[WebKit-https.git] / JSTests / ChangeLog
1 2019-10-21  Robin Morisset  <rmorisset@apple.com>
2
3         Throw the right exception upon memory exhaustion in Array::slice
4         https://bugs.webkit.org/show_bug.cgi?id=202650
5
6         Reviewed by Saam Barati.
7
8         * stress/array-slice-memory-exhaustion.js: Added.
9         (foo):
10
11 2019-10-21  Robin Morisset  <rmorisset@apple.com>
12
13         Post increment/decrement should only call ToNumber once
14         https://bugs.webkit.org/show_bug.cgi?id=202711
15
16         Reviewed by Saam Barati.
17
18         * stress/postinc-custom-valueOf.js: Added.
19         (postInc):
20         (postDec):
21
22 2019-10-18  Yusuke Suzuki  <ysuzuki@apple.com>
23
24         [JSC] DFG::CommonData modification by DFG reallyAdd should be guarded by CodeBlock's lock
25         https://bugs.webkit.org/show_bug.cgi?id=203177
26
27         Reviewed by Mark Lam.
28
29         * stress/dfg-really-add-locking.js: Added.
30
31 2019-10-17  Mark Lam  <mark.lam@apple.com>
32
33         Add missing checks after calls to the sameValue() JSValue comparator.
34         https://bugs.webkit.org/show_bug.cgi?id=203126
35         <rdar://problem/56366561>
36
37         Reviewed by Saam Barati.
38
39         * stress/validate-exception-check-in-proxy-object-put.js: Added.
40
41 2019-10-17  Saam Barati  <sbarati@apple.com>
42
43         GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
44         https://bugs.webkit.org/show_bug.cgi?id=203124
45         <rdar://problem/55988183>
46
47         Reviewed by Yusuke Suzuki.
48
49         * stress/licm-array-storage-get-and-put-by-val.js: Added.
50         (assert):
51         (foo):
52
53 2019-10-16  Keith Miller  <keith_miller@apple.com>
54
55         Move assert in Wasm::Plan::fail.
56         https://bugs.webkit.org/show_bug.cgi?id=203052
57
58         Reviewed by Mark Lam.
59
60         * wasm/regress/wasm-plan-fail-bad-error-message-assert.js: Added.
61         (Binary):
62         (Binary.prototype.trunc_buffer):
63         (Binary.prototype.emit_leb_u):
64         (Binary.prototype.emit_u32v):
65         (Binary.prototype.emit_bytes):
66         (Binary.prototype.emit_header):
67         (__f_576):
68         (__f_587):
69
70 2019-10-15  Mark Lam  <mark.lam@apple.com>
71
72         operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.
73         https://bugs.webkit.org/show_bug.cgi?id=202312
74         <rdar://problem/55782280>
75
76         Reviewed by Yusuke Suzuki.
77
78         * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings.js: Added.
79         * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings2.js: Added.
80         * stress/switch-on-char-llint-rope.js:
81         - Changed this test to make a new rope string for each iteration.  Otherwise,
82           the rope will get resolved, and subsequent tiers will not be testing with a rope.
83
84 2019-10-14  Yusuke Suzuki  <ysuzuki@apple.com>
85
86         [JSC] GetterSetter should be JSCell, not JSObject
87         https://bugs.webkit.org/show_bug.cgi?id=202656
88
89         Reviewed by Tadeu Zagallo and Saam Barati.
90
91         * stress/getter-setter-should-be-cell.js: Added.
92         (foo.with.):
93         (foo.with.get for):
94         (foo.with.bar):
95         (foo):
96
97 2019-10-14  Saam Barati  <sbarati@apple.com>
98
99         Canonicalize how we prepare the prototype chain for inline caching
100         https://bugs.webkit.org/show_bug.cgi?id=202827
101         <rdar://problem/56193919>
102
103         Reviewed by Yusuke Suzuki.
104
105         * stress/cache-correct-offset-after-flattening.js: Added.
106         (assert):
107
108 2019-10-14  Paulo Matos  <pmatos@igalia.com>
109
110         Skip memcpy-typed-loop timing out on ARMv7 pending investigation
111         https://bugs.webkit.org/show_bug.cgi?id=202923
112
113         Reviewed by Adrian Perez de Castro.
114
115         * microbenchmarks/memcpy-typed-loop.js:
116
117 2019-10-11  Keith Miller  <keith_miller@apple.com>
118
119         Wasm B3IRGenerator should use arguments for control data.
120         https://bugs.webkit.org/show_bug.cgi?id=202855
121
122         Reviewed by Yusuke Suzuki.
123
124         * wasm/stress/loop-more-args-than-results.js: Added.
125
126 2019-10-10  Mark Lam  <mark.lam@apple.com>
127
128         Modify JSTests/stress/string-overflow-createError-*.js tests to allow an OOME result.
129         https://bugs.webkit.org/show_bug.cgi?id=202828
130
131         Reviewed by Yusuke Suzuki.
132
133         The tests intentionally allocate a very large string.  Hence, for some memory
134         limited configurations, it is perfectly reasonable for the test to throw an Out
135         Of Memory error.
136
137         * stress/string-overflow-createError-builder.js:
138         * stress/string-overflow-createError-fit.js:
139
140 2019-10-09  Yusuke Suzuki  <ysuzuki@apple.com>
141
142         Unreviewed, roll out r250878
143         https://bugs.webkit.org/show_bug.cgi?id=202656
144
145         Breaking vimeo page.
146
147         * stress/getter-setter-should-be-cell.js: Removed.
148
149 2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>
150
151         [JSC] GetterSetter should be JSCell, not JSObject
152         https://bugs.webkit.org/show_bug.cgi?id=202656
153
154         Reviewed by Tadeu Zagallo and Saam Barati.
155
156         * stress/getter-setter-should-be-cell.js: Added.
157         (foo.with.):
158         (foo.with.get for):
159         (foo.with.bar):
160         (foo):
161
162 2019-10-08  Alexey Shvayka  <shvaikalesh@gmail.com>
163
164         JSON.parse incorrectly handles array proxies
165         https://bugs.webkit.org/show_bug.cgi?id=199292
166
167         Reviewed by Saam Barati.
168
169         * microbenchmarks/json-parse-array-reviver-same-value.js: Added.
170         * microbenchmarks/json-parse-array-reviver.js: Added.
171         * microbenchmarks/json-parse-object-reviver-same-value.js: Added.
172         * microbenchmarks/json-parse-object-reviver.js: Added.
173         * stress/json-parse-reviver-array-proxy.js: Added.
174         * stress/json-parse-reviver-revoked-proxy.js: Added.
175         * test262/expectations.yaml: Mark 6 test cases as passing.
176
177 2019-10-08  Ross Kirsling  <ross.kirsling@sony.com>
178
179         Update test262 (2019.10.08).
180
181         Rubber-stamped by Keith Miller.
182
183         * test262/config.yaml:
184         * test262/expectations.yaml:
185         * test262/latest-changes-summary.txt:
186         * test262/test/:
187         * test262/test262-Revision.txt:
188
189 2019-10-07  Saam Barati  <sbarati@apple.com>
190
191         Allow OSR exit to the LLInt
192         https://bugs.webkit.org/show_bug.cgi?id=197993
193
194         Reviewed by Tadeu Zagallo.
195
196         * stress/exit-from-getter-by-val.js: Added.
197         * stress/exit-from-setter-by-val.js: Added.
198
199 2019-10-07  Matt Lewis  <jlewis3@apple.com>
200
201         Unreviewed, rolling out r250750.
202
203         Reverting change as this broke internal test over the weekend.
204
205         Reverted changeset:
206
207         "Allow OSR exit to the LLInt"
208         https://bugs.webkit.org/show_bug.cgi?id=197993
209         https://trac.webkit.org/changeset/250750
210
211 2019-10-04  Saam Barati  <sbarati@apple.com>
212
213         Allow OSR exit to the LLInt
214         https://bugs.webkit.org/show_bug.cgi?id=197993
215
216         Reviewed by Tadeu Zagallo.
217
218         * stress/exit-from-getter-by-val.js: Added.
219         * stress/exit-from-setter-by-val.js: Added.
220
221 2019-10-04  Paulo Matos  <pmatos@igalia.com>
222
223         Revert regexp test skip on armv7l and mips
224         https://bugs.webkit.org/show_bug.cgi?id=202310
225
226         Reviewed by Žan Doberšek.
227
228         Test was skipped in bug 202113 on armv7l and mips due to bug 202041.
229         Bug 202041 is fixed and change of bug 202113 can be reverted.
230
231         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
232
233 2019-10-02  Mark Lam  <mark.lam@apple.com>
234
235         DoubleToStringConverter::ToExponential() should null terminate its string.
236         https://bugs.webkit.org/show_bug.cgi?id=202492
237         <rdar://problem/55907708>
238
239         Reviewed by Filip Pizlo.
240
241         * stress/dtoa-AddSubstring-should-uses-strnlen-in-assertion.js: Added.
242
243 2019-10-02  Yusuke Suzuki  <ysuzuki@apple.com>
244
245         [JSC] AsyncGenerator should have internal fields
246         https://bugs.webkit.org/show_bug.cgi?id=201498
247
248         Reviewed by Saam Barati.
249
250         * stress/async-generator-construct-failure.js: Added.
251         (shouldThrow):
252         (async.gen):
253         (TypeError):
254         * stress/async-generator-prototype-change.js: Added.
255         (shouldBe):
256         (async.gen):
257         * stress/async-generator-prototype-closure.js: Added.
258         (shouldBe):
259         (test.async.gen):
260         (test):
261         * stress/create-async-generator.js: Added.
262         (shouldBe):
263         (test.async.generator):
264         (test):
265
266 2019-10-01  Saam Barati  <sbarati@apple.com>
267
268         ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
269         https://bugs.webkit.org/show_bug.cgi?id=199361
270         <rdar://problem/52454940>
271
272         Reviewed by Yusuke Suzuki.
273
274         * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
275         (main.fn):
276         (main.executor):
277         (main):
278         * stress/allocation-sinking-hints-are-valid-ssa.js: Added.
279         (main.fn):
280         (main.executor):
281         (main):
282
283 2019-10-01  Keith Miller  <keith_miller@apple.com>
284
285         skip test until we figure out why it's timing out
286         https://bugs.webkit.org/show_bug.cgi?id=202423
287
288         Reviewed by Mark Lam.
289
290         new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
291         Let's skip it until we figure out what's going on.
292
293         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
294
295 2019-10-01  Keith Miller  <keith_miller@apple.com>
296
297         Mark toctou test as skipped on debug builds
298         https://bugs.webkit.org/show_bug.cgi?id=202420
299
300         Reviewed by Saam Barati.
301
302         Keeps timing out... Let's just skip it.
303
304         * stress/toctou-having-a-bad-time-new-array.js:
305
306 2019-10-01  Keith Miller  <keith_miller@apple.com>
307
308         Test262 update
309
310         Rubber-stamped by Michael Saboff.
311
312         Note, this was too big to effectively put on bugzilla as it's a 10MB patch...
313
314         * test262/*:
315
316 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
317
318         [YARR] Properly handle surrogates when matching back references
319         https://bugs.webkit.org/show_bug.cgi?id=202041
320
321         Reviewed by Keith Miller.
322
323         Unchanged from the work in progress patch posted by Paulo Matos <pmatos@igalia.com>.
324
325         Updated test.
326
327         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
328         (testRegExpNotMatch):
329
330 2019-10-01  Keith Miller  <keith_miller@apple.com>
331
332         Add support for the Wasm multi-value proposal
333         https://bugs.webkit.org/show_bug.cgi?id=202250
334
335         Reviewed by Saam Barati.
336
337         This patch adds a new way to run stress tests via the .wat text
338         format. By attaching an asm.js compiled version of the wabt tool
339         we can easily create wat files programmatically and convert them
340         into a wasm blob to compile. To make this easy there is a
341         wabt-wrapper.js module file that exports two useful functions that
342         correspond to WebAssembly.compile and WebAssembly.instantiate.
343
344         * wasm.yaml:
345         * wasm/function-tests/if-no-else-non-void.js:
346         * wasm/js-api/web-assembly-instantiate.js:
347         (assert.asyncTest.async.test):
348         (assert.asyncTest):
349         * wasm/libwabt.js: Added.
350         (WabtModule):
351         (set get if):
352         * wasm/references/func_ref.js:
353         * wasm/references/validation.js:
354         (assert.throws):
355         * wasm/spec-harness/index.js:
356         * wasm/spec-tests/block.wast.js:
357         * wasm/spec-tests/br.wast.js:
358         * wasm/spec-tests/br_if.wast.js:
359         * wasm/spec-tests/call.wast.js:
360         * wasm/spec-tests/call_indirect.wast.js:
361         * wasm/spec-tests/func.wast.js:
362         * wasm/spec-tests/if.wast.js:
363         * wasm/spec-tests/loop.wast.js:
364         * wasm/spec-tests/type.wast.js:
365         * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
366         (buildWat):
367         * wasm/stress/js-wasm-js-varying-arities.js: Added.
368         (paramForwarder):
369         * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
370         (buildWat):
371         * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
372         (buildWat.throwError):
373         (buildWat.throwErrorInIterator):
374         (buildWat.tooManyValues):
375         (buildWat.tooFewValues):
376         (buildWat):
377         * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
378         (buildWat):
379         * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
380         (buildWat):
381         * wasm/wabt-wrapper.js: Added.
382         (export.compile):
383         * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
384         * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
385         * wasm/wast-tests/harness.js:
386         (async.runWasmFile):
387         * wasm/wast-tests/single-param-loop-signature.wasm: Added.
388         * wasm/wast-tests/single-param-loop-signature.wast: Added.
389
390 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
391
392         Make assertion in JSObject::putOwnDataProperty more precise
393         https://bugs.webkit.org/show_bug.cgi?id=202379
394         <rdar://problem/49515980>
395
396         Reviewed by Yusuke Suzuki.
397
398         * stress/object-assign-target-proto-setter.js: Added.
399         (get Object):
400
401 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
402
403         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
404         https://bugs.webkit.org/show_bug.cgi?id=202389
405         <rdar://problem/50717564>
406
407         Reviewed by Mark Lam.
408
409         * stress/heap-analyzer-taking-lock.js: Added.
410
411 2019-09-30  Saam Barati  <sbarati@apple.com>
412
413         Inline caching is wrong for custom accessors and custom values
414         https://bugs.webkit.org/show_bug.cgi?id=201994
415         <rdar://problem/50850326>
416
417         Reviewed by Yusuke Suzuki.
418
419         * microbenchmarks/custom-accessor-materialized.js: Added.
420         (assert):
421         (test4.get const):
422         * microbenchmarks/custom-accessor-thin-air.js: Added.
423         (assert):
424         (test5.get const):
425         (test5.get proto):
426         * microbenchmarks/custom-accessor.js: Added.
427         (assert):
428         (test3.get const):
429         * microbenchmarks/custom-value-2.js: Added.
430         (assert):
431         (test1.getMultiline):
432         (test1):
433         * microbenchmarks/custom-value.js: Added.
434         (assert):
435         (test1.getMultiline):
436         (test1):
437         * stress/custom-accessor-delete-1.js: Added.
438         (assert):
439         (test3.get const):
440         * stress/custom-accessor-delete-2.js: Added.
441         (assert):
442         (test4.get const):
443         * stress/custom-accessor-delete-3.js: Added.
444         (assert):
445         (test5.get const):
446         (test5.get proto):
447         * stress/custom-value-delete-property-1.js: Added.
448         (assert):
449         (test1.getMultiline):
450         (test1):
451         * stress/custom-value-delete-property-2.js: Added.
452         (test2.foo):
453         (test2):
454         * stress/custom-value-delete-property-3.js: Added.
455         (test6.foo):
456         (test6):
457
458 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
459
460         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
461         https://bugs.webkit.org/show_bug.cgi?id=202382
462         <rdar://problem/52669112>
463
464         Reviewed by Saam Barati.
465
466         * stress/compare-eq-bool-number-folding.js: Added.
467         (test):
468
469 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
470
471         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
472         https://bugs.webkit.org/show_bug.cgi?id=202330
473
474         Reviewed by Saam Barati.
475
476         * stress/to-lower-case-gc-stress.js: Added.
477
478 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
479
480         Non-standard Error properties should not be enumerable
481         https://bugs.webkit.org/show_bug.cgi?id=198975
482
483         Reviewed by Ross Kirsling.
484
485         * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
486         * microbenchmarks/let-for-in.js: Adjust test.
487         * test262/expectations.yaml: Mark 6 test cases as passing.
488
489 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
490
491         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
492         https://bugs.webkit.org/show_bug.cgi?id=202299
493         <rdar://problem/52669116>
494
495         Reviewed by Saam Barati.
496
497         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
498         (foo):
499         (test):
500         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
501         (foo):
502         (C1.prototype.baz):
503         (C1):
504         (bar):
505         (noInline.bar.goo):
506         (C2.prototype.baz):
507         (C2):
508         (test):
509
510 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
511
512         toExponential, toFixed, and toPrecision should allow arguments up to 100
513         https://bugs.webkit.org/show_bug.cgi?id=199163
514
515         Reviewed by Ross Kirsling.
516
517         * ChakraCore/test/Number/toString_3.baseline-jsc:
518         * ChakraCore/test/es5/exceptions3.baseline-jsc:
519         * test262/expectations.yaml: Mark 6 test cases as passing.
520
521 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
522
523         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the result of the trap is undefined
524         https://bugs.webkit.org/show_bug.cgi?id=154376
525
526         Reviewed by Ross Kirsling.
527
528         Adds 2 test cases:
529         1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
530         2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
531
532         * stress/proxy-get-own-property.js:
533
534 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
535
536         [BigInt] Add ValueBitRShift into DFG
537         https://bugs.webkit.org/show_bug.cgi?id=192663
538
539         Reviewed by Robin Morisset.
540
541         * stress/big-int-right-shift-jit-osr.js: Added.
542         * stress/big-int-right-shift-jit-untyped.js: Added.
543         * stress/big-int-right-shift-jit.js: Added.
544         * stress/value-rshift-ai-rule.js: Added.
545
546 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
547
548         Array methods should throw TypeError upon attempting to modify a string
549         https://bugs.webkit.org/show_bug.cgi?id=201910
550
551         Reviewed by Keith Miller.
552
553         * stress/array-methods-should-not-modify-string.js: Added.
554
555         * mozilla/js1_6/Array/regress-304828.js:
556         Fix test. Original copy was changed similarly seven years ago:
557         https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
558
559         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
560         Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
561
562 2019-09-23  Mark Lam  <mark.lam@apple.com>
563
564         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
565         https://bugs.webkit.org/show_bug.cgi?id=202122
566         <rdar://problem/55535249>
567
568         Reviewed by Yusuke Suzuki.
569
570         * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
571
572 2019-09-23  Caio Lima  <ticaiolima@gmail.com>
573
574         Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
575         https://bugs.webkit.org/show_bug.cgi?id=202113
576
577         Unreviewed test gardening, skipped test in ARMv7 and MIPS.
578
579         It is going to be fixed in
580         https://bugs.webkit.org/show_bug.cgi?id=202041
581
582         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
583
584 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
585
586         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
587         https://bugs.webkit.org/show_bug.cgi?id=202072
588
589         Reviewed by Mark Lam.
590
591         * stress/int52rep-with-double-checks-int52-range.js: Added.
592         (shouldBe):
593         (test):
594
595 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
596
597         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
598         https://bugs.webkit.org/show_bug.cgi?id=202011
599
600         Reviewed by Mark Lam.
601
602         We are skipping this test on MIPS and ARMv7 because some of its assumptions
603         are not valid for them. The current behavior of the test on those architectures
604         is that it does not throw at the `new ArrayBuffer(1000)` allocation site,
605         because eden collection keeps happening between iterations. The collection
606         is triggered on those architectures because the amount of stress
607         `new Promise` generates into GC limits is not enough to avoid them
608         while the loop is executing.
609
610         Changing the size of `UInt8Array` from `80000000` to `160000000` can
611         be an alternative fix to avoid collection happening during `ArrayBuffer`
612         allocation loop, but we can't guarantee this test is always going to execute
613         without error when Gigacage is disabled, given we can reach an OOM state in
614         some allocations that need to succeed, making this test flaky for those
615         architectures.
616
617         * stress/test-out-of-memory.js:
618
619 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
620
621         AccessCase should strongly visit its dependencies while on stack
622         https://bugs.webkit.org/show_bug.cgi?id=201986
623         <rdar://problem/55521953>
624
625         Reviewed by Saam Barati and Yusuke Suzuki.
626
627         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
628         (foo):
629         (warmup):
630
631 2019-09-20  Saam Barati  <sbarati@apple.com>
632
633         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
634
635         * stress/toctou-having-a-bad-time-new-array.js:
636
637 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
638
639         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
640         https://bugs.webkit.org/show_bug.cgi?id=202014
641
642         Reviewed by Saam Barati.
643
644         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
645         (__v0):
646
647 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
648
649         Syntax checker should report duplicate __proto__ properties
650         https://bugs.webkit.org/show_bug.cgi?id=201897
651         <rdar://problem/53201788>
652
653         Reviewed by Mark Lam.
654
655         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
656         (catch):
657
658 2019-09-18  Saam Barati  <sbarati@apple.com>
659
660         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
661         https://bugs.webkit.org/show_bug.cgi?id=201953
662         <rdar://problem/53803524>
663
664         Reviewed by Yusuke Suzuki.
665
666         * stress/toctou-having-a-bad-time-new-array.js: Added.
667         (let.code):
668
669 2019-09-18  Saam Barati  <sbarati@apple.com>
670
671         Phantom insertion phase may disagree with arguments forwarding about live ranges
672         https://bugs.webkit.org/show_bug.cgi?id=200715
673         <rdar://problem/54301717>
674
675         Reviewed by Yusuke Suzuki.
676
677         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
678         (main.v23):
679         (main.try.v43):
680         (main.):
681         (main):
682
683 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
684
685         [JSC] Generator should have internal fields
686         https://bugs.webkit.org/show_bug.cgi?id=201159
687
688         Reviewed by Keith Miller.
689
690         * stress/create-generator.js: Added.
691         (shouldBe):
692         (test.generator):
693         (test):
694         * stress/generator-construct-failure.js: Added.
695         (shouldThrow):
696         (TypeError):
697         * stress/generator-prototype-change.js: Added.
698         (shouldBe):
699         (gen):
700         * stress/generator-prototype-closure.js: Added.
701         (shouldBe):
702         (test.gen):
703         (test):
704         * stress/object-assign-fast-path.js:
705
706 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
707
708         Follow-up after String.codePointAt optimization
709         https://bugs.webkit.org/show_bug.cgi?id=201889
710
711         Reviewed by Saam Barati.
712
713         * stress/string-char-at-bad-type.js: Added.
714         (shouldBe):
715         (object.toString):
716         (test):
717         * stress/string-char-code-at-bad-type.js: Added.
718         (shouldBe):
719         (object.toString):
720         (test):
721         * stress/string-code-point-at-bad-type.js: Added.
722         (shouldBe):
723         (object.toString):
724         (test):
725
726 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
727
728         [JSC] CheckArray+NonArray is not filtering out Array in AI
729         https://bugs.webkit.org/show_bug.cgi?id=201857
730         <rdar://problem/54194820>
731
732         Reviewed by Keith Miller.
733
734         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
735         (foo):
736
737 2019-09-17  Saam Barati  <sbarati@apple.com>
738
739         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
740         https://bugs.webkit.org/show_bug.cgi?id=201853
741         <rdar://problem/53805461>
742
743         Reviewed by Yusuke Suzuki.
744
745         * stress/direct-arguments-check-array-filter-type.js: Added.
746         (foo):
747
748 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
749
750         Wasm StreamingParser should validate that number of functions matches number of declarations
751         https://bugs.webkit.org/show_bug.cgi?id=201850
752         <rdar://problem/55290186>
753
754         Reviewed by Yusuke Suzuki.
755
756         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
757         (catch):
758
759 2019-09-16  Michael Saboff  <msaboff@apple.com>
760
761         [JSC] Perform check again when we found non-BMP characters
762         https://bugs.webkit.org/show_bug.cgi?id=201647
763
764         Reviewed by Yusuke Suzuki.
765
766         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
767         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
768         (testRegExpInbounds):
769
770 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
771
772         [JSC] Add missing syntax errors for await in function parameter default expressions
773         https://bugs.webkit.org/show_bug.cgi?id=201615
774
775         Reviewed by Darin Adler.
776
777         * stress/async-await-reserved-word.js:
778         * stress/async-await-syntax.js:
779         Add test cases.
780
781         * test262/expectations.yaml:
782         Mark newly-passing test cases.
783
784 2019-09-16  Saam Barati  <sbarati@apple.com>
785
786         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
787         https://bugs.webkit.org/show_bug.cgi?id=200386
788         <rdar://problem/53854946>
789
790         Reviewed by Yusuke Suzuki.
791
792         * stress/proxy-__proto__-in-prototype-chain.js: Added.
793         * stress/proxy-property-replace-structure-transition.js: Added.
794
795 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
796
797         Date.prototype.toJSON does not execute steps 1-2
798         https://bugs.webkit.org/show_bug.cgi?id=105282
799
800         Reviewed by Ross Kirsling.
801
802         * test262/expectations.yaml: Mark 2 test cases as passing.
803
804 2019-09-12  Mark Lam  <mark.lam@apple.com>
805
806         Harden JSC against the abuse of runtime options.
807         https://bugs.webkit.org/show_bug.cgi?id=201597
808         <rdar://problem/55167068>
809
810         Reviewed by Filip Pizlo.
811
812         Remove the call to forceGCSlowPaths().  This utility function will be removed.
813         The modern way to set the required option is to use //@ requireOptions.
814
815         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
816
817 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         [JSC] Add StringCodePointAt intrinsic
820         https://bugs.webkit.org/show_bug.cgi?id=201673
821
822         Reviewed by Michael Saboff.
823
824         * stress/string-char-at-constant-index-out-of-range.js: Added.
825         (shouldBe):
826         (test):
827         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
828         (shouldBe):
829         (test):
830         * stress/string-code-point-at--out-of-range.js: Added.
831         (shouldBe):
832         (test):
833         * stress/string-code-point-at-basic.js: Added.
834         (test):
835         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
836         (shouldBe):
837         (test):
838         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
839         (shouldBe):
840         (test):
841         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
842         (shouldBe):
843         (test):
844         (breaking):
845         * stress/string-code-point-at-surrogate-pair.js: Added.
846         (shouldBe):
847         * stress/string-code-point-at.js: Added.
848         (shouldBe):
849
850 2019-09-10  Michael Saboff  <msaboff@apple.com>
851
852         JSC crashes due to stack overflow while building RegExp
853         https://bugs.webkit.org/show_bug.cgi?id=201649
854
855         Reviewed by Yusuke Suzuki.
856
857         New regression test.
858
859         * stress/regexp-bol-optimize-out-of-stack.js: Added.
860         (test):
861         (catch):
862
863 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
864
865         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
866         https://bugs.webkit.org/show_bug.cgi?id=189043
867
868         Reviewed by Keith Miller.
869
870         The offset performing the validation becomes a bit different.
871         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
872
873         * wasm/js-api/version.js:
874
875 2019-09-07  Keith Miller  <keith_miller@apple.com>
876
877         OSR entry into wasm misses some contexts
878         https://bugs.webkit.org/show_bug.cgi?id=201569
879
880         Reviewed by Yusuke Suzuki.
881
882         Add a new harness and wast and the generated wasm file for
883         testing. The idea long term is to make it easy to test by creating
884         a C file and converting it to a wast then modify that to produce a
885         test.
886
887         * wasm.yaml:
888         * wasm/wast-tests/harness.js: Added.
889         (async.runWasmFile):
890         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
891         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
892         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
893         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
894         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
895         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
896         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
897         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
898
899 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
900
901         [JSC] Promise resolve/reject functions should be created more efficiently
902         https://bugs.webkit.org/show_bug.cgi?id=201488
903
904         Reviewed by Mark Lam.
905
906         * microbenchmarks/promise-creation-many.js: Added.
907         (executor):
908
909 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
910
911         Unreviewed JSC test gardening.
912
913         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
914         This test allocates a 2GB string before it goes out and tests
915         out-of-memory exception when appending other strings to it. As such,
916         skip the test on memory-limited platforms.
917
918 2019-09-07  Mark Lam  <mark.lam@apple.com>
919
920         The jsc shell should allow disabling of the Gigacage for testing purposes.
921         https://bugs.webkit.org/show_bug.cgi?id=201579
922
923         Reviewed by Michael Saboff.
924
925         Unskip the tests now.
926
927         * stress/disable-gigacage-arrays.js:
928         * stress/disable-gigacage-strings.js:
929         * stress/disable-gigacage-typed-arrays.js:
930
931 2019-09-07  Mark Lam  <mark.lam@apple.com>
932
933         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
934
935         Not reviewed.
936
937         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
938
939         * stress/disable-gigacage-arrays.js:
940         * stress/disable-gigacage-strings.js:
941         * stress/disable-gigacage-typed-arrays.js:
942
943 2019-09-07  Mark Lam  <mark.lam@apple.com>
944
945         Gardening: speculative test fix to green bots [attempt #2].
946         https://bugs.webkit.org/show_bug.cgi?id=201529
947         <rdar://problem/53935772>
948
949         Not reviewed.
950
951         * stress/test-out-of-memory.js:
952
953 2019-09-06  Mark Lam  <mark.lam@apple.com>
954
955         Gardening: speculative test fix to green bots.
956         https://bugs.webkit.org/show_bug.cgi?id=201529
957         <rdar://problem/53935772>
958
959         Not reviewed.
960
961         * stress/test-out-of-memory.js:
962
963 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
964
965         Math.round() produces wrong result for value prior to 0.5
966         https://bugs.webkit.org/show_bug.cgi?id=185115
967
968         Reviewed by Saam Barati.
969
970         * stress/math-round-basics.js:
971         Add positive/negative test cases.
972
973         * test262/expectations.yaml:
974         Mark test passing.
975
976 2019-09-06  Mark Lam  <mark.lam@apple.com>
977
978         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
979         https://bugs.webkit.org/show_bug.cgi?id=201551
980
981         Reviewed by Tadeu Zagallo.
982
983         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
984
985         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
986         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
987
988 2019-09-06  Mark Lam  <mark.lam@apple.com>
989
990         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
991         https://bugs.webkit.org/show_bug.cgi?id=201529
992         <rdar://problem/53935772>
993
994         Reviewed by Yusuke Suzuki.
995
996         * stress/test-out-of-memory.js: Added.
997
998 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
999
1000         LazyClassStructure::setConstructor should not store the constructor to the global object
1001         https://bugs.webkit.org/show_bug.cgi?id=201484
1002         <rdar://problem/50400451>
1003
1004         Reviewed by Yusuke Suzuki.
1005
1006         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
1007
1008 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1009
1010         [JSC] Do not use FTLOutput::weakPointer directly
1011         https://bugs.webkit.org/show_bug.cgi?id=201495
1012
1013         Reviewed by Filip Pizlo.
1014
1015         * stress/create-promise-weak-pointer.js: Added.
1016         (foo):
1017
1018 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1019
1020         [JSC] Make Promise implementation faster
1021         https://bugs.webkit.org/show_bug.cgi?id=200898
1022
1023         Reviewed by Saam Barati.
1024
1025         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1026         (assert.assert.return.throws):
1027         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
1028         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
1029         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
1030         (shouldThrow):
1031         (new.Promise):
1032         (shouldThrow.Promise):
1033         * stress/create-promise-should-respect-promise-realm.js: Added.
1034         (shouldBe):
1035         (other.new.OtherPromise):
1036         (DerivedOtherPromise):
1037         (i.promise.new.DerivedOtherPromise):
1038         (createPromise):
1039         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
1040         (shouldBe):
1041         (DerivedPromise):
1042         (i.array.push.new.DerivedPromise):
1043         (promise.new.DerivedPromise):
1044         * stress/derived-promise-constructor-inlined.js: Added.
1045         (shouldBe):
1046         (DerivedPromise):
1047         (i.array.push.new.DerivedPromise):
1048         (DerivedPromise.all.array.then):
1049         * stress/derived-promise-prototype-replaced.js: Added.
1050         (shouldBe):
1051         (DerivedPromise):
1052         (i.array.push.new.DerivedPromise):
1053         (promise.new.DerivedPromise):
1054         * stress/internal-promise-constructor-not-confusing.js: Added.
1055         (shouldBe):
1056         (InternalPromise.vm.createBuiltin):
1057         (DerivedPromise):
1058         * stress/internal-promise-is-not-exposed.js: Added.
1059         (shouldBe):
1060         * stress/new-promise-should-respect-promise-realm.js: Added.
1061         (shouldBe):
1062         (other.new.OtherPromise):
1063         (createPromise):
1064         * stress/promise-cannot-be-called.js:
1065         (shouldThrow):
1066         * stress/promise-capability-fast-path.js: Added.
1067         (shouldBe):
1068         (i.array.push.new.Promise):
1069         (i.array.i.then):
1070         * stress/promise-capability-slow-path.js: Added.
1071         (shouldBe):
1072         (Promise.prototype.then):
1073         (i.array.push.new.Promise):
1074         (i.array.i.then):
1075         * stress/promise-capability-then-slow-path.js: Added.
1076         (shouldBe):
1077         (DerivedPromise):
1078         (DerivedPromise.prototype.then):
1079         (i.array.push.new.DerivedPromise):
1080         (i.array.i.then):
1081         * stress/promise-constructor-inlined.js: Added.
1082         (shouldBe):
1083         (i.array.push.new.Promise):
1084         (Promise.all.array.then):
1085         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
1086         (shouldBe):
1087         (DerivedPromise):
1088         (DerivedPromise2):
1089         (i.array.push.new.DerivedPromise):
1090         (i.array2.push.new.DerivedPromise2):
1091         * stress/without-promise-functions.js: Added.
1092         (shouldBe):
1093         (async):
1094
1095 2019-09-03  Mark Lam  <mark.lam@apple.com>
1096
1097         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
1098         https://bugs.webkit.org/show_bug.cgi?id=201309
1099         <rdar://problem/54832121>
1100
1101         Reviewed by Yusuke Suzuki.
1102
1103         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
1104
1105 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1106
1107         [JSC] Generate new.target register only when it is used
1108         https://bugs.webkit.org/show_bug.cgi?id=201335
1109
1110         Reviewed by Mark Lam.
1111
1112         * stress/ensure-new-register-allocated.js: Added.
1113         (shouldBe):
1114         (basic):
1115         (arrow):
1116         (Base):
1117         (Derived):
1118         (evaluate):
1119
1120 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1121
1122         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
1123         https://bugs.webkit.org/show_bug.cgi?id=201331
1124
1125         Reviewed by Mark Lam.
1126
1127         * stress/simple-jump-table-copy.js: Added.
1128         (let.code):
1129         (g2):
1130
1131 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1132
1133         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
1134         https://bugs.webkit.org/show_bug.cgi?id=201332
1135
1136         Reviewed by Mark Lam.
1137
1138         This test is very flaky, it is hard to reproduce.
1139
1140         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
1141         (code):
1142
1143 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1144
1145         [JSC] Repatch should construct CallCases and CasesValue at the same time
1146         https://bugs.webkit.org/show_bug.cgi?id=201325
1147
1148         Reviewed by Saam Barati.
1149
1150         * stress/repatch-switch.js: Added.
1151         (main.f2.f0):
1152         (main.f2.f3):
1153         (main.f2.f1):
1154         (main.f2):
1155         (main):
1156
1157 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1158
1159         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
1160         https://bugs.webkit.org/show_bug.cgi?id=198650
1161
1162         Reviewed by Saam Barati.
1163
1164         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
1165         (main.v0):
1166         (main):
1167
1168 2019-08-28  Mark Lam  <mark.lam@apple.com>
1169
1170         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1171         https://bugs.webkit.org/show_bug.cgi?id=201281
1172         <rdar://problem/54028228>
1173
1174         Reviewed by Yusuke Suzuki and Saam Barati.
1175
1176         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
1177
1178 2019-08-28  Mark Lam  <mark.lam@apple.com>
1179
1180         Placate exception check validation in DFG's operationHasGenericProperty().
1181         https://bugs.webkit.org/show_bug.cgi?id=201245
1182         <rdar://problem/54777512>
1183
1184         Reviewed by Robin Morisset.
1185
1186         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
1187
1188 2019-08-27  Mark Lam  <mark.lam@apple.com>
1189
1190         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
1191         https://bugs.webkit.org/show_bug.cgi?id=201196
1192         <rdar://problem/54703775>
1193
1194         Reviewed by Yusuke Suzuki.
1195
1196         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
1197
1198 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
1199
1200         [JSC] Ensure x?.y ?? z is fast
1201         https://bugs.webkit.org/show_bug.cgi?id=200875
1202
1203         Reviewed by Yusuke Suzuki.
1204
1205         * stress/nullish-coalescing.js:
1206
1207 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
1208
1209         Remove MaximalFlushInsertionPhase
1210         https://bugs.webkit.org/show_bug.cgi?id=201036
1211
1212         Reviewed by Saam Barati.
1213
1214         Remove all the references to maximal flush
1215
1216         * stress/arith-ceil-on-various-types.js:
1217         (checkCompileCountForUselessNegativeZero):
1218         * stress/arith-floor-on-various-types.js:
1219         (checkCompileCountForUselessNegativeZero):
1220         * stress/arith-negate-on-various-types.js:
1221         (checkCompileCountForUselessNegativeZero):
1222         * stress/arith-round-on-various-types.js:
1223         (checkCompileCountForUselessNegativeZero):
1224         * stress/arith-trunc-on-various-types.js:
1225         (checkCompileCountForUselessNegativeZero):
1226         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
1227         * stress/has-indexed-property-should-accept-non-int32.js:
1228         * stress/has-indexed-property-with-worsening-array-mode.js:
1229         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
1230         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
1231         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1232         * stress/rest-parameter-many-arguments.js:
1233         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
1234         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
1235         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
1236
1237 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
1238
1239         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
1240         https://bugs.webkit.org/show_bug.cgi?id=200952
1241
1242         Reviewed by Saam Barati.
1243
1244         * wasm/references/func_ref.js:
1245         (assert.throws):
1246
1247 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
1248
1249         Add missing exception check in canonicalizeLocaleList
1250         https://bugs.webkit.org/show_bug.cgi?id=201021
1251
1252         Reviewed by Mark Lam.
1253
1254         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
1255         (catch):
1256
1257 2019-08-21  Mark Lam  <mark.lam@apple.com>
1258
1259         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
1260         https://bugs.webkit.org/show_bug.cgi?id=201016
1261         <rdar://problem/54579911>
1262
1263         Reviewed by Yusuke Suzuki.
1264
1265         * wasm/stress/too-many-locals.js: Added.
1266         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
1267
1268 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
1269
1270         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
1271         https://bugs.webkit.org/show_bug.cgi?id=200965
1272
1273         Reviewed by Saam Barati.
1274
1275         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
1276         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
1277
1278         * stress/optional-chaining.js:
1279
1280 2019-08-21  Michael Saboff  <msaboff@apple.com>
1281
1282         [JSC] incorrect JIT lead to StackOverflow
1283         https://bugs.webkit.org/show_bug.cgi?id=197823
1284
1285         Reviewed by Tadeu Zagallo.
1286
1287         New test.
1288
1289         * stress/bound-function-stack-overflow.js: Added.
1290         (foo):
1291         (catch):
1292
1293 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1294
1295         Identify memcpy loops in b3
1296         https://bugs.webkit.org/show_bug.cgi?id=200181
1297
1298         Reviewed by Saam Barati.
1299
1300         * microbenchmarks/memcpy-loop.js: Added.
1301         (doTest):
1302         (let.arr1):
1303         * microbenchmarks/memcpy-typed-loop-large.js: Added.
1304         (doTest):
1305         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
1306         (arr2):
1307         * microbenchmarks/memcpy-typed-loop-small.js: Added.
1308         (doTest):
1309         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1310         (16.arr2):
1311         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
1312         (doTest):
1313         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
1314         (arr2):
1315         * microbenchmarks/memcpy-wasm-large.js: Added.
1316         (typeof.WebAssembly.string_appeared_here.eq):
1317         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1318         * microbenchmarks/memcpy-wasm-medium.js: Added.
1319         (typeof.WebAssembly.string_appeared_here.eq):
1320         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1321         * microbenchmarks/memcpy-wasm-small.js: Added.
1322         (typeof.WebAssembly.string_appeared_here.eq):
1323         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1324         * microbenchmarks/memcpy-wasm.js: Added.
1325         (typeof.WebAssembly.string_appeared_here.eq):
1326         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1327         * stress/memcpy-typed-loops.js: Added.
1328         (noLoop):
1329         (invalidStart):
1330         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1331         (arr2):
1332         * wasm/function-tests/memcpy-wasm-loop.js: Added.
1333         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
1334         (string_appeared_here):
1335
1336 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
1337
1338         [JSC] Array.prototype.toString should not get "join" function each time
1339         https://bugs.webkit.org/show_bug.cgi?id=200905
1340
1341         Reviewed by Mark Lam.
1342
1343         * stress/array-prototype-join-change.js: Added.
1344         (shouldBe):
1345         (array2.join):
1346         (DerivedArray):
1347         (DerivedArray.prototype.join):
1348         (array3.__proto__.join):
1349         (Array.prototype.join):
1350
1351 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1352
1353         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1354         https://bugs.webkit.org/show_bug.cgi?id=200782
1355
1356         Reviewed by Saam Barati.
1357
1358         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
1359
1360         * microbenchmarks/memcpy-typed-loop.js:
1361         * stress/int8-repeat-in-then-out-of-bounds.js:
1362
1363 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1364
1365         Proxy constructor should throw if handler is revoked Proxy
1366         https://bugs.webkit.org/show_bug.cgi?id=198755
1367
1368         Reviewed by Saam Barati.
1369
1370         * stress/proxy-revoke.js: Adjust error message.
1371         * test262/expectations.yaml: Mark 2 test cases as passing.
1372
1373 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1374
1375         [JSC] OSR entry to Wasm OMG
1376         https://bugs.webkit.org/show_bug.cgi?id=200362
1377
1378         Reviewed by Michael Saboff.
1379
1380         * wasm/stress/osr-entry-basic.js: Added.
1381         (instance.exports.loop):
1382         * wasm/stress/osr-entry-many-locals-f32.js: Added.
1383         * wasm/stress/osr-entry-many-locals-f64.js: Added.
1384         * wasm/stress/osr-entry-many-locals-i32.js: Added.
1385         * wasm/stress/osr-entry-many-locals-i64.js: Added.
1386         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
1387         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
1388         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
1389         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
1390
1391 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1392
1393         Date.prototype.toJSON throws if toISOString returns an object
1394         https://bugs.webkit.org/show_bug.cgi?id=198495
1395
1396         Reviewed by Ross Kirsling.
1397
1398         * test262/expectations.yaml: Mark 6 test cases as passing.
1399
1400 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1401
1402         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
1403         https://bugs.webkit.org/show_bug.cgi?id=200899
1404         <rdar://problem/54073341>
1405
1406         Reviewed by Mark Lam.
1407
1408         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
1409         (i.new.Promise):
1410         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
1411         (i.new.Promise):
1412
1413 2019-08-19  Michael Saboff  <msaboff@apple.com>
1414
1415         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
1416         https://bugs.webkit.org/show_bug.cgi?id=197090
1417
1418         Reviewed by Yusuke Suzuki.
1419
1420         New test.
1421
1422         * stress/regexp-nonconsuming-counted-parens.js: Added.
1423
1424 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
1425
1426         [JSC] Correct a->an in error messages and API docblocks
1427         https://bugs.webkit.org/show_bug.cgi?id=200833
1428
1429         Reviewed by Don Olmstead.
1430
1431         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1432         (assert.assert.return.throws):
1433         * stress/promise-finally-should-accept-non-promise-objects.js:
1434         * wasm/js-api/table.js:
1435         (assert.throws):
1436
1437 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1438
1439         [ESNext] Implement optional chaining
1440         https://bugs.webkit.org/show_bug.cgi?id=200199
1441
1442         Reviewed by Yusuke Suzuki.
1443
1444         * stress/nullish-coalescing.js:
1445         * stress/optional-chaining.js: Added.
1446         * stress/tail-call-recognize.js:
1447
1448 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1449
1450         [ESNext] Support hashbang.
1451         https://bugs.webkit.org/show_bug.cgi?id=200865
1452
1453         Reviewed by Mark Lam.
1454
1455         * stress/hashbang.js: Added.
1456         * test262/expectations.yaml: Mark 6 cases as passing.
1457
1458 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
1459
1460         [JSC] DFG ToNumber should support Boolean in fixup
1461         https://bugs.webkit.org/show_bug.cgi?id=200864
1462
1463         Reviewed by Mark Lam.
1464
1465         * microbenchmarks/to-number-boolean.js: Added.
1466         (test):
1467         * stress/to-number-boolean-int32.js: Added.
1468         (shouldBe):
1469         (test):
1470         (check):
1471         * stress/to-number-boolean.js: Added.
1472         (shouldBe):
1473         (test):
1474         (check):
1475         * stress/to-number-int32.js: Added.
1476         (shouldBe):
1477         (test):
1478         (check):
1479
1480 2019-08-16  Mark Lam  <mark.lam@apple.com>
1481
1482         More missing exception checks in string comparison operators.
1483         https://bugs.webkit.org/show_bug.cgi?id=200844
1484         <rdar://problem/54378684>
1485
1486         Reviewed by Saam Barati.
1487
1488         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
1489         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
1490         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
1491         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
1492
1493 2019-08-16  Mark Lam  <mark.lam@apple.com>
1494
1495         CodeBlock destructor should clear all of its watchpoints.
1496         https://bugs.webkit.org/show_bug.cgi?id=200792
1497         <rdar://problem/53947800>
1498
1499         Reviewed by Yusuke Suzuki.
1500
1501         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
1502
1503 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
1504
1505         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1506         https://bugs.webkit.org/show_bug.cgi?id=200782
1507
1508         Reviewed by Saam Barati.
1509
1510         * microbenchmarks/int8-out-of-bounds.js: Added.
1511         (foo):
1512         * microbenchmarks/memcpy-typed-loop.js: Added.
1513         (doTest):
1514         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
1515         (arr2):
1516         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
1517         (foo):
1518
1519 2019-08-16  Mark Lam  <mark.lam@apple.com>
1520
1521         [Re-land] ProxyObject should not be allowed to access its target's private properties.
1522         https://bugs.webkit.org/show_bug.cgi?id=200739
1523         <rdar://problem/53972768>
1524
1525         Reviewed by Yusuke Suzuki.
1526
1527         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
1528         * stress/proxy-with-private-symbols.js:
1529
1530 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
1531
1532         [JSC] Promise.prototype.finally should accept non-promise objects
1533         https://bugs.webkit.org/show_bug.cgi?id=200829
1534
1535         Reviewed by Mark Lam.
1536
1537         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
1538         (shouldBe):
1539         (Thenable):
1540         (Thenable.prototype.then):
1541
1542 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
1543
1544         Promise constructor should check argument before [[Construct]]
1545         https://bugs.webkit.org/show_bug.cgi?id=198976
1546
1547         Reviewed by Ross Kirsling.
1548
1549         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
1550         * stress/create-subclass-structure-might-throw.js: Fix test.
1551         * test262/expectations.yaml: Mark 2 test cases as passing.
1552
1553 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
1554
1555         Unreviewed, rolling out r248709.
1556
1557         Caused test/built-ins/Promise/prototype/finally/this-value-
1558         non-promise.js to fail on test262 bot
1559
1560         Reverted changeset:
1561
1562         "ProxyObject should not be allowed to access its target's
1563         private properties."
1564         https://bugs.webkit.org/show_bug.cgi?id=200739
1565         https://trac.webkit.org/changeset/248709
1566
1567 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1568
1569         DateConversion::formatDateTime incorrectly formats negative years
1570         https://bugs.webkit.org/show_bug.cgi?id=199964
1571
1572         Reviewed by Ross Kirsling.
1573
1574         * test262/expectations.yaml: Mark 6 test cases as passing.
1575
1576 2019-08-15  Mark Lam  <mark.lam@apple.com>
1577
1578         More missing exception checks in String.prototype.
1579         https://bugs.webkit.org/show_bug.cgi?id=200762
1580         <rdar://problem/54333896>
1581
1582         Reviewed by Michael Saboff.
1583
1584         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1585         * stress/missing-exception-check-in-string-toLower.js: Added.
1586         * stress/missing-exception-check-in-string-toUpper.js: Added.
1587
1588 2019-08-14  Mark Lam  <mark.lam@apple.com>
1589
1590         ProxyObject should not be allowed to access its target's private properties.
1591         https://bugs.webkit.org/show_bug.cgi?id=200739
1592         <rdar://problem/53972768>
1593
1594         Reviewed by Yusuke Suzuki.
1595
1596         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1597         * stress/proxy-with-private-symbols.js: Rebased.
1598
1599 2019-08-14  Mark Lam  <mark.lam@apple.com>
1600
1601         Missing exception check in string compare.
1602         https://bugs.webkit.org/show_bug.cgi?id=200743
1603         <rdar://problem/53975356>
1604
1605         Reviewed by Michael Saboff.
1606
1607         * stress/missing-exception-check-in-string-compare.js: Added.
1608
1609 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1610
1611         [JSC] Add "jump if (not) undefined or null" bytecode ops
1612         https://bugs.webkit.org/show_bug.cgi?id=200480
1613
1614         Reviewed by Saam Barati.
1615
1616         * stress/destructuring-assignment-require-object-coercible.js:
1617         * stress/nullish-coalescing.js:
1618
1619 2019-08-05  Michael Saboff  <msaboff@apple.com>
1620
1621         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1622         https://bugs.webkit.org/show_bug.cgi?id=199997
1623
1624         Reviewed by Saam Barati.
1625
1626         New test.
1627
1628         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1629         (checkIntArray):
1630         (checkFloatArray):
1631
1632 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1633
1634         [JSC] Support WebAssembly in SamplingProfiler
1635         https://bugs.webkit.org/show_bug.cgi?id=200329
1636
1637         Reviewed by Saam Barati.
1638
1639         * stress/sampling-profiler-wasm-name-section.js: Added.
1640         (const.compile):
1641         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1642         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1643         * stress/sampling-profiler-wasm.js: Added.
1644         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1645         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1646         * stress/sampling-profiler/loop.wasm: Added.
1647         * stress/sampling-profiler/loop.wast: Added.
1648         * stress/sampling-profiler/nameSection.wasm: Added.
1649
1650 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1651
1652         [JSC] LazyJSValue should be robust for empty JSValue
1653         https://bugs.webkit.org/show_bug.cgi?id=200388
1654
1655         Reviewed by Saam Barati.
1656
1657         * stress/switch-constant-child-becomes-empty.js: Added.
1658         (foo):
1659
1660 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1661
1662         GetterSetter type confusion during DFG compilation
1663         https://bugs.webkit.org/show_bug.cgi?id=199903
1664
1665         Reviewed by Mark Lam.
1666
1667         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1668
1669 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1670
1671         Update Test262 (2019.08.01)
1672         https://bugs.webkit.org/show_bug.cgi?id=200351
1673
1674         Reviewed by Keith Miller.
1675
1676         * test262/expectations.yaml:
1677         * test262/harness/testIntl.js:
1678         * test262/latest-changes-summary.txt:
1679         * test262/test/:
1680         * test262/test262-Revision.txt:
1681
1682 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1683
1684         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1685         https://bugs.webkit.org/show_bug.cgi?id=200192
1686
1687         Reviewed by Saam Barati.
1688
1689         * stress/structure-chain-stress.js: Added.
1690         (keys):
1691
1692 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1693
1694         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1695         https://bugs.webkit.org/show_bug.cgi?id=200196
1696
1697         Reviewed by Robin Morisset.
1698
1699         * stress/reparsing-unlinked-codeblock.js:
1700
1701 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1702
1703         [X86] Emit BT instruction for shift + mask in B3
1704         https://bugs.webkit.org/show_bug.cgi?id=199891
1705
1706         Reviewed by Robin Morisset.
1707
1708         Lower the number of iterations to fix debug timeouts.
1709
1710         * microbenchmarks/bit-test-load.js:
1711         (i):
1712
1713 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1714
1715         [X86] Emit BT instruction for shift + mask in B3
1716         https://bugs.webkit.org/show_bug.cgi?id=199891
1717
1718         Reviewed by Keith Miller.
1719
1720         * microbenchmarks/bit-test-constant.js: Added.
1721         (let.glob.0.doTest):
1722         * microbenchmarks/bit-test-load.js: Added.
1723         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1724         (i):
1725         * microbenchmarks/bit-test-nonconstant.js: Added.
1726         (let.glob.0.doTest):
1727
1728 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1729
1730         [JSC] Potential GC fix for JSPropertyNameEnumerator
1731         https://bugs.webkit.org/show_bug.cgi?id=200151
1732
1733         Reviewed by Mark Lam.
1734
1735         * stress/for-in-stress.js: Added.
1736         (keys):
1737
1738 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1739
1740         Legacy numeric literals should not permit separators or BigInt
1741         https://bugs.webkit.org/show_bug.cgi?id=199984
1742
1743         Reviewed by Keith Miller.
1744
1745         * stress/big-int-literals.js:
1746         * stress/numeric-literal-separators.js:
1747
1748 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1749
1750         [ESNext] Implement nullish coalescing
1751         https://bugs.webkit.org/show_bug.cgi?id=200072
1752
1753         Reviewed by Darin Adler.
1754
1755         * stress/nullish-coalescing.js: Added.
1756
1757 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1758
1759         Three checks are missing in Proxy internal methods
1760         https://bugs.webkit.org/show_bug.cgi?id=198630
1761
1762         Reviewed by Darin Adler.
1763
1764         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1765         * test262/expectations.yaml: Mark 6 test cases as passing.
1766
1767 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1768
1769         Sometimes we miss removable CheckInBounds
1770         https://bugs.webkit.org/show_bug.cgi?id=200018
1771
1772         Reviewed by Saam Barati.
1773
1774         * microbenchmarks/typed-array-sum.js: Added.
1775         (doTest):
1776
1777 2019-07-16  Mark Lam  <mark.lam@apple.com>
1778
1779         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1780         https://bugs.webkit.org/show_bug.cgi?id=199821
1781         <rdar://problem/52452328>
1782
1783         Reviewed by Filip Pizlo.
1784
1785         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1786
1787 2019-07-16  Keith Miller  <keith_miller@apple.com>
1788
1789         Unreviewed, test262 gardening.
1790
1791         * test262/expectations.yaml:
1792
1793 2019-07-15  Keith Miller  <keith_miller@apple.com>
1794
1795         A Possible Issue of Object.create method
1796         https://bugs.webkit.org/show_bug.cgi?id=199744
1797
1798         Reviewed by Yusuke Suzuki.
1799
1800         * stress/object-create-non-object-properties-parameter.js: Added.
1801         (catch):
1802
1803 2019-07-15  Keith Miller  <keith_miller@apple.com>
1804
1805         Update test262
1806         https://bugs.webkit.org/show_bug.cgi?id=199801
1807
1808         Rubber-stamped by Yusuke Suzuki.
1809
1810         * test262/expectations.yaml:
1811         * test262/latest-changes-summary.txt:
1812         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1813         (fg.new.FinalizationGroup):
1814         (callback):
1815         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1816         (fg.new.FinalizationGroup):
1817         (callback):
1818         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1819         (fg.new.FinalizationGroup):
1820         (callback):
1821         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1822         (fg.new.FinalizationGroup):
1823         (callback):
1824         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1825         (fg.new.FinalizationGroup):
1826         (callback):
1827         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1828         (fg.new.FinalizationGroup):
1829         (callback):
1830         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1831         (fg.new.FinalizationGroup):
1832         (callback):
1833         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1834         (callback):
1835         (fg.new.FinalizationGroup):
1836         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1837         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1838         (cb):
1839         (fg.new.FinalizationGroup):
1840         (emptyCells):
1841         (async.fn):
1842         (fn.then.async):
1843         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1844         (fg.new.FinalizationGroup):
1845         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1846         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1847         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1848         (newTarget):
1849         (fn):
1850         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1851         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1852         (fn):
1853         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1854         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1855         (newTarget):
1856         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1857         (newTarget):
1858         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1859         (fg.new.FinalizationGroup):
1860         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1861         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1862         (callback):
1863         (fg.new.FinalizationGroup):
1864         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1865         (fg.new.FinalizationGroup):
1866         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1867         (cb):
1868         (fg.new.FinalizationGroup):
1869         (emptyCells):
1870         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1871         (fg.new.FinalizationGroup):
1872         (fg.cleanupSome.cb):
1873         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1874         (callback):
1875         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1876         (fn):
1877         (cb):
1878         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1879         (cb):
1880         (fg.new.FinalizationGroup):
1881         (emptyCells):
1882         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1883         (fg.new.FinalizationGroup):
1884         (callback):
1885         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1886         (fg.new.FinalizationGroup):
1887         (callback):
1888         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1889         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1890         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1891         (poisoned):
1892         (fg.new.FinalizationGroup):
1893         (emptyCells):
1894         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1895         (poisoned):
1896         (emptyCells):
1897         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1898         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1899         (fn):
1900         (cb):
1901         (emptyCells):
1902         (prototype.assert.sameValue.fg.cleanupSome):
1903         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1904         (fn):
1905         (cb):
1906         (poisoned):
1907         (assert.sameValue.fg.cleanupSome):
1908         (prototype.assert.sameValue.fg.cleanupSome):
1909         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1910         (cb):
1911         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1912         (cb):
1913         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1914         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1915         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1916         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1917         (fn):
1918         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1919         (fn):
1920         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1921         (fg.new.FinalizationGroup):
1922         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1923         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1924         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1925         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1926         (fn):
1927         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1928         (fn):
1929         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1930         (fg.new.FinalizationGroup):
1931         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1932         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1933         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1934         (fg.new.FinalizationGroup):
1935         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1936         (fg.new.FinalizationGroup):
1937         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1938         (fg.new.FinalizationGroup):
1939         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1940         (fg.new.FinalizationGroup):
1941         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1942         (fn):
1943         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1944         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1945         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1946         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1947         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1948         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1949         (fn):
1950         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1951         (fg.new.FinalizationGroup):
1952         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1953         (cleanupCallback):
1954         (let.key.of.Object.getOwnPropertyNames):
1955         (set for):
1956         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1957         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1958         (FinalizationGroup):
1959         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1960         (cleanupCallback):
1961         (let.key.of.Object.getOwnPropertyNames):
1962         (set for):
1963         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1964         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1965         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1966         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1967         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1968         (asyncProxy.new.Proxy.async):
1969         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1970         (asyncProxy.new.Proxy.async):
1971         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1972         (setIter.set Symbol):
1973         (set defaultTag):
1974         (gen):
1975         (get return):
1976         (set new):
1977         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1978         (generatorProxy.new.Proxy):
1979         (asyncProxy.new.Proxy.async):
1980         * test262/test/built-ins/Object/subclass-object-arg.js:
1981         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1982         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1983         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1984         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1985         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1986         * test262/test/built-ins/Promise/executor-function-name.js:
1987         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1988         * test262/test/built-ins/Promise/reject-function-name.js:
1989         * test262/test/built-ins/Promise/resolve-function-name.js:
1990         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1991         * test262/test/built-ins/WeakRef/constructor.js: Added.
1992         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1993         * test262/test/built-ins/WeakRef/length.js: Added.
1994         * test262/test/built-ins/WeakRef/name.js: Added.
1995         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1996         (newTarget):
1997         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1998         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1999         * test262/test/built-ins/WeakRef/proto.js: Added.
2000         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
2001         (newTarget):
2002         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
2003         (newTarget):
2004         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
2005         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
2006         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
2007         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
2008         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
2009         (emptyCells):
2010         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
2011         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
2012         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
2013         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
2014         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
2015         (fg.new.FinalizationGroup):
2016         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
2017         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
2018         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
2019         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
2020         (let.key.of.Object.getOwnPropertyNames):
2021         (set for):
2022         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
2023         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
2024         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
2025         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
2026         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
2027         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
2028         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
2029         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
2030         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
2031         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
2032         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
2033         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
2034         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
2035         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
2036         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
2037         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
2038         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
2039         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
2040         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
2041         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
2042         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
2043         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
2044         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
2045         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
2046         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
2047         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
2048         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
2049         (assertParts):
2050         (assertPartsNumeric):
2051         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
2052         (assertParts):
2053         (assertPartsNumeric):
2054         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
2055         (assertParts):
2056         (assertPartsNumeric):
2057         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
2058         (assertParts):
2059         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
2060         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
2061         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
2062         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
2063         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
2064         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
2065         (C.prototype.method):
2066         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
2067         (C.prototype.method.innerFunction):
2068         (C.prototype.method):
2069         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
2070         (C):
2071         (C.method):
2072         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
2073         (C):
2074         (C.method.innerFunction):
2075         (C.method):
2076         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
2077         (C):
2078         (C.checkPrivateGetter):
2079         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
2080         (C):
2081         (C.method):
2082         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
2083         (C):
2084         (C.method.innerFunction):
2085         (C.method):
2086         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
2087         (C):
2088         (C.checkPrivateMethod):
2089         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
2090         (C):
2091         (C.method):
2092         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
2093         (C):
2094         (C.method.innerFunction):
2095         (C.method):
2096         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
2097         (C):
2098         (C.checkPrivateSetter):
2099         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2100         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2101         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2102         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
2103         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2104         (let.classStringExpression):
2105         (let.classStringExpression.access):
2106         (let.createAndInstantiateClass):
2107         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2108         (let.classStringExpression):
2109         (let.classStringExpression.access):
2110         (let.createAndInstantiateClass):
2111         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2112         (const.C):
2113         (let.createAndInstantiateClass):
2114         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2115         (let.classStringExpression.return.prototype.m):
2116         (let.classStringExpression.return.prototype.access):
2117         (let.createAndInstantiateClass):
2118         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2119         (let.classStringExpression.return.prototype.m):
2120         (let.classStringExpression.return.prototype.access):
2121         (let.createAndInstantiateClass):
2122         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2123         (let.classStringExpression):
2124         (let.classStringExpression.access):
2125         (let.createAndInstantiateClass):
2126         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2127         (let.classStringExpression.prototype.m):
2128         (let.classStringExpression.prototype.access):
2129         (let.classStringExpression):
2130         (let.createAndInstantiateClass):
2131         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2132         (let.classStringExpression.prototype.m):
2133         (let.classStringExpression.prototype.access):
2134         (let.classStringExpression):
2135         (let.createAndInstantiateClass):
2136         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2137         (const.C):
2138         (let.createAndInstantiateClass):
2139         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2140         (let.classStringExpression.return.C.prototype.m):
2141         (let.classStringExpression.return.C.prototype.access):
2142         (let.classStringExpression.return.C):
2143         (let.createAndInstantiateClass):
2144         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2145         (let.classStringExpression.return.C.prototype.m):
2146         (let.classStringExpression.return.C.prototype.access):
2147         (let.classStringExpression.return.C):
2148         (let.createAndInstantiateClass):
2149         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2150         (let.classStringExpression):
2151         (let.classStringExpression.access):
2152         (let.createAndInstantiateClass):
2153         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2154         (let.classStringExpression):
2155         (let.classStringExpression.access):
2156         (let.createAndInstantiateClass):
2157         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2158         (let.classStringExpression):
2159         (let.classStringExpression.access):
2160         (let.createAndInstantiateClass):
2161         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2162         (const.C):
2163         (let.createAndInstantiateClass):
2164         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2165         (let.classStringExpression.return.prototype.m):
2166         (let.classStringExpression.return.prototype.access):
2167         (let.createAndInstantiateClass):
2168         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2169         (let.classStringExpression.return.prototype.m):
2170         (let.classStringExpression.return.prototype.access):
2171         (let.createAndInstantiateClass):
2172         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2173         (let.classStringExpression):
2174         (let.classStringExpression.access):
2175         (let.createAndInstantiateClass):
2176         * test262/test/language/expressions/new.target/unary-expr.js: Added.
2177         (new):
2178         (async):
2179         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
2180         (A):
2181         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
2182         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
2183         * test262/test/language/identifiers/vals-cjk.js: Added.
2184         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
2185         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
2186         (C.prototype.method):
2187         (C):
2188         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
2189         (C.prototype.method.innerFunction):
2190         (C.prototype.method):
2191         (C):
2192         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
2193         (C.prototype.checkPrivateField):
2194         (C):
2195         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
2196         (C):
2197         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
2198         (C.prototype.getWithEval):
2199         (C):
2200         (D):
2201         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
2202         (C.prototype.get m):
2203         (C.prototype.method):
2204         (C):
2205         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
2206         (C.prototype.get m):
2207         (C.prototype.method.innerFunction):
2208         (C.prototype.method):
2209         (C):
2210         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
2211         (let.createAndInstantiateClass):
2212         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
2213         (C.prototype.get m):
2214         (C.prototype.checkPrivateGetter):
2215         (C):
2216         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
2217         (C.prototype.get m):
2218         (C.prototype.checkPrivateGetter):
2219         (C):
2220         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
2221         (C.prototype.get m):
2222         (C):
2223         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
2224         (C.prototype.get m):
2225         (C.prototype.getWithEval):
2226         (C):
2227         (D.prototype.get m):
2228         (D):
2229         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
2230         (C.prototype.m):
2231         (C.prototype.method):
2232         (C):
2233         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
2234         (C.prototype.m):
2235         (C.prototype.method.innerFunction):
2236         (C.prototype.method):
2237         (C):
2238         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
2239         (C.prototype.m):
2240         (C.prototype.checkPrivateMethod):
2241         (C):
2242         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
2243         (C.prototype.m):
2244         (C.prototype.checkPrivateMethod):
2245         (C):
2246         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
2247         (C.prototype.m):
2248         (C):
2249         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
2250         (C.prototype.m):
2251         (C.prototype.getWithEval):
2252         (C):
2253         (D.prototype.m):
2254         (D):
2255         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
2256         (C.prototype.set m):
2257         (C.prototype.method):
2258         (C):
2259         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
2260         (C.prototype.set m):
2261         (C.prototype.method.innerFunction):
2262         (C.prototype.method):
2263         (C):
2264         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
2265         (C.prototype.set m):
2266         (C.prototype.checkPrivateSetter):
2267         (C):
2268         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
2269         (C.prototype.set m):
2270         (C.prototype.checkPrivateSetter):
2271         (C):
2272         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
2273         (C.prototype.set m):
2274         (C):
2275         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
2276         (C.prototype.set m):
2277         (C.prototype.setWithEval):
2278         (C):
2279         (D.prototype.set m):
2280         (D):
2281         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2282         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2283         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2284         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
2285         (A.prototype.method):
2286         (A):
2287         (C.prototype.get m):
2288         (C.prototype.access):
2289         (C):
2290         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
2291         (A.prototype.method):
2292         (A):
2293         (C.prototype.m):
2294         (C.prototype.access):
2295         (C):
2296         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
2297         (A.prototype.method):
2298         (A):
2299         (C.prototype.set m):
2300         (C.prototype.access):
2301         (C):
2302         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
2303         (A):
2304         * test262/test/language/statements/function/13.2-30-s.js:
2305         * test262/test262-Revision.txt:
2306
2307 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2308
2309         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2310         https://bugs.webkit.org/show_bug.cgi?id=199783
2311
2312         Reviewed by Mark Lam.
2313
2314         Fix our spec tests.
2315
2316         * wasm/js-api/Module-compile.js:
2317         * wasm/js-api/test_basic_api.js:
2318         (const.c.in.constructorProperties.switch):
2319         * wasm/js-api/validate.js:
2320         * wasm/js-api/web-assembly-instantiate.js:
2321         * wasm/spec-tests/jsapi.js:
2322         (testJSAPI.get test):
2323         (testJSAPI.set test):
2324
2325 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2326
2327         Unreviewed, rolling out r247440.
2328
2329         Broke builds
2330
2331         Reverted changeset:
2332
2333         "[JSC] Improve wasm wpt test results by fixing miscellaneous
2334         issues"
2335         https://bugs.webkit.org/show_bug.cgi?id=199783
2336         https://trac.webkit.org/changeset/247440
2337
2338 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2339
2340         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2341         https://bugs.webkit.org/show_bug.cgi?id=199783
2342
2343         Reviewed by Mark Lam.
2344
2345         Fix our spec tests.
2346
2347         * wasm/js-api/Module-compile.js:
2348         * wasm/js-api/test_basic_api.js:
2349         (const.c.in.constructorProperties.switch):
2350         * wasm/js-api/validate.js:
2351         * wasm/js-api/web-assembly-instantiate.js:
2352         * wasm/spec-tests/jsapi.js:
2353         (testJSAPI.get test):
2354         (testJSAPI.set test):
2355
2356 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
2357
2358         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
2359         https://bugs.webkit.org/show_bug.cgi?id=196371
2360
2361         Reviewed by Keith Miller.
2362
2363         * microbenchmarks/mul-immediate-sub.js: Added.
2364         (doTest):
2365
2366 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
2367
2368         [BigInt] Add ValueBitLShift into DFG
2369         https://bugs.webkit.org/show_bug.cgi?id=192664
2370
2371         Reviewed by Saam Barati.
2372
2373         We are adding tests to cover ValueBitwise operations AI changes.
2374
2375         * stress/big-int-left-shift-untyped.js: Added.
2376         * stress/bit-op-with-object-returning-int32.js:
2377         * stress/value-bit-and-ai-rule.js: Added.
2378         * stress/value-bit-lshift-ai-rule.js: Added.
2379         * stress/value-bit-or-ai-rule.js: Added.
2380         * stress/value-bit-xor-ai-rule.js: Added.
2381
2382 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2383
2384         Add b3 macro lowering for CheckMul on arm64
2385         https://bugs.webkit.org/show_bug.cgi?id=199251
2386
2387         Reviewed by Robin Morisset.
2388
2389         * microbenchmarks/check-mul-constant.js: Added.
2390         (doTest):
2391         * microbenchmarks/check-mul-no-constant.js: Added.
2392         (doTest):
2393         * microbenchmarks/check-mul-power-of-two.js: Added.
2394         (doTest):
2395
2396 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2397
2398         Optimize join of large empty arrays
2399         https://bugs.webkit.org/show_bug.cgi?id=199636
2400
2401         Reviewed by Mark Lam.
2402
2403         * microbenchmarks/large-empty-array-join.js: Added.
2404         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2405
2406 2019-07-06  Michael Saboff  <msaboff@apple.com>
2407
2408         switch(String) needs to check for exceptions when resolving the string
2409         https://bugs.webkit.org/show_bug.cgi?id=199541
2410
2411         Reviewed by Mark Lam.
2412
2413         New tests.
2414
2415         * stress/switch-string-oom.js: Added.
2416         (test):
2417         (testLowerTiers):
2418         (testFTL):
2419
2420 2019-07-05  Mark Lam  <mark.lam@apple.com>
2421
2422         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
2423         https://bugs.webkit.org/show_bug.cgi?id=199533
2424         <rdar://problem/52669111>
2425
2426         Reviewed by Filip Pizlo.
2427
2428         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2429
2430 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2431
2432         [JSC] Clean up ArraySpeciesCreate
2433         https://bugs.webkit.org/show_bug.cgi?id=182434
2434
2435         Reviewed by Yusuke Suzuki.
2436
2437         Adjusts error message expectations in stress tests.
2438
2439         * stress/array-flatmap.js:
2440         * stress/array-flatten.js:
2441         * stress/array-species-create-should-handle-masquerader.js:
2442         * test262/expectations.yaml: Mark 4 test cases as passing.
2443
2444 2019-07-02  Michael Saboff  <msaboff@apple.com>
2445
2446         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
2447         https://bugs.webkit.org/show_bug.cgi?id=199395
2448
2449         Reviewed by Filip Pizlo.
2450
2451         New regression test.
2452
2453         * stress/for-of-tdz-with-try-catch.js: Added.
2454         (test):
2455         (i.catch):
2456
2457 2019-07-02  Keith Miller  <keith_miller@apple.com>
2458
2459         Frozen Arrays length assignment should throw in strict mode
2460         https://bugs.webkit.org/show_bug.cgi?id=199365
2461
2462         Reviewed by Yusuke Suzuki.
2463
2464         * stress/frozen-array-length-should-throw-strict.js: Added.
2465         (test):
2466
2467 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2468
2469         [Wasm-References] Disable references by default
2470         https://bugs.webkit.org/show_bug.cgi?id=199390
2471
2472         Reviewed by Saam Barati.
2473
2474         * wasm/references-spec-tests/ref_is_null.js:
2475         * wasm/references-spec-tests/ref_null.js:
2476         * wasm/references/anyref_globals.js:
2477         * wasm/references/anyref_modules.js:
2478         * wasm/references/anyref_table.js:
2479         * wasm/references/anyref_table_import.js:
2480         * wasm/references/element_parsing.js:
2481         * wasm/references/func_ref.js:
2482         * wasm/references/is_null.js:
2483         * wasm/references/multitable.js:
2484         * wasm/references/table_misc.js:
2485         * wasm/references/validation.js:
2486
2487 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2488
2489         Unreviewed, rolling out r246946.
2490
2491         Caused JSC test crashes on arm64
2492
2493         Reverted changeset:
2494
2495         "Add b3 macro lowering for CheckMul on arm64"
2496         https://bugs.webkit.org/show_bug.cgi?id=199251
2497         https://trac.webkit.org/changeset/246946
2498
2499 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2500
2501         Add b3 macro lowering for CheckMul on arm64
2502         https://bugs.webkit.org/show_bug.cgi?id=199251
2503
2504         Reviewed by Robin Morisset.
2505
2506         * microbenchmarks/check-mul-constant.js: Added.
2507         (doTest):
2508         * microbenchmarks/check-mul-no-constant.js: Added.
2509         (doTest):
2510         * microbenchmarks/check-mul-power-of-two.js: Added.
2511         (doTest):
2512
2513 2019-06-26  Keith Miller  <keith_miller@apple.com>
2514
2515         speciesConstruct needs to throw if the result is a DataView
2516         https://bugs.webkit.org/show_bug.cgi?id=199231
2517
2518         Reviewed by Mark Lam.
2519
2520         * stress/typedarray-filter.js:
2521         (subclasses.forEach):
2522         * stress/typedarray-map.js:
2523         (subclasses.forEach):
2524         * stress/typedarray-slice.js:
2525         (typedArrays.forEach):
2526         * stress/typedarray-subarray.js:
2527         (subclasses.forEach):
2528
2529 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2530
2531         Unreviewed, rolling out r246714.
2532         https://bugs.webkit.org/show_bug.cgi?id=199179
2533
2534         revert to do patch in a different way. (Requested by keith_mi_
2535         on #webkit).
2536
2537         Reverted changeset:
2538
2539         "All prototypes should call didBecomePrototype()"
2540         https://bugs.webkit.org/show_bug.cgi?id=196315
2541         https://trac.webkit.org/changeset/246714
2542
2543 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2544
2545         Add Array.prototype.{flat,flatMap} to unscopables
2546         https://bugs.webkit.org/show_bug.cgi?id=194322
2547
2548         Reviewed by Keith Miller.
2549
2550         * stress/unscopables.js: Fix test.
2551         * test262/expectations.yaml: Mark 2 test cases as passing.
2552
2553 2019-06-21  Mark Lam  <mark.lam@apple.com>
2554
2555         ArraySlice needs to keep the source array alive.
2556         https://bugs.webkit.org/show_bug.cgi?id=197374
2557         <rdar://problem/50304429>
2558
2559         Reviewed by Michael Saboff and Filip Pizlo.
2560
2561         * stress/array-slice-must-keep-source-array-alive.js: Added.
2562
2563 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2564
2565         All prototypes should call didBecomePrototype()
2566         https://bugs.webkit.org/show_bug.cgi?id=196315
2567
2568         Reviewed by Saam Barati.
2569
2570         * stress/function-prototype-indexed-accessor.js: Added.
2571
2572 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2573
2574         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2575         https://bugs.webkit.org/show_bug.cgi?id=197631
2576
2577         Reviewed by Saam Barati.
2578
2579         * stress/has-own-property-arguments.js: Added.
2580         (shouldBe):
2581         (A):
2582
2583 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2584
2585         [JSC] ClassExpr should not store result in the middle of evaluation
2586         https://bugs.webkit.org/show_bug.cgi?id=199106
2587
2588         Reviewed by Tadeu Zagallo.
2589
2590         * stress/class-expression-should-store-result-at-last.js: Added.
2591         (shouldThrow):
2592         (shouldThrow.let.a):
2593
2594 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2595
2596         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2597         https://bugs.webkit.org/show_bug.cgi?id=199044
2598
2599         Reviewed by Saam Barati.
2600
2601         Add wasm references spec tests as well as a worker test.
2602
2603         * wasm.yaml:
2604         * wasm/Builder_WebAssemblyBinary.js:
2605         (const.emitters.Element):
2606         * wasm/js-api/element.js:
2607         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2608         * wasm/references-spec-tests/ref_is_null.js: Added.
2609         (hostref):
2610         (is_hostref):
2611         (is_funcref):
2612         (eq_ref):
2613         (let.handler.get target):
2614         (register):
2615         (module):
2616         (instance):
2617         (call):
2618         (get instance):
2619         (exports):
2620         (run):
2621         (assert_malformed):
2622         (assert_invalid):
2623         (assert_unlinkable):
2624         (assert_uninstantiable):
2625         (assert_trap):
2626         (try.f):
2627         (catch):
2628         (assert_exhaustion):
2629         (assert_return):
2630         (assert_return_canonical_nan):
2631         (assert_return_arithmetic_nan):
2632         (assert_return_ref):
2633         (assert_return_func):
2634         * wasm/references-spec-tests/ref_null.js: Added.
2635         (hostref):
2636         (is_hostref):
2637         (is_funcref):
2638         (eq_ref):
2639         (let.handler.get target):
2640         (register):
2641         (module):
2642         (instance):
2643         (call):
2644         (get instance):
2645         (exports):
2646         (run):
2647         (assert_malformed):
2648         (assert_invalid):
2649         (assert_unlinkable):
2650         (assert_uninstantiable):
2651         (assert_trap):
2652         (try.f):
2653         (catch):
2654         (assert_exhaustion):
2655         (assert_return):
2656         (assert_return_canonical_nan):
2657         (assert_return_arithmetic_nan):
2658         (assert_return_ref):
2659         (assert_return_func):
2660         * wasm/references/element_parsing.js: Added.
2661         (module):
2662         * wasm/references/func_ref.js:
2663         * wasm/references/multitable.js:
2664         * wasm/references/table_misc.js:
2665         (TableSize.0.End.End.WebAssembly):
2666         * wasm/references/validation.js:
2667         (assert.throws):
2668
2669 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2670
2671         Optimize `resolve` method lookup in Promise static methods
2672         https://bugs.webkit.org/show_bug.cgi?id=198864
2673
2674         Reviewed by Yusuke Suzuki.
2675
2676         * test262/expectations.yaml: Mark 18 test cases as passing.
2677
2678 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2679
2680         [WASM-References] Rename anyfunc to funcref
2681         https://bugs.webkit.org/show_bug.cgi?id=198983
2682
2683         Reviewed by Yusuke Suzuki.
2684
2685         * wasm/function-tests/basic-element.js:
2686         * wasm/function-tests/context-switch.js:
2687         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2688         (makeInstance):
2689         (assert.eq.makeInstance):
2690         * wasm/function-tests/exceptions.js:
2691         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2692         * wasm/function-tests/grow-memory-2.js:
2693         (assert.eq.instance.exports.foo):
2694         * wasm/function-tests/nameSection.js:
2695         (const.compile):
2696         * wasm/function-tests/stack-overflow.js:
2697         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2698         (assertOverflows.makeInstance):
2699         * wasm/function-tests/table-basic-2.js:
2700         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2701         * wasm/function-tests/table-basic.js:
2702         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2703         * wasm/function-tests/trap-from-start-async.js:
2704         * wasm/function-tests/trap-from-start.js:
2705         * wasm/js-api/Module.exports.js:
2706         (assert.truthy):
2707         * wasm/js-api/Module.imports.js:
2708         (assert.truthy):
2709         * wasm/js-api/call-indirect.js:
2710         (const.oneTable):
2711         (const.multiTable):
2712         (multiTable.const.makeTable):
2713         (multiTable):
2714         (multiTable.Polyphic2Import):
2715         (multiTable.VirtualImport):
2716         * wasm/js-api/element-data.js:
2717         * wasm/js-api/element.js:
2718         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2719         (assert.throws):
2720         (badInstantiation.makeModule):
2721         (badInstantiation.test):
2722         (badInstantiation):
2723         * wasm/js-api/extension-MemoryMode.js:
2724         * wasm/js-api/table.js:
2725         (new.WebAssembly.Module):
2726         (assert.throws):
2727         (assertBadTableImport):
2728         (assert.throws.WebAssembly.Table.prototype.grow):
2729         (new.WebAssembly.Table):
2730         (assertBadTable):
2731         (assert.truthy):
2732         * wasm/js-api/test_basic_api.js:
2733         (const.c.in.constructorProperties.switch):
2734         * wasm/js-api/unique-signature.js:
2735         (CallIndirectWithDuplicateSignatures):
2736         * wasm/js-api/wrapper-function.js:
2737         * wasm/modules/table.wat:
2738         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2739         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2740         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2741         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2742         * wasm/references/anyref_table.js:
2743         * wasm/references/anyref_table_import.js:
2744         (doSet):
2745         (assert.throws):
2746         * wasm/references/func_ref.js:
2747         (makeFuncrefIdent):
2748         (assert.eq.instance.exports.fix):
2749         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2750         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2751         (let.importedFun.of):
2752         (makeAnyfuncIdent): Deleted.
2753         (makeAnyfuncIdent.fun): Deleted.
2754         * wasm/references/multitable.js:
2755         (assert.eq):
2756         (assert.throws):
2757         * wasm/references/table_misc.js:
2758         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2759         * wasm/references/validation.js:
2760         (assert.throws.new.WebAssembly.Module.bin):
2761         (assert.throws):
2762         * wasm/spec-harness/index.js:
2763         * wasm/spec-harness/wasm-constants.js:
2764         * wasm/spec-harness/wasm-module-builder.js:
2765         (WasmModuleBuilder.prototype.toArray):
2766         * wasm/spec-harness/wast.js:
2767         (elem_type):
2768         (string_of_elem_type):
2769         (string_of_table_type):
2770         * wasm/spec-tests/jsapi.js:
2771         * wasm/stress/wasm-table-grow-initialize.js:
2772         * wasm/wasm.json:
2773
2774 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2775
2776         [WASM-References] Add support for Table.size, grow and fill instructions
2777         https://bugs.webkit.org/show_bug.cgi?id=198761
2778
2779         Reviewed by Yusuke Suzuki.
2780
2781         * wasm/Builder_WebAssemblyBinary.js:
2782         (const.putOp):
2783         * wasm/references/table_misc.js: Added.
2784         (TableSize.End.End.WebAssembly):
2785         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2786         * wasm/wasm.json:
2787
2788 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2789
2790         [WASM-References] Add support for multiple tables
2791         https://bugs.webkit.org/show_bug.cgi?id=198760
2792
2793         Reviewed by Saam Barati.
2794
2795         * wasm/Builder.js:
2796         * wasm/js-api/call-indirect.js:
2797         (const.oneTable):
2798         (const.multiTable):
2799         (multiTable):
2800         (multiTable.Polyphic2Import):
2801         (multiTable.VirtualImport):
2802         (const.wasmModuleWhichImportJS): Deleted.
2803         (const.makeTable): Deleted.
2804         (): Deleted.
2805         (Polyphic2Import): Deleted.
2806         (VirtualImport): Deleted.
2807         * wasm/js-api/table.js:
2808         (new.WebAssembly.Module):
2809         (assert.throws):
2810         (assertBadTableImport):
2811         (assert.truthy):
2812         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2813         * wasm/references/anyref_table.js:
2814         * wasm/references/anyref_table_import.js:
2815         (makeImport):
2816         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2817         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2818         * wasm/references/multitable.js: Added.
2819         (assert.throws.1.exports.set_tbl0):
2820         (assert.throws):
2821         (assert.eq):
2822         * wasm/references/validation.js:
2823         (assert.throws.new.WebAssembly.Module.bin):
2824         (assert.throws):
2825         * wasm/spec-tests/imports.wast.js:
2826         * wasm/wasm.json:
2827
2828         * wasm/Builder.js:
2829         * wasm/js-api/call-indirect.js:
2830         (const.oneTable):
2831         (const.multiTable):
2832         (multiTable):
2833         (multiTable.Polyphic2Import):
2834         (multiTable.VirtualImport):
2835         (const.wasmModuleWhichImportJS): Deleted.
2836         (const.makeTable): Deleted.
2837         (): Deleted.
2838         (Polyphic2Import): Deleted.
2839         (VirtualImport): Deleted.
2840         * wasm/js-api/table.js:
2841         (new.WebAssembly.Module):
2842         (assert.throws):
2843         (assertBadTableImport):
2844         (assert.truthy):
2845         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2846         * wasm/references/anyref_table.js:
2847         * wasm/references/anyref_table_import.js:
2848         (makeImport):
2849         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2850         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2851         * wasm/references/func_ref.js:
2852         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2853         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2854         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2855         * wasm/references/multitable.js: Added.
2856         (assert.throws.1.exports.set_tbl0):
2857         (assert.throws):
2858         (assert.eq):
2859         (string_appeared_here.tableInsanity):
2860         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2861         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2862         * wasm/references/validation.js:
2863         (assert.throws.new.WebAssembly.Module.bin):
2864         (assert.throws):
2865         * wasm/spec-tests/imports.wast.js:
2866         * wasm/wasm.json:
2867
2868 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2869
2870         [ESNext] String.prototype.matchAll
2871         https://bugs.webkit.org/show_bug.cgi?id=186694
2872
2873         Reviewed by Yusuke Suzuki.
2874
2875         Implement String.prototype.matchAll.
2876         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2877
2878         * test262/config.yaml:
2879
2880 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2881
2882         DFG code should not reify the names of builtin functions with private names
2883         https://bugs.webkit.org/show_bug.cgi?id=198849
2884         <rdar://problem/51733890>
2885
2886         Reviewed by Filip Pizlo.
2887
2888         * stress/builtin-private-function-name.js: Added.
2889         (then):
2890         (PromiseLike):
2891
2892 2019-06-18  Keith Miller  <keith_miller@apple.com>
2893
2894         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2895         https://bugs.webkit.org/show_bug.cgi?id=198969
2896         <rdar://problem/51620714>
2897
2898         Reviewed by Tadeu Zagallo.
2899
2900         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2901         (catch):
2902
2903 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2904
2905         Validate that table element type is funcref if using an element section
2906         https://bugs.webkit.org/show_bug.cgi?id=198910
2907
2908         Reviewed by Yusuke Suzuki.
2909
2910         * wasm/references/anyref_table.js:
2911
2912 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2913
2914         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2915         https://bugs.webkit.org/show_bug.cgi?id=197378
2916
2917         Reviewed by Saam Barati.
2918
2919         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2920         (foo):
2921         (bar):
2922         * stress/disposable-call-site-index.js: Added.
2923         (foo):
2924         (bar):
2925
2926 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2927
2928         [WASM-References] Add support for Funcref in parameters and return types
2929         https://bugs.webkit.org/show_bug.cgi?id=198157
2930
2931         Reviewed by Yusuke Suzuki.
2932
2933         * wasm/Builder.js:
2934         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2935         * wasm/references/anyref_globals.js:
2936         * wasm/references/func_ref.js: Added.
2937         (fullGC.gc.makeExportedFunction):
2938         (makeExportedIdent):
2939         (makeAnyfuncIdent):
2940         (fun):
2941         (assert.eq.instance.exports.fix.fun):
2942         (assert.eq.instance.exports.fix):
2943         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2944         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2945         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2946         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2947         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2948         (assert.throws):
2949         (assert.throws.doTest):
2950         (let.importedFun.of):
2951         (makeAnyfuncIdent.fun):
2952         * wasm/references/validation.js:
2953         (assert.throws):
2954         * wasm/wasm.json:
2955
2956 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2957
2958         Update test262 tests (2019.06.13)
2959         https://bugs.webkit.org/show_bug.cgi?id=198821
2960
2961         Reviewed by Konstantin Tokarev.
2962
2963         * test262/expectations.yaml:
2964         * test262/harness/:
2965         * test262/latest-changes-summary.txt:
2966         * test262/test/:
2967         * test262/test262-Revision.txt:
2968
2969 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2970
2971         [JSC] Grown region of WasmTable should be initialized with null
2972         https://bugs.webkit.org/show_bug.cgi?id=198903
2973
2974         Reviewed by Saam Barati.
2975
2976         * wasm/stress/wasm-table-grow-initialize.js: Added.
2977         (shouldBe):
2978
2979 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2980
2981         Yarr bytecode compilation failure should be gracefully handled
2982         https://bugs.webkit.org/show_bug.cgi?id=198700
2983
2984         Reviewed by Michael Saboff.
2985
2986         * stress/regexp-bytecode-compilation-fail.js: Added.
2987         (shouldThrow):
2988
2989 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2990
2991         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2992         https://bugs.webkit.org/show_bug.cgi?id=198770
2993
2994         Reviewed by Saam Barati.
2995
2996         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2997         (test):
2998
2999 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
3000
3001         JSC should throw if proxy set returns falsish in strict mode context
3002         https://bugs.webkit.org/show_bug.cgi?id=177398
3003
3004         Reviewed by Yusuke Suzuki.
3005
3006         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
3007         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
3008
3009         * stress/proxy-set.js: Add 2 test cases.
3010         * stress/regexp-match-proxy.js: Fix test.
3011         * stress/regexp-replace-proxy.js: Fix test.
3012
3013 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
3014
3015         Error message for non-callable Proxy `construct` trap is misleading
3016         https://bugs.webkit.org/show_bug.cgi?id=198637
3017
3018         Reviewed by Saam Barati.
3019
3020         * stress/proxy-construct.js:
3021
3022 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
3023
3024         AI BitURShift's result should not be unsigned
3025         https://bugs.webkit.org/show_bug.cgi?id=198689
3026         <rdar://problem/51550063>
3027
3028         Reviewed by Saam Barati.
3029
3030         * stress/urshift-int32-overflow.js: Added.
3031         (foo.):
3032         (foo):
3033
3034 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
3035
3036         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
3037
3038         Unreviewed gardening.
3039
3040         * stress/ftl-gettypedarrayoffset-wasteful.js:
3041         Skipped on arm/linux as it always times out on the bot since a change
3042         between r246270 and r246278 inclusive.
3043
3044 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
3045
3046         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
3047         https://bugs.webkit.org/show_bug.cgi?id=198023
3048
3049         Reviewed by Saam Barati.
3050
3051         * stress/reparsing-unlinked-codeblock.js: Added.
3052         (shouldBe):
3053         (hello):
3054
3055 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
3056
3057         [JSC] Use mergePrediction in ValuePow prediction propagation
3058         https://bugs.webkit.org/show_bug.cgi?id=198648
3059
3060         Reviewed by Saam Barati.
3061
3062         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
3063
3064 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
3065
3066         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
3067         https://bugs.webkit.org/show_bug.cgi?id=198581
3068         <rdar://problem/51099753>
3069
3070         Reviewed by Saam Barati.
3071
3072         * stress/global-object-proto-getter.js: Added.
3073         (f):
3074         (test):
3075
3076 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
3077
3078         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
3079         https://bugs.webkit.org/show_bug.cgi?id=198398
3080
3081         Reviewed by Saam Barati.
3082
3083         * wasm/references/anyref_table.js: Added.
3084         (string_appeared_here.doGCSet):
3085         (doGCTest):
3086         (doGCSet.doGCTest.let.count.0.doBarrierSet):
3087         * wasm/references/anyref_table_import.js: Added.
3088         (makeImport):
3089         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
3090         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
3091         * wasm/references/is_null_error.js: Removed.
3092         * wasm/references/validation.js: Added.
3093         (assert.throws.new.WebAssembly.Module.bin):
3094         (assert.throws):
3095         * wasm/wasm.json:
3096
3097 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
3098
3099         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
3100         https://bugs.webkit.org/show_bug.cgi?id=198106
3101
3102         Reviewed by Saam Barati.
3103
3104         * wasm/regress/selectf64.js: Added.
3105         * wasm/regress/selectf64.wasm: Added.
3106         * wasm/regress/selectf64.wat: Added.
3107
3108 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
3109
3110         Argument elimination should check transitive dependents for interference
3111         https://bugs.webkit.org/show_bug.cgi?id=198520
3112         <rdar://problem/50863343>
3113
3114         Reviewed by Filip Pizlo.
3115
3116         * stress/argument-elimination-inline-rest-past-kill.js: Added.
3117         (f2):
3118         (f3):
3119
3120 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
3121
3122         Argument elimination should check for negative indices in GetByVal
3123         https://bugs.webkit.org/show_bug.cgi?id=198302
3124         <rdar://problem/51188095>
3125
3126         Reviewed by Filip Pizlo.
3127
3128         * stress/eliminate-arguments-negative-rest-access.js: Added.
3129         (inlinee):
3130         (opt):
3131
3132 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
3133
3134         [ESNext][BigInt] Implement support for "**"
3135         https://bugs.webkit.org/show_bug.cgi?id=190799
3136
3137         Reviewed by Saam Barati.
3138
3139         * stress/big-int-exp-basic.js: Added.
3140         * stress/big-int-exp-jit-osr.js: Added.
3141         * stress/big-int-exp-jit-untyped.js: Added.
3142         * stress/big-int-exp-jit.js: Added.
3143         * stress/big-int-exp-negative-exponent.js: Added.
3144         * stress/big-int-exp-to-primitive.js: Added.
3145         * stress/big-int-exp-type-error.js: Added.
3146         * stress/big-int-exp-wrapped-value.js: Added.
3147         * stress/value-pow-ai-rule.js: Added.
3148
3149 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
3150
3151         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
3152         https://bugs.webkit.org/show_bug.cgi?id=197979
3153
3154         Reviewed by Filip Pizlo.
3155
3156         * stress/16bit-code.js: Added.
3157         (shouldBe):
3158         * stress/32bit-code.js: Added.
3159         (shouldBe):
3160
3161 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
3162
3163         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
3164         https://bugs.webkit.org/show_bug.cgi?id=198355
3165
3166         Reviewed by Saam Barati.
3167
3168         * wasm/references/is_null.js:
3169
3170 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
3171
3172         [PlayStation] Skip additional tests on PlayStation
3173         https://bugs.webkit.org/show_bug.cgi?id=198352
3174
3175         Reviewed by Don Olmstead.
3176
3177         Skip pow test on PlayStation due to behavior difference in standard library.
3178         Skip incremental marking test due to OOM on PlayStation systems.
3179
3180         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
3181         * stress/math-pow-with-constants.js:
3182         * stress/pow-with-constants.js:
3183
3184 2019-05-28  Dean Jackson  <dino@apple.com>
3185
3186         Implement Promise.allSettled
3187         https://bugs.webkit.org/show_bug.cgi?id=197600
3188         <rdar://problem/50483885>
3189
3190         Reviewed by Keith Miller.
3191
3192         Start testing Promise.allSettled. We pass most of the tests.
3193         The ones that fail are similar to the Promise.all tests we already fail.
3194
3195         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
3196         * test262/expectations.yaml: Add new expectations for allSettled tests.
3197
3198 2019-05-28  Michael Saboff  <msaboff@apple.com>
3199
3200         [YARR] Properly handle RegExp's that require large ParenContext space
3201         https://bugs.webkit.org/show_bug.cgi?id=198065
3202
3203         Reviewed by Keith Miller.
3204
3205         New test.
3206
3207         * stress/regexp-large-paren-context.js: Added.
3208         (testLargeRegExp):
3209
3210 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
3211
3212         JITOperations putByVal should mark negative array indices as out-of-bounds
3213         https://bugs.webkit.org/show_bug.cgi?id=198271
3214
3215         Reviewed by Saam Barati.
3216
3217         * microbenchmarks/get-by-val-negative-array-index.js:
3218         (foo):
3219         Update the getByVal microbenchmark added in r245769. This now shows that r245769
3220         is 4.2x faster than the previous commit.
3221
3222         * microbenchmarks/put-by-val-negative-array-index.js: Added.
3223         (foo):
3224
3225 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
3226
3227         JITOperations getByVal should mark negative array indices as out-of-bounds
3228         https://bugs.webkit.org/show_bug.cgi?id=198229
3229
3230         Reviewed by Saam Barati.
3231
3232         * microbenchmarks/get-by-val-negative-array-index.js: Added.
3233         (foo):
3234
3235 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
3236
3237         [WASM-References] Support Anyref in globals
3238         https://bugs.webkit.org/show_bug.cgi?id=198102
3239
3240         Reviewed by Saam Barati.
3241
3242         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
3243
3244         * wasm/Builder.js:
3245         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
3246         * wasm/Builder_WebAssemblyBinary.js:
3247         (const.putInitExpr):
3248         * wasm/references/anyref_globals.js: Added.
3249         (GetGlobal.0.End.End.WebAssembly):
3250         (5.doGCSet):
3251         (doGCTest):
3252         (doGCSet.doGCTest.let.count.0.doBarrierSet):
3253
3254 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3255
3256         DFG::OSREntry should not perform arity check
3257         https://bugs.webkit.org/show_bug.cgi?id=198189
3258
3259         Reviewed by Saam Barati.
3260
3261         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
3262         (foo):
3263
3264 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
3265
3266         [PlayStation] Skip additional tests on PlayStation
3267         https://bugs.webkit.org/show_bug.cgi?id=198145
3268
3269         Reviewed by Ross Kirsling.
3270
3271         * exceptionFuzz.yaml:
3272         Add skip on hostOS playstation
3273         * executableAllocationFuzz.yaml:
3274         Add skip on hostOS playstation
3275
3276 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3277
3278         createListFromArrayLike should throw if value is not an object
3279         https://bugs.webkit.org/show_bug.cgi?id=198138
3280
3281         Reviewed by Yusuke Suzuki.
3282
3283         * stress/create-list-from-array-like-not-object.js: Added.
3284         (testValid):
3285         (testInvalid):
3286         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
3287         (opt):
3288         * stress/proxy-proto-enumerator.js: Added.
3289         (main):
3290         * stress/proxy-proto-own-keys.js: Added.
3291         (assert):
3292         (ownKeys):
3293
3294 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3295
3296         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
3297         https://bugs.webkit.org/show_bug.cgi?id=197809
3298
3299         Reviewed by Michael Saboff.
3300
3301         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
3302         (foo):
3303
3304 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3305
3306         [ESNext] Implement support for Numeric Separators
3307         https://bugs.webkit.org/show_bug.cgi?id=196351
3308
3309         Reviewed by Keith Miller.
3310
3311         * stress/numeric-literal-separators.js: Added.
3312         Add tests for feature.
3313
3314         * test262/expectations.yaml:
3315         Mark 60 test cases as passing.
3316
3317 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3318
3319         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
3320         https://bugs.webkit.org/show_bug.cgi?id=198120
3321         <rdar://problem/49668795>
3322
3323         Reviewed by Michael Saboff.
3324
3325         * stress/get-array-length-concurrently-change-mode.js: Added.
3326         (main):
3327
3328 2019-05-22  Commit Queue  <commit-queue@webkit.org>
3329
3330         Unreviewed, rolling out r245634.
3331         https://bugs.webkit.org/show_bug.cgi?id=198140
3332
3333         'This patch makes JSC crash on launch in debug builds'
3334         (Requested by tadeuzagallo on #webkit).
3335
3336         Reverted changeset:
3337
3338         "[ESNext] Implement support for Numeric Separators"
3339         https://bugs.webkit.org/show_bug.cgi?id=196351
3340         https://trac.webkit.org/changeset/245634
3341
3342 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3343
3344         Stack-buffer-overflow in decodeURIComponent
3345         https://bugs.webkit.org/show_bug.cgi?id=198109
3346         <rdar://problem/50397550>
3347
3348         Reviewed by Michael Saboff.
3349
3350         * stress/decode-uri-icu-count-trail-bytes.js: Added.
3351         (i.j.try.i.toString):
3352         (i.j.catch):
3353
3354 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3355
3356         Don't clear PropertyNameArray in Proxy code
3357         https://bugs.webkit.org/show_bug.cgi?id=197691
3358
3359         Reviewed by Saam Barati.
3360
3361         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
3362         (shouldBe):
3363         (opt):
3364
3365 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3366
3367         [ESNext] Implement support for Numeric Separators
3368         https://bugs.webkit.org/show_bug.cgi?id=196351
3369
3370         Reviewed by Keith Miller.
3371
3372         * stress/numeric-literal-separators.js: Added.
3373         Add tests for feature.
3374
3375         * test262/expectations.yaml:
3376         Mark 60 test cases as passing.
3377
3378 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3379
3380         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
3381         https://bugs.webkit.org/show_bug.cgi?id=198101
3382
3383         Reviewed by Michael Saboff.
3384
3385         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
3386         (shouldBe):
3387
3388 2019-05-20  Keith Miller  <keith_miller@apple.com>
3389
3390         Cleanup Yarr regexp code around paren contexts.
3391         https://bugs.webkit.org/show_bug.cgi?id=198063
3392
3393         Reviewed by Yusuke Suzuki.
3394
3395         * stress/regexp-many-named-sequential-capture-groups.js: Added.
3396         (i.s):
3397         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
3398
3399 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
3400
3401         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
3402         https://bugs.webkit.org/show_bug.cgi?id=197969
3403
3404         Reviewed by Keith Miller.
3405
3406         Support the anyref type in Builder.js, plus add some extra error logging.
3407         Add new folder for wasm references tests.
3408
3409         * wasm.yaml:
3410         * wasm/Builder.js:
3411         (const._isValidValue):
3412         * wasm/references/anyref_modules.js: Added.
3413         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
3414         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
3415         (Call.3.RefIsNull.End.End.WebAssembly):
3416         (undefined):
3417         * wasm/references/is_null.js: Added.
3418         * wasm/references/is_null_error.js: Added.
3419         * wasm/spec-harness/index.js:
3420         * wasm/wasm.json:
3421
3422 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
3423
3424         [JSC] Invalid AssignmentTargetType should be an early error.
3425         https://bugs.webkit.org/show_bug.cgi?id=197603
3426
3427         Reviewed by Keith Miller.
3428
3429         * test262/expectations.yaml:
3430         Update expectations to reflect new SyntaxErrors.
3431         (Ideally, these should all be viewed as passing in the near future.)
3432
3433         * stress/async-await-basic.js:
3434         * stress/big-int-literals.js:
3435         Update tests to reflect new SyntaxErrors.
3436
3437         * ChakraCore.yaml:
3438         * ChakraCore/test/EH/try6.baseline-jsc:
3439         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
3440         Update baselines to reflect new SyntaxErrors.
3441
3442 2019-05-15  Saam Barati  <sbarati@apple.com>
3443
3444         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
3445         https://bugs.webkit.org/show_bug.cgi?id=197855
3446         <rdar://problem/50236506>
3447
3448         Reviewed by Michael Saboff.
3449
3450         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
3451         (f0):
3452         (bar):
3453         (foo):
3454         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
3455         (f1):
3456         (f2):
3457         (foo):
3458
3459 2019-05-14  Keith Miller  <keith_miller@apple.com>
3460
3461         Fix issue with byteOffset on ARM64E
3462         https://bugs.webkit.org/show_bug.cgi?id=197884
3463
3464         Reviewed by Saam Barati.
3465
3466         We didn't have any tests that run with non-byte/non-zero offset
3467         typed arrays.
3468
3469         * stress/ftl-gettypedarrayoffset-wasteful.js:
3470
3471 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
3472
3473         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
3474         https://bugs.webkit.org/show_bug.cgi?id=197833
3475
3476         Reviewed by Darin Adler.
3477
3478         * stress/generator-name.js: Added.
3479         (shouldBe):
3480         (gen):
3481         (catch):
3482
3483 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
3484
3485         JSObject::getOwnPropertyDescriptor is missing an exception check
3486         https://bugs.webkit.org/show_bug.cgi?id=197693
3487         <rdar://problem/50441784>
3488
3489         Reviewed by Saam Barati.
3490
3491         * stress/proxy-spread.js: Added.
3492         (foo):
3493
3494 2019-05-10  Saam Barati  <sbarati@apple.com>
3495
3496         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
3497         https://bugs.webkit.org/show_bug.cgi?id=197807
3498         <rdar://problem/50530400>
3499
3500         Reviewed by Yusuke Suzuki.
3501
3502         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
3503         (test.getInstance):
3504         (test):
3505
3506 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
3507
3508         [Test262] Unreviewed expectations update following r245188.
3509
3510         * test262/config.yaml:
3511         * test262/expectations.yaml:
3512
3513         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
3514         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
3515         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
3516         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
3517         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
3518         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
3519         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
3520         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
3521         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
3522         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
3523         These files have invalid YAML comments. Will also submit corrections back to Test262.
3524
3525 2019-05-10  Keith Miller  <keith_miller@apple.com>
3526
3527         Update test262 tests.
3528
3529         Rubber-stamped by Yusuke Suzuki.
3530
3531         * test262/*: mega-patch too many things to list individually.
3532
3533 2019-05-09  Keith Miller  <keith_miller@apple.com>
3534
3535         Unreviewed, fix test to have a try-catch.
3536
3537         * stress/many-nested-functions-parser-stack-overflow.js:
3538         (catch):
3539
3540 2019-05-09  Keith Miller  <keith_miller@apple.com>
3541
3542         parseStatementListItem needs a stack overflow check
3543         https://bugs.webkit.org/show_bug.cgi?id=197749
3544
3545         Reviewed by Saam Barati.
3546
3547         * stress/many-nested-functions-parser-stack-overflow.js: Added.
3548
3549 2019-05-08  Saam Barati  <sbarati@apple.com>
3550
3551         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
3552         https://bugs.webkit.org/show_bug.cgi?id=197715
3553         <rdar://problem/50399252>
3554
3555         Reviewed by Filip Pizlo.
3556
3557         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
3558         (foo):
3559         (bar):
3560
3561 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3562
3563         Unreviewed, rolling out r245068.
3564
3565         Caused debug layout tests to exit early due to an assertion
3566         failure.
3567
3568         Reverted changeset:
3569
3570         "All prototypes should call didBecomePrototype()"
3571         https://bugs.webkit.org/show_bug.cgi?id=196315
3572         https://trac.webkit.org/changeset/245068
3573
3574 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3575
3576         Invalid DFG JIT generation in high CPU usage state
3577         https://bugs.webkit.org/show_bug.cgi?id=197453
3578
3579         Reviewed by Saam Barati.
3580
3581         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3582         (trigger):
3583         (main):
3584
3585 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3586
3587         All prototypes should call didBecomePrototype()
3588         https://bugs.webkit.org/show_bug.cgi?id=196315
3589
3590         Reviewed by Saam Barati.
3591
3592         This changelog already landed, but the commit was missing the actual changes.
3593
3594         * stress/function-prototype-indexed-accessor.js: Added.
3595
3596 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3597
3598         [BigInt] Add ValueMod into DFG
3599         https://bugs.webkit.org/show_bug.cgi?id=186174
3600
3601         Reviewed by Saam Barati.
3602
3603         * microbenchmarks/mod-untyped.js: Added.
3604         * stress/big-int-mod-osr.js: Added.
3605         * stress/value-div-ai-rule.js: Added.
3606         * stress/value-mod-ai-rule.js: Added.
3607
3608 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3609
3610         [JSC] DFG_ASSERT failed in lowInt52
3611         https://bugs.webkit.org/show_bug.cgi?id=197569
3612
3613         Reviewed by Saam Barati.
3614
3615         * stress/getstack-int52.js: Added.
3616         (opt):
3617         (main):
3618
3619 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3620
3621         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3622         https://bugs.webkit.org/show_bug.cgi?id=197479
3623
3624         Reviewed by Saam Barati.
3625
3626         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3627         (shouldBe):
3628
3629 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3630
3631         TemplateObject passed to template literal tags are not always identical for the same source location.
3632         https://bugs.webkit.org/show_bug.cgi?id=190756
3633
3634         Reviewed by Saam Barati.
3635
3636         * complex.yaml:
3637         * complex/tagged-template-regeneration-after.js: Added.
3638         (shouldBe):
3639         * complex/tagged-template-regeneration.js: Added.
3640         (call):
3641         (test):
3642         * modules/tagged-template-inside-module.js: Added.
3643         (from.string_appeared_here.call):
3644         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3645         (call):
3646         (export.otherTaggedTemplates):
3647         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3648         (shouldBe):
3649         (call):
3650         (poly):
3651         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3652         (shouldBe):
3653         (call):
3654         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3655         (shouldBe):
3656         (call):
3657         (test):
3658         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3659         (shouldBe):
3660         (call):
3661         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3662         (shouldBe):
3663         (call):
3664         * stress/tagged-templates-in-multiple-functions.js: Added.
3665         (shouldBe):
3666         (call):
3667         (a):
3668         (b):
3669         (c):
3670         * stress/tagged-templates-with-same-start-offset.js: Added.
3671         (shouldBe):
3672
3673 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3674
3675         All prototypes should call didBecomePrototype()
3676         https://bugs.webkit.org/show_bug.cgi?id=196315
3677
3678         Reviewed by Saam Barati.
3679
3680         * stress/function-prototype-indexed-accessor.js: Added.
3681
3682 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3683
3684         Unreviewed, rolling out r244978.
3685         https://bugs.webkit.org/show_bug.cgi?id=197671
3686
3687         TemplateObject map should use start/end offsets (Requested by
3688         yusukesuzuki on #webkit).
3689
3690         Reverted changeset:
3691
3692         "TemplateObject passed to template literal tags are not always
3693         identical for the same source location."
3694         https://bugs.webkit.org/show_bug.cgi?id=190756
3695         https://trac.webkit.org/changeset/244978
3696
3697 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3698
3699         tryCachePutByID should not crash if target offset changes
3700         https://bugs.webkit.org/show_bug.cgi?id=197311
3701         <rdar://problem/48033612>
3702
3703         Reviewed by Filip Pizlo.
3704
3705         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
3706         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
3707
3708         * stress/cache-put-by-id-delete-prototype.js: Added.
3709         (A.prototype.set y):
3710         (A):
3711         (B.prototype.set y):
3712         (B):
3713         (C):
3714         * stress/cache-put-by-id-different-__proto__.js: Added.
3715         (A.prototype.set y):
3716         (A):
3717         (B1):
3718         (B2.prototype.set y):
3719         (B2):
3720         (C):
3721         (D):
3722         * stress/cache-put-by-id-different-attributes.js: Added.
3723         (Foo):
3724         (set x):
3725         * stress/cache-put-by-id-different-offset.js: Added.
3726         (Foo):
3727         (set x):
3728         * stress/cache-put-by-id-insert-prototype.js: Added.
3729         (A.prototype.set y):
3730         (A):
3731         (C):
3732         * stress/cache-put-by-id-poly-proto.js: Added.
3733         (Foo):
3734         (set _):
3735         (createBar.Bar):
3736         (createBar):
3737
3738 2019-05-07  Saam Barati  <sbarati@apple.com>
3739
3740         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3741         https://bugs.webkit.org/show_bug.cgi?id=197531
3742         <rdar://problem/50162379>
3743
3744         Reviewed by Yusuke Suzuki.
3745
3746         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3747
3748 2019-05-06  Dean Jackson  <dino@apple.com>
3749
3750         Update test262 expectations for Proxy passes
3751         https://bugs.webkit.org/show_bug.cgi?id=197628
3752
3753         Reviewed by Yusuke Suzuki.
3754
3755         There are two consistent passes in Proxy.ownKeys.
3756
3757         * test262/expectations.yaml:
3758
3759 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3760
3761         [JSC] We should check OOM for description string of Symbol
3762         https://bugs.webkit.org/show_bug.cgi?id=197634
3763
3764         Reviewed by Keith Miller.
3765
3766         * stress/check-symbol-description-oom.js: Added.
3767         (shouldThrow):
3768
3769 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3770
3771         Unreviewed, land one more test
3772         https://bugs.webkit.org/show_bug.cgi?id=197587
3773
3774         * stress/setter-frame-flush.js: Added.
3775         (setter):
3776         (foo):
3777         (bar):
3778
3779 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3780
3781         TemplateObject passed to template literal tags are not always identical for the same source location.
3782         https://bugs.webkit.org/show_bug.cgi?id=190756
3783
3784         Reviewed by Saam Barati.
3785
3786         * complex.yaml:
3787         * complex/tagged-template-regeneration-after.js: Added.
3788         (shouldBe):
3789         * complex/tagged-template-regeneration.js: Added.
3790         (call):
3791         (test):
3792         * modules/tagged-template-inside-module.js: Added.
3793         (from.string_appeared_here.call):
3794         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3795         (call):
3796         (export.otherTaggedTemplates):
3797         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3798         (shouldBe):
3799         (call):
3800         (poly):
3801         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3802         (shouldBe):
3803         (call):
3804         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3805         (shouldBe):
3806         (call):
3807         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3808         (shouldBe):
3809         (call):
3810         * stress/tagged-templates-in-multiple-functions.js: Added.
3811         (shouldBe):
3812         (call):
3813         (a):
3814         (b):
3815         (c):
3816
3817 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3818
3819         [PlayStation] JSC Stress tests failing due to timezone printing
3820         https://bugs.webkit.org/show_bug.cgi?id=197615
3821
3822         PlayStation's strftime does not give timezone strings, which
3823         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3824         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3825         which causes diff failures with the expectations. Add expectations
3826         without the timezone string and use those on playstation.
3827
3828         Reviewed by Ross Kirsling.
3829
3830         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3831         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3832         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3833         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3834
3835 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3836
3837         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3838         https://bugs.webkit.org/show_bug.cgi?id=197587
3839
3840         Reviewed by Sam Weinig.
3841
3842         This patch adds more tests to r244939. It also inlines setter calls, and eventually sees that no PutStack is emitted because MovHint's KillStack kills it.
3843
3844         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3845
3846 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3847
3848         TypedArrays should not store properties that are canonical numeric indices
3849         https://bugs.webkit.org/show_bug.cgi?id=197228
3850         <rdar://problem/49557381>
3851
3852         Reviewed by Saam Barati.
3853
3854         * stress/array-species-config-array-constructor.js:
3855         (test):
3856         * stress/put-direct-index-broken-2.js:
3857         * stress/typed-array-canonical-numeric-index-string.js: Added.
3858         (makeTest.assert):
3859         (makeTest):
3860         (const.testInvalidIndices.makeTest.set assert):
3861         (const.testInvalidIndices.makeTest):
3862         (const.makeTestValidIndex.configurable.set assert):
3863         (const.makeTestValidIndex.configurable):
3864         * stress/typedarray-access-monomorphic-neutered.js:
3865         (checkNoException):
3866         (testNoException):
3867         (testFTLNoException):
3868         * stress/typedarray-access-neutered.js:
3869         (testNoException):
3870         * stress/typedarray-getownproperty-not-configurable.js:
3871         (foo):
3872         * test262/expectations.yaml:
3873
3874 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3875
3876         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3877         https://bugs.webkit.org/show_bug.cgi?id=197584
3878
3879         Reviewed by Saam Barati.
3880
3881         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3882         (X):
3883         (foo):
3884
3885 2019-05-03  Michael Saboff  <msaboff@apple.com>
3886
3887         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3888         https://bugs.webkit.org/show_bug.cgi?id=197586
3889
3890         Reviewed by Keith Miller.
3891
3892         We should only run one config of this test and only when we think we'll have the memory.
3893
3894         * stress/json-stringify-string-builder-overflow.js:
3895
3896 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3897
3898         [JSC] Generator CodeBlock generation should be idempotent
3899         https://bugs.webkit.org/show_bug.cgi?id=197552
3900
3901         Reviewed by Keith Miller.
3902
3903         Add complex.yaml, which controls how to run JSC shell more.
3904         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3905
3906         * complex.yaml: Added.
3907         * complex/generator-regeneration-after.js: Added.
3908         * complex/generator-regeneration.js: Added.
3909         (gen):
3910
3911 2019-05-02  Michael Saboff  <msaboff@apple.com>
3912
3913         Unreviewed rollout of r244862.
3914
3915         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3916
3917 2019-05-01  Saam barati  <sbarati@apple.com>
3918
3919         Baseline JIT should do argument value profiling after checking for stack overflow
3920         https://bugs.webkit.org/show_bug.cgi?id=197052
3921         <rdar://problem/50009602>
3922
3923         Reviewed by Yusuke Suzuki.
3924
3925         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3926
3927 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3928
3929         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3930         https://bugs.webkit.org/show_bug.cgi?id=197405
3931
3932         Reviewed by Saam Barati.
3933
3934         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3935         (foo):
3936         (test):
3937         (i.o.get f):
3938         (i.o.set f):
3939
3940 2019-05-01  Michael Saboff  <msaboff@apple.com>
3941
3942         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3943         https://bugs.webkit.org/show_bug.cgi?id=197485
3944
3945         Reviewed by Saam Barati.
3946
3947         New test.
3948
3949         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3950         (foo):
3951
3952 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3953
3954         Unreviewed correction to Test262 expectations following r244828.
3955
3956         * test262/expectations.yaml:
3957
3958 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3959
3960         Add memory-limited skipping to some tests generating very large strings
3961         https://bugs.webkit.org/show_bug.cgi?id=197437
3962
3963         Reviewed by Ross Kirsling.
3964
3965         * stress/StringObject-define-length-getter-rope-string-oom.js:
3966         * stress/create-error-out-of-memory-rope-string.js:
3967         * stress/string-16bit-repeat-overflow.js:
3968
3969 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3970
3971         Unreviewed, rolling out r244806.
3972         https://bugs.webkit.org/show_bug.cgi?id=197446
3973
3974         Causing Test262 and JSC test failures on multiple builds
3975         (Requested by ShawnRoberts on #webkit).
3976
3977         Reverted changeset:
3978
3979         "TypedArrays should not store properties that are canonical
3980         numeric indices"
3981         https://bugs.webkit.org/show_bug.cgi?id=197228
3982         https://trac.webkit.org/changeset/244806
3983
3984 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3985
3986         TypedArrays should not store properties that are canonical numeric indices
3987         https://bugs.webkit.org/show_bug.cgi?id=197228
3988         <rdar://problem/49557381>
3989
3990         Reviewed by Darin Adler.
3991
3992         * stress/typed-array-canonical-numeric-index-string.js: Added.
3993         (makeTest.assert):
3994         (makeTest):
3995         (const.testInvalidIndices.makeTest.set assert):
3996         (const.testInvalidIndices.makeTest):
3997         (const.testValidIndices.makeTest.set assert):
3998         (const.testValidIndices.makeTest):
3999
4000 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
4001
4002         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
4003         https://bugs.webkit.org/show_bug.cgi?id=197362
4004
4005         Reviewed by Saam Barati.
4006
4007         * stress/map-with-nan.js: Added.
4008         (shouldBe):
4009         (div):
4010         (NaN1):
4011         (NaN2):
4012         (NaN3):
4013         (NaN4):
4014         (NaN1NoInline):
4015         (NaN2NoInline):
4016         (NaN3NoInline):
4017         (NaN4NoInline):
4018         (test1):
4019         (test2):
4020         (test3):
4021         (test4):
4022         * stress/set-with-nan.js: Added.
4023         (shouldBe):
4024         (div):
4025         (NaN1):
4026         (NaN2):
4027         (NaN3):
4028         (NaN4):
4029         (NaN1NoInline):
4030         (NaN2NoInline):
4031         (NaN3NoInline):
4032         (NaN4NoInline):
4033         (test2):
4034         (test4):
4035
4036 2019-04-26  Commit Queue  <commit-queue@webkit.org>
4037
4038         Unreviewed, rolling out r244708.
4039         https://bugs.webkit.org/show_bug.cgi?id=197334
4040
4041         "Broke the debug build" (Requested by rmorisset on #webkit).
4042
4043         Reverted changeset:
4044
4045         "All prototypes should call didBecomePrototype()"
4046         https://bugs.webkit.org/show_bug.cgi?id=196315
4047         https://trac.webkit.org/changeset/244708
4048
4049 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
4050
4051         [JSC] linkPolymorphicCall now does GC
4052         https://bugs.webkit.org/show_bug.cgi?id=197306
4053
4054         Reviewed by Saam Barati.
4055
4056         * stress/link-polymorphic-call-can-gc.js: Added.
4057         (module):
4058         (instance):
4059
4060 2019-04-26  Robin Morisset  <rmorisset@apple.com>
4061
4062         All prototypes should call didBecomePrototype()
4063         https://bugs.webkit.org/show_bug.cgi?id=196315
4064
4065         Reviewed by Saam Barati.
4066
4067         * stress/function-prototype-indexed-accessor.js: Added.
4068
4069 2019-04-23  Saam Barati  <sbarati@apple.com>
4070
4071         LICM incorrectly assumes it'll never insert a node which provably OSR exits
4072         https://bugs.webkit.org/show_bug.cgi?id=196721
4073         <rdar://problem/49556479> 
4074
4075         Reviewed by Filip Pizlo.
4076
4077         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
4078         (foo):
4079
4080 2019-04-19  Saam Barati  <sbarati@apple.com>
4081
4082         AbstractValue can represent more than int52
4083         https://bugs.webkit.org/show_bug.cgi?id=197118
4084         <rdar://problem/49969960>
4085
4086         Reviewed by Michael Saboff.
4087
4088         * stress/abstract-value-can-include-int52.js: Added.
4089         (foo):
4090         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
4091
4092 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
4093
4094         [WTF] StringBuilder should set correct m_is8Bit flag when merging
4095         https://bugs.webkit.org/show_bug.cgi?id=197053
4096
4097         Reviewed by Saam Barati.
4098
4099         * stress/merge-string-builder-in-dfg.js: Added.
4100         (foo):
4101
4102 2019-04-16  Caitlin Potter  <caitp@igalia.com>
4103
4104         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
4105         https://bugs.webkit.org/show_bug.cgi?id=176810
4106
4107         Reviewed by Saam Barati.
4108
4109         Add tests for the DontEnum filtering, and variations of other tests
4110         take the DontEnum-filtering path.
4111
4112         * stress/proxy-own-keys.js:
4113         (i.catch):
4114         (set assert):
4115         (set add):
4116         (let.set new):
4117         (get let):
4118
4119 2019-04-15  Saam barati  <sbarati@apple.com>
4120
4121         Modify how we do SetArgument when we inline varargs calls
4122         https://bugs.webkit.org/show_bug.cgi?id=196712
4123         <rdar://problem/49605012>
4124
4125         Reviewed by Michael Saboff.
4126
4127         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
4128         (foo):
4129
4130 2019-04-15  Saam barati  <sbarati@apple.com>
4131
4132         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
4133         https://bugs.webkit.org/show_bug.cgi?id=196945
4134         <rdar://problem/49802750>
4135
4136         Reviewed by Filip Pizlo.
4137
4138         * stress/get-by-offset-should-use-correct-child.js: Added.
4139         (foo.bar):
4140         (foo):
4141
4142 2019-04-15  Robin Morisset  <rmorisset@apple.com>
4143
4144         DFG should be able to constant fold Object.create() with a constant prototype operand
4145         https://bugs.webkit.org/show_bug.cgi?id=196886
4146
4147         Reviewed by Yusuke Suzuki.
4148
4149         Note that this new benchmark does not currently see a speedup with inlining removed.
4150         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
4151
4152         * microbenchmarks/object-create-constant-prototype.js: Added.
4153         (test):
4154
4155 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
4156
4157         Incremental bytecode cache should not append function updates when loaded from memory
4158         https://bugs.webkit.org/show_bug.cgi?id=196865
4159
4160         Reviewed by Filip Pizlo.
4161
4162         * stress/bytecode-cache-shared-code-block.js: Added.
4163         (b):
4164         (program):
4165
4166 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
4167
4168         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
4169         https://bugs.webkit.org/show_bug.cgi?id=196880
4170
4171         Reviewed by Yusuke Suzuki.
4172
4173         * stress/bytecode-cache-syntax-error.js: Added.
4174         (catch):
4175
4176 2019-04-12  Saam barati  <sbarati@apple.com>
4177
4178         r244079 logically broke shouldSpeculateInt52
4179         https://bugs.webkit.org/show_bug.cgi?id=196884
4180
4181         Reviewed by Yusuke Suzuki.
4182
4183         * microbenchmarks/int52-rand-function.js: Added.
4184         (Math.random):
4185
4186 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
4187
4188         [JSC] op_has_indexed_property should not assume subscript part is Uint32
4189         https://bugs.webkit.org/show_bug.cgi?id=196850
4190
4191         Reviewed by Saam Barati.
4192
4193         * stress/has-indexed-property-should-accept-non-int32.js: Added.
4194         (foo):
4195
4196 2019-04-11  Saam barati  <sbarati@apple.com>
4197
4198         Remove invalid assertion in operationInstanceOfCustom
4199         https://bugs.webkit.org/show_bug.cgi?id=196842
4200         <rdar://problem/49725493>
4201
4202         Reviewed by Michael Saboff.
4203
4204         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
4205
4206 2019-04-10  Saam Barati  <sbarati@apple.com>
4207
4208         AbstractValue::validateOSREntryValue is wrong for Int52 constants
4209         https://bugs.webkit.org/show_bug.cgi?id=196801
4210         <rdar://problem/49771122>
4211
4212         Reviewed by Yusuke Suzuki.
4213
4214         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
4215
4216 2019-04-10  Robin Morisset  <rmorisset@apple.com>
4217
4218         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
4219         https://bugs.webkit.org/show_bug.cgi?id=196746
4220
4221         Reviewed by Yusuke Suzuki.
4222
4223         * stress/cyclic-define-properties.js: Added.
4224         (foo):
4225
4226 2019-04-09  Saam barati  <sbarati@apple.com>
4227
4228         Clean up Int52 code and some bugs in it
4229         https://bugs.webkit.org/show_bug.cgi?id=196639
4230         <rdar://problem/49515757>
4231
4232         Reviewed by Yusuke Suzuki.
4233
4234         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
4235
4236 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
4237
4238         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
4239         https://bugs.webkit.org/show_bug.cgi?id=196708
4240         <rdar://problem/49556803>
4241
4242         Reviewed by Yusuke Suzuki.
4243
4244         * stress/proxy-getter-stack-overflow.js: Added.
4245         (const.handler.get target):
4246         (const.handler.has):
4247         (try.with):
4248         (catch):
4249
4250 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4251
4252         [JSC] DFG should respect node's strict flag
4253         https://bugs.webkit.org/show_bug.cgi?id=196617
4254
4255         Reviewed by Saam Barati.
4256
4257         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
4258         (shouldEqual):
4259         (makeUnwriteableUnconfigurableObject):
4260         (runTest):
4261         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
4262         (shouldBe):
4263         (shouldThrow):
4264         (with.result):
4265         (with.putValueStrict):
4266         (with.putValueSloppy):
4267
4268 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4269
4270         [JSC] isRope jump in StringSlice should not jump over register allocations
4271         https://bugs.webkit.org/show_bug.cgi?id=196716
4272
4273         Reviewed by Saam Barati.
4274
4275         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
4276         (foo.bar):
4277         (foo):
4278
4279 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4280
4281         [JSC] to_index_string should not assume incoming value is Uint32
4282         https://bugs.webkit.org/show_bug.cgi?id=196713
4283
4284         Reviewed by Saam Barati.
4285
4286         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
4287         (foo):
4288
4289 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4290
4291         [JSC] Add more tests for r243966
4292         https://bugs.webkit.org/show_bug.cgi?id=196711
4293
4294         Reviewed by Saam Barati.
4295
4296         Adding one more test for r243966 fix. The added test will not crash after r243966.
4297
4298         * stress/stress-cleared-calllinkinfo.js: Added.
4299         (runNearStackLimit.t):
4300         (runNearStackLimit):
4301         (repeat):
4302         (cls):
4303         (let.item.of.array.runNearStackLimit):
4304
4305 2019-04-08  Saam Barati  <sbarati@apple.com>
4306
4307         WebAssembly.RuntimeError missing exception check
4308         https://bugs.webkit.org/show_bug.cgi?id=196700
4309         <rdar://problem/49693932>
4310
4311         Reviewed by Yusuke Suzuki.
4312
4313         * wasm/js-api/runtime-error-should-exception-check.js: Added.
4314
4315 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4316
4317         Unreviewed, rolling in r243948 with test fix
4318         https://bugs.webkit.org/show_bug.cgi?id=196486
4319
4320         * stress/arrow-function-and-use-strict-directive.js: Added.
4321         * stress/arrow-function-syntax.js: Added.
4322         (checkSyntax):
4323         (checkSyntaxError):
4324
4325 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4326
4327         Unreviewed, rolling out r243948.
4328
4329         Caused inspector/runtime/parse.html to fail
4330
4331         Reverted changeset:
4332
4333         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
4334         https://bugs.webkit.org/show_bug.cgi?id=196486
4335         https://trac.webkit.org/changeset/243948
4336
4337 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4338
4339         Unreviewed, rolling out r243943.
4340
4341         Caused test262 failures.
4342
4343         Reverted changeset:
4344
4345         "[JSC] Filter DontEnum properties in
4346         ProxyObject::getOwnPropertyNames()"
4347         https://bugs.webkit.org/show_bug.cgi?id=176810
4348         https://trac.webkit.org/changeset/243943
4349
4350 2019-04-07  Michael Saboff  <msaboff@apple.com>
4351
4352         REGRESSION (r243642): Crash in reddit.com page
4353         https://bugs.webkit.org/show_bug.cgi?id=196684
4354
4355         Reviewed by Geoffrey Garen.
4356
4357         New regression test.
4358
4359         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
4360
4361 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
4362
4363         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
4364         https://bugs.webkit.org/show_bug.cgi?id=196683
4365
4366         Reviewed by Saam Barati.
4367
4368         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
4369         (foo):
4370
4371 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4372
4373         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
4374         https://bugs.webkit.org/show_bug.cgi?id=196582
4375
4376         Reviewed by Saam Barati.
4377
4378         * stress/add-overflow-check-with-three-same-registers.js: Added.
4379         (foo):
4380         (Number.prototype.valueOf):
4381         (runWithNumber):
4382
4383 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
4384
4385         Unreviewed, rolling out r243665.
4386
4387         Caused iOS JSC tests to exit with an exception.
4388
4389         Reverted changeset:
4390
4391         "Assertion failed in JSC::createError"
4392         https://bugs.webkit.org/show_bug.cgi?id=196305
4393         https://trac.webkit.org/changeset/243665
4394
4395 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4396
4397         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
4398         https://bugs.webkit.org/show_bug.cgi?id=196486
4399
4400         Reviewed by Saam Barati.
4401
4402         * stress/arrow-function-and-use-strict-directive.js: Added.
4403         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
4404         (checkSyntax):
4405         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
4406
4407 2019-04-05  Caitlin Potter  <caitp@igalia.com>
4408
4409         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
4410         https://bugs.webkit.org/show_bug.cgi?id=176810
4411
4412         Reviewed by Saam Barati.
4413
4414         Add tests for the DontEnum filtering, and variations of other tests