizationGroup):
        * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
        * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
        * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
        * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
        (let.key.of.Object.getOwnPropertyNames):
        (set for):
        * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
        * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
        * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
        * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
        * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
        * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
        * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
        (assertParts):
        (assertPartsNumeric):
        * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
        (assertParts):
        * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
        * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
        * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
        * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
        * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
        * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
        (C.prototype.method):
        * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateGetter):
        * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateMethod):
        * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
        (C):
        (C.method):
        * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
        (C):
        (C.method.innerFunction):
        (C.method):
        * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
        (C):
        (C.checkPrivateSetter):
        * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
        * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.prototype.m):
        (let.classStringExpression.prototype.access):
        (let.classStringExpression):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.prototype.m):
        (let.classStringExpression.prototype.access):
        (let.classStringExpression):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.C.prototype.m):
        (let.classStringExpression.return.C.prototype.access):
        (let.classStringExpression.return.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.C.prototype.m):
        (let.classStringExpression.return.C.prototype.access):
        (let.classStringExpression.return.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (const.C):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression.return.prototype.m):
        (let.classStringExpression.return.prototype.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
        (let.classStringExpression):
        (let.classStringExpression.access):
        (let.createAndInstantiateClass):
        * test262/test/language/expressions/new.target/unary-expr.js: Added.
        (new):
        (async):
        * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
        (A):
        * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
        * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
        * test262/test/language/identifiers/vals-cjk.js: Added.
        * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
        * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.checkPrivateField):
        (C):
        * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
        (C):
        * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
        (C.prototype.getWithEval):
        (C):
        (D):
        * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
        (C.prototype.get m):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
        (C.prototype.get m):
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
        (let.createAndInstantiateClass):
        * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
        (C.prototype.get m):
        (C.prototype.checkPrivateGetter):
        (C):
        * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.get m):
        (C.prototype.checkPrivateGetter):
        (C):
        * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
        (C.prototype.get m):
        (C):
        * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
        (C.prototype.get m):
        (C.prototype.getWithEval):
        (C):
        (D.prototype.get m):
        (D):
        * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
        (C.prototype.m):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
        (C.prototype.m):
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
        (C.prototype.m):
        (C.prototype.checkPrivateMethod):
        (C):
        * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.m):
        (C.prototype.checkPrivateMethod):
        (C):
        * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
        (C.prototype.m):
        (C):
        * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
        (C.prototype.m):
        (C.prototype.getWithEval):
        (C):
        (D.prototype.m):
        (D):
        * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
        (C.prototype.set m):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
        (C.prototype.set m):
        (C.prototype.method.innerFunction):
        (C.prototype.method):
        (C):
        * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
        (C.prototype.set m):
        (C.prototype.checkPrivateSetter):
        (C):
        * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
        (C.prototype.set m):
        (C.prototype.checkPrivateSetter):
        (C):
        * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
        (C.prototype.set m):
        (C):
        * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
        (C.prototype.set m):
        (C.prototype.setWithEval):
        (C):
        (D.prototype.set m):
        (D):
        * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
        * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
        * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
        * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
        (A.prototype.method):
        (A):
        (C.prototype.get m):
        (C.prototype.access):
        (C):
        * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
        (A.prototype.method):
        (A):
        (C.prototype.m):
        (C.prototype.access):
        (C):
        * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
        (A.prototype.method):
        (A):
        (C.prototype.set m):
        (C.prototype.access):
        (C):
        * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
        (A):
        * test262/test/language/statements/function/13.2-30-s.js:
        * test262/test262-Revision.txt:

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        Fix our spec tests.

        * wasm/js-api/Module-compile.js:
        * wasm/js-api/test_basic_api.js:
        (const.c.in.constructorProperties.switch):
        * wasm/js-api/validate.js:
        * wasm/js-api/web-assembly-instantiate.js:
        * wasm/spec-tests/jsapi.js:
        (testJSAPI.get test):
        (testJSAPI.set test):

2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r247440.

        Broke builds

        Reverted changeset:

        "[JSC] Improve wasm wpt test results by fixing miscellaneous
        issues"
        https://bugs.webkit.org/show_bug.cgi?id=199783
        https://trac.webkit.org/changeset/247440

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        Fix our spec tests.

        * wasm/js-api/Module-compile.js:
        * wasm/js-api/test_basic_api.js:
        (const.c.in.constructorProperties.switch):
        * wasm/js-api/validate.js:
        * wasm/js-api/web-assembly-instantiate.js:
        * wasm/spec-tests/jsapi.js:
        (testJSAPI.get test):
        (testJSAPI.set test):

2019-07-12  Justin Michaud  <justin_michaud@apple.com>

        B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
        https://bugs.webkit.org/show_bug.cgi?id=196371

        Reviewed by Keith Miller.

        * microbenchmarks/mul-immediate-sub.js: Added.
        (doTest):

2019-07-12  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueBitLShift into DFG
        https://bugs.webkit.org/show_bug.cgi?id=192664

        Reviewed by Saam Barati.

        We are adding tests to cover ValueBitwise operations AI changes.

        * stress/big-int-left-shift-untyped.js: Added.
        * stress/bit-op-with-object-returning-int32.js:
        * stress/value-bit-and-ai-rule.js: Added.
        * stress/value-bit-lshift-ai-rule.js: Added.
        * stress/value-bit-or-ai-rule.js: Added.
        * stress/value-bit-xor-ai-rule.js: Added.

2019-07-11  Justin Michaud  <justin_michaud@apple.com>

        Add b3 macro lowering for CheckMul on arm64
        https://bugs.webkit.org/show_bug.cgi?id=199251

        Reviewed by Robin Morisset.

        * microbenchmarks/check-mul-constant.js: Added.
        (doTest):
        * microbenchmarks/check-mul-no-constant.js: Added.
        (doTest):
        * microbenchmarks/check-mul-power-of-two.js: Added.
        (doTest):

2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>

        Optimize join of large empty arrays
        https://bugs.webkit.org/show_bug.cgi?id=199636

        Reviewed by Mark Lam.

        * microbenchmarks/large-empty-array-join.js: Added.
        * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.

2019-07-06  Michael Saboff  <msaboff@apple.com>

        switch(String) needs to check for exceptions when resolving the string
        https://bugs.webkit.org/show_bug.cgi?id=199541

        Reviewed by Mark Lam.

        New tests.

        * stress/switch-string-oom.js: Added.
        (test):
        (testLowerTiers):
        (testFTL):

2019-07-05  Mark Lam  <mark.lam@apple.com>

        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
        https://bugs.webkit.org/show_bug.cgi?id=199533
        <rdar://problem/52669111>

        Reviewed by Filip Pizlo.

        * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.

2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>

        [JSC] Clean up ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=182434

        Reviewed by Yusuke Suzuki.

        Adjusts error message expectations in stress tests.

        * stress/array-flatmap.js:
        * stress/array-flatten.js:
        * stress/array-species-create-should-handle-masquerader.js:
        * test262/expectations.yaml: Mark 4 test cases as passing.

2019-07-02  Michael Saboff  <msaboff@apple.com>

        Exception from For..of loop assignment eliminates TDZ checks in subsequent code
        https://bugs.webkit.org/show_bug.cgi?id=199395

        Reviewed by Filip Pizlo.

        New regession test.

        * stress/for-of-tdz-with-try-catch.js: Added.
        (test):
        (i.catch):

2019-07-02  Keith Miller  <keith_miller@apple.com>

        Frozen Arrays length assignment should throw in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=199365

        Reviewed by Yusuke Suzuki.

        * stress/frozen-array-length-should-throw-strict.js: Added.
        (test):

2019-07-01  Justin Michaud  <justin_michaud@apple.com>

        [Wasm-References] Disable references by default
        https://bugs.webkit.org/show_bug.cgi?id=199390

        Reviewed by Saam Barati.

        * wasm/references-spec-tests/ref_is_null.js:
        * wasm/references-spec-tests/ref_null.js:
        * wasm/references/anyref_globals.js:
        * wasm/references/anyref_modules.js:
        * wasm/references/anyref_table.js:
        * wasm/references/anyref_table_import.js:
        * wasm/references/element_parsing.js:
        * wasm/references/func_ref.js:
        * wasm/references/is_null.js:
        * wasm/references/multitable.js:
        * wasm/references/table_misc.js:
        * wasm/references/validation.js:

2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r246946.

        Caused JSC test crashes on arm64

        Reverted changeset:

        "Add b3 macro lowering for CheckMul on arm64"
        https://bugs.webkit.org/show_bug.cgi?id=199251
        https://trac.webkit.org/changeset/246946

2019-06-28  Justin Michaud  <justin_michaud@apple.com>

        Add b3 macro lowering for CheckMul on arm64
        https://bugs.webkit.org/show_bug.cgi?id=199251

        Reviewed by Robin Morisset.

        * microbenchmarks/check-mul-constant.js: Added.
        (doTest):
        * microbenchmarks/check-mul-no-constant.js: Added.
        (doTest):
        * microbenchmarks/check-mul-power-of-two.js: Added.
        (doTest):

2019-06-26  Keith Miller  <keith_miller@apple.com>

        speciesConstruct needs to throw if the result is a DataView
        https://bugs.webkit.org/show_bug.cgi?id=199231

        Reviewed by Mark Lam.

        * stress/typedarray-filter.js:
        (subclasses.forEach):
        * stress/typedarray-map.js:
        (subclasses.forEach):
        * stress/typedarray-slice.js:
        (typedArrays.forEach):
        * stress/typedarray-subarray.js:
        (subclasses.forEach):

2019-06-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r246714.
        https://bugs.webkit.org/show_bug.cgi?id=199179

        revert to do patch in a different way. (Requested by keith_mi_
        on #webkit).

        Reverted changeset:

        "All prototypes should call didBecomePrototype()"
        https://bugs.webkit.org/show_bug.cgi?id=196315
        https://trac.webkit.org/changeset/246714

2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        Add Array.prototype.{flat,flatMap} to unscopables
        https://bugs.webkit.org/show_bug.cgi?id=194322

        Reviewed by Keith Miller.

        * stress/unscopables.js: Fix test.
        * test262/expectations.yaml: Mark 2 test cases as passing.

2019-06-21  Mark Lam  <mark.lam@apple.com>

        ArraySlice needs to keep the source array alive.
        https://bugs.webkit.org/show_bug.cgi?id=197374
        <rdar://problem/50304429>

        Reviewed by Michael Saboff and Filip Pizlo.

        * stress/array-slice-must-keep-source-array-alive.js: Added.

2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        * stress/function-prototype-indexed-accessor.js: Added.

2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Strict, Sloppy and Arrow functions should have different classInfo
        https://bugs.webkit.org/show_bug.cgi?id=197631

        Reviewed by Saam Barati.

        * stress/has-own-property-arguments.js: Added.
        (shouldBe):
        (A):

2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ClassExpr should not store result in the middle of evaluation
        https://bugs.webkit.org/show_bug.cgi?id=199106

        Reviewed by Tadeu Zagallo.

        * stress/class-expression-should-store-result-at-last.js: Added.
        (shouldThrow):
        (shouldThrow.let.a):

2019-06-20  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
        https://bugs.webkit.org/show_bug.cgi?id=199044

        Reviewed by Saam Barati.

        Add wasm references spec tests as well as a worker test.

        * wasm.yaml:
        * wasm/Builder_WebAssemblyBinary.js:
        (const.emitters.Element):
        * wasm/js-api/element.js:
        (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
        * wasm/references-spec-tests/ref_is_null.js: Added.
        (hostref):
        (is_hostref):
        (is_funcref):
        (eq_ref):
        (let.handler.get target):
        (register):
        (module):
        (instance):
        (call):
        (get instance):
        (exports):
        (run):
        (assert_malformed):
        (assert_invalid):
        (assert_unlinkable):
        (assert_uninstantiable):
        (assert_trap):
        (try.f):
        (catch):
        (assert_exhaustion):
        (assert_return):
        (assert_return_canonical_nan):
        (assert_return_arithmetic_nan):
        (assert_return_ref):
        (assert_return_func):
        * wasm/references-spec-tests/ref_null.js: Added.
        (hostref):
        (is_hostref):
        (is_funcref):
        (eq_ref):
        (let.handler.get target):
        (register):
        (module):
        (instance):
        (call):
        (get instance):
        (exports):
        (run):
        (assert_malformed):
        (assert_invalid):
        (assert_unlinkable):
        (assert_uninstantiable):
        (assert_trap):
        (try.f):
        (catch):
        (assert_exhaustion):
        (assert_return):
        (assert_return_canonical_nan):
        (assert_return_arithmetic_nan):
        (assert_return_ref):
        (assert_return_func):
        * wasm/references/element_parsing.js: Added.
        (module):
        * wasm/references/func_ref.js:
        * wasm/references/multitable.js:
        * wasm/references/table_misc.js:
        (TableSize.0.End.End.WebAssembly):
        * wasm/references/validation.js:
        (assert.throws):

2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Optimize `resolve` method lookup in Promise static methods
        https://bugs.webkit.org/show_bug.cgi?id=198864

        Reviewed by Yusuke Suzuki.

        * test262/expectations.yaml: Mark 18 test cases as passing.

2019-06-19  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Rename anyfunc to funcref
        https://bugs.webkit.org/show_bug.cgi?id=198983

        Reviewed by Yusuke Suzuki.

        * wasm/function-tests/basic-element.js:
        * wasm/function-tests/context-switch.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
        (makeInstance):
        (assert.eq.makeInstance):
        * wasm/function-tests/exceptions.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
        * wasm/function-tests/grow-memory-2.js:
        (assert.eq.instance.exports.foo):
        * wasm/function-tests/nameSection.js:
        (const.compile):
        * wasm/function-tests/stack-overflow.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
        (assertOverflows.makeInstance):
        * wasm/function-tests/table-basic-2.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
        * wasm/function-tests/table-basic.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
        * wasm/function-tests/trap-from-start-async.js:
        * wasm/function-tests/trap-from-start.js:
        * wasm/js-api/Module.exports.js:
        (assert.truthy):
        * wasm/js-api/Module.imports.js:
        (assert.truthy):
        * wasm/js-api/call-indirect.js:
        (const.oneTable):
        (const.multiTable):
        (multiTable.const.makeTable):
        (multiTable):
        (multiTable.Polyphic2Import):
        (multiTable.VirtualImport):
        * wasm/js-api/element-data.js:
        * wasm/js-api/element.js:
        (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
        (assert.throws):
        (badInstantiation.makeModule):
        (badInstantiation.test):
        (badInstantiation):
        * wasm/js-api/extension-MemoryMode.js:
        * wasm/js-api/table.js:
        (new.WebAssembly.Module):
        (assert.throws):
        (assertBadTableImport):
        (assert.throws.WebAssembly.Table.prototype.grow):
        (new.WebAssembly.Table):
        (assertBadTable):
        (assert.truthy):
        * wasm/js-api/test_basic_api.js:
        (const.c.in.constructorProperties.switch):
        * wasm/js-api/unique-signature.js:
        (CallIndirectWithDuplicateSignatures):
        * wasm/js-api/wrapper-function.js:
        * wasm/modules/table.wat:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
        * wasm/modules/wasm-imports-wasm-exports/imports.wat:
        * wasm/modules/wasm-imports-wasm-exports/sum.wat:
        * wasm/references/anyref_table.js:
        * wasm/references/anyref_table_import.js:
        (doSet):
        (assert.throws):
        * wasm/references/func_ref.js:
        (makeFuncrefIdent):
        (assert.eq.instance.exports.fix):
        (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
        (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
        (let.importedFun.of):
        (makeAnyfuncIdent): Deleted.
        (makeAnyfuncIdent.fun): Deleted.
        * wasm/references/multitable.js:
        (assert.eq):
        (assert.throws):
        * wasm/references/table_misc.js:
        (GetLocal.0.TableFill.0.End.End.WebAssembly):
        * wasm/references/validation.js:
        (assert.throws.new.WebAssembly.Module.bin):
        (assert.throws):
        * wasm/spec-harness/index.js:
        * wasm/spec-harness/wasm-constants.js:
        * wasm/spec-harness/wasm-module-builder.js:
        (WasmModuleBuilder.prototype.toArray):
        * wasm/spec-harness/wast.js:
        (elem_type):
        (string_of_elem_type):
        (string_of_table_type):
        * wasm/spec-tests/jsapi.js:
        * wasm/stress/wasm-table-grow-initialize.js:
        * wasm/wasm.json:

2019-06-18  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for Table.size, grow and fill instructions
        https://bugs.webkit.org/show_bug.cgi?id=198761

        Reviewed by Yusuke Suzuki.

        * wasm/Builder_WebAssemblyBinary.js:
        (const.putOp):
        * wasm/references/table_misc.js: Added.
        (TableSize.End.End.WebAssembly):
        (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
        * wasm/wasm.json:

2019-06-18  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for multiple tables
        https://bugs.webkit.org/show_bug.cgi?id=198760

        Reviewed by Saam Barati.

        * wasm/Builder.js:
        * wasm/js-api/call-indirect.js:
        (const.oneTable):
        (const.multiTable):
        (multiTable):
        (multiTable.Polyphic2Import):
        (multiTable.VirtualImport):
        (const.wasmModuleWhichImportJS): Deleted.
        (const.makeTable): Deleted.
        (): Deleted.
        (Polyphic2Import): Deleted.
        (VirtualImport): Deleted.
        * wasm/js-api/table.js:
        (new.WebAssembly.Module):
        (assert.throws):
        (assertBadTableImport):
        (assert.truthy):
        (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
        * wasm/references/anyref_table.js:
        * wasm/references/anyref_table_import.js:
        (makeImport):
        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
        * wasm/references/multitable.js: Added.
        (assert.throws.1.exports.set_tbl0):
        (assert.throws):
        (assert.eq):
        * wasm/references/validation.js:
        (assert.throws.new.WebAssembly.Module.bin):
        (assert.throws):
        * wasm/spec-tests/imports.wast.js:
        * wasm/wasm.json:

        * wasm/Builder.js:
        * wasm/js-api/call-indirect.js:
        (const.oneTable):
        (const.multiTable):
        (multiTable):
        (multiTable.Polyphic2Import):
        (multiTable.VirtualImport):
        (const.wasmModuleWhichImportJS): Deleted.
        (const.makeTable): Deleted.
        (): Deleted.
        (Polyphic2Import): Deleted.
        (VirtualImport): Deleted.
        * wasm/js-api/table.js:
        (new.WebAssembly.Module):
        (assert.throws):
        (assertBadTableImport):
        (assert.truthy):
        (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
        * wasm/references/anyref_table.js:
        * wasm/references/anyref_table_import.js:
        (makeImport):
        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
        * wasm/references/func_ref.js:
        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
        * wasm/references/multitable.js: Added.
        (assert.throws.1.exports.set_tbl0):
        (assert.throws):
        (assert.eq):
        (string_appeared_here.tableInsanity):
        (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
        (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
        * wasm/references/validation.js:
        (assert.throws.new.WebAssembly.Module.bin):
        (assert.throws):
        * wasm/spec-tests/imports.wast.js:
        * wasm/wasm.json:

2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>

        [ESNExt] String.prototype.matchAll
        https://bugs.webkit.org/show_bug.cgi?id=186694

        Reviewed by Yusuke Suzuki.

        Implement String.prototype.matchAll.
        (https://tc39.es/ecma262/#sec-string.prototype.matchall)

        * test262/config.yaml:

2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>

        DFG code should not reify the names of builtin functions with private names
        https://bugs.webkit.org/show_bug.cgi?id=198849
        <rdar://problem/51733890>

        Reviewed by Filip Pizlo.

        * stress/builtin-private-function-name.js: Added.
        (then):
        (PromiseLike):

2019-06-18  Keith Miller  <keith_miller@apple.com>

        MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
        https://bugs.webkit.org/show_bug.cgi?id=198969
        <rdar://problem/51620714>

        Reviewed by Tadeu Zagallo.

        * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
        (catch):

2019-06-17  Justin Michaud  <justin_michaud@apple.com>

        Validate that table element type is funcref if using an element section
        https://bugs.webkit.org/show_bug.cgi?id=198910

        Reviewed by Yusuke Suzuki.

        * wasm/references/anyref_table.js:

2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
        https://bugs.webkit.org/show_bug.cgi?id=197378

        Reviewed by Saam Barati.

        * stress/disposable-call-site-index-with-call-and-this.js: Added.
        (foo):
        (bar):
        * stress/disposable-call-site-index.js: Added.
        (foo):
        (bar):

2019-06-17  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for Funcref in parameters and return types
        https://bugs.webkit.org/show_bug.cgi?id=198157

        Reviewed by Yusuke Suzuki.

        * wasm/Builder.js:
        (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
        * wasm/references/anyref_globals.js:
        * wasm/references/func_ref.js: Added.
        (fullGC.gc.makeExportedFunction):
        (makeExportedIdent):
        (makeAnyfuncIdent):
        (fun):
        (assert.eq.instance.exports.fix.fun):
        (assert.eq.instance.exports.fix):
        (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
        (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
        (assert.throws):
        (assert.throws.doTest):
        (let.importedFun.of):
        (makeAnyfuncIdent.fun):
        * wasm/references/validation.js:
        (assert.throws):
        * wasm/wasm.json:

2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>

        Update test262 tests (2019.06.13)
        https://bugs.webkit.org/show_bug.cgi?id=198821

        Reviewed by Konstantin Tokarev.

        * test262/expectations.yaml:
        * test262/harness/:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Grown region of WasmTable should be initialized with null
        https://bugs.webkit.org/show_bug.cgi?id=198903

        Reviewed by Saam Barati.

        * wasm/stress/wasm-table-grow-initialize.js: Added.
        (shouldBe):

2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>

        Yarr bytecode compilation failure should be gracefully handled
        https://bugs.webkit.org/show_bug.cgi?id=198700

        Reviewed by Michael Saboff.

        * stress/regexp-bytecode-compilation-fail.js: Added.
        (shouldThrow):

2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
        https://bugs.webkit.org/show_bug.cgi?id=198770

        Reviewed by Saam Barati.

        * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
        (test):

2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>

        JSC should throw if proxy set returns falsish in strict mode context
        https://bugs.webkit.org/show_bug.cgi?id=177398

        Reviewed by Yusuke Suzuki.

        1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
        2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.

        * stress/proxy-set.js: Add 2 test cases.
        * stress/regexp-match-proxy.js: Fix test.
        * stress/regexp-replace-proxy.js: Fix test.

2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>

        Error message for non-callable Proxy `construct` trap is misleading
        https://bugs.webkit.org/show_bug.cgi?id=198637

        Reviewed by Saam Barati.

        * stress/proxy-construct.js:

2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>

        AI BitURShift's result should not be unsigned
        https://bugs.webkit.org/show_bug.cgi?id=198689
        <rdar://problem/51550063>

        Reviewed by Saam Barati.

        * stress/urshift-int32-overflow.js: Added.
        (foo.):
        (foo):

2019-06-11  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux

        Unreviewed gardening.

        * stress/ftl-gettypedarrayoffset-wasteful.js:
        Skipped on arm/linux as it always times out on the bot since a change
        between r246270 and r246278 inclusive.

2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
        https://bugs.webkit.org/show_bug.cgi?id=198023

        Reviewed by Saam Barati.

        * stress/reparsing-unlinked-codeblock.js: Added.
        (shouldBe):
        (hello):

2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use mergePrediction in ValuePow prediction propagation
        https://bugs.webkit.org/show_bug.cgi?id=198648

        Reviewed by Saam Barati.

        * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.

2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>

        AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
        https://bugs.webkit.org/show_bug.cgi?id=198581
        <rdar://problem/51099753>

        Reviewed by Saam Barati.

        * stress/global-object-proto-getter.js: Added.
        (f):
        (test):

2019-06-05  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
        https://bugs.webkit.org/show_bug.cgi?id=198398

        Reviewed by Saam Barati.

        * wasm/references/anyref_table.js: Added.
        (string_appeared_here.doGCSet):
        (doGCTest):
        (doGCSet.doGCTest.let.count.0.doBarrierSet):
        * wasm/references/anyref_table_import.js: Added.
        (makeImport):
        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
        * wasm/references/is_null_error.js: Removed.
        * wasm/references/validation.js: Added.
        (assert.throws.new.WebAssembly.Module.bin):
        (assert.throws):
        * wasm/wasm.json:

2019-06-05  Justin Michaud  <justin_michaud@apple.com>

        WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
        https://bugs.webkit.org/show_bug.cgi?id=198106

        Reviewed by Saam Barati.

        * wasm/regress/selectf64.js: Added.
        * wasm/regress/selectf64.wasm: Added.
        * wasm/regress/selectf64.wat: Added.

2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>

        Argument elimination should check transitive dependents for interference
        https://bugs.webkit.org/show_bug.cgi?id=198520
        <rdar://problem/50863343>

        Reviewed by Filip Pizlo.

        * stress/argument-elimination-inline-rest-past-kill.js: Added.
        (f2):
        (f3):

2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>

        Argument elimination should check for negative indices in GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=198302
        <rdar://problem/51188095>

        Reviewed by Filip Pizlo.

        * stress/eliminate-arguments-negative-rest-access.js: Added.
        (inlinee):
        (opt):

2019-06-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "**"
        https://bugs.webkit.org/show_bug.cgi?id=190799

        Reviewed by Saam Barati.

        * stress/big-int-exp-basic.js: Added.
        * stress/big-int-exp-jit-osr.js: Added.
        * stress/big-int-exp-jit-untyped.js: Added.
        * stress/big-int-exp-jit.js: Added.
        * stress/big-int-exp-negative-exponent.js: Added.
        * stress/big-int-exp-to-primitive.js: Added.
        * stress/big-int-exp-type-error.js: Added.
        * stress/big-int-exp-wrapped-value.js: Added.
        * stress/value-pow-ai-rule.js: Added.

2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
        https://bugs.webkit.org/show_bug.cgi?id=197979

        Reviewed by Filip Pizlo.

        * stress/16bit-code.js: Added.
        (shouldBe):
        * stress/32bit-code.js: Added.
        (shouldBe):

2019-05-30  Justin Michaud  <justin_michaud@apple.com>

        oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
        https://bugs.webkit.org/show_bug.cgi?id=198355

        Reviewed by Saam Barati.

        * wasm/references/is_null.js:

2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>

        [PlayStation] Skip additional tests on PlayStation
        https://bugs.webkit.org/show_bug.cgi?id=198352

        Reviewed by Don Olmstead.

        Skip pow test on PlayStation due to behavior difference in standard library.
        Skip incremental marking test due to OOM on PlayStation systems.

        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
        * stress/math-pow-with-constants.js:
        * stress/pow-with-constants.js:

2019-05-28  Dean Jackson  <dino@apple.com>

        Implement Promise.allSettled
        https://bugs.webkit.org/show_bug.cgi?id=197600
        <rdar://problem/50483885>

        Reviewed by Keith Miller.

        Start testing Promise.allSettled. We pass most of the tests.
        The ones that fail are similar to the Promise.all tests we already fail.

        * test262/config.yaml: Remove Promise.allSettled from skipped tests.
        * test262/expectations.yaml: Add new expectations for allSettled tests.

2019-05-28  Michael Saboff  <msaboff@apple.com>

        [YARR] Properly handle RegExp's that require large ParenContext space
        https://bugs.webkit.org/show_bug.cgi?id=198065

        Reviewed by Keith Miller.

        New test.

        * stress/regexp-large-paren-context.js: Added.
        (testLargeRegExp):

2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>

        JITOperations putByVal should mark negative array indices as out-of-bounds
        https://bugs.webkit.org/show_bug.cgi?id=198271

        Reviewed by Saam Barati.

        * microbenchmarks/get-by-val-negative-array-index.js:
        (foo):
        Update the getByVal microbenchmark added in r245769. This now shows that r245769
        is 4.2x faster than the previous commit.

        * microbenchmarks/put-by-val-negative-array-index.js: Added.
        (foo):

2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>

        JITOperations getByVal should mark negative array indices as out-of-bounds
        https://bugs.webkit.org/show_bug.cgi?id=198229

        Reviewed by Saam Barati.

        * microbenchmarks/get-by-val-negative-array-index.js: Added.
        (foo):

2019-05-24  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Support Anyref in globals
        https://bugs.webkit.org/show_bug.cgi?id=198102

        Reviewed by Saam Barati.

        Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.

        * wasm/Builder.js:
        (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
        * wasm/Builder_WebAssemblyBinary.js:
        (const.putInitExpr):
        * wasm/references/anyref_globals.js: Added.
        (GetGlobal.0.End.End.WebAssembly):
        (5.doGCSet):
        (doGCTest):
        (doGCSet.doGCTest.let.count.0.doBarrierSet):

2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>

        DFG::OSREntry should not perform arity check
        https://bugs.webkit.org/show_bug.cgi?id=198189

        Reviewed by Saam Barati.

        * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
        (foo):

2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>

        [PlayStation] Skip additional tests on PlayStation
        https://bugs.webkit.org/show_bug.cgi?id=198145

        Reviewed by Ross Kirsling.

        * exceptionFuzz.yaml:
        Add skip on hostOS playstation
        * executableAllocationFuzz.yaml:
        Add skip on hostOS playstation

2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>

        createListFromArrayLike should throw if value is not an object
        https://bugs.webkit.org/show_bug.cgi?id=198138

        Reviewed by Yusuke Suzuki.

        * stress/create-list-from-array-like-not-object.js: Added.
        (testValid):
        (testInvalid):
        * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
        (opt):
        * stress/proxy-proto-enumerator.js: Added.
        (main):
        * stress/proxy-proto-own-keys.js: Added.
        (assert):
        (ownKeys):

2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
        https://bugs.webkit.org/show_bug.cgi?id=197809

        Reviewed by Michael Saboff.

        * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
        (foo):

2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement support for Numeric Separators
        https://bugs.webkit.org/show_bug.cgi?id=196351

        Reviewed by Keith Miller.

        * stress/numeric-literal-separators.js: Added.
        Add tests for feature.

        * test262/expectations.yaml:
        Mark 60 test cases as passing.

2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>

        llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
        https://bugs.webkit.org/show_bug.cgi?id=198120
        <rdar://problem/49668795>

        Reviewed by Michael Saboff.

        * stress/get-array-length-concurrently-change-mode.js: Added.
        (main):

2019-05-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r245634.
        https://bugs.webkit.org/show_bug.cgi?id=198140

        'This patch makes JSC crash on launch in debug builds'
        (Requested by tadeuzagallo on #webkit).

        Reverted changeset:

        "[ESNext] Implement support for Numeric Separators"
        https://bugs.webkit.org/show_bug.cgi?id=196351
        https://trac.webkit.org/changeset/245634

2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>

        Stack-buffer-overflow in decodeURIComponent
        https://bugs.webkit.org/show_bug.cgi?id=198109
        <rdar://problem/50397550>

        Reviewed by Michael Saboff.

        * stress/decode-uri-icu-count-trail-bytes.js: Added.
        (i.j.try.i.toString):
        (i.j.catch):

2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Don't clear PropertyNameArray in Proxy code
        https://bugs.webkit.org/show_bug.cgi?id=197691

        Reviewed by Saam Barati.

        * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
        (shouldBe):
        (opt):

2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement support for Numeric Separators
        https://bugs.webkit.org/show_bug.cgi?id=196351

        Reviewed by Keith Miller.

        * stress/numeric-literal-separators.js: Added.
        Add tests for feature.

        * test262/expectations.yaml:
        Mark 60 test cases as passing.

2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
        https://bugs.webkit.org/show_bug.cgi?id=198101

        Reviewed by Michael Saboff.

        * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
        (shouldBe):

2019-05-20  Keith Miller  <keith_miller@apple.com>

        Cleanup Yarr regexp code around paren contexts.
        https://bugs.webkit.org/show_bug.cgi?id=198063

        Reviewed by Yusuke Suzuki.

        * stress/regexp-many-named-sequential-capture-groups.js: Added.
        (i.s):
        * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.

2019-05-17  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
        https://bugs.webkit.org/show_bug.cgi?id=197969

        Reviewed by Keith Miller.

        Support the anyref type in Builder.js, plus add some extra error logging.
        Add new folder for wasm references tests.

        * wasm.yaml:
        * wasm/Builder.js:
        (const._isValidValue):
        * wasm/references/anyref_modules.js: Added.
        (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
        (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
        (Call.3.RefIsNull.End.End.WebAssembly):
        (undefined):
        * wasm/references/is_null.js: Added.
        * wasm/references/is_null_error.js: Added.
        * wasm/spec-harness/index.js:
        * wasm/wasm.json:

2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Invalid AssignmentTargetType should be an early error.
        https://bugs.webkit.org/show_bug.cgi?id=197603

        Reviewed by Keith Miller.

        * test262/expectations.yaml:
        Update expectations to reflect new SyntaxErrors.
        (Ideally, these should all be viewed as passing in the near future.)

        * stress/async-await-basic.js:
        * stress/big-int-literals.js:
        Update tests to reflect new SyntaxErrors.

        * ChakraCore.yaml:
        * ChakraCore/test/EH/try6.baseline-jsc:
        * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
        Update baselines to reflect new SyntaxErrors.

2019-05-15  Saam Barati  <sbarati@apple.com>

        Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
        https://bugs.webkit.org/show_bug.cgi?id=197855
        <rdar://problem/50236506>

        Reviewed by Michael Saboff.

        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
        (f0):
        (bar):
        (foo):
        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
        (f1):
        (f2):
        (foo):

2019-05-14  Keith Miller  <keith_miller@apple.com>

        Fix issue with byteOffset on ARM64E
        https://bugs.webkit.org/show_bug.cgi?id=197884

        Reviewed by Saam Barati.

        We didn't have any tests that run with non-byte/non-zero offset
        typed arrays.

        * stress/ftl-gettypedarrayoffset-wasteful.js:

2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
        https://bugs.webkit.org/show_bug.cgi?id=197833

        Reviewed by Darin Adler.

        * stress/generator-name.js: Added.
        (shouldBe):
        (gen):
        (catch):

2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>

        JSObject::getOwnPropertyDescriptor is missing an exception check
        https://bugs.webkit.org/show_bug.cgi?id=197693
        <rdar://problem/50441784>

        Reviewed by Saam Barati.

        * stress/proxy-spread.js: Added.
        (foo):

2019-05-10  Saam barati  <sbarati@apple.com>

        Call to JSToWasmICCallee::createStructure passes in wrong prototype value
        https://bugs.webkit.org/show_bug.cgi?id=197807
        <rdar://problem/50530400>

        Reviewed by Yusuke Suzuki.

        * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
        (test.getInstance):
        (test):

2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>

        [Test262] Unreviewed expectations update following r245188.

        * test262/config.yaml:
        * test262/expectations.yaml:

        * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
        * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
        These files have invalid YAML comments. Will also submit corrections back to Test262.

2019-05-10  Keith Miller  <keith_miller@apple.com>

        Update test262 tests.

        Rubber-stamped by Yusuke Suzuki.

        * test262/*: mega-patch too many things to list individually.

2019-05-09  Keith Miller  <keith_miller@apple.com>

        Unreview, fix test to have a try-catch.

        * stress/many-nested-functions-parser-stack-overflow.js:
        (catch):

2019-05-09  Keith Miller  <keith_miller@apple.com>

        parseStatementListItem needs a stack overflow check
        https://bugs.webkit.org/show_bug.cgi?id=197749

        Reviewed by Saam Barati.

        * stress/many-nested-functions-parser-stack-overflow.js: Added.

2019-05-08  Saam barati  <sbarati@apple.com>

        AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
        https://bugs.webkit.org/show_bug.cgi?id=197715
        <rdar://problem/50399252>

        Reviewed by Filip Pizlo.

        * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
        (foo):
        (bar):

2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r245068.

        Caused debug layout tests to exit early due to an assertion
        failure.

        Reverted changeset:

        "All prototypes should call didBecomePrototype()"
        https://bugs.webkit.org/show_bug.cgi?id=196315
        https://trac.webkit.org/changeset/245068

2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>

        Invalid DFG JIT genereation in high CPU usage state
        https://bugs.webkit.org/show_bug.cgi?id=197453

        Reviewed by Saam Barati.

        * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
        (trigger):
        (main):

2019-05-08  Robin Morisset  <rmorisset@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        This changelog already landed, but the commit was missing the actual changes.

        * stress/function-prototype-indexed-accessor.js: Added.

2019-05-08  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueMod into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186174

        Reviewed by Saam Barati.

        * microbenchmarks/mod-untyped.js: Added.
        * stress/big-int-mod-osr.js: Added.
        * stress/value-div-ai-rule.js: Added.
        * stress/value-mod-ai-rule.js: Added.

2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG_ASSERT failed in lowInt52
        https://bugs.webkit.org/show_bug.cgi?id=197569

        Reviewed by Saam Barati.

        * stress/getstack-int52.js: Added.
        (opt):
        (main):

2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>

        JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
        https://bugs.webkit.org/show_bug.cgi?id=197479

        Reviewed by Saam Barati.

        * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
        (shouldBe):

2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>

        TemplateObject passed to template literal tags are not always identical for the same source location.
        https://bugs.webkit.org/show_bug.cgi?id=190756

        Reviewed by Saam Barati.

        * complex.yaml:
        * complex/tagged-template-regeneration-after.js: Added.
        (shouldBe):
        * complex/tagged-template-regeneration.js: Added.
        (call):
        (test):
        * modules/tagged-template-inside-module.js: Added.
        (from.string_appeared_here.call):
        * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
        (call):
        (export.otherTaggedTemplates):
        * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
        (shouldBe):
        (call):
        (poly):
        * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
        (shouldBe):
        (call):
        * stress/tagged-templates-in-function-in-direct-eval.js: Added.
        (shouldBe):
        (call):
        (test):
        * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
        (shouldBe):
        (call):
        * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
        (shouldBe):
        (call):
        * stress/tagged-templates-in-multiple-functions.js: Added.
        (shouldBe):
        (call):
        (a):
        (b):
        (c):
        * stress/tagged-templates-with-same-start-offset.js: Added.
        (shouldBe):

2019-05-07  Robin Morisset  <rmorisset@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        * stress/function-prototype-indexed-accessor.js: Added.

2019-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244978.
        https://bugs.webkit.org/show_bug.cgi?id=197671

        TemplateObject map should use start/end offsets (Requested by
        yusukesuzuki on #webkit).

        Reverted changeset:

        "TemplateObject passed to template literal tags are not always
        identical for the same source location."
        https://bugs.webkit.org/show_bug.cgi?id=190756
        https://trac.webkit.org/changeset/244978

2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>

        tryCachePutByID should not crash if target offset changes
        https://bugs.webkit.org/show_bug.cgi?id=197311
        <rdar://problem/48033612>

        Reviewed by Filip Pizlo.

        Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
        by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`

        * stress/cache-put-by-id-delete-prototype.js: Added.
        (A.prototype.set y):
        (A):
        (B.prototype.set y):
        (B):
        (C):
        * stress/cache-put-by-id-different-__proto__.js: Added.
        (A.prototype.set y):
        (A):
        (B1):
        (B2.prototype.set y):
        (B2):
        (C):
        (D):
        * stress/cache-put-by-id-different-attributes.js: Added.
        (Foo):
        (set x):
        * stress/cache-put-by-id-different-offset.js: Added.
        (Foo):
        (set x):
        * stress/cache-put-by-id-insert-prototype.js: Added.
        (A.prototype.set y):
        (A):
        (C):
        * stress/cache-put-by-id-poly-proto.js: Added.
        (Foo):
        (set _):
        (createBar.Bar):
        (createBar):

2019-05-07  Saam Barati  <sbarati@apple.com>

        Don't OSR enter into an FTL CodeBlock that has been jettisoned
        https://bugs.webkit.org/show_bug.cgi?id=197531
        <rdar://problem/50162379>

        Reviewed by Yusuke Suzuki.

        * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.

2019-05-06  Dean Jackson  <dino@apple.com>

        Update test262 expectations for Proxy passes
        https://bugs.webkit.org/show_bug.cgi?id=197628

        Reviewed by Yusuke Suzuki.

        There are two consistent passes in Proxy.ownKeys.

        * test262/expectations.yaml:

2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] We should check OOM for description string of Symbol
        https://bugs.webkit.org/show_bug.cgi?id=197634

        Reviewed by Keith Miller.

        * stress/check-symbol-description-oom.js: Added.
        (shouldThrow):

2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, land one more test
        https://bugs.webkit.org/show_bug.cgi?id=197587

        * stress/setter-frame-flush.js: Added.
        (setter):
        (foo):
        (bar):

2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>

        TemplateObject passed to template literal tags are not always identical for the same source location.
        https://bugs.webkit.org/show_bug.cgi?id=190756

        Reviewed by Saam Barati.

        * complex.yaml:
        * complex/tagged-template-regeneration-after.js: Added.
        (shouldBe):
        * complex/tagged-template-regeneration.js: Added.
        (call):
        (test):
        * modules/tagged-template-inside-module.js: Added.
        (from.string_appeared_here.call):
        * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
        (call):
        (export.otherTaggedTemplates):
        * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
        (shouldBe):
        (call):
        (poly):
        * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
        (shouldBe):
        (call):
        * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
        (shouldBe):
        (call):
        * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
        (shouldBe):
        (call):
        * stress/tagged-templates-in-multiple-functions.js: Added.
        (shouldBe):
        (call):
        (a):
        (b):
        (c):

2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>

        [PlayStation] JSC Stress tests failing due to timezone printing
        https://bugs.webkit.org/show_bug.cgi?id=197615

        PlayStation's strftime does not give timezone strings, which
        results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
        rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
        which causes diff failures with the expectations. Add expectations
        without the timezone string and use those on playstation.

        Reviewed by Ross Kirsling.

        * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
        * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
        * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
        * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.

2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
        https://bugs.webkit.org/show_bug.cgi?id=197587

        Reviewed by Sam Weinig.

        This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.

        * stress/adhoc-setter-frame-should-not-be-killed.js: Added.

2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>

        TypedArrays should not store properties that are canonical numeric indices
        https://bugs.webkit.org/show_bug.cgi?id=197228
        <rdar://problem/49557381>

        Reviewed by Saam Barati.

        * stress/array-species-config-array-constructor.js:
        (test):
        * stress/put-direct-index-broken-2.js:
        * stress/typed-array-canonical-numeric-index-string.js: Added.
        (makeTest.assert):
        (makeTest):
        (const.testInvalidIndices.makeTest.set assert):
        (const.testInvalidIndices.makeTest):
        (const.makeTestValidIndex.configurable.set assert):
        (const.makeTestValidIndex.configurable):
        * stress/typedarray-access-monomorphic-neutered.js:
        (checkNoException):
        (testNoException):
        (testFTLNoException):
        * stress/typedarray-access-neutered.js:
        (testNoException):
        * stress/typedarray-getownproperty-not-configurable.js:
        (foo):
        * test262/expectations.yaml:

2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
        https://bugs.webkit.org/show_bug.cgi?id=197584

        Reviewed by Saam Barati.

        * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
        (X):
        (foo):

2019-05-03  Michael Saboff  <msaboff@apple.com>

        iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
        https://bugs.webkit.org/show_bug.cgi?id=197586

        Reviewed by Keith Miller.

        We should only run one config of this test and only when we think we'll have the memory.

        * stress/json-stringify-string-builder-overflow.js:

2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generator CodeBlock generation should be idempotent
        https://bugs.webkit.org/show_bug.cgi?id=197552

        Reviewed by Keith Miller.

        Add complex.yaml, which controls how to run JSC shell more.
        We split test files into two to run macro task between them which allows debugger to be attached to VM.

        * complex.yaml: Added.
        * complex/generator-regeneration-after.js: Added.
        * complex/generator-regeneration.js: Added.
        (gen):

2019-05-02  Michael Saboff  <msaboff@apple.com>

        Unreviewed rollout of r244862.

        * stress/proxy-getOwnPropertySlots-exceptionChecks.js:

2019-05-01  Saam barati  <sbarati@apple.com>

        Baseline JIT should do argument value profiling after checking for stack overflow
        https://bugs.webkit.org/show_bug.cgi?id=197052
        <rdar://problem/50009602>

        Reviewed by Yusuke Suzuki.

        * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.

2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
        https://bugs.webkit.org/show_bug.cgi?id=197405

        Reviewed by Saam Barati.

        * stress/getter-setter-inlining-should-emit-movhint.js: Added.
        (foo):
        (test):
        (i.o.get f):
        (i.o.set f):

2019-05-01  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
        https://bugs.webkit.org/show_bug.cgi?id=197485

        Reviewed by Saam Barati.

        New test.

        * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
        (foo):

2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed correction to Test262 expectations following r244828.

        * test262/expectations.yaml:

2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>

        Add memory-limited skipping to some tests generating very large strings
        https://bugs.webkit.org/show_bug.cgi?id=197437

        Reviewed by Ross Kirsling.

        * stress/StringObject-define-length-getter-rope-string-oom.js:
        * stress/create-error-out-of-memory-rope-string.js:
        * stress/string-16bit-repeat-overflow.js:

2019-04-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244806.
        https://bugs.webkit.org/show_bug.cgi?id=197446

        Causing Test262 and JSC test failures on multiple builds
        (Requested by ShawnRoberts on #webkit).

        Reverted changeset:

        "TypeArrays should not store properties that are canonical
        numeric indices"
        https://bugs.webkit.org/show_bug.cgi?id=197228
        https://trac.webkit.org/changeset/244806

2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>

        TypeArrays should not store properties that are canonical numeric indices
        https://bugs.webkit.org/show_bug.cgi?id=197228
        <rdar://problem/49557381>

        Reviewed by Darin Adler.

        * stress/typed-array-canonical-numeric-index-string.js: Added.
        (makeTest.assert):
        (makeTest):
        (const.testInvalidIndices.makeTest.set assert):
        (const.testInvalidIndices.makeTest):
        (const.testValidIndices.makeTest.set assert):
        (const.testValidIndices.makeTest):

2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
        https://bugs.webkit.org/show_bug.cgi?id=197362

        Reviewed by Saam Barati.

        * stress/map-with-nan.js: Added.
        (shouldBe):
        (div):
        (NaN1):
        (NaN2):
        (NaN3):
        (NaN4):
        (NaN1NoInline):
        (NaN2NoInline):
        (NaN3NoInline):
        (NaN4NoInline):
        (test1):
        (test2):
        (test3):
        (test4):
        * stress/set-with-nan.js: Added.
        (shouldBe):
        (div):
        (NaN1):
        (NaN2):
        (NaN3):
        (NaN4):
        (NaN1NoInline):
        (NaN2NoInline):
        (NaN3NoInline):
        (NaN4NoInline):
        (test2):
        (test4):

2019-04-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r244708.
        https://bugs.webkit.org/show_bug.cgi?id=197334

        "Broke the debug build" (Requested by rmorisset on #webkit).

        Reverted changeset:

        "All prototypes should call didBecomePrototype()"
        https://bugs.webkit.org/show_bug.cgi?id=196315
        https://trac.webkit.org/changeset/244708

2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] linkPolymorphicCall now does GC
        https://bugs.webkit.org/show_bug.cgi?id=197306

        Reviewed by Saam Barati.

        * stress/link-polymorphic-call-can-gc.js: Added.
        (module):
        (instance):

2019-04-26  Robin Morisset  <rmorisset@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        * stress/function-prototype-indexed-accessor.js: Added.

2019-04-23  Saam Barati  <sbarati@apple.com>

        LICM incorrectly assumes it'll never insert a node which provably OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=196721
        <rdar://problem/49556479> 

        Reviewed by Filip Pizlo.

        * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
        (foo):

2019-04-19  Saam Barati  <sbarati@apple.com>

        AbstractValue can represent more than int52
        https://bugs.webkit.org/show_bug.cgi?id=197118
        <rdar://problem/49969960>

        Reviewed by Michael Saboff.

        * stress/abstract-value-can-include-int52.js: Added.
        (foo):
        (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):

2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF] StringBuilder should set correct m_is8Bit flag when merging
        https://bugs.webkit.org/show_bug.cgi?id=197053

        Reviewed by Saam Barati.

        * stress/merge-string-builder-in-dfg.js: Added.
        (foo):

2019-04-16  Caitlin Potter  <caitp@igalia.com>

        [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
        https://bugs.webkit.org/show_bug.cgi?id=176810

        Reviewed by Saam Barati.

        Add tests for the DontEnum filtering, and variations of other tests
        take the DontEnum-filtering path.

        * stress/proxy-own-keys.js:
        (i.catch):
        (set assert):
        (set add):
        (let.set new):
        (get let):

2019-04-15  Saam barati  <sbarati@apple.com>

        Modify how we do SetArgument when we inline varargs calls
        https://bugs.webkit.org/show_bug.cgi?id=196712
        <rdar://problem/49605012>

        Reviewed by Michael Saboff.

        * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
        (foo):

2019-04-15  Saam barati  <sbarati@apple.com>

        SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
        https://bugs.webkit.org/show_bug.cgi?id=196945
        <rdar://problem/49802750>

        Reviewed by Filip Pizlo.

        * stress/get-by-offset-should-use-correct-child.js: Added.
        (foo.bar):
        (foo):

2019-04-15  Robin Morisset  <rmorisset@apple.com>

        DFG should be able to constant fold Object.create() with a constant prototype operand
        https://bugs.webkit.org/show_bug.cgi?id=196886

        Reviewed by Yusuke Suzuki.

        Note that this new benchmark does not currently see a speedup with inlining removed.
        The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.

        * microbenchmarks/object-create-constant-prototype.js: Added.
        (test):

2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>

        Incremental bytecode cache should not append function updates when loaded from memory
        https://bugs.webkit.org/show_bug.cgi?id=196865

        Reviewed by Filip Pizlo.

        * stress/bytecode-cache-shared-code-block.js: Added.
        (b):
        (program):

2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>

        CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
        https://bugs.webkit.org/show_bug.cgi?id=196880

        Reviewed by Yusuke Suzuki.

        * stress/bytecode-cache-syntax-error.js: Added.
        (catch):

2019-04-12  Saam barati  <sbarati@apple.com>

        r244079 logically broke shouldSpeculateInt52
        https://bugs.webkit.org/show_bug.cgi?id=196884

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/int52-rand-function.js: Added.
        (Math.random):

2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] op_has_indexed_property should not assume subscript part is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196850

        Reviewed by Saam Barati.

        * stress/has-indexed-property-should-accept-non-int32.js: Added.
        (foo):

2019-04-11  Saam barati  <sbarati@apple.com>

        Remove invalid assertion in operationInstanceOfCustom
        https://bugs.webkit.org/show_bug.cgi?id=196842
        <rdar://problem/49725493>

        Reviewed by Michael Saboff.

        * stress/operationInstanceOfCustom-bad-assertion.js: Added.

2019-04-10  Saam Barati  <sbarati@apple.com>

        AbstractValue::validateOSREntryValue is wrong for Int52 constants
        https://bugs.webkit.org/show_bug.cgi?id=196801
        <rdar://problem/49771122>

        Reviewed by Yusuke Suzuki.

        * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.

2019-04-10  Robin Morisset  <rmorisset@apple.com>

        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
        https://bugs.webkit.org/show_bug.cgi?id=196746

        Reviewed by Yusuke Suzuki.

        * stress/cyclic-define-properties.js: Added.
        (foo):

2019-04-09  Saam barati  <sbarati@apple.com>

        Clean up Int52 code and some bugs in it
        https://bugs.webkit.org/show_bug.cgi?id=196639
        <rdar://problem/49515757>

        Reviewed by Yusuke Suzuki.

        * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.

2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>

        ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
        https://bugs.webkit.org/show_bug.cgi?id=196708
        <rdar://problem/49556803>

        Reviewed by Yusuke Suzuki.

        * stress/proxy-getter-stack-overflow.js: Added.
        (const.handler.get target):
        (const.handler.has):
        (try.with):
        (catch):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG should respect node's strict flag
        https://bugs.webkit.org/show_bug.cgi?id=196617

        Reviewed by Saam Barati.

        * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
        (shouldEqual):
        (makeUnwriteableUnconfigurableObject):
        (runTest):
        * stress/put-dynamic-var-strict-and-sloppy.js: Added.
        (shouldBe):
        (shouldThrow):
        (with.result):
        (with.putValueStrict):
        (with.putValueSloppy):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] isRope jump in StringSlice should not jump over register allocations
        https://bugs.webkit.org/show_bug.cgi?id=196716

        Reviewed by Saam Barati.

        * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
        (foo.bar):
        (foo):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] to_index_string should not assume incoming value is Uint32
        https://bugs.webkit.org/show_bug.cgi?id=196713

        Reviewed by Saam Barati.

        * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
        (foo):

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add more tests for r243966
        https://bugs.webkit.org/show_bug.cgi?id=196711

        Reviewed by Saam Barati.

        Adding one more test for r243966 fix. The added test will not crash after r243966.

        * stress/stress-cleared-calllinkinfo.js: Added.
        (runNearStackLimit.t):
        (runNearStackLimit):
        (repeat):
        (cls):
        (let.item.of.array.runNearStackLimit):

2019-04-08  Saam Barati  <sbarati@apple.com>

        WebAssembly.RuntimeError missing exception check
        https://bugs.webkit.org/show_bug.cgi?id=196700
        <rdar://problem/49693932>

        Reviewed by Yusuke Suzuki.

        * wasm/js-api/runtime-error-should-exception-check.js: Added.

2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rolling in r243948 with test fix
        https://bugs.webkit.org/show_bug.cgi?id=196486

        * stress/arrow-function-and-use-strict-directive.js: Added.
        * stress/arrow-function-syntax.js: Added.
        (checkSyntax):
        (checkSyntaxError):

2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r243948.

        Caused inspector/runtime/parse.html to fail

        Reverted changeset:

        "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
        https://bugs.webkit.org/show_bug.cgi?id=196486
        https://trac.webkit.org/changeset/243948

2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r243943.

        Caused test262 failures.

        Reverted changeset:

        "[JSC] Filter DontEnum properties in
        ProxyObject::getOwnPropertyNames()"
        https://bugs.webkit.org/show_bug.cgi?id=176810
        https://trac.webkit.org/changeset/243943

2019-04-07  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r243642): Crash in reddit.com page
        https://bugs.webkit.org/show_bug.cgi?id=196684

        Reviewed by Geoffrey Garen.

        New regression test.

        * stress/regexp-nongreedy-charclass-backtracks.js: Added.

2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
        https://bugs.webkit.org/show_bug.cgi?id=196683

        Reviewed by Saam Barati.

        * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
        (foo):

2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
        https://bugs.webkit.org/show_bug.cgi?id=196582

        Reviewed by Saam Barati.

        * stress/add-overflow-check-with-three-same-registers.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (runWithNumber):

2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r243665.

        Caused iOS JSC tests to exit with an exception.

        Reverted changeset:

        "Assertion failed in JSC::createError"
        https://bugs.webkit.org/show_bug.cgi?id=196305
        https://trac.webkit.org/changeset/243665

2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>

        SIGSEGV in JSC::BytecodeGenerator::addStringConstant
        https://bugs.webkit.org/show_bug.cgi?id=196486

        Reviewed by Saam Barati.

        * stress/arrow-function-and-use-strict-directive.js: Added.
        * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
        (checkSyntax):
        (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.

2019-04-05  Caitlin Potter  <caitp@igalia.com>

        [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
        https://bugs.webkit.org/show_bug.cgi?id=176810

        Reviewed by Saam Barati.

        Add tests for the DontEnum filtering, and variations of other tests
        take the DontEnum-filtering path.

        * stress/proxy-own-keys.js:
        (i.catch):
        (set assert):
        (set add):
        (let.set new):
        (get let):

2019-04-05  Caitlin Potter  <caitp@igalia.com>

        [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
        https://bugs.webkit.org/show_bug.cgi?id=185211

        Reviewed by Saam Barati.

        This is for the normative spec change in https://github.com/tc39/ecma262/pull/833

        This changes several assertions to expect a TypeError to be thrown (in some cases,
        changing thee expected message).

        * es6/Proxy_ownKeys_duplicates.js:
        (handler):
        (shouldThrow):
        (test):
        * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
        (shouldThrow):
        * stress/proxy-own-keys.js:
        (i.catch):
        (assert):

2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
        https://bugs.webkit.org/show_bug.cgi?id=196631

        Reviewed by Saam Barati.

        * stress/make-bound-function-should-not-assume-int32-length.js: Added.
        (assert):
        (test):
        (foo):

2019-04-04  Saam Barati  <sbarati@apple.com>

        Unreviewed. Make the test from r243906 catch the thrown exceptions.

        * stress/inferred-types-regex-matches-array.js:

2019-04-04  Saam Barati  <sbarati@apple.com>

        createRegExpMatchesArray does not respect inferred types
        https://bugs.webkit.org/show_bug.cgi?id=193287

        Reviewed by Yusuke Suzuki.

        This checks in the test case for 193287. This issue was discovered by
        Samuel Groß of Google Project Zero.

        * stress/inferred-types-regex-matches-array.js: Added.

2019-04-04  Saam barati  <sbarati@apple.com>

        Teach Call ICs how to call Wasm
        https://bugs.webkit.org/show_bug.cgi?id=196387

        Reviewed by Filip Pizlo.

        * wasm/function-tests/stack-trace.js:

2019-04-04  Caio Lima  <ticaiolima@gmail.com>

        [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
        https://bugs.webkit.org/show_bug.cgi?id=194944

        Reviewed by Keith Miller.

        * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.

2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>

        Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
        https://bugs.webkit.org/show_bug.cgi?id=196409

        Reviewed by Saam Barati.

        * stress/bytecode-cache-cached-string-impl.js: Added.
        (f):
        (g):
        * stress/bytecode-cache-run-string.js: Added.

2019-04-03  Robin Morisset  <rmorisset@apple.com>

        B3 should use associativity to optimize expression trees
        https://bugs.webkit.org/show_bug.cgi?id=194081

        Reviewed by Filip Pizlo.

        Added three microbenchmarks:
        - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
        - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
          an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
        - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup

        * microbenchmarks/add-tree.js: Added.
        * microbenchmarks/bit-or-tree.js: Added.
        * microbenchmarks/bit-xor-tree.js: Added.

2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
        https://bugs.webkit.org/show_bug.cgi?id=196574

        Reviewed by Saam Barati.

        * stress/string-index-of-exception-check.js: Added.
        (blurType):
        (1.forEach):

2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>

        Assertion failed in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=196305
        <rdar://problem/49387382>

        Reviewed by Saam Barati.

        * stress/create-error-out-of-memory-rope-string-2.js: Added.
        (assert):
        (catch):

2019-03-28  Saam Barati  <sbarati@apple.com>

        BackwardsGraph needs to consider back edges as the backward's root successor
        https://bugs.webkit.org/show_bug.cgi?id=195991

        Reviewed by Filip Pizlo.

        * stress/map-b3-licm-infinite-loop.js: Added.

2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>

        CodeBlock::jettison() should disallow repatching its own calls
        https://bugs.webkit.org/show_bug.cgi?id=196359
        <rdar://problem/48973663>

        Reviewed by Saam Barati.

        * stress/call-link-info-osrexit-repatch.js: Added.
        (foo):

2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] imports-oom.js intermittently fails
        https://bugs.webkit.org/show_bug.cgi?id=196373

        Reviewed by Saam Barati.

        imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
        with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
        wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
        and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
        imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.

        This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
        an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.

        * wasm/lowExecutableMemory/imports-oom.js:

2019-03-27  Saam Barati  <sbarati@apple.com>

        validateOSREntryValue with Int52 should box the value being checked into double format
        https://bugs.webkit.org/show_bug.cgi?id=196313
        <rdar://problem/49306703>

        Reviewed by Yusuke Suzuki.

        * stress/validate-int-52-ai-state.js: Added.

2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Owner of watchpoints should validate at GC finalizing phase
        https://bugs.webkit.org/show_bug.cgi?id=195827

        Reviewed by Filip Pizlo.

        * stress/gc-should-reap-dead-watchpoints.js: Added.
        (foo):
        (A.prototype.y):
        (A):

2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>

        Skip WebAssembly test on 32-bit systems
        https://bugs.webkit.org/show_bug.cgi?id=196206

        Reviewed by Saam Barati.

        Invoking runDefault executes test immediately even though
        that test should be skipped due to missing WASM support.
        Therefore remove runDefault.

        * wasm/regress/web-assembly-link-error-exception-check.js:

2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>

        WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
        https://bugs.webkit.org/show_bug.cgi?id=196217

        Reviewed by Saam Barati.

        Re-enable all NaN tests for f32.min, f64.min and f64.max.

        * wasm/spec-tests/f32.wast.js:
        * wasm/spec-tests/f64.wast.js:
        * wasm/wasm.json:

2019-03-25  Keith Miller  <keith_miller@apple.com>

        ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
        https://bugs.webkit.org/show_bug.cgi?id=196176

        Reviewed by Saam Barati.

        * stress/object-is-fold-to-compare-eq-ptr.js: Added.
        (main.v10):
        (main):

2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>

        WebAssembly: f32.max with NaN generates incorrect result
        https://bugs.webkit.org/show_bug.cgi?id=175691
        <rdar://problem/33952228>

        Reviewed by Saam Barati.

        Enable all f32.max NaN tests

        * wasm/spec-tests/f32.wast.js:
        * wasm/wasm.json:

2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>

        [JSC] Move test into directory for WASM tests
        https://bugs.webkit.org/show_bug.cgi?id=196187

        Reviewed by Mark Lam.

        Move Test into wasm-directory. Otherwise this test
        is also executed on systems without WASM support.

        * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.

2019-03-23  Mark Lam  <mark.lam@apple.com>

        Rolling out r243032 and r243071 because the fix is incorrect.
        https://bugs.webkit.org/show_bug.cgi?id=195892
        <rdar://problem/48981239>

        Not reviewed.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.

2019-03-22  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=196154
        <rdar://problem/49145307>

        Reviewed by Filip Pizlo.

        Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
        There's no need to run this test on more than 1 test configuration.

        * stress/typed-array-lastIndexOf-exception-check.js: Added.
        * stress/web-assembly-link-error-exception-check.js:

2019-03-22  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in constructJSWebAssemblyLinkError().
        https://bugs.webkit.org/show_bug.cgi?id=196152
        <rdar://problem/49145257>

        Reviewed by Michael Saboff.

        * stress/web-assembly-link-error-exception-check.js: Added.

2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>

        Skip tests running out of memory on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=196131

        Unreviewed. Skip test if memory is limited.

        * microbenchmarks/put-by-val-direct-large-index.js:

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
        https://bugs.webkit.org/show_bug.cgi?id=196116
        <rdar://problem/48976951>

        Reviewed by Filip Pizlo.

        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.

2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>

        JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
        https://bugs.webkit.org/show_bug.cgi?id=196078
        <rdar://problem/35925380>

        Reviewed by Mark Lam.

        Add a new benchmark that allocates several objects and invokes put_by_val_direct
        with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".

        * microbenchmarks/put-by-val-direct-large-index.js: Added.

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in operationArrayIndexOfString().
        https://bugs.webkit.org/show_bug.cgi?id=196067
        <rdar://problem/49056572>

        Reviewed by Michael Saboff.

        * stress/string-equal-exception-check.js: Added.

2019-03-21  Mark Lam  <mark.lam@apple.com>

        Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
        https://bugs.webkit.org/show_bug.cgi?id=196055
        <rdar://problem/49067448>

        Reviewed by Yusuke Suzuki.

        * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.

2019-03-20  Saam Barati  <sbarati@apple.com>

        typeOfDoubleSum is wrong for when NaN can be produced
        https://bugs.webkit.org/show_bug.cgi?id=196030

        Reviewed by Filip Pizlo.

        * stress/double-add-sub-mul-can-produce-nan.js: Added.
        (assert):
        (noInline.sub):
        (noInline):
        (assert.mul):
        (assert.add):

2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>

        Update the test to ensure OutOfMemoryError is thrown as intended
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Rubber stamped by Saam Barati.

        * stress/create-error-out-of-memory-rope-string.js:
        (assert):
        (catch):

2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>

        JSC::createError needs to check for OOM in errorDescriptionForValue
        https://bugs.webkit.org/show_bug.cgi?id=196032
        <rdar://problem/46842740>

        Reviewed by Mark Lam.

        * stress/create-error-out-of-memory-rope-string.js: Added.

2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce # of iterations to avoid timing out after r242991
        https://bugs.webkit.org/show_bug.cgi?id=195791

        To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=195950

        Unreviewed, reducing the amount of memory used on this test to avoid
        OOM on devices with memory restrictions.

        * microbenchmarks/generate-multiple-llint-entrypoints.js:

2019-03-19  Caio Lima  <ticaiolima@gmail.com>

        [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
        https://bugs.webkit.org/show_bug.cgi?id=194648

        Reviewed by Keith Miller.

        * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Missing a ThrowScope release in JSObject::toString().
        https://bugs.webkit.org/show_bug.cgi?id=195893
        <rdar://problem/48970986>

        Reviewed by Michael Saboff.

        * stress/to-string-exception-check-release.js: Added.

2019-03-18  Mark Lam  <mark.lam@apple.com>

        Structure::flattenDictionary() should clear unused property slots.
        https://bugs.webkit.org/show_bug.cgi?id=195871
        <rdar://problem/48959497>

        Reviewed by Michael Saboff.

        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

2019-03-15  Mark Lam  <mark.lam@apple.com>

        Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=195827
        <rdar://problem/48845513>

        Reviewed by Filip Pizlo.

        * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.

2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM,MIPS] Skip slow tests
        https://bugs.webkit.org/show_bug.cgi?id=195799

        Unreviewed, test does not finish on ARM and MIPS within the
        timeout limit.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:

2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
        https://bugs.webkit.org/show_bug.cgi?id=195791
        <rdar://problem/48806130>

        Reviewed by Mark Lam.

        * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
        (foo):

2019-03-14  Saam barati  <sbarati@apple.com>

        We can't remove code after ForceOSRExit until after FixupPhase
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
        (foo):
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
        (foo):

2019-03-13  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
        https://bugs.webkit.org/show_bug.cgi?id=195735

        Reviewed by Mark Lam.

        New regression test.

        * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
        (foo):
        (bar):

2019-03-14  Saam barati  <sbarati@apple.com>

        Fixup uses KnownInt32 incorrectly in some nodes
        https://bugs.webkit.org/show_bug.cgi?id=195279
        <rdar://problem/47915654>

        Reviewed by Yusuke Suzuki.

        * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
        (foo):

2019-03-14  Keith Miller  <keith_miller@apple.com>

        DFG liveness can't skip tail caller inline frames
        https://bugs.webkit.org/show_bug.cgi?id=195715

        Reviewed by Saam Barati.

        * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
        (i.foo):

2019-03-13  Mark Lam  <mark.lam@apple.com>

        Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
        https://bugs.webkit.org/show_bug.cgi?id=195415

        Not reviewed.

        Changed these tests to only run the default configuration.
        The ftl-no-cjit-validate-sampling-profiler variant was timing out.
        There's no strong need to run this test on that variant.

        * stress/dfg-to-string-on-int-does-gc.js:
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:

2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>

        String overflow when using StringBuilder in JSC::createError
        https://bugs.webkit.org/show_bug.cgi?id=194957

        Reviewed by Mark Lam.

        Add test string-overflow-createError-bulder.js that overflows
        StringBuilder in notAFunctionSourceAppender. The second new test
        string-overflow-createError-fit.js has an error message that doesn't
        overflow, it still failed since the String's capacity can't be doubled.
        Run test string-overflow-createError.js only in the default
        configuration to reduce memory consumption when running the test
        in all configurations on multiple CPUs in parallel.

        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
        (catch):
        * stress/string-overflow-createError.js:

2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry should respect abstract values in addition to flush formats
        https://bugs.webkit.org/show_bug.cgi?id=195653

        Reviewed by Mark Lam.

        * stress/osr-entry-locals-none.js: Added.

2019-03-12  Michael Saboff  <msaboff@apple.com>

        REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
        https://bugs.webkit.org/show_bug.cgi?id=195613

        Reviewed by Mark Lam.

        New regression test.

        * stress/regexp-backref-inbounds.js: Added.
        (testRegExp):

2019-03-12  Mark Lam  <mark.lam@apple.com>

        The HasIndexedProperty node does GC.
        https://bugs.webkit.org/show_bug.cgi?id=195559
        <rdar://problem/48767923>

        Reviewed by Yusuke Suzuki.

        * stress/HasIndexedProperty-does-gc.js: Added.

2019-03-11  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement "~" unary operation
        https://bugs.webkit.org/show_bug.cgi?id=182216

        Reviewed by Keith Miller.

        * stress/big-int-bit-not-general.js: Added.
        * stress/big-int-bitwise-not-jit.js: Added.
        * stress/big-int-bitwise-not-wrapped-value.js: Added.
        * stress/bit-op-with-object-returning-int32.js:
        * stress/bitwise-not-fixup-rules.js: Added.
        * stress/value-bit-not-ai-rule.js: Added.

2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>

        Invalid flags in a RegExp literal should be an early SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=195514

        Reviewed by Darin Adler.

        * test262/expectations.yaml:
        Mark 4 test cases as passing.

        * stress/regexp-syntax-error-invalid-flags.js:
        * stress/regress-161995.js: Removed.
        Update existing test, merging in an older test for the same behavior.

2019-03-08  Mark Lam  <mark.lam@apple.com>

        Stack overflow crash in JSC::JSObject::hasInstance.
        https://bugs.webkit.org/show_bug.cgi?id=195458
        <rdar://problem/48710195>

        Reviewed by Yusuke Suzuki.

        * stress/stack-overflow-in-custom-hasInstance.js: Added.

2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>

        op_check_tdz does not def its argument
        https://bugs.webkit.org/show_bug.cgi?id=192880
        <rdar://problem/46221598>

        Reviewed by Saam Barati.

        * microbenchmarks/let-for-in.js: Added.
        (foo):

2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=195429

        Reviewed by Saam Barati.

        * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
        (foo):
        * stress/string-from-char-code-255.js: Added.

2019-03-06  Mark Lam  <mark.lam@apple.com>

        Fix incorrect handling of try-finally completion values.
        https://bugs.webkit.org/show_bug.cgi?id=195131
        <rdar://problem/46222079>

        Reviewed by Saam Barati and Yusuke Suzuki.

        Added many permutations of new test case to test-finally.js.  test-finally.js has
        been run on Chrome and Firefox as a sanity check, and we confirmed that all the
        tests passes there as well.

        * stress/test-finally.js:

2019-03-06  Saam Barati  <sbarati@apple.com>

        Air::reportUsedRegisters must padInterference
        https://bugs.webkit.org/show_bug.cgi?id=195303
        <rdar://problem/48270343>

        Reviewed by Keith Miller.

        * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.

2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI should not propagate AbstractValue relying on constant folding phase
        https://bugs.webkit.org/show_bug.cgi?id=195375

        Reviewed by Saam Barati.

        * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
        (let.array):

2019-03-05  Saam barati  <sbarati@apple.com>

        op_switch_char broken for rope strings after JSRopeString layout rewrite
        https://bugs.webkit.org/show_bug.cgi?id=195339
        <rdar://problem/48592545>

        Reviewed by Yusuke Suzuki.

        * stress/switch-on-char-llint-rope.js: Added.

2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Store bits for JSRopeString in 3 stores
        https://bugs.webkit.org/show_bug.cgi?id=195234

        Reviewed by Saam Barati.

        * stress/null-rope-and-collectors.js: Added.

2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195207

        Unreviewed. After test runtime was reduced in r242213, test can be
        run again on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] sizeof(JSString) should be 16
        https://bugs.webkit.org/show_bug.cgi?id=194375

        Reviewed by Saam Barati.

        * microbenchmarks/make-rope.js: Added.
        (makeRope):
        * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
        (returnRope.helper): Deleted.
        (returnRope): Deleted.

2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
        https://bugs.webkit.org/show_bug.cgi?id=195144

        1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
        Change the number from 1e8 to 1e5.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
        (foo):

2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>

        Test times out on ARM/MIPS
        https://bugs.webkit.org/show_bug.cgi?id=195168

        Unreviewed. Skip test on ARM/MIPS.

        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:

2019-02-27  Mark Lam  <mark.lam@apple.com>

        The parser is failing to record the token location of new in new.target.
        https://bugs.webkit.org/show_bug.cgi?id=195127
        <rdar://problem/39645578>

        Reviewed by Yusuke Suzuki.

        * stress/parser-should-record-token-location-of-new-dot-target.js: Added.

2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
        https://bugs.webkit.org/show_bug.cgi?id=195144
        <rdar://problem/47595961>

        Reviewed by Mark Lam.

        * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
        (bar):
        (foo):
        * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
        (bar):
        (foo):

2019-02-27  Robin Morisset  <rmorisset@apple.com>

        DFG: Loop-invariant code motion (LICM) should not hoist dead code
        https://bugs.webkit.org/show_bug.cgi?id=194945
        <rdar://problem/48311657>

        Reviewed by Mark Lam.

        * stress/licm-dead-code.js: Added.

2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
        https://bugs.webkit.org/show_bug.cgi?id=194677
        <rdar://problem/48112492>

        Reviewed by Mark Lam.

        Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
        This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
        it immediately fails due the large size.

        After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
        8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
        time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
        OOM error anyway because JSON.stringify's builder overflows with such a large string input.

        This patch changes the test to produce 16bit string from String.fromCharCode.

        * stress/regress-178386.js:

2019-02-26  Mark Lam  <mark.lam@apple.com>

        wasmToJS() should purify incoming NaNs.
        https://bugs.webkit.org/show_bug.cgi?id=194807
        <rdar://problem/48189132>

        Reviewed by Saam Barati.

        * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.

2019-02-26  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Repeat string created from Array.prototype.join() take too much memory
        https://bugs.webkit.org/show_bug.cgi?id=193912

        Reviewed by Saam Barati.

        Added a test and a microbenchmark for corner cases of
        Array.prototype.join() with an uninitialized array.

        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
        * stress/array-prototype-join-uninitialized.js: Added.
        (testArray):
        (testABC):
        (B):
        (C):

2019-02-22  Robin Morisset  <rmorisset@apple.com>

        DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
        https://bugs.webkit.org/show_bug.cgi?id=194953
        <rdar://problem/47595253>

        Reviewed by Saam Barati.

        I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.

        * stress/has-indexed-property-with-worsening-array-mode.js: Added.

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-19  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r241784.

        Broke all OpenSource builds.

        Reverted changeset:

        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
        instances view"
        https://bugs.webkit.org/show_bug.cgi?id=172848
        https://trac.webkit.org/changeset/241784

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * typeProfiler/inheritance.js:
        Rewrite the test slightly for clarity. The hoisting was confusing.

        * heapProfiler/class-names.js: Added.
        (MyES5Class):
        (MyES6Class):
        (MyES6Subclass):
        Test object types and improved class names.

        * heapProfiler/driver/driver.js:
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshot):
        (createCheapHeapSnapshot):
        (HeapSnapshot):
        (createHeapSnapshot):
        Update snapshot parsing from version 1 to version 2.

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        Do not skip test since crash with sampling profiler is now fixed.

        * stress/sampling-profiler-richards.js:

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
        (getProperties):
        (getRandomProperty):
        (i.catch):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test gardening: Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194771

        Unreviewed. Do not run test without LLInt, test is running out of executable
        memory on ARM otherwise.

        * stress/tagged-template-object-collect.js:

2019-02-18  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip the test on platforms without sampling profiler

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.test):
        (platformSupportsSamplingProfiler):
        (foo): Deleted.
        (test): Deleted.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        New regression test.

        * stress/regexp-unicode-within-string.js: Added.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
        * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
        * stress/type-profiler-with-double-quote-in-field-name.js: Added.
        * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.

2019-02-15  Robin Morisset  <rmorisset@apple.com>
        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * stress/regexp-replace-double-watchpoint.js: Added.
        (foo):

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        * stress/tail-call-many-arguments.js: Added.
        (foo):
        (bar):

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] String.fromCharCode's slow path always generates 16bit string
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Reviewed by Keith Miller.

        * stress/string-from-char-code-slow-path.js: Added.
        (shouldBe):
        (testWithLength):

2019-02-08  Saam barati  <sbarati@apple.com>

        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
        https://bugs.webkit.org/show_bug.cgi?id=194334
        <rdar://problem/47844327>

        Reviewed by Mark Lam.

        * stress/check-in-bounds-should-be-a-child-use.js: Added.
        (func):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
        https://bugs.webkit.org/show_bug.cgi?id=194369
        <rdar://problem/47813087>

        Reviewed by Saam Barati.

        * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
        (A):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PrivateName to PublicName hash table is wasteful
        https://bugs.webkit.org/show_bug.cgi?id=194277

        Reviewed by Michael Saboff.

        This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.

        * ChakraCore.yaml:

2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Test running out of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=194285

        Unreviewed. Do no execute test with LLInt disabled, test runs out of
        executable memory otherwise.

        * stress/class-subclassing-function.js:

2019-02-04  Robin Morisset  <rmorisset@apple.com>

        when lowering AssertNotEmpty, create the value before creating the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=194231

        Reviewed by Saam Barati.

        This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
        The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
        So even tiny changes to this test can change the path code taken.

        * stress/assert-not-empty.js: Added.
        (foo):

2019-02-01  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in DFG's compileDoubleRep().
        https://bugs.webkit.org/show_bug.cgi?id=194130
        <rdar://problem/47699474>

        Reviewed by Saam Barati.

        * stress/constant-fold-double-rep-into-double-constant.js: Added.

2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>

        Import latest Test262 updates.

        Rubber-stamped by Keith Miller.

        * test262.yaml: Deleted.
        * test262/config.yaml:
        * test262/expectations.yaml:
        * test262/latest-changes-summary.txt:
        * test262/test/:
        * test262/test262-Revision.txt:

2019-01-30  Robin Morisset  <rmorisset@apple.com>

        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
        https://bugs.webkit.org/show_bug.cgi?id=194050
        <rdar://problem/47595592>

        Reviewed by Yusuke Suzuki.

        * stress/object-keys-osr-exit.js: Added.
        (foo):
        (catch):

2019-01-29  Mark Lam  <mark.lam@apple.com>

        ValueRecovery::recover() should purify NaN values it recovers.
        https://bugs.webkit.org/show_bug.cgi?id=193978
        <rdar://problem/47625488>

        Reviewed by Saam Barati.

        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
        https://bugs.webkit.org/show_bug.cgi?id=193713

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-to-string-on-int-does-gc.js: Added.
        * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
        * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        Remove @Error use.

        * stress/try-get-by-id-should-spill-registers-dfg.js:
        (let.f.createBuiltin):

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
        https://bugs.webkit.org/show_bug.cgi?id=190693

        Reviewed by Michael Saboff.

        * stress/regress-190693.js: Added.
        (truth):
        (assert):
        (shouldThrowInvalidConstAssignment):
        (taz):

2019-01-24  Saam Barati  <sbarati@apple.com>

        Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=193751
        <rdar://problem/47280215>

        Reviewed by Michael Saboff.

        * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
        (let.thing):
        (foo.let.hello):
        (foo):

2019-01-24  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Reenable baseline JIT on mips
        https://bugs.webkit.org/show_bug.cgi?id=192983

        Reviewed by Mark Lam.

        Added a new test for a case that was triggering a RELEASE_ASSERT when
        testing.
        Disable some slow tests that were already disabled for arm and x86.

        * stress/json-parse-big-object.js: Added.
        * stress/new-largeish-contiguous-array-with-size.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/sampling-profiler-richards.js:
        * stress/spread-forward-call-varargs-stack-overflow.js:

2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
        https://bugs.webkit.org/show_bug.cgi?id=193711
        <rdar://problem/47250262>

        Reviewed by Saam Barati.

        * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
        (shouldBe):
        (foo):
        (bar):
        (baz):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix initial global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
        (f1.f2.f3.f4):
        (f1.f2.f3):
        (f1.f2):
        (f1):

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r239612) Crash at runtime due to broken DFG assumption
        https://bugs.webkit.org/show_bug.cgi?id=193709
        <rdar://problem/47363838>

        Unreviewed, rollout to watch the tests.

        * stress/object-tostring-changed-proto.js: Removed.
        * stress/object-tostring-changed.js: Removed.
        * stress/object-tostring-misc.js: Removed.
        * stress/object-tostring-other.js: Removed.
        * stress/object-tostring-untyped.js: Removed.

2019-01-22  Saam Barati  <sbarati@apple.com>

        Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
        (testUncheckedLessThanZero):
        (testUncheckedLessThanOrEqualZero):
        * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.

2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, roll out r240220 due to date-format-xparb regression
        https://bugs.webkit.org/show_bug.cgi?id=193603

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
        * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.

2019-01-21  Caio Lima  <ticaiolima@gmail.com>

        DoesGC rule is wrong for nodes with BigIntUse
        https://bugs.webkit.org/show_bug.cgi?id=193652

        Reviewed by Saam Barati.

        * stress/big-int-value-op-update-gc-rules.js: Added.
        (assert):
        (doesGCAdd):
        (doesGCSub):
        (doesGCDiv):
        (doesGCMul):
        (doesGCBitAnd):
        (doesGCBitOr):
        (doesGCBitXor):

2019-01-20  Saam Barati  <sbarati@apple.com>

        DFG: When inlining DataView set* intrinsics we need to set undefined as our result
        https://bugs.webkit.org/show_bug.cgi?id=193644
        <rdar://problem/46209745>

        Reviewed by Yusuke Suzuki.

        * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
        (foo):
        * stress/data-view-set-intrinsic-undefined-result.js: Added.
        (foo):
        (bar):

2019-01-20  Saam Barati  <sbarati@apple.com>

        MovHint must merge NodeBytecodeUsesAsValue for its child
        https://bugs.webkit.org/show_bug.cgi?id=186916
        <rdar://problem/41396612>

        Reviewed by Yusuke Suzuki.

        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.

2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Invalidate old scope operations using global lexical binding epoch
        https://bugs.webkit.org/show_bug.cgi?id=193603
        <rdar://problem/47380869>

        Reviewed by Saam Barati.

        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
        * stress/scope-operation-cache-global-property-before-deleting.js: Added.
        (shouldThrow):
        (bar):
        * stress/scope-operation-cache-global-property-bump-counter.js: Added.
        (shouldBe):
        (get1):
        (get2):
        (get1If):
        (get2If):
        * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
        (shouldThrow):
        (foo):

2019-01-17  Saam barati  <sbarati@apple.com>

        StringObjectUse should not be a structure check for the original string object structure
        https://bugs.webkit.org/show_bug.cgi?id=193483
        <rdar://problem/47280522>

        Reviewed by Yusuke Suzuki.

        * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
        (foo):
        (a.valueOf.0):

2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] ToThis omission in DFGByteCodeParser is wrong
        https://bugs.webkit.org/show_bug.cgi?id=193513
        <rdar://problem/45842236>

        Reviewed by Saam Barati.

        * stress/to-this-omission-with-different-strict-modes.js: Added.
        (thisA):
        (thisAStrictWrapper):

2019-01-15  Mark Lam  <mark.lam@apple.com>

        JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
        https://bugs.webkit.org/show_bug.cgi?id=193423
        <rdar://problem/46209355>

        Reviewed by Saam Barati.

        * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
        * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
        * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.

2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
        https://bugs.webkit.org/show_bug.cgi?id=193438
        <rdar://problem/45581249>

        Reviewed by Saam Barati and Keith Miller.

        Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run.
        Then, GetByVal(String) crashed.

        * stress/string-get-by-val-lowering.js: Added.
        (shouldBe):
        (test):
        * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
        (Hello):
        (foo):

2019-01-15  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip JIT tests if it's not enabled

        * stress/bit-op-with-object-returning-int32.js:

2019-01-15  Caio Lima  <ticaiolima@gmail.com>

        DFGByteCodeParser rules for bitwise operations should consider type of their operands
        https://bugs.webkit.org/show_bug.cgi?id=192966

        Reviewed by Yusuke Suzuki.

        * stress/bit-op-with-object-returning-int32.js: Added.

2019-01-15  Guillaume Emont  <guijemont@igalia.com>

        Skip a slow test and a flakey test on arm

        Unreviewed gardening.

        * typeProfiler/getter-richards.js:
        this test always times out, it used to be always skipped on arm and
        mips, but got accidentally enabled by r237919 now that we have DFG on
        arm. Also skipping on mips as we plan to soon enable DFG for it too.

2019-01-14  Keith Miller  <keith_miller@apple.com>

        Skip type-check-hoisting-phase-hoist... with no jit
        https://bugs.webkit.org/show_bug.cgi?id=193421

        Reviewed by Mark Lam.

        It's timing out the 32-bit bots and takes 330 seconds
        on my machine when run by itself.

        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] AI should check the given constant's array type when folding GetByVal into constant
        https://bugs.webkit.org/show_bug.cgi?id=193413
        <rdar://problem/46092389>

        Reviewed by Keith Miller.

        This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
        It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and
        without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
        but GetByVal does not have appropriate ArrayModes, JSC crashes.

        * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
        (compareArray):

2019-01-14  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Literal parsing is crashing when used inside a Object Literal
        https://bugs.webkit.org/show_bug.cgi?id=193404

        Reviewed by Yusuke Suzuki.

        * stress/big-int-literal-inside-literal-object.js: Added.

2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
        https://bugs.webkit.org/show_bug.cgi?id=193372

        Reviewed by Saam Barati.

        * stress/typed-array-array-modes-profile.js: Added.
        (foo):

2019-01-14  Mark Lam  <mark.lam@apple.com>

        Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
        https://bugs.webkit.org/show_bug.cgi?id=193402
        <rdar://problem/46012309>

        Reviewed by Keith Miller.

        * stress/regexp-compile-oom.js:
        - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
          is enabled.  As a result, it will fail on cloop builds though there is no bug.

2019-01-11  Saam barati  <sbarati@apple.com>

        DFG combined liveness can be wrong for terminal basic blocks
        https://bugs.webkit.org/show_bug.cgi?id=193304
        <rdar://problem/45268632>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.

2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
        https://bugs.webkit.org/show_bug.cgi?id=193308
        <rdar://problem/45546542>

        Reviewed by Saam Barati.

        * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
        (shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        (get return):
        * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        (get shouldBe):
        (get shouldThrow):
        * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):
        * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
        (shouldThrow):
        (shouldBe):
        (foo):

2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239825.
        https://bugs.webkit.org/show_bug.cgi?id=193330

        Broke tests on armv7/linux bots (Requested by guijemont on
        #webkit).

        Reverted changeset:

        "Enable DFG on ARM/Linux again"
        https://bugs.webkit.org/show_bug.cgi?id=192496
        https://trac.webkit.org/changeset/239825

2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable DFG on ARM/Linux again
        https://bugs.webkit.org/show_bug.cgi?id=192496

        Reviewed by Yusuke Suzuki.

        Test wasn't really skipped before moving the line with skip
        to the top.

        * stress/regress-192717.js:

2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=193127

        Reviewed by Saam Barati.

        * stress/array-species-create-should-handle-masquerader.js: Added.
        (shouldThrow):
        * stress/is-undefined-or-null-builtin.js: Added.
        (shouldBe):
        (isUndefinedOrNull.vm.createBuiltin):

2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>

        LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
        https://bugs.webkit.org/show_bug.cgi?id=193221

        Reviewed by Mark Lam.

        * stress/put-by-id-flags.js: Added.
        (f):
        (g):
        (numberOfDFGCompiles):

2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>

        Baseline version of get_by_id may corrupt metadata
        https://bugs.webkit.org/show_bug.cgi?id=193085
        <rdar://problem/23453006>

        Reviewed by Saam Barati.

        * stress/get-by-id-change-mode.js: Added.
        (forEach):

2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.prototype.toString
        https://bugs.webkit.org/show_bug.cgi?id=193031

        Reviewed by Saam Barati.

        * stress/object-tostring-changed-proto.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-misc.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/object-tostring-other.js: Added.
        (shouldBe):
        (test):
        * stress/object-tostring-untyped.js: Added.
        (shouldBe):
        (test):
        (i.switch):

2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>

        test262-runner misbehaves when test file YAML has a trailing space
        https://bugs.webkit.org/show_bug.cgi?id=193053

        Reviewed by Yusuke Suzuki.

        * test262/expectations.yaml:
        Mark two dozen tests as passing (and correct the output of another).

2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, JSTests gardening with memoryLimited

        * stress/string-overflow-createError.js:

2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
        https://bugs.webkit.org/show_bug.cgi?id=193050

        Reviewed by Yusuke Suzuki.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 16 tests as passing.

2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Support BigInt in JSON.stringify
        https://bugs.webkit.org/show_bug.cgi?id=192624

        Reviewed by Saam Barati.

        * stress/big-int-json-stringify-to-json.js: Added.
        (shouldBe):
        (shouldThrow):
        (BigInt.prototype.toJSON):
        (shouldBe.JSON.stringify):
        * stress/big-int-json-stringify.js: Added.
        (shouldBe):
        (shouldThrow):

2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Implement "well-formed JSON.stringify" proposal
        https://bugs.webkit.org/show_bug.cgi?id=191677

        Reviewed by Darin Adler.

        * stress/json-surrogate-pair.js: Added.
        (shouldBe):
        * test262/expectations.yaml:

2018-12-20  Keith Miller  <keith_miller@apple.com>

        Add support for globalThis
        https://bugs.webkit.org/show_bug.cgi?id=165171

        Reviewed by Mark Lam.

        * test262/config.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 configuration to not run tests dependent on ICU version.
        https://bugs.webkit.org/show_bug.cgi?id=192920

        Reviewed by Saam Barati.

        * test262/expectations.yaml:

2018-12-20  Mark Lam  <mark.lam@apple.com>

        Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
        https://bugs.webkit.org/show_bug.cgi?id=192939
        <rdar://problem/46869516>

        Reviewed by Keith Miller.

        * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.

2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>

        WTF::String and StringImpl overflow MaxLength
        https://bugs.webkit.org/show_bug.cgi?id=192853
        <rdar://problem/45726906>

        Reviewed by Mark Lam.

        * stress/string-16bit-repeat-overflow.js: Added.
        (catch):

2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed follow-up to r192914.

        * test262/expectations.yaml:
        Add the last 20 missing expectations.

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Fix test262 expectations
        https://bugs.webkit.org/show_bug.cgi?id=192914

        Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.

        * test262/expectations.yaml:

2018-12-19  Keith Miller  <keith_miller@apple.com>

        Update test262 tests.
        https://bugs.webkit.org/show_bug.cgi?id=192907

        Rubber stamped by Mark Lam.

        * test262/*: Omitted because prepare-changelog crashes.

2018-12-19  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
        https://bugs.webkit.org/show_bug.cgi?id=192464
        <rdar://problem/46519455>

        Reviewed by Saam Barati.

        This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
        microbenchmark.

        * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
        * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.

2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>

        String overflow in JSC::createError results in ASSERT in WTF::makeString
        https://bugs.webkit.org/show_bug.cgi?id=192833
        <rdar://problem/45706868>

        Reviewed by Mark Lam.

        * stress/string-overflow-createError.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Error message for `-x ** y` contains a typo.
        https://bugs.webkit.org/show_bug.cgi?id=192832

        Reviewed by Saam Barati.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * stress/pow-expects-update-expression-on-lhs.js:
        (throw.new.Error):
        Update test expectations which match against the exact error message.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Gardening: test options fix.
        https://bugs.webkit.org/show_bug.cgi?id=192822

        Unreviewed.

        * stress/json-stringify-string-builder-overflow.js:

2018-12-18  Mark Lam  <mark.lam@apple.com>

        JSON.stringify() should throw OOM on StringBuilder overflows.
        https://bugs.webkit.org/show_bug.cgi?id=192822
        <rdar://problem/46670577>

        Reviewed by Saam Barati.

        * stress/json-stringify-string-builder-overflow.js: Added.

2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>

        Redeclaration of var over let/const/class should be a syntax error.
        https://bugs.webkit.org/show_bug.cgi?id=192298

        Reviewed by Keith Miller.

        * test262.yaml:
        * test262/expectations.yaml:
        Mark 46 tests as passing.

        * stress/block-scope-redeclarations.js:
        Add some new tests.

        * stress/for-in-invalidate-context-weird-assignments.js:
        * stress/for-in-tests.js:
        Replace tests for outdated behavior with tests for SyntaxError.

        * ChakraCore/test/LetConst/defer3.baseline-jsc:
        * ChakraCore/test/LetConst/letvar.baseline-jsc:
        Update expectations.

2018-12-18  Mark Lam  <mark.lam@apple.com>

        Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191374
        <rdar://problem/46525447>

        Reviewed by Yusuke Suzuki.

        This test runs too slow on 32-bit, and is not relevant for non-JIT builds.

        * stress/elidable-new-object-roflcopter-then-exit.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=192019
        <rdar://problem/46525456>

        Reviewed by Yusuke Suzuki.

        The test runs too slow on 32-bit.

        * stress/materialized-regexp-has-correct-last-index-set-by-match.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
        https://bugs.webkit.org/show_bug.cgi?id=191373
        <rdar://problem/46525458>

        Reviewed by Yusuke Suzuki.

        The test is already slow running with a JIT on 64-bit.  It will always timeout
        on 32-bit without a JIT.

        * stress/materialize-regexp-cyclic-regexp.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Array unshift/shift should not race against the AI in the compiler thread.
        https://bugs.webkit.org/show_bug.cgi?id=192795
        <rdar://problem/46724263>

        Reviewed by Saam Barati.

        * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.

2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Saam Barati.

        * stress/object-keys-cached-zero.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-attribute.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-index.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-indexed-non-cache.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-overrides-get-property-names.js: Added.
        (shouldBe):
        (test):
        (noInline):

2018-12-17  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
        https://bugs.webkit.org/show_bug.cgi?id=192779
        <rdar://problem/46775869>

        Reviewed by Saam Barati.

        * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.

2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed test gardening, address a syntax error in a new test.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
        https://bugs.webkit.org/show_bug.cgi?id=192776
        <rdar://problem/46772368>

        Reviewed by Keith Miller.

        * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.

2018-12-17  Mark Lam  <mark.lam@apple.com>

        Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
        https://bugs.webkit.org/show_bug.cgi?id=192770
        <rdar://problem/46449037>

        Reviewed by Keith Miller.

        * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.

2018-12-14  Mark Lam  <mark.lam@apple.com>

        CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
        https://bugs.webkit.org/show_bug.cgi?id=192717
        <rdar://problem/46660677>

        Reviewed by Saam Barati.

        * stress/regress-192717.js: Added.

2018-12-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r239153, r239154, and r239155.
        https://bugs.webkit.org/show_bug.cgi?id=192715

        Caused flaky GC-related crashes seen with layout tests
        (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "[JSC] Optimize Object.keys by caching own keys results in
        StructureRareData"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239153

        "Unreviewed, build fix after r239153"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239154

        "Unreviewed, build fix after r239153, part 2"
        https://bugs.webkit.org/show_bug.cgi?id=190047
        https://trac.webkit.org/changeset/239155

2018-12-14  Keith Miller  <keith_miller@apple.com>

        Callers of JSString::getIndex should check for OOM exceptions
        https://bugs.webkit.org/show_bug.cgi?id=192709

        Reviewed by Mark Lam.

        * stress/StringObject-define-length-getter-rope-string-oom.js: Added.

2018-12-13  Mark Lam  <mark.lam@apple.com>

        Add a missing exception check.
        https://bugs.webkit.org/show_bug.cgi?id=192626
        <rdar://problem/46662163>

        Reviewed by Keith Miller.

        * stress/regress-192626.js: Added.

2018-12-13  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueDiv into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186178

        Reviewed by Yusuke Suzuki.

        * stress/big-int-div-jit-osr.js: Added.
        * stress/big-int-div-jit-untyped.js: Added.
        * stress/value-div-fixup-int32-big-int.js: Added.

2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Object.keys by caching own keys results in StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=190047

        Reviewed by Keith Miller.

        * stress/object-keys-cached-zero.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-attribute.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed-index.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-changed.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-indexed-non-cache.js: Added.
        (shouldBe):
        (test):
        * stress/object-keys-overrides-get-property-names.js: Added.
        (shouldBe):
        (test):
        (noInline):

2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [DFG][FTL] Add NewSymbol
        https://bugs.webkit.org/show_bug.cgi?id=192620

        Reviewed by Saam Barati.

        * microbenchmarks/symbol-creation.js: Added.
        (test):
        * stress/symbol-description-identity.js: Added.
        (shouldBe):
        (test):
        * stress/symbol-identity.js: Added.
        (shouldBe):
        (test):
        * stress/symbol-with-description-throw-error.js: Added.
        (shouldBe):
        (shouldThrow):
        (test):
        (object.toString):

2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [BigInt] Implement DFG/FTL typeof for BigInt
        https://bugs.webkit.org/show_bug.cgi?id=192619

        Reviewed by Keith Miller.

        * stress/big-int-boolean-proven-type.js: Added.
        (assert):
        (bool):
        * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
        (assert):
        (typeOf):
        (i.switch):
        * stress/big-int-type-of-proven-type-non-constant.js: Added.
        (assert):
        (typeOf):
        * stress/big-int-type-of.js:
        (typeOf):
        (func):

2018-12-10  Mark Lam  <mark.lam@apple.com>

        PropertyAttribute needs a CustomValue bit.
        https://bugs.webkit.org/show_bug.cgi?id=191993
        <rdar://problem/46264467>

        Reviewed by Saam Barati.

        * stress/regress-191993.js: Added.

2018-12-10  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueMul into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186175

        Reviewed by Yusuke Suzuki.

        * stress/big-int-mul-jit-osr.js: Added.
        * stress/big-int-mul-jit-untyped.js: Added.
        * stress/value-mul-fixup-int32-big-int.js: Added.

2018-12-06  Keith Miller  <keith_miller@apple.com>

        stress/big-wasm-memory tests failing on 32-bit JSC bot
        https://bugs.webkit.org/show_bug.cgi?id=192020

        Reviewed by Saam Barati.

        Not every platform has WebAssembly, e.g. 32-bit, so we should exit
        the wasm stress tests if the WebAssembly object does not exist.

        * stress/big-wasm-memory-grow-no-max.js:
        (test.foo):
        (test):
        (foo): Deleted.
        (catch): Deleted.
        * stress/big-wasm-memory-grow.js:
        (test.foo):
        (test):
        (foo): Deleted.
        (catch): Deleted.
        * stress/big-wasm-memory.js:
        (test.foo):
        (test):
        (foo): Deleted.
        (catch): Deleted.

2018-12-05  Mark Lam  <mark.lam@apple.com>

        speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
        https://bugs.webkit.org/show_bug.cgi?id=192441
        <rdar://problem/46480355>

        Reviewed by Saam Barati.

        * stress/regress-192441.js: Added.

2018-12-04  Mark Lam  <mark.lam@apple.com>

        DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
        https://bugs.webkit.org/show_bug.cgi?id=192386
        <rdar://problem/46445516>

        Reviewed by Saam Barati.

        * stress/regress-192386.js: Added.

2018-12-04  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        * stress/big-int-branch-usage.js: Added.
        * stress/big-int-logical-and.js: Added.
        * stress/big-int-logical-not.js: Added.
        * stress/big-int-logical-or.js: Added.

2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238833.

        Breaks macOS and iOS debug builds.

        Reverted changeset:

        "[ESNext][BigInt] Support logic operations"
        https://bugs.webkit.org/show_bug.cgi?id=179903
        https://trac.webkit.org/changeset/238833

2018-12-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Support logic operations
        https://bugs.webkit.org/show_bug.cgi?id=179903

        Reviewed by Yusuke Suzuki.

        * stress/big-int-branch-usage.js: Added.
        * stress/big-int-logical-and.js: Added.
        * stress/big-int-logical-not.js: Added.
        * stress/big-int-logical-or.js: Added.

2018-12-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<<" and ">>"
        https://bugs.webkit.org/show_bug.cgi?id=186233

        Reviewed by Yusuke Suzuki.

        * stress/big-int-left-shift-general.js: Added.
        * stress/big-int-left-shift-range-error.js: Added.
        * stress/big-int-left-shift-type-error.js: Added.
        * stress/big-int-left-shift-wrapped-value.js: Added.
        * stress/big-int-right-shift-general.js: Added.
        * stress/big-int-right-shift-type-error.js: Added.
        * stress/big-int-right-shift-wrapped-value.js: Added.
        * stress/left-shift-to-primitive-precedence.js: Added.
        * stress/right-shift-to-primitive-precedence.js: Added.

2018-11-30  Dean Jackson  <dino@apple.com>

        Add first-class support for .mjs files in jsc binary
        https://bugs.webkit.org/show_bug.cgi?id=192190
        <rdar://problem/46375715>

        Reviewed by Keith Miller.

        * stress/simple-module.mjs: Added.
        * stress/simple-script.js: Added.

2018-11-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Implement ValueBitXor into DFG
        https://bugs.webkit.org/show_bug.cgi?id=190264

        Reviewed by Yusuke Suzuki.

        * stress/big-int-bitwise-xor-jit.js: Added.
        * stress/big-int-bitwise-xor-memory-stress.js: Added.
        * stress/big-int-bitwise-xor-untyped.js: Added.

2018-11-27  Saam barati  <sbarati@apple.com>

        r238510 broke scopes of size zero
        https://bugs.webkit.org/show_bug.cgi?id=192033
        <rdar://problem/46281734>

        Reviewed by Keith Miller.

        * stress/r238510-bad-loop.js: Added.
        (foo):

2018-11-27  Mark Lam  <mark.lam@apple.com>

        [Re-landing] NaNs read from Wasm code needs to be be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/regress/regress-191056.js: Added.

2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238509.

        Causes JSC tests to fail on iOS.

        Reverted changeset:

        "NaNs read from Wasm code needs to be be purified."
        https://bugs.webkit.org/show_bug.cgi?id=191056
        https://trac.webkit.org/changeset/238509

2018-11-26  Caio Lima  <ticaiolima@gmail.com>

        Re-introduce op_bitnot
        https://bugs.webkit.org/show_bug.cgi?id=190923

        Reviewed by Yusuke Suzuki.

        * stress/bit-not-must-generate.js: Added.
        * stress/bitwise-not-no-int32.js: Added.

2018-11-26  Saam barati  <sbarati@apple.com>

        InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
        https://bugs.webkit.org/show_bug.cgi?id=191956
        <rdar://problem/45665806>

        Reviewed by Yusuke Suzuki.

        * stress/end-basic-block-set-local-should-filter-type.js: Added.
        (bar):
        (foo):

2018-11-26  Saam barati  <sbarati@apple.com>

        Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
        https://bugs.webkit.org/show_bug.cgi?id=191958
        <rdar://problem/46221877>

        Reviewed by Yusuke Suzuki.

        * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
        (x):
        (foo):

2018-11-26  Mark Lam  <mark.lam@apple.com>

        NaNs read from Wasm code needs to be be purified.
        https://bugs.webkit.org/show_bug.cgi?id=191056
        <rdar://problem/45660341>

        Reviewed by Filip Pizlo.

        * wasm/regress/regress-191056.js: Added.

2018-11-26  Michael Saboff  <msaboff@apple.com>

        32-bit JSC test failure: stress/regexp-compile-oom.js
        https://bugs.webkit.org/show_bug.cgi?id=191375

        Reviewed by Mark Lam.

        Disabled the test for 32 bit platforms.

        * stress/regexp-compile-oom.js:

2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>

        ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
        https://bugs.webkit.org/show_bug.cgi?id=191716
        <rdar://problem/45723878>

        Reviewed by Saam Barati.

        * stress/regress-187373.js: Added.
        (async.fn):

2018-11-21  Saam barati  <sbarati@apple.com>

        DFGSpeculativeJIT should not &= exitOK with mayExit(node)
        https://bugs.webkit.org/show_bug.cgi?id=191897
        <rdar://problem/45871998>

        Reviewed by Mark Lam.

        * stress/exitok-is-not-the-same-as-mayExit.js: Added.
        (bar):
        (foo):

2018-11-21  Saam barati  <sbarati@apple.com>

        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
        https://bugs.webkit.org/show_bug.cgi?id=191895
        <rdar://problem/46167406>

        Reviewed by Mark Lam.

        * stress/known-cell-use-needs-type-check-assertion.js: Added.
        (foo):
        (bar):

2018-11-21  Mark Lam  <mark.lam@apple.com>

        Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
        https://bugs.webkit.org/show_bug.cgi?id=191776
        <rdar://problem/46152851>

        Reviewed by Saam Barati.

        * stress/big-wasm-memory-grow-no-max.js:
        * stress/big-wasm-memory-grow.js:
        * stress/big-wasm-memory.js:
        - updated these to expect an OutOfMemoryError.

        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
        (Binary.prototype.emit_u8):
        (Binary.prototype.emit_u32v):
        (Binary.prototype.emit_header):
        (Binary.prototype.emit_section):
        (Binary):
        (WasmModuleBuilder):
        (WasmModuleBuilder.prototype.addMemory):
        (WasmModuleBuilder.prototype.toArray):
        (WasmModuleBuilder.prototype.toBuffer):
        (WasmModuleBuilder.prototype.instantiate):
        (catch):
        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
        (catch):

2018-11-21  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
        https://bugs.webkit.org/show_bug.cgi?id=190836

        Reviewed by Saam Barati and Yusuke Suzuki.

        * stress/big-int-out-of-memory-tests.js: Added.

2018-11-20  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in VMTraps::SignalSender's SignalAction.
        https://bugs.webkit.org/show_bug.cgi?id=191856
        <rdar://problem/46089992>

        Reviewed by Yusuke Suzuki.

        * stress/regress-191856.js: Added.
        - this test is skipped for now until we have a fix for webkit.org/b/191855.

2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>

        Enable JIT on ARM/Linux
        https://bugs.webkit.org/show_bug.cgi?id=191548

        Reviewed by Yusuke Suzuki.

        Disable test on system with limited memory. Program was killed by
        the OS before the exception was thrown.

        * slowMicrobenchmarks/function-constructor-with-huge-strings.js:

2018-11-20  Saam barati  <sbarati@apple.com>

        Merging an IC variant may lead to the IC status containing overlapping structure sets
        https://bugs.webkit.org/show_bug.cgi?id=191869
        <rdar://problem/45403453>

        Reviewed by Mark Lam.

        * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.

2018-11-19  Mark Lam  <mark.lam@apple.com>

        globalFuncImportModule() should return a promise when it clears exceptions.
        https://bugs.webkit.org/show_bug.cgi?id=191792
        <rdar://problem/46090763>

        Reviewed by Michael Saboff.

        * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.

2018-11-19  Guillaume Emont  <guijemont@igalia.com>

        Skip new memory-hungry tests on memory limited devices

        Unreviewed gardening.

        * stress/big-wasm-memory-grow-no-max.js:
        * stress/big-wasm-memory-grow.js:
        * stress/big-wasm-memory.js:

2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, rolling in the rest of r237254
        https://bugs.webkit.org/show_bug.cgi?id=190340

        * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
        * stress/function-cache-with-parameters-end-position.js: Added.
        (shouldBe):
        (shouldThrow):
        (i.anonymous):
        * stress/function-constructor-name.js: Added.
        (shouldBe):
        (GeneratorFunction):
        (AsyncFunction.async):
        (AsyncGeneratorFunction.async):
        (anonymous):
        (async.anonymous):
        * test262/expectations.yaml:

2018-11-16  Filip Pizlo  <fpizlo@apple.com>

        All users of ArrayBuffer should agree on the same max size
        https://bugs.webkit.org/show_bug.cgi?id=191771

        Reviewed by Mark Lam.

        * stress/big-wasm-memory-grow-no-max.js: Added.
        (foo):
        (catch):
        * stress/big-wasm-memory-grow.js: Added.
        (foo):
        (catch):
        * stress/big-wasm-memory.js: Added.
        (foo):
        (catch):

2018-11-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make some more tests not crash my computer by only running on instance of it. These tests do not need to
        run for each JSC config since they're regression tests for runtime bugs.

        * stress/json-stringified-overflow-2.js:
        * stress/json-stringified-overflow.js:

2018-11-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make some tests not crash my computer by only running on instance of it. These tests do not need to run for each JSC
        config since they're regression tests for runtime bugs.

        * stress/large-unshift-splice.js:
        * stress/regress-185888.js:

2018-11-16  Saam Barati  <sbarati@apple.com>

        KnownCellUse should also have SpecCellCheck as its type filter
        https://bugs.webkit.org/show_bug.cgi?id=191729
        <rdar://problem/45872852>

        Reviewed by Filip Pizlo.

        * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
        (C):

2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>

        Fix assertion failure on BytecodeGenerator::recordOpcode
        https://bugs.webkit.org/show_bug.cgi?id=191724
        <rdar://problem/45724395>

        Reviewed by Saam Barati.

        * stress/regress-187373-2.js: Added.
        (foo):

2018-11-15  Mark Lam  <mark.lam@apple.com>

        RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
        https://bugs.webkit.org/show_bug.cgi?id=191730
        <rdar://problem/46048517>

        Reviewed by Saam Barati.

        * stress/regress-187006.js: Removed.
          - this test is invalid because its sole purpose is to test for the non-spec
            compliant behavior that we just fixed.

        * stress/regress-191730.js: Added.

2018-11-15  Mark Lam  <mark.lam@apple.com>

        RegExp operations should not take fast patch if lastIndex is not numeric.
        https://bugs.webkit.org/show_bug.cgi?id=191731
        <rdar://problem/46017305>

        Reviewed by Saam Barati.

        * stress/regress-191731.js: Added.

2018-11-13  Saam Barati  <sbarati@apple.com>

        TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
        https://bugs.webkit.org/show_bug.cgi?id=191600

        Reviewed by Mark Lam.

        * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
        (foo):
        (test):
        (bar):

2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r238132.

        The test added with this change is timing out on Debug JSC
        bots.

        Reverted changeset:

        "[BigInt] JSBigInt::createWithLength should throw when length
        is greater than JSBigInt::maxLength"
        https://bugs.webkit.org/show_bug.cgi?id=190836
        https://trac.webkit.org/changeset/238132

2018-11-13  Mark Lam  <mark.lam@apple.com>

        Add OOM detection to StringPrototype's substituteBackreferences().
        https://bugs.webkit.org/show_bug.cgi?id=191563
        <rdar://problem/45720428>

        Reviewed by Saam Barati.

        * stress/regress-191563.js: Added.

2018-11-13  Mark Lam  <mark.lam@apple.com>

        LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
        https://bugs.webkit.org/show_bug.cgi?id=191579
        <rdar://problem/45942472>

        Reviewed by Saam Barati.

        * stress/regress-191579.js: Added.

2018-11-13  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
        https://bugs.webkit.org/show_bug.cgi?id=190836

        Reviewed by Saam Barati.

        * stress/big-int-out-of-memory-tests.js: Added.

2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>

        U+180E is no longer a whitespace character
        https://bugs.webkit.org/show_bug.cgi?id=191415

        Reviewed by Saam Barati.

        * ChakraCore/test/es5/regexSpace.baseline:
        * ChakraCore/test/es6/unicode_whitespace.js:
        Update tests to latest version.
        (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)

        * test262.yaml:
        * test262/config.yaml:
        * test262/expectations.yaml:
        Update expectations.

2018-11-07  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add support to BigInt into ValueAdd
        https://bugs.webkit.org/show_bug.cgi?id=186177

        Reviewed by Keith Miller.

        * stress/big-int-negate-jit.js:
        * stress/value-add-big-int-and-string.js: Added.
        * stress/value-add-big-int-prediction-propagation.js: Added.
        * stress/value-add-big-int-untyped.js: Added.

2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
        https://bugs.webkit.org/show_bug.cgi?id=191184

        Reviewed by Saam Barati.

        Most tests were failing due to timeouts, since they are too slow to
        run on CLoop. The exceptions are:

        proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
        dont-crash-on-stack-overflow-when-parsing-builtin.js and
        dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
        to change the stack size since CLoop requires it to be page aligned.

        * microbenchmarks/array-push-1.js:
        * microbenchmarks/array-push-2.js:
        * microbenchmarks/elidable-new-object-dag.js:
        * microbenchmarks/elidable-new-object-roflcopter.js:
        * microbenchmarks/elidable-new-object-tree.js:
        * microbenchmarks/getter-richards.js:
        * microbenchmarks/sinkable-new-object-dag.js:
        * microbenchmarks/string-concat-long-convert.js:
        * microbenchmarks/typed-array-get-set-by-val-profiling.js:
        * slowMicrobenchmarks/array-push-3.js:
        * slowMicrobenchmarks/large-map-iteration-with-additions.js:
        * slowMicrobenchmarks/spread-small-array.js:
        * slowMicrobenchmarks/undefined-property-access.js:
        * stress/activation-sink-default-value-tdz-error.js:
        * stress/activation-sink-default-value.js:
        * stress/activation-sink-osrexit-default-value-tdz-error.js:
        * stress/activation-sink-osrexit-default-value.js:
        * stress/activation-sink-osrexit.js:
        * stress/activation-sink.js:
        * stress/allow-math-ic-b3-code-duplication.js:
        * stress/array-push-multiple-int32.js:
        * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
        * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
        * stress/arrowfunction-lexical-this-activation-sink.js:
        * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
        * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
        * stress/elide-new-object-dag-then-exit.js:
        * stress/materialize-regexp-cyclic.js:
        * stress/new-regex-inline.js:
        * stress/op_add.js:
        * stress/op_bitand.js:
        * stress/op_bitor.js:
        * stress/op_bitxor.js:
        * stress/op_div-ConstVar.js:
        * stress/op_div-VarConst.js:
        * stress/op_div-VarVar.js:
        * stress/op_lshift-ConstVar.js:
        * stress/op_lshift-VarConst.js:
        * stress/op_lshift-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:
        * stress/op_mul-ConstVar.js:
        * stress/op_mul-VarConst.js:
        * stress/op_mul-VarVar.js:
        * stress/op_rshift-ConstVar.js:
        * stress/op_rshift-VarConst.js:
        * stress/op_rshift-VarVar.js:
        * stress/op_sub-ConstVar.js:
        * stress/op_sub-VarConst.js:
        * stress/op_sub-VarVar.js:
        * stress/op_urshift-ConstVar.js:
        * stress/op_urshift-VarConst.js:
        * stress/op_urshift-VarVar.js:
        * stress/proxy-get-set-correct-receiver.js:
        * stress/regress-179562.js:
        * stress/rest-parameter-many-arguments.js:
        * stress/sampling-profiler-richards.js:
        * stress/splay-flash-access-1ms.js:
        * stress/tailCallForwardArguments.js:
        * stress/typed-array-get-by-val-profiling.js:
        * typeProfiler/getter-richards.js:

2018-11-06  Michael Saboff  <msaboff@apple.com>

        Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
        https://bugs.webkit.org/show_bug.cgi?id=191271

        Reviewed by Saam Barati.

        Added more test cases and made all test cases run with the same deeply recursive stack
        instead of finding that same point for each test case.

        * stress/regexp-compile-oom.js:
        (prototype.runTest):
        (recurseAndTest):
        (testList.push.new.TestAndExpectedException):

2018-11-05  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for linux.

        * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.

2018-11-02  Michael Saboff  <msaboff@apple.com>

        Rolling in r237753 with unreviewed build fix.

        Fixed issues with DECLARE_THROW_SCOPE placement.

2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r237753.

        Introduced JSC test failures

        Reverted changeset:

        "Running out of stack space not properly handled in
        RegExp::compile() and its callers"
        https://bugs.webkit.org/show_bug.cgi?id=191206
        https://trac.webkit.org/changeset/237753

2018-11-02  Michael Saboff  <msaboff@apple.com>

        Running out of stack space not properly handled in RegExp::compile() and its callers
        https://bugs.webkit.org/show_bug.cgi?id=191206

        Reviewed by Filip Pizlo.

        New regression test.

        * stress/regexp-compile-oom.js: Added.
        (recurseAndTest):

2018-11-01  Guillaume Emont  <guijemont@igalia.com>

        Skip tests on arm/mips that time out now we're running on CLoop

        Unreviewed gardening.

        Since the JIT is temporarily disabled on 32-bit platforms, these tests
        time out on the bots and need to be disabled. There's more tests
        disabled on arm because the timeout is longer on the mips bot (as the
        device is slower to start with), so many of the tests don't time out
        there.

        * microbenchmarks/getter-richards.js: disable on arm and mips.
        * stress/op_add.js: disable on arm.
        * stress/op_bitand.js: disable on arm.
        * stress/op_bitor.js: disable on arm.
        * stress/op_bitxor.js: disable on arm.
        * stress/op_lshift-ConstVar.js: disable on arm.
        * stress/op_lshift-VarConst.js: disable on arm.
        * stress/op_lshift-VarVar.js: disable on arm.
        * stress/op_mod-ConstVar.js: disable on arm.
        * stress/op_mod-VarConst.js: disable on arm.
        * stress/op_mod-VarVar.js: disable on arm.
        * stress/op_mul-ConstVar.js: disable on arm.
        * stress/op_mul-VarConst.js: disable on arm.
        * stress/op_mul-VarVar.js: disable on arm.
        * stress/op_rshift-ConstVar.js: disable on arm.
        * stress/op_rshift-VarConst.js: disable on arm.
        * stress/op_rshift-VarVar.js: disable on arm.
        * stress/op_sub-ConstVar.js: disable on arm.
        * stress/op_sub-VarConst.js: disable on arm.
        * stress/op_sub-VarVar.js: disable on arm.
        * stress/op_urshift-ConstVar.js: disable on arm.
        * stress/op_urshift-VarConst.js: disable on arm.
        * stress/op_urshift-VarVar.js: disable on arm.
        * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
        * stress/value-to-boolean.js: disable on arm and mips.

2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>

        REGRESSION(r237547): Exception handlers should be aware of wide opcodes
        https://bugs.webkit.org/show_bug.cgi?id=191108
        <rdar://problem/45690700>

        Reviewed by Saam Barati.

        * stress/wide-op_catch.js: Added.
        (catch):

2018-10-29  Mark Lam  <mark.lam@apple.com>

        Correctly detect string overflow when using the 'Function' constructor.
        https://bugs.webkit.org/show_bug.cgi?id=184883
        <rdar://problem/36320331>

        Reviewed by Saam Barati.

        I've verified that this passes on 32-bit as well.

        * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.

2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>

        Add support for GetStack FlushedDouble
        https://bugs.webkit.org/show_bug.cgi?id=191012
        <rdar://problem/45265141>

        Reviewed by Saam Barati.

        * stress/get-stack-double.js: Added.
        (bar):
        (noInline):

2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>

        New bytecode format for JSC
        https://bugs.webkit.org/show_bug.cgi?id=187373
        <rdar://problem/44186758>

        Reviewed by Filip Pizlo.

        Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.

        * stress/maximum-inline-capacity.js: Added.
        (test1):
        (test3.Foo):
        (test3):

2018-10-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237479 and r237484.
        https://bugs.webkit.org/show_bug.cgi?id=190978

        broke JSC on iOS (Requested by tadeuzagallo on #webkit).

        Reverted changesets:

        "New bytecode format for JSC"
        https://bugs.webkit.org/show_bug.cgi?id=187373
        https://trac.webkit.org/changeset/237479

        "Gardening: Build fix after r237479."
        https://bugs.webkit.org/show_bug.cgi?id=187373
        https://trac.webkit.org/changeset/237484

2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>

        New bytecode format for JSC
        https://bugs.webkit.org/show_bug.cgi?id=187373
        <rdar://problem/44186758>

        Reviewed by Filip Pizlo.

        Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.

        * stress/maximum-inline-capacity.js: Added.
        (test1):
        (test3.Foo):
        (test3):

2018-10-26  Mark Lam  <mark.lam@apple.com>

        Fix missing edge cases with JSGlobalObjects having a bad time.
        https://bugs.webkit.org/show_bug.cgi?id=189028
        <rdar://problem/45204939>

        Reviewed by Saam Barati.

        * stress/regress-189028.js: Added.

2018-10-22  Mark Lam  <mark.lam@apple.com>

        DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
        https://bugs.webkit.org/show_bug.cgi?id=190515
        <rdar://problem/45222379>

        Rubber-stamped by Saam Barati.

        Adding another test.

        * stress/regress-190515-2.js: Added.

2018-10-22  Mark Lam  <mark.lam@apple.com>

        DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
        https://bugs.webkit.org/show_bug.cgi?id=190515
        <rdar://problem/45222379>

        Reviewed by Saam Barati.

        * stress/regress-190515.js: Added.

2018-10-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237254.
        https://bugs.webkit.org/show_bug.cgi?id=190760

        "It regresses JetStream 2 by 5% on some iOS devices"
        (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "[JSC] JSC should have "parseFunction" to optimize Function
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=190340
        https://trac.webkit.org/changeset/237254

2018-10-19  Saam Barati  <sbarati@apple.com>

        vmCall should check if we exit before emitting an OSR exit due to exceptions
        https://bugs.webkit.org/show_bug.cgi?id=190740
        <rdar://problem/45220139>

        Reviewed by Mark Lam.

        * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
        (foo):

2018-10-19  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "^"
        https://bugs.webkit.org/show_bug.cgi?id=186235

        Reviewed by Yusuke Suzuki.

        * stress/big-int-bitwise-xor-general.js: Added.
        * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
        * stress/big-int-bitwise-xor-type-error.js: Added.
        * stress/big-int-bitwise-xor-wrapped-value.js: Added.

2018-10-19  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueSub into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186176

        Reviewed by Yusuke Suzuki.

        * stress/big-int-subtraction-jit.js:
        * stress/value-sub-big-int-prediction-propagation.js: Added.
        * stress/value-sub-big-int-untyped.js: Added.
        * stress/value-sub-spec-none-case.js: Added.

2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSC should have "parseFunction" to optimize Function constructor
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Reviewed by Mark Lam.

        This patch fixes the line number of syntax errors raised by the Function constructor,
        since we now parse the final code only once. And we no longer use block statement
        for Function constructor's parsing.

        * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
        * stress/function-cache-with-parameters-end-position.js: Added.
        (shouldBe):
        (shouldThrow):
        (i.anonymous):
        * stress/function-constructor-name.js: Added.
        (shouldBe):
        (GeneratorFunction):
        (AsyncFunction.async):
        (AsyncGeneratorFunction.async):
        (anonymous):
        (async.anonymous):
        * test262/expectations.yaml:

2018-10-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237242.
        https://bugs.webkit.org/show_bug.cgi?id=190701

        it breaks "stress/sampling-profiler-basic.js" (Requested by
        caiolima on #webkit).

        Reverted changeset:

        "[BigInt] Add ValueSub into DFG"
        https://bugs.webkit.org/show_bug.cgi?id=186176
        https://trac.webkit.org/changeset/237242

2018-10-17  Keith Miller  <keith_miller@apple.com>

        AI does not clear Phantom allocation nodes.
        https://bugs.webkit.org/show_bug.cgi?id=190694

        Reviewed by Saam Barati.

        * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
        (Day):
        (DaysInYear):
        (TimeInYear):
        (TimeFromYear):
        (DayFromYear):
        (InLeapYear):
        (YearFromTime):
        (WeekDay):
        (DaylightSavingTA):
        (GetSecondSundayInMarch):
        (TimeInMonth):

2018-10-17  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueSub into DFG
        https://bugs.webkit.org/show_bug.cgi?id=186176

        Reviewed by Yusuke Suzuki.

        * stress/big-int-subtraction-jit.js:
        * stress/value-sub-big-int-prediction-propagation.js: Added.
        * stress/value-sub-big-int-untyped.js: Added.

2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>

        [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
        https://bugs.webkit.org/show_bug.cgi?id=190611

        Reviewed by Saam Barati.

        Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
        to improve test runtime. On ARM/MIPS this test even timed out when running all
        tests.

        * stress/array-prototype-concat-of-long-spliced-arrays2.js:
        (test):

2018-10-15  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux

        Unreviewed gardening.

        * stress/array-prototype-concat-of-long-spliced-arrays2.js:

2018-10-15  Saam barati  <sbarati@apple.com>

        Emit fjcvtzs on ARM64E on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=184023

        Reviewed by Yusuke Suzuki and Filip Pizlo.

        * stress/double-to-int32-NaN.js: Added.
        (assert):
        (foo):

2018-10-15  Saam Barati  <sbarati@apple.com>

        JSArray::shiftCountWithArrayStorage is wrong when an array has holes
        https://bugs.webkit.org/show_bug.cgi?id=190262
        <rdar://problem/44986241>

        Reviewed by Mark Lam.

        * stress/array-prototype-concat-of-long-spliced-arrays.js:
        (test):
        * stress/slice-array-storage-with-holes.js: Added.
        (main):

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237054.
        https://bugs.webkit.org/show_bug.cgi?id=190593

        "this regressed JetStream 2 by 6% on iOS" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "[JSC] JSC should have "parseFunction" to optimize Function
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=190340
        https://trac.webkit.org/changeset/237054

2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSON.stringify can accept call-with-no-arguments
        https://bugs.webkit.org/show_bug.cgi?id=190343

        Reviewed by Mark Lam.

        * stress/json-stringify-no-arguments.js: Added.
        (shouldBe):

2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] JSC should have "parseFunction" to optimize Function constructor
        https://bugs.webkit.org/show_bug.cgi?id=190340

        Reviewed by Mark Lam.

        This patch fixes the line number of syntax errors raised by the Function constructor,
        since we now parse the final code only once. And we no longer use block statement
        for Function constructor's parsing.

        * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
        * stress/function-cache-with-parameters-end-position.js: Added.
        (shouldBe):
        (shouldThrow):
        (i.anonymous):
        * stress/function-constructor-name.js: Added.
        (shouldBe):
        (GeneratorFunction):
        (AsyncFunction.async):
        (AsyncGeneratorFunction.async):
        (anonymous):
        (async.anonymous):
        * test262/expectations.yaml:

2018-10-10  Guillaume Emont  <guijemont@igalia.com>

        Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
        https://bugs.webkit.org/show_bug.cgi?id=190426

        Unreviewed gardening.

        * stress/sampling-profiler-richards.js:

2018-10-06  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "|"
        https://bugs.webkit.org/show_bug.cgi?id=186229

        Reviewed by Yusuke Suzuki.

        * stress/big-int-bitwise-and-jit.js:
        * stress/big-int-bitwise-or-general.js: Added.
        * stress/big-int-bitwise-or-jit-untyped.js: Added.
        * stress/big-int-bitwise-or-jit.js: Added.
        * stress/big-int-bitwise-or-memory-stress.js: Added.
        * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
        * stress/big-int-bitwise-or-type-error.js: Added.
        * stress/big-int-bitwise-or-wrapped-value.js: Added.

2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>

        Skip test on systems with limited memory
        https://bugs.webkit.org/show_bug.cgi?id=190310

        Invoking runDefault adds test to runlist, skipping the test in the next
        line does not prevent the test from executing. Change order of lines such
        that runDefault is only executed if test is not executed.

        Reviewed by Mark Lam.

        * stress/regress-190187.js:

2018-10-03  Saam barati  <sbarati@apple.com>

        lowXYZ in FTLLower should always filter the type of the incoming edge
        https://bugs.webkit.org/show_bug.cgi?id=189939
        <rdar://problem/44407030>

        Reviewed by Michael Saboff.

        * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
        (foo):
        (test):

2018-10-03  Mark Lam  <mark.lam@apple.com>

        Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
        https://bugs.webkit.org/show_bug.cgi?id=190187
        <rdar://problem/42512909>

        Reviewed by Michael Saboff.

        * stress/regress-190187.js: Added.

2018-10-02  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
        https://bugs.webkit.org/show_bug.cgi?id=190033

        Reviewed by Yusuke Suzuki.

        * stress/big-int-to-string.js:

2018-10-01  Mark Lam  <mark.lam@apple.com>

        Function.toString() should also copy the source code Functions that are class definitions.
        https://bugs.webkit.org/show_bug.cgi?id=190186
        <rdar://problem/44733360>

        Reviewed by Saam Barati.

        * stress/regress-190186.js: Added.

2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Split NaN-check into separate test
        https://bugs.webkit.org/show_bug.cgi?id=190010

        Reviewed by Saam Barati.

        DataView exposes NaN-representation, which is not necessarily the same on each
        architecture. Therefore move the check of the NaN-representation into its own
        file such that we can disable this test on MIPS where NaN-representation can be
        different on older CPUs.

        * stress/dataview-jit-set-nan.js: Added.
        (assert):
        (test.storeLittleEndian):
        (test.storeBigEndian):
        (test.store):
        (test):
        * stress/dataview-jit-set.js:
        (test5):

2018-10-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r236647.
        https://bugs.webkit.org/show_bug.cgi?id=190124

        Breaking test stress/big-int-to-string.js (Requested by
        caiolima_ on #webkit).

        Reverted changeset:

        "[BigInt] BigInt.proptotype.toString is broken when radix is
        power of 2"
        https://bugs.webkit.org/show_bug.cgi?id=190033
        https://trac.webkit.org/changeset/236647

2018-09-30  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
        https://bugs.webkit.org/show_bug.cgi?id=190033

        Reviewed by Yusuke Suzuki.

        * stress/big-int-to-string.js:

2018-09-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "&"
        https://bugs.webkit.org/show_bug.cgi?id=186228

        Reviewed by Yusuke Suzuki.

        * stress/big-int-bitwise-and-general.js: Added.
        (assert):
        (assert.sameValue):
        * stress/big-int-bitwise-and-jit.js: Added.
        (let.assert.sameValue):
        (bigIntBitAnd):
        * stress/big-int-bitwise-and-memory-stress.js: Added.
        (assert):
        * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
        (assert.sameValue):
        (let.o.Symbol.toPrimitive):
        (catch):
        * stress/big-int-bitwise-and-type-error.js: Added.
        (assert):
        (assertThrowTypeError):
        (let.o.valueOf):
        (o.valueOf):
        (o.toString):
        (o.Symbol.toPrimitive):
        * stress/big-int-bitwise-and-wrapped-value.js: Added.
        (assert.sameValue):
        (testBitAnd):
        (let.o.Symbol.toPrimitive):
        (o.valueOf):
        (o.toString):

2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>

        JSC test stress/jsc-read.js doesn't support CRLF
        https://bugs.webkit.org/show_bug.cgi?id=190063

        Reviewed by Yusuke Suzuki.

        In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.

        * stress/jsc-read.js:
        (test):

2018-09-27  Saam barati  <sbarati@apple.com>

        Verify the contents of AssemblerBuffer on arm64e
        https://bugs.webkit.org/show_bug.cgi?id=190057
        <rdar://problem/38916630>

        Reviewed by Mark Lam.

        * stress/regress-189132.js:

2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>

        Disable test without LLInt on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=190037

        Reviewed by Mark Lam.

        Test runs out of executable memory on ARMv7, do not run
        this test without LLInt enabled.

        * stress/regress-169445.js:

2018-09-26  Keith Miller  <keith_miller@apple.com>

        We should zero unused property storage when rebalancing array storage.
        https://bugs.webkit.org/show_bug.cgi?id=188151

        Reviewed by Michael Saboff.

        * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.

2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#lastIndexOf
        https://bugs.webkit.org/show_bug.cgi?id=189780

        Reviewed by Saam Barati.

        * stress/array-lastindexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-lastindexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-lastindexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-lastindexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-25  Saam Barati  <sbarati@apple.com>

        Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=189940
        <rdar://problem/43640987>

        Reviewed by Mark Lam.

        * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.

2018-09-24  Saam Barati  <sbarati@apple.com>

        Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
        https://bugs.webkit.org/show_bug.cgi?id=189922
        <rdar://problem/44651275>

        Reviewed by Mark Lam.

        * stress/array-indexof-fast-path-effects.js: Added.
        * stress/array-indexof-cached-length.js: Added.

2018-09-24  Saam barati  <sbarati@apple.com>

        ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=189682
        <rdar://problem/43557315>

        Reviewed by Mark Lam.

        * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
        (foo):

2018-09-22  Saam barati  <sbarati@apple.com>

        The sampling should not use Strong<CodeBlock> in its machineLocation field
        https://bugs.webkit.org/show_bug.cgi?id=189319

        Reviewed by Filip Pizlo.

        * stress/sampling-profiler-richards.js: Added.

2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Optimize Array#indexOf in C++ runtime
        https://bugs.webkit.org/show_bug.cgi?id=189507

        Reviewed by Saam Barati.

        * stress/array-indexof-array-prototype-trap.js: Added.
        (shouldBe):
        (AncestorArray.prototype.get 2):
        (AncestorArray):
        * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
        (shouldBe):
        * stress/array-indexof-hole-nan.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-infinity.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-negative-zero.js: Added.
        (shouldBe):
        (throw.new.Error):
        * stress/array-indexof-own-getter.js: Added.
        (shouldBe):
        (throw.new.Error.get array):
        (get array):
        * stress/array-indexof-prototype-trap.js: Added.
        (shouldBe):
        (DerivedArray.prototype.get 2):
        (DerivedArray):

2018-09-19  Saam barati  <sbarati@apple.com>

        AI rule for MultiPutByOffset executes its effects in the wrong order
        https://bugs.webkit.org/show_bug.cgi?id=189757
        <rdar://problem/43535257>

        Reviewed by Michael Saboff.

        * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
        (foo):
        (Foo):
        (g):

2018-09-17  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        * stress/regress-189571.js: Added.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
        (A):
        (K):
        (i.catch):

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
        (foo):

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array initialization in arrayProtoFuncSplice.
        https://bugs.webkit.org/show_bug.cgi?id=170253
        <rdar://problem/31328773>

        Rubber-stamped by Saam Barati.

        * stress/regress-170253.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for IntlObject initialization.
        https://bugs.webkit.org/show_bug.cgi?id=170251
        <rdar://problem/31328419>

        Rubber-stamped by Saam Barati.

        * stress/regress-170251.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for array memcpy'ing when JSGlobalObject::haveABadTime.
        https://bugs.webkit.org/show_bug.cgi?id=169889
        <rdar://problem/31155607>

        Reviewed by Saam Barati.

        * stress/regress-169889-array-concat.js: Added.
        * stress/regress-169889-array-concat1.js: Added.
        * stress/regress-169889-array-slice.js: Added.

2018-09-11  Mark Lam  <mark.lam@apple.com>

        Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
        https://bugs.webkit.org/show_bug.cgi?id=169445
        <rdar://problem/30957435>

        Reviewed by Saam Barati.

        * stress/regress-169445.js: Added.
        (let.gun.eval.A):
        (let.gun.eval.B.C):
        (let.gun.eval.B.C.prototype.trigger):
        (let.gun.eval.B.C.prototype.triggerWithRestParameters):
        (let.gun.eval.B):
        (let.gun.eval):

== Rolled over to ChangeLog-2018-09-11 ==