Unreviewed, follow-up change after r250198
[WebKit-https.git] / JSTests / ChangeLog
1 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
2
3         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
4         https://bugs.webkit.org/show_bug.cgi?id=202011
5
6         Reviewed by Mark Lam.
7
8         We are skipping this test into MIPS and ARMv7 because some of its assumptions
9         are not valid for them. The current behavior of the test in those architectures
10         is that it does not throw during `new ArrayBuffer(1000)` allocation site,
11         because eden collection keeps happening between iterations. The collection
12         is triggered on those architectures because the amount of stress 
13         `new Promise` generates into GC limits is not enough to avoid them
14         while loop is executing.
15
16         Changing the size of `UInt8Array` from `80000000` to `160000000` can
17         be an alternative fix to avoid collection happening during `ArrayBuffer`
18         allocation loop, but we can't guarantee this test is always going to execute
19         without error when Gigacage is disabled, given we can reach an OOM state in
20         some allocations that need to succeed, making this test flaky for those
21         architectures.
22
23         * stress/test-out-of-memory.js:
24
25 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
26
27         AccessCase should strongly visit its dependencies while on stack
28         https://bugs.webkit.org/show_bug.cgi?id=201986
29         <rdar://problem/55521953>
30
31         Reviewed by Saam Barati and Yusuke Suzuki.
32
33         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
34         (foo):
35         (warmup):
36
37 2019-09-20  Saam Barati  <sbarati@apple.com>
38
39         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
40
41         * stress/toctou-having-a-bad-time-new-array.js:
42
43 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
44
45         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
46         https://bugs.webkit.org/show_bug.cgi?id=202014
47
48         Reviewed by Saam Barati.
49
50         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
51         (__v0):
52
53 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
54
55         Syntax checker should report duplicate __proto__ properties
56         https://bugs.webkit.org/show_bug.cgi?id=201897
57         <rdar://problem/53201788>
58
59         Reviewed by Mark Lam.
60
61         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
62         (catch):
63
64 2019-09-18  Saam Barati  <sbarati@apple.com>
65
66         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
67         https://bugs.webkit.org/show_bug.cgi?id=201953
68         <rdar://problem/53803524>
69
70         Reviewed by Yusuke Suzuki.
71
72         * stress/toctou-having-a-bad-time-new-array.js: Added.
73         (let.code):
74
75 2019-09-18  Saam Barati  <sbarati@apple.com>
76
77         Phantom insertion phase may disagree with arguments forwarding about live ranges
78         https://bugs.webkit.org/show_bug.cgi?id=200715
79         <rdar://problem/54301717>
80
81         Reviewed by Yusuke Suzuki.
82
83         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
84         (main.v23):
85         (main.try.v43):
86         (main.):
87         (main):
88
89 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
90
91         [JSC] Generator should have internal fields
92         https://bugs.webkit.org/show_bug.cgi?id=201159
93
94         Reviewed by Keith Miller.
95
96         * stress/create-generator.js: Added.
97         (shouldBe):
98         (test.generator):
99         (test):
100         * stress/generator-construct-failure.js: Added.
101         (shouldThrow):
102         (TypeError):
103         * stress/generator-prototype-change.js: Added.
104         (shouldBe):
105         (gen):
106         * stress/generator-prototype-closure.js: Added.
107         (shouldBe):
108         (test.gen):
109         (test):
110         * stress/object-assign-fast-path.js:
111
112 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
113
114         Follow-up after String.codePointAt optimization
115         https://bugs.webkit.org/show_bug.cgi?id=201889
116
117         Reviewed by Saam Barati.
118
119         * stress/string-char-at-bad-type.js: Added.
120         (shouldBe):
121         (object.toString):
122         (test):
123         * stress/string-char-code-at-bad-type.js: Added.
124         (shouldBe):
125         (object.toString):
126         (test):
127         * stress/string-code-point-at-bad-type.js: Added.
128         (shouldBe):
129         (object.toString):
130         (test):
131
132 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
133
134         [JSC] CheckArray+NonArray is not filtering out Array in AI
135         https://bugs.webkit.org/show_bug.cgi?id=201857
136         <rdar://problem/54194820>
137
138         Reviewed by Keith Miller.
139
140         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
141         (foo):
142
143 2019-09-17  Saam Barati  <sbarati@apple.com>
144
145         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
146         https://bugs.webkit.org/show_bug.cgi?id=201853
147         <rdar://problem/53805461>
148
149         Reviewed by Yusuke Suzuki.
150
151         * stress/direct-arguments-check-array-filter-type.js: Added.
152         (foo):
153
154 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
155
156         Wasm StreamingParser should validate that number of functions matches number of declarations
157         https://bugs.webkit.org/show_bug.cgi?id=201850
158         <rdar://problem/55290186>
159
160         Reviewed by Yusuke Suzuki.
161
162         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
163         (catch):
164
165 2019-09-16  Michael Saboff  <msaboff@apple.com>
166
167         [JSC] Perform check again when we found non-BMP characters
168         https://bugs.webkit.org/show_bug.cgi?id=201647
169
170         Reviewed by Yusuke Suzuki.
171
172         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
173         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
174         (testRegExpInbounds):
175
176 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
177
178         [JSC] Add missing syntax errors for await in function parameter default expressions
179         https://bugs.webkit.org/show_bug.cgi?id=201615
180
181         Reviewed by Darin Adler.
182
183         * stress/async-await-reserved-word.js:
184         * stress/async-await-syntax.js:
185         Add test cases.
186
187         * test262/expectations.yaml:
188         Mark newly-passing test cases.
189
190 2019-09-16  Saam Barati  <sbarati@apple.com>
191
192         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
193         https://bugs.webkit.org/show_bug.cgi?id=200386
194         <rdar://problem/53854946>
195
196         Reviewed by Yusuke Suzuki.
197
198         * stress/proxy-__proto__-in-prototype-chain.js: Added.
199         * stress/proxy-property-replace-structure-transition.js: Added.
200
201 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
202
203         Date.prototype.toJSON does not execute steps 1-2
204         https://bugs.webkit.org/show_bug.cgi?id=105282
205
206         Reviewed by Ross Kirsling.
207
208         * test262/expectations.yaml: Mark 2 test cases as passing.
209
210 2019-09-12  Mark Lam  <mark.lam@apple.com>
211
212         Harden JSC against the abuse of runtime options.
213         https://bugs.webkit.org/show_bug.cgi?id=201597
214         <rdar://problem/55167068>
215
216         Reviewed by Filip Pizlo.
217
218         Remove the call to forceGCSlowPaths().  This utility function will be removed.
219         The modern way to set the required option is to use //@ requireOptions.
220
221         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
222
223 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
224
225         [JSC] Add StringCodePointAt intrinsic
226         https://bugs.webkit.org/show_bug.cgi?id=201673
227
228         Reviewed by Michael Saboff.
229
230         * stress/string-char-at-constant-index-out-of-range.js: Added.
231         (shouldBe):
232         (test):
233         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
234         (shouldBe):
235         (test):
236         * stress/string-code-point-at--out-of-range.js: Added.
237         (shouldBe):
238         (test):
239         * stress/string-code-point-at-basic.js: Added.
240         (test):
241         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
242         (shouldBe):
243         (test):
244         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
245         (shouldBe):
246         (test):
247         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
248         (shouldBe):
249         (test):
250         (breaking):
251         * stress/string-code-point-at-surrogate-pair.js: Added.
252         (shouldBe):
253         * stress/string-code-point-at.js: Added.
254         (shouldBe):
255
256 2019-09-10  Michael Saboff  <msaboff@apple.com>
257
258         JSC crashes due to stack overflow while building RegExp
259         https://bugs.webkit.org/show_bug.cgi?id=201649
260
261         Reviewed by Yusuke Suzuki.
262
263         New regression test.
264
265         * stress/regexp-bol-optimize-out-of-stack.js: Added.
266         (test):
267         (catch):
268
269 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
270
271         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
272         https://bugs.webkit.org/show_bug.cgi?id=189043
273
274         Reviewed by Keith Miller.
275
276         The offset performing the validation becomes a bit different.
277         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
278
279         * wasm/js-api/version.js:
280
281 2019-09-07  Keith Miller  <keith_miller@apple.com>
282
283         OSR entry into wasm misses some contexts
284         https://bugs.webkit.org/show_bug.cgi?id=201569
285
286         Reviewed by Yusuke Suzuki.
287
288         Add a new harness and wast and the generated wasm file for
289         testing. The idea long term is to make it easy to test by creating
290         a C file and converting it to a wast then modify that to produce a
291         test.
292
293         * wasm.yaml:
294         * wasm/wast-tests/harness.js: Added.
295         (async.runWasmFile):
296         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
297         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
298         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
299         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
300         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
301         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
302         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
303         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
304
305 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
306
307         [JSC] Promise resolve/reject functions should be created more efficiently
308         https://bugs.webkit.org/show_bug.cgi?id=201488
309
310         Reviewed by Mark Lam.
311
312         * microbenchmarks/promise-creation-many.js: Added.
313         (executor):
314
315 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
316
317         Unreviewed JSC test gardening.
318
319         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
320         This test allocates a 2GB string before it goes out and tests
321         out-of-memory exception when appending other strings to it. As such,
322         skip the test on memory-limited platforms.
323
324 2019-09-07  Mark Lam  <mark.lam@apple.com>
325
326         The jsc shell should allow disabling of the Gigacage for testing purposes.
327         https://bugs.webkit.org/show_bug.cgi?id=201579
328
329         Reviewed by Michael Saboff.
330
331         Unskip the tests now.
332
333         * stress/disable-gigacage-arrays.js:
334         * stress/disable-gigacage-strings.js:
335         * stress/disable-gigacage-typed-arrays.js:
336
337 2019-09-07  Mark Lam  <mark.lam@apple.com>
338
339         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
340
341         Not reviewed.
342
343         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
344
345         * stress/disable-gigacage-arrays.js:
346         * stress/disable-gigacage-strings.js:
347         * stress/disable-gigacage-typed-arrays.js:
348
349 2019-09-07  Mark Lam  <mark.lam@apple.com>
350
351         Gardening: speculative test fix to green bots [attempt #2].
352         https://bugs.webkit.org/show_bug.cgi?id=201529
353         <rdar://problem/53935772>
354
355         Not reviewed.
356
357         * stress/test-out-of-memory.js:
358
359 2019-09-06  Mark Lam  <mark.lam@apple.com>
360
361         Gardening: speculative test fix to green bots.
362         https://bugs.webkit.org/show_bug.cgi?id=201529
363         <rdar://problem/53935772>
364
365         Not reviewed.
366
367         * stress/test-out-of-memory.js:
368
369 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
370
371         Math.round() produces wrong result for value prior to 0.5
372         https://bugs.webkit.org/show_bug.cgi?id=185115
373
374         Reviewed by Saam Barati.
375
376         * stress/math-round-basics.js:
377         Add positive/negative test cases.
378
379         * test262/expectations.yaml:
380         Mark test passing.
381
382 2019-09-06  Mark Lam  <mark.lam@apple.com>
383
384         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
385         https://bugs.webkit.org/show_bug.cgi?id=201551
386
387         Reviewed by Tadeu Zagallo.
388
389         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
390
391         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
392         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
393
394 2019-09-06  Mark Lam  <mark.lam@apple.com>
395
396         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
397         https://bugs.webkit.org/show_bug.cgi?id=201529
398         <rdar://problem/53935772>
399
400         Reviewed by Yusuke Suzuki.
401
402         * stress/test-out-of-memory.js: Added.
403
404 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
405
406         LazyClassStructure::setConstructor should not store the constructor to the global object
407         https://bugs.webkit.org/show_bug.cgi?id=201484
408         <rdar://problem/50400451>
409
410         Reviewed by Yusuke Suzuki.
411
412         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
413
414 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
415
416         [JSC] Do not use FTLOutput::weakPointer directly
417         https://bugs.webkit.org/show_bug.cgi?id=201495
418
419         Reviewed by Filip Pizlo.
420
421         * stress/create-promise-weak-pointer.js: Added.
422         (foo):
423
424 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
425
426         [JSC] Make Promise implementation faster
427         https://bugs.webkit.org/show_bug.cgi?id=200898
428
429         Reviewed by Saam Barati.
430
431         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
432         (assert.assert.return.throws):
433         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
434         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
435         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
436         (shouldThrow):
437         (new.Promise):
438         (shouldThrow.Promise):
439         * stress/create-promise-should-respect-promise-realm.js: Added.
440         (shouldBe):
441         (other.new.OtherPromise):
442         (DerivedOtherPromise):
443         (i.promise.new.DerivedOtherPromise):
444         (createPromise):
445         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
446         (shouldBe):
447         (DerivedPromise):
448         (i.array.push.new.DerivedPromise):
449         (promise.new.DerivedPromise):
450         * stress/derived-promise-constructor-inlined.js: Added.
451         (shouldBe):
452         (DerivedPromise):
453         (i.array.push.new.DerivedPromise):
454         (DerivedPromise.all.array.then):
455         * stress/derived-promise-prototype-replaced.js: Added.
456         (shouldBe):
457         (DerivedPromise):
458         (i.array.push.new.DerivedPromise):
459         (promise.new.DerivedPromise):
460         * stress/internal-promise-constructor-not-confusing.js: Added.
461         (shouldBe):
462         (InternalPromise.vm.createBuiltin):
463         (DerivedPromise):
464         * stress/internal-promise-is-not-exposed.js: Added.
465         (shouldBe):
466         * stress/new-promise-should-respect-promise-realm.js: Added.
467         (shouldBe):
468         (other.new.OtherPromise):
469         (createPromise):
470         * stress/promise-cannot-be-called.js:
471         (shouldThrow):
472         * stress/promise-capability-fast-path.js: Added.
473         (shouldBe):
474         (i.array.push.new.Promise):
475         (i.array.i.then):
476         * stress/promise-capability-slow-path.js: Added.
477         (shouldBe):
478         (Promise.prototype.then):
479         (i.array.push.new.Promise):
480         (i.array.i.then):
481         * stress/promise-capability-then-slow-path.js: Added.
482         (shouldBe):
483         (DerivedPromise):
484         (DerivedPromise.prototype.then):
485         (i.array.push.new.DerivedPromise):
486         (i.array.i.then):
487         * stress/promise-constructor-inlined.js: Added.
488         (shouldBe):
489         (i.array.push.new.Promise):
490         (Promise.all.array.then):
491         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
492         (shouldBe):
493         (DerivedPromise):
494         (DerivedPromise2):
495         (i.array.push.new.DerivedPromise):
496         (i.array2.push.new.DerivedPromise2):
497         * stress/without-promise-functions.js: Added.
498         (shouldBe):
499         (async):
500
501 2019-09-03  Mark Lam  <mark.lam@apple.com>
502
503         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
504         https://bugs.webkit.org/show_bug.cgi?id=201309
505         <rdar://problem/54832121>
506
507         Reviewed by Yusuke Suzuki.
508
509         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
510
511 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
512
513         [JSC] Generate new.target register only when it is used
514         https://bugs.webkit.org/show_bug.cgi?id=201335
515
516         Reviewed by Mark Lam.
517
518         * stress/ensure-new-register-allocated.js: Added.
519         (shouldBe):
520         (basic):
521         (arrow):
522         (Base):
523         (Derived):
524         (evaluate):
525
526 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
527
528         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
529         https://bugs.webkit.org/show_bug.cgi?id=201331
530
531         Reviewed by Mark Lam.
532
533         * stress/simple-jump-table-copy.js: Added.
534         (let.code):
535         (g2):
536
537 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
538
539         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
540         https://bugs.webkit.org/show_bug.cgi?id=201332
541
542         Reviewed by Mark Lam.
543
544         This test is very flaky, it is hard to reproduce.
545
546         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
547         (code):
548
549 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
550
551         [JSC] Repatch should construct CallCases and CasesValue at the same time
552         https://bugs.webkit.org/show_bug.cgi?id=201325
553
554         Reviewed by Saam Barati.
555
556         * stress/repatch-switch.js: Added.
557         (main.f2.f0):
558         (main.f2.f3):
559         (main.f2.f1):
560         (main.f2):
561         (main):
562
563 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
564
565         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
566         https://bugs.webkit.org/show_bug.cgi?id=198650
567
568         Reviewed by Saam Barati.
569
570         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
571         (main.v0):
572         (main):
573
574 2019-08-28  Mark Lam  <mark.lam@apple.com>
575
576         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
577         https://bugs.webkit.org/show_bug.cgi?id=201281
578         <rdar://problem/54028228>
579
580         Reviewed by Yusuke Suzuki and Saam Barati.
581
582         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
583
584 2019-08-28  Mark Lam  <mark.lam@apple.com>
585
586         Placate exception check validation in DFG's operationHasGenericProperty().
587         https://bugs.webkit.org/show_bug.cgi?id=201245
588         <rdar://problem/54777512>
589
590         Reviewed by Robin Morisset.
591
592         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
593
594 2019-08-27  Mark Lam  <mark.lam@apple.com>
595
596         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
597         https://bugs.webkit.org/show_bug.cgi?id=201196
598         <rdar://problem/54703775>
599
600         Reviewed by Yusuke Suzuki.
601
602         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
603
604 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
605
606         [JSC] Ensure x?.y ?? z is fast
607         https://bugs.webkit.org/show_bug.cgi?id=200875
608
609         Reviewed by Yusuke Suzuki.
610
611         * stress/nullish-coalescing.js:
612
613 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
614
615         Remove MaximalFlushInsertionPhase
616         https://bugs.webkit.org/show_bug.cgi?id=201036
617
618         Reviewed by Saam Barati.
619
620         Remove all the references to maximal flush
621
622         * stress/arith-ceil-on-various-types.js:
623         (checkCompileCountForUselessNegativeZero):
624         * stress/arith-floor-on-various-types.js:
625         (checkCompileCountForUselessNegativeZero):
626         * stress/arith-negate-on-various-types.js:
627         (checkCompileCountForUselessNegativeZero):
628         * stress/arith-round-on-various-types.js:
629         (checkCompileCountForUselessNegativeZero):
630         * stress/arith-trunc-on-various-types.js:
631         (checkCompileCountForUselessNegativeZero):
632         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
633         * stress/has-indexed-property-should-accept-non-int32.js:
634         * stress/has-indexed-property-with-worsening-array-mode.js:
635         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
636         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
637         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
638         * stress/rest-parameter-many-arguments.js:
639         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
640         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
641         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
642
643 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
644
645         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
646         https://bugs.webkit.org/show_bug.cgi?id=200952
647
648         Reviewed by Saam Barati.
649
650         * wasm/references/func_ref.js:
651         (assert.throws):
652
653 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
654
655         Add missing exception check in canonicalizeLocaleList
656         https://bugs.webkit.org/show_bug.cgi?id=201021
657
658         Reviewed by Mark Lam.
659
660         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
661         (catch):
662
663 2019-08-21  Mark Lam  <mark.lam@apple.com>
664
665         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
666         https://bugs.webkit.org/show_bug.cgi?id=201016
667         <rdar://problem/54579911>
668
669         Reviewed by Yusuke Suzuki.
670
671         * wasm/stress/too-many-locals.js: Added.
672         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
673
674 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
675
676         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
677         https://bugs.webkit.org/show_bug.cgi?id=200965
678
679         Reviewed by Saam Barati.
680
681         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
682         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
683
684         * stress/optional-chaining.js:
685
686 2019-08-21  Michael Saboff  <msaboff@apple.com>
687
688         [JSC] incorrent JIT lead to StackOverflow
689         https://bugs.webkit.org/show_bug.cgi?id=197823
690
691         Reviewed by Tadeu Zagallo.
692
693         New test.
694
695         * stress/bound-function-stack-overflow.js: Added.
696         (foo):
697         (catch):
698
699 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
700
701         Identify memcpy loops in b3
702         https://bugs.webkit.org/show_bug.cgi?id=200181
703
704         Reviewed by Saam Barati.
705
706         * microbenchmarks/memcpy-loop.js: Added.
707         (doTest):
708         (let.arr1):
709         * microbenchmarks/memcpy-typed-loop-large.js: Added.
710         (doTest):
711         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
712         (arr2):
713         * microbenchmarks/memcpy-typed-loop-small.js: Added.
714         (doTest):
715         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
716         (16.arr2):
717         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
718         (doTest):
719         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
720         (arr2):
721         * microbenchmarks/memcpy-wasm-large.js: Added.
722         (typeof.WebAssembly.string_appeared_here.eq):
723         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
724         * microbenchmarks/memcpy-wasm-medium.js: Added.
725         (typeof.WebAssembly.string_appeared_here.eq):
726         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
727         * microbenchmarks/memcpy-wasm-small.js: Added.
728         (typeof.WebAssembly.string_appeared_here.eq):
729         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
730         * microbenchmarks/memcpy-wasm.js: Added.
731         (typeof.WebAssembly.string_appeared_here.eq):
732         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
733         * stress/memcpy-typed-loops.js: Added.
734         (noLoop):
735         (invalidStart):
736         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
737         (arr2):
738         * wasm/function-tests/memcpy-wasm-loop.js: Added.
739         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
740         (string_appeared_here):
741
742 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
743
744         [JSC] Array.prototype.toString should not get "join" function each time
745         https://bugs.webkit.org/show_bug.cgi?id=200905
746
747         Reviewed by Mark Lam.
748
749         * stress/array-prototype-join-change.js: Added.
750         (shouldBe):
751         (array2.join):
752         (DerivedArray):
753         (DerivedArray.prototype.join):
754         (array3.__proto__.join):
755         (Array.prototype.join):
756
757 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
758
759         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
760         https://bugs.webkit.org/show_bug.cgi?id=200782
761
762         Reviewed by Saam Barati.
763
764         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
765
766         * microbenchmarks/memcpy-typed-loop.js:
767         * stress/int8-repeat-in-then-out-of-bounds.js:
768
769 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
770
771         Proxy constructor should throw if handler is revoked Proxy
772         https://bugs.webkit.org/show_bug.cgi?id=198755
773
774         Reviewed by Saam Barati.
775
776         * stress/proxy-revoke.js: Adjust error message.
777         * test262/expectations.yaml: Mark 2 test cases as passing.
778
779 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
780
781         [JSC] OSR entry to Wasm OMG
782         https://bugs.webkit.org/show_bug.cgi?id=200362
783
784         Reviewed by Michael Saboff.
785
786         * wasm/stress/osr-entry-basic.js: Added.
787         (instance.exports.loop):
788         * wasm/stress/osr-entry-many-locals-f32.js: Added.
789         * wasm/stress/osr-entry-many-locals-f64.js: Added.
790         * wasm/stress/osr-entry-many-locals-i32.js: Added.
791         * wasm/stress/osr-entry-many-locals-i64.js: Added.
792         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
793         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
794         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
795         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
796
797 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
798
799         Date.prototype.toJSON throws if toISOString returns an object
800         https://bugs.webkit.org/show_bug.cgi?id=198495
801
802         Reviewed by Ross Kirsling.
803
804         * test262/expectations.yaml: Mark 6 test cases as passing.
805
806 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
807
808         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
809         https://bugs.webkit.org/show_bug.cgi?id=200899
810         <rdar://problem/54073341>
811
812         Reviewed by Mark Lam.
813
814         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
815         (i.new.Promise):
816         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
817         (i.new.Promise):
818
819 2019-08-19  Michael Saboff  <msaboff@apple.com>
820
821         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
822         https://bugs.webkit.org/show_bug.cgi?id=197090
823
824         Reviewed by Yusuke Suzuki.
825
826         New test.
827
828         * stress/regexp-nonconsuming-counted-parens.js: Added.
829
830 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
831
832         [JSC] Correct a->an in error messages and API docblocks
833         https://bugs.webkit.org/show_bug.cgi?id=200833
834
835         Reviewed by Don Olmstead.
836
837         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
838         (assert.assert.return.throws):
839         * stress/promise-finally-should-accept-non-promise-objects.js:
840         * wasm/js-api/table.js:
841         (assert.throws):
842
843 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
844
845         [ESNext] Implement optional chaining
846         https://bugs.webkit.org/show_bug.cgi?id=200199
847
848         Reviewed by Yusuke Suzuki.
849
850         * stress/nullish-coalescing.js:
851         * stress/optional-chaining.js: Added.
852         * stress/tail-call-recognize.js:
853
854 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
855
856         [ESNext] Support hashbang.
857         https://bugs.webkit.org/show_bug.cgi?id=200865
858
859         Reviewed by Mark Lam.
860
861         * stress/hashbang.js: Added.
862         * test262/expectations.yaml: Mark 6 cases as passing.
863
864 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
865
866         [JSC] DFG ToNumber should support Boolean in fixup
867         https://bugs.webkit.org/show_bug.cgi?id=200864
868
869         Reviewed by Mark Lam.
870
871         * microbenchmarks/to-number-boolean.js: Added.
872         (test):
873         * stress/to-number-boolean-int32.js: Added.
874         (shouldBe):
875         (test):
876         (check):
877         * stress/to-number-boolean.js: Added.
878         (shouldBe):
879         (test):
880         (check):
881         * stress/to-number-int32.js: Added.
882         (shouldBe):
883         (test):
884         (check):
885
886 2019-08-16  Mark Lam  <mark.lam@apple.com>
887
888         More missing exception checks in string comparison operators.
889         https://bugs.webkit.org/show_bug.cgi?id=200844
890         <rdar://problem/54378684>
891
892         Reviewed by Saam Barati.
893
894         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
895         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
896         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
897         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
898
899 2019-08-16  Mark Lam  <mark.lam@apple.com>
900
901         CodeBlock destructor should clear all of its watchpoints.
902         https://bugs.webkit.org/show_bug.cgi?id=200792
903         <rdar://problem/53947800>
904
905         Reviewed by Yusuke Suzuki.
906
907         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
908
909 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
910
911         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
912         https://bugs.webkit.org/show_bug.cgi?id=200782
913
914         Reviewed by Saam Barati.
915
916         * microbenchmarks/int8-out-of-bounds.js: Added.
917         (foo):
918         * microbenchmarks/memcpy-typed-loop.js: Added.
919         (doTest):
920         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
921         (arr2):
922         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
923         (foo):
924
925 2019-08-16  Mark Lam  <mark.lam@apple.com>
926
927         [Re-land] ProxyObject should not be allow to access its target's private properties.
928         https://bugs.webkit.org/show_bug.cgi?id=200739
929         <rdar://problem/53972768>
930
931         Reviewed by Yusuke Suzuki.
932
933         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
934         * stress/proxy-with-private-symbols.js:
935
936 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
937
938         [JSC] Promise.prototype.finally should accept non-promise objects
939         https://bugs.webkit.org/show_bug.cgi?id=200829
940
941         Reviewed by Mark Lam.
942
943         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
944         (shouldBe):
945         (Thenable):
946         (Thenable.prototype.then):
947
948 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
949
950         Promise constructor should check argument before [[Construct]]
951         https://bugs.webkit.org/show_bug.cgi?id=198976
952
953         Reviewed by Ross Kirsling.
954
955         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
956         * stress/create-subclass-structure-might-throw.js: Fix test.
957         * test262/expectations.yaml: Mark 2 test cases as passing.
958
959 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
960
961         Unreviewed, rolling out r248709.
962
963         Caused test/built-ins/Promise/prototype/finally/this-value-
964         non-promise.js to fail on test262 bot
965
966         Reverted changeset:
967
968         "ProxyObject should not be allow to access its target's
969         private properties."
970         https://bugs.webkit.org/show_bug.cgi?id=200739
971         https://trac.webkit.org/changeset/248709
972
973 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
974
975         DateConversion::formatDateTime incorrectly formats negative years
976         https://bugs.webkit.org/show_bug.cgi?id=199964
977
978         Reviewed by Ross Kirsling.
979
980         * test262/expectations.yaml: Mark 6 test cases as passing.
981
982 2019-08-15  Mark Lam  <mark.lam@apple.com>
983
984         More missing exception checks in String.prototype.
985         https://bugs.webkit.org/show_bug.cgi?id=200762
986         <rdar://problem/54333896>
987
988         Reviewed by Michael Saboff.
989
990         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
991         * stress/missing-exception-check-in-string-toLower.js: Added.
992         * stress/missing-exception-check-in-string-toUpper.js: Added.
993
994 2019-08-14  Mark Lam  <mark.lam@apple.com>
995
996         ProxyObject should not be allow to access its target's private properties.
997         https://bugs.webkit.org/show_bug.cgi?id=200739
998         <rdar://problem/53972768>
999
1000         Reviewed by Yusuke Suzuki.
1001
1002         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1003         * stress/proxy-with-private-symbols.js: Rebased.
1004
1005 2019-08-14  Mark Lam  <mark.lam@apple.com>
1006
1007         Missing exception check in string compare.
1008         https://bugs.webkit.org/show_bug.cgi?id=200743
1009         <rdar://problem/53975356>
1010
1011         Reviewed by Michael Saboff.
1012
1013         * stress/missing-exception-check-in-string-compare.js: Added.
1014
1015 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1016
1017         [JSC] Add "jump if (not) undefined or null" bytecode ops
1018         https://bugs.webkit.org/show_bug.cgi?id=200480
1019
1020         Reviewed by Saam Barati.
1021
1022         * stress/destructuring-assignment-require-object-coercible.js:
1023         * stress/nullish-coalescing.js:
1024
1025 2019-08-05  Michael Saboff  <msaboff@apple.com>
1026
1027         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1028         https://bugs.webkit.org/show_bug.cgi?id=199997
1029
1030         Reviewed by Saam Barati.
1031
1032         New test.
1033
1034         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1035         (checkIntArray):
1036         (checkFloatArray):
1037
1038 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1039
1040         [JSC] Support WebAssembly in SamplingProfiler
1041         https://bugs.webkit.org/show_bug.cgi?id=200329
1042
1043         Reviewed by Saam Barati.
1044
1045         * stress/sampling-profiler-wasm-name-section.js: Added.
1046         (const.compile):
1047         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1048         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1049         * stress/sampling-profiler-wasm.js: Added.
1050         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1051         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1052         * stress/sampling-profiler/loop.wasm: Added.
1053         * stress/sampling-profiler/loop.wast: Added.
1054         * stress/sampling-profiler/nameSection.wasm: Added.
1055
1056 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1057
1058         [JSC] LazyJSValue should be robust for empty JSValue
1059         https://bugs.webkit.org/show_bug.cgi?id=200388
1060
1061         Reviewed by Saam Barati.
1062
1063         * stress/switch-constant-child-becomes-empty.js: Added.
1064         (foo):
1065
1066 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1067
1068         GetterSetter type confusion during DFG compilation
1069         https://bugs.webkit.org/show_bug.cgi?id=199903
1070
1071         Reviewed by Mark Lam.
1072
1073         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1074
1075 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1076
1077         Update Test262 (2019.08.01)
1078         https://bugs.webkit.org/show_bug.cgi?id=200351
1079
1080         Reviewed by Keith Miller.
1081
1082         * test262/expectations.yaml:
1083         * test262/harness/testIntl.js:
1084         * test262/latest-changes-summary.txt:
1085         * test262/test/:
1086         * test262/test262-Revision.txt:
1087
1088 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1089
1090         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1091         https://bugs.webkit.org/show_bug.cgi?id=200192
1092
1093         Reviewed by Saam Barati.
1094
1095         * stress/structure-chain-stress.js: Added.
1096         (keys):
1097
1098 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1099
1100         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1101         https://bugs.webkit.org/show_bug.cgi?id=200196
1102
1103         Reviewed by Robin Morisset.
1104
1105         * stress/reparsing-unlinked-codeblock.js:
1106
1107 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1108
1109         [X86] Emit BT instruction for shift + mask in B3
1110         https://bugs.webkit.org/show_bug.cgi?id=199891
1111
1112         Reviewed by Robin Morisset.
1113
1114         Lower the number of iterations to fix debug timeouts.
1115
1116         * microbenchmarks/bit-test-load.js:
1117         (i):
1118
1119 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1120
1121         [X86] Emit BT instruction for shift + mask in B3
1122         https://bugs.webkit.org/show_bug.cgi?id=199891
1123
1124         Reviewed by Keith Miller.
1125
1126         * microbenchmarks/bit-test-constant.js: Added.
1127         (let.glob.0.doTest):
1128         * microbenchmarks/bit-test-load.js: Added.
1129         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1130         (i):
1131         * microbenchmarks/bit-test-nonconstant.js: Added.
1132         (let.glob.0.doTest):
1133
1134 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1135
1136         [JSC] Potential GC fix for JSPropertyNameEnumerator
1137         https://bugs.webkit.org/show_bug.cgi?id=200151
1138
1139         Reviewed by Mark Lam.
1140
1141         * stress/for-in-stress.js: Added.
1142         (keys):
1143
1144 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1145
1146         Legacy numeric literals should not permit separators or BigInt
1147         https://bugs.webkit.org/show_bug.cgi?id=199984
1148
1149         Reviewed by Keith Miller.
1150
1151         * stress/big-int-literals.js:
1152         * stress/numeric-literal-separators.js:
1153
1154 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1155
1156         [ESNext] Implement nullish coalescing
1157         https://bugs.webkit.org/show_bug.cgi?id=200072
1158
1159         Reviewed by Darin Adler.
1160
1161         * stress/nullish-coalescing.js: Added.
1162
1163 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1164
1165         Three checks are missing in Proxy internal methods
1166         https://bugs.webkit.org/show_bug.cgi?id=198630
1167
1168         Reviewed by Darin Adler.
1169
1170         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1171         * test262/expectations.yaml: Mark 6 test cases as passing.
1172
1173 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1174
1175         Sometimes we miss removable CheckInBounds
1176         https://bugs.webkit.org/show_bug.cgi?id=200018
1177
1178         Reviewed by Saam Barati.
1179
1180         * microbenchmarks/typed-array-sum.js: Added.
1181         (doTest):
1182
1183 2019-07-16  Mark Lam  <mark.lam@apple.com>
1184
1185         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1186         https://bugs.webkit.org/show_bug.cgi?id=199821
1187         <rdar://problem/52452328>
1188
1189         Reviewed by Filip Pizlo.
1190
1191         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1192
1193 2019-07-16  Keith Miller  <keith_miller@apple.com>
1194
1195         Unreviewed, test262 gardening.
1196
1197         * test262/expectations.yaml:
1198
1199 2019-07-15  Keith Miller  <keith_miller@apple.com>
1200
1201         A Possible Issue of Object.create method
1202         https://bugs.webkit.org/show_bug.cgi?id=199744
1203
1204         Reviewed by Yusuke Suzuki.
1205
1206         * stress/object-create-non-object-properties-parameter.js: Added.
1207         (catch):
1208
1209 2019-07-15  Keith Miller  <keith_miller@apple.com>
1210
1211         Update test262
1212         https://bugs.webkit.org/show_bug.cgi?id=199801
1213
1214         Rubber-stamped by Yusuke Suzuki.
1215
1216         * test262/expectations.yaml:
1217         * test262/latest-changes-summary.txt:
1218         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1219         (fg.new.FinalizationGroup):
1220         (callback):
1221         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1222         (fg.new.FinalizationGroup):
1223         (callback):
1224         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1225         (fg.new.FinalizationGroup):
1226         (callback):
1227         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1228         (fg.new.FinalizationGroup):
1229         (callback):
1230         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1231         (fg.new.FinalizationGroup):
1232         (callback):
1233         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1234         (fg.new.FinalizationGroup):
1235         (callback):
1236         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1237         (fg.new.FinalizationGroup):
1238         (callback):
1239         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1240         (callback):
1241         (fg.new.FinalizationGroup):
1242         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1243         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1244         (cb):
1245         (fg.new.FinalizationGroup):
1246         (emptyCells):
1247         (async.fn):
1248         (fn.then.async):
1249         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1250         (fg.new.FinalizationGroup):
1251         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1252         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1253         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1254         (newTarget):
1255         (fn):
1256         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1257         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1258         (fn):
1259         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1260         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1261         (newTarget):
1262         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1263         (newTarget):
1264         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1265         (fg.new.FinalizationGroup):
1266         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1267         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1268         (callback):
1269         (fg.new.FinalizationGroup):
1270         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1271         (fg.new.FinalizationGroup):
1272         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1273         (cb):
1274         (fg.new.FinalizationGroup):
1275         (emptyCells):
1276         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1277         (fg.new.FinalizationGroup):
1278         (fg.cleanupSome.cb):
1279         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1280         (callback):
1281         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1282         (fn):
1283         (cb):
1284         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1285         (cb):
1286         (fg.new.FinalizationGroup):
1287         (emptyCells):
1288         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1289         (fg.new.FinalizationGroup):
1290         (callback):
1291         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1292         (fg.new.FinalizationGroup):
1293         (callback):
1294         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1295         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1296         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1297         (poisoned):
1298         (fg.new.FinalizationGroup):
1299         (emptyCells):
1300         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1301         (poisoned):
1302         (emptyCells):
1303         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1304         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1305         (fn):
1306         (cb):
1307         (emptyCells):
1308         (prototype.assert.sameValue.fg.cleanupSome):
1309         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1310         (fn):
1311         (cb):
1312         (poisoned):
1313         (assert.sameValue.fg.cleanupSome):
1314         (prototype.assert.sameValue.fg.cleanupSome):
1315         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1316         (cb):
1317         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1318         (cb):
1319         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1320         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1321         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1322         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1323         (fn):
1324         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1325         (fn):
1326         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1327         (fg.new.FinalizationGroup):
1328         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1329         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1330         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1331         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1332         (fn):
1333         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1334         (fn):
1335         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1336         (fg.new.FinalizationGroup):
1337         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1338         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1339         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1340         (fg.new.FinalizationGroup):
1341         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1342         (fg.new.FinalizationGroup):
1343         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1344         (fg.new.FinalizationGroup):
1345         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1346         (fg.new.FinalizationGroup):
1347         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1348         (fn):
1349         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1350         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1351         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1352         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1353         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1354         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1355         (fn):
1356         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1357         (fg.new.FinalizationGroup):
1358         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1359         (cleanupCallback):
1360         (let.key.of.Object.getOwnPropertyNames):
1361         (set for):
1362         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1363         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1364         (FinalizationGroup):
1365         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1366         (cleanupCallback):
1367         (let.key.of.Object.getOwnPropertyNames):
1368         (set for):
1369         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1370         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1371         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1372         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1373         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1374         (asyncProxy.new.Proxy.async):
1375         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1376         (asyncProxy.new.Proxy.async):
1377         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1378         (setIter.set Symbol):
1379         (set defaultTag):
1380         (gen):
1381         (get return):
1382         (set new):
1383         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1384         (generatorProxy.new.Proxy):
1385         (asyncProxy.new.Proxy.async):
1386         * test262/test/built-ins/Object/subclass-object-arg.js:
1387         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1388         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1389         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1390         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1391         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1392         * test262/test/built-ins/Promise/executor-function-name.js:
1393         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1394         * test262/test/built-ins/Promise/reject-function-name.js:
1395         * test262/test/built-ins/Promise/resolve-function-name.js:
1396         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1397         * test262/test/built-ins/WeakRef/constructor.js: Added.
1398         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1399         * test262/test/built-ins/WeakRef/length.js: Added.
1400         * test262/test/built-ins/WeakRef/name.js: Added.
1401         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1402         (newTarget):
1403         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1404         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1405         * test262/test/built-ins/WeakRef/proto.js: Added.
1406         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1407         (newTarget):
1408         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1409         (newTarget):
1410         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1411         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1412         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1413         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1414         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1415         (emptyCells):
1416         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1417         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1418         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1419         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1420         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1421         (fg.new.FinalizationGroup):
1422         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1423         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1424         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1425         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1426         (let.key.of.Object.getOwnPropertyNames):
1427         (set for):
1428         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1429         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1430         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1431         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1432         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1433         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1434         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1435         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1436         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1437         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1438         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1439         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1440         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1441         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1442         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1443         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1444         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1445         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1446         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1447         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1448         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1449         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1450         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1451         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1452         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1453         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1454         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1455         (assertParts):
1456         (assertPartsNumeric):
1457         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1458         (assertParts):
1459         (assertPartsNumeric):
1460         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1461         (assertParts):
1462         (assertPartsNumeric):
1463         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1464         (assertParts):
1465         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1466         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1467         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1468         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1469         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1470         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1471         (C.prototype.method):
1472         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1473         (C.prototype.method.innerFunction):
1474         (C.prototype.method):
1475         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1476         (C):
1477         (C.method):
1478         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1479         (C):
1480         (C.method.innerFunction):
1481         (C.method):
1482         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1483         (C):
1484         (C.checkPrivateGetter):
1485         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1486         (C):
1487         (C.method):
1488         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1489         (C):
1490         (C.method.innerFunction):
1491         (C.method):
1492         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1493         (C):
1494         (C.checkPrivateMethod):
1495         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1496         (C):
1497         (C.method):
1498         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1499         (C):
1500         (C.method.innerFunction):
1501         (C.method):
1502         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1503         (C):
1504         (C.checkPrivateSetter):
1505         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1506         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1507         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1508         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1509         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1510         (let.classStringExpression):
1511         (let.classStringExpression.access):
1512         (let.createAndInstantiateClass):
1513         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1514         (let.classStringExpression):
1515         (let.classStringExpression.access):
1516         (let.createAndInstantiateClass):
1517         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1518         (const.C):
1519         (let.createAndInstantiateClass):
1520         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1521         (let.classStringExpression.return.prototype.m):
1522         (let.classStringExpression.return.prototype.access):
1523         (let.createAndInstantiateClass):
1524         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1525         (let.classStringExpression.return.prototype.m):
1526         (let.classStringExpression.return.prototype.access):
1527         (let.createAndInstantiateClass):
1528         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1529         (let.classStringExpression):
1530         (let.classStringExpression.access):
1531         (let.createAndInstantiateClass):
1532         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1533         (let.classStringExpression.prototype.m):
1534         (let.classStringExpression.prototype.access):
1535         (let.classStringExpression):
1536         (let.createAndInstantiateClass):
1537         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1538         (let.classStringExpression.prototype.m):
1539         (let.classStringExpression.prototype.access):
1540         (let.classStringExpression):
1541         (let.createAndInstantiateClass):
1542         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1543         (const.C):
1544         (let.createAndInstantiateClass):
1545         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1546         (let.classStringExpression.return.C.prototype.m):
1547         (let.classStringExpression.return.C.prototype.access):
1548         (let.classStringExpression.return.C):
1549         (let.createAndInstantiateClass):
1550         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1551         (let.classStringExpression.return.C.prototype.m):
1552         (let.classStringExpression.return.C.prototype.access):
1553         (let.classStringExpression.return.C):
1554         (let.createAndInstantiateClass):
1555         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1556         (let.classStringExpression):
1557         (let.classStringExpression.access):
1558         (let.createAndInstantiateClass):
1559         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1560         (let.classStringExpression):
1561         (let.classStringExpression.access):
1562         (let.createAndInstantiateClass):
1563         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1564         (let.classStringExpression):
1565         (let.classStringExpression.access):
1566         (let.createAndInstantiateClass):
1567         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1568         (const.C):
1569         (let.createAndInstantiateClass):
1570         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1571         (let.classStringExpression.return.prototype.m):
1572         (let.classStringExpression.return.prototype.access):
1573         (let.createAndInstantiateClass):
1574         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1575         (let.classStringExpression.return.prototype.m):
1576         (let.classStringExpression.return.prototype.access):
1577         (let.createAndInstantiateClass):
1578         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1579         (let.classStringExpression):
1580         (let.classStringExpression.access):
1581         (let.createAndInstantiateClass):
1582         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1583         (new):
1584         (async):
1585         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1586         (A):
1587         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1588         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1589         * test262/test/language/identifiers/vals-cjk.js: Added.
1590         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1591         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1592         (C.prototype.method):
1593         (C):
1594         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1595         (C.prototype.method.innerFunction):
1596         (C.prototype.method):
1597         (C):
1598         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1599         (C.prototype.checkPrivateField):
1600         (C):
1601         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1602         (C):
1603         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1604         (C.prototype.getWithEval):
1605         (C):
1606         (D):
1607         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1608         (C.prototype.get m):
1609         (C.prototype.method):
1610         (C):
1611         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1612         (C.prototype.get m):
1613         (C.prototype.method.innerFunction):
1614         (C.prototype.method):
1615         (C):
1616         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1617         (let.createAndInstantiateClass):
1618         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1619         (C.prototype.get m):
1620         (C.prototype.checkPrivateGetter):
1621         (C):
1622         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1623         (C.prototype.get m):
1624         (C.prototype.checkPrivateGetter):
1625         (C):
1626         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1627         (C.prototype.get m):
1628         (C):
1629         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1630         (C.prototype.get m):
1631         (C.prototype.getWithEval):
1632         (C):
1633         (D.prototype.get m):
1634         (D):
1635         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1636         (C.prototype.m):
1637         (C.prototype.method):
1638         (C):
1639         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1640         (C.prototype.m):
1641         (C.prototype.method.innerFunction):
1642         (C.prototype.method):
1643         (C):
1644         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1645         (C.prototype.m):
1646         (C.prototype.checkPrivateMethod):
1647         (C):
1648         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1649         (C.prototype.m):
1650         (C.prototype.checkPrivateMethod):
1651         (C):
1652         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1653         (C.prototype.m):
1654         (C):
1655         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1656         (C.prototype.m):
1657         (C.prototype.getWithEval):
1658         (C):
1659         (D.prototype.m):
1660         (D):
1661         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1662         (C.prototype.set m):
1663         (C.prototype.method):
1664         (C):
1665         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1666         (C.prototype.set m):
1667         (C.prototype.method.innerFunction):
1668         (C.prototype.method):
1669         (C):
1670         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1671         (C.prototype.set m):
1672         (C.prototype.checkPrivateSetter):
1673         (C):
1674         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1675         (C.prototype.set m):
1676         (C.prototype.checkPrivateSetter):
1677         (C):
1678         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1679         (C.prototype.set m):
1680         (C):
1681         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1682         (C.prototype.set m):
1683         (C.prototype.setWithEval):
1684         (C):
1685         (D.prototype.set m):
1686         (D):
1687         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1688         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1689         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1690         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1691         (A.prototype.method):
1692         (A):
1693         (C.prototype.get m):
1694         (C.prototype.access):
1695         (C):
1696         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1697         (A.prototype.method):
1698         (A):
1699         (C.prototype.m):
1700         (C.prototype.access):
1701         (C):
1702         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1703         (A.prototype.method):
1704         (A):
1705         (C.prototype.set m):
1706         (C.prototype.access):
1707         (C):
1708         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1709         (A):
1710         * test262/test/language/statements/function/13.2-30-s.js:
1711         * test262/test262-Revision.txt:
1712
1713 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1714
1715         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1716         https://bugs.webkit.org/show_bug.cgi?id=199783
1717
1718         Reviewed by Mark Lam.
1719
1720         Fix our spec tests.
1721
1722         * wasm/js-api/Module-compile.js:
1723         * wasm/js-api/test_basic_api.js:
1724         (const.c.in.constructorProperties.switch):
1725         * wasm/js-api/validate.js:
1726         * wasm/js-api/web-assembly-instantiate.js:
1727         * wasm/spec-tests/jsapi.js:
1728         (testJSAPI.get test):
1729         (testJSAPI.set test):
1730
1731 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1732
1733         Unreviewed, rolling out r247440.
1734
1735         Broke builds
1736
1737         Reverted changeset:
1738
1739         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1740         issues"
1741         https://bugs.webkit.org/show_bug.cgi?id=199783
1742         https://trac.webkit.org/changeset/247440
1743
1744 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1745
1746         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1747         https://bugs.webkit.org/show_bug.cgi?id=199783
1748
1749         Reviewed by Mark Lam.
1750
1751         Fix our spec tests.
1752
1753         * wasm/js-api/Module-compile.js:
1754         * wasm/js-api/test_basic_api.js:
1755         (const.c.in.constructorProperties.switch):
1756         * wasm/js-api/validate.js:
1757         * wasm/js-api/web-assembly-instantiate.js:
1758         * wasm/spec-tests/jsapi.js:
1759         (testJSAPI.get test):
1760         (testJSAPI.set test):
1761
1762 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1763
1764         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1765         https://bugs.webkit.org/show_bug.cgi?id=196371
1766
1767         Reviewed by Keith Miller.
1768
1769         * microbenchmarks/mul-immediate-sub.js: Added.
1770         (doTest):
1771
1772 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1773
1774         [BigInt] Add ValueBitLShift into DFG
1775         https://bugs.webkit.org/show_bug.cgi?id=192664
1776
1777         Reviewed by Saam Barati.
1778
1779         We are adding tests to cover ValueBitwise operations AI changes.
1780
1781         * stress/big-int-left-shift-untyped.js: Added.
1782         * stress/bit-op-with-object-returning-int32.js:
1783         * stress/value-bit-and-ai-rule.js: Added.
1784         * stress/value-bit-lshift-ai-rule.js: Added.
1785         * stress/value-bit-or-ai-rule.js: Added.
1786         * stress/value-bit-xor-ai-rule.js: Added.
1787
1788 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1789
1790         Add b3 macro lowering for CheckMul on arm64
1791         https://bugs.webkit.org/show_bug.cgi?id=199251
1792
1793         Reviewed by Robin Morisset.
1794
1795         * microbenchmarks/check-mul-constant.js: Added.
1796         (doTest):
1797         * microbenchmarks/check-mul-no-constant.js: Added.
1798         (doTest):
1799         * microbenchmarks/check-mul-power-of-two.js: Added.
1800         (doTest):
1801
1802 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1803
1804         Optimize join of large empty arrays
1805         https://bugs.webkit.org/show_bug.cgi?id=199636
1806
1807         Reviewed by Mark Lam.
1808
1809         * microbenchmarks/large-empty-array-join.js: Added.
1810         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1811
1812 2019-07-06  Michael Saboff  <msaboff@apple.com>
1813
1814         switch(String) needs to check for exceptions when resolving the string
1815         https://bugs.webkit.org/show_bug.cgi?id=199541
1816
1817         Reviewed by Mark Lam.
1818
1819         New tests.
1820
1821         * stress/switch-string-oom.js: Added.
1822         (test):
1823         (testLowerTiers):
1824         (testFTL):
1825
1826 2019-07-05  Mark Lam  <mark.lam@apple.com>
1827
1828         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
1829         https://bugs.webkit.org/show_bug.cgi?id=199533
1830         <rdar://problem/52669111>
1831
1832         Reviewed by Filip Pizlo.
1833
1834         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1835
1836 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1837
1838         [JSC] Clean up ArraySpeciesCreate
1839         https://bugs.webkit.org/show_bug.cgi?id=182434
1840
1841         Reviewed by Yusuke Suzuki.
1842
1843         Adjusts error message expectations in stress tests.
1844
1845         * stress/array-flatmap.js:
1846         * stress/array-flatten.js:
1847         * stress/array-species-create-should-handle-masquerader.js:
1848         * test262/expectations.yaml: Mark 4 test cases as passing.
1849
1850 2019-07-02  Michael Saboff  <msaboff@apple.com>
1851
1852         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1853         https://bugs.webkit.org/show_bug.cgi?id=199395
1854
1855         Reviewed by Filip Pizlo.
1856
1857         New regession test.
1858
1859         * stress/for-of-tdz-with-try-catch.js: Added.
1860         (test):
1861         (i.catch):
1862
1863 2019-07-02  Keith Miller  <keith_miller@apple.com>
1864
1865         Frozen Arrays length assignment should throw in strict mode
1866         https://bugs.webkit.org/show_bug.cgi?id=199365
1867
1868         Reviewed by Yusuke Suzuki.
1869
1870         * stress/frozen-array-length-should-throw-strict.js: Added.
1871         (test):
1872
1873 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1874
1875         [Wasm-References] Disable references by default
1876         https://bugs.webkit.org/show_bug.cgi?id=199390
1877
1878         Reviewed by Saam Barati.
1879
1880         * wasm/references-spec-tests/ref_is_null.js:
1881         * wasm/references-spec-tests/ref_null.js:
1882         * wasm/references/anyref_globals.js:
1883         * wasm/references/anyref_modules.js:
1884         * wasm/references/anyref_table.js:
1885         * wasm/references/anyref_table_import.js:
1886         * wasm/references/element_parsing.js:
1887         * wasm/references/func_ref.js:
1888         * wasm/references/is_null.js:
1889         * wasm/references/multitable.js:
1890         * wasm/references/table_misc.js:
1891         * wasm/references/validation.js:
1892
1893 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1894
1895         Unreviewed, rolling out r246946.
1896
1897         Caused JSC test crashes on arm64
1898
1899         Reverted changeset:
1900
1901         "Add b3 macro lowering for CheckMul on arm64"
1902         https://bugs.webkit.org/show_bug.cgi?id=199251
1903         https://trac.webkit.org/changeset/246946
1904
1905 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1906
1907         Add b3 macro lowering for CheckMul on arm64
1908         https://bugs.webkit.org/show_bug.cgi?id=199251
1909
1910         Reviewed by Robin Morisset.
1911
1912         * microbenchmarks/check-mul-constant.js: Added.
1913         (doTest):
1914         * microbenchmarks/check-mul-no-constant.js: Added.
1915         (doTest):
1916         * microbenchmarks/check-mul-power-of-two.js: Added.
1917         (doTest):
1918
1919 2019-06-26  Keith Miller  <keith_miller@apple.com>
1920
1921         speciesConstruct needs to throw if the result is a DataView
1922         https://bugs.webkit.org/show_bug.cgi?id=199231
1923
1924         Reviewed by Mark Lam.
1925
1926         * stress/typedarray-filter.js:
1927         (subclasses.forEach):
1928         * stress/typedarray-map.js:
1929         (subclasses.forEach):
1930         * stress/typedarray-slice.js:
1931         (typedArrays.forEach):
1932         * stress/typedarray-subarray.js:
1933         (subclasses.forEach):
1934
1935 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1936
1937         Unreviewed, rolling out r246714.
1938         https://bugs.webkit.org/show_bug.cgi?id=199179
1939
1940         revert to do patch in a different way. (Requested by keith_mi_
1941         on #webkit).
1942
1943         Reverted changeset:
1944
1945         "All prototypes should call didBecomePrototype()"
1946         https://bugs.webkit.org/show_bug.cgi?id=196315
1947         https://trac.webkit.org/changeset/246714
1948
1949 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1950
1951         Add Array.prototype.{flat,flatMap} to unscopables
1952         https://bugs.webkit.org/show_bug.cgi?id=194322
1953
1954         Reviewed by Keith Miller.
1955
1956         * stress/unscopables.js: Fix test.
1957         * test262/expectations.yaml: Mark 2 test cases as passing.
1958
1959 2019-06-21  Mark Lam  <mark.lam@apple.com>
1960
1961         ArraySlice needs to keep the source array alive.
1962         https://bugs.webkit.org/show_bug.cgi?id=197374
1963         <rdar://problem/50304429>
1964
1965         Reviewed by Michael Saboff and Filip Pizlo.
1966
1967         * stress/array-slice-must-keep-source-array-alive.js: Added.
1968
1969 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1970
1971         All prototypes should call didBecomePrototype()
1972         https://bugs.webkit.org/show_bug.cgi?id=196315
1973
1974         Reviewed by Saam Barati.
1975
1976         * stress/function-prototype-indexed-accessor.js: Added.
1977
1978 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1979
1980         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1981         https://bugs.webkit.org/show_bug.cgi?id=197631
1982
1983         Reviewed by Saam Barati.
1984
1985         * stress/has-own-property-arguments.js: Added.
1986         (shouldBe):
1987         (A):
1988
1989 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1990
1991         [JSC] ClassExpr should not store result in the middle of evaluation
1992         https://bugs.webkit.org/show_bug.cgi?id=199106
1993
1994         Reviewed by Tadeu Zagallo.
1995
1996         * stress/class-expression-should-store-result-at-last.js: Added.
1997         (shouldThrow):
1998         (shouldThrow.let.a):
1999
2000 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2001
2002         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2003         https://bugs.webkit.org/show_bug.cgi?id=199044
2004
2005         Reviewed by Saam Barati.
2006
2007         Add wasm references spec tests as well as a worker test.
2008
2009         * wasm.yaml:
2010         * wasm/Builder_WebAssemblyBinary.js:
2011         (const.emitters.Element):
2012         * wasm/js-api/element.js:
2013         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2014         * wasm/references-spec-tests/ref_is_null.js: Added.
2015         (hostref):
2016         (is_hostref):
2017         (is_funcref):
2018         (eq_ref):
2019         (let.handler.get target):
2020         (register):
2021         (module):
2022         (instance):
2023         (call):
2024         (get instance):
2025         (exports):
2026         (run):
2027         (assert_malformed):
2028         (assert_invalid):
2029         (assert_unlinkable):
2030         (assert_uninstantiable):
2031         (assert_trap):
2032         (try.f):
2033         (catch):
2034         (assert_exhaustion):
2035         (assert_return):
2036         (assert_return_canonical_nan):
2037         (assert_return_arithmetic_nan):
2038         (assert_return_ref):
2039         (assert_return_func):
2040         * wasm/references-spec-tests/ref_null.js: Added.
2041         (hostref):
2042         (is_hostref):
2043         (is_funcref):
2044         (eq_ref):
2045         (let.handler.get target):
2046         (register):
2047         (module):
2048         (instance):
2049         (call):
2050         (get instance):
2051         (exports):
2052         (run):
2053         (assert_malformed):
2054         (assert_invalid):
2055         (assert_unlinkable):
2056         (assert_uninstantiable):
2057         (assert_trap):
2058         (try.f):
2059         (catch):
2060         (assert_exhaustion):
2061         (assert_return):
2062         (assert_return_canonical_nan):
2063         (assert_return_arithmetic_nan):
2064         (assert_return_ref):
2065         (assert_return_func):
2066         * wasm/references/element_parsing.js: Added.
2067         (module):
2068         * wasm/references/func_ref.js:
2069         * wasm/references/multitable.js:
2070         * wasm/references/table_misc.js:
2071         (TableSize.0.End.End.WebAssembly):
2072         * wasm/references/validation.js:
2073         (assert.throws):
2074
2075 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2076
2077         Optimize `resolve` method lookup in Promise static methods
2078         https://bugs.webkit.org/show_bug.cgi?id=198864
2079
2080         Reviewed by Yusuke Suzuki.
2081
2082         * test262/expectations.yaml: Mark 18 test cases as passing.
2083
2084 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2085
2086         [WASM-References] Rename anyfunc to funcref
2087         https://bugs.webkit.org/show_bug.cgi?id=198983
2088
2089         Reviewed by Yusuke Suzuki.
2090
2091         * wasm/function-tests/basic-element.js:
2092         * wasm/function-tests/context-switch.js:
2093         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2094         (makeInstance):
2095         (assert.eq.makeInstance):
2096         * wasm/function-tests/exceptions.js:
2097         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2098         * wasm/function-tests/grow-memory-2.js:
2099         (assert.eq.instance.exports.foo):
2100         * wasm/function-tests/nameSection.js:
2101         (const.compile):
2102         * wasm/function-tests/stack-overflow.js:
2103         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2104         (assertOverflows.makeInstance):
2105         * wasm/function-tests/table-basic-2.js:
2106         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2107         * wasm/function-tests/table-basic.js:
2108         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2109         * wasm/function-tests/trap-from-start-async.js:
2110         * wasm/function-tests/trap-from-start.js:
2111         * wasm/js-api/Module.exports.js:
2112         (assert.truthy):
2113         * wasm/js-api/Module.imports.js:
2114         (assert.truthy):
2115         * wasm/js-api/call-indirect.js:
2116         (const.oneTable):
2117         (const.multiTable):
2118         (multiTable.const.makeTable):
2119         (multiTable):
2120         (multiTable.Polyphic2Import):
2121         (multiTable.VirtualImport):
2122         * wasm/js-api/element-data.js:
2123         * wasm/js-api/element.js:
2124         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2125         (assert.throws):
2126         (badInstantiation.makeModule):
2127         (badInstantiation.test):
2128         (badInstantiation):
2129         * wasm/js-api/extension-MemoryMode.js:
2130         * wasm/js-api/table.js:
2131         (new.WebAssembly.Module):
2132         (assert.throws):
2133         (assertBadTableImport):
2134         (assert.throws.WebAssembly.Table.prototype.grow):
2135         (new.WebAssembly.Table):
2136         (assertBadTable):
2137         (assert.truthy):
2138         * wasm/js-api/test_basic_api.js:
2139         (const.c.in.constructorProperties.switch):
2140         * wasm/js-api/unique-signature.js:
2141         (CallIndirectWithDuplicateSignatures):
2142         * wasm/js-api/wrapper-function.js:
2143         * wasm/modules/table.wat:
2144         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2145         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2146         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2147         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2148         * wasm/references/anyref_table.js:
2149         * wasm/references/anyref_table_import.js:
2150         (doSet):
2151         (assert.throws):
2152         * wasm/references/func_ref.js:
2153         (makeFuncrefIdent):
2154         (assert.eq.instance.exports.fix):
2155         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2156         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2157         (let.importedFun.of):
2158         (makeAnyfuncIdent): Deleted.
2159         (makeAnyfuncIdent.fun): Deleted.
2160         * wasm/references/multitable.js:
2161         (assert.eq):
2162         (assert.throws):
2163         * wasm/references/table_misc.js:
2164         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2165         * wasm/references/validation.js:
2166         (assert.throws.new.WebAssembly.Module.bin):
2167         (assert.throws):
2168         * wasm/spec-harness/index.js:
2169         * wasm/spec-harness/wasm-constants.js:
2170         * wasm/spec-harness/wasm-module-builder.js:
2171         (WasmModuleBuilder.prototype.toArray):
2172         * wasm/spec-harness/wast.js:
2173         (elem_type):
2174         (string_of_elem_type):
2175         (string_of_table_type):
2176         * wasm/spec-tests/jsapi.js:
2177         * wasm/stress/wasm-table-grow-initialize.js:
2178         * wasm/wasm.json:
2179
2180 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2181
2182         [WASM-References] Add support for Table.size, grow and fill instructions
2183         https://bugs.webkit.org/show_bug.cgi?id=198761
2184
2185         Reviewed by Yusuke Suzuki.
2186
2187         * wasm/Builder_WebAssemblyBinary.js:
2188         (const.putOp):
2189         * wasm/references/table_misc.js: Added.
2190         (TableSize.End.End.WebAssembly):
2191         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2192         * wasm/wasm.json:
2193
2194 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2195
2196         [WASM-References] Add support for multiple tables
2197         https://bugs.webkit.org/show_bug.cgi?id=198760
2198
2199         Reviewed by Saam Barati.
2200
2201         * wasm/Builder.js:
2202         * wasm/js-api/call-indirect.js:
2203         (const.oneTable):
2204         (const.multiTable):
2205         (multiTable):
2206         (multiTable.Polyphic2Import):
2207         (multiTable.VirtualImport):
2208         (const.wasmModuleWhichImportJS): Deleted.
2209         (const.makeTable): Deleted.
2210         (): Deleted.
2211         (Polyphic2Import): Deleted.
2212         (VirtualImport): Deleted.
2213         * wasm/js-api/table.js:
2214         (new.WebAssembly.Module):
2215         (assert.throws):
2216         (assertBadTableImport):
2217         (assert.truthy):
2218         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2219         * wasm/references/anyref_table.js:
2220         * wasm/references/anyref_table_import.js:
2221         (makeImport):
2222         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2223         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2224         * wasm/references/multitable.js: Added.
2225         (assert.throws.1.exports.set_tbl0):
2226         (assert.throws):
2227         (assert.eq):
2228         * wasm/references/validation.js:
2229         (assert.throws.new.WebAssembly.Module.bin):
2230         (assert.throws):
2231         * wasm/spec-tests/imports.wast.js:
2232         * wasm/wasm.json:
2233
2234         * wasm/Builder.js:
2235         * wasm/js-api/call-indirect.js:
2236         (const.oneTable):
2237         (const.multiTable):
2238         (multiTable):
2239         (multiTable.Polyphic2Import):
2240         (multiTable.VirtualImport):
2241         (const.wasmModuleWhichImportJS): Deleted.
2242         (const.makeTable): Deleted.
2243         (): Deleted.
2244         (Polyphic2Import): Deleted.
2245         (VirtualImport): Deleted.
2246         * wasm/js-api/table.js:
2247         (new.WebAssembly.Module):
2248         (assert.throws):
2249         (assertBadTableImport):
2250         (assert.truthy):
2251         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2252         * wasm/references/anyref_table.js:
2253         * wasm/references/anyref_table_import.js:
2254         (makeImport):
2255         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2256         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2257         * wasm/references/func_ref.js:
2258         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2259         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2260         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2261         * wasm/references/multitable.js: Added.
2262         (assert.throws.1.exports.set_tbl0):
2263         (assert.throws):
2264         (assert.eq):
2265         (string_appeared_here.tableInsanity):
2266         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2267         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2268         * wasm/references/validation.js:
2269         (assert.throws.new.WebAssembly.Module.bin):
2270         (assert.throws):
2271         * wasm/spec-tests/imports.wast.js:
2272         * wasm/wasm.json:
2273
2274 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2275
2276         [ESNExt] String.prototype.matchAll
2277         https://bugs.webkit.org/show_bug.cgi?id=186694
2278
2279         Reviewed by Yusuke Suzuki.
2280
2281         Implement String.prototype.matchAll.
2282         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2283
2284         * test262/config.yaml:
2285
2286 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2287
2288         DFG code should not reify the names of builtin functions with private names
2289         https://bugs.webkit.org/show_bug.cgi?id=198849
2290         <rdar://problem/51733890>
2291
2292         Reviewed by Filip Pizlo.
2293
2294         * stress/builtin-private-function-name.js: Added.
2295         (then):
2296         (PromiseLike):
2297
2298 2019-06-18  Keith Miller  <keith_miller@apple.com>
2299
2300         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2301         https://bugs.webkit.org/show_bug.cgi?id=198969
2302         <rdar://problem/51620714>
2303
2304         Reviewed by Tadeu Zagallo.
2305
2306         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2307         (catch):
2308
2309 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2310
2311         Validate that table element type is funcref if using an element section
2312         https://bugs.webkit.org/show_bug.cgi?id=198910
2313
2314         Reviewed by Yusuke Suzuki.
2315
2316         * wasm/references/anyref_table.js:
2317
2318 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2319
2320         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2321         https://bugs.webkit.org/show_bug.cgi?id=197378
2322
2323         Reviewed by Saam Barati.
2324
2325         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2326         (foo):
2327         (bar):
2328         * stress/disposable-call-site-index.js: Added.
2329         (foo):
2330         (bar):
2331
2332 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2333
2334         [WASM-References] Add support for Funcref in parameters and return types
2335         https://bugs.webkit.org/show_bug.cgi?id=198157
2336
2337         Reviewed by Yusuke Suzuki.
2338
2339         * wasm/Builder.js:
2340         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2341         * wasm/references/anyref_globals.js:
2342         * wasm/references/func_ref.js: Added.
2343         (fullGC.gc.makeExportedFunction):
2344         (makeExportedIdent):
2345         (makeAnyfuncIdent):
2346         (fun):
2347         (assert.eq.instance.exports.fix.fun):
2348         (assert.eq.instance.exports.fix):
2349         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2350         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2351         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2352         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2353         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2354         (assert.throws):
2355         (assert.throws.doTest):
2356         (let.importedFun.of):
2357         (makeAnyfuncIdent.fun):
2358         * wasm/references/validation.js:
2359         (assert.throws):
2360         * wasm/wasm.json:
2361
2362 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2363
2364         Update test262 tests (2019.06.13)
2365         https://bugs.webkit.org/show_bug.cgi?id=198821
2366
2367         Reviewed by Konstantin Tokarev.
2368
2369         * test262/expectations.yaml:
2370         * test262/harness/:
2371         * test262/latest-changes-summary.txt:
2372         * test262/test/:
2373         * test262/test262-Revision.txt:
2374
2375 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2376
2377         [JSC] Grown region of WasmTable should be initialized with null
2378         https://bugs.webkit.org/show_bug.cgi?id=198903
2379
2380         Reviewed by Saam Barati.
2381
2382         * wasm/stress/wasm-table-grow-initialize.js: Added.
2383         (shouldBe):
2384
2385 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2386
2387         Yarr bytecode compilation failure should be gracefully handled
2388         https://bugs.webkit.org/show_bug.cgi?id=198700
2389
2390         Reviewed by Michael Saboff.
2391
2392         * stress/regexp-bytecode-compilation-fail.js: Added.
2393         (shouldThrow):
2394
2395 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2396
2397         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2398         https://bugs.webkit.org/show_bug.cgi?id=198770
2399
2400         Reviewed by Saam Barati.
2401
2402         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2403         (test):
2404
2405 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2406
2407         JSC should throw if proxy set returns falsish in strict mode context
2408         https://bugs.webkit.org/show_bug.cgi?id=177398
2409
2410         Reviewed by Yusuke Suzuki.
2411
2412         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2413         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2414
2415         * stress/proxy-set.js: Add 2 test cases.
2416         * stress/regexp-match-proxy.js: Fix test.
2417         * stress/regexp-replace-proxy.js: Fix test.
2418
2419 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2420
2421         Error message for non-callable Proxy `construct` trap is misleading
2422         https://bugs.webkit.org/show_bug.cgi?id=198637
2423
2424         Reviewed by Saam Barati.
2425
2426         * stress/proxy-construct.js:
2427
2428 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2429
2430         AI BitURShift's result should not be unsigned
2431         https://bugs.webkit.org/show_bug.cgi?id=198689
2432         <rdar://problem/51550063>
2433
2434         Reviewed by Saam Barati.
2435
2436         * stress/urshift-int32-overflow.js: Added.
2437         (foo.):
2438         (foo):
2439
2440 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2441
2442         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2443
2444         Unreviewed gardening.
2445
2446         * stress/ftl-gettypedarrayoffset-wasteful.js:
2447         Skipped on arm/linux as it always times out on the bot since a change
2448         between r246270 and r246278 inclusive.
2449
2450 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2451
2452         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2453         https://bugs.webkit.org/show_bug.cgi?id=198023
2454
2455         Reviewed by Saam Barati.
2456
2457         * stress/reparsing-unlinked-codeblock.js: Added.
2458         (shouldBe):
2459         (hello):
2460
2461 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2462
2463         [JSC] Use mergePrediction in ValuePow prediction propagation
2464         https://bugs.webkit.org/show_bug.cgi?id=198648
2465
2466         Reviewed by Saam Barati.
2467
2468         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2469
2470 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2471
2472         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2473         https://bugs.webkit.org/show_bug.cgi?id=198581
2474         <rdar://problem/51099753>
2475
2476         Reviewed by Saam Barati.
2477
2478         * stress/global-object-proto-getter.js: Added.
2479         (f):
2480         (test):
2481
2482 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2483
2484         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2485         https://bugs.webkit.org/show_bug.cgi?id=198398
2486
2487         Reviewed by Saam Barati.
2488
2489         * wasm/references/anyref_table.js: Added.
2490         (string_appeared_here.doGCSet):
2491         (doGCTest):
2492         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2493         * wasm/references/anyref_table_import.js: Added.
2494         (makeImport):
2495         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2496         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2497         * wasm/references/is_null_error.js: Removed.
2498         * wasm/references/validation.js: Added.
2499         (assert.throws.new.WebAssembly.Module.bin):
2500         (assert.throws):
2501         * wasm/wasm.json:
2502
2503 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2504
2505         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2506         https://bugs.webkit.org/show_bug.cgi?id=198106
2507
2508         Reviewed by Saam Barati.
2509
2510         * wasm/regress/selectf64.js: Added.
2511         * wasm/regress/selectf64.wasm: Added.
2512         * wasm/regress/selectf64.wat: Added.
2513
2514 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2515
2516         Argument elimination should check transitive dependents for interference
2517         https://bugs.webkit.org/show_bug.cgi?id=198520
2518         <rdar://problem/50863343>
2519
2520         Reviewed by Filip Pizlo.
2521
2522         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2523         (f2):
2524         (f3):
2525
2526 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2527
2528         Argument elimination should check for negative indices in GetByVal
2529         https://bugs.webkit.org/show_bug.cgi?id=198302
2530         <rdar://problem/51188095>
2531
2532         Reviewed by Filip Pizlo.
2533
2534         * stress/eliminate-arguments-negative-rest-access.js: Added.
2535         (inlinee):
2536         (opt):
2537
2538 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2539
2540         [ESNext][BigInt] Implement support for "**"
2541         https://bugs.webkit.org/show_bug.cgi?id=190799
2542
2543         Reviewed by Saam Barati.
2544
2545         * stress/big-int-exp-basic.js: Added.
2546         * stress/big-int-exp-jit-osr.js: Added.
2547         * stress/big-int-exp-jit-untyped.js: Added.
2548         * stress/big-int-exp-jit.js: Added.
2549         * stress/big-int-exp-negative-exponent.js: Added.
2550         * stress/big-int-exp-to-primitive.js: Added.
2551         * stress/big-int-exp-type-error.js: Added.
2552         * stress/big-int-exp-wrapped-value.js: Added.
2553         * stress/value-pow-ai-rule.js: Added.
2554
2555 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2556
2557         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2558         https://bugs.webkit.org/show_bug.cgi?id=197979
2559
2560         Reviewed by Filip Pizlo.
2561
2562         * stress/16bit-code.js: Added.
2563         (shouldBe):
2564         * stress/32bit-code.js: Added.
2565         (shouldBe):
2566
2567 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2568
2569         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2570         https://bugs.webkit.org/show_bug.cgi?id=198355
2571
2572         Reviewed by Saam Barati.
2573
2574         * wasm/references/is_null.js:
2575
2576 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2577
2578         [PlayStation] Skip additional tests on PlayStation
2579         https://bugs.webkit.org/show_bug.cgi?id=198352
2580
2581         Reviewed by Don Olmstead.
2582
2583         Skip pow test on PlayStation due to behavior difference in standard library.
2584         Skip incremental marking test due to OOM on PlayStation systems.
2585
2586         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2587         * stress/math-pow-with-constants.js:
2588         * stress/pow-with-constants.js:
2589
2590 2019-05-28  Dean Jackson  <dino@apple.com>
2591
2592         Implement Promise.allSettled
2593         https://bugs.webkit.org/show_bug.cgi?id=197600
2594         <rdar://problem/50483885>
2595
2596         Reviewed by Keith Miller.
2597
2598         Start testing Promise.allSettled. We pass most of the tests.
2599         The ones that fail are similar to the Promise.all tests we already fail.
2600
2601         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2602         * test262/expectations.yaml: Add new expectations for allSettled tests.
2603
2604 2019-05-28  Michael Saboff  <msaboff@apple.com>
2605
2606         [YARR] Properly handle RegExp's that require large ParenContext space
2607         https://bugs.webkit.org/show_bug.cgi?id=198065
2608
2609         Reviewed by Keith Miller.
2610
2611         New test.
2612
2613         * stress/regexp-large-paren-context.js: Added.
2614         (testLargeRegExp):
2615
2616 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2617
2618         JITOperations putByVal should mark negative array indices as out-of-bounds
2619         https://bugs.webkit.org/show_bug.cgi?id=198271
2620
2621         Reviewed by Saam Barati.
2622
2623         * microbenchmarks/get-by-val-negative-array-index.js:
2624         (foo):
2625         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2626         is 4.2x faster than the previous commit.
2627
2628         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2629         (foo):
2630
2631 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2632
2633         JITOperations getByVal should mark negative array indices as out-of-bounds
2634         https://bugs.webkit.org/show_bug.cgi?id=198229
2635
2636         Reviewed by Saam Barati.
2637
2638         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2639         (foo):
2640
2641 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2642
2643         [WASM-References] Support Anyref in globals
2644         https://bugs.webkit.org/show_bug.cgi?id=198102
2645
2646         Reviewed by Saam Barati.
2647
2648         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2649
2650         * wasm/Builder.js:
2651         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2652         * wasm/Builder_WebAssemblyBinary.js:
2653         (const.putInitExpr):
2654         * wasm/references/anyref_globals.js: Added.
2655         (GetGlobal.0.End.End.WebAssembly):
2656         (5.doGCSet):
2657         (doGCTest):
2658         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2659
2660 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2661
2662         DFG::OSREntry should not perform arity check
2663         https://bugs.webkit.org/show_bug.cgi?id=198189
2664
2665         Reviewed by Saam Barati.
2666
2667         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2668         (foo):
2669
2670 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2671
2672         [PlayStation] Skip additional tests on PlayStation
2673         https://bugs.webkit.org/show_bug.cgi?id=198145
2674
2675         Reviewed by Ross Kirsling.
2676
2677         * exceptionFuzz.yaml:
2678         Add skip on hostOS playstation
2679         * executableAllocationFuzz.yaml:
2680         Add skip on hostOS playstation
2681
2682 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2683
2684         createListFromArrayLike should throw if value is not an object
2685         https://bugs.webkit.org/show_bug.cgi?id=198138
2686
2687         Reviewed by Yusuke Suzuki.
2688
2689         * stress/create-list-from-array-like-not-object.js: Added.
2690         (testValid):
2691         (testInvalid):
2692         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2693         (opt):
2694         * stress/proxy-proto-enumerator.js: Added.
2695         (main):
2696         * stress/proxy-proto-own-keys.js: Added.
2697         (assert):
2698         (ownKeys):
2699
2700 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2701
2702         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2703         https://bugs.webkit.org/show_bug.cgi?id=197809
2704
2705         Reviewed by Michael Saboff.
2706
2707         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2708         (foo):
2709
2710 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2711
2712         [ESNext] Implement support for Numeric Separators
2713         https://bugs.webkit.org/show_bug.cgi?id=196351
2714
2715         Reviewed by Keith Miller.
2716
2717         * stress/numeric-literal-separators.js: Added.
2718         Add tests for feature.
2719
2720         * test262/expectations.yaml:
2721         Mark 60 test cases as passing.
2722
2723 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2724
2725         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2726         https://bugs.webkit.org/show_bug.cgi?id=198120
2727         <rdar://problem/49668795>
2728
2729         Reviewed by Michael Saboff.
2730
2731         * stress/get-array-length-concurrently-change-mode.js: Added.
2732         (main):
2733
2734 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2735
2736         Unreviewed, rolling out r245634.
2737         https://bugs.webkit.org/show_bug.cgi?id=198140
2738
2739         'This patch makes JSC crash on launch in debug builds'
2740         (Requested by tadeuzagallo on #webkit).
2741
2742         Reverted changeset:
2743
2744         "[ESNext] Implement support for Numeric Separators"
2745         https://bugs.webkit.org/show_bug.cgi?id=196351
2746         https://trac.webkit.org/changeset/245634
2747
2748 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2749
2750         Stack-buffer-overflow in decodeURIComponent
2751         https://bugs.webkit.org/show_bug.cgi?id=198109
2752         <rdar://problem/50397550>
2753
2754         Reviewed by Michael Saboff.
2755
2756         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2757         (i.j.try.i.toString):
2758         (i.j.catch):
2759
2760 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2761
2762         Don't clear PropertyNameArray in Proxy code
2763         https://bugs.webkit.org/show_bug.cgi?id=197691
2764
2765         Reviewed by Saam Barati.
2766
2767         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2768         (shouldBe):
2769         (opt):
2770
2771 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2772
2773         [ESNext] Implement support for Numeric Separators
2774         https://bugs.webkit.org/show_bug.cgi?id=196351
2775
2776         Reviewed by Keith Miller.
2777
2778         * stress/numeric-literal-separators.js: Added.
2779         Add tests for feature.
2780
2781         * test262/expectations.yaml:
2782         Mark 60 test cases as passing.
2783
2784 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2785
2786         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2787         https://bugs.webkit.org/show_bug.cgi?id=198101
2788
2789         Reviewed by Michael Saboff.
2790
2791         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2792         (shouldBe):
2793
2794 2019-05-20  Keith Miller  <keith_miller@apple.com>
2795
2796         Cleanup Yarr regexp code around paren contexts.
2797         https://bugs.webkit.org/show_bug.cgi?id=198063
2798
2799         Reviewed by Yusuke Suzuki.
2800
2801         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2802         (i.s):
2803         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2804
2805 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2806
2807         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2808         https://bugs.webkit.org/show_bug.cgi?id=197969
2809
2810         Reviewed by Keith Miller.
2811
2812         Support the anyref type in Builder.js, plus add some extra error logging.
2813         Add new folder for wasm references tests.
2814
2815         * wasm.yaml:
2816         * wasm/Builder.js:
2817         (const._isValidValue):
2818         * wasm/references/anyref_modules.js: Added.
2819         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2820         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2821         (Call.3.RefIsNull.End.End.WebAssembly):
2822         (undefined):
2823         * wasm/references/is_null.js: Added.
2824         * wasm/references/is_null_error.js: Added.
2825         * wasm/spec-harness/index.js:
2826         * wasm/wasm.json:
2827
2828 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2829
2830         [JSC] Invalid AssignmentTargetType should be an early error.
2831         https://bugs.webkit.org/show_bug.cgi?id=197603
2832
2833         Reviewed by Keith Miller.
2834
2835         * test262/expectations.yaml:
2836         Update expectations to reflect new SyntaxErrors.
2837         (Ideally, these should all be viewed as passing in the near future.)
2838
2839         * stress/async-await-basic.js:
2840         * stress/big-int-literals.js:
2841         Update tests to reflect new SyntaxErrors.
2842
2843         * ChakraCore.yaml:
2844         * ChakraCore/test/EH/try6.baseline-jsc:
2845         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2846         Update baselines to reflect new SyntaxErrors.
2847
2848 2019-05-15  Saam Barati  <sbarati@apple.com>
2849
2850         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2851         https://bugs.webkit.org/show_bug.cgi?id=197855
2852         <rdar://problem/50236506>
2853
2854         Reviewed by Michael Saboff.
2855
2856         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2857         (f0):
2858         (bar):
2859         (foo):
2860         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2861         (f1):
2862         (f2):
2863         (foo):
2864
2865 2019-05-14  Keith Miller  <keith_miller@apple.com>
2866
2867         Fix issue with byteOffset on ARM64E
2868         https://bugs.webkit.org/show_bug.cgi?id=197884
2869
2870         Reviewed by Saam Barati.
2871
2872         We didn't have any tests that run with non-byte/non-zero offset
2873         typed arrays.
2874
2875         * stress/ftl-gettypedarrayoffset-wasteful.js:
2876
2877 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2878
2879         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2880         https://bugs.webkit.org/show_bug.cgi?id=197833
2881
2882         Reviewed by Darin Adler.
2883
2884         * stress/generator-name.js: Added.
2885         (shouldBe):
2886         (gen):
2887         (catch):
2888
2889 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2890
2891         JSObject::getOwnPropertyDescriptor is missing an exception check
2892         https://bugs.webkit.org/show_bug.cgi?id=197693
2893         <rdar://problem/50441784>
2894
2895         Reviewed by Saam Barati.
2896
2897         * stress/proxy-spread.js: Added.
2898         (foo):
2899
2900 2019-05-10  Saam barati  <sbarati@apple.com>
2901
2902         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2903         https://bugs.webkit.org/show_bug.cgi?id=197807
2904         <rdar://problem/50530400>
2905
2906         Reviewed by Yusuke Suzuki.
2907
2908         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2909         (test.getInstance):
2910         (test):
2911
2912 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2913
2914         [Test262] Unreviewed expectations update following r245188.
2915
2916         * test262/config.yaml:
2917         * test262/expectations.yaml:
2918
2919         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2920         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2921         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2922         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2923         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2924         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2925         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2926         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2927         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2928         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2929         These files have invalid YAML comments. Will also submit corrections back to Test262.
2930
2931 2019-05-10  Keith Miller  <keith_miller@apple.com>
2932
2933         Update test262 tests.
2934
2935         Rubber-stamped by Yusuke Suzuki.
2936
2937         * test262/*: mega-patch too many things to list individually.
2938
2939 2019-05-09  Keith Miller  <keith_miller@apple.com>
2940
2941         Unreview, fix test to have a try-catch.
2942
2943         * stress/many-nested-functions-parser-stack-overflow.js:
2944         (catch):
2945
2946 2019-05-09  Keith Miller  <keith_miller@apple.com>
2947
2948         parseStatementListItem needs a stack overflow check
2949         https://bugs.webkit.org/show_bug.cgi?id=197749
2950
2951         Reviewed by Saam Barati.
2952
2953         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2954
2955 2019-05-08  Saam barati  <sbarati@apple.com>
2956
2957         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2958         https://bugs.webkit.org/show_bug.cgi?id=197715
2959         <rdar://problem/50399252>
2960
2961         Reviewed by Filip Pizlo.
2962
2963         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2964         (foo):
2965         (bar):
2966
2967 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2968
2969         Unreviewed, rolling out r245068.
2970
2971         Caused debug layout tests to exit early due to an assertion
2972         failure.
2973
2974         Reverted changeset:
2975
2976         "All prototypes should call didBecomePrototype()"
2977         https://bugs.webkit.org/show_bug.cgi?id=196315
2978         https://trac.webkit.org/changeset/245068
2979
2980 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2981
2982         Invalid DFG JIT genereation in high CPU usage state
2983         https://bugs.webkit.org/show_bug.cgi?id=197453
2984
2985         Reviewed by Saam Barati.
2986
2987         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2988         (trigger):
2989         (main):
2990
2991 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2992
2993         All prototypes should call didBecomePrototype()
2994         https://bugs.webkit.org/show_bug.cgi?id=196315
2995
2996         Reviewed by Saam Barati.
2997
2998         This changelog already landed, but the commit was missing the actual changes.
2999
3000         * stress/function-prototype-indexed-accessor.js: Added.
3001
3002 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3003
3004         [BigInt] Add ValueMod into DFG
3005         https://bugs.webkit.org/show_bug.cgi?id=186174
3006
3007         Reviewed by Saam Barati.
3008
3009         * microbenchmarks/mod-untyped.js: Added.
3010         * stress/big-int-mod-osr.js: Added.
3011         * stress/value-div-ai-rule.js: Added.
3012         * stress/value-mod-ai-rule.js: Added.
3013
3014 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3015
3016         [JSC] DFG_ASSERT failed in lowInt52
3017         https://bugs.webkit.org/show_bug.cgi?id=197569
3018
3019         Reviewed by Saam Barati.
3020
3021         * stress/getstack-int52.js: Added.
3022         (opt):
3023         (main):
3024
3025 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3026
3027         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3028         https://bugs.webkit.org/show_bug.cgi?id=197479
3029
3030         Reviewed by Saam Barati.
3031
3032         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3033         (shouldBe):
3034
3035 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3036
3037         TemplateObject passed to template literal tags are not always identical for the same source location.
3038         https://bugs.webkit.org/show_bug.cgi?id=190756
3039
3040         Reviewed by Saam Barati.
3041
3042         * complex.yaml:
3043         * complex/tagged-template-regeneration-after.js: Added.
3044         (shouldBe):
3045         * complex/tagged-template-regeneration.js: Added.
3046         (call):
3047         (test):
3048         * modules/tagged-template-inside-module.js: Added.
3049         (from.string_appeared_here.call):
3050         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3051         (call):
3052         (export.otherTaggedTemplates):
3053         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3054         (shouldBe):
3055         (call):
3056         (poly):
3057         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3058         (shouldBe):
3059         (call):
3060         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3061         (shouldBe):
3062         (call):
3063         (test):
3064         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3065         (shouldBe):
3066         (call):
3067         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3068         (shouldBe):
3069         (call):
3070         * stress/tagged-templates-in-multiple-functions.js: Added.
3071         (shouldBe):
3072         (call):
3073         (a):
3074         (b):
3075         (c):
3076         * stress/tagged-templates-with-same-start-offset.js: Added.
3077         (shouldBe):
3078
3079 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3080
3081         All prototypes should call didBecomePrototype()
3082         https://bugs.webkit.org/show_bug.cgi?id=196315
3083
3084         Reviewed by Saam Barati.
3085
3086         * stress/function-prototype-indexed-accessor.js: Added.
3087
3088 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3089
3090         Unreviewed, rolling out r244978.
3091         https://bugs.webkit.org/show_bug.cgi?id=197671
3092
3093         TemplateObject map should use start/end offsets (Requested by
3094         yusukesuzuki on #webkit).
3095
3096         Reverted changeset:
3097
3098         "TemplateObject passed to template literal tags are not always
3099         identical for the same source location."
3100         https://bugs.webkit.org/show_bug.cgi?id=190756
3101         https://trac.webkit.org/changeset/244978
3102
3103 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3104
3105         tryCachePutByID should not crash if target offset changes
3106         https://bugs.webkit.org/show_bug.cgi?id=197311
3107         <rdar://problem/48033612>
3108
3109         Reviewed by Filip Pizlo.
3110
3111         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
3112         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
3113
3114         * stress/cache-put-by-id-delete-prototype.js: Added.
3115         (A.prototype.set y):
3116         (A):
3117         (B.prototype.set y):
3118         (B):
3119         (C):
3120         * stress/cache-put-by-id-different-__proto__.js: Added.
3121         (A.prototype.set y):
3122         (A):
3123         (B1):
3124         (B2.prototype.set y):
3125         (B2):
3126         (C):
3127         (D):
3128         * stress/cache-put-by-id-different-attributes.js: Added.
3129         (Foo):
3130         (set x):
3131         * stress/cache-put-by-id-different-offset.js: Added.
3132         (Foo):
3133         (set x):
3134         * stress/cache-put-by-id-insert-prototype.js: Added.
3135         (A.prototype.set y):
3136         (A):
3137         (C):
3138         * stress/cache-put-by-id-poly-proto.js: Added.
3139         (Foo):
3140         (set _):
3141         (createBar.Bar):
3142         (createBar):
3143
3144 2019-05-07  Saam Barati  <sbarati@apple.com>
3145
3146         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3147         https://bugs.webkit.org/show_bug.cgi?id=197531
3148         <rdar://problem/50162379>
3149
3150         Reviewed by Yusuke Suzuki.
3151
3152         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3153
3154 2019-05-06  Dean Jackson  <dino@apple.com>
3155
3156         Update test262 expectations for Proxy passes
3157         https://bugs.webkit.org/show_bug.cgi?id=197628
3158
3159         Reviewed by Yusuke Suzuki.
3160
3161         There are two consistent passes in Proxy.ownKeys.
3162
3163         * test262/expectations.yaml:
3164
3165 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3166
3167         [JSC] We should check OOM for description string of Symbol
3168         https://bugs.webkit.org/show_bug.cgi?id=197634
3169
3170         Reviewed by Keith Miller.
3171
3172         * stress/check-symbol-description-oom.js: Added.
3173         (shouldThrow):
3174
3175 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3176
3177         Unreviewed, land one more test
3178         https://bugs.webkit.org/show_bug.cgi?id=197587
3179
3180         * stress/setter-frame-flush.js: Added.
3181         (setter):
3182         (foo):
3183         (bar):
3184
3185 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3186
3187         TemplateObject passed to template literal tags are not always identical for the same source location.
3188         https://bugs.webkit.org/show_bug.cgi?id=190756
3189
3190         Reviewed by Saam Barati.
3191
3192         * complex.yaml:
3193         * complex/tagged-template-regeneration-after.js: Added.
3194         (shouldBe):
3195         * complex/tagged-template-regeneration.js: Added.
3196         (call):
3197         (test):
3198         * modules/tagged-template-inside-module.js: Added.
3199         (from.string_appeared_here.call):
3200         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3201         (call):
3202         (export.otherTaggedTemplates):
3203         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3204         (shouldBe):
3205         (call):
3206         (poly):
3207         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3208         (shouldBe):
3209         (call):
3210         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3211         (shouldBe):
3212         (call):
3213         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3214         (shouldBe):
3215         (call):
3216         * stress/tagged-templates-in-multiple-functions.js: Added.
3217         (shouldBe):
3218         (call):
3219         (a):
3220         (b):
3221         (c):
3222
3223 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3224
3225         [PlayStation] JSC Stress tests failing due to timezone printing
3226         https://bugs.webkit.org/show_bug.cgi?id=197615
3227
3228         PlayStation's strftime does not give timezone strings, which
3229         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3230         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3231         which causes diff failures with the expectations. Add expectations
3232         without the timezone string and use those on playstation.
3233
3234         Reviewed by Ross Kirsling.
3235
3236         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3237         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3238         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3239         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3240
3241 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3242
3243         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3244         https://bugs.webkit.org/show_bug.cgi?id=197587
3245
3246         Reviewed by Sam Weinig.
3247
3248         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3249
3250         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3251
3252 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3253
3254         TypedArrays should not store properties that are canonical numeric indices
3255         https://bugs.webkit.org/show_bug.cgi?id=197228
3256         <rdar://problem/49557381>
3257
3258         Reviewed by Saam Barati.
3259
3260         * stress/array-species-config-array-constructor.js:
3261         (test):
3262         * stress/put-direct-index-broken-2.js:
3263         * stress/typed-array-canonical-numeric-index-string.js: Added.
3264         (makeTest.assert):
3265         (makeTest):
3266         (const.testInvalidIndices.makeTest.set assert):
3267         (const.testInvalidIndices.makeTest):
3268         (const.makeTestValidIndex.configurable.set assert):
3269         (const.makeTestValidIndex.configurable):
3270         * stress/typedarray-access-monomorphic-neutered.js:
3271         (checkNoException):
3272         (testNoException):
3273         (testFTLNoException):
3274         * stress/typedarray-access-neutered.js:
3275         (testNoException):
3276         * stress/typedarray-getownproperty-not-configurable.js:
3277         (foo):
3278         * test262/expectations.yaml:
3279
3280 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3281
3282         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3283         https://bugs.webkit.org/show_bug.cgi?id=197584
3284
3285         Reviewed by Saam Barati.
3286
3287         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3288         (X):
3289         (foo):
3290
3291 2019-05-03  Michael Saboff  <msaboff@apple.com>
3292
3293         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3294         https://bugs.webkit.org/show_bug.cgi?id=197586
3295
3296         Reviewed by Keith Miller.
3297
3298         We should only run one config of this test and only when we think we'll have the memory.
3299
3300         * stress/json-stringify-string-builder-overflow.js:
3301
3302 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3303
3304         [JSC] Generator CodeBlock generation should be idempotent
3305         https://bugs.webkit.org/show_bug.cgi?id=197552
3306
3307         Reviewed by Keith Miller.
3308
3309         Add complex.yaml, which controls how to run JSC shell more.
3310         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3311
3312         * complex.yaml: Added.
3313         * complex/generator-regeneration-after.js: Added.
3314         * complex/generator-regeneration.js: Added.
3315         (gen):
3316
3317 2019-05-02  Michael Saboff  <msaboff@apple.com>
3318
3319         Unreviewed rollout of r244862.
3320
3321         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3322
3323 2019-05-01  Saam barati  <sbarati@apple.com>
3324
3325         Baseline JIT should do argument value profiling after checking for stack overflow
3326         https://bugs.webkit.org/show_bug.cgi?id=197052
3327         <rdar://problem/50009602>
3328
3329         Reviewed by Yusuke Suzuki.
3330
3331         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3332
3333 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3334
3335         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3336         https://bugs.webkit.org/show_bug.cgi?id=197405
3337
3338         Reviewed by Saam Barati.
3339
3340         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3341         (foo):
3342         (test):
3343         (i.o.get f):
3344         (i.o.set f):
3345
3346 2019-05-01  Michael Saboff  <msaboff@apple.com>
3347
3348         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3349         https://bugs.webkit.org/show_bug.cgi?id=197485
3350
3351         Reviewed by Saam Barati.
3352
3353         New test.
3354
3355         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3356         (foo):
3357
3358 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3359
3360         Unreviewed correction to Test262 expectations following r244828.
3361
3362         * test262/expectations.yaml:
3363
3364 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3365
3366         Add memory-limited skipping to some tests generating very large strings
3367         https://bugs.webkit.org/show_bug.cgi?id=197437
3368
3369         Reviewed by Ross Kirsling.
3370
3371         * stress/StringObject-define-length-getter-rope-string-oom.js:
3372         * stress/create-error-out-of-memory-rope-string.js:
3373         * stress/string-16bit-repeat-overflow.js:
3374
3375 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3376
3377         Unreviewed, rolling out r244806.
3378         https://bugs.webkit.org/show_bug.cgi?id=197446
3379
3380         Causing Test262 and JSC test failures on multiple builds
3381         (Requested by ShawnRoberts on #webkit).
3382
3383         Reverted changeset:
3384
3385         "TypeArrays should not store properties that are canonical
3386         numeric indices"
3387         https://bugs.webkit.org/show_bug.cgi?id=197228
3388         https://trac.webkit.org/changeset/244806
3389
3390 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3391
3392         TypeArrays should not store properties that are canonical numeric indices
3393         https://bugs.webkit.org/show_bug.cgi?id=197228
3394         <rdar://problem/49557381>
3395
3396         Reviewed by Darin Adler.
3397
3398         * stress/typed-array-canonical-numeric-index-string.js: Added.
3399         (makeTest.assert):
3400         (makeTest):
3401         (const.testInvalidIndices.makeTest.set assert):
3402         (const.testInvalidIndices.makeTest):
3403         (const.testValidIndices.makeTest.set assert):
3404         (const.testValidIndices.makeTest):
3405
3406 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3407
3408         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3409         https://bugs.webkit.org/show_bug.cgi?id=197362
3410
3411         Reviewed by Saam Barati.
3412
3413         * stress/map-with-nan.js: Added.
3414         (shouldBe):
3415         (div):
3416         (NaN1):
3417         (NaN2):
3418         (NaN3):
3419         (NaN4):
3420         (NaN1NoInline):
3421         (NaN2NoInline):
3422         (NaN3NoInline):
3423         (NaN4NoInline):
3424         (test1):
3425         (test2):
3426         (test3):
3427         (test4):
3428         * stress/set-with-nan.js: Added.
3429         (shouldBe):
3430         (div):
3431         (NaN1):
3432         (NaN2):
3433         (NaN3):
3434         (NaN4):
3435         (NaN1NoInline):
3436         (NaN2NoInline):
3437         (NaN3NoInline):
3438         (NaN4NoInline):
3439         (test2):
3440         (test4):
3441
3442 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3443
3444         Unreviewed, rolling out r244708.
3445         https://bugs.webkit.org/show_bug.cgi?id=197334
3446
3447         "Broke the debug build" (Requested by rmorisset on #webkit).
3448
3449         Reverted changeset:
3450
3451         "All prototypes should call didBecomePrototype()"
3452         https://bugs.webkit.org/show_bug.cgi?id=196315
3453         https://trac.webkit.org/changeset/244708
3454
3455 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3456
3457         [JSC] linkPolymorphicCall now does GC
3458         https://bugs.webkit.org/show_bug.cgi?id=197306
3459
3460         Reviewed by Saam Barati.
3461
3462         * stress/link-polymorphic-call-can-gc.js: Added.
3463         (module):
3464         (instance):
3465
3466 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3467
3468         All prototypes should call didBecomePrototype()
3469         https://bugs.webkit.org/show_bug.cgi?id=196315
3470
3471         Reviewed by Saam Barati.
3472
3473         * stress/function-prototype-indexed-accessor.js: Added.
3474
3475 2019-04-23  Saam Barati  <sbarati@apple.com>
3476
3477         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3478         https://bugs.webkit.org/show_bug.cgi?id=196721
3479         <rdar://problem/49556479> 
3480
3481         Reviewed by Filip Pizlo.
3482
3483         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3484         (foo):
3485
3486 2019-04-19  Saam Barati  <sbarati@apple.com>
3487
3488         AbstractValue can represent more than int52
3489         https://bugs.webkit.org/show_bug.cgi?id=197118
3490         <rdar://problem/49969960>
3491
3492         Reviewed by Michael Saboff.
3493
3494         * stress/abstract-value-can-include-int52.js: Added.
3495         (foo):
3496         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3497
3498 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3499
3500         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3501         https://bugs.webkit.org/show_bug.cgi?id=197053
3502
3503         Reviewed by Saam Barati.
3504
3505         * stress/merge-string-builder-in-dfg.js: Added.
3506         (foo):
3507
3508 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3509
3510         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3511         https://bugs.webkit.org/show_bug.cgi?id=176810
3512
3513         Reviewed by Saam Barati.
3514
3515         Add tests for the DontEnum filtering, and variations of other tests
3516         take the DontEnum-filtering path.
3517
3518         * stress/proxy-own-keys.js:
3519         (i.catch):
3520         (set assert):
3521         (set add):
3522         (let.set new):
3523         (get let):
3524
3525 2019-04-15  Saam barati  <sbarati@apple.com>
3526
3527         Modify how we do SetArgument when we inline varargs calls
3528         https://bugs.webkit.org/show_bug.cgi?id=196712
3529         <rdar://problem/49605012>
3530
3531         Reviewed by Michael Saboff.
3532
3533         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3534         (foo):
3535
3536 2019-04-15  Saam barati  <sbarati@apple.com>
3537
3538         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3539         https://bugs.webkit.org/show_bug.cgi?id=196945
3540         <rdar://problem/49802750>
3541
3542         Reviewed by Filip Pizlo.
3543
3544         * stress/get-by-offset-should-use-correct-child.js: Added.
3545         (foo.bar):
3546         (foo):
3547
3548 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3549
3550         DFG should be able to constant fold Object.create() with a constant prototype operand
3551         https://bugs.webkit.org/show_bug.cgi?id=196886
3552
3553         Reviewed by Yusuke Suzuki.
3554
3555         Note that this new benchmark does not currently see a speedup with inlining removed.
3556         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3557
3558         * microbenchmarks/object-create-constant-prototype.js: Added.
3559         (test):
3560
3561 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3562
3563         Incremental bytecode cache should not append function updates when loaded from memory
3564         https://bugs.webkit.org/show_bug.cgi?id=196865
3565
3566         Reviewed by Filip Pizlo.
3567
3568         * stress/bytecode-cache-shared-code-block.js: Added.
3569         (b):
3570         (program):
3571
3572 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3573
3574         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3575         https://bugs.webkit.org/show_bug.cgi?id=196880
3576
3577         Reviewed by Yusuke Suzuki.
3578
3579         * stress/bytecode-cache-syntax-error.js: Added.
3580         (catch):
3581
3582 2019-04-12  Saam barati  <sbarati@apple.com>
3583
3584         r244079 logically broke shouldSpeculateInt52
3585         https://bugs.webkit.org/show_bug.cgi?id=196884
3586
3587         Reviewed by Yusuke Suzuki.
3588
3589         * microbenchmarks/int52-rand-function.js: Added.
3590         (Math.random):
3591
3592 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3593
3594         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3595         https://bugs.webkit.org/show_bug.cgi?id=196850
3596
3597         Reviewed by Saam Barati.
3598
3599         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3600         (foo):
3601
3602 2019-04-11  Saam barati  <sbarati@apple.com>
3603
3604         Remove invalid assertion in operationInstanceOfCustom
3605         https://bugs.webkit.org/show_bug.cgi?id=196842
3606         <rdar://problem/49725493>
3607
3608         Reviewed by Michael Saboff.
3609
3610         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3611
3612 2019-04-10  Saam Barati  <sbarati@apple.com>
3613
3614         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3615         https://bugs.webkit.org/show_bug.cgi?id=196801
3616         <rdar://problem/49771122>
3617
3618         Reviewed by Yusuke Suzuki.
3619
3620         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3621
3622 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3623
3624         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3625         https://bugs.webkit.org/show_bug.cgi?id=196746
3626
3627         Reviewed by Yusuke Suzuki.
3628
3629         * stress/cyclic-define-properties.js: Added.
3630         (foo):
3631
3632 2019-04-09  Saam barati  <sbarati@apple.com>
3633
3634         Clean up Int52 code and some bugs in it
3635         https://bugs.webkit.org/show_bug.cgi?id=196639
3636         <rdar://problem/49515757>
3637
3638         Reviewed by Yusuke Suzuki.
3639
3640         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3641
3642 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3643
3644         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3645         https://bugs.webkit.org/show_bug.cgi?id=196708
3646         <rdar://problem/49556803>
3647
3648         Reviewed by Yusuke Suzuki.
3649
3650         * stress/proxy-getter-stack-overflow.js: Added.
3651         (const.handler.get target):
3652         (const.handler.has):
3653         (try.with):
3654         (catch):
3655
3656 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3657
3658         [JSC] DFG should respect node's strict flag
3659         https://bugs.webkit.org/show_bug.cgi?id=196617
3660
3661         Reviewed by Saam Barati.
3662
3663         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3664         (shouldEqual):
3665         (makeUnwriteableUnconfigurableObject):
3666         (runTest):
3667         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3668         (shouldBe):
3669         (shouldThrow):
3670         (with.result):
3671         (with.putValueStrict):
3672         (with.putValueSloppy):
3673
3674 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3675
3676         [JSC] isRope jump in StringSlice should not jump over register allocations
3677         https://bugs.webkit.org/show_bug.cgi?id=196716
3678
3679         Reviewed by Saam Barati.
3680
3681         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3682         (foo.bar):
3683         (foo):
3684
3685 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3686
3687         [JSC] to_index_string should not assume incoming value is Uint32
3688         https://bugs.webkit.org/show_bug.cgi?id=196713
3689
3690         Reviewed by Saam Barati.
3691
3692         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
3693         (foo):
3694
3695 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3696
3697         [JSC] Add more tests for r243966
3698         https://bugs.webkit.org/show_bug.cgi?id=196711
3699
3700         Reviewed by Saam Barati.
3701
3702         Adding one more test for r243966 fix. The added test will not crash after r243966.
3703
3704         * stress/stress-cleared-calllinkinfo.js: Added.
3705         (runNearStackLimit.t):
3706         (runNearStackLimit):
3707         (repeat):
3708         (cls):