462ba63a351616452e29ae36a7445f5e3e49ccfe
[WebKit-https.git] / JSTests / ChangeLog
1 2019-10-08  Alexey Shvayka  <shvaikalesh@gmail.com>
2
3         JSON.parse incorrectly handles array proxies
4         https://bugs.webkit.org/show_bug.cgi?id=199292
5
6         Reviewed by Saam Barati.
7
8         * microbenchmarks/json-parse-array-reviver-same-value.js: Added.
9         * microbenchmarks/json-parse-array-reviver.js: Added.
10         * microbenchmarks/json-parse-object-reviver-same-value.js: Added.
11         * microbenchmarks/json-parse-object-reviver.js: Added.
12         * stress/json-parse-reviver-array-proxy.js: Added.
13         * stress/json-parse-reviver-revoked-proxy.js: Added.
14         * test262/expectations.yaml: Mark 6 test cases as passing.
15
16 2019-10-08  Ross Kirsling  <ross.kirsling@sony.com>
17
18         Update test262 (2019.10.08).
19
20         Rubber-stamped by Keith Miller.
21
22         * test262/config.yaml:
23         * test262/expectations.yaml:
24         * test262/latest-changes-summary.txt:
25         * test262/test/:
26         * test262/test262-Revision.txt:
27
28 2019-10-07  Saam Barati  <sbarati@apple.com>
29
30         Allow OSR exit to the LLInt
31         https://bugs.webkit.org/show_bug.cgi?id=197993
32
33         Reviewed by Tadeu Zagallo.
34
35         * stress/exit-from-getter-by-val.js: Added.
36         * stress/exit-from-setter-by-val.js: Added.
37
38 2019-10-07  Matt Lewis  <jlewis3@apple.com>
39
40         Unreviewed, rolling out r250750.
41
42         Reverting change as this broke interal test over the weekend.
43
44         Reverted changeset:
45
46         "Allow OSR exit to the LLInt"
47         https://bugs.webkit.org/show_bug.cgi?id=197993
48         https://trac.webkit.org/changeset/250750
49
50 2019-10-04  Saam Barati  <sbarati@apple.com>
51
52         Allow OSR exit to the LLInt
53         https://bugs.webkit.org/show_bug.cgi?id=197993
54
55         Reviewed by Tadeu Zagallo.
56
57         * stress/exit-from-getter-by-val.js: Added.
58         * stress/exit-from-setter-by-val.js: Added.
59
60 2019-10-04  Paulo Matos  <pmatos@igalia.com>
61
62         Revert regexp test skip on armv7l and mips
63         https://bugs.webkit.org/show_bug.cgi?id=202310
64
65         Reviewed by Žan Doberšek.
66
67         Test was skipped in bug 202113 on armv7l and mips due to bug 202041.
68         Bug 202041 is fixed and change of bug 202113 can be reverted.
69
70         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
71
72 2019-10-02  Mark Lam  <mark.lam@apple.com>
73
74         DoubleToStringConverter::ToExponential() should null terminate its string.
75         https://bugs.webkit.org/show_bug.cgi?id=202492
76         <rdar://problem/55907708>
77
78         Reviewed by Filip Pizlo.
79
80         * stress/dtoa-AddSubstring-should-uses-strnlen-in-assertion.js: Added.
81
82 2019-10-02  Yusuke Suzuki  <ysuzuki@apple.com>
83
84         [JSC] AsyncGenerator should have internal fields
85         https://bugs.webkit.org/show_bug.cgi?id=201498
86
87         Reviewed by Saam Barati.
88
89         * stress/async-generator-construct-failure.js: Added.
90         (shouldThrow):
91         (async.gen):
92         (TypeError):
93         * stress/async-generator-prototype-change.js: Added.
94         (shouldBe):
95         (async.gen):
96         * stress/async-generator-prototype-closure.js: Added.
97         (shouldBe):
98         (test.async.gen):
99         (test):
100         * stress/create-async-generator.js: Added.
101         (shouldBe):
102         (test.async.generator):
103         (test):
104
105 2019-10-01  Saam Barati  <sbarati@apple.com>
106
107         ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
108         https://bugs.webkit.org/show_bug.cgi?id=199361
109         <rdar://problem/52454940>
110
111         Reviewed by Yusuke Suzuki.
112
113         * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
114         (main.fn):
115         (main.executor):
116         (main):
117         * stress/allocation-sinking-hints-are-valid-ssa.js: Added.
118         (main.fn):
119         (main.executor):
120         (main):
121
122 2019-10-01  Keith Miller  <keith_miller@apple.com>
123
124         skip test until we figure out why it's timing out
125         https://bugs.webkit.org/show_bug.cgi?id=202423
126
127         Reviewed by Mark Lam.
128
129         new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
130         Let's skip it until we figure out what's going on.
131
132         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
133
134 2019-10-01  Keith Miller  <keith_miller@apple.com>
135
136         Mark toctou test as skipped on debug builds
137         https://bugs.webkit.org/show_bug.cgi?id=202420
138
139         Reviewed by Saam Barati.
140
141         Keeps timing out... Let's just skip it.
142
143         * stress/toctou-having-a-bad-time-new-array.js:
144
145 2019-10-01  Keith Miller  <keith_miller@apple.com>
146
147         Test262 update
148
149         Rubber-stamped by Michael Saboff.
150
151         Note, this was too big to effectivetly put on bugzilla as it's a 10MB patch...
152
153         * test262/*:
154
155 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
156
157         [YARR] Properly handle surrogates when matching back references
158         https://bugs.webkit.org/show_bug.cgi?id=202041
159
160         Reviewed by Keith Miller.
161
162         Unchanged from the workin progress patch posted by Paulo Matos <pmatos@igalia.com>.
163
164         Updated test.
165
166         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
167         (testRegExpNotMatch):
168
169 2019-10-01  Keith Miller  <keith_miller@apple.com>
170
171         Add support for the Wasm multi-value proposal
172         https://bugs.webkit.org/show_bug.cgi?id=202250
173
174         Reviewed by Saam Barati.
175
176         This patch adds a new way to run stress tests via the .wat text
177         format. By attaching an asm.js compiled version of the wabt tool
178         we can easily create wat files programatically and convert them
179         into a wasm blob to compile. To make this easy there is a
180         wabt-wrapper.js module file that exports two useful functions that
181         correspond to WebAssembly.compile and WebAssembly.instantiate.
182
183         * wasm.yaml:
184         * wasm/function-tests/if-no-else-non-void.js:
185         * wasm/js-api/web-assembly-instantiate.js:
186         (assert.asyncTest.async.test):
187         (assert.asyncTest):
188         * wasm/libwabt.js: Added.
189         (WabtModule):
190         (set get if):
191         * wasm/references/func_ref.js:
192         * wasm/references/validation.js:
193         (assert.throws):
194         * wasm/spec-harness/index.js:
195         * wasm/spec-tests/block.wast.js:
196         * wasm/spec-tests/br.wast.js:
197         * wasm/spec-tests/br_if.wast.js:
198         * wasm/spec-tests/call.wast.js:
199         * wasm/spec-tests/call_indirect.wast.js:
200         * wasm/spec-tests/func.wast.js:
201         * wasm/spec-tests/if.wast.js:
202         * wasm/spec-tests/loop.wast.js:
203         * wasm/spec-tests/type.wast.js:
204         * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
205         (buildWat):
206         * wasm/stress/js-wasm-js-varying-arities.js: Added.
207         (paramForwarder):
208         * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
209         (buildWat):
210         * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
211         (buildWat.throwError):
212         (buildWat.throwErrorInIterator):
213         (buildWat.tooManyValues):
214         (buildWat.tooFewValues):
215         (buildWat):
216         * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
217         (buildWat):
218         * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
219         (buildWat):
220         * wasm/wabt-wrapper.js: Added.
221         (export.compile):
222         * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
223         * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
224         * wasm/wast-tests/harness.js:
225         (async.runWasmFile):
226         * wasm/wast-tests/single-param-loop-signature.wasm: Added.
227         * wasm/wast-tests/single-param-loop-signature.wast: Added.
228
229 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
230
231         Make assertion in JSObject::putOwnDataProperty more precise
232         https://bugs.webkit.org/show_bug.cgi?id=202379
233         <rdar://problem/49515980>
234
235         Reviewed by Yusuke Suzuki.
236
237         * stress/object-assign-target-proto-setter.js: Added.
238         (get Object):
239
240 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
241
242         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
243         https://bugs.webkit.org/show_bug.cgi?id=202389
244         <rdar://problem/50717564>
245
246         Reviewed by Mark Lam.
247
248         * stress/heap-analyzer-taking-lock.js: Added.
249
250 2019-09-30  Saam Barati  <sbarati@apple.com>
251
252         Inline caching is wrong for custom accessors and custom values
253         https://bugs.webkit.org/show_bug.cgi?id=201994
254         <rdar://problem/50850326>
255
256         Reviewed by Yusuke Suzuki.
257
258         * microbenchmarks/custom-accessor-materialized.js: Added.
259         (assert):
260         (test4.get const):
261         * microbenchmarks/custom-accessor-thin-air.js: Added.
262         (assert):
263         (test5.get const):
264         (test5.get proto):
265         * microbenchmarks/custom-accessor.js: Added.
266         (assert):
267         (test3.get const):
268         * microbenchmarks/custom-value-2.js: Added.
269         (assert):
270         (test1.getMultiline):
271         (test1):
272         * microbenchmarks/custom-value.js: Added.
273         (assert):
274         (test1.getMultiline):
275         (test1):
276         * stress/custom-accessor-delete-1.js: Added.
277         (assert):
278         (test3.get const):
279         * stress/custom-accessor-delete-2.js: Added.
280         (assert):
281         (test4.get const):
282         * stress/custom-accessor-delete-3.js: Added.
283         (assert):
284         (test5.get const):
285         (test5.get proto):
286         * stress/custom-value-delete-property-1.js: Added.
287         (assert):
288         (test1.getMultiline):
289         (test1):
290         * stress/custom-value-delete-property-2.js: Added.
291         (test2.foo):
292         (test2):
293         * stress/custom-value-delete-property-3.js: Added.
294         (test6.foo):
295         (test6):
296
297 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
298
299         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
300         https://bugs.webkit.org/show_bug.cgi?id=202382
301         <rdar://problem/52669112>
302
303         Reviewed by Saam Barati.
304
305         * stress/compare-eq-bool-number-folding.js: Added.
306         (test):
307
308 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
309
310         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
311         https://bugs.webkit.org/show_bug.cgi?id=202330
312
313         Reviewed by Saam Barati.
314
315         * stress/to-lower-case-gc-stress.js: Added.
316
317 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
318
319         Non-standard Error properties should not be enumerable
320         https://bugs.webkit.org/show_bug.cgi?id=198975
321
322         Reviewed by Ross Kirsling.
323
324         * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
325         * microbenchmarks/let-for-in.js: Adjust test.
326         * test262/expectations.yaml: Mark 6 test cases as passing.
327
328 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
329
330         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
331         https://bugs.webkit.org/show_bug.cgi?id=202299
332         <rdar://problem/52669116>
333
334         Reviewed by Saam Barati.
335
336         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
337         (foo):
338         (test):
339         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
340         (foo):
341         (C1.prototype.baz):
342         (C1):
343         (bar):
344         (noInline.bar.goo):
345         (C2.prototype.baz):
346         (C2):
347         (test):
348
349 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
350
351         toExponential, toFixed, and toPrecision should allow arguments up to 100
352         https://bugs.webkit.org/show_bug.cgi?id=199163
353
354         Reviewed by Ross Kirsling.
355
356         * ChakraCore/test/Number/toString_3.baseline-jsc:
357         * ChakraCore/test/es5/exceptions3.baseline-jsc:
358         * test262/expectations.yaml: Mark 6 test cases as passing.
359
360 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
361
362         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the  result of the trap is undefined
363         https://bugs.webkit.org/show_bug.cgi?id=154376
364
365         Reviewed by Ross Kirsling.
366
367         Adds 2 test cases:
368         1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
369         2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
370
371         * stress/proxy-get-own-property.js:
372
373 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
374
375         [BigInt] Add ValueBitRShift into DFG
376         https://bugs.webkit.org/show_bug.cgi?id=192663
377
378         Reviewed by Robin Morisset.
379
380         * stress/big-int-right-shift-jit-osr.js: Added.
381         * stress/big-int-right-shift-jit-untyped.js: Added.
382         * stress/big-int-right-shift-jit.js: Added.
383         * stress/value-rshift-ai-rule.js: Added.
384
385 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
386
387         Array methods should throw TypeError upon attempting to modify a string
388         https://bugs.webkit.org/show_bug.cgi?id=201910
389
390         Reviewed by Keith Miller.
391
392         * stress/array-methods-should-not-modify-string.js: Added.
393
394         * mozilla/js1_6/Array/regress-304828.js:
395         Fix test. Original copy was changed similarly seven years ago:
396         https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
397
398         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
399         Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
400
401 2019-09-23  Mark Lam  <mark.lam@apple.com>
402
403         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
404         https://bugs.webkit.org/show_bug.cgi?id=202122
405         <rdar://problem/55535249>
406
407         Reviewed by Yusuke Suzuki.
408
409         * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
410
411 2019-09-23  Caio Lima  <ticaiolima@gmail.com>
412
413         Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
414         https://bugs.webkit.org/show_bug.cgi?id=202113
415
416         Unreviewed test gardening, skipped test in ARMv7 and MIPS.
417
418         It is going to be fixed in
419         https://bugs.webkit.org/show_bug.cgi?id=202041
420
421         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
422
423 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
424
425         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
426         https://bugs.webkit.org/show_bug.cgi?id=202072
427
428         Reviewed by Mark Lam.
429
430         * stress/int52rep-with-double-checks-int52-range.js: Added.
431         (shouldBe):
432         (test):
433
434 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
435
436         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
437         https://bugs.webkit.org/show_bug.cgi?id=202011
438
439         Reviewed by Mark Lam.
440
441         We are skipping this test into MIPS and ARMv7 because some of its assumptions
442         are not valid for them. The current behavior of the test in those architectures
443         is that it does not throw during `new ArrayBuffer(1000)` allocation site,
444         because eden collection keeps happening between iterations. The collection
445         is triggered on those architectures because the amount of stress 
446         `new Promise` generates into GC limits is not enough to avoid them
447         while loop is executing.
448
449         Changing the size of `UInt8Array` from `80000000` to `160000000` can
450         be an alternative fix to avoid collection happening during `ArrayBuffer`
451         allocation loop, but we can't guarantee this test is always going to execute
452         without error when Gigacage is disabled, given we can reach an OOM state in
453         some allocations that need to succeed, making this test flaky for those
454         architectures.
455
456         * stress/test-out-of-memory.js:
457
458 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
459
460         AccessCase should strongly visit its dependencies while on stack
461         https://bugs.webkit.org/show_bug.cgi?id=201986
462         <rdar://problem/55521953>
463
464         Reviewed by Saam Barati and Yusuke Suzuki.
465
466         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
467         (foo):
468         (warmup):
469
470 2019-09-20  Saam Barati  <sbarati@apple.com>
471
472         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
473
474         * stress/toctou-having-a-bad-time-new-array.js:
475
476 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
477
478         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
479         https://bugs.webkit.org/show_bug.cgi?id=202014
480
481         Reviewed by Saam Barati.
482
483         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
484         (__v0):
485
486 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
487
488         Syntax checker should report duplicate __proto__ properties
489         https://bugs.webkit.org/show_bug.cgi?id=201897
490         <rdar://problem/53201788>
491
492         Reviewed by Mark Lam.
493
494         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
495         (catch):
496
497 2019-09-18  Saam Barati  <sbarati@apple.com>
498
499         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
500         https://bugs.webkit.org/show_bug.cgi?id=201953
501         <rdar://problem/53803524>
502
503         Reviewed by Yusuke Suzuki.
504
505         * stress/toctou-having-a-bad-time-new-array.js: Added.
506         (let.code):
507
508 2019-09-18  Saam Barati  <sbarati@apple.com>
509
510         Phantom insertion phase may disagree with arguments forwarding about live ranges
511         https://bugs.webkit.org/show_bug.cgi?id=200715
512         <rdar://problem/54301717>
513
514         Reviewed by Yusuke Suzuki.
515
516         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
517         (main.v23):
518         (main.try.v43):
519         (main.):
520         (main):
521
522 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
523
524         [JSC] Generator should have internal fields
525         https://bugs.webkit.org/show_bug.cgi?id=201159
526
527         Reviewed by Keith Miller.
528
529         * stress/create-generator.js: Added.
530         (shouldBe):
531         (test.generator):
532         (test):
533         * stress/generator-construct-failure.js: Added.
534         (shouldThrow):
535         (TypeError):
536         * stress/generator-prototype-change.js: Added.
537         (shouldBe):
538         (gen):
539         * stress/generator-prototype-closure.js: Added.
540         (shouldBe):
541         (test.gen):
542         (test):
543         * stress/object-assign-fast-path.js:
544
545 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
546
547         Follow-up after String.codePointAt optimization
548         https://bugs.webkit.org/show_bug.cgi?id=201889
549
550         Reviewed by Saam Barati.
551
552         * stress/string-char-at-bad-type.js: Added.
553         (shouldBe):
554         (object.toString):
555         (test):
556         * stress/string-char-code-at-bad-type.js: Added.
557         (shouldBe):
558         (object.toString):
559         (test):
560         * stress/string-code-point-at-bad-type.js: Added.
561         (shouldBe):
562         (object.toString):
563         (test):
564
565 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
566
567         [JSC] CheckArray+NonArray is not filtering out Array in AI
568         https://bugs.webkit.org/show_bug.cgi?id=201857
569         <rdar://problem/54194820>
570
571         Reviewed by Keith Miller.
572
573         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
574         (foo):
575
576 2019-09-17  Saam Barati  <sbarati@apple.com>
577
578         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
579         https://bugs.webkit.org/show_bug.cgi?id=201853
580         <rdar://problem/53805461>
581
582         Reviewed by Yusuke Suzuki.
583
584         * stress/direct-arguments-check-array-filter-type.js: Added.
585         (foo):
586
587 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
588
589         Wasm StreamingParser should validate that number of functions matches number of declarations
590         https://bugs.webkit.org/show_bug.cgi?id=201850
591         <rdar://problem/55290186>
592
593         Reviewed by Yusuke Suzuki.
594
595         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
596         (catch):
597
598 2019-09-16  Michael Saboff  <msaboff@apple.com>
599
600         [JSC] Perform check again when we found non-BMP characters
601         https://bugs.webkit.org/show_bug.cgi?id=201647
602
603         Reviewed by Yusuke Suzuki.
604
605         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
606         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
607         (testRegExpInbounds):
608
609 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
610
611         [JSC] Add missing syntax errors for await in function parameter default expressions
612         https://bugs.webkit.org/show_bug.cgi?id=201615
613
614         Reviewed by Darin Adler.
615
616         * stress/async-await-reserved-word.js:
617         * stress/async-await-syntax.js:
618         Add test cases.
619
620         * test262/expectations.yaml:
621         Mark newly-passing test cases.
622
623 2019-09-16  Saam Barati  <sbarati@apple.com>
624
625         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
626         https://bugs.webkit.org/show_bug.cgi?id=200386
627         <rdar://problem/53854946>
628
629         Reviewed by Yusuke Suzuki.
630
631         * stress/proxy-__proto__-in-prototype-chain.js: Added.
632         * stress/proxy-property-replace-structure-transition.js: Added.
633
634 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
635
636         Date.prototype.toJSON does not execute steps 1-2
637         https://bugs.webkit.org/show_bug.cgi?id=105282
638
639         Reviewed by Ross Kirsling.
640
641         * test262/expectations.yaml: Mark 2 test cases as passing.
642
643 2019-09-12  Mark Lam  <mark.lam@apple.com>
644
645         Harden JSC against the abuse of runtime options.
646         https://bugs.webkit.org/show_bug.cgi?id=201597
647         <rdar://problem/55167068>
648
649         Reviewed by Filip Pizlo.
650
651         Remove the call to forceGCSlowPaths().  This utility function will be removed.
652         The modern way to set the required option is to use //@ requireOptions.
653
654         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
655
656 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
657
658         [JSC] Add StringCodePointAt intrinsic
659         https://bugs.webkit.org/show_bug.cgi?id=201673
660
661         Reviewed by Michael Saboff.
662
663         * stress/string-char-at-constant-index-out-of-range.js: Added.
664         (shouldBe):
665         (test):
666         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
667         (shouldBe):
668         (test):
669         * stress/string-code-point-at--out-of-range.js: Added.
670         (shouldBe):
671         (test):
672         * stress/string-code-point-at-basic.js: Added.
673         (test):
674         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
675         (shouldBe):
676         (test):
677         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
678         (shouldBe):
679         (test):
680         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
681         (shouldBe):
682         (test):
683         (breaking):
684         * stress/string-code-point-at-surrogate-pair.js: Added.
685         (shouldBe):
686         * stress/string-code-point-at.js: Added.
687         (shouldBe):
688
689 2019-09-10  Michael Saboff  <msaboff@apple.com>
690
691         JSC crashes due to stack overflow while building RegExp
692         https://bugs.webkit.org/show_bug.cgi?id=201649
693
694         Reviewed by Yusuke Suzuki.
695
696         New regression test.
697
698         * stress/regexp-bol-optimize-out-of-stack.js: Added.
699         (test):
700         (catch):
701
702 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
703
704         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
705         https://bugs.webkit.org/show_bug.cgi?id=189043
706
707         Reviewed by Keith Miller.
708
709         The offset performing the validation becomes a bit different.
710         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
711
712         * wasm/js-api/version.js:
713
714 2019-09-07  Keith Miller  <keith_miller@apple.com>
715
716         OSR entry into wasm misses some contexts
717         https://bugs.webkit.org/show_bug.cgi?id=201569
718
719         Reviewed by Yusuke Suzuki.
720
721         Add a new harness and wast and the generated wasm file for
722         testing. The idea long term is to make it easy to test by creating
723         a C file and converting it to a wast then modify that to produce a
724         test.
725
726         * wasm.yaml:
727         * wasm/wast-tests/harness.js: Added.
728         (async.runWasmFile):
729         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
730         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
731         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
732         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
733         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
734         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
735         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
736         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
737
738 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
739
740         [JSC] Promise resolve/reject functions should be created more efficiently
741         https://bugs.webkit.org/show_bug.cgi?id=201488
742
743         Reviewed by Mark Lam.
744
745         * microbenchmarks/promise-creation-many.js: Added.
746         (executor):
747
748 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
749
750         Unreviewed JSC test gardening.
751
752         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
753         This test allocates a 2GB string before it goes out and tests
754         out-of-memory exception when appending other strings to it. As such,
755         skip the test on memory-limited platforms.
756
757 2019-09-07  Mark Lam  <mark.lam@apple.com>
758
759         The jsc shell should allow disabling of the Gigacage for testing purposes.
760         https://bugs.webkit.org/show_bug.cgi?id=201579
761
762         Reviewed by Michael Saboff.
763
764         Unskip the tests now.
765
766         * stress/disable-gigacage-arrays.js:
767         * stress/disable-gigacage-strings.js:
768         * stress/disable-gigacage-typed-arrays.js:
769
770 2019-09-07  Mark Lam  <mark.lam@apple.com>
771
772         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
773
774         Not reviewed.
775
776         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
777
778         * stress/disable-gigacage-arrays.js:
779         * stress/disable-gigacage-strings.js:
780         * stress/disable-gigacage-typed-arrays.js:
781
782 2019-09-07  Mark Lam  <mark.lam@apple.com>
783
784         Gardening: speculative test fix to green bots [attempt #2].
785         https://bugs.webkit.org/show_bug.cgi?id=201529
786         <rdar://problem/53935772>
787
788         Not reviewed.
789
790         * stress/test-out-of-memory.js:
791
792 2019-09-06  Mark Lam  <mark.lam@apple.com>
793
794         Gardening: speculative test fix to green bots.
795         https://bugs.webkit.org/show_bug.cgi?id=201529
796         <rdar://problem/53935772>
797
798         Not reviewed.
799
800         * stress/test-out-of-memory.js:
801
802 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
803
804         Math.round() produces wrong result for value prior to 0.5
805         https://bugs.webkit.org/show_bug.cgi?id=185115
806
807         Reviewed by Saam Barati.
808
809         * stress/math-round-basics.js:
810         Add positive/negative test cases.
811
812         * test262/expectations.yaml:
813         Mark test passing.
814
815 2019-09-06  Mark Lam  <mark.lam@apple.com>
816
817         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
818         https://bugs.webkit.org/show_bug.cgi?id=201551
819
820         Reviewed by Tadeu Zagallo.
821
822         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
823
824         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
825         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
826
827 2019-09-06  Mark Lam  <mark.lam@apple.com>
828
829         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
830         https://bugs.webkit.org/show_bug.cgi?id=201529
831         <rdar://problem/53935772>
832
833         Reviewed by Yusuke Suzuki.
834
835         * stress/test-out-of-memory.js: Added.
836
837 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
838
839         LazyClassStructure::setConstructor should not store the constructor to the global object
840         https://bugs.webkit.org/show_bug.cgi?id=201484
841         <rdar://problem/50400451>
842
843         Reviewed by Yusuke Suzuki.
844
845         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
846
847 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
848
849         [JSC] Do not use FTLOutput::weakPointer directly
850         https://bugs.webkit.org/show_bug.cgi?id=201495
851
852         Reviewed by Filip Pizlo.
853
854         * stress/create-promise-weak-pointer.js: Added.
855         (foo):
856
857 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
858
859         [JSC] Make Promise implementation faster
860         https://bugs.webkit.org/show_bug.cgi?id=200898
861
862         Reviewed by Saam Barati.
863
864         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
865         (assert.assert.return.throws):
866         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
867         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
868         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
869         (shouldThrow):
870         (new.Promise):
871         (shouldThrow.Promise):
872         * stress/create-promise-should-respect-promise-realm.js: Added.
873         (shouldBe):
874         (other.new.OtherPromise):
875         (DerivedOtherPromise):
876         (i.promise.new.DerivedOtherPromise):
877         (createPromise):
878         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
879         (shouldBe):
880         (DerivedPromise):
881         (i.array.push.new.DerivedPromise):
882         (promise.new.DerivedPromise):
883         * stress/derived-promise-constructor-inlined.js: Added.
884         (shouldBe):
885         (DerivedPromise):
886         (i.array.push.new.DerivedPromise):
887         (DerivedPromise.all.array.then):
888         * stress/derived-promise-prototype-replaced.js: Added.
889         (shouldBe):
890         (DerivedPromise):
891         (i.array.push.new.DerivedPromise):
892         (promise.new.DerivedPromise):
893         * stress/internal-promise-constructor-not-confusing.js: Added.
894         (shouldBe):
895         (InternalPromise.vm.createBuiltin):
896         (DerivedPromise):
897         * stress/internal-promise-is-not-exposed.js: Added.
898         (shouldBe):
899         * stress/new-promise-should-respect-promise-realm.js: Added.
900         (shouldBe):
901         (other.new.OtherPromise):
902         (createPromise):
903         * stress/promise-cannot-be-called.js:
904         (shouldThrow):
905         * stress/promise-capability-fast-path.js: Added.
906         (shouldBe):
907         (i.array.push.new.Promise):
908         (i.array.i.then):
909         * stress/promise-capability-slow-path.js: Added.
910         (shouldBe):
911         (Promise.prototype.then):
912         (i.array.push.new.Promise):
913         (i.array.i.then):
914         * stress/promise-capability-then-slow-path.js: Added.
915         (shouldBe):
916         (DerivedPromise):
917         (DerivedPromise.prototype.then):
918         (i.array.push.new.DerivedPromise):
919         (i.array.i.then):
920         * stress/promise-constructor-inlined.js: Added.
921         (shouldBe):
922         (i.array.push.new.Promise):
923         (Promise.all.array.then):
924         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
925         (shouldBe):
926         (DerivedPromise):
927         (DerivedPromise2):
928         (i.array.push.new.DerivedPromise):
929         (i.array2.push.new.DerivedPromise2):
930         * stress/without-promise-functions.js: Added.
931         (shouldBe):
932         (async):
933
934 2019-09-03  Mark Lam  <mark.lam@apple.com>
935
936         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
937         https://bugs.webkit.org/show_bug.cgi?id=201309
938         <rdar://problem/54832121>
939
940         Reviewed by Yusuke Suzuki.
941
942         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
943
944 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
945
946         [JSC] Generate new.target register only when it is used
947         https://bugs.webkit.org/show_bug.cgi?id=201335
948
949         Reviewed by Mark Lam.
950
951         * stress/ensure-new-register-allocated.js: Added.
952         (shouldBe):
953         (basic):
954         (arrow):
955         (Base):
956         (Derived):
957         (evaluate):
958
959 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
960
961         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
962         https://bugs.webkit.org/show_bug.cgi?id=201331
963
964         Reviewed by Mark Lam.
965
966         * stress/simple-jump-table-copy.js: Added.
967         (let.code):
968         (g2):
969
970 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
971
972         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
973         https://bugs.webkit.org/show_bug.cgi?id=201332
974
975         Reviewed by Mark Lam.
976
977         This test is very flaky, it is hard to reproduce.
978
979         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
980         (code):
981
982 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
983
984         [JSC] Repatch should construct CallCases and CasesValue at the same time
985         https://bugs.webkit.org/show_bug.cgi?id=201325
986
987         Reviewed by Saam Barati.
988
989         * stress/repatch-switch.js: Added.
990         (main.f2.f0):
991         (main.f2.f3):
992         (main.f2.f1):
993         (main.f2):
994         (main):
995
996 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
997
998         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
999         https://bugs.webkit.org/show_bug.cgi?id=198650
1000
1001         Reviewed by Saam Barati.
1002
1003         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
1004         (main.v0):
1005         (main):
1006
1007 2019-08-28  Mark Lam  <mark.lam@apple.com>
1008
1009         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1010         https://bugs.webkit.org/show_bug.cgi?id=201281
1011         <rdar://problem/54028228>
1012
1013         Reviewed by Yusuke Suzuki and Saam Barati.
1014
1015         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
1016
1017 2019-08-28  Mark Lam  <mark.lam@apple.com>
1018
1019         Placate exception check validation in DFG's operationHasGenericProperty().
1020         https://bugs.webkit.org/show_bug.cgi?id=201245
1021         <rdar://problem/54777512>
1022
1023         Reviewed by Robin Morisset.
1024
1025         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
1026
1027 2019-08-27  Mark Lam  <mark.lam@apple.com>
1028
1029         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
1030         https://bugs.webkit.org/show_bug.cgi?id=201196
1031         <rdar://problem/54703775>
1032
1033         Reviewed by Yusuke Suzuki.
1034
1035         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
1036
1037 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
1038
1039         [JSC] Ensure x?.y ?? z is fast
1040         https://bugs.webkit.org/show_bug.cgi?id=200875
1041
1042         Reviewed by Yusuke Suzuki.
1043
1044         * stress/nullish-coalescing.js:
1045
1046 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
1047
1048         Remove MaximalFlushInsertionPhase
1049         https://bugs.webkit.org/show_bug.cgi?id=201036
1050
1051         Reviewed by Saam Barati.
1052
1053         Remove all the references to maximal flush
1054
1055         * stress/arith-ceil-on-various-types.js:
1056         (checkCompileCountForUselessNegativeZero):
1057         * stress/arith-floor-on-various-types.js:
1058         (checkCompileCountForUselessNegativeZero):
1059         * stress/arith-negate-on-various-types.js:
1060         (checkCompileCountForUselessNegativeZero):
1061         * stress/arith-round-on-various-types.js:
1062         (checkCompileCountForUselessNegativeZero):
1063         * stress/arith-trunc-on-various-types.js:
1064         (checkCompileCountForUselessNegativeZero):
1065         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
1066         * stress/has-indexed-property-should-accept-non-int32.js:
1067         * stress/has-indexed-property-with-worsening-array-mode.js:
1068         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
1069         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
1070         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1071         * stress/rest-parameter-many-arguments.js:
1072         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
1073         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
1074         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
1075
1076 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
1077
1078         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
1079         https://bugs.webkit.org/show_bug.cgi?id=200952
1080
1081         Reviewed by Saam Barati.
1082
1083         * wasm/references/func_ref.js:
1084         (assert.throws):
1085
1086 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
1087
1088         Add missing exception check in canonicalizeLocaleList
1089         https://bugs.webkit.org/show_bug.cgi?id=201021
1090
1091         Reviewed by Mark Lam.
1092
1093         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
1094         (catch):
1095
1096 2019-08-21  Mark Lam  <mark.lam@apple.com>
1097
1098         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
1099         https://bugs.webkit.org/show_bug.cgi?id=201016
1100         <rdar://problem/54579911>
1101
1102         Reviewed by Yusuke Suzuki.
1103
1104         * wasm/stress/too-many-locals.js: Added.
1105         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
1106
1107 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
1108
1109         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
1110         https://bugs.webkit.org/show_bug.cgi?id=200965
1111
1112         Reviewed by Saam Barati.
1113
1114         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
1115         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
1116
1117         * stress/optional-chaining.js:
1118
1119 2019-08-21  Michael Saboff  <msaboff@apple.com>
1120
1121         [JSC] incorrent JIT lead to StackOverflow
1122         https://bugs.webkit.org/show_bug.cgi?id=197823
1123
1124         Reviewed by Tadeu Zagallo.
1125
1126         New test.
1127
1128         * stress/bound-function-stack-overflow.js: Added.
1129         (foo):
1130         (catch):
1131
1132 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1133
1134         Identify memcpy loops in b3
1135         https://bugs.webkit.org/show_bug.cgi?id=200181
1136
1137         Reviewed by Saam Barati.
1138
1139         * microbenchmarks/memcpy-loop.js: Added.
1140         (doTest):
1141         (let.arr1):
1142         * microbenchmarks/memcpy-typed-loop-large.js: Added.
1143         (doTest):
1144         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
1145         (arr2):
1146         * microbenchmarks/memcpy-typed-loop-small.js: Added.
1147         (doTest):
1148         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1149         (16.arr2):
1150         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
1151         (doTest):
1152         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
1153         (arr2):
1154         * microbenchmarks/memcpy-wasm-large.js: Added.
1155         (typeof.WebAssembly.string_appeared_here.eq):
1156         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1157         * microbenchmarks/memcpy-wasm-medium.js: Added.
1158         (typeof.WebAssembly.string_appeared_here.eq):
1159         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1160         * microbenchmarks/memcpy-wasm-small.js: Added.
1161         (typeof.WebAssembly.string_appeared_here.eq):
1162         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1163         * microbenchmarks/memcpy-wasm.js: Added.
1164         (typeof.WebAssembly.string_appeared_here.eq):
1165         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1166         * stress/memcpy-typed-loops.js: Added.
1167         (noLoop):
1168         (invalidStart):
1169         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1170         (arr2):
1171         * wasm/function-tests/memcpy-wasm-loop.js: Added.
1172         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
1173         (string_appeared_here):
1174
1175 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
1176
1177         [JSC] Array.prototype.toString should not get "join" function each time
1178         https://bugs.webkit.org/show_bug.cgi?id=200905
1179
1180         Reviewed by Mark Lam.
1181
1182         * stress/array-prototype-join-change.js: Added.
1183         (shouldBe):
1184         (array2.join):
1185         (DerivedArray):
1186         (DerivedArray.prototype.join):
1187         (array3.__proto__.join):
1188         (Array.prototype.join):
1189
1190 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1191
1192         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1193         https://bugs.webkit.org/show_bug.cgi?id=200782
1194
1195         Reviewed by Saam Barati.
1196
1197         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
1198
1199         * microbenchmarks/memcpy-typed-loop.js:
1200         * stress/int8-repeat-in-then-out-of-bounds.js:
1201
1202 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1203
1204         Proxy constructor should throw if handler is revoked Proxy
1205         https://bugs.webkit.org/show_bug.cgi?id=198755
1206
1207         Reviewed by Saam Barati.
1208
1209         * stress/proxy-revoke.js: Adjust error message.
1210         * test262/expectations.yaml: Mark 2 test cases as passing.
1211
1212 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1213
1214         [JSC] OSR entry to Wasm OMG
1215         https://bugs.webkit.org/show_bug.cgi?id=200362
1216
1217         Reviewed by Michael Saboff.
1218
1219         * wasm/stress/osr-entry-basic.js: Added.
1220         (instance.exports.loop):
1221         * wasm/stress/osr-entry-many-locals-f32.js: Added.
1222         * wasm/stress/osr-entry-many-locals-f64.js: Added.
1223         * wasm/stress/osr-entry-many-locals-i32.js: Added.
1224         * wasm/stress/osr-entry-many-locals-i64.js: Added.
1225         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
1226         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
1227         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
1228         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
1229
1230 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1231
1232         Date.prototype.toJSON throws if toISOString returns an object
1233         https://bugs.webkit.org/show_bug.cgi?id=198495
1234
1235         Reviewed by Ross Kirsling.
1236
1237         * test262/expectations.yaml: Mark 6 test cases as passing.
1238
1239 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1240
1241         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
1242         https://bugs.webkit.org/show_bug.cgi?id=200899
1243         <rdar://problem/54073341>
1244
1245         Reviewed by Mark Lam.
1246
1247         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
1248         (i.new.Promise):
1249         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
1250         (i.new.Promise):
1251
1252 2019-08-19  Michael Saboff  <msaboff@apple.com>
1253
1254         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
1255         https://bugs.webkit.org/show_bug.cgi?id=197090
1256
1257         Reviewed by Yusuke Suzuki.
1258
1259         New test.
1260
1261         * stress/regexp-nonconsuming-counted-parens.js: Added.
1262
1263 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
1264
1265         [JSC] Correct a->an in error messages and API docblocks
1266         https://bugs.webkit.org/show_bug.cgi?id=200833
1267
1268         Reviewed by Don Olmstead.
1269
1270         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1271         (assert.assert.return.throws):
1272         * stress/promise-finally-should-accept-non-promise-objects.js:
1273         * wasm/js-api/table.js:
1274         (assert.throws):
1275
1276 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1277
1278         [ESNext] Implement optional chaining
1279         https://bugs.webkit.org/show_bug.cgi?id=200199
1280
1281         Reviewed by Yusuke Suzuki.
1282
1283         * stress/nullish-coalescing.js:
1284         * stress/optional-chaining.js: Added.
1285         * stress/tail-call-recognize.js:
1286
1287 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1288
1289         [ESNext] Support hashbang.
1290         https://bugs.webkit.org/show_bug.cgi?id=200865
1291
1292         Reviewed by Mark Lam.
1293
1294         * stress/hashbang.js: Added.
1295         * test262/expectations.yaml: Mark 6 cases as passing.
1296
1297 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
1298
1299         [JSC] DFG ToNumber should support Boolean in fixup
1300         https://bugs.webkit.org/show_bug.cgi?id=200864
1301
1302         Reviewed by Mark Lam.
1303
1304         * microbenchmarks/to-number-boolean.js: Added.
1305         (test):
1306         * stress/to-number-boolean-int32.js: Added.
1307         (shouldBe):
1308         (test):
1309         (check):
1310         * stress/to-number-boolean.js: Added.
1311         (shouldBe):
1312         (test):
1313         (check):
1314         * stress/to-number-int32.js: Added.
1315         (shouldBe):
1316         (test):
1317         (check):
1318
1319 2019-08-16  Mark Lam  <mark.lam@apple.com>
1320
1321         More missing exception checks in string comparison operators.
1322         https://bugs.webkit.org/show_bug.cgi?id=200844
1323         <rdar://problem/54378684>
1324
1325         Reviewed by Saam Barati.
1326
1327         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
1328         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
1329         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
1330         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
1331
1332 2019-08-16  Mark Lam  <mark.lam@apple.com>
1333
1334         CodeBlock destructor should clear all of its watchpoints.
1335         https://bugs.webkit.org/show_bug.cgi?id=200792
1336         <rdar://problem/53947800>
1337
1338         Reviewed by Yusuke Suzuki.
1339
1340         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
1341
1342 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
1343
1344         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1345         https://bugs.webkit.org/show_bug.cgi?id=200782
1346
1347         Reviewed by Saam Barati.
1348
1349         * microbenchmarks/int8-out-of-bounds.js: Added.
1350         (foo):
1351         * microbenchmarks/memcpy-typed-loop.js: Added.
1352         (doTest):
1353         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
1354         (arr2):
1355         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
1356         (foo):
1357
1358 2019-08-16  Mark Lam  <mark.lam@apple.com>
1359
1360         [Re-land] ProxyObject should not be allow to access its target's private properties.
1361         https://bugs.webkit.org/show_bug.cgi?id=200739
1362         <rdar://problem/53972768>
1363
1364         Reviewed by Yusuke Suzuki.
1365
1366         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
1367         * stress/proxy-with-private-symbols.js:
1368
1369 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
1370
1371         [JSC] Promise.prototype.finally should accept non-promise objects
1372         https://bugs.webkit.org/show_bug.cgi?id=200829
1373
1374         Reviewed by Mark Lam.
1375
1376         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
1377         (shouldBe):
1378         (Thenable):
1379         (Thenable.prototype.then):
1380
1381 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
1382
1383         Promise constructor should check argument before [[Construct]]
1384         https://bugs.webkit.org/show_bug.cgi?id=198976
1385
1386         Reviewed by Ross Kirsling.
1387
1388         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
1389         * stress/create-subclass-structure-might-throw.js: Fix test.
1390         * test262/expectations.yaml: Mark 2 test cases as passing.
1391
1392 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
1393
1394         Unreviewed, rolling out r248709.
1395
1396         Caused test/built-ins/Promise/prototype/finally/this-value-
1397         non-promise.js to fail on test262 bot
1398
1399         Reverted changeset:
1400
1401         "ProxyObject should not be allow to access its target's
1402         private properties."
1403         https://bugs.webkit.org/show_bug.cgi?id=200739
1404         https://trac.webkit.org/changeset/248709
1405
1406 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1407
1408         DateConversion::formatDateTime incorrectly formats negative years
1409         https://bugs.webkit.org/show_bug.cgi?id=199964
1410
1411         Reviewed by Ross Kirsling.
1412
1413         * test262/expectations.yaml: Mark 6 test cases as passing.
1414
1415 2019-08-15  Mark Lam  <mark.lam@apple.com>
1416
1417         More missing exception checks in String.prototype.
1418         https://bugs.webkit.org/show_bug.cgi?id=200762
1419         <rdar://problem/54333896>
1420
1421         Reviewed by Michael Saboff.
1422
1423         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1424         * stress/missing-exception-check-in-string-toLower.js: Added.
1425         * stress/missing-exception-check-in-string-toUpper.js: Added.
1426
1427 2019-08-14  Mark Lam  <mark.lam@apple.com>
1428
1429         ProxyObject should not be allow to access its target's private properties.
1430         https://bugs.webkit.org/show_bug.cgi?id=200739
1431         <rdar://problem/53972768>
1432
1433         Reviewed by Yusuke Suzuki.
1434
1435         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1436         * stress/proxy-with-private-symbols.js: Rebased.
1437
1438 2019-08-14  Mark Lam  <mark.lam@apple.com>
1439
1440         Missing exception check in string compare.
1441         https://bugs.webkit.org/show_bug.cgi?id=200743
1442         <rdar://problem/53975356>
1443
1444         Reviewed by Michael Saboff.
1445
1446         * stress/missing-exception-check-in-string-compare.js: Added.
1447
1448 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1449
1450         [JSC] Add "jump if (not) undefined or null" bytecode ops
1451         https://bugs.webkit.org/show_bug.cgi?id=200480
1452
1453         Reviewed by Saam Barati.
1454
1455         * stress/destructuring-assignment-require-object-coercible.js:
1456         * stress/nullish-coalescing.js:
1457
1458 2019-08-05  Michael Saboff  <msaboff@apple.com>
1459
1460         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1461         https://bugs.webkit.org/show_bug.cgi?id=199997
1462
1463         Reviewed by Saam Barati.
1464
1465         New test.
1466
1467         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1468         (checkIntArray):
1469         (checkFloatArray):
1470
1471 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1472
1473         [JSC] Support WebAssembly in SamplingProfiler
1474         https://bugs.webkit.org/show_bug.cgi?id=200329
1475
1476         Reviewed by Saam Barati.
1477
1478         * stress/sampling-profiler-wasm-name-section.js: Added.
1479         (const.compile):
1480         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1481         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1482         * stress/sampling-profiler-wasm.js: Added.
1483         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1484         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1485         * stress/sampling-profiler/loop.wasm: Added.
1486         * stress/sampling-profiler/loop.wast: Added.
1487         * stress/sampling-profiler/nameSection.wasm: Added.
1488
1489 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1490
1491         [JSC] LazyJSValue should be robust for empty JSValue
1492         https://bugs.webkit.org/show_bug.cgi?id=200388
1493
1494         Reviewed by Saam Barati.
1495
1496         * stress/switch-constant-child-becomes-empty.js: Added.
1497         (foo):
1498
1499 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1500
1501         GetterSetter type confusion during DFG compilation
1502         https://bugs.webkit.org/show_bug.cgi?id=199903
1503
1504         Reviewed by Mark Lam.
1505
1506         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1507
1508 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1509
1510         Update Test262 (2019.08.01)
1511         https://bugs.webkit.org/show_bug.cgi?id=200351
1512
1513         Reviewed by Keith Miller.
1514
1515         * test262/expectations.yaml:
1516         * test262/harness/testIntl.js:
1517         * test262/latest-changes-summary.txt:
1518         * test262/test/:
1519         * test262/test262-Revision.txt:
1520
1521 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1522
1523         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1524         https://bugs.webkit.org/show_bug.cgi?id=200192
1525
1526         Reviewed by Saam Barati.
1527
1528         * stress/structure-chain-stress.js: Added.
1529         (keys):
1530
1531 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1532
1533         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1534         https://bugs.webkit.org/show_bug.cgi?id=200196
1535
1536         Reviewed by Robin Morisset.
1537
1538         * stress/reparsing-unlinked-codeblock.js:
1539
1540 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1541
1542         [X86] Emit BT instruction for shift + mask in B3
1543         https://bugs.webkit.org/show_bug.cgi?id=199891
1544
1545         Reviewed by Robin Morisset.
1546
1547         Lower the number of iterations to fix debug timeouts.
1548
1549         * microbenchmarks/bit-test-load.js:
1550         (i):
1551
1552 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1553
1554         [X86] Emit BT instruction for shift + mask in B3
1555         https://bugs.webkit.org/show_bug.cgi?id=199891
1556
1557         Reviewed by Keith Miller.
1558
1559         * microbenchmarks/bit-test-constant.js: Added.
1560         (let.glob.0.doTest):
1561         * microbenchmarks/bit-test-load.js: Added.
1562         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1563         (i):
1564         * microbenchmarks/bit-test-nonconstant.js: Added.
1565         (let.glob.0.doTest):
1566
1567 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1568
1569         [JSC] Potential GC fix for JSPropertyNameEnumerator
1570         https://bugs.webkit.org/show_bug.cgi?id=200151
1571
1572         Reviewed by Mark Lam.
1573
1574         * stress/for-in-stress.js: Added.
1575         (keys):
1576
1577 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1578
1579         Legacy numeric literals should not permit separators or BigInt
1580         https://bugs.webkit.org/show_bug.cgi?id=199984
1581
1582         Reviewed by Keith Miller.
1583
1584         * stress/big-int-literals.js:
1585         * stress/numeric-literal-separators.js:
1586
1587 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1588
1589         [ESNext] Implement nullish coalescing
1590         https://bugs.webkit.org/show_bug.cgi?id=200072
1591
1592         Reviewed by Darin Adler.
1593
1594         * stress/nullish-coalescing.js: Added.
1595
1596 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1597
1598         Three checks are missing in Proxy internal methods
1599         https://bugs.webkit.org/show_bug.cgi?id=198630
1600
1601         Reviewed by Darin Adler.
1602
1603         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1604         * test262/expectations.yaml: Mark 6 test cases as passing.
1605
1606 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1607
1608         Sometimes we miss removable CheckInBounds
1609         https://bugs.webkit.org/show_bug.cgi?id=200018
1610
1611         Reviewed by Saam Barati.
1612
1613         * microbenchmarks/typed-array-sum.js: Added.
1614         (doTest):
1615
1616 2019-07-16  Mark Lam  <mark.lam@apple.com>
1617
1618         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1619         https://bugs.webkit.org/show_bug.cgi?id=199821
1620         <rdar://problem/52452328>
1621
1622         Reviewed by Filip Pizlo.
1623
1624         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1625
1626 2019-07-16  Keith Miller  <keith_miller@apple.com>
1627
1628         Unreviewed, test262 gardening.
1629
1630         * test262/expectations.yaml:
1631
1632 2019-07-15  Keith Miller  <keith_miller@apple.com>
1633
1634         A Possible Issue of Object.create method
1635         https://bugs.webkit.org/show_bug.cgi?id=199744
1636
1637         Reviewed by Yusuke Suzuki.
1638
1639         * stress/object-create-non-object-properties-parameter.js: Added.
1640         (catch):
1641
1642 2019-07-15  Keith Miller  <keith_miller@apple.com>
1643
1644         Update test262
1645         https://bugs.webkit.org/show_bug.cgi?id=199801
1646
1647         Rubber-stamped by Yusuke Suzuki.
1648
1649         * test262/expectations.yaml:
1650         * test262/latest-changes-summary.txt:
1651         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1652         (fg.new.FinalizationGroup):
1653         (callback):
1654         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1655         (fg.new.FinalizationGroup):
1656         (callback):
1657         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1658         (fg.new.FinalizationGroup):
1659         (callback):
1660         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1661         (fg.new.FinalizationGroup):
1662         (callback):
1663         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1664         (fg.new.FinalizationGroup):
1665         (callback):
1666         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1667         (fg.new.FinalizationGroup):
1668         (callback):
1669         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1670         (fg.new.FinalizationGroup):
1671         (callback):
1672         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1673         (callback):
1674         (fg.new.FinalizationGroup):
1675         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1676         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1677         (cb):
1678         (fg.new.FinalizationGroup):
1679         (emptyCells):
1680         (async.fn):
1681         (fn.then.async):
1682         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1683         (fg.new.FinalizationGroup):
1684         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1685         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1686         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1687         (newTarget):
1688         (fn):
1689         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1690         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1691         (fn):
1692         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1693         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1694         (newTarget):
1695         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1696         (newTarget):
1697         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1698         (fg.new.FinalizationGroup):
1699         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1700         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1701         (callback):
1702         (fg.new.FinalizationGroup):
1703         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1704         (fg.new.FinalizationGroup):
1705         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1706         (cb):
1707         (fg.new.FinalizationGroup):
1708         (emptyCells):
1709         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1710         (fg.new.FinalizationGroup):
1711         (fg.cleanupSome.cb):
1712         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1713         (callback):
1714         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1715         (fn):
1716         (cb):
1717         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1718         (cb):
1719         (fg.new.FinalizationGroup):
1720         (emptyCells):
1721         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1722         (fg.new.FinalizationGroup):
1723         (callback):
1724         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1725         (fg.new.FinalizationGroup):
1726         (callback):
1727         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1728         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1729         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1730         (poisoned):
1731         (fg.new.FinalizationGroup):
1732         (emptyCells):
1733         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1734         (poisoned):
1735         (emptyCells):
1736         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1737         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1738         (fn):
1739         (cb):
1740         (emptyCells):
1741         (prototype.assert.sameValue.fg.cleanupSome):
1742         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1743         (fn):
1744         (cb):
1745         (poisoned):
1746         (assert.sameValue.fg.cleanupSome):
1747         (prototype.assert.sameValue.fg.cleanupSome):
1748         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1749         (cb):
1750         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1751         (cb):
1752         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1753         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1754         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1755         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1756         (fn):
1757         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1758         (fn):
1759         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1760         (fg.new.FinalizationGroup):
1761         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1762         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1763         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1764         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1765         (fn):
1766         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1767         (fn):
1768         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1769         (fg.new.FinalizationGroup):
1770         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1771         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1772         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1773         (fg.new.FinalizationGroup):
1774         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1775         (fg.new.FinalizationGroup):
1776         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1777         (fg.new.FinalizationGroup):
1778         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1779         (fg.new.FinalizationGroup):
1780         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1781         (fn):
1782         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1783         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1784         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1785         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1786         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1787         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1788         (fn):
1789         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1790         (fg.new.FinalizationGroup):
1791         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1792         (cleanupCallback):
1793         (let.key.of.Object.getOwnPropertyNames):
1794         (set for):
1795         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1796         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1797         (FinalizationGroup):
1798         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1799         (cleanupCallback):
1800         (let.key.of.Object.getOwnPropertyNames):
1801         (set for):
1802         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1803         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1804         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1805         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1806         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1807         (asyncProxy.new.Proxy.async):
1808         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1809         (asyncProxy.new.Proxy.async):
1810         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1811         (setIter.set Symbol):
1812         (set defaultTag):
1813         (gen):
1814         (get return):
1815         (set new):
1816         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1817         (generatorProxy.new.Proxy):
1818         (asyncProxy.new.Proxy.async):
1819         * test262/test/built-ins/Object/subclass-object-arg.js:
1820         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1821         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1822         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1823         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1824         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1825         * test262/test/built-ins/Promise/executor-function-name.js:
1826         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1827         * test262/test/built-ins/Promise/reject-function-name.js:
1828         * test262/test/built-ins/Promise/resolve-function-name.js:
1829         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1830         * test262/test/built-ins/WeakRef/constructor.js: Added.
1831         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1832         * test262/test/built-ins/WeakRef/length.js: Added.
1833         * test262/test/built-ins/WeakRef/name.js: Added.
1834         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1835         (newTarget):
1836         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1837         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1838         * test262/test/built-ins/WeakRef/proto.js: Added.
1839         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1840         (newTarget):
1841         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1842         (newTarget):
1843         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1844         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1845         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1846         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1847         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1848         (emptyCells):
1849         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1850         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1851         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1852         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1853         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1854         (fg.new.FinalizationGroup):
1855         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1856         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1857         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1858         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1859         (let.key.of.Object.getOwnPropertyNames):
1860         (set for):
1861         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1862         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1863         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1864         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1865         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1866         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1867         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1868         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1869         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1870         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1871         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1872         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1873         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1874         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1875         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1876         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1877         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1878         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1879         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1880         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1881         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1882         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1883         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1884         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1885         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1886         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1887         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1888         (assertParts):
1889         (assertPartsNumeric):
1890         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1891         (assertParts):
1892         (assertPartsNumeric):
1893         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1894         (assertParts):
1895         (assertPartsNumeric):
1896         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1897         (assertParts):
1898         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1899         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1900         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1901         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1902         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1903         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1904         (C.prototype.method):
1905         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1906         (C.prototype.method.innerFunction):
1907         (C.prototype.method):
1908         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1909         (C):
1910         (C.method):
1911         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1912         (C):
1913         (C.method.innerFunction):
1914         (C.method):
1915         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1916         (C):
1917         (C.checkPrivateGetter):
1918         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1919         (C):
1920         (C.method):
1921         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1922         (C):
1923         (C.method.innerFunction):
1924         (C.method):
1925         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1926         (C):
1927         (C.checkPrivateMethod):
1928         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1929         (C):
1930         (C.method):
1931         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1932         (C):
1933         (C.method.innerFunction):
1934         (C.method):
1935         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1936         (C):
1937         (C.checkPrivateSetter):
1938         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1939         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1940         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1941         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1942         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1943         (let.classStringExpression):
1944         (let.classStringExpression.access):
1945         (let.createAndInstantiateClass):
1946         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1947         (let.classStringExpression):
1948         (let.classStringExpression.access):
1949         (let.createAndInstantiateClass):
1950         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1951         (const.C):
1952         (let.createAndInstantiateClass):
1953         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1954         (let.classStringExpression.return.prototype.m):
1955         (let.classStringExpression.return.prototype.access):
1956         (let.createAndInstantiateClass):
1957         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1958         (let.classStringExpression.return.prototype.m):
1959         (let.classStringExpression.return.prototype.access):
1960         (let.createAndInstantiateClass):
1961         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1962         (let.classStringExpression):
1963         (let.classStringExpression.access):
1964         (let.createAndInstantiateClass):
1965         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1966         (let.classStringExpression.prototype.m):
1967         (let.classStringExpression.prototype.access):
1968         (let.classStringExpression):
1969         (let.createAndInstantiateClass):
1970         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1971         (let.classStringExpression.prototype.m):
1972         (let.classStringExpression.prototype.access):
1973         (let.classStringExpression):
1974         (let.createAndInstantiateClass):
1975         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1976         (const.C):
1977         (let.createAndInstantiateClass):
1978         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1979         (let.classStringExpression.return.C.prototype.m):
1980         (let.classStringExpression.return.C.prototype.access):
1981         (let.classStringExpression.return.C):
1982         (let.createAndInstantiateClass):
1983         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1984         (let.classStringExpression.return.C.prototype.m):
1985         (let.classStringExpression.return.C.prototype.access):
1986         (let.classStringExpression.return.C):
1987         (let.createAndInstantiateClass):
1988         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1989         (let.classStringExpression):
1990         (let.classStringExpression.access):
1991         (let.createAndInstantiateClass):
1992         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1993         (let.classStringExpression):
1994         (let.classStringExpression.access):
1995         (let.createAndInstantiateClass):
1996         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1997         (let.classStringExpression):
1998         (let.classStringExpression.access):
1999         (let.createAndInstantiateClass):
2000         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2001         (const.C):
2002         (let.createAndInstantiateClass):
2003         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2004         (let.classStringExpression.return.prototype.m):
2005         (let.classStringExpression.return.prototype.access):
2006         (let.createAndInstantiateClass):
2007         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2008         (let.classStringExpression.return.prototype.m):
2009         (let.classStringExpression.return.prototype.access):
2010         (let.createAndInstantiateClass):
2011         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2012         (let.classStringExpression):
2013         (let.classStringExpression.access):
2014         (let.createAndInstantiateClass):
2015         * test262/test/language/expressions/new.target/unary-expr.js: Added.
2016         (new):
2017         (async):
2018         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
2019         (A):
2020         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
2021         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
2022         * test262/test/language/identifiers/vals-cjk.js: Added.
2023         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
2024         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
2025         (C.prototype.method):
2026         (C):
2027         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
2028         (C.prototype.method.innerFunction):
2029         (C.prototype.method):
2030         (C):
2031         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
2032         (C.prototype.checkPrivateField):
2033         (C):
2034         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
2035         (C):
2036         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
2037         (C.prototype.getWithEval):
2038         (C):
2039         (D):
2040         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
2041         (C.prototype.get m):
2042         (C.prototype.method):
2043         (C):
2044         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
2045         (C.prototype.get m):
2046         (C.prototype.method.innerFunction):
2047         (C.prototype.method):
2048         (C):
2049         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
2050         (let.createAndInstantiateClass):
2051         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
2052         (C.prototype.get m):
2053         (C.prototype.checkPrivateGetter):
2054         (C):
2055         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
2056         (C.prototype.get m):
2057         (C.prototype.checkPrivateGetter):
2058         (C):
2059         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
2060         (C.prototype.get m):
2061         (C):
2062         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
2063         (C.prototype.get m):
2064         (C.prototype.getWithEval):
2065         (C):
2066         (D.prototype.get m):
2067         (D):
2068         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
2069         (C.prototype.m):
2070         (C.prototype.method):
2071         (C):
2072         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
2073         (C.prototype.m):
2074         (C.prototype.method.innerFunction):
2075         (C.prototype.method):
2076         (C):
2077         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
2078         (C.prototype.m):
2079         (C.prototype.checkPrivateMethod):
2080         (C):
2081         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
2082         (C.prototype.m):
2083         (C.prototype.checkPrivateMethod):
2084         (C):
2085         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
2086         (C.prototype.m):
2087         (C):
2088         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
2089         (C.prototype.m):
2090         (C.prototype.getWithEval):
2091         (C):
2092         (D.prototype.m):
2093         (D):
2094         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
2095         (C.prototype.set m):
2096         (C.prototype.method):
2097         (C):
2098         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
2099         (C.prototype.set m):
2100         (C.prototype.method.innerFunction):
2101         (C.prototype.method):
2102         (C):
2103         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
2104         (C.prototype.set m):
2105         (C.prototype.checkPrivateSetter):
2106         (C):
2107         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
2108         (C.prototype.set m):
2109         (C.prototype.checkPrivateSetter):
2110         (C):
2111         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
2112         (C.prototype.set m):
2113         (C):
2114         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
2115         (C.prototype.set m):
2116         (C.prototype.setWithEval):
2117         (C):
2118         (D.prototype.set m):
2119         (D):
2120         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2121         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2122         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2123         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
2124         (A.prototype.method):
2125         (A):
2126         (C.prototype.get m):
2127         (C.prototype.access):
2128         (C):
2129         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
2130         (A.prototype.method):
2131         (A):
2132         (C.prototype.m):
2133         (C.prototype.access):
2134         (C):
2135         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
2136         (A.prototype.method):
2137         (A):
2138         (C.prototype.set m):
2139         (C.prototype.access):
2140         (C):
2141         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
2142         (A):
2143         * test262/test/language/statements/function/13.2-30-s.js:
2144         * test262/test262-Revision.txt:
2145
2146 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2147
2148         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2149         https://bugs.webkit.org/show_bug.cgi?id=199783
2150
2151         Reviewed by Mark Lam.
2152
2153         Fix our spec tests.
2154
2155         * wasm/js-api/Module-compile.js:
2156         * wasm/js-api/test_basic_api.js:
2157         (const.c.in.constructorProperties.switch):
2158         * wasm/js-api/validate.js:
2159         * wasm/js-api/web-assembly-instantiate.js:
2160         * wasm/spec-tests/jsapi.js:
2161         (testJSAPI.get test):
2162         (testJSAPI.set test):
2163
2164 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2165
2166         Unreviewed, rolling out r247440.
2167
2168         Broke builds
2169
2170         Reverted changeset:
2171
2172         "[JSC] Improve wasm wpt test results by fixing miscellaneous
2173         issues"
2174         https://bugs.webkit.org/show_bug.cgi?id=199783
2175         https://trac.webkit.org/changeset/247440
2176
2177 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2178
2179         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2180         https://bugs.webkit.org/show_bug.cgi?id=199783
2181
2182         Reviewed by Mark Lam.
2183
2184         Fix our spec tests.
2185
2186         * wasm/js-api/Module-compile.js:
2187         * wasm/js-api/test_basic_api.js:
2188         (const.c.in.constructorProperties.switch):
2189         * wasm/js-api/validate.js:
2190         * wasm/js-api/web-assembly-instantiate.js:
2191         * wasm/spec-tests/jsapi.js:
2192         (testJSAPI.get test):
2193         (testJSAPI.set test):
2194
2195 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
2196
2197         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
2198         https://bugs.webkit.org/show_bug.cgi?id=196371
2199
2200         Reviewed by Keith Miller.
2201
2202         * microbenchmarks/mul-immediate-sub.js: Added.
2203         (doTest):
2204
2205 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
2206
2207         [BigInt] Add ValueBitLShift into DFG
2208         https://bugs.webkit.org/show_bug.cgi?id=192664
2209
2210         Reviewed by Saam Barati.
2211
2212         We are adding tests to cover ValueBitwise operations AI changes.
2213
2214         * stress/big-int-left-shift-untyped.js: Added.
2215         * stress/bit-op-with-object-returning-int32.js:
2216         * stress/value-bit-and-ai-rule.js: Added.
2217         * stress/value-bit-lshift-ai-rule.js: Added.
2218         * stress/value-bit-or-ai-rule.js: Added.
2219         * stress/value-bit-xor-ai-rule.js: Added.
2220
2221 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2222
2223         Add b3 macro lowering for CheckMul on arm64
2224         https://bugs.webkit.org/show_bug.cgi?id=199251
2225
2226         Reviewed by Robin Morisset.
2227
2228         * microbenchmarks/check-mul-constant.js: Added.
2229         (doTest):
2230         * microbenchmarks/check-mul-no-constant.js: Added.
2231         (doTest):
2232         * microbenchmarks/check-mul-power-of-two.js: Added.
2233         (doTest):
2234
2235 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2236
2237         Optimize join of large empty arrays
2238         https://bugs.webkit.org/show_bug.cgi?id=199636
2239
2240         Reviewed by Mark Lam.
2241
2242         * microbenchmarks/large-empty-array-join.js: Added.
2243         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2244
2245 2019-07-06  Michael Saboff  <msaboff@apple.com>
2246
2247         switch(String) needs to check for exceptions when resolving the string
2248         https://bugs.webkit.org/show_bug.cgi?id=199541
2249
2250         Reviewed by Mark Lam.
2251
2252         New tests.
2253
2254         * stress/switch-string-oom.js: Added.
2255         (test):
2256         (testLowerTiers):
2257         (testFTL):
2258
2259 2019-07-05  Mark Lam  <mark.lam@apple.com>
2260
2261         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
2262         https://bugs.webkit.org/show_bug.cgi?id=199533
2263         <rdar://problem/52669111>
2264
2265         Reviewed by Filip Pizlo.
2266
2267         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2268
2269 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2270
2271         [JSC] Clean up ArraySpeciesCreate
2272         https://bugs.webkit.org/show_bug.cgi?id=182434
2273
2274         Reviewed by Yusuke Suzuki.
2275
2276         Adjusts error message expectations in stress tests.
2277
2278         * stress/array-flatmap.js:
2279         * stress/array-flatten.js:
2280         * stress/array-species-create-should-handle-masquerader.js:
2281         * test262/expectations.yaml: Mark 4 test cases as passing.
2282
2283 2019-07-02  Michael Saboff  <msaboff@apple.com>
2284
2285         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
2286         https://bugs.webkit.org/show_bug.cgi?id=199395
2287
2288         Reviewed by Filip Pizlo.
2289
2290         New regession test.
2291
2292         * stress/for-of-tdz-with-try-catch.js: Added.
2293         (test):
2294         (i.catch):
2295
2296 2019-07-02  Keith Miller  <keith_miller@apple.com>
2297
2298         Frozen Arrays length assignment should throw in strict mode
2299         https://bugs.webkit.org/show_bug.cgi?id=199365
2300
2301         Reviewed by Yusuke Suzuki.
2302
2303         * stress/frozen-array-length-should-throw-strict.js: Added.
2304         (test):
2305
2306 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2307
2308         [Wasm-References] Disable references by default
2309         https://bugs.webkit.org/show_bug.cgi?id=199390
2310
2311         Reviewed by Saam Barati.
2312
2313         * wasm/references-spec-tests/ref_is_null.js:
2314         * wasm/references-spec-tests/ref_null.js:
2315         * wasm/references/anyref_globals.js:
2316         * wasm/references/anyref_modules.js:
2317         * wasm/references/anyref_table.js:
2318         * wasm/references/anyref_table_import.js:
2319         * wasm/references/element_parsing.js:
2320         * wasm/references/func_ref.js:
2321         * wasm/references/is_null.js:
2322         * wasm/references/multitable.js:
2323         * wasm/references/table_misc.js:
2324         * wasm/references/validation.js:
2325
2326 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2327
2328         Unreviewed, rolling out r246946.
2329
2330         Caused JSC test crashes on arm64
2331
2332         Reverted changeset:
2333
2334         "Add b3 macro lowering for CheckMul on arm64"
2335         https://bugs.webkit.org/show_bug.cgi?id=199251
2336         https://trac.webkit.org/changeset/246946
2337
2338 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2339
2340         Add b3 macro lowering for CheckMul on arm64
2341         https://bugs.webkit.org/show_bug.cgi?id=199251
2342
2343         Reviewed by Robin Morisset.
2344
2345         * microbenchmarks/check-mul-constant.js: Added.
2346         (doTest):
2347         * microbenchmarks/check-mul-no-constant.js: Added.
2348         (doTest):
2349         * microbenchmarks/check-mul-power-of-two.js: Added.
2350         (doTest):
2351
2352 2019-06-26  Keith Miller  <keith_miller@apple.com>
2353
2354         speciesConstruct needs to throw if the result is a DataView
2355         https://bugs.webkit.org/show_bug.cgi?id=199231
2356
2357         Reviewed by Mark Lam.
2358
2359         * stress/typedarray-filter.js:
2360         (subclasses.forEach):
2361         * stress/typedarray-map.js:
2362         (subclasses.forEach):
2363         * stress/typedarray-slice.js:
2364         (typedArrays.forEach):
2365         * stress/typedarray-subarray.js:
2366         (subclasses.forEach):
2367
2368 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2369
2370         Unreviewed, rolling out r246714.
2371         https://bugs.webkit.org/show_bug.cgi?id=199179
2372
2373         revert to do patch in a different way. (Requested by keith_mi_
2374         on #webkit).
2375
2376         Reverted changeset:
2377
2378         "All prototypes should call didBecomePrototype()"
2379         https://bugs.webkit.org/show_bug.cgi?id=196315
2380         https://trac.webkit.org/changeset/246714
2381
2382 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2383
2384         Add Array.prototype.{flat,flatMap} to unscopables
2385         https://bugs.webkit.org/show_bug.cgi?id=194322
2386
2387         Reviewed by Keith Miller.
2388
2389         * stress/unscopables.js: Fix test.
2390         * test262/expectations.yaml: Mark 2 test cases as passing.
2391
2392 2019-06-21  Mark Lam  <mark.lam@apple.com>
2393
2394         ArraySlice needs to keep the source array alive.
2395         https://bugs.webkit.org/show_bug.cgi?id=197374
2396         <rdar://problem/50304429>
2397
2398         Reviewed by Michael Saboff and Filip Pizlo.
2399
2400         * stress/array-slice-must-keep-source-array-alive.js: Added.
2401
2402 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2403
2404         All prototypes should call didBecomePrototype()
2405         https://bugs.webkit.org/show_bug.cgi?id=196315
2406
2407         Reviewed by Saam Barati.
2408
2409         * stress/function-prototype-indexed-accessor.js: Added.
2410
2411 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2412
2413         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2414         https://bugs.webkit.org/show_bug.cgi?id=197631
2415
2416         Reviewed by Saam Barati.
2417
2418         * stress/has-own-property-arguments.js: Added.
2419         (shouldBe):
2420         (A):
2421
2422 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2423
2424         [JSC] ClassExpr should not store result in the middle of evaluation
2425         https://bugs.webkit.org/show_bug.cgi?id=199106
2426
2427         Reviewed by Tadeu Zagallo.
2428
2429         * stress/class-expression-should-store-result-at-last.js: Added.
2430         (shouldThrow):
2431         (shouldThrow.let.a):
2432
2433 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2434
2435         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2436         https://bugs.webkit.org/show_bug.cgi?id=199044
2437
2438         Reviewed by Saam Barati.
2439
2440         Add wasm references spec tests as well as a worker test.
2441
2442         * wasm.yaml:
2443         * wasm/Builder_WebAssemblyBinary.js:
2444         (const.emitters.Element):
2445         * wasm/js-api/element.js:
2446         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2447         * wasm/references-spec-tests/ref_is_null.js: Added.
2448         (hostref):
2449         (is_hostref):
2450         (is_funcref):
2451         (eq_ref):
2452         (let.handler.get target):
2453         (register):
2454         (module):
2455         (instance):
2456         (call):
2457         (get instance):
2458         (exports):
2459         (run):
2460         (assert_malformed):
2461         (assert_invalid):
2462         (assert_unlinkable):
2463         (assert_uninstantiable):
2464         (assert_trap):
2465         (try.f):
2466         (catch):
2467         (assert_exhaustion):
2468         (assert_return):
2469         (assert_return_canonical_nan):
2470         (assert_return_arithmetic_nan):
2471         (assert_return_ref):
2472         (assert_return_func):
2473         * wasm/references-spec-tests/ref_null.js: Added.
2474         (hostref):
2475         (is_hostref):
2476         (is_funcref):
2477         (eq_ref):
2478         (let.handler.get target):
2479         (register):
2480         (module):
2481         (instance):
2482         (call):
2483         (get instance):
2484         (exports):
2485         (run):
2486         (assert_malformed):
2487         (assert_invalid):
2488         (assert_unlinkable):
2489         (assert_uninstantiable):
2490         (assert_trap):
2491         (try.f):
2492         (catch):
2493         (assert_exhaustion):
2494         (assert_return):
2495         (assert_return_canonical_nan):
2496         (assert_return_arithmetic_nan):
2497         (assert_return_ref):
2498         (assert_return_func):
2499         * wasm/references/element_parsing.js: Added.
2500         (module):
2501         * wasm/references/func_ref.js:
2502         * wasm/references/multitable.js:
2503         * wasm/references/table_misc.js:
2504         (TableSize.0.End.End.WebAssembly):
2505         * wasm/references/validation.js:
2506         (assert.throws):
2507
2508 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2509
2510         Optimize `resolve` method lookup in Promise static methods
2511         https://bugs.webkit.org/show_bug.cgi?id=198864
2512
2513         Reviewed by Yusuke Suzuki.
2514
2515         * test262/expectations.yaml: Mark 18 test cases as passing.
2516
2517 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2518
2519         [WASM-References] Rename anyfunc to funcref
2520         https://bugs.webkit.org/show_bug.cgi?id=198983
2521
2522         Reviewed by Yusuke Suzuki.
2523
2524         * wasm/function-tests/basic-element.js:
2525         * wasm/function-tests/context-switch.js:
2526         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2527         (makeInstance):
2528         (assert.eq.makeInstance):
2529         * wasm/function-tests/exceptions.js:
2530         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2531         * wasm/function-tests/grow-memory-2.js:
2532         (assert.eq.instance.exports.foo):
2533         * wasm/function-tests/nameSection.js:
2534         (const.compile):
2535         * wasm/function-tests/stack-overflow.js:
2536         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2537         (assertOverflows.makeInstance):
2538         * wasm/function-tests/table-basic-2.js:
2539         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2540         * wasm/function-tests/table-basic.js:
2541         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2542         * wasm/function-tests/trap-from-start-async.js:
2543         * wasm/function-tests/trap-from-start.js:
2544         * wasm/js-api/Module.exports.js:
2545         (assert.truthy):
2546         * wasm/js-api/Module.imports.js:
2547         (assert.truthy):
2548         * wasm/js-api/call-indirect.js:
2549         (const.oneTable):
2550         (const.multiTable):
2551         (multiTable.const.makeTable):
2552         (multiTable):
2553         (multiTable.Polyphic2Import):
2554         (multiTable.VirtualImport):
2555         * wasm/js-api/element-data.js:
2556         * wasm/js-api/element.js:
2557         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2558         (assert.throws):
2559         (badInstantiation.makeModule):
2560         (badInstantiation.test):
2561         (badInstantiation):
2562         * wasm/js-api/extension-MemoryMode.js:
2563         * wasm/js-api/table.js:
2564         (new.WebAssembly.Module):
2565         (assert.throws):
2566         (assertBadTableImport):
2567         (assert.throws.WebAssembly.Table.prototype.grow):
2568         (new.WebAssembly.Table):
2569         (assertBadTable):
2570         (assert.truthy):
2571         * wasm/js-api/test_basic_api.js:
2572         (const.c.in.constructorProperties.switch):
2573         * wasm/js-api/unique-signature.js:
2574         (CallIndirectWithDuplicateSignatures):
2575         * wasm/js-api/wrapper-function.js:
2576         * wasm/modules/table.wat:
2577         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2578         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2579         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2580         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2581         * wasm/references/anyref_table.js:
2582         * wasm/references/anyref_table_import.js:
2583         (doSet):
2584         (assert.throws):
2585         * wasm/references/func_ref.js:
2586         (makeFuncrefIdent):
2587         (assert.eq.instance.exports.fix):
2588         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2589         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2590         (let.importedFun.of):
2591         (makeAnyfuncIdent): Deleted.
2592         (makeAnyfuncIdent.fun): Deleted.
2593         * wasm/references/multitable.js:
2594         (assert.eq):
2595         (assert.throws):
2596         * wasm/references/table_misc.js:
2597         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2598         * wasm/references/validation.js:
2599         (assert.throws.new.WebAssembly.Module.bin):
2600         (assert.throws):
2601         * wasm/spec-harness/index.js:
2602         * wasm/spec-harness/wasm-constants.js:
2603         * wasm/spec-harness/wasm-module-builder.js:
2604         (WasmModuleBuilder.prototype.toArray):
2605         * wasm/spec-harness/wast.js:
2606         (elem_type):
2607         (string_of_elem_type):
2608         (string_of_table_type):
2609         * wasm/spec-tests/jsapi.js:
2610         * wasm/stress/wasm-table-grow-initialize.js:
2611         * wasm/wasm.json:
2612
2613 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2614
2615         [WASM-References] Add support for Table.size, grow and fill instructions
2616         https://bugs.webkit.org/show_bug.cgi?id=198761
2617
2618         Reviewed by Yusuke Suzuki.
2619
2620         * wasm/Builder_WebAssemblyBinary.js:
2621         (const.putOp):
2622         * wasm/references/table_misc.js: Added.
2623         (TableSize.End.End.WebAssembly):
2624         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2625         * wasm/wasm.json:
2626
2627 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2628
2629         [WASM-References] Add support for multiple tables
2630         https://bugs.webkit.org/show_bug.cgi?id=198760
2631
2632         Reviewed by Saam Barati.
2633
2634         * wasm/Builder.js:
2635         * wasm/js-api/call-indirect.js:
2636         (const.oneTable):
2637         (const.multiTable):
2638         (multiTable):
2639         (multiTable.Polyphic2Import):
2640         (multiTable.VirtualImport):
2641         (const.wasmModuleWhichImportJS): Deleted.
2642         (const.makeTable): Deleted.
2643         (): Deleted.
2644         (Polyphic2Import): Deleted.
2645         (VirtualImport): Deleted.
2646         * wasm/js-api/table.js:
2647         (new.WebAssembly.Module):
2648         (assert.throws):
2649         (assertBadTableImport):
2650         (assert.truthy):
2651         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2652         * wasm/references/anyref_table.js:
2653         * wasm/references/anyref_table_import.js:
2654         (makeImport):
2655         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2656         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2657         * wasm/references/multitable.js: Added.
2658         (assert.throws.1.exports.set_tbl0):
2659         (assert.throws):
2660         (assert.eq):
2661         * wasm/references/validation.js:
2662         (assert.throws.new.WebAssembly.Module.bin):
2663         (assert.throws):
2664         * wasm/spec-tests/imports.wast.js:
2665         * wasm/wasm.json:
2666
2667         * wasm/Builder.js:
2668         * wasm/js-api/call-indirect.js:
2669         (const.oneTable):
2670         (const.multiTable):
2671         (multiTable):
2672         (multiTable.Polyphic2Import):
2673         (multiTable.VirtualImport):
2674         (const.wasmModuleWhichImportJS): Deleted.
2675         (const.makeTable): Deleted.
2676         (): Deleted.
2677         (Polyphic2Import): Deleted.
2678         (VirtualImport): Deleted.
2679         * wasm/js-api/table.js:
2680         (new.WebAssembly.Module):
2681         (assert.throws):
2682         (assertBadTableImport):
2683         (assert.truthy):
2684         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2685         * wasm/references/anyref_table.js:
2686         * wasm/references/anyref_table_import.js:
2687         (makeImport):
2688         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2689         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2690         * wasm/references/func_ref.js:
2691         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2692         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2693         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2694         * wasm/references/multitable.js: Added.
2695         (assert.throws.1.exports.set_tbl0):
2696         (assert.throws):
2697         (assert.eq):
2698         (string_appeared_here.tableInsanity):
2699         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2700         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2701         * wasm/references/validation.js:
2702         (assert.throws.new.WebAssembly.Module.bin):
2703         (assert.throws):
2704         * wasm/spec-tests/imports.wast.js:
2705         * wasm/wasm.json:
2706
2707 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2708
2709         [ESNExt] String.prototype.matchAll
2710         https://bugs.webkit.org/show_bug.cgi?id=186694
2711
2712         Reviewed by Yusuke Suzuki.
2713
2714         Implement String.prototype.matchAll.
2715         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2716
2717         * test262/config.yaml:
2718
2719 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2720
2721         DFG code should not reify the names of builtin functions with private names
2722         https://bugs.webkit.org/show_bug.cgi?id=198849
2723         <rdar://problem/51733890>
2724
2725         Reviewed by Filip Pizlo.
2726
2727         * stress/builtin-private-function-name.js: Added.
2728         (then):
2729         (PromiseLike):
2730
2731 2019-06-18  Keith Miller  <keith_miller@apple.com>
2732
2733         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2734         https://bugs.webkit.org/show_bug.cgi?id=198969
2735         <rdar://problem/51620714>
2736
2737         Reviewed by Tadeu Zagallo.
2738
2739         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2740         (catch):
2741
2742 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2743
2744         Validate that table element type is funcref if using an element section
2745         https://bugs.webkit.org/show_bug.cgi?id=198910
2746
2747         Reviewed by Yusuke Suzuki.
2748
2749         * wasm/references/anyref_table.js:
2750
2751 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2752
2753         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2754         https://bugs.webkit.org/show_bug.cgi?id=197378
2755
2756         Reviewed by Saam Barati.
2757
2758         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2759         (foo):
2760         (bar):
2761         * stress/disposable-call-site-index.js: Added.
2762         (foo):
2763         (bar):
2764
2765 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2766
2767         [WASM-References] Add support for Funcref in parameters and return types
2768         https://bugs.webkit.org/show_bug.cgi?id=198157
2769
2770         Reviewed by Yusuke Suzuki.
2771
2772         * wasm/Builder.js:
2773         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2774         * wasm/references/anyref_globals.js:
2775         * wasm/references/func_ref.js: Added.
2776         (fullGC.gc.makeExportedFunction):
2777         (makeExportedIdent):
2778         (makeAnyfuncIdent):
2779         (fun):
2780         (assert.eq.instance.exports.fix.fun):
2781         (assert.eq.instance.exports.fix):
2782         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2783         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2784         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2785         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2786         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2787         (assert.throws):
2788         (assert.throws.doTest):
2789         (let.importedFun.of):
2790         (makeAnyfuncIdent.fun):
2791         * wasm/references/validation.js:
2792         (assert.throws):
2793         * wasm/wasm.json:
2794
2795 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2796
2797         Update test262 tests (2019.06.13)
2798         https://bugs.webkit.org/show_bug.cgi?id=198821
2799
2800         Reviewed by Konstantin Tokarev.
2801
2802         * test262/expectations.yaml:
2803         * test262/harness/:
2804         * test262/latest-changes-summary.txt:
2805         * test262/test/:
2806         * test262/test262-Revision.txt:
2807
2808 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2809
2810         [JSC] Grown region of WasmTable should be initialized with null
2811         https://bugs.webkit.org/show_bug.cgi?id=198903
2812
2813         Reviewed by Saam Barati.
2814
2815         * wasm/stress/wasm-table-grow-initialize.js: Added.
2816         (shouldBe):
2817
2818 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2819
2820         Yarr bytecode compilation failure should be gracefully handled
2821         https://bugs.webkit.org/show_bug.cgi?id=198700
2822
2823         Reviewed by Michael Saboff.
2824
2825         * stress/regexp-bytecode-compilation-fail.js: Added.
2826         (shouldThrow):
2827
2828 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2829
2830         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2831         https://bugs.webkit.org/show_bug.cgi?id=198770
2832
2833         Reviewed by Saam Barati.
2834
2835         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2836         (test):
2837
2838 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2839
2840         JSC should throw if proxy set returns falsish in strict mode context
2841         https://bugs.webkit.org/show_bug.cgi?id=177398
2842
2843         Reviewed by Yusuke Suzuki.
2844
2845         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2846         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2847
2848         * stress/proxy-set.js: Add 2 test cases.
2849         * stress/regexp-match-proxy.js: Fix test.
2850         * stress/regexp-replace-proxy.js: Fix test.
2851
2852 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2853
2854         Error message for non-callable Proxy `construct` trap is misleading
2855         https://bugs.webkit.org/show_bug.cgi?id=198637
2856
2857         Reviewed by Saam Barati.
2858
2859         * stress/proxy-construct.js:
2860
2861 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2862
2863         AI BitURShift's result should not be unsigned
2864         https://bugs.webkit.org/show_bug.cgi?id=198689
2865         <rdar://problem/51550063>
2866
2867         Reviewed by Saam Barati.
2868
2869         * stress/urshift-int32-overflow.js: Added.
2870         (foo.):
2871         (foo):
2872
2873 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2874
2875         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2876
2877         Unreviewed gardening.
2878
2879         * stress/ftl-gettypedarrayoffset-wasteful.js:
2880         Skipped on arm/linux as it always times out on the bot since a change
2881         between r246270 and r246278 inclusive.
2882
2883 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2884
2885         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2886         https://bugs.webkit.org/show_bug.cgi?id=198023
2887
2888         Reviewed by Saam Barati.
2889
2890         * stress/reparsing-unlinked-codeblock.js: Added.
2891         (shouldBe):
2892         (hello):
2893
2894 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2895
2896         [JSC] Use mergePrediction in ValuePow prediction propagation
2897         https://bugs.webkit.org/show_bug.cgi?id=198648
2898
2899         Reviewed by Saam Barati.
2900
2901         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2902
2903 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2904
2905         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2906         https://bugs.webkit.org/show_bug.cgi?id=198581
2907         <rdar://problem/51099753>
2908
2909         Reviewed by Saam Barati.
2910
2911         * stress/global-object-proto-getter.js: Added.
2912         (f):
2913         (test):
2914
2915 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2916
2917         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2918         https://bugs.webkit.org/show_bug.cgi?id=198398
2919
2920         Reviewed by Saam Barati.
2921
2922         * wasm/references/anyref_table.js: Added.
2923         (string_appeared_here.doGCSet):
2924         (doGCTest):
2925         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2926         * wasm/references/anyref_table_import.js: Added.
2927         (makeImport):
2928         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2929         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2930         * wasm/references/is_null_error.js: Removed.
2931         * wasm/references/validation.js: Added.
2932         (assert.throws.new.WebAssembly.Module.bin):
2933         (assert.throws):
2934         * wasm/wasm.json:
2935
2936 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2937
2938         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2939         https://bugs.webkit.org/show_bug.cgi?id=198106
2940
2941         Reviewed by Saam Barati.
2942
2943         * wasm/regress/selectf64.js: Added.
2944         * wasm/regress/selectf64.wasm: Added.
2945         * wasm/regress/selectf64.wat: Added.
2946
2947 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2948
2949         Argument elimination should check transitive dependents for interference
2950         https://bugs.webkit.org/show_bug.cgi?id=198520
2951         <rdar://problem/50863343>
2952
2953         Reviewed by Filip Pizlo.
2954
2955         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2956         (f2):
2957         (f3):
2958
2959 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2960
2961         Argument elimination should check for negative indices in GetByVal
2962         https://bugs.webkit.org/show_bug.cgi?id=198302
2963         <rdar://problem/51188095>
2964
2965         Reviewed by Filip Pizlo.
2966
2967         * stress/eliminate-arguments-negative-rest-access.js: Added.
2968         (inlinee):
2969         (opt):
2970
2971 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2972
2973         [ESNext][BigInt] Implement support for "**"
2974         https://bugs.webkit.org/show_bug.cgi?id=190799
2975
2976         Reviewed by Saam Barati.
2977
2978         * stress/big-int-exp-basic.js: Added.
2979         * stress/big-int-exp-jit-osr.js: Added.
2980         * stress/big-int-exp-jit-untyped.js: Added.
2981         * stress/big-int-exp-jit.js: Added.
2982         * stress/big-int-exp-negative-exponent.js: Added.
2983         * stress/big-int-exp-to-primitive.js: Added.
2984         * stress/big-int-exp-type-error.js: Added.
2985         * stress/big-int-exp-wrapped-value.js: Added.
2986         * stress/value-pow-ai-rule.js: Added.
2987
2988 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2989
2990         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2991         https://bugs.webkit.org/show_bug.cgi?id=197979
2992
2993         Reviewed by Filip Pizlo.
2994
2995         * stress/16bit-code.js: Added.
2996         (shouldBe):
2997         * stress/32bit-code.js: Added.
2998         (shouldBe):
2999
3000 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
3001
3002         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
3003         https://bugs.webkit.org/show_bug.cgi?id=198355
3004
3005         Reviewed by Saam Barati.
3006
3007         * wasm/references/is_null.js:
3008
3009 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
3010
3011         [PlayStation] Skip additional tests on PlayStation
3012         https://bugs.webkit.org/show_bug.cgi?id=198352
3013
3014         Reviewed by Don Olmstead.
3015
3016         Skip pow test on PlayStation due to behavior difference in standard library.
3017         Skip incremental marking test due to OOM on PlayStation systems.
3018
3019         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
3020         * stress/math-pow-with-constants.js:
3021         * stress/pow-with-constants.js:
3022
3023 2019-05-28  Dean Jackson  <dino@apple.com>
3024
3025         Implement Promise.allSettled
3026         https://bugs.webkit.org/show_bug.cgi?id=197600
3027         <rdar://problem/50483885>
3028
3029         Reviewed by Keith Miller.
3030
3031         Start testing Promise.allSettled. We pass most of the tests.
3032         The ones that fail are similar to the Promise.all tests we already fail.
3033
3034         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
3035         * test262/expectations.yaml: Add new expectations for allSettled tests.
3036
3037 2019-05-28  Michael Saboff  <msaboff@apple.com>
3038
3039         [YARR] Properly handle RegExp's that require large ParenContext space
3040         https://bugs.webkit.org/show_bug.cgi?id=198065
3041
3042         Reviewed by Keith Miller.
3043
3044         New test.
3045
3046         * stress/regexp-large-paren-context.js: Added.
3047         (testLargeRegExp):
3048
3049 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
3050
3051         JITOperations putByVal should mark negative array indices as out-of-bounds
3052         https://bugs.webkit.org/show_bug.cgi?id=198271
3053
3054         Reviewed by Saam Barati.
3055
3056         * microbenchmarks/get-by-val-negative-array-index.js:
3057         (foo):
3058         Update the getByVal microbenchmark added in r245769. This now shows that r245769
3059         is 4.2x faster than the previous commit.
3060
3061         * microbenchmarks/put-by-val-negative-array-index.js: Added.
3062         (foo):
3063
3064 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
3065
3066         JITOperations getByVal should mark negative array indices as out-of-bounds
3067         https://bugs.webkit.org/show_bug.cgi?id=198229
3068
3069         Reviewed by Saam Barati.
3070
3071         * microbenchmarks/get-by-val-negative-array-index.js: Added.
3072         (foo):
3073
3074 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
3075
3076         [WASM-References] Support Anyref in globals
3077         https://bugs.webkit.org/show_bug.cgi?id=198102
3078
3079         Reviewed by Saam Barati.
3080
3081         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
3082
3083         * wasm/Builder.js:
3084         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
3085         * wasm/Builder_WebAssemblyBinary.js:
3086         (const.putInitExpr):
3087         * wasm/references/anyref_globals.js: Added.
3088         (GetGlobal.0.End.End.WebAssembly):
3089         (5.doGCSet):
3090         (doGCTest):
3091         (doGCSet.doGCTest.let.count.0.doBarrierSet):
3092
3093 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3094
3095         DFG::OSREntry should not perform arity check
3096         https://bugs.webkit.org/show_bug.cgi?id=198189
3097
3098         Reviewed by Saam Barati.
3099
3100         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
3101         (foo):
3102
3103 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
3104
3105         [PlayStation] Skip additional tests on PlayStation
3106         https://bugs.webkit.org/show_bug.cgi?id=198145
3107
3108         Reviewed by Ross Kirsling.
3109
3110         * exceptionFuzz.yaml:
3111         Add skip on hostOS playstation
3112         * executableAllocationFuzz.yaml:
3113         Add skip on hostOS playstation
3114
3115 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3116
3117         createListFromArrayLike should throw if value is not an object
3118         https://bugs.webkit.org/show_bug.cgi?id=198138
3119
3120         Reviewed by Yusuke Suzuki.
3121
3122         * stress/create-list-from-array-like-not-object.js: Added.
3123         (testValid):
3124         (testInvalid):
3125         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
3126         (opt):
3127         * stress/proxy-proto-enumerator.js: Added.
3128         (main):
3129         * stress/proxy-proto-own-keys.js: Added.
3130         (assert):
3131         (ownKeys):
3132
3133 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3134
3135         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
3136         https://bugs.webkit.org/show_bug.cgi?id=197809
3137
3138         Reviewed by Michael Saboff.
3139
3140         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
3141         (foo):
3142
3143 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3144
3145         [ESNext] Implement support for Numeric Separators
3146         https://bugs.webkit.org/show_bug.cgi?id=196351
3147
3148         Reviewed by Keith Miller.
3149
3150         * stress/numeric-literal-separators.js: Added.
3151         Add tests for feature.
3152
3153         * test262/expectations.yaml:
3154         Mark 60 test cases as passing.
3155
3156 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3157
3158         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
3159         https://bugs.webkit.org/show_bug.cgi?id=198120
3160         <rdar://problem/49668795>
3161
3162         Reviewed by Michael Saboff.
3163
3164         * stress/get-array-length-concurrently-change-mode.js: Added.
3165         (main):
3166
3167 2019-05-22  Commit Queue  <commit-queue@webkit.org>
3168
3169         Unreviewed, rolling out r245634.
3170         https://bugs.webkit.org/show_bug.cgi?id=198140
3171
3172         'This patch makes JSC crash on launch in debug builds'
3173         (Requested by tadeuzagallo on #webkit).
3174
3175         Reverted changeset:
3176
3177         "[ESNext] Implement support for Numeric Separators"
3178         https://bugs.webkit.org/show_bug.cgi?id=196351
3179         https://trac.webkit.org/changeset/245634
3180
3181 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3182
3183         Stack-buffer-overflow in decodeURIComponent
3184         https://bugs.webkit.org/show_bug.cgi?id=198109
3185         <rdar://problem/50397550>
3186
3187         Reviewed by Michael Saboff.
3188
3189         * stress/decode-uri-icu-count-trail-bytes.js: Added.
3190         (i.j.try.i.toString):
3191         (i.j.catch):
3192
3193 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3194
3195         Don't clear PropertyNameArray in Proxy code
3196         https://bugs.webkit.org/show_bug.cgi?id=197691
3197
3198         Reviewed by Saam Barati.
3199
3200         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
3201         (shouldBe):
3202         (opt):
3203
3204 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3205
3206         [ESNext] Implement support for Numeric Separators
3207         https://bugs.webkit.org/show_bug.cgi?id=196351
3208
3209         Reviewed by Keith Miller.
3210
3211         * stress/numeric-literal-separators.js: Added.
3212         Add tests for feature.
3213
3214         * test262/expectations.yaml:
3215         Mark 60 test cases as passing.
3216
3217 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3218
3219         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
3220         https://bugs.webkit.org/show_bug.cgi?id=198101
3221
3222         Reviewed by Michael Saboff.
3223
3224         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
3225         (shouldBe):
3226
3227 2019-05-20  Keith Miller  <keith_miller@apple.com>
3228
3229         Cleanup Yarr regexp code around paren contexts.
3230         https://bugs.webkit.org/show_bug.cgi?id=198063
3231
3232         Reviewed by Yusuke Suzuki.
3233
3234         * stress/regexp-many-named-sequential-capture-groups.js: Added.
3235         (i.s):
3236         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
3237
3238 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
3239
3240         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
3241         https://bugs.webkit.org/show_bug.cgi?id=197969
3242
3243         Reviewed by Keith Miller.
3244
3245         Support the anyref type in Builder.js, plus add some extra error logging.
3246         Add new folder for wasm references tests.
3247
3248         * wasm.yaml:
3249         * wasm/Builder.js:
3250         (const._isValidValue):
3251         * wasm/references/anyref_modules.js: Added.
3252         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
3253         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
3254         (Call.3.RefIsNull.End.End.WebAssembly):
3255         (undefined):
3256         * wasm/references/is_null.js: Added.
3257         * wasm/references/is_null_error.js: Added.
3258         * wasm/spec-harness/index.js:
3259         * wasm/wasm.json:
3260
3261 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
3262
3263         [JSC] Invalid AssignmentTargetType should be an early error.
3264         https://bugs.webkit.org/show_bug.cgi?id=197603
3265
3266         Reviewed by Keith Miller.
3267
3268         * test262/expectations.yaml:
3269         Update expectations to reflect new SyntaxErrors.
3270         (Ideally, these should all be viewed as passing in the near future.)
3271
3272         * stress/async-await-basic.js:
3273         * stress/big-int-literals.js:
3274         Update tests to reflect new SyntaxErrors.
3275
3276         * ChakraCore.yaml:
3277         * ChakraCore/test/EH/try6.baseline-jsc:
3278         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
3279         Update baselines to reflect new SyntaxErrors.
3280
3281 2019-05-15  Saam Barati  <sbarati@apple.com>
3282
3283         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
3284         https://bugs.webkit.org/show_bug.cgi?id=197855
3285         <rdar://problem/50236506>
3286
3287         Reviewed by Michael Saboff.
3288
3289         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
3290         (f0):
3291         (bar):
3292         (foo):
3293         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
3294         (f1):
3295         (f2):
3296         (foo):
3297
3298 2019-05-14  Keith Miller  <keith_miller@apple.com>
3299
3300         Fix issue with byteOffset on ARM64E
3301         https://bugs.webkit.org/show_bug.cgi?id=197884
3302
3303         Reviewed by Saam Barati.
3304
3305         We didn't have any tests that run with non-byte/non-zero offset
3306         typed arrays.
3307
3308         * stress/ftl-gettypedarrayoffset-wasteful.js:
3309
3310 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
3311
3312         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
3313         https://bugs.webkit.org/show_bug.cgi?id=197833
3314
3315         Reviewed by Darin Adler.
3316
3317         * stress/generator-name.js: Added.
3318         (shouldBe):
3319         (gen):
3320         (catch):
3321
3322 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
3323
3324         JSObject::getOwnPropertyDescriptor is missing an exception check
3325         https://bugs.webkit.org/show_bug.cgi?id=197693
3326         <rdar://problem/50441784>
3327
3328         Reviewed by Saam Barati.
3329
3330         * stress/proxy-spread.js: Added.
3331         (foo):
3332
3333 2019-05-10  Saam barati  <sbarati@apple.com>
3334
3335         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
3336         https://bugs.webkit.org/show_bug.cgi?id=197807
3337         <rdar://problem/50530400>
3338
3339         Reviewed by Yusuke Suzuki.
3340
3341         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
3342         (test.getInstance):
3343         (test):
3344
3345 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
3346
3347         [Test262] Unreviewed expectations update following r245188.
3348
3349         * test262/config.yaml:
3350         * test262/expectations.yaml:
3351
3352         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
3353         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
3354         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
3355         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
3356         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
3357         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
3358         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
3359         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
3360         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
3361         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
3362         These files have invalid YAML comments. Will also submit corrections back to Test262.
3363
3364 2019-05-10  Keith Miller  <keith_miller@apple.com>
3365
3366         Update test262 tests.
3367
3368         Rubber-stamped by Yusuke Suzuki.
3369
3370         * test262/*: mega-patch too many things to list individually.
3371
3372 2019-05-09  Keith Miller  <keith_miller@apple.com>
3373
3374         Unreview, fix test to have a try-catch.
3375
3376         * stress/many-nested-functions-parser-stack-overflow.js:
3377         (catch):
3378
3379 2019-05-09  Keith Miller  <keith_miller@apple.com>
3380
3381         parseStatementListItem needs a stack overflow check
3382         https://bugs.webkit.org/show_bug.cgi?id=197749
3383
3384         Reviewed by Saam Barati.
3385
3386         * stress/many-nested-functions-parser-stack-overflow.js: Added.
3387
3388 2019-05-08  Saam barati  <sbarati@apple.com>
3389
3390         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
3391         https://bugs.webkit.org/show_bug.cgi?id=197715
3392         <rdar://problem/50399252>
3393
3394         Reviewed by Filip Pizlo.
3395
3396         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
3397         (foo):
3398         (bar):
3399
3400 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3401
3402         Unreviewed, rolling out r245068.
3403
3404         Caused debug layout tests to exit early due to an assertion
3405         failure.
3406
3407         Reverted changeset:
3408
3409         "All prototypes should call didBecomePrototype()"
3410         https://bugs.webkit.org/show_bug.cgi?id=196315
3411         https://trac.webkit.org/changeset/245068
3412
3413 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3414
3415         Invalid DFG JIT genereation in high CPU usage state
3416         https://bugs.webkit.org/show_bug.cgi?id=197453
3417
3418         Reviewed by Saam Barati.
3419
3420         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3421         (trigger):
3422         (main):
3423
3424 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3425
3426         All prototypes should call didBecomePrototype()
3427         https://bugs.webkit.org/show_bug.cgi?id=196315
3428
3429         Reviewed by Saam Barati.
3430
3431         This changelog already landed, but the commit was missing the actual changes.
3432
3433         * stress/function-prototype-indexed-accessor.js: Added.
3434
3435 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3436
3437         [BigInt] Add ValueMod into DFG
3438         https://bugs.webkit.org/show_bug.cgi?id=186174
3439
3440         Reviewed by Saam Barati.
3441
3442         * microbenchmarks/mod-untyped.js: Added.
3443         * stress/big-int-mod-osr.js: Added.
3444         * stress/value-div-ai-rule.js: Added.
3445         * stress/value-mod-ai-rule.js: Added.
3446
3447 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3448
3449         [JSC] DFG_ASSERT failed in lowInt52
3450         https://bugs.webkit.org/show_bug.cgi?id=197569
3451
3452         Reviewed by Saam Barati.
3453
3454         * stress/getstack-int52.js: Added.
3455         (opt):
3456         (main):
3457
3458 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3459
3460         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3461         https://bugs.webkit.org/show_bug.cgi?id=197479
3462
3463         Reviewed by Saam Barati.
3464
3465         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3466         (shouldBe):
3467
3468 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3469
3470         TemplateObject passed to template literal tags are not always identical for the same source location.
3471         https://bugs.webkit.org/show_bug.cgi?id=190756
3472
3473         Reviewed by Saam Barati.
3474
3475         * complex.yaml:
3476         * complex/tagged-template-regeneration-after.js: Added.
3477         (shouldBe):
3478         * complex/tagged-template-regeneration.js: Added.
3479         (call):
3480         (test):
3481         * modules/tagged-template-inside-module.js: Added.
3482         (from.string_appeared_here.call):
3483         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3484         (call):
3485         (export.otherTaggedTemplates):
3486         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3487         (shouldBe):
3488         (call):
3489         (poly):
3490         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3491         (shouldBe):
3492         (call):
3493         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3494         (shouldBe):
3495         (call):
3496         (test):
3497         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3498         (shouldBe):
3499         (call):
3500         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3501         (shouldBe):
3502         (call):
3503         * stress/tagged-templates-in-multiple-functions.js: Added.
3504         (shouldBe):
3505         (call):
3506         (a):
3507         (b):
3508         (c):
3509         * stress/tagged-templates-with-same-start-offset.js: Added.
3510         (shouldBe):
3511
3512 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3513
3514         All prototypes should call didBecomePrototype()
3515         https://bugs.webkit.org/show_bug.cgi?id=196315
3516
3517         Reviewed by Saam Barati.
3518
3519         * stress/function-prototype-indexed-accessor.js: Added.
3520
3521 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3522
3523         Unreviewed, rolling out r244978.
3524         https://bugs.webkit.org/show_bug.cgi?id=197671
3525
3526         TemplateObject map should use start/end offsets (Requested by
3527         yusukesuzuki on #webkit).
3528
3529         Reverted changeset:
3530
3531         "TemplateObject passed to template literal tags are not always
3532         identical for the same source location."
3533         https://bugs.webkit.org/show_bug.cgi?id=190756
3534         https://trac.webkit.org/changeset/244978
3535
3536 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3537
3538         tryCachePutByID should not crash if target offset changes
3539         https://bugs.webkit.org/show_bug.cgi?id=197311
3540         <rdar://problem/48033612>
3541
3542         Reviewed by Filip Pizlo.
3543
3544         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
3545         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
3546
3547         * stress/cache-put-by-id-delete-prototype.js: Added.
3548         (A.prototype.set y):
3549         (A):
3550         (B.prototype.set y):
3551         (B):
3552         (C):
3553         * stress/cache-put-by-id-different-__proto__.js: Added.
3554         (A.prototype.set y):
3555         (A):
3556         (B1):
3557         (B2.prototype.set y):
3558         (B2):
3559         (C):
3560         (D):
3561         * stress/cache-put-by-id-different-attributes.js: Added.
3562         (Foo):
3563         (set x):
3564         * stress/cache-put-by-id-different-offset.js: Added.
3565         (Foo):
3566         (set x):
3567         * stress/cache-put-by-id-insert-prototype.js: Added.
3568         (A.prototype.set y):
3569         (A):
3570         (C):
3571         * stress/cache-put-by-id-poly-proto.js: Added.
3572         (Foo):
3573         (set _):
3574         (createBar.Bar):
3575         (createBar):
3576
3577 2019-05-07  Saam Barati  <sbarati@apple.com>
3578
3579         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3580         https://bugs.webkit.org/show_bug.cgi?id=197531
3581         <rdar://problem/50162379>
3582
3583         Reviewed by Yusuke Suzuki.
3584
3585         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3586
3587 2019-05-06  Dean Jackson  <dino@apple.com>
3588
3589         Update test262 expectations for Proxy passes
3590         https://bugs.webkit.org/show_bug.cgi?id=197628
3591
3592         Reviewed by Yusuke Suzuki.
3593
3594         There are two consistent passes in Proxy.ownKeys.
3595
3596         * test262/expectations.yaml:
3597
3598 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3599
3600         [JSC] We should check OOM for description string of Symbol
3601         https://bugs.webkit.org/show_bug.cgi?id=197634
3602
3603         Reviewed by Keith Miller.
3604
3605         * stress/check-symbol-description-oom.js: Added.
3606         (shouldThrow):
3607
3608 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3609
3610         Unreviewed, land one more test
3611         https://bugs.webkit.org/show_bug.cgi?id=197587
3612
3613         * stress/setter-frame-flush.js: Added.
3614         (setter):
3615         (foo):
3616         (bar):
3617
3618 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3619
3620         TemplateObject passed to template literal tags are not always identical for the same source location.
3621         https://bugs.webkit.org/show_bug.cgi?id=190756
3622
3623         Reviewed by Saam Barati.
3624
3625         * complex.yaml:
3626         * complex/tagged-template-regeneration-after.js: Added.
3627         (shouldBe):
3628         * complex/tagged-template-regeneration.js: Added.
3629         (call):
3630         (test):
3631         * modules/tagged-template-inside-module.js: Added.
3632         (from.string_appeared_here.call):
3633         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3634         (call):
3635         (export.otherTaggedTemplates):
3636         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3637         (shouldBe):
3638         (call):
3639         (poly):
3640         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3641         (shouldBe):
3642         (call):
3643         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3644         (shouldBe):
3645         (call):
3646         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3647         (shouldBe):
3648         (call):
3649         * stress/tagged-templates-in-multiple-functions.js: Added.
3650         (shouldBe):
3651         (call):
3652         (a):
3653         (b):
3654         (c):
3655
3656 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3657
3658         [PlayStation] JSC Stress tests failing due to timezone printing
3659         https://bugs.webkit.org/show_bug.cgi?id=197615
3660
3661         PlayStation's strftime does not give timezone strings, which
3662         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3663         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3664         which causes diff failures with the expectations. Add expectations
3665         without the timezone string and use those on playstation.
3666
3667         Reviewed by Ross Kirsling.
3668
3669         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3670         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3671         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3672         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3673
3674 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3675
3676         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3677         https://bugs.webkit.org/show_bug.cgi?id=197587
3678
3679         Reviewed by Sam Weinig.
3680
3681         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3682
3683         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3684
3685 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3686
3687         TypedArrays should not store properties that are canonical numeric indices
3688         https://bugs.webkit.org/show_bug.cgi?id=197228
3689         <rdar://problem/49557381>
3690
3691         Reviewed by Saam Barati.
3692
3693         * stress/array-species-config-array-constructor.js:
3694         (test):
3695         * stress/put-direct-index-broken-2.js:
3696         * stress/typed-array-canonical-numeric-index-string.js: Added.
3697         (makeTest.assert):
3698         (makeTest):
3699         (const.testInvalidIndices.makeTest.set assert):
3700         (const.testInvalidIndices.makeTest):
3701         (const.makeTestValidIndex.configurable.set assert):
3702         (const.makeTestValidIndex.configurable):
3703         * stress/typedarray-access-monomorphic-neutered.js:
3704         (checkNoException):
3705         (testNoException):
3706         (testFTLNoException):
3707         * stress/typedarray-access-neutered.js:
3708         (testNoException):
3709         * stress/typedarray-getownproperty-not-configurable.js:
3710         (foo):
3711         * test262/expectations.yaml:
3712
3713 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3714
3715         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3716         https://bugs.webkit.org/show_bug.cgi?id=197584
3717
3718         Reviewed by Saam Barati.
3719
3720         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3721         (X):
3722         (foo):
3723
3724 2019-05-03  Michael Saboff  <msaboff@apple.com>
3725
3726         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3727         https://bugs.webkit.org/show_bug.cgi?id=197586
3728
3729         Reviewed by Keith Miller.
3730
3731         We should only run one config of this test and only when we think we'll have the memory.
3732
3733         * stress/json-stringify-string-builder-overflow.js:
3734
3735 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3736
3737         [JSC] Generator CodeBlock generation should be idempotent
3738         https://bugs.webkit.org/show_bug.cgi?id=197552
3739
3740         Reviewed by Keith Miller.
3741
3742         Add complex.yaml, which controls how to run JSC shell more.
3743         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3744
3745         * complex.yaml: Added.
3746         * complex/generator-regeneration-after.js: Added.
3747         * complex/generator-regeneration.js: Added.
3748         (gen):
3749
3750 2019-05-02  Michael Saboff  <msaboff@apple.com>
3751
3752         Unreviewed rollout of r244862.
3753
3754         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3755
3756 2019-05-01  Saam barati  <sbarati@apple.com>
3757
3758         Baseline JIT should do argument value profiling after checking for stack overflow
3759         https://bugs.webkit.org/show_bug.cgi?id=197052
3760         <rdar://problem/50009602>
3761
3762         Reviewed by Yusuke Suzuki.
3763
3764         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3765
3766 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3767
3768         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3769         https://bugs.webkit.org/show_bug.cgi?id=197405
3770
3771         Reviewed by Saam Barati.
3772
3773         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3774         (foo):
3775         (test):
3776         (i.o.get f):
3777         (i.o.set f):
3778
3779 2019-05-01  Michael Saboff  <msaboff@apple.com>
3780
3781         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3782         https://bugs.webkit.org/show_bug.cgi?id=197485
3783
3784         Reviewed by Saam Barati.
3785
3786         New test.
3787
3788         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3789         (foo):
3790
3791 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3792
3793         Unreviewed correction to Test262 expectations following r244828.
3794
3795         * test262/expectations.yaml:
3796
3797 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3798
3799         Add memory-limited skipping to some tests generating very large strings
3800         https://bugs.webkit.org/show_bug.cgi?id=197437
3801
3802         Reviewed by Ross Kirsling.
3803
3804         * stress/StringObject-define-length-getter-rope-string-oom.js:
3805         * stress/create-error-out-of-memory-rope-string.js:
3806         * stress/string-16bit-repeat-overflow.js:
3807
3808 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3809
3810         Unreviewed, rolling out r244806.
3811         https://bugs.webkit.org/show_bug.cgi?id=197446
3812
3813         Causing Test262 and JSC test failures on multiple builds
3814         (Requested by ShawnRoberts on #webkit).
3815
3816         Reverted changeset:
3817
3818         "TypeArrays should not store properties that are canonical
3819         numeric indices"
3820         https://bugs.webkit.org/show_bug.cgi?id=197228
3821         https://trac.webkit.org/changeset/244806
3822
3823 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3824
3825         TypeArrays should not store properties that are canonical numeric indices
3826         https://bugs.webkit.org/show_bug.cgi?id=197228
3827         <rdar://problem/49557381>
3828
3829         Reviewed by Darin Adler.
3830
3831         * stress/typed-array-canonical-numeric-index-string.js: Added.
3832         (makeTest.assert):
3833         (makeTest):
3834         (const.testInvalidIndices.makeTest.set assert):
3835         (const.testInvalidIndices.makeTest):
3836         (const.testValidIndices.makeTest.set assert):
3837         (const.testValidIndices.makeTest):
3838
3839 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3840
3841         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3842         https://bugs.webkit.org/show_bug.cgi?id=197362
3843
3844         Reviewed by Saam Barati.
3845
3846         * stress/map-with-nan.js: Added.
3847         (shouldBe):
3848         (div):
3849         (NaN1):
3850         (NaN2):
3851         (NaN3):
3852         (NaN4):
3853         (NaN1NoInline):
3854         (NaN2NoInline):
3855         (NaN3NoInline):
3856         (NaN4NoInline):
3857         (test1):
3858         (test2):
3859         (test3):
3860         (test4):
3861         * stress/set-with-nan.js: Added.
3862         (shouldBe):
3863         (div):
3864         (NaN1):
3865         (NaN2):
3866         (NaN3):
3867         (NaN4):
3868         (NaN1NoInline):
3869         (NaN2NoInline):
3870         (NaN3NoInline):
3871         (NaN4NoInline):
3872         (test2):
3873         (test4):
3874
3875 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3876
3877         Unreviewed, rolling out r244708.
3878         https://bugs.webkit.org/show_bug.cgi?id=197334
3879
3880         "Broke the debug build" (Requested by rmorisset on #webkit).
3881
3882         Reverted changeset:
3883
3884         "All prototypes should call didBecomePrototype()"
3885         https://bugs.webkit.org/show_bug.cgi?id=196315
3886         https://trac.webkit.org/changeset/244708
3887
3888 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3889
3890         [JSC] linkPolymorphicCall now does GC
3891         https://bugs.webkit.org/show_bug.cgi?id=197306
3892
3893         Reviewed by Saam Barati.
3894
3895         * stress/link-polymorphic-call-can-gc.js: Added.
3896         (module):
3897         (instance):
3898
3899 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3900
3901         All prototypes should call didBecomePrototype()
3902         https://bugs.webkit.org/show_bug.cgi?id=196315
3903
3904         Reviewed by Saam Barati.
3905
3906         * stress/function-prototype-indexed-accessor.js: Added.
3907
3908 2019-04-23  Saam Barati  <sbarati@apple.com>
3909
3910         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3911         https://bugs.webkit.org/show_bug.cgi?id=196721
3912         <rdar://problem/49556479> 
3913
3914         Reviewed by Filip Pizlo.
3915
3916         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3917         (foo):
3918
3919 2019-04-19  Saam Barati  <sbarati@apple.com>
3920
3921         AbstractValue can represent more than int52
3922         https://bugs.webkit.org/show_bug.cgi?id=197118
3923         <rdar://problem/49969960>
3924
3925         Reviewed by Michael Saboff.
3926
3927         * stress/abstract-value-can-include-int52.js: Added.
3928         (foo):
3929         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3930
3931 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3932
3933         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3934         https://bugs.webkit.org/show_bug.cgi?id=197053
3935
3936         Reviewed by Saam Barati.
3937
3938         * stress/merge-string-builder-in-dfg.js: Added.
3939         (foo):
3940
3941 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3942
3943         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3944         https://bugs.webkit.org/show_bug.cgi?id=176810
3945
3946         Reviewed by Saam Barati.
3947
3948         Add tests for the DontEnum filtering, and variations of other tests
3949         take the DontEnum-filtering path.
3950
3951         * stress/proxy-own-keys.js:
3952         (i.catch):
3953         (set assert):
3954         (set add):
3955         (let.set new):
3956         (get let):
3957
3958 2019-04-15  Saam barati  <sbarati@apple.com>
3959
3960         Modify how we do SetArgument when we inline varargs calls
3961         https://bugs.webkit.org/show_bug.cgi?id=196712
3962         <rdar://problem/49605012>
3963
3964         Reviewed by Michael Saboff.
3965
3966         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3967         (foo):
3968
3969 2019-04-15  Saam barati  <sbarati@apple.com>
3970
3971         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3972         https://bugs.webkit.org/show_bug.cgi?id=196945
3973         <rdar://problem/49802750>
3974
3975         Reviewed by Filip Pizlo.
3976
3977         * stress/get-by-offset-should-use-correct-child.js: Added.
3978         (foo.bar):
3979         (foo):
3980
3981 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3982
3983         DFG should be able to constant fold Object.create() with a constant prototype operand
3984         https://bugs.webkit.org/show_bug.cgi?id=196886
3985
3986         Reviewed by Yusuke Suzuki.
3987
3988         Note that this new benchmark does not currently see a speedup with inlining removed.
3989         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3990
3991         * microbenchmarks/object-create-constant-prototype.js: Added.
3992         (test):
3993
3994 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3995
3996         Incremental bytecode cache should not append function updates when loaded from memory
3997         https://bugs.webkit.org/show_bug.cgi?id=196865
3998
3999         Reviewed by Filip Pizlo.
4000
4001         * stress/bytecode-cache-shared-code-block.js: Added.
4002         (b):
4003         (program):
4004
4005 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
4006
4007         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
4008         https://bugs.webkit.org/show_bug.cgi?id=196880
4009
4010         Reviewed by Yusuke Suzuki.
4011
4012         * stress/bytecode-cache-syntax-error.js: Added.
4013         (catch):
4014
4015 2019-04-12  Saam barati  <sbarati@apple.com>
4016
4017         r244079 logically broke shouldSpeculateInt52
4018         https://bugs.webkit.org/show_bug.cgi?id=196884
4019
4020         Reviewed by Yusuke Suzuki.
4021
4022         * microbenchmarks/int52-rand-function.js: Added.
4023         (Math.random):
4024
4025 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
4026
4027         [JSC] op_has_indexed_property should not assume subscript part is Uint32
4028         https://bugs.webkit.org/show_bug.cgi?id=196850
4029
4030         Reviewed by Saam Barati.
4031
4032         * stress/has-indexed-property-should-accept-non-int32.js: Added.
4033         (foo):
4034
4035 2019-04-11  Saam barati  <sbarati@apple.com>
4036
4037         Remove invalid assertion in operationInstanceOfCustom
4038         https://bugs.webkit.org/show_bug.cgi?id=196842
4039         <rdar://problem/49725493>
4040
4041         Reviewed by Michael Saboff.
4042
4043         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
4044
4045 2019-04-10  Saam Barati  <sbarati@apple.com>
4046
4047         AbstractValue::validateOSREntryValue is wrong for Int52 constants
4048         https://bugs.webkit.org/show_bug.cgi?id=196801
4049         <rdar://problem/49771122>
4050
4051         Reviewed by Yusuke Suzuki.
4052
4053         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
4054
4055 2019-04-10  Robin Morisset  <rmorisset@apple.com>
4056
4057         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
4058         https://bugs.webkit.org/show_bug.cgi?id=196746
4059
4060         Reviewed by Yusuke Suzuki.
4061
4062         * stress/cyclic-define-properties.js: Added.
4063         (foo):
4064
4065 2019-04-09  Saam barati  <sbarati@apple.com>
4066
4067         Clean up Int52 code and some bugs in it
4068         https://bugs.webkit.org/show_bug.cgi?id=196639
4069         <rdar://problem/49515757>
4070
4071         Reviewed by Yusuke Suzuki.
4072
4073         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
4074
4075 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
4076
4077         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
4078         https://bugs.webkit.org/show_bug.cgi?id=196708
4079         <rdar://problem/49556803>
4080
4081         Reviewed by Yusuke Suzuki.
4082
4083         * stress/proxy-getter-stack-overflow.js: Added.
4084         (const.handler.get target):
4085         (const.handler.has):
4086         (try.with):
4087         (catch):
4088
4089 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4090
4091         [JSC] DFG should respect node's strict flag
4092         https://bugs.webkit.org/show_bug.cgi?id=196617
4093
4094         Reviewed by Saam Barati.
4095
4096         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
4097         (shouldEqual):
4098         (makeUnwriteableUnconfigurableObject):
4099         (runTest):
4100         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
4101         (shouldBe):
4102         (shouldThrow):
4103         (with.result):
4104         (with.putValueStrict):
4105         (with.putValueSloppy):
4106
4107 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4108
4109         [JSC] isRope jump in StringSlice should not jump over register allocations
4110         https://bugs.webkit.org/show_bug.cgi?id=196716
4111
4112         Reviewed by Saam Barati.
4113
4114         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
4115         (foo.bar):
4116         (foo):
4117
4118 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4119
4120         [JSC] to_index_string should not assume incoming value is Uint32
4121         https://bugs.webkit.org/show_bug.cgi?id=196713
4122
4123         Reviewed by Saam Barati.
4124
4125         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
4126         (foo):
4127
4128 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4129
4130         [JSC] Add more tests for r243966
4131         https://bugs.webkit.org/show_bug.cgi?id=196711
4132
4133         Reviewed by Saam Barati.
4134
4135         Adding one more test for r243966 fix. The added test will not crash after r243966.
4136
4137         * stress/stress-cleared-calllinkinfo.js: Added.
4138         (runNearStackLimit.t):
4139         (runNearStackLimit):
4140         (repeat):
4141         (cls):
4142         (let.item.of.array.runNearStackLimit):
4143
4144 2019-04-08  Saam Barati  <sbarati@apple.com>
4145
4146         WebAssembly.RuntimeError missing exception check
4147         https://bugs.webkit.org/show_bug.cgi?id=196700
4148         <rdar://problem/49693932>
4149
4150         Reviewed by Yusuke Suzuki.
4151
4152         * wasm/js-api/runtime-error-should-exception-check.js: Added.
4153
4154 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4155
4156         Unreviewed, rolling in r243948 with test fix
4157         https://bugs.webkit.org/show_bug.cgi?id=196486
4158
4159         * stress/arrow-function-and-use-strict-directive.js: Added.
4160         * stress/arrow-function-syntax.js: Added.
4161         (checkSyntax):
4162         (checkSyntaxError):
4163
4164 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4165
4166         Unreviewed, rolling out r243948.
4167
4168         Caused inspector/runtime/parse.html to fail
4169
4170         Reverted changeset:
4171
4172         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
4173         https://bugs.webkit.org/show_bug.cgi?id=196486
4174         https://trac.webkit.org/changeset/243948
4175
4176 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4177
4178         Unreviewed, rolling out r243943.
4179
4180         Caused test262 failures.
4181
4182         Reverted changeset:
4183
4184         "[JSC] Filter DontEnum properties in
4185         ProxyObject::getOwnPropertyNames()"
4186         https://bugs.webkit.org/show_bug.cgi?id=176810
4187         https://trac.webkit.org/changeset/243943
4188
4189 2019-04-07  Michael Saboff  <msaboff@apple.com>
4190
4191         REGRESSION (r243642): Crash in reddit.com page
4192         https://bugs.webkit.org/show_bug.cgi?id=196684
4193
4194         Reviewed by Geoffrey Garen.
4195
4196         New regression test.
4197
4198         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
4199
4200 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
4201
4202         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
4203         https://bugs.webkit.org/show_bug.cgi?id=196683
4204
4205         Reviewed by Saam Barati.
4206
4207         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
4208         (foo):
4209
4210 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4211
4212         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
4213         https://bugs.webkit.org/show_bug.cgi?id=196582
4214
4215         Reviewed by Saam Barati.
4216
4217         * stress/add-overflow-check-with-three-same-registers.js: Added.
4218         (foo):
4219         (Number.prototype.valueOf):
4220         (runWithNumber):
4221
4222 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
4223
4224         Unreviewed, rolling out r243665.
4225
4226         Caused iOS JSC tests to exit with an exception.
4227
4228         Reverted changeset:
4229
4230         "Assertion failed in JSC::createError"
4231         https://bugs.webkit.org/show_bug.cgi?id=196305
4232         https://trac.webkit.org/changeset/243665
4233
4234 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4235
4236         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
4237         https://bugs.webkit.org/show_bug.cgi?id=196486
4238
4239         Reviewed by Saam Barati.
4240
4241         * stress/arrow-function-and-use-strict-directive.js: Added.
4242         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
4243         (checkSyntax):
4244         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
4245
4246 2019-04-05  Caitlin Potter  <caitp@igalia.com>
4247
4248         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
4249         https://bugs.webkit.org/show_bug.cgi?id=176810
4250
4251         Reviewed by Saam Barati.
4252
4253         Add tests for the DontEnum filtering, and variations of other tests
4254         take the DontEnum-filtering path.
4255
4256         * stress/proxy-own-keys.js:
4257         (i.catch):
4258         (set assert):
4259         (set add):
4260         (let.set new):
4261         (get let):
4262
4263 2019-04-05  Caitlin Potter  <caitp@igalia.com>
4264
4265         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
4266         https://bugs.webkit.org/show_bug.cgi?id=185211
4267
4268         Reviewed by Saam Barati.
4269
4270         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
4271
4272         This changes several assertions to expect a TypeError to be thrown (in some cases,
4273         changing thee expected message).
4274
4275         * es6/Proxy_ownKeys_duplicates.js:
4276         (handler):
4277         (shouldThrow):
4278         (test):
4279         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
4280         (shouldThrow):
4281         * stress/proxy-own-keys.js:
4282         (i.catch):
4283         (assert):
4284
4285 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
4286
4287         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
4288         https://bugs.webkit.org/show_bug.cgi?id=196631
4289
4290         Reviewed by Saam Barati.
4291
4292         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
4293         (assert):
4294         (test):
4295         (foo):
4296
4297 2019-04-04  Saam Barati  <sbarati@apple.com>
4298
4299         Unreviewed. Make the test from r243906 catch the thrown exceptions.
4300
4301         * stress/inferred-types-regex-matches-array.js:
4302
4303 2019-04-04  Saam Barati  <sbarati@apple.com>
4304
4305         createRegExpMatchesArray does not respect inferred types
4306         https://bugs.webkit.org/show_bug.cgi?id=193287
4307
4308         Reviewed by Yusuke Suzuki.
4309
4310         This checks in the test case for 193287. This issue was discovered by
4311         Samuel Groß of Google Project Zero.
4312
4313         * stress/inferred-types-regex-matches-array.js: Added.
4314
4315 2019-04-04  Saam barati  <sbarati@apple.com>
4316
4317         Teach Call ICs how to call Wasm
4318         https://bugs.webkit.org/show_bug.cgi?id=196387
4319
4320         Reviewed by Filip Pizlo.
4321
4322         * wasm/function-tests/stack-trace.js:
4323
4324 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
4325
4326         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
4327         https://bugs.webkit.org/show_bug.cgi?id=194944
4328
4329         Reviewed by Keith Miller.
4330
4331         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
4332
4333 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
4334
4335         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
4336         https://bugs.webkit.org/show_bug.cgi?id=196409
4337
4338         Reviewed by Saam Barati.
4339
4340         * stress/bytecode-cache-cached-string-impl.js: Added.
4341         (f):
4342         (g):
4343         * stress/bytecode-cache-run-string.js: Added.
4344
4345 2019-04-03  Robin Morisset  <rmorisset@apple.com>
4346
4347         B3 should use associativity to optimize expression trees
4348         https://bugs.webkit.org/show_bug.cgi?id=194081
4349
4350         Reviewed by Filip Pizlo.
4351
4352         Added three microbenchmarks:
4353         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
4354         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
4355           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
4356         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
4357
4358         * microbenchmarks/add-tree.js: Added.
4359         * microbenchmarks/bit-or-tree.js: Added.
4360         * microbenchmarks/bit-xor-tree.js: Added.
4361
4362 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
4363
4364         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
4365         https://bugs.webkit.org/show_bug.cgi?id=196574
4366
4367         Reviewed by Saam Barati.
4368
4369         * stress/string-index-of-exception-check.js: Added.
4370         (blurType):
4371         (1.forEach):
4372
4373 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
4374
4375         Assertion failed in JSC::createError
4376         https://bugs.webkit.org/show_bug.cgi?id=196305
4377         <rdar://problem/49387382>
4378
4379         Reviewed by Saam Barati.
4380
4381         * stress/create-error-out-of-memory-rope-string-2.js: Added.
4382         (assert):
4383         (catch):
4384
4385 2019-03-28  Saam Barati  <sbarati@apple.com>
4386
4387         BackwardsGraph needs to consider back edges as the backward's root successor
4388         https://bugs.webkit.org/show_bug.cgi?id=195991
4389
4390         Reviewed by Filip Pizlo.
4391
4392         * stress/map-b3-licm-infinite-loop.js: Added.
4393
4394 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
4395
4396         CodeBlock::jettison() should disallow repatching its own calls
4397         https://bugs.webkit.org/show_bug.cgi?id=196359
4398         <rdar://problem/48973663>
4399
4400         Reviewed by Saam Barati.
4401
4402         * stress/call-link-info-osrexit-repatch.js: Added.
4403         (foo):
4404
4405 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
4406
4407         [JSC] imports-oom.js intermittently fails
4408         https://bugs.webkit.org/show_bug.cgi?id=196373
4409
4410         Reviewed by Saam Barati.
4411
4412         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points