[JSC] GetterSetter should be JSCell, not JSObject
[WebKit-https.git] / JSTests / ChangeLog
1 2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] GetterSetter should be JSCell, not JSObject
4         https://bugs.webkit.org/show_bug.cgi?id=202656
5
6         Reviewed by Tadeu Zagallo and Saam Barati.
7
8         * stress/getter-setter-should-be-cell.js: Added.
9         (foo.with.):
10         (foo.with.get for):
11         (foo.with.bar):
12         (foo):
13
14 2019-10-08  Alexey Shvayka  <shvaikalesh@gmail.com>
15
16         JSON.parse incorrectly handles array proxies
17         https://bugs.webkit.org/show_bug.cgi?id=199292
18
19         Reviewed by Saam Barati.
20
21         * microbenchmarks/json-parse-array-reviver-same-value.js: Added.
22         * microbenchmarks/json-parse-array-reviver.js: Added.
23         * microbenchmarks/json-parse-object-reviver-same-value.js: Added.
24         * microbenchmarks/json-parse-object-reviver.js: Added.
25         * stress/json-parse-reviver-array-proxy.js: Added.
26         * stress/json-parse-reviver-revoked-proxy.js: Added.
27         * test262/expectations.yaml: Mark 6 test cases as passing.
28
29 2019-10-08  Ross Kirsling  <ross.kirsling@sony.com>
30
31         Update test262 (2019.10.08).
32
33         Rubber-stamped by Keith Miller.
34
35         * test262/config.yaml:
36         * test262/expectations.yaml:
37         * test262/latest-changes-summary.txt:
38         * test262/test/:
39         * test262/test262-Revision.txt:
40
41 2019-10-07  Saam Barati  <sbarati@apple.com>
42
43         Allow OSR exit to the LLInt
44         https://bugs.webkit.org/show_bug.cgi?id=197993
45
46         Reviewed by Tadeu Zagallo.
47
48         * stress/exit-from-getter-by-val.js: Added.
49         * stress/exit-from-setter-by-val.js: Added.
50
51 2019-10-07  Matt Lewis  <jlewis3@apple.com>
52
53         Unreviewed, rolling out r250750.
54
55         Reverting change as this broke interal test over the weekend.
56
57         Reverted changeset:
58
59         "Allow OSR exit to the LLInt"
60         https://bugs.webkit.org/show_bug.cgi?id=197993
61         https://trac.webkit.org/changeset/250750
62
63 2019-10-04  Saam Barati  <sbarati@apple.com>
64
65         Allow OSR exit to the LLInt
66         https://bugs.webkit.org/show_bug.cgi?id=197993
67
68         Reviewed by Tadeu Zagallo.
69
70         * stress/exit-from-getter-by-val.js: Added.
71         * stress/exit-from-setter-by-val.js: Added.
72
73 2019-10-04  Paulo Matos  <pmatos@igalia.com>
74
75         Revert regexp test skip on armv7l and mips
76         https://bugs.webkit.org/show_bug.cgi?id=202310
77
78         Reviewed by Žan Doberšek.
79
80         Test was skipped in bug 202113 on armv7l and mips due to bug 202041.
81         Bug 202041 is fixed and change of bug 202113 can be reverted.
82
83         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
84
85 2019-10-02  Mark Lam  <mark.lam@apple.com>
86
87         DoubleToStringConverter::ToExponential() should null terminate its string.
88         https://bugs.webkit.org/show_bug.cgi?id=202492
89         <rdar://problem/55907708>
90
91         Reviewed by Filip Pizlo.
92
93         * stress/dtoa-AddSubstring-should-uses-strnlen-in-assertion.js: Added.
94
95 2019-10-02  Yusuke Suzuki  <ysuzuki@apple.com>
96
97         [JSC] AsyncGenerator should have internal fields
98         https://bugs.webkit.org/show_bug.cgi?id=201498
99
100         Reviewed by Saam Barati.
101
102         * stress/async-generator-construct-failure.js: Added.
103         (shouldThrow):
104         (async.gen):
105         (TypeError):
106         * stress/async-generator-prototype-change.js: Added.
107         (shouldBe):
108         (async.gen):
109         * stress/async-generator-prototype-closure.js: Added.
110         (shouldBe):
111         (test.async.gen):
112         (test):
113         * stress/create-async-generator.js: Added.
114         (shouldBe):
115         (test.async.generator):
116         (test):
117
118 2019-10-01  Saam Barati  <sbarati@apple.com>
119
120         ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
121         https://bugs.webkit.org/show_bug.cgi?id=199361
122         <rdar://problem/52454940>
123
124         Reviewed by Yusuke Suzuki.
125
126         * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
127         (main.fn):
128         (main.executor):
129         (main):
130         * stress/allocation-sinking-hints-are-valid-ssa.js: Added.
131         (main.fn):
132         (main.executor):
133         (main):
134
135 2019-10-01  Keith Miller  <keith_miller@apple.com>
136
137         skip test until we figure out why it's timing out
138         https://bugs.webkit.org/show_bug.cgi?id=202423
139
140         Reviewed by Mark Lam.
141
142         new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
143         Let's skip it until we figure out what's going on.
144
145         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
146
147 2019-10-01  Keith Miller  <keith_miller@apple.com>
148
149         Mark toctou test as skipped on debug builds
150         https://bugs.webkit.org/show_bug.cgi?id=202420
151
152         Reviewed by Saam Barati.
153
154         Keeps timing out... Let's just skip it.
155
156         * stress/toctou-having-a-bad-time-new-array.js:
157
158 2019-10-01  Keith Miller  <keith_miller@apple.com>
159
160         Test262 update
161
162         Rubber-stamped by Michael Saboff.
163
164         Note, this was too big to effectivetly put on bugzilla as it's a 10MB patch...
165
166         * test262/*:
167
168 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
169
170         [YARR] Properly handle surrogates when matching back references
171         https://bugs.webkit.org/show_bug.cgi?id=202041
172
173         Reviewed by Keith Miller.
174
175         Unchanged from the workin progress patch posted by Paulo Matos <pmatos@igalia.com>.
176
177         Updated test.
178
179         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
180         (testRegExpNotMatch):
181
182 2019-10-01  Keith Miller  <keith_miller@apple.com>
183
184         Add support for the Wasm multi-value proposal
185         https://bugs.webkit.org/show_bug.cgi?id=202250
186
187         Reviewed by Saam Barati.
188
189         This patch adds a new way to run stress tests via the .wat text
190         format. By attaching an asm.js compiled version of the wabt tool
191         we can easily create wat files programatically and convert them
192         into a wasm blob to compile. To make this easy there is a
193         wabt-wrapper.js module file that exports two useful functions that
194         correspond to WebAssembly.compile and WebAssembly.instantiate.
195
196         * wasm.yaml:
197         * wasm/function-tests/if-no-else-non-void.js:
198         * wasm/js-api/web-assembly-instantiate.js:
199         (assert.asyncTest.async.test):
200         (assert.asyncTest):
201         * wasm/libwabt.js: Added.
202         (WabtModule):
203         (set get if):
204         * wasm/references/func_ref.js:
205         * wasm/references/validation.js:
206         (assert.throws):
207         * wasm/spec-harness/index.js:
208         * wasm/spec-tests/block.wast.js:
209         * wasm/spec-tests/br.wast.js:
210         * wasm/spec-tests/br_if.wast.js:
211         * wasm/spec-tests/call.wast.js:
212         * wasm/spec-tests/call_indirect.wast.js:
213         * wasm/spec-tests/func.wast.js:
214         * wasm/spec-tests/if.wast.js:
215         * wasm/spec-tests/loop.wast.js:
216         * wasm/spec-tests/type.wast.js:
217         * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
218         (buildWat):
219         * wasm/stress/js-wasm-js-varying-arities.js: Added.
220         (paramForwarder):
221         * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
222         (buildWat):
223         * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
224         (buildWat.throwError):
225         (buildWat.throwErrorInIterator):
226         (buildWat.tooManyValues):
227         (buildWat.tooFewValues):
228         (buildWat):
229         * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
230         (buildWat):
231         * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
232         (buildWat):
233         * wasm/wabt-wrapper.js: Added.
234         (export.compile):
235         * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
236         * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
237         * wasm/wast-tests/harness.js:
238         (async.runWasmFile):
239         * wasm/wast-tests/single-param-loop-signature.wasm: Added.
240         * wasm/wast-tests/single-param-loop-signature.wast: Added.
241
242 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
243
244         Make assertion in JSObject::putOwnDataProperty more precise
245         https://bugs.webkit.org/show_bug.cgi?id=202379
246         <rdar://problem/49515980>
247
248         Reviewed by Yusuke Suzuki.
249
250         * stress/object-assign-target-proto-setter.js: Added.
251         (get Object):
252
253 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
254
255         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
256         https://bugs.webkit.org/show_bug.cgi?id=202389
257         <rdar://problem/50717564>
258
259         Reviewed by Mark Lam.
260
261         * stress/heap-analyzer-taking-lock.js: Added.
262
263 2019-09-30  Saam Barati  <sbarati@apple.com>
264
265         Inline caching is wrong for custom accessors and custom values
266         https://bugs.webkit.org/show_bug.cgi?id=201994
267         <rdar://problem/50850326>
268
269         Reviewed by Yusuke Suzuki.
270
271         * microbenchmarks/custom-accessor-materialized.js: Added.
272         (assert):
273         (test4.get const):
274         * microbenchmarks/custom-accessor-thin-air.js: Added.
275         (assert):
276         (test5.get const):
277         (test5.get proto):
278         * microbenchmarks/custom-accessor.js: Added.
279         (assert):
280         (test3.get const):
281         * microbenchmarks/custom-value-2.js: Added.
282         (assert):
283         (test1.getMultiline):
284         (test1):
285         * microbenchmarks/custom-value.js: Added.
286         (assert):
287         (test1.getMultiline):
288         (test1):
289         * stress/custom-accessor-delete-1.js: Added.
290         (assert):
291         (test3.get const):
292         * stress/custom-accessor-delete-2.js: Added.
293         (assert):
294         (test4.get const):
295         * stress/custom-accessor-delete-3.js: Added.
296         (assert):
297         (test5.get const):
298         (test5.get proto):
299         * stress/custom-value-delete-property-1.js: Added.
300         (assert):
301         (test1.getMultiline):
302         (test1):
303         * stress/custom-value-delete-property-2.js: Added.
304         (test2.foo):
305         (test2):
306         * stress/custom-value-delete-property-3.js: Added.
307         (test6.foo):
308         (test6):
309
310 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
311
312         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
313         https://bugs.webkit.org/show_bug.cgi?id=202382
314         <rdar://problem/52669112>
315
316         Reviewed by Saam Barati.
317
318         * stress/compare-eq-bool-number-folding.js: Added.
319         (test):
320
321 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
322
323         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
324         https://bugs.webkit.org/show_bug.cgi?id=202330
325
326         Reviewed by Saam Barati.
327
328         * stress/to-lower-case-gc-stress.js: Added.
329
330 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
331
332         Non-standard Error properties should not be enumerable
333         https://bugs.webkit.org/show_bug.cgi?id=198975
334
335         Reviewed by Ross Kirsling.
336
337         * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
338         * microbenchmarks/let-for-in.js: Adjust test.
339         * test262/expectations.yaml: Mark 6 test cases as passing.
340
341 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
342
343         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
344         https://bugs.webkit.org/show_bug.cgi?id=202299
345         <rdar://problem/52669116>
346
347         Reviewed by Saam Barati.
348
349         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
350         (foo):
351         (test):
352         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
353         (foo):
354         (C1.prototype.baz):
355         (C1):
356         (bar):
357         (noInline.bar.goo):
358         (C2.prototype.baz):
359         (C2):
360         (test):
361
362 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
363
364         toExponential, toFixed, and toPrecision should allow arguments up to 100
365         https://bugs.webkit.org/show_bug.cgi?id=199163
366
367         Reviewed by Ross Kirsling.
368
369         * ChakraCore/test/Number/toString_3.baseline-jsc:
370         * ChakraCore/test/es5/exceptions3.baseline-jsc:
371         * test262/expectations.yaml: Mark 6 test cases as passing.
372
373 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
374
375         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the  result of the trap is undefined
376         https://bugs.webkit.org/show_bug.cgi?id=154376
377
378         Reviewed by Ross Kirsling.
379
380         Adds 2 test cases:
381         1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
382         2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
383
384         * stress/proxy-get-own-property.js:
385
386 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
387
388         [BigInt] Add ValueBitRShift into DFG
389         https://bugs.webkit.org/show_bug.cgi?id=192663
390
391         Reviewed by Robin Morisset.
392
393         * stress/big-int-right-shift-jit-osr.js: Added.
394         * stress/big-int-right-shift-jit-untyped.js: Added.
395         * stress/big-int-right-shift-jit.js: Added.
396         * stress/value-rshift-ai-rule.js: Added.
397
398 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
399
400         Array methods should throw TypeError upon attempting to modify a string
401         https://bugs.webkit.org/show_bug.cgi?id=201910
402
403         Reviewed by Keith Miller.
404
405         * stress/array-methods-should-not-modify-string.js: Added.
406
407         * mozilla/js1_6/Array/regress-304828.js:
408         Fix test. Original copy was changed similarly seven years ago:
409         https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
410
411         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
412         Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
413
414 2019-09-23  Mark Lam  <mark.lam@apple.com>
415
416         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
417         https://bugs.webkit.org/show_bug.cgi?id=202122
418         <rdar://problem/55535249>
419
420         Reviewed by Yusuke Suzuki.
421
422         * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
423
424 2019-09-23  Caio Lima  <ticaiolima@gmail.com>
425
426         Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
427         https://bugs.webkit.org/show_bug.cgi?id=202113
428
429         Unreviewed test gardening, skipped test in ARMv7 and MIPS.
430
431         It is going to be fixed in
432         https://bugs.webkit.org/show_bug.cgi?id=202041
433
434         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
435
436 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
437
438         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
439         https://bugs.webkit.org/show_bug.cgi?id=202072
440
441         Reviewed by Mark Lam.
442
443         * stress/int52rep-with-double-checks-int52-range.js: Added.
444         (shouldBe):
445         (test):
446
447 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
448
449         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
450         https://bugs.webkit.org/show_bug.cgi?id=202011
451
452         Reviewed by Mark Lam.
453
454         We are skipping this test into MIPS and ARMv7 because some of its assumptions
455         are not valid for them. The current behavior of the test in those architectures
456         is that it does not throw during `new ArrayBuffer(1000)` allocation site,
457         because eden collection keeps happening between iterations. The collection
458         is triggered on those architectures because the amount of stress 
459         `new Promise` generates into GC limits is not enough to avoid them
460         while loop is executing.
461
462         Changing the size of `UInt8Array` from `80000000` to `160000000` can
463         be an alternative fix to avoid collection happening during `ArrayBuffer`
464         allocation loop, but we can't guarantee this test is always going to execute
465         without error when Gigacage is disabled, given we can reach an OOM state in
466         some allocations that need to succeed, making this test flaky for those
467         architectures.
468
469         * stress/test-out-of-memory.js:
470
471 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
472
473         AccessCase should strongly visit its dependencies while on stack
474         https://bugs.webkit.org/show_bug.cgi?id=201986
475         <rdar://problem/55521953>
476
477         Reviewed by Saam Barati and Yusuke Suzuki.
478
479         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
480         (foo):
481         (warmup):
482
483 2019-09-20  Saam Barati  <sbarati@apple.com>
484
485         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
486
487         * stress/toctou-having-a-bad-time-new-array.js:
488
489 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
490
491         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
492         https://bugs.webkit.org/show_bug.cgi?id=202014
493
494         Reviewed by Saam Barati.
495
496         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
497         (__v0):
498
499 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
500
501         Syntax checker should report duplicate __proto__ properties
502         https://bugs.webkit.org/show_bug.cgi?id=201897
503         <rdar://problem/53201788>
504
505         Reviewed by Mark Lam.
506
507         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
508         (catch):
509
510 2019-09-18  Saam Barati  <sbarati@apple.com>
511
512         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
513         https://bugs.webkit.org/show_bug.cgi?id=201953
514         <rdar://problem/53803524>
515
516         Reviewed by Yusuke Suzuki.
517
518         * stress/toctou-having-a-bad-time-new-array.js: Added.
519         (let.code):
520
521 2019-09-18  Saam Barati  <sbarati@apple.com>
522
523         Phantom insertion phase may disagree with arguments forwarding about live ranges
524         https://bugs.webkit.org/show_bug.cgi?id=200715
525         <rdar://problem/54301717>
526
527         Reviewed by Yusuke Suzuki.
528
529         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
530         (main.v23):
531         (main.try.v43):
532         (main.):
533         (main):
534
535 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
536
537         [JSC] Generator should have internal fields
538         https://bugs.webkit.org/show_bug.cgi?id=201159
539
540         Reviewed by Keith Miller.
541
542         * stress/create-generator.js: Added.
543         (shouldBe):
544         (test.generator):
545         (test):
546         * stress/generator-construct-failure.js: Added.
547         (shouldThrow):
548         (TypeError):
549         * stress/generator-prototype-change.js: Added.
550         (shouldBe):
551         (gen):
552         * stress/generator-prototype-closure.js: Added.
553         (shouldBe):
554         (test.gen):
555         (test):
556         * stress/object-assign-fast-path.js:
557
558 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
559
560         Follow-up after String.codePointAt optimization
561         https://bugs.webkit.org/show_bug.cgi?id=201889
562
563         Reviewed by Saam Barati.
564
565         * stress/string-char-at-bad-type.js: Added.
566         (shouldBe):
567         (object.toString):
568         (test):
569         * stress/string-char-code-at-bad-type.js: Added.
570         (shouldBe):
571         (object.toString):
572         (test):
573         * stress/string-code-point-at-bad-type.js: Added.
574         (shouldBe):
575         (object.toString):
576         (test):
577
578 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
579
580         [JSC] CheckArray+NonArray is not filtering out Array in AI
581         https://bugs.webkit.org/show_bug.cgi?id=201857
582         <rdar://problem/54194820>
583
584         Reviewed by Keith Miller.
585
586         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
587         (foo):
588
589 2019-09-17  Saam Barati  <sbarati@apple.com>
590
591         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
592         https://bugs.webkit.org/show_bug.cgi?id=201853
593         <rdar://problem/53805461>
594
595         Reviewed by Yusuke Suzuki.
596
597         * stress/direct-arguments-check-array-filter-type.js: Added.
598         (foo):
599
600 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
601
602         Wasm StreamingParser should validate that number of functions matches number of declarations
603         https://bugs.webkit.org/show_bug.cgi?id=201850
604         <rdar://problem/55290186>
605
606         Reviewed by Yusuke Suzuki.
607
608         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
609         (catch):
610
611 2019-09-16  Michael Saboff  <msaboff@apple.com>
612
613         [JSC] Perform check again when we found non-BMP characters
614         https://bugs.webkit.org/show_bug.cgi?id=201647
615
616         Reviewed by Yusuke Suzuki.
617
618         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
619         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
620         (testRegExpInbounds):
621
622 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
623
624         [JSC] Add missing syntax errors for await in function parameter default expressions
625         https://bugs.webkit.org/show_bug.cgi?id=201615
626
627         Reviewed by Darin Adler.
628
629         * stress/async-await-reserved-word.js:
630         * stress/async-await-syntax.js:
631         Add test cases.
632
633         * test262/expectations.yaml:
634         Mark newly-passing test cases.
635
636 2019-09-16  Saam Barati  <sbarati@apple.com>
637
638         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
639         https://bugs.webkit.org/show_bug.cgi?id=200386
640         <rdar://problem/53854946>
641
642         Reviewed by Yusuke Suzuki.
643
644         * stress/proxy-__proto__-in-prototype-chain.js: Added.
645         * stress/proxy-property-replace-structure-transition.js: Added.
646
647 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
648
649         Date.prototype.toJSON does not execute steps 1-2
650         https://bugs.webkit.org/show_bug.cgi?id=105282
651
652         Reviewed by Ross Kirsling.
653
654         * test262/expectations.yaml: Mark 2 test cases as passing.
655
656 2019-09-12  Mark Lam  <mark.lam@apple.com>
657
658         Harden JSC against the abuse of runtime options.
659         https://bugs.webkit.org/show_bug.cgi?id=201597
660         <rdar://problem/55167068>
661
662         Reviewed by Filip Pizlo.
663
664         Remove the call to forceGCSlowPaths().  This utility function will be removed.
665         The modern way to set the required option is to use //@ requireOptions.
666
667         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
668
669 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
670
671         [JSC] Add StringCodePointAt intrinsic
672         https://bugs.webkit.org/show_bug.cgi?id=201673
673
674         Reviewed by Michael Saboff.
675
676         * stress/string-char-at-constant-index-out-of-range.js: Added.
677         (shouldBe):
678         (test):
679         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
680         (shouldBe):
681         (test):
682         * stress/string-code-point-at--out-of-range.js: Added.
683         (shouldBe):
684         (test):
685         * stress/string-code-point-at-basic.js: Added.
686         (test):
687         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
688         (shouldBe):
689         (test):
690         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
691         (shouldBe):
692         (test):
693         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
694         (shouldBe):
695         (test):
696         (breaking):
697         * stress/string-code-point-at-surrogate-pair.js: Added.
698         (shouldBe):
699         * stress/string-code-point-at.js: Added.
700         (shouldBe):
701
702 2019-09-10  Michael Saboff  <msaboff@apple.com>
703
704         JSC crashes due to stack overflow while building RegExp
705         https://bugs.webkit.org/show_bug.cgi?id=201649
706
707         Reviewed by Yusuke Suzuki.
708
709         New regression test.
710
711         * stress/regexp-bol-optimize-out-of-stack.js: Added.
712         (test):
713         (catch):
714
715 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
716
717         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
718         https://bugs.webkit.org/show_bug.cgi?id=189043
719
720         Reviewed by Keith Miller.
721
722         The offset performing the validation becomes a bit different.
723         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
724
725         * wasm/js-api/version.js:
726
727 2019-09-07  Keith Miller  <keith_miller@apple.com>
728
729         OSR entry into wasm misses some contexts
730         https://bugs.webkit.org/show_bug.cgi?id=201569
731
732         Reviewed by Yusuke Suzuki.
733
734         Add a new harness and wast and the generated wasm file for
735         testing. The idea long term is to make it easy to test by creating
736         a C file and converting it to a wast then modify that to produce a
737         test.
738
739         * wasm.yaml:
740         * wasm/wast-tests/harness.js: Added.
741         (async.runWasmFile):
742         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
743         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
744         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
745         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
746         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
747         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
748         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
749         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
750
751 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
752
753         [JSC] Promise resolve/reject functions should be created more efficiently
754         https://bugs.webkit.org/show_bug.cgi?id=201488
755
756         Reviewed by Mark Lam.
757
758         * microbenchmarks/promise-creation-many.js: Added.
759         (executor):
760
761 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
762
763         Unreviewed JSC test gardening.
764
765         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
766         This test allocates a 2GB string before it goes out and tests
767         out-of-memory exception when appending other strings to it. As such,
768         skip the test on memory-limited platforms.
769
770 2019-09-07  Mark Lam  <mark.lam@apple.com>
771
772         The jsc shell should allow disabling of the Gigacage for testing purposes.
773         https://bugs.webkit.org/show_bug.cgi?id=201579
774
775         Reviewed by Michael Saboff.
776
777         Unskip the tests now.
778
779         * stress/disable-gigacage-arrays.js:
780         * stress/disable-gigacage-strings.js:
781         * stress/disable-gigacage-typed-arrays.js:
782
783 2019-09-07  Mark Lam  <mark.lam@apple.com>
784
785         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
786
787         Not reviewed.
788
789         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
790
791         * stress/disable-gigacage-arrays.js:
792         * stress/disable-gigacage-strings.js:
793         * stress/disable-gigacage-typed-arrays.js:
794
795 2019-09-07  Mark Lam  <mark.lam@apple.com>
796
797         Gardening: speculative test fix to green bots [attempt #2].
798         https://bugs.webkit.org/show_bug.cgi?id=201529
799         <rdar://problem/53935772>
800
801         Not reviewed.
802
803         * stress/test-out-of-memory.js:
804
805 2019-09-06  Mark Lam  <mark.lam@apple.com>
806
807         Gardening: speculative test fix to green bots.
808         https://bugs.webkit.org/show_bug.cgi?id=201529
809         <rdar://problem/53935772>
810
811         Not reviewed.
812
813         * stress/test-out-of-memory.js:
814
815 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
816
817         Math.round() produces wrong result for value prior to 0.5
818         https://bugs.webkit.org/show_bug.cgi?id=185115
819
820         Reviewed by Saam Barati.
821
822         * stress/math-round-basics.js:
823         Add positive/negative test cases.
824
825         * test262/expectations.yaml:
826         Mark test passing.
827
828 2019-09-06  Mark Lam  <mark.lam@apple.com>
829
830         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
831         https://bugs.webkit.org/show_bug.cgi?id=201551
832
833         Reviewed by Tadeu Zagallo.
834
835         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
836
837         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
838         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
839
840 2019-09-06  Mark Lam  <mark.lam@apple.com>
841
842         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
843         https://bugs.webkit.org/show_bug.cgi?id=201529
844         <rdar://problem/53935772>
845
846         Reviewed by Yusuke Suzuki.
847
848         * stress/test-out-of-memory.js: Added.
849
850 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
851
852         LazyClassStructure::setConstructor should not store the constructor to the global object
853         https://bugs.webkit.org/show_bug.cgi?id=201484
854         <rdar://problem/50400451>
855
856         Reviewed by Yusuke Suzuki.
857
858         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
859
860 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         [JSC] Do not use FTLOutput::weakPointer directly
863         https://bugs.webkit.org/show_bug.cgi?id=201495
864
865         Reviewed by Filip Pizlo.
866
867         * stress/create-promise-weak-pointer.js: Added.
868         (foo):
869
870 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
871
872         [JSC] Make Promise implementation faster
873         https://bugs.webkit.org/show_bug.cgi?id=200898
874
875         Reviewed by Saam Barati.
876
877         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
878         (assert.assert.return.throws):
879         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
880         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
881         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
882         (shouldThrow):
883         (new.Promise):
884         (shouldThrow.Promise):
885         * stress/create-promise-should-respect-promise-realm.js: Added.
886         (shouldBe):
887         (other.new.OtherPromise):
888         (DerivedOtherPromise):
889         (i.promise.new.DerivedOtherPromise):
890         (createPromise):
891         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
892         (shouldBe):
893         (DerivedPromise):
894         (i.array.push.new.DerivedPromise):
895         (promise.new.DerivedPromise):
896         * stress/derived-promise-constructor-inlined.js: Added.
897         (shouldBe):
898         (DerivedPromise):
899         (i.array.push.new.DerivedPromise):
900         (DerivedPromise.all.array.then):
901         * stress/derived-promise-prototype-replaced.js: Added.
902         (shouldBe):
903         (DerivedPromise):
904         (i.array.push.new.DerivedPromise):
905         (promise.new.DerivedPromise):
906         * stress/internal-promise-constructor-not-confusing.js: Added.
907         (shouldBe):
908         (InternalPromise.vm.createBuiltin):
909         (DerivedPromise):
910         * stress/internal-promise-is-not-exposed.js: Added.
911         (shouldBe):
912         * stress/new-promise-should-respect-promise-realm.js: Added.
913         (shouldBe):
914         (other.new.OtherPromise):
915         (createPromise):
916         * stress/promise-cannot-be-called.js:
917         (shouldThrow):
918         * stress/promise-capability-fast-path.js: Added.
919         (shouldBe):
920         (i.array.push.new.Promise):
921         (i.array.i.then):
922         * stress/promise-capability-slow-path.js: Added.
923         (shouldBe):
924         (Promise.prototype.then):
925         (i.array.push.new.Promise):
926         (i.array.i.then):
927         * stress/promise-capability-then-slow-path.js: Added.
928         (shouldBe):
929         (DerivedPromise):
930         (DerivedPromise.prototype.then):
931         (i.array.push.new.DerivedPromise):
932         (i.array.i.then):
933         * stress/promise-constructor-inlined.js: Added.
934         (shouldBe):
935         (i.array.push.new.Promise):
936         (Promise.all.array.then):
937         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
938         (shouldBe):
939         (DerivedPromise):
940         (DerivedPromise2):
941         (i.array.push.new.DerivedPromise):
942         (i.array2.push.new.DerivedPromise2):
943         * stress/without-promise-functions.js: Added.
944         (shouldBe):
945         (async):
946
947 2019-09-03  Mark Lam  <mark.lam@apple.com>
948
949         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
950         https://bugs.webkit.org/show_bug.cgi?id=201309
951         <rdar://problem/54832121>
952
953         Reviewed by Yusuke Suzuki.
954
955         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
956
957 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
958
959         [JSC] Generate new.target register only when it is used
960         https://bugs.webkit.org/show_bug.cgi?id=201335
961
962         Reviewed by Mark Lam.
963
964         * stress/ensure-new-register-allocated.js: Added.
965         (shouldBe):
966         (basic):
967         (arrow):
968         (Base):
969         (Derived):
970         (evaluate):
971
972 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
973
974         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
975         https://bugs.webkit.org/show_bug.cgi?id=201331
976
977         Reviewed by Mark Lam.
978
979         * stress/simple-jump-table-copy.js: Added.
980         (let.code):
981         (g2):
982
983 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
984
985         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
986         https://bugs.webkit.org/show_bug.cgi?id=201332
987
988         Reviewed by Mark Lam.
989
990         This test is very flaky, it is hard to reproduce.
991
992         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
993         (code):
994
995 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
996
997         [JSC] Repatch should construct CallCases and CasesValue at the same time
998         https://bugs.webkit.org/show_bug.cgi?id=201325
999
1000         Reviewed by Saam Barati.
1001
1002         * stress/repatch-switch.js: Added.
1003         (main.f2.f0):
1004         (main.f2.f3):
1005         (main.f2.f1):
1006         (main.f2):
1007         (main):
1008
1009 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1010
1011         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
1012         https://bugs.webkit.org/show_bug.cgi?id=198650
1013
1014         Reviewed by Saam Barati.
1015
1016         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
1017         (main.v0):
1018         (main):
1019
1020 2019-08-28  Mark Lam  <mark.lam@apple.com>
1021
1022         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1023         https://bugs.webkit.org/show_bug.cgi?id=201281
1024         <rdar://problem/54028228>
1025
1026         Reviewed by Yusuke Suzuki and Saam Barati.
1027
1028         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
1029
1030 2019-08-28  Mark Lam  <mark.lam@apple.com>
1031
1032         Placate exception check validation in DFG's operationHasGenericProperty().
1033         https://bugs.webkit.org/show_bug.cgi?id=201245
1034         <rdar://problem/54777512>
1035
1036         Reviewed by Robin Morisset.
1037
1038         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
1039
1040 2019-08-27  Mark Lam  <mark.lam@apple.com>
1041
1042         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
1043         https://bugs.webkit.org/show_bug.cgi?id=201196
1044         <rdar://problem/54703775>
1045
1046         Reviewed by Yusuke Suzuki.
1047
1048         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
1049
1050 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
1051
1052         [JSC] Ensure x?.y ?? z is fast
1053         https://bugs.webkit.org/show_bug.cgi?id=200875
1054
1055         Reviewed by Yusuke Suzuki.
1056
1057         * stress/nullish-coalescing.js:
1058
1059 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
1060
1061         Remove MaximalFlushInsertionPhase
1062         https://bugs.webkit.org/show_bug.cgi?id=201036
1063
1064         Reviewed by Saam Barati.
1065
1066         Remove all the references to maximal flush
1067
1068         * stress/arith-ceil-on-various-types.js:
1069         (checkCompileCountForUselessNegativeZero):
1070         * stress/arith-floor-on-various-types.js:
1071         (checkCompileCountForUselessNegativeZero):
1072         * stress/arith-negate-on-various-types.js:
1073         (checkCompileCountForUselessNegativeZero):
1074         * stress/arith-round-on-various-types.js:
1075         (checkCompileCountForUselessNegativeZero):
1076         * stress/arith-trunc-on-various-types.js:
1077         (checkCompileCountForUselessNegativeZero):
1078         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
1079         * stress/has-indexed-property-should-accept-non-int32.js:
1080         * stress/has-indexed-property-with-worsening-array-mode.js:
1081         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
1082         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
1083         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1084         * stress/rest-parameter-many-arguments.js:
1085         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
1086         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
1087         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
1088
1089 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
1090
1091         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
1092         https://bugs.webkit.org/show_bug.cgi?id=200952
1093
1094         Reviewed by Saam Barati.
1095
1096         * wasm/references/func_ref.js:
1097         (assert.throws):
1098
1099 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
1100
1101         Add missing exception check in canonicalizeLocaleList
1102         https://bugs.webkit.org/show_bug.cgi?id=201021
1103
1104         Reviewed by Mark Lam.
1105
1106         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
1107         (catch):
1108
1109 2019-08-21  Mark Lam  <mark.lam@apple.com>
1110
1111         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
1112         https://bugs.webkit.org/show_bug.cgi?id=201016
1113         <rdar://problem/54579911>
1114
1115         Reviewed by Yusuke Suzuki.
1116
1117         * wasm/stress/too-many-locals.js: Added.
1118         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
1119
1120 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
1121
1122         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
1123         https://bugs.webkit.org/show_bug.cgi?id=200965
1124
1125         Reviewed by Saam Barati.
1126
1127         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
1128         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
1129
1130         * stress/optional-chaining.js:
1131
1132 2019-08-21  Michael Saboff  <msaboff@apple.com>
1133
1134         [JSC] incorrent JIT lead to StackOverflow
1135         https://bugs.webkit.org/show_bug.cgi?id=197823
1136
1137         Reviewed by Tadeu Zagallo.
1138
1139         New test.
1140
1141         * stress/bound-function-stack-overflow.js: Added.
1142         (foo):
1143         (catch):
1144
1145 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1146
1147         Identify memcpy loops in b3
1148         https://bugs.webkit.org/show_bug.cgi?id=200181
1149
1150         Reviewed by Saam Barati.
1151
1152         * microbenchmarks/memcpy-loop.js: Added.
1153         (doTest):
1154         (let.arr1):
1155         * microbenchmarks/memcpy-typed-loop-large.js: Added.
1156         (doTest):
1157         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
1158         (arr2):
1159         * microbenchmarks/memcpy-typed-loop-small.js: Added.
1160         (doTest):
1161         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1162         (16.arr2):
1163         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
1164         (doTest):
1165         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
1166         (arr2):
1167         * microbenchmarks/memcpy-wasm-large.js: Added.
1168         (typeof.WebAssembly.string_appeared_here.eq):
1169         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1170         * microbenchmarks/memcpy-wasm-medium.js: Added.
1171         (typeof.WebAssembly.string_appeared_here.eq):
1172         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1173         * microbenchmarks/memcpy-wasm-small.js: Added.
1174         (typeof.WebAssembly.string_appeared_here.eq):
1175         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1176         * microbenchmarks/memcpy-wasm.js: Added.
1177         (typeof.WebAssembly.string_appeared_here.eq):
1178         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1179         * stress/memcpy-typed-loops.js: Added.
1180         (noLoop):
1181         (invalidStart):
1182         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1183         (arr2):
1184         * wasm/function-tests/memcpy-wasm-loop.js: Added.
1185         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
1186         (string_appeared_here):
1187
1188 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
1189
1190         [JSC] Array.prototype.toString should not get "join" function each time
1191         https://bugs.webkit.org/show_bug.cgi?id=200905
1192
1193         Reviewed by Mark Lam.
1194
1195         * stress/array-prototype-join-change.js: Added.
1196         (shouldBe):
1197         (array2.join):
1198         (DerivedArray):
1199         (DerivedArray.prototype.join):
1200         (array3.__proto__.join):
1201         (Array.prototype.join):
1202
1203 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1204
1205         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1206         https://bugs.webkit.org/show_bug.cgi?id=200782
1207
1208         Reviewed by Saam Barati.
1209
1210         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
1211
1212         * microbenchmarks/memcpy-typed-loop.js:
1213         * stress/int8-repeat-in-then-out-of-bounds.js:
1214
1215 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1216
1217         Proxy constructor should throw if handler is revoked Proxy
1218         https://bugs.webkit.org/show_bug.cgi?id=198755
1219
1220         Reviewed by Saam Barati.
1221
1222         * stress/proxy-revoke.js: Adjust error message.
1223         * test262/expectations.yaml: Mark 2 test cases as passing.
1224
1225 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1226
1227         [JSC] OSR entry to Wasm OMG
1228         https://bugs.webkit.org/show_bug.cgi?id=200362
1229
1230         Reviewed by Michael Saboff.
1231
1232         * wasm/stress/osr-entry-basic.js: Added.
1233         (instance.exports.loop):
1234         * wasm/stress/osr-entry-many-locals-f32.js: Added.
1235         * wasm/stress/osr-entry-many-locals-f64.js: Added.
1236         * wasm/stress/osr-entry-many-locals-i32.js: Added.
1237         * wasm/stress/osr-entry-many-locals-i64.js: Added.
1238         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
1239         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
1240         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
1241         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
1242
1243 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1244
1245         Date.prototype.toJSON throws if toISOString returns an object
1246         https://bugs.webkit.org/show_bug.cgi?id=198495
1247
1248         Reviewed by Ross Kirsling.
1249
1250         * test262/expectations.yaml: Mark 6 test cases as passing.
1251
1252 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1253
1254         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
1255         https://bugs.webkit.org/show_bug.cgi?id=200899
1256         <rdar://problem/54073341>
1257
1258         Reviewed by Mark Lam.
1259
1260         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
1261         (i.new.Promise):
1262         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
1263         (i.new.Promise):
1264
1265 2019-08-19  Michael Saboff  <msaboff@apple.com>
1266
1267         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
1268         https://bugs.webkit.org/show_bug.cgi?id=197090
1269
1270         Reviewed by Yusuke Suzuki.
1271
1272         New test.
1273
1274         * stress/regexp-nonconsuming-counted-parens.js: Added.
1275
1276 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
1277
1278         [JSC] Correct a->an in error messages and API docblocks
1279         https://bugs.webkit.org/show_bug.cgi?id=200833
1280
1281         Reviewed by Don Olmstead.
1282
1283         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1284         (assert.assert.return.throws):
1285         * stress/promise-finally-should-accept-non-promise-objects.js:
1286         * wasm/js-api/table.js:
1287         (assert.throws):
1288
1289 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1290
1291         [ESNext] Implement optional chaining
1292         https://bugs.webkit.org/show_bug.cgi?id=200199
1293
1294         Reviewed by Yusuke Suzuki.
1295
1296         * stress/nullish-coalescing.js:
1297         * stress/optional-chaining.js: Added.
1298         * stress/tail-call-recognize.js:
1299
1300 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1301
1302         [ESNext] Support hashbang.
1303         https://bugs.webkit.org/show_bug.cgi?id=200865
1304
1305         Reviewed by Mark Lam.
1306
1307         * stress/hashbang.js: Added.
1308         * test262/expectations.yaml: Mark 6 cases as passing.
1309
1310 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
1311
1312         [JSC] DFG ToNumber should support Boolean in fixup
1313         https://bugs.webkit.org/show_bug.cgi?id=200864
1314
1315         Reviewed by Mark Lam.
1316
1317         * microbenchmarks/to-number-boolean.js: Added.
1318         (test):
1319         * stress/to-number-boolean-int32.js: Added.
1320         (shouldBe):
1321         (test):
1322         (check):
1323         * stress/to-number-boolean.js: Added.
1324         (shouldBe):
1325         (test):
1326         (check):
1327         * stress/to-number-int32.js: Added.
1328         (shouldBe):
1329         (test):
1330         (check):
1331
1332 2019-08-16  Mark Lam  <mark.lam@apple.com>
1333
1334         More missing exception checks in string comparison operators.
1335         https://bugs.webkit.org/show_bug.cgi?id=200844
1336         <rdar://problem/54378684>
1337
1338         Reviewed by Saam Barati.
1339
1340         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
1341         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
1342         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
1343         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
1344
1345 2019-08-16  Mark Lam  <mark.lam@apple.com>
1346
1347         CodeBlock destructor should clear all of its watchpoints.
1348         https://bugs.webkit.org/show_bug.cgi?id=200792
1349         <rdar://problem/53947800>
1350
1351         Reviewed by Yusuke Suzuki.
1352
1353         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
1354
1355 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
1356
1357         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1358         https://bugs.webkit.org/show_bug.cgi?id=200782
1359
1360         Reviewed by Saam Barati.
1361
1362         * microbenchmarks/int8-out-of-bounds.js: Added.
1363         (foo):
1364         * microbenchmarks/memcpy-typed-loop.js: Added.
1365         (doTest):
1366         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
1367         (arr2):
1368         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
1369         (foo):
1370
1371 2019-08-16  Mark Lam  <mark.lam@apple.com>
1372
1373         [Re-land] ProxyObject should not be allow to access its target's private properties.
1374         https://bugs.webkit.org/show_bug.cgi?id=200739
1375         <rdar://problem/53972768>
1376
1377         Reviewed by Yusuke Suzuki.
1378
1379         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
1380         * stress/proxy-with-private-symbols.js:
1381
1382 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
1383
1384         [JSC] Promise.prototype.finally should accept non-promise objects
1385         https://bugs.webkit.org/show_bug.cgi?id=200829
1386
1387         Reviewed by Mark Lam.
1388
1389         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
1390         (shouldBe):
1391         (Thenable):
1392         (Thenable.prototype.then):
1393
1394 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
1395
1396         Promise constructor should check argument before [[Construct]]
1397         https://bugs.webkit.org/show_bug.cgi?id=198976
1398
1399         Reviewed by Ross Kirsling.
1400
1401         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
1402         * stress/create-subclass-structure-might-throw.js: Fix test.
1403         * test262/expectations.yaml: Mark 2 test cases as passing.
1404
1405 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
1406
1407         Unreviewed, rolling out r248709.
1408
1409         Caused test/built-ins/Promise/prototype/finally/this-value-
1410         non-promise.js to fail on test262 bot
1411
1412         Reverted changeset:
1413
1414         "ProxyObject should not be allow to access its target's
1415         private properties."
1416         https://bugs.webkit.org/show_bug.cgi?id=200739
1417         https://trac.webkit.org/changeset/248709
1418
1419 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1420
1421         DateConversion::formatDateTime incorrectly formats negative years
1422         https://bugs.webkit.org/show_bug.cgi?id=199964
1423
1424         Reviewed by Ross Kirsling.
1425
1426         * test262/expectations.yaml: Mark 6 test cases as passing.
1427
1428 2019-08-15  Mark Lam  <mark.lam@apple.com>
1429
1430         More missing exception checks in String.prototype.
1431         https://bugs.webkit.org/show_bug.cgi?id=200762
1432         <rdar://problem/54333896>
1433
1434         Reviewed by Michael Saboff.
1435
1436         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1437         * stress/missing-exception-check-in-string-toLower.js: Added.
1438         * stress/missing-exception-check-in-string-toUpper.js: Added.
1439
1440 2019-08-14  Mark Lam  <mark.lam@apple.com>
1441
1442         ProxyObject should not be allow to access its target's private properties.
1443         https://bugs.webkit.org/show_bug.cgi?id=200739
1444         <rdar://problem/53972768>
1445
1446         Reviewed by Yusuke Suzuki.
1447
1448         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1449         * stress/proxy-with-private-symbols.js: Rebased.
1450
1451 2019-08-14  Mark Lam  <mark.lam@apple.com>
1452
1453         Missing exception check in string compare.
1454         https://bugs.webkit.org/show_bug.cgi?id=200743
1455         <rdar://problem/53975356>
1456
1457         Reviewed by Michael Saboff.
1458
1459         * stress/missing-exception-check-in-string-compare.js: Added.
1460
1461 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1462
1463         [JSC] Add "jump if (not) undefined or null" bytecode ops
1464         https://bugs.webkit.org/show_bug.cgi?id=200480
1465
1466         Reviewed by Saam Barati.
1467
1468         * stress/destructuring-assignment-require-object-coercible.js:
1469         * stress/nullish-coalescing.js:
1470
1471 2019-08-05  Michael Saboff  <msaboff@apple.com>
1472
1473         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1474         https://bugs.webkit.org/show_bug.cgi?id=199997
1475
1476         Reviewed by Saam Barati.
1477
1478         New test.
1479
1480         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1481         (checkIntArray):
1482         (checkFloatArray):
1483
1484 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1485
1486         [JSC] Support WebAssembly in SamplingProfiler
1487         https://bugs.webkit.org/show_bug.cgi?id=200329
1488
1489         Reviewed by Saam Barati.
1490
1491         * stress/sampling-profiler-wasm-name-section.js: Added.
1492         (const.compile):
1493         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1494         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1495         * stress/sampling-profiler-wasm.js: Added.
1496         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1497         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1498         * stress/sampling-profiler/loop.wasm: Added.
1499         * stress/sampling-profiler/loop.wast: Added.
1500         * stress/sampling-profiler/nameSection.wasm: Added.
1501
1502 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1503
1504         [JSC] LazyJSValue should be robust for empty JSValue
1505         https://bugs.webkit.org/show_bug.cgi?id=200388
1506
1507         Reviewed by Saam Barati.
1508
1509         * stress/switch-constant-child-becomes-empty.js: Added.
1510         (foo):
1511
1512 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1513
1514         GetterSetter type confusion during DFG compilation
1515         https://bugs.webkit.org/show_bug.cgi?id=199903
1516
1517         Reviewed by Mark Lam.
1518
1519         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1520
1521 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1522
1523         Update Test262 (2019.08.01)
1524         https://bugs.webkit.org/show_bug.cgi?id=200351
1525
1526         Reviewed by Keith Miller.
1527
1528         * test262/expectations.yaml:
1529         * test262/harness/testIntl.js:
1530         * test262/latest-changes-summary.txt:
1531         * test262/test/:
1532         * test262/test262-Revision.txt:
1533
1534 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1535
1536         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1537         https://bugs.webkit.org/show_bug.cgi?id=200192
1538
1539         Reviewed by Saam Barati.
1540
1541         * stress/structure-chain-stress.js: Added.
1542         (keys):
1543
1544 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1545
1546         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1547         https://bugs.webkit.org/show_bug.cgi?id=200196
1548
1549         Reviewed by Robin Morisset.
1550
1551         * stress/reparsing-unlinked-codeblock.js:
1552
1553 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1554
1555         [X86] Emit BT instruction for shift + mask in B3
1556         https://bugs.webkit.org/show_bug.cgi?id=199891
1557
1558         Reviewed by Robin Morisset.
1559
1560         Lower the number of iterations to fix debug timeouts.
1561
1562         * microbenchmarks/bit-test-load.js:
1563         (i):
1564
1565 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1566
1567         [X86] Emit BT instruction for shift + mask in B3
1568         https://bugs.webkit.org/show_bug.cgi?id=199891
1569
1570         Reviewed by Keith Miller.
1571
1572         * microbenchmarks/bit-test-constant.js: Added.
1573         (let.glob.0.doTest):
1574         * microbenchmarks/bit-test-load.js: Added.
1575         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1576         (i):
1577         * microbenchmarks/bit-test-nonconstant.js: Added.
1578         (let.glob.0.doTest):
1579
1580 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1581
1582         [JSC] Potential GC fix for JSPropertyNameEnumerator
1583         https://bugs.webkit.org/show_bug.cgi?id=200151
1584
1585         Reviewed by Mark Lam.
1586
1587         * stress/for-in-stress.js: Added.
1588         (keys):
1589
1590 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1591
1592         Legacy numeric literals should not permit separators or BigInt
1593         https://bugs.webkit.org/show_bug.cgi?id=199984
1594
1595         Reviewed by Keith Miller.
1596
1597         * stress/big-int-literals.js:
1598         * stress/numeric-literal-separators.js:
1599
1600 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1601
1602         [ESNext] Implement nullish coalescing
1603         https://bugs.webkit.org/show_bug.cgi?id=200072
1604
1605         Reviewed by Darin Adler.
1606
1607         * stress/nullish-coalescing.js: Added.
1608
1609 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1610
1611         Three checks are missing in Proxy internal methods
1612         https://bugs.webkit.org/show_bug.cgi?id=198630
1613
1614         Reviewed by Darin Adler.
1615
1616         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1617         * test262/expectations.yaml: Mark 6 test cases as passing.
1618
1619 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1620
1621         Sometimes we miss removable CheckInBounds
1622         https://bugs.webkit.org/show_bug.cgi?id=200018
1623
1624         Reviewed by Saam Barati.
1625
1626         * microbenchmarks/typed-array-sum.js: Added.
1627         (doTest):
1628
1629 2019-07-16  Mark Lam  <mark.lam@apple.com>
1630
1631         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1632         https://bugs.webkit.org/show_bug.cgi?id=199821
1633         <rdar://problem/52452328>
1634
1635         Reviewed by Filip Pizlo.
1636
1637         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1638
1639 2019-07-16  Keith Miller  <keith_miller@apple.com>
1640
1641         Unreviewed, test262 gardening.
1642
1643         * test262/expectations.yaml:
1644
1645 2019-07-15  Keith Miller  <keith_miller@apple.com>
1646
1647         A Possible Issue of Object.create method
1648         https://bugs.webkit.org/show_bug.cgi?id=199744
1649
1650         Reviewed by Yusuke Suzuki.
1651
1652         * stress/object-create-non-object-properties-parameter.js: Added.
1653         (catch):
1654
1655 2019-07-15  Keith Miller  <keith_miller@apple.com>
1656
1657         Update test262
1658         https://bugs.webkit.org/show_bug.cgi?id=199801
1659
1660         Rubber-stamped by Yusuke Suzuki.
1661
1662         * test262/expectations.yaml:
1663         * test262/latest-changes-summary.txt:
1664         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1665         (fg.new.FinalizationGroup):
1666         (callback):
1667         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1668         (fg.new.FinalizationGroup):
1669         (callback):
1670         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1671         (fg.new.FinalizationGroup):
1672         (callback):
1673         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1674         (fg.new.FinalizationGroup):
1675         (callback):
1676         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1677         (fg.new.FinalizationGroup):
1678         (callback):
1679         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1680         (fg.new.FinalizationGroup):
1681         (callback):
1682         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1683         (fg.new.FinalizationGroup):
1684         (callback):
1685         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1686         (callback):
1687         (fg.new.FinalizationGroup):
1688         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1689         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1690         (cb):
1691         (fg.new.FinalizationGroup):
1692         (emptyCells):
1693         (async.fn):
1694         (fn.then.async):
1695         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1696         (fg.new.FinalizationGroup):
1697         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1698         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1699         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1700         (newTarget):
1701         (fn):
1702         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1703         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1704         (fn):
1705         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1706         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1707         (newTarget):
1708         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1709         (newTarget):
1710         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1711         (fg.new.FinalizationGroup):
1712         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1713         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1714         (callback):
1715         (fg.new.FinalizationGroup):
1716         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1717         (fg.new.FinalizationGroup):
1718         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1719         (cb):
1720         (fg.new.FinalizationGroup):
1721         (emptyCells):
1722         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1723         (fg.new.FinalizationGroup):
1724         (fg.cleanupSome.cb):
1725         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1726         (callback):
1727         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1728         (fn):
1729         (cb):
1730         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1731         (cb):
1732         (fg.new.FinalizationGroup):
1733         (emptyCells):
1734         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1735         (fg.new.FinalizationGroup):
1736         (callback):
1737         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1738         (fg.new.FinalizationGroup):
1739         (callback):
1740         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1741         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1742         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1743         (poisoned):
1744         (fg.new.FinalizationGroup):
1745         (emptyCells):
1746         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1747         (poisoned):
1748         (emptyCells):
1749         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1750         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1751         (fn):
1752         (cb):
1753         (emptyCells):
1754         (prototype.assert.sameValue.fg.cleanupSome):
1755         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1756         (fn):
1757         (cb):
1758         (poisoned):
1759         (assert.sameValue.fg.cleanupSome):
1760         (prototype.assert.sameValue.fg.cleanupSome):
1761         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1762         (cb):
1763         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1764         (cb):
1765         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1766         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1767         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1768         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1769         (fn):
1770         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1771         (fn):
1772         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1773         (fg.new.FinalizationGroup):
1774         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1775         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1776         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1777         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1778         (fn):
1779         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1780         (fn):
1781         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1782         (fg.new.FinalizationGroup):
1783         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1784         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1785         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1786         (fg.new.FinalizationGroup):
1787         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1788         (fg.new.FinalizationGroup):
1789         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1790         (fg.new.FinalizationGroup):
1791         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1792         (fg.new.FinalizationGroup):
1793         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1794         (fn):
1795         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1796         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1797         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1798         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1799         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1800         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1801         (fn):
1802         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1803         (fg.new.FinalizationGroup):
1804         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1805         (cleanupCallback):
1806         (let.key.of.Object.getOwnPropertyNames):
1807         (set for):
1808         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1809         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1810         (FinalizationGroup):
1811         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1812         (cleanupCallback):
1813         (let.key.of.Object.getOwnPropertyNames):
1814         (set for):
1815         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1816         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1817         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1818         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1819         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1820         (asyncProxy.new.Proxy.async):
1821         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1822         (asyncProxy.new.Proxy.async):
1823         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1824         (setIter.set Symbol):
1825         (set defaultTag):
1826         (gen):
1827         (get return):
1828         (set new):
1829         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1830         (generatorProxy.new.Proxy):
1831         (asyncProxy.new.Proxy.async):
1832         * test262/test/built-ins/Object/subclass-object-arg.js:
1833         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1834         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1835         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1836         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1837         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1838         * test262/test/built-ins/Promise/executor-function-name.js:
1839         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1840         * test262/test/built-ins/Promise/reject-function-name.js:
1841         * test262/test/built-ins/Promise/resolve-function-name.js:
1842         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1843         * test262/test/built-ins/WeakRef/constructor.js: Added.
1844         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1845         * test262/test/built-ins/WeakRef/length.js: Added.
1846         * test262/test/built-ins/WeakRef/name.js: Added.
1847         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1848         (newTarget):
1849         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1850         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1851         * test262/test/built-ins/WeakRef/proto.js: Added.
1852         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1853         (newTarget):
1854         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1855         (newTarget):
1856         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1857         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1858         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1859         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1860         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1861         (emptyCells):
1862         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1863         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1864         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1865         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1866         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1867         (fg.new.FinalizationGroup):
1868         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1869         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1870         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1871         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1872         (let.key.of.Object.getOwnPropertyNames):
1873         (set for):
1874         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1875         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1876         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1877         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1878         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1879         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1880         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1881         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1882         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1883         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1884         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1885         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1886         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1887         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1888         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1889         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1890         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1891         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1892         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1893         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1894         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1895         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1896         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1897         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1898         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1899         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1900         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1901         (assertParts):
1902         (assertPartsNumeric):
1903         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1904         (assertParts):
1905         (assertPartsNumeric):
1906         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1907         (assertParts):
1908         (assertPartsNumeric):
1909         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1910         (assertParts):
1911         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1912         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1913         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1914         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1915         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1916         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1917         (C.prototype.method):
1918         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1919         (C.prototype.method.innerFunction):
1920         (C.prototype.method):
1921         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1922         (C):
1923         (C.method):
1924         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1925         (C):
1926         (C.method.innerFunction):
1927         (C.method):
1928         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1929         (C):
1930         (C.checkPrivateGetter):
1931         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1932         (C):
1933         (C.method):
1934         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1935         (C):
1936         (C.method.innerFunction):
1937         (C.method):
1938         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1939         (C):
1940         (C.checkPrivateMethod):
1941         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1942         (C):
1943         (C.method):
1944         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1945         (C):
1946         (C.method.innerFunction):
1947         (C.method):
1948         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1949         (C):
1950         (C.checkPrivateSetter):
1951         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1952         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1953         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1954         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1955         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1956         (let.classStringExpression):
1957         (let.classStringExpression.access):
1958         (let.createAndInstantiateClass):
1959         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1960         (let.classStringExpression):
1961         (let.classStringExpression.access):
1962         (let.createAndInstantiateClass):
1963         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1964         (const.C):
1965         (let.createAndInstantiateClass):
1966         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1967         (let.classStringExpression.return.prototype.m):
1968         (let.classStringExpression.return.prototype.access):
1969         (let.createAndInstantiateClass):
1970         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1971         (let.classStringExpression.return.prototype.m):
1972         (let.classStringExpression.return.prototype.access):
1973         (let.createAndInstantiateClass):
1974         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1975         (let.classStringExpression):
1976         (let.classStringExpression.access):
1977         (let.createAndInstantiateClass):
1978         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1979         (let.classStringExpression.prototype.m):
1980         (let.classStringExpression.prototype.access):
1981         (let.classStringExpression):
1982         (let.createAndInstantiateClass):
1983         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1984         (let.classStringExpression.prototype.m):
1985         (let.classStringExpression.prototype.access):
1986         (let.classStringExpression):
1987         (let.createAndInstantiateClass):
1988         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1989         (const.C):
1990         (let.createAndInstantiateClass):
1991         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1992         (let.classStringExpression.return.C.prototype.m):
1993         (let.classStringExpression.return.C.prototype.access):
1994         (let.classStringExpression.return.C):
1995         (let.createAndInstantiateClass):
1996         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1997         (let.classStringExpression.return.C.prototype.m):
1998         (let.classStringExpression.return.C.prototype.access):
1999         (let.classStringExpression.return.C):
2000         (let.createAndInstantiateClass):
2001         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2002         (let.classStringExpression):
2003         (let.classStringExpression.access):
2004         (let.createAndInstantiateClass):
2005         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2006         (let.classStringExpression):
2007         (let.classStringExpression.access):
2008         (let.createAndInstantiateClass):
2009         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2010         (let.classStringExpression):
2011         (let.classStringExpression.access):
2012         (let.createAndInstantiateClass):
2013         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2014         (const.C):
2015         (let.createAndInstantiateClass):
2016         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2017         (let.classStringExpression.return.prototype.m):
2018         (let.classStringExpression.return.prototype.access):
2019         (let.createAndInstantiateClass):
2020         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2021         (let.classStringExpression.return.prototype.m):
2022         (let.classStringExpression.return.prototype.access):
2023         (let.createAndInstantiateClass):
2024         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2025         (let.classStringExpression):
2026         (let.classStringExpression.access):
2027         (let.createAndInstantiateClass):
2028         * test262/test/language/expressions/new.target/unary-expr.js: Added.
2029         (new):
2030         (async):
2031         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
2032         (A):
2033         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
2034         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
2035         * test262/test/language/identifiers/vals-cjk.js: Added.
2036         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
2037         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
2038         (C.prototype.method):
2039         (C):
2040         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
2041         (C.prototype.method.innerFunction):
2042         (C.prototype.method):
2043         (C):
2044         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
2045         (C.prototype.checkPrivateField):
2046         (C):
2047         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
2048         (C):
2049         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
2050         (C.prototype.getWithEval):
2051         (C):
2052         (D):
2053         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
2054         (C.prototype.get m):
2055         (C.prototype.method):
2056         (C):
2057         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
2058         (C.prototype.get m):
2059         (C.prototype.method.innerFunction):
2060         (C.prototype.method):
2061         (C):
2062         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
2063         (let.createAndInstantiateClass):
2064         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
2065         (C.prototype.get m):
2066         (C.prototype.checkPrivateGetter):
2067         (C):
2068         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
2069         (C.prototype.get m):
2070         (C.prototype.checkPrivateGetter):
2071         (C):
2072         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
2073         (C.prototype.get m):
2074         (C):
2075         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
2076         (C.prototype.get m):
2077         (C.prototype.getWithEval):
2078         (C):
2079         (D.prototype.get m):
2080         (D):
2081         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
2082         (C.prototype.m):
2083         (C.prototype.method):
2084         (C):
2085         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
2086         (C.prototype.m):
2087         (C.prototype.method.innerFunction):
2088         (C.prototype.method):
2089         (C):
2090         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
2091         (C.prototype.m):
2092         (C.prototype.checkPrivateMethod):
2093         (C):
2094         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
2095         (C.prototype.m):
2096         (C.prototype.checkPrivateMethod):
2097         (C):
2098         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
2099         (C.prototype.m):
2100         (C):
2101         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
2102         (C.prototype.m):
2103         (C.prototype.getWithEval):
2104         (C):
2105         (D.prototype.m):
2106         (D):
2107         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
2108         (C.prototype.set m):
2109         (C.prototype.method):
2110         (C):
2111         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
2112         (C.prototype.set m):
2113         (C.prototype.method.innerFunction):
2114         (C.prototype.method):
2115         (C):
2116         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
2117         (C.prototype.set m):
2118         (C.prototype.checkPrivateSetter):
2119         (C):
2120         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
2121         (C.prototype.set m):
2122         (C.prototype.checkPrivateSetter):
2123         (C):
2124         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
2125         (C.prototype.set m):
2126         (C):
2127         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
2128         (C.prototype.set m):
2129         (C.prototype.setWithEval):
2130         (C):
2131         (D.prototype.set m):
2132         (D):
2133         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2134         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2135         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2136         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
2137         (A.prototype.method):
2138         (A):
2139         (C.prototype.get m):
2140         (C.prototype.access):
2141         (C):
2142         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
2143         (A.prototype.method):
2144         (A):
2145         (C.prototype.m):
2146         (C.prototype.access):
2147         (C):
2148         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
2149         (A.prototype.method):
2150         (A):
2151         (C.prototype.set m):
2152         (C.prototype.access):
2153         (C):
2154         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
2155         (A):
2156         * test262/test/language/statements/function/13.2-30-s.js:
2157         * test262/test262-Revision.txt:
2158
2159 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2160
2161         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2162         https://bugs.webkit.org/show_bug.cgi?id=199783
2163
2164         Reviewed by Mark Lam.
2165
2166         Fix our spec tests.
2167
2168         * wasm/js-api/Module-compile.js:
2169         * wasm/js-api/test_basic_api.js:
2170         (const.c.in.constructorProperties.switch):
2171         * wasm/js-api/validate.js:
2172         * wasm/js-api/web-assembly-instantiate.js:
2173         * wasm/spec-tests/jsapi.js:
2174         (testJSAPI.get test):
2175         (testJSAPI.set test):
2176
2177 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2178
2179         Unreviewed, rolling out r247440.
2180
2181         Broke builds
2182
2183         Reverted changeset:
2184
2185         "[JSC] Improve wasm wpt test results by fixing miscellaneous
2186         issues"
2187         https://bugs.webkit.org/show_bug.cgi?id=199783
2188         https://trac.webkit.org/changeset/247440
2189
2190 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2191
2192         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2193         https://bugs.webkit.org/show_bug.cgi?id=199783
2194
2195         Reviewed by Mark Lam.
2196
2197         Fix our spec tests.
2198
2199         * wasm/js-api/Module-compile.js:
2200         * wasm/js-api/test_basic_api.js:
2201         (const.c.in.constructorProperties.switch):
2202         * wasm/js-api/validate.js:
2203         * wasm/js-api/web-assembly-instantiate.js:
2204         * wasm/spec-tests/jsapi.js:
2205         (testJSAPI.get test):
2206         (testJSAPI.set test):
2207
2208 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
2209
2210         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
2211         https://bugs.webkit.org/show_bug.cgi?id=196371
2212
2213         Reviewed by Keith Miller.
2214
2215         * microbenchmarks/mul-immediate-sub.js: Added.
2216         (doTest):
2217
2218 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
2219
2220         [BigInt] Add ValueBitLShift into DFG
2221         https://bugs.webkit.org/show_bug.cgi?id=192664
2222
2223         Reviewed by Saam Barati.
2224
2225         We are adding tests to cover ValueBitwise operations AI changes.
2226
2227         * stress/big-int-left-shift-untyped.js: Added.
2228         * stress/bit-op-with-object-returning-int32.js:
2229         * stress/value-bit-and-ai-rule.js: Added.
2230         * stress/value-bit-lshift-ai-rule.js: Added.
2231         * stress/value-bit-or-ai-rule.js: Added.
2232         * stress/value-bit-xor-ai-rule.js: Added.
2233
2234 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2235
2236         Add b3 macro lowering for CheckMul on arm64
2237         https://bugs.webkit.org/show_bug.cgi?id=199251
2238
2239         Reviewed by Robin Morisset.
2240
2241         * microbenchmarks/check-mul-constant.js: Added.
2242         (doTest):
2243         * microbenchmarks/check-mul-no-constant.js: Added.
2244         (doTest):
2245         * microbenchmarks/check-mul-power-of-two.js: Added.
2246         (doTest):
2247
2248 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2249
2250         Optimize join of large empty arrays
2251         https://bugs.webkit.org/show_bug.cgi?id=199636
2252
2253         Reviewed by Mark Lam.
2254
2255         * microbenchmarks/large-empty-array-join.js: Added.
2256         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2257
2258 2019-07-06  Michael Saboff  <msaboff@apple.com>
2259
2260         switch(String) needs to check for exceptions when resolving the string
2261         https://bugs.webkit.org/show_bug.cgi?id=199541
2262
2263         Reviewed by Mark Lam.
2264
2265         New tests.
2266
2267         * stress/switch-string-oom.js: Added.
2268         (test):
2269         (testLowerTiers):
2270         (testFTL):
2271
2272 2019-07-05  Mark Lam  <mark.lam@apple.com>
2273
2274         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
2275         https://bugs.webkit.org/show_bug.cgi?id=199533
2276         <rdar://problem/52669111>
2277
2278         Reviewed by Filip Pizlo.
2279
2280         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2281
2282 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2283
2284         [JSC] Clean up ArraySpeciesCreate
2285         https://bugs.webkit.org/show_bug.cgi?id=182434
2286
2287         Reviewed by Yusuke Suzuki.
2288
2289         Adjusts error message expectations in stress tests.
2290
2291         * stress/array-flatmap.js:
2292         * stress/array-flatten.js:
2293         * stress/array-species-create-should-handle-masquerader.js:
2294         * test262/expectations.yaml: Mark 4 test cases as passing.
2295
2296 2019-07-02  Michael Saboff  <msaboff@apple.com>
2297
2298         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
2299         https://bugs.webkit.org/show_bug.cgi?id=199395
2300
2301         Reviewed by Filip Pizlo.
2302
2303         New regession test.
2304
2305         * stress/for-of-tdz-with-try-catch.js: Added.
2306         (test):
2307         (i.catch):
2308
2309 2019-07-02  Keith Miller  <keith_miller@apple.com>
2310
2311         Frozen Arrays length assignment should throw in strict mode
2312         https://bugs.webkit.org/show_bug.cgi?id=199365
2313
2314         Reviewed by Yusuke Suzuki.
2315
2316         * stress/frozen-array-length-should-throw-strict.js: Added.
2317         (test):
2318
2319 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2320
2321         [Wasm-References] Disable references by default
2322         https://bugs.webkit.org/show_bug.cgi?id=199390
2323
2324         Reviewed by Saam Barati.
2325
2326         * wasm/references-spec-tests/ref_is_null.js:
2327         * wasm/references-spec-tests/ref_null.js:
2328         * wasm/references/anyref_globals.js:
2329         * wasm/references/anyref_modules.js:
2330         * wasm/references/anyref_table.js:
2331         * wasm/references/anyref_table_import.js:
2332         * wasm/references/element_parsing.js:
2333         * wasm/references/func_ref.js:
2334         * wasm/references/is_null.js:
2335         * wasm/references/multitable.js:
2336         * wasm/references/table_misc.js:
2337         * wasm/references/validation.js:
2338
2339 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2340
2341         Unreviewed, rolling out r246946.
2342
2343         Caused JSC test crashes on arm64
2344
2345         Reverted changeset:
2346
2347         "Add b3 macro lowering for CheckMul on arm64"
2348         https://bugs.webkit.org/show_bug.cgi?id=199251
2349         https://trac.webkit.org/changeset/246946
2350
2351 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2352
2353         Add b3 macro lowering for CheckMul on arm64
2354         https://bugs.webkit.org/show_bug.cgi?id=199251
2355
2356         Reviewed by Robin Morisset.
2357
2358         * microbenchmarks/check-mul-constant.js: Added.
2359         (doTest):
2360         * microbenchmarks/check-mul-no-constant.js: Added.
2361         (doTest):
2362         * microbenchmarks/check-mul-power-of-two.js: Added.
2363         (doTest):
2364
2365 2019-06-26  Keith Miller  <keith_miller@apple.com>
2366
2367         speciesConstruct needs to throw if the result is a DataView
2368         https://bugs.webkit.org/show_bug.cgi?id=199231
2369
2370         Reviewed by Mark Lam.
2371
2372         * stress/typedarray-filter.js:
2373         (subclasses.forEach):
2374         * stress/typedarray-map.js:
2375         (subclasses.forEach):
2376         * stress/typedarray-slice.js:
2377         (typedArrays.forEach):
2378         * stress/typedarray-subarray.js:
2379         (subclasses.forEach):
2380
2381 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2382
2383         Unreviewed, rolling out r246714.
2384         https://bugs.webkit.org/show_bug.cgi?id=199179
2385
2386         revert to do patch in a different way. (Requested by keith_mi_
2387         on #webkit).
2388
2389         Reverted changeset:
2390
2391         "All prototypes should call didBecomePrototype()"
2392         https://bugs.webkit.org/show_bug.cgi?id=196315
2393         https://trac.webkit.org/changeset/246714
2394
2395 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2396
2397         Add Array.prototype.{flat,flatMap} to unscopables
2398         https://bugs.webkit.org/show_bug.cgi?id=194322
2399
2400         Reviewed by Keith Miller.
2401
2402         * stress/unscopables.js: Fix test.
2403         * test262/expectations.yaml: Mark 2 test cases as passing.
2404
2405 2019-06-21  Mark Lam  <mark.lam@apple.com>
2406
2407         ArraySlice needs to keep the source array alive.
2408         https://bugs.webkit.org/show_bug.cgi?id=197374
2409         <rdar://problem/50304429>
2410
2411         Reviewed by Michael Saboff and Filip Pizlo.
2412
2413         * stress/array-slice-must-keep-source-array-alive.js: Added.
2414
2415 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2416
2417         All prototypes should call didBecomePrototype()
2418         https://bugs.webkit.org/show_bug.cgi?id=196315
2419
2420         Reviewed by Saam Barati.
2421
2422         * stress/function-prototype-indexed-accessor.js: Added.
2423
2424 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2425
2426         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2427         https://bugs.webkit.org/show_bug.cgi?id=197631
2428
2429         Reviewed by Saam Barati.
2430
2431         * stress/has-own-property-arguments.js: Added.
2432         (shouldBe):
2433         (A):
2434
2435 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2436
2437         [JSC] ClassExpr should not store result in the middle of evaluation
2438         https://bugs.webkit.org/show_bug.cgi?id=199106
2439
2440         Reviewed by Tadeu Zagallo.
2441
2442         * stress/class-expression-should-store-result-at-last.js: Added.
2443         (shouldThrow):
2444         (shouldThrow.let.a):
2445
2446 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2447
2448         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2449         https://bugs.webkit.org/show_bug.cgi?id=199044
2450
2451         Reviewed by Saam Barati.
2452
2453         Add wasm references spec tests as well as a worker test.
2454
2455         * wasm.yaml:
2456         * wasm/Builder_WebAssemblyBinary.js:
2457         (const.emitters.Element):
2458         * wasm/js-api/element.js:
2459         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2460         * wasm/references-spec-tests/ref_is_null.js: Added.
2461         (hostref):
2462         (is_hostref):
2463         (is_funcref):
2464         (eq_ref):
2465         (let.handler.get target):
2466         (register):
2467         (module):
2468         (instance):
2469         (call):
2470         (get instance):
2471         (exports):
2472         (run):
2473         (assert_malformed):
2474         (assert_invalid):
2475         (assert_unlinkable):
2476         (assert_uninstantiable):
2477         (assert_trap):
2478         (try.f):
2479         (catch):
2480         (assert_exhaustion):
2481         (assert_return):
2482         (assert_return_canonical_nan):
2483         (assert_return_arithmetic_nan):
2484         (assert_return_ref):
2485         (assert_return_func):
2486         * wasm/references-spec-tests/ref_null.js: Added.
2487         (hostref):
2488         (is_hostref):
2489         (is_funcref):
2490         (eq_ref):
2491         (let.handler.get target):
2492         (register):
2493         (module):
2494         (instance):
2495         (call):
2496         (get instance):
2497         (exports):
2498         (run):
2499         (assert_malformed):
2500         (assert_invalid):
2501         (assert_unlinkable):
2502         (assert_uninstantiable):
2503         (assert_trap):
2504         (try.f):
2505         (catch):
2506         (assert_exhaustion):
2507         (assert_return):
2508         (assert_return_canonical_nan):
2509         (assert_return_arithmetic_nan):
2510         (assert_return_ref):
2511         (assert_return_func):
2512         * wasm/references/element_parsing.js: Added.
2513         (module):
2514         * wasm/references/func_ref.js:
2515         * wasm/references/multitable.js:
2516         * wasm/references/table_misc.js:
2517         (TableSize.0.End.End.WebAssembly):
2518         * wasm/references/validation.js:
2519         (assert.throws):
2520
2521 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2522
2523         Optimize `resolve` method lookup in Promise static methods
2524         https://bugs.webkit.org/show_bug.cgi?id=198864
2525
2526         Reviewed by Yusuke Suzuki.
2527
2528         * test262/expectations.yaml: Mark 18 test cases as passing.
2529
2530 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2531
2532         [WASM-References] Rename anyfunc to funcref
2533         https://bugs.webkit.org/show_bug.cgi?id=198983
2534
2535         Reviewed by Yusuke Suzuki.
2536
2537         * wasm/function-tests/basic-element.js:
2538         * wasm/function-tests/context-switch.js:
2539         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2540         (makeInstance):
2541         (assert.eq.makeInstance):
2542         * wasm/function-tests/exceptions.js:
2543         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2544         * wasm/function-tests/grow-memory-2.js:
2545         (assert.eq.instance.exports.foo):
2546         * wasm/function-tests/nameSection.js:
2547         (const.compile):
2548         * wasm/function-tests/stack-overflow.js:
2549         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2550         (assertOverflows.makeInstance):
2551         * wasm/function-tests/table-basic-2.js:
2552         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2553         * wasm/function-tests/table-basic.js:
2554         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2555         * wasm/function-tests/trap-from-start-async.js:
2556         * wasm/function-tests/trap-from-start.js:
2557         * wasm/js-api/Module.exports.js:
2558         (assert.truthy):
2559         * wasm/js-api/Module.imports.js:
2560         (assert.truthy):
2561         * wasm/js-api/call-indirect.js:
2562         (const.oneTable):
2563         (const.multiTable):
2564         (multiTable.const.makeTable):
2565         (multiTable):
2566         (multiTable.Polyphic2Import):
2567         (multiTable.VirtualImport):
2568         * wasm/js-api/element-data.js:
2569         * wasm/js-api/element.js:
2570         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2571         (assert.throws):
2572         (badInstantiation.makeModule):
2573         (badInstantiation.test):
2574         (badInstantiation):
2575         * wasm/js-api/extension-MemoryMode.js:
2576         * wasm/js-api/table.js:
2577         (new.WebAssembly.Module):
2578         (assert.throws):
2579         (assertBadTableImport):
2580         (assert.throws.WebAssembly.Table.prototype.grow):
2581         (new.WebAssembly.Table):
2582         (assertBadTable):
2583         (assert.truthy):
2584         * wasm/js-api/test_basic_api.js:
2585         (const.c.in.constructorProperties.switch):
2586         * wasm/js-api/unique-signature.js:
2587         (CallIndirectWithDuplicateSignatures):
2588         * wasm/js-api/wrapper-function.js:
2589         * wasm/modules/table.wat:
2590         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2591         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2592         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2593         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2594         * wasm/references/anyref_table.js:
2595         * wasm/references/anyref_table_import.js:
2596         (doSet):
2597         (assert.throws):
2598         * wasm/references/func_ref.js:
2599         (makeFuncrefIdent):
2600         (assert.eq.instance.exports.fix):
2601         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2602         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2603         (let.importedFun.of):
2604         (makeAnyfuncIdent): Deleted.
2605         (makeAnyfuncIdent.fun): Deleted.
2606         * wasm/references/multitable.js:
2607         (assert.eq):
2608         (assert.throws):
2609         * wasm/references/table_misc.js:
2610         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2611         * wasm/references/validation.js:
2612         (assert.throws.new.WebAssembly.Module.bin):
2613         (assert.throws):
2614         * wasm/spec-harness/index.js:
2615         * wasm/spec-harness/wasm-constants.js:
2616         * wasm/spec-harness/wasm-module-builder.js:
2617         (WasmModuleBuilder.prototype.toArray):
2618         * wasm/spec-harness/wast.js:
2619         (elem_type):
2620         (string_of_elem_type):
2621         (string_of_table_type):
2622         * wasm/spec-tests/jsapi.js:
2623         * wasm/stress/wasm-table-grow-initialize.js:
2624         * wasm/wasm.json:
2625
2626 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2627
2628         [WASM-References] Add support for Table.size, grow and fill instructions
2629         https://bugs.webkit.org/show_bug.cgi?id=198761
2630
2631         Reviewed by Yusuke Suzuki.
2632
2633         * wasm/Builder_WebAssemblyBinary.js:
2634         (const.putOp):
2635         * wasm/references/table_misc.js: Added.
2636         (TableSize.End.End.WebAssembly):
2637         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2638         * wasm/wasm.json:
2639
2640 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2641
2642         [WASM-References] Add support for multiple tables
2643         https://bugs.webkit.org/show_bug.cgi?id=198760
2644
2645         Reviewed by Saam Barati.
2646
2647         * wasm/Builder.js:
2648         * wasm/js-api/call-indirect.js:
2649         (const.oneTable):
2650         (const.multiTable):
2651         (multiTable):
2652         (multiTable.Polyphic2Import):
2653         (multiTable.VirtualImport):
2654         (const.wasmModuleWhichImportJS): Deleted.
2655         (const.makeTable): Deleted.
2656         (): Deleted.
2657         (Polyphic2Import): Deleted.
2658         (VirtualImport): Deleted.
2659         * wasm/js-api/table.js:
2660         (new.WebAssembly.Module):
2661         (assert.throws):
2662         (assertBadTableImport):
2663         (assert.truthy):
2664         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2665         * wasm/references/anyref_table.js:
2666         * wasm/references/anyref_table_import.js:
2667         (makeImport):
2668         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2669         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2670         * wasm/references/multitable.js: Added.
2671         (assert.throws.1.exports.set_tbl0):
2672         (assert.throws):
2673         (assert.eq):
2674         * wasm/references/validation.js:
2675         (assert.throws.new.WebAssembly.Module.bin):
2676         (assert.throws):
2677         * wasm/spec-tests/imports.wast.js:
2678         * wasm/wasm.json:
2679
2680         * wasm/Builder.js:
2681         * wasm/js-api/call-indirect.js:
2682         (const.oneTable):
2683         (const.multiTable):
2684         (multiTable):
2685         (multiTable.Polyphic2Import):
2686         (multiTable.VirtualImport):
2687         (const.wasmModuleWhichImportJS): Deleted.
2688         (const.makeTable): Deleted.
2689         (): Deleted.
2690         (Polyphic2Import): Deleted.
2691         (VirtualImport): Deleted.
2692         * wasm/js-api/table.js:
2693         (new.WebAssembly.Module):
2694         (assert.throws):
2695         (assertBadTableImport):
2696         (assert.truthy):
2697         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2698         * wasm/references/anyref_table.js:
2699         * wasm/references/anyref_table_import.js:
2700         (makeImport):
2701         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2702         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2703         * wasm/references/func_ref.js:
2704         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2705         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2706         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2707         * wasm/references/multitable.js: Added.
2708         (assert.throws.1.exports.set_tbl0):
2709         (assert.throws):
2710         (assert.eq):
2711         (string_appeared_here.tableInsanity):
2712         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2713         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2714         * wasm/references/validation.js:
2715         (assert.throws.new.WebAssembly.Module.bin):
2716         (assert.throws):
2717         * wasm/spec-tests/imports.wast.js:
2718         * wasm/wasm.json:
2719
2720 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2721
2722         [ESNExt] String.prototype.matchAll
2723         https://bugs.webkit.org/show_bug.cgi?id=186694
2724
2725         Reviewed by Yusuke Suzuki.
2726
2727         Implement String.prototype.matchAll.
2728         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2729
2730         * test262/config.yaml:
2731
2732 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2733
2734         DFG code should not reify the names of builtin functions with private names
2735         https://bugs.webkit.org/show_bug.cgi?id=198849
2736         <rdar://problem/51733890>
2737
2738         Reviewed by Filip Pizlo.
2739
2740         * stress/builtin-private-function-name.js: Added.
2741         (then):
2742         (PromiseLike):
2743
2744 2019-06-18  Keith Miller  <keith_miller@apple.com>
2745
2746         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2747         https://bugs.webkit.org/show_bug.cgi?id=198969
2748         <rdar://problem/51620714>
2749
2750         Reviewed by Tadeu Zagallo.
2751
2752         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2753         (catch):
2754
2755 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2756
2757         Validate that table element type is funcref if using an element section
2758         https://bugs.webkit.org/show_bug.cgi?id=198910
2759
2760         Reviewed by Yusuke Suzuki.
2761
2762         * wasm/references/anyref_table.js:
2763
2764 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2765
2766         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2767         https://bugs.webkit.org/show_bug.cgi?id=197378
2768
2769         Reviewed by Saam Barati.
2770
2771         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2772         (foo):
2773         (bar):
2774         * stress/disposable-call-site-index.js: Added.
2775         (foo):
2776         (bar):
2777
2778 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2779
2780         [WASM-References] Add support for Funcref in parameters and return types
2781         https://bugs.webkit.org/show_bug.cgi?id=198157
2782
2783         Reviewed by Yusuke Suzuki.
2784
2785         * wasm/Builder.js:
2786         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2787         * wasm/references/anyref_globals.js:
2788         * wasm/references/func_ref.js: Added.
2789         (fullGC.gc.makeExportedFunction):
2790         (makeExportedIdent):
2791         (makeAnyfuncIdent):
2792         (fun):
2793         (assert.eq.instance.exports.fix.fun):
2794         (assert.eq.instance.exports.fix):
2795         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2796         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2797         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2798         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2799         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2800         (assert.throws):
2801         (assert.throws.doTest):
2802         (let.importedFun.of):
2803         (makeAnyfuncIdent.fun):
2804         * wasm/references/validation.js:
2805         (assert.throws):
2806         * wasm/wasm.json:
2807
2808 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2809
2810         Update test262 tests (2019.06.13)
2811         https://bugs.webkit.org/show_bug.cgi?id=198821
2812
2813         Reviewed by Konstantin Tokarev.
2814
2815         * test262/expectations.yaml:
2816         * test262/harness/:
2817         * test262/latest-changes-summary.txt:
2818         * test262/test/:
2819         * test262/test262-Revision.txt:
2820
2821 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2822
2823         [JSC] Grown region of WasmTable should be initialized with null
2824         https://bugs.webkit.org/show_bug.cgi?id=198903
2825
2826         Reviewed by Saam Barati.
2827
2828         * wasm/stress/wasm-table-grow-initialize.js: Added.
2829         (shouldBe):
2830
2831 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2832
2833         Yarr bytecode compilation failure should be gracefully handled
2834         https://bugs.webkit.org/show_bug.cgi?id=198700
2835
2836         Reviewed by Michael Saboff.
2837
2838         * stress/regexp-bytecode-compilation-fail.js: Added.
2839         (shouldThrow):
2840
2841 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2842
2843         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2844         https://bugs.webkit.org/show_bug.cgi?id=198770
2845
2846         Reviewed by Saam Barati.
2847
2848         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2849         (test):
2850
2851 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2852
2853         JSC should throw if proxy set returns falsish in strict mode context
2854         https://bugs.webkit.org/show_bug.cgi?id=177398
2855
2856         Reviewed by Yusuke Suzuki.
2857
2858         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2859         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2860
2861         * stress/proxy-set.js: Add 2 test cases.
2862         * stress/regexp-match-proxy.js: Fix test.
2863         * stress/regexp-replace-proxy.js: Fix test.
2864
2865 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2866
2867         Error message for non-callable Proxy `construct` trap is misleading
2868         https://bugs.webkit.org/show_bug.cgi?id=198637
2869
2870         Reviewed by Saam Barati.
2871
2872         * stress/proxy-construct.js:
2873
2874 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2875
2876         AI BitURShift's result should not be unsigned
2877         https://bugs.webkit.org/show_bug.cgi?id=198689
2878         <rdar://problem/51550063>
2879
2880         Reviewed by Saam Barati.
2881
2882         * stress/urshift-int32-overflow.js: Added.
2883         (foo.):
2884         (foo):
2885
2886 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2887
2888         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2889
2890         Unreviewed gardening.
2891
2892         * stress/ftl-gettypedarrayoffset-wasteful.js:
2893         Skipped on arm/linux as it always times out on the bot since a change
2894         between r246270 and r246278 inclusive.
2895
2896 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2897
2898         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2899         https://bugs.webkit.org/show_bug.cgi?id=198023
2900
2901         Reviewed by Saam Barati.
2902
2903         * stress/reparsing-unlinked-codeblock.js: Added.
2904         (shouldBe):
2905         (hello):
2906
2907 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2908
2909         [JSC] Use mergePrediction in ValuePow prediction propagation
2910         https://bugs.webkit.org/show_bug.cgi?id=198648
2911
2912         Reviewed by Saam Barati.
2913
2914         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2915
2916 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2917
2918         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2919         https://bugs.webkit.org/show_bug.cgi?id=198581
2920         <rdar://problem/51099753>
2921
2922         Reviewed by Saam Barati.
2923
2924         * stress/global-object-proto-getter.js: Added.
2925         (f):
2926         (test):
2927
2928 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2929
2930         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2931         https://bugs.webkit.org/show_bug.cgi?id=198398
2932
2933         Reviewed by Saam Barati.
2934
2935         * wasm/references/anyref_table.js: Added.
2936         (string_appeared_here.doGCSet):
2937         (doGCTest):
2938         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2939         * wasm/references/anyref_table_import.js: Added.
2940         (makeImport):
2941         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2942         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2943         * wasm/references/is_null_error.js: Removed.
2944         * wasm/references/validation.js: Added.
2945         (assert.throws.new.WebAssembly.Module.bin):
2946         (assert.throws):
2947         * wasm/wasm.json:
2948
2949 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2950
2951         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2952         https://bugs.webkit.org/show_bug.cgi?id=198106
2953
2954         Reviewed by Saam Barati.
2955
2956         * wasm/regress/selectf64.js: Added.
2957         * wasm/regress/selectf64.wasm: Added.
2958         * wasm/regress/selectf64.wat: Added.
2959
2960 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2961
2962         Argument elimination should check transitive dependents for interference
2963         https://bugs.webkit.org/show_bug.cgi?id=198520
2964         <rdar://problem/50863343>
2965
2966         Reviewed by Filip Pizlo.
2967
2968         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2969         (f2):
2970         (f3):
2971
2972 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2973
2974         Argument elimination should check for negative indices in GetByVal
2975         https://bugs.webkit.org/show_bug.cgi?id=198302
2976         <rdar://problem/51188095>
2977
2978         Reviewed by Filip Pizlo.
2979
2980         * stress/eliminate-arguments-negative-rest-access.js: Added.
2981         (inlinee):
2982         (opt):
2983
2984 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2985
2986         [ESNext][BigInt] Implement support for "**"
2987         https://bugs.webkit.org/show_bug.cgi?id=190799
2988
2989         Reviewed by Saam Barati.
2990
2991         * stress/big-int-exp-basic.js: Added.
2992         * stress/big-int-exp-jit-osr.js: Added.
2993         * stress/big-int-exp-jit-untyped.js: Added.
2994         * stress/big-int-exp-jit.js: Added.
2995         * stress/big-int-exp-negative-exponent.js: Added.
2996         * stress/big-int-exp-to-primitive.js: Added.
2997         * stress/big-int-exp-type-error.js: Added.
2998         * stress/big-int-exp-wrapped-value.js: Added.
2999         * stress/value-pow-ai-rule.js: Added.
3000
3001 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
3002
3003         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
3004         https://bugs.webkit.org/show_bug.cgi?id=197979
3005
3006         Reviewed by Filip Pizlo.
3007
3008         * stress/16bit-code.js: Added.
3009         (shouldBe):
3010         * stress/32bit-code.js: Added.
3011         (shouldBe):
3012
3013 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
3014
3015         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
3016         https://bugs.webkit.org/show_bug.cgi?id=198355
3017
3018         Reviewed by Saam Barati.
3019
3020         * wasm/references/is_null.js:
3021
3022 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
3023
3024         [PlayStation] Skip additional tests on PlayStation
3025         https://bugs.webkit.org/show_bug.cgi?id=198352
3026
3027         Reviewed by Don Olmstead.
3028
3029         Skip pow test on PlayStation due to behavior difference in standard library.
3030         Skip incremental marking test due to OOM on PlayStation systems.
3031
3032         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
3033         * stress/math-pow-with-constants.js:
3034         * stress/pow-with-constants.js:
3035
3036 2019-05-28  Dean Jackson  <dino@apple.com>
3037
3038         Implement Promise.allSettled
3039         https://bugs.webkit.org/show_bug.cgi?id=197600
3040         <rdar://problem/50483885>
3041
3042         Reviewed by Keith Miller.
3043
3044         Start testing Promise.allSettled. We pass most of the tests.
3045         The ones that fail are similar to the Promise.all tests we already fail.
3046
3047         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
3048         * test262/expectations.yaml: Add new expectations for allSettled tests.
3049
3050 2019-05-28  Michael Saboff  <msaboff@apple.com>
3051
3052         [YARR] Properly handle RegExp's that require large ParenContext space
3053         https://bugs.webkit.org/show_bug.cgi?id=198065
3054
3055         Reviewed by Keith Miller.
3056
3057         New test.
3058
3059         * stress/regexp-large-paren-context.js: Added.
3060         (testLargeRegExp):
3061
3062 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
3063
3064         JITOperations putByVal should mark negative array indices as out-of-bounds
3065         https://bugs.webkit.org/show_bug.cgi?id=198271
3066
3067         Reviewed by Saam Barati.
3068
3069         * microbenchmarks/get-by-val-negative-array-index.js:
3070         (foo):
3071         Update the getByVal microbenchmark added in r245769. This now shows that r245769
3072         is 4.2x faster than the previous commit.
3073
3074         * microbenchmarks/put-by-val-negative-array-index.js: Added.
3075         (foo):
3076
3077 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
3078
3079         JITOperations getByVal should mark negative array indices as out-of-bounds
3080         https://bugs.webkit.org/show_bug.cgi?id=198229
3081
3082         Reviewed by Saam Barati.
3083
3084         * microbenchmarks/get-by-val-negative-array-index.js: Added.
3085         (foo):
3086
3087 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
3088
3089         [WASM-References] Support Anyref in globals
3090         https://bugs.webkit.org/show_bug.cgi?id=198102
3091
3092         Reviewed by Saam Barati.
3093
3094         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
3095
3096         * wasm/Builder.js:
3097         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
3098         * wasm/Builder_WebAssemblyBinary.js:
3099         (const.putInitExpr):
3100         * wasm/references/anyref_globals.js: Added.
3101         (GetGlobal.0.End.End.WebAssembly):
3102         (5.doGCSet):
3103         (doGCTest):
3104         (doGCSet.doGCTest.let.count.0.doBarrierSet):
3105
3106 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3107
3108         DFG::OSREntry should not perform arity check
3109         https://bugs.webkit.org/show_bug.cgi?id=198189
3110
3111         Reviewed by Saam Barati.
3112
3113         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
3114         (foo):
3115
3116 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
3117
3118         [PlayStation] Skip additional tests on PlayStation
3119         https://bugs.webkit.org/show_bug.cgi?id=198145
3120
3121         Reviewed by Ross Kirsling.
3122
3123         * exceptionFuzz.yaml:
3124         Add skip on hostOS playstation
3125         * executableAllocationFuzz.yaml:
3126         Add skip on hostOS playstation
3127
3128 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3129
3130         createListFromArrayLike should throw if value is not an object
3131         https://bugs.webkit.org/show_bug.cgi?id=198138
3132
3133         Reviewed by Yusuke Suzuki.
3134
3135         * stress/create-list-from-array-like-not-object.js: Added.
3136         (testValid):
3137         (testInvalid):
3138         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
3139         (opt):
3140         * stress/proxy-proto-enumerator.js: Added.
3141         (main):
3142         * stress/proxy-proto-own-keys.js: Added.
3143         (assert):
3144         (ownKeys):
3145
3146 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3147
3148         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
3149         https://bugs.webkit.org/show_bug.cgi?id=197809
3150
3151         Reviewed by Michael Saboff.
3152
3153         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
3154         (foo):
3155
3156 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3157
3158         [ESNext] Implement support for Numeric Separators
3159         https://bugs.webkit.org/show_bug.cgi?id=196351
3160
3161         Reviewed by Keith Miller.
3162
3163         * stress/numeric-literal-separators.js: Added.
3164         Add tests for feature.
3165
3166         * test262/expectations.yaml:
3167         Mark 60 test cases as passing.
3168
3169 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3170
3171         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
3172         https://bugs.webkit.org/show_bug.cgi?id=198120
3173         <rdar://problem/49668795>
3174
3175         Reviewed by Michael Saboff.
3176
3177         * stress/get-array-length-concurrently-change-mode.js: Added.
3178         (main):
3179
3180 2019-05-22  Commit Queue  <commit-queue@webkit.org>
3181
3182         Unreviewed, rolling out r245634.
3183         https://bugs.webkit.org/show_bug.cgi?id=198140
3184
3185         'This patch makes JSC crash on launch in debug builds'
3186         (Requested by tadeuzagallo on #webkit).
3187
3188         Reverted changeset:
3189
3190         "[ESNext] Implement support for Numeric Separators"
3191         https://bugs.webkit.org/show_bug.cgi?id=196351
3192         https://trac.webkit.org/changeset/245634
3193
3194 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3195
3196         Stack-buffer-overflow in decodeURIComponent
3197         https://bugs.webkit.org/show_bug.cgi?id=198109
3198         <rdar://problem/50397550>
3199
3200         Reviewed by Michael Saboff.
3201
3202         * stress/decode-uri-icu-count-trail-bytes.js: Added.
3203         (i.j.try.i.toString):
3204         (i.j.catch):
3205
3206 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3207
3208         Don't clear PropertyNameArray in Proxy code
3209         https://bugs.webkit.org/show_bug.cgi?id=197691
3210
3211         Reviewed by Saam Barati.
3212
3213         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
3214         (shouldBe):
3215         (opt):
3216
3217 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3218
3219         [ESNext] Implement support for Numeric Separators
3220         https://bugs.webkit.org/show_bug.cgi?id=196351
3221
3222         Reviewed by Keith Miller.
3223
3224         * stress/numeric-literal-separators.js: Added.
3225         Add tests for feature.
3226
3227         * test262/expectations.yaml:
3228         Mark 60 test cases as passing.
3229
3230 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3231
3232         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
3233         https://bugs.webkit.org/show_bug.cgi?id=198101
3234
3235         Reviewed by Michael Saboff.
3236
3237         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
3238         (shouldBe):
3239
3240 2019-05-20  Keith Miller  <keith_miller@apple.com>
3241
3242         Cleanup Yarr regexp code around paren contexts.
3243         https://bugs.webkit.org/show_bug.cgi?id=198063
3244
3245         Reviewed by Yusuke Suzuki.
3246
3247         * stress/regexp-many-named-sequential-capture-groups.js: Added.
3248         (i.s):
3249         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
3250
3251 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
3252
3253         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
3254         https://bugs.webkit.org/show_bug.cgi?id=197969
3255
3256         Reviewed by Keith Miller.
3257
3258         Support the anyref type in Builder.js, plus add some extra error logging.
3259         Add new folder for wasm references tests.
3260
3261         * wasm.yaml:
3262         * wasm/Builder.js:
3263         (const._isValidValue):
3264         * wasm/references/anyref_modules.js: Added.
3265         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
3266         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
3267         (Call.3.RefIsNull.End.End.WebAssembly):
3268         (undefined):
3269         * wasm/references/is_null.js: Added.
3270         * wasm/references/is_null_error.js: Added.
3271         * wasm/spec-harness/index.js:
3272         * wasm/wasm.json:
3273
3274 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
3275
3276         [JSC] Invalid AssignmentTargetType should be an early error.
3277         https://bugs.webkit.org/show_bug.cgi?id=197603
3278
3279         Reviewed by Keith Miller.
3280
3281         * test262/expectations.yaml:
3282         Update expectations to reflect new SyntaxErrors.
3283         (Ideally, these should all be viewed as passing in the near future.)
3284
3285         * stress/async-await-basic.js:
3286         * stress/big-int-literals.js:
3287         Update tests to reflect new SyntaxErrors.
3288
3289         * ChakraCore.yaml:
3290         * ChakraCore/test/EH/try6.baseline-jsc:
3291         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
3292         Update baselines to reflect new SyntaxErrors.
3293
3294 2019-05-15  Saam Barati  <sbarati@apple.com>
3295
3296         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
3297         https://bugs.webkit.org/show_bug.cgi?id=197855
3298         <rdar://problem/50236506>
3299
3300         Reviewed by Michael Saboff.
3301
3302         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
3303         (f0):
3304         (bar):
3305         (foo):
3306         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
3307         (f1):
3308         (f2):
3309         (foo):
3310
3311 2019-05-14  Keith Miller  <keith_miller@apple.com>
3312
3313         Fix issue with byteOffset on ARM64E
3314         https://bugs.webkit.org/show_bug.cgi?id=197884
3315
3316         Reviewed by Saam Barati.
3317
3318         We didn't have any tests that run with non-byte/non-zero offset
3319         typed arrays.
3320
3321         * stress/ftl-gettypedarrayoffset-wasteful.js:
3322
3323 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
3324
3325         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
3326         https://bugs.webkit.org/show_bug.cgi?id=197833
3327
3328         Reviewed by Darin Adler.
3329
3330         * stress/generator-name.js: Added.
3331         (shouldBe):
3332         (gen):
3333         (catch):
3334
3335 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
3336
3337         JSObject::getOwnPropertyDescriptor is missing an exception check
3338         https://bugs.webkit.org/show_bug.cgi?id=197693
3339         <rdar://problem/50441784>
3340
3341         Reviewed by Saam Barati.
3342
3343         * stress/proxy-spread.js: Added.
3344         (foo):
3345
3346 2019-05-10  Saam barati  <sbarati@apple.com>
3347
3348         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
3349         https://bugs.webkit.org/show_bug.cgi?id=197807
3350         <rdar://problem/50530400>
3351
3352         Reviewed by Yusuke Suzuki.
3353
3354         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
3355         (test.getInstance):
3356         (test):
3357
3358 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
3359
3360         [Test262] Unreviewed expectations update following r245188.
3361
3362         * test262/config.yaml:
3363         * test262/expectations.yaml:
3364
3365         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
3366         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
3367         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
3368         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
3369         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
3370         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
3371         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
3372         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
3373         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
3374         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
3375         These files have invalid YAML comments. Will also submit corrections back to Test262.
3376
3377 2019-05-10  Keith Miller  <keith_miller@apple.com>
3378
3379         Update test262 tests.
3380
3381         Rubber-stamped by Yusuke Suzuki.
3382
3383         * test262/*: mega-patch too many things to list individually.
3384
3385 2019-05-09  Keith Miller  <keith_miller@apple.com>
3386
3387         Unreview, fix test to have a try-catch.
3388
3389         * stress/many-nested-functions-parser-stack-overflow.js:
3390         (catch):
3391
3392 2019-05-09  Keith Miller  <keith_miller@apple.com>
3393
3394         parseStatementListItem needs a stack overflow check
3395         https://bugs.webkit.org/show_bug.cgi?id=197749
3396
3397         Reviewed by Saam Barati.
3398
3399         * stress/many-nested-functions-parser-stack-overflow.js: Added.
3400
3401 2019-05-08  Saam barati  <sbarati@apple.com>
3402
3403         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
3404         https://bugs.webkit.org/show_bug.cgi?id=197715
3405         <rdar://problem/50399252>
3406
3407         Reviewed by Filip Pizlo.
3408
3409         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
3410         (foo):
3411         (bar):
3412
3413 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3414
3415         Unreviewed, rolling out r245068.
3416
3417         Caused debug layout tests to exit early due to an assertion
3418         failure.
3419
3420         Reverted changeset:
3421
3422         "All prototypes should call didBecomePrototype()"
3423         https://bugs.webkit.org/show_bug.cgi?id=196315
3424         https://trac.webkit.org/changeset/245068
3425
3426 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3427
3428         Invalid DFG JIT genereation in high CPU usage state
3429         https://bugs.webkit.org/show_bug.cgi?id=197453
3430
3431         Reviewed by Saam Barati.
3432
3433         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3434         (trigger):
3435         (main):
3436
3437 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3438
3439         All prototypes should call didBecomePrototype()
3440         https://bugs.webkit.org/show_bug.cgi?id=196315
3441
3442         Reviewed by Saam Barati.
3443
3444         This changelog already landed, but the commit was missing the actual changes.
3445
3446         * stress/function-prototype-indexed-accessor.js: Added.
3447
3448 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3449
3450         [BigInt] Add ValueMod into DFG
3451         https://bugs.webkit.org/show_bug.cgi?id=186174
3452
3453         Reviewed by Saam Barati.
3454
3455         * microbenchmarks/mod-untyped.js: Added.
3456         * stress/big-int-mod-osr.js: Added.
3457         * stress/value-div-ai-rule.js: Added.
3458         * stress/value-mod-ai-rule.js: Added.
3459
3460 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3461
3462         [JSC] DFG_ASSERT failed in lowInt52
3463         https://bugs.webkit.org/show_bug.cgi?id=197569
3464
3465         Reviewed by Saam Barati.
3466
3467         * stress/getstack-int52.js: Added.
3468         (opt):
3469         (main):
3470
3471 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3472
3473         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3474         https://bugs.webkit.org/show_bug.cgi?id=197479
3475
3476         Reviewed by Saam Barati.
3477
3478         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3479         (shouldBe):
3480
3481 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3482
3483         TemplateObject passed to template literal tags are not always identical for the same source location.
3484         https://bugs.webkit.org/show_bug.cgi?id=190756
3485
3486         Reviewed by Saam Barati.
3487
3488         * complex.yaml:
3489         * complex/tagged-template-regeneration-after.js: Added.
3490         (shouldBe):
3491         * complex/tagged-template-regeneration.js: Added.
3492         (call):
3493         (test):
3494         * modules/tagged-template-inside-module.js: Added.
3495         (from.string_appeared_here.call):
3496         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3497         (call):
3498         (export.otherTaggedTemplates):
3499         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3500         (shouldBe):
3501         (call):
3502         (poly):
3503         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3504         (shouldBe):
3505         (call):
3506         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3507         (shouldBe):
3508         (call):
3509         (test):
3510         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3511         (shouldBe):
3512         (call):
3513         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3514         (shouldBe):
3515         (call):
3516         * stress/tagged-templates-in-multiple-functions.js: Added.
3517         (shouldBe):
3518         (call):
3519         (a):
3520         (b):
3521         (c):
3522         * stress/tagged-templates-with-same-start-offset.js: Added.
3523         (shouldBe):
3524
3525 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3526
3527         All prototypes should call didBecomePrototype()
3528         https://bugs.webkit.org/show_bug.cgi?id=196315
3529
3530         Reviewed by Saam Barati.
3531
3532         * stress/function-prototype-indexed-accessor.js: Added.
3533
3534 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3535
3536         Unreviewed, rolling out r244978.
3537         https://bugs.webkit.org/show_bug.cgi?id=197671
3538
3539         TemplateObject map should use start/end offsets (Requested by
3540         yusukesuzuki on #webkit).
3541
3542         Reverted changeset:
3543
3544         "TemplateObject passed to template literal tags are not always
3545         identical for the same source location."
3546         https://bugs.webkit.org/show_bug.cgi?id=190756
3547         https://trac.webkit.org/changeset/244978
3548
3549 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3550
3551         tryCachePutByID should not crash if target offset changes
3552         https://bugs.webkit.org/show_bug.cgi?id=197311
3553         <rdar://problem/48033612>
3554
3555         Reviewed by Filip Pizlo.
3556
3557         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
3558         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
3559
3560         * stress/cache-put-by-id-delete-prototype.js: Added.
3561         (A.prototype.set y):
3562         (A):
3563         (B.prototype.set y):
3564         (B):
3565         (C):
3566         * stress/cache-put-by-id-different-__proto__.js: Added.
3567         (A.prototype.set y):
3568         (A):
3569         (B1):
3570         (B2.prototype.set y):
3571         (B2):
3572         (C):
3573         (D):
3574         * stress/cache-put-by-id-different-attributes.js: Added.
3575         (Foo):
3576         (set x):
3577         * stress/cache-put-by-id-different-offset.js: Added.
3578         (Foo):
3579         (set x):
3580         * stress/cache-put-by-id-insert-prototype.js: Added.
3581         (A.prototype.set y):
3582         (A):
3583         (C):
3584         * stress/cache-put-by-id-poly-proto.js: Added.
3585         (Foo):
3586         (set _):
3587         (createBar.Bar):
3588         (createBar):
3589
3590 2019-05-07  Saam Barati  <sbarati@apple.com>
3591
3592         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3593         https://bugs.webkit.org/show_bug.cgi?id=197531
3594         <rdar://problem/50162379>
3595
3596         Reviewed by Yusuke Suzuki.
3597
3598         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3599
3600 2019-05-06  Dean Jackson  <dino@apple.com>
3601
3602         Update test262 expectations for Proxy passes
3603         https://bugs.webkit.org/show_bug.cgi?id=197628
3604
3605         Reviewed by Yusuke Suzuki.
3606
3607         There are two consistent passes in Proxy.ownKeys.
3608
3609         * test262/expectations.yaml:
3610
3611 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3612
3613         [JSC] We should check OOM for description string of Symbol
3614         https://bugs.webkit.org/show_bug.cgi?id=197634
3615
3616         Reviewed by Keith Miller.
3617
3618         * stress/check-symbol-description-oom.js: Added.
3619         (shouldThrow):
3620
3621 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3622
3623         Unreviewed, land one more test
3624         https://bugs.webkit.org/show_bug.cgi?id=197587
3625
3626         * stress/setter-frame-flush.js: Added.
3627         (setter):
3628         (foo):
3629         (bar):
3630
3631 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3632
3633         TemplateObject passed to template literal tags are not always identical for the same source location.
3634         https://bugs.webkit.org/show_bug.cgi?id=190756
3635
3636         Reviewed by Saam Barati.
3637
3638         * complex.yaml:
3639         * complex/tagged-template-regeneration-after.js: Added.
3640         (shouldBe):
3641         * complex/tagged-template-regeneration.js: Added.
3642         (call):
3643         (test):
3644         * modules/tagged-template-inside-module.js: Added.
3645         (from.string_appeared_here.call):
3646         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3647         (call):
3648         (export.otherTaggedTemplates):
3649         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3650         (shouldBe):
3651         (call):
3652         (poly):
3653         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3654         (shouldBe):
3655         (call):
3656         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3657         (shouldBe):
3658         (call):
3659         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3660         (shouldBe):
3661         (call):
3662         * stress/tagged-templates-in-multiple-functions.js: Added.
3663         (shouldBe):
3664         (call):
3665         (a):
3666         (b):
3667         (c):
3668
3669 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3670
3671         [PlayStation] JSC Stress tests failing due to timezone printing
3672         https://bugs.webkit.org/show_bug.cgi?id=197615
3673
3674         PlayStation's strftime does not give timezone strings, which
3675         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3676         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3677         which causes diff failures with the expectations. Add expectations
3678         without the timezone string and use those on playstation.
3679
3680         Reviewed by Ross Kirsling.
3681
3682         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3683         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3684         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3685         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3686
3687 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3688
3689         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3690         https://bugs.webkit.org/show_bug.cgi?id=197587
3691
3692         Reviewed by Sam Weinig.
3693
3694         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3695
3696         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3697
3698 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3699
3700