[WebKit-https.git] / JSTests / ChangeLog
2019-09-23  Caio Lima  <ticaiolima@gmail.com>

        Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=202113

        Unreviewed test gardening, skipped test in ARMv7 and MIPS.

        It is going to be fixed in
        https://bugs.webkit.org/show_bug.cgi?id=202041

        * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:

2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
        https://bugs.webkit.org/show_bug.cgi?id=202072

        Reviewed by Mark Lam.

        * stress/int52rep-with-double-checks-int52-range.js: Added.
        (shouldBe):
        (test):

2019-09-21  Caio Lima  <ticaiolima@gmail.com>

        stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=202011

        Reviewed by Mark Lam.

        We are skipping this test on MIPS and ARMv7 because some of its assumptions
        are not valid for them. The current behavior of the test on those architectures
        is that it does not throw at the `new ArrayBuffer(1000)` allocation site,
        because eden collection keeps happening between iterations. The collection
        is triggered on those architectures because the amount of stress
        `new Promise` generates into GC limits is not enough to avoid them
        while the loop is executing.

        Changing the size of `UInt8Array` from `80000000` to `160000000` can
        be an alternative fix to avoid collection happening during the `ArrayBuffer`
        allocation loop, but we can't guarantee this test is always going to execute
        without error when Gigacage is disabled, given we can reach an OOM state in
        some allocations that need to succeed, making this test flaky for those
        architectures.

        * stress/test-out-of-memory.js:

2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>

        AccessCase should strongly visit its dependencies while on stack
        https://bugs.webkit.org/show_bug.cgi?id=201986
        <rdar://problem/55521953>

        Reviewed by Saam Barati and Yusuke Suzuki.

        * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
        (foo):
        (warmup):

2019-09-20  Saam Barati  <sbarati@apple.com>

        Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.

        * stress/toctou-having-a-bad-time-new-array.js:

2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
        https://bugs.webkit.org/show_bug.cgi?id=202014

        Reviewed by Saam Barati.

        * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
        (__v0):

2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>

        Syntax checker should report duplicate __proto__ properties
        https://bugs.webkit.org/show_bug.cgi?id=201897
        <rdar://problem/53201788>

        Reviewed by Mark Lam.

        * stress/syntax-checker-duplicate-underscore-proto.js: Added.
        (catch):

2019-09-18  Saam Barati  <sbarati@apple.com>

        TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=201953
        <rdar://problem/53803524>

        Reviewed by Yusuke Suzuki.

        * stress/toctou-having-a-bad-time-new-array.js: Added.
        (let.code):

2019-09-18  Saam Barati  <sbarati@apple.com>

        Phantom insertion phase may disagree with arguments forwarding about live ranges
        https://bugs.webkit.org/show_bug.cgi?id=200715
        <rdar://problem/54301717>

        Reviewed by Yusuke Suzuki.

        * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
        (main.v23):
        (main.try.v43):
        (main.):
        (main):

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generator should have internal fields
        https://bugs.webkit.org/show_bug.cgi?id=201159

        Reviewed by Keith Miller.

        * stress/create-generator.js: Added.
        (shouldBe):
        (test.generator):
        (test):
        * stress/generator-construct-failure.js: Added.
        (shouldThrow):
        (TypeError):
        * stress/generator-prototype-change.js: Added.
        (shouldBe):
        (gen):
        * stress/generator-prototype-closure.js: Added.
        (shouldBe):
        (test.gen):
        (test):
        * stress/object-assign-fast-path.js:

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        Follow-up after String.codePointAt optimization
        https://bugs.webkit.org/show_bug.cgi?id=201889

        Reviewed by Saam Barati.

        * stress/string-char-at-bad-type.js: Added.
        (shouldBe):
        (object.toString):
        (test):
        * stress/string-char-code-at-bad-type.js: Added.
        (shouldBe):
        (object.toString):
        (test):
        * stress/string-code-point-at-bad-type.js: Added.
        (shouldBe):
        (object.toString):
        (test):

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CheckArray+NonArray is not filtering out Array in AI
        https://bugs.webkit.org/show_bug.cgi?id=201857
        <rdar://problem/54194820>

        Reviewed by Keith Miller.

        * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
        (foo):

2019-09-17  Saam Barati  <sbarati@apple.com>

        CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
        https://bugs.webkit.org/show_bug.cgi?id=201853
        <rdar://problem/53805461>

        Reviewed by Yusuke Suzuki.

        * stress/direct-arguments-check-array-filter-type.js: Added.
        (foo):

2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>

        Wasm StreamingParser should validate that number of functions matches number of declarations
        https://bugs.webkit.org/show_bug.cgi?id=201850
        <rdar://problem/55290186>

        Reviewed by Yusuke Suzuki.

        * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
        (catch):

2019-09-16  Michael Saboff  <msaboff@apple.com>

        [JSC] Perform check again when we found non-BMP characters
        https://bugs.webkit.org/show_bug.cgi?id=201647

        Reviewed by Yusuke Suzuki.

        * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
        * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
        (testRegExpInbounds):

2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add missing syntax errors for await in function parameter default expressions
        https://bugs.webkit.org/show_bug.cgi?id=201615

        Reviewed by Darin Adler.

        * stress/async-await-reserved-word.js:
        * stress/async-await-syntax.js:
        Add test cases.

        * test262/expectations.yaml:
        Mark newly-passing test cases.

2019-09-16  Saam Barati  <sbarati@apple.com>

        JSObject::putInlineSlow should not ignore "__proto__" for Proxy
        https://bugs.webkit.org/show_bug.cgi?id=200386
        <rdar://problem/53854946>

        Reviewed by Yusuke Suzuki.

        * stress/proxy-__proto__-in-prototype-chain.js: Added.
        * stress/proxy-property-replace-structure-transition.js: Added.

2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON does not execute steps 1-2
        https://bugs.webkit.org/show_bug.cgi?id=105282

        Reviewed by Ross Kirsling.

        * test262/expectations.yaml: Mark 2 test cases as passing.

2019-09-12  Mark Lam  <mark.lam@apple.com>

        Harden JSC against the abuse of runtime options.
        https://bugs.webkit.org/show_bug.cgi?id=201597
        <rdar://problem/55167068>

        Reviewed by Filip Pizlo.

        Remove the call to forceGCSlowPaths().  This utility function will be removed.
        The modern way to set the required option is to use //@ requireOptions.

        * stress/ftl-try-catch-oom-error-lazy-slow-path.js:

2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add StringCodePointAt intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=201673

        Reviewed by Michael Saboff.

        * stress/string-char-at-constant-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-char-code-at-constant-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at--out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at-basic.js: Added.
        (test):
        * stress/string-code-point-at-constant-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
        (shouldBe):
        (test):
        * stress/string-code-point-at-constant-surrogate-pair.js: Added.
        (shouldBe):
        (test):
        (breaking):
        * stress/string-code-point-at-surrogate-pair.js: Added.
        (shouldBe):
        * stress/string-code-point-at.js: Added.
        (shouldBe):

2019-09-10  Michael Saboff  <msaboff@apple.com>

        JSC crashes due to stack overflow while building RegExp
        https://bugs.webkit.org/show_bug.cgi?id=201649

        Reviewed by Yusuke Suzuki.

        New regression test.

        * stress/regexp-bol-optimize-out-of-stack.js: Added.
        (test):
        (catch):

2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
        https://bugs.webkit.org/show_bug.cgi?id=189043

        Reviewed by Keith Miller.

        The offset performing the validation becomes a bit different.
        The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.

        * wasm/js-api/version.js:

2019-09-07  Keith Miller  <keith_miller@apple.com>

        OSR entry into wasm misses some contexts
        https://bugs.webkit.org/show_bug.cgi?id=201569

        Reviewed by Yusuke Suzuki.

        Add a new harness and wast and the generated wasm file for
        testing. The idea long term is to make it easy to test by creating
        a C file and converting it to a wast then modifying that to produce a
        test.

        * wasm.yaml:
        * wasm/wast-tests/harness.js: Added.
        (async.runWasmFile):
        * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
        * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
        * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
        * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
        * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
        * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
        * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
        * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.

2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Promise resolve/reject functions should be created more efficiently
        https://bugs.webkit.org/show_bug.cgi?id=201488

        Reviewed by Mark Lam.

        * microbenchmarks/promise-creation-many.js: Added.
        (executor):

2019-09-09  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed JSC test gardening.

        * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
        This test allocates a 2GB string before it goes out and tests
        out-of-memory exception when appending other strings to it. As such,
        skip the test on memory-limited platforms.

2019-09-07  Mark Lam  <mark.lam@apple.com>

        The jsc shell should allow disabling of the Gigacage for testing purposes.
        https://bugs.webkit.org/show_bug.cgi?id=201579

        Reviewed by Michael Saboff.

        Unskip the tests now.

        * stress/disable-gigacage-arrays.js:
        * stress/disable-gigacage-strings.js:
        * stress/disable-gigacage-typed-arrays.js:

2019-09-07  Mark Lam  <mark.lam@apple.com>

        Gardening: temporarily skipping these tests until the fix can be reviewed and landed.

        Not reviewed.

        See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.

        * stress/disable-gigacage-arrays.js:
        * stress/disable-gigacage-strings.js:
        * stress/disable-gigacage-typed-arrays.js:

2019-09-07  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative test fix to green bots [attempt #2].
        https://bugs.webkit.org/show_bug.cgi?id=201529
        <rdar://problem/53935772>

        Not reviewed.

        * stress/test-out-of-memory.js:

2019-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: speculative test fix to green bots.
        https://bugs.webkit.org/show_bug.cgi?id=201529
        <rdar://problem/53935772>

        Not reviewed.

        * stress/test-out-of-memory.js:

2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>

        Math.round() produces wrong result for value prior to 0.5
        https://bugs.webkit.org/show_bug.cgi?id=185115

        Reviewed by Saam Barati.

        * stress/math-round-basics.js:
        Add positive/negative test cases.

        * test262/expectations.yaml:
        Mark test passing.

2019-09-06  Mark Lam  <mark.lam@apple.com>

        Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
        https://bugs.webkit.org/show_bug.cgi?id=201551

        Reviewed by Tadeu Zagallo.

        Ports that don't support WASM will always fail this test if it stays in JSTests/stress.

        * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
        * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.

2019-09-06  Mark Lam  <mark.lam@apple.com>

        Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
        https://bugs.webkit.org/show_bug.cgi?id=201529
        <rdar://problem/53935772>

        Reviewed by Yusuke Suzuki.

        * stress/test-out-of-memory.js: Added.

2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>

        LazyClassStructure::setConstructor should not store the constructor to the global object
        https://bugs.webkit.org/show_bug.cgi?id=201484
        <rdar://problem/50400451>

        Reviewed by Yusuke Suzuki.

        * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.

2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not use FTLOutput::weakPointer directly
        https://bugs.webkit.org/show_bug.cgi?id=201495

        Reviewed by Filip Pizlo.

        * stress/create-promise-weak-pointer.js: Added.
        (foo):

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make Promise implementation faster
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Reviewed by Saam Barati.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
        * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
        * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
        (shouldThrow):
        (new.Promise):
        (shouldThrow.Promise):
        * stress/create-promise-should-respect-promise-realm.js: Added.
        (shouldBe):
        (other.new.OtherPromise):
        (DerivedOtherPromise):
        (i.promise.new.DerivedOtherPromise):
        (createPromise):
        * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
        (shouldBe):
        (DerivedPromise):
        (i.array.push.new.DerivedPromise):
        (promise.new.DerivedPromise):
        * stress/derived-promise-constructor-inlined.js: Added.
        (shouldBe):
        (DerivedPromise):
        (i.array.push.new.DerivedPromise):
        (DerivedPromise.all.array.then):
        * stress/derived-promise-prototype-replaced.js: Added.
        (shouldBe):
        (DerivedPromise):
        (i.array.push.new.DerivedPromise):
        (promise.new.DerivedPromise):
        * stress/internal-promise-constructor-not-confusing.js: Added.
        (shouldBe):
        (InternalPromise.vm.createBuiltin):
        (DerivedPromise):
        * stress/internal-promise-is-not-exposed.js: Added.
        (shouldBe):
        * stress/new-promise-should-respect-promise-realm.js: Added.
        (shouldBe):
        (other.new.OtherPromise):
        (createPromise):
        * stress/promise-cannot-be-called.js:
        (shouldThrow):
        * stress/promise-capability-fast-path.js: Added.
        (shouldBe):
        (i.array.push.new.Promise):
        (i.array.i.then):
        * stress/promise-capability-slow-path.js: Added.
        (shouldBe):
        (Promise.prototype.then):
        (i.array.push.new.Promise):
        (i.array.i.then):
        * stress/promise-capability-then-slow-path.js: Added.
        (shouldBe):
        (DerivedPromise):
        (DerivedPromise.prototype.then):
        (i.array.push.new.DerivedPromise):
        (i.array.i.then):
        * stress/promise-constructor-inlined.js: Added.
        (shouldBe):
        (i.array.push.new.Promise):
        (Promise.all.array.then):
        * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
        (shouldBe):
        (DerivedPromise):
        (DerivedPromise2):
        (i.array.push.new.DerivedPromise):
        (i.array2.push.new.DerivedPromise2):
        * stress/without-promise-functions.js: Added.
        (shouldBe):
        (async):

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
        https://bugs.webkit.org/show_bug.cgi?id=201309
        <rdar://problem/54832121>

        Reviewed by Yusuke Suzuki.

        * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generate new.target register only when it is used
        https://bugs.webkit.org/show_bug.cgi?id=201335

        Reviewed by Mark Lam.

        * stress/ensure-new-register-allocated.js: Added.
        (shouldBe):
        (basic):
        (arrow):
        (Base):
        (Derived):
        (evaluate):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
        https://bugs.webkit.org/show_bug.cgi?id=201331

        Reviewed by Mark Lam.

        * stress/simple-jump-table-copy.js: Added.
        (let.code):
        (g2):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
        https://bugs.webkit.org/show_bug.cgi?id=201332

        Reviewed by Mark Lam.

        This test is very flaky, it is hard to reproduce.

        * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
        (code):

2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Repatch should construct CallCases and CasesValue at the same time
        https://bugs.webkit.org/show_bug.cgi?id=201325

        Reviewed by Saam Barati.

        * stress/repatch-switch.js: Added.
        (main.f2.f0):
        (main.f2.f3):
        (main.f2.f1):
        (main.f2):
        (main):

2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
        https://bugs.webkit.org/show_bug.cgi?id=198650

        Reviewed by Saam Barati.

        * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
        (main.v0):
        (main):

2019-08-28  Mark Lam  <mark.lam@apple.com>

        DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
        https://bugs.webkit.org/show_bug.cgi?id=201281
        <rdar://problem/54028228>

        Reviewed by Yusuke Suzuki and Saam Barati.

        * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.

2019-08-28  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in DFG's operationHasGenericProperty().
        https://bugs.webkit.org/show_bug.cgi?id=201245
        <rdar://problem/54777512>

        Reviewed by Robin Morisset.

        * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.

2019-08-27  Mark Lam  <mark.lam@apple.com>

        constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
        https://bugs.webkit.org/show_bug.cgi?id=201196
        <rdar://problem/54703775>

        Reviewed by Yusuke Suzuki.

        * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.

2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Ensure x?.y ?? z is fast
        https://bugs.webkit.org/show_bug.cgi?id=200875

        Reviewed by Yusuke Suzuki.

        * stress/nullish-coalescing.js:

2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>

        Remove MaximalFlushInsertionPhase
        https://bugs.webkit.org/show_bug.cgi?id=201036

        Reviewed by Saam Barati.

        Remove all the references to maximal flush

        * stress/arith-ceil-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-floor-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-negate-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-round-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/arith-trunc-on-various-types.js:
        (checkCompileCountForUselessNegativeZero):
        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
        * stress/has-indexed-property-should-accept-non-int32.js:
        * stress/has-indexed-property-with-worsening-array-mode.js:
        * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
        * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
        * stress/rest-parameter-many-arguments.js:
        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
        * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:

2019-08-23  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
        https://bugs.webkit.org/show_bug.cgi?id=200952

        Reviewed by Saam Barati.

        * wasm/references/func_ref.js:
        (assert.throws):

2019-08-22  Justin Michaud  <justin_michaud@apple.com>

        Add missing exception check in canonicalizeLocaleList
        https://bugs.webkit.org/show_bug.cgi?id=201021

        Reviewed by Mark Lam.

        * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
        (catch):

2019-08-21  Mark Lam  <mark.lam@apple.com>

        Wasm::FunctionParser is failing to enforce maxFunctionLocals.
        https://bugs.webkit.org/show_bug.cgi?id=201016
        <rdar://problem/54579911>

        Reviewed by Yusuke Suzuki.

        * wasm/stress/too-many-locals.js: Added.
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):

2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>

        JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
        https://bugs.webkit.org/show_bug.cgi?id=200965

        Reviewed by Saam Barati.

        This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
        The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.

        * stress/optional-chaining.js:

2019-08-21  Michael Saboff  <msaboff@apple.com>

        [JSC] incorrect JIT lead to StackOverflow
        https://bugs.webkit.org/show_bug.cgi?id=197823

        Reviewed by Tadeu Zagallo.

        New test.

        * stress/bound-function-stack-overflow.js: Added.
        (foo):
        (catch):

2019-08-20  Justin Michaud  <justin_michaud@apple.com>

        Identify memcpy loops in b3
        https://bugs.webkit.org/show_bug.cgi?id=200181

        Reviewed by Saam Barati.

        * microbenchmarks/memcpy-loop.js: Added.
        (doTest):
        (let.arr1):
        * microbenchmarks/memcpy-typed-loop-large.js: Added.
        (doTest):
        (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
        (arr2):
        * microbenchmarks/memcpy-typed-loop-small.js: Added.
        (doTest):
        (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
        (16.arr2):
        * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
        (doTest):
        (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
        (arr2):
        * microbenchmarks/memcpy-wasm-large.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * microbenchmarks/memcpy-wasm-medium.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * microbenchmarks/memcpy-wasm-small.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * microbenchmarks/memcpy-wasm.js: Added.
        (typeof.WebAssembly.string_appeared_here.eq):
        (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
        * stress/memcpy-typed-loops.js: Added.
        (noLoop):
        (invalidStart):
        (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
        (arr2):
        * wasm/function-tests/memcpy-wasm-loop.js: Added.
        (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
        (string_appeared_here):

2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Array.prototype.toString should not get "join" function each time
        https://bugs.webkit.org/show_bug.cgi?id=200905

        Reviewed by Mark Lam.

        * stress/array-prototype-join-change.js: Added.
        (shouldBe):
        (array2.join):
        (DerivedArray):
        (DerivedArray.prototype.join):
        (array3.__proto__.join):
        (Array.prototype.join):

2019-08-20  Justin Michaud  <justin_michaud@apple.com>

        Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
        https://bugs.webkit.org/show_bug.cgi?id=200782

        Reviewed by Saam Barati.

        Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.

        * microbenchmarks/memcpy-typed-loop.js:
        * stress/int8-repeat-in-then-out-of-bounds.js:

2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Proxy constructor should throw if handler is revoked Proxy
        https://bugs.webkit.org/show_bug.cgi?id=198755

        Reviewed by Saam Barati.

        * stress/proxy-revoke.js: Adjust error message.
        * test262/expectations.yaml: Mark 2 test cases as passing.

2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry to Wasm OMG
        https://bugs.webkit.org/show_bug.cgi?id=200362

        Reviewed by Michael Saboff.

        * wasm/stress/osr-entry-basic.js: Added.
        (instance.exports.loop):
        * wasm/stress/osr-entry-many-locals-f32.js: Added.
        * wasm/stress/osr-entry-many-locals-f64.js: Added.
        * wasm/stress/osr-entry-many-locals-i32.js: Added.
        * wasm/stress/osr-entry-many-locals-i64.js: Added.
        * wasm/stress/osr-entry-many-stacks-f32.js: Added.
        * wasm/stress/osr-entry-many-stacks-f64.js: Added.
        * wasm/stress/osr-entry-many-stacks-i32.js: Added.
        * wasm/stress/osr-entry-many-stacks-i64.js: Added.

2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON throws if toISOString returns an object
        https://bugs.webkit.org/show_bug.cgi?id=198495

        Reviewed by Ross Kirsling.

        * test262/expectations.yaml: Mark 6 test cases as passing.

2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
        https://bugs.webkit.org/show_bug.cgi?id=200899
        <rdar://problem/54073341>

        Reviewed by Mark Lam.

        * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
        (i.new.Promise):
        * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
        (i.new.Promise):

2019-08-19  Michael Saboff  <msaboff@apple.com>

        Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
        https://bugs.webkit.org/show_bug.cgi?id=197090

        Reviewed by Yusuke Suzuki.

        New test.

        * stress/regexp-nonconsuming-counted-parens.js: Added.

2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Correct a->an in error messages and API docblocks
        https://bugs.webkit.org/show_bug.cgi?id=200833

        Reviewed by Don Olmstead.

        * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
        (assert.assert.return.throws):
        * stress/promise-finally-should-accept-non-promise-objects.js:
        * wasm/js-api/table.js:
        (assert.throws):

2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement optional chaining
        https://bugs.webkit.org/show_bug.cgi?id=200199

        Reviewed by Yusuke Suzuki.

        * stress/nullish-coalescing.js:
        * stress/optional-chaining.js: Added.
        * stress/tail-call-recognize.js:
876
877 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
878
879         [ESNext] Support hashbang.
880         https://bugs.webkit.org/show_bug.cgi?id=200865
881
882         Reviewed by Mark Lam.
883
884         * stress/hashbang.js: Added.
885         * test262/expectations.yaml: Mark 6 cases as passing.
886
887 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
888
889         [JSC] DFG ToNumber should support Boolean in fixup
890         https://bugs.webkit.org/show_bug.cgi?id=200864
891
892         Reviewed by Mark Lam.
893
894         * microbenchmarks/to-number-boolean.js: Added.
895         (test):
896         * stress/to-number-boolean-int32.js: Added.
897         (shouldBe):
898         (test):
899         (check):
900         * stress/to-number-boolean.js: Added.
901         (shouldBe):
902         (test):
903         (check):
904         * stress/to-number-int32.js: Added.
905         (shouldBe):
906         (test):
907         (check):
908
909 2019-08-16  Mark Lam  <mark.lam@apple.com>
910
911         More missing exception checks in string comparison operators.
912         https://bugs.webkit.org/show_bug.cgi?id=200844
913         <rdar://problem/54378684>
914
915         Reviewed by Saam Barati.
916
917         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
918         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
919         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
920         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
921
922 2019-08-16  Mark Lam  <mark.lam@apple.com>
923
924         CodeBlock destructor should clear all of its watchpoints.
925         https://bugs.webkit.org/show_bug.cgi?id=200792
926         <rdar://problem/53947800>
927
928         Reviewed by Yusuke Suzuki.
929
930         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
931
932 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
933
934         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
935         https://bugs.webkit.org/show_bug.cgi?id=200782
936
937         Reviewed by Saam Barati.
938
939         * microbenchmarks/int8-out-of-bounds.js: Added.
940         (foo):
941         * microbenchmarks/memcpy-typed-loop.js: Added.
942         (doTest):
943         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
944         (arr2):
945         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
946         (foo):
947
948 2019-08-16  Mark Lam  <mark.lam@apple.com>
949
950         [Re-land] ProxyObject should not be allow to access its target's private properties.
951         https://bugs.webkit.org/show_bug.cgi?id=200739
952         <rdar://problem/53972768>
953
954         Reviewed by Yusuke Suzuki.
955
956         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
957         * stress/proxy-with-private-symbols.js:
958
959 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
960
961         [JSC] Promise.prototype.finally should accept non-promise objects
962         https://bugs.webkit.org/show_bug.cgi?id=200829
963
964         Reviewed by Mark Lam.
965
966         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
967         (shouldBe):
968         (Thenable):
969         (Thenable.prototype.then):
970
971 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
972
973         Promise constructor should check argument before [[Construct]]
974         https://bugs.webkit.org/show_bug.cgi?id=198976
975
976         Reviewed by Ross Kirsling.
977
978         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
979         * stress/create-subclass-structure-might-throw.js: Fix test.
980         * test262/expectations.yaml: Mark 2 test cases as passing.
981
982 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
983
984         Unreviewed, rolling out r248709.
985
986         Caused test/built-ins/Promise/prototype/finally/this-value-non-promise.js
987         to fail on test262 bot
988
989         Reverted changeset:
990
991         "ProxyObject should not be allow to access its target's
992         private properties."
993         https://bugs.webkit.org/show_bug.cgi?id=200739
994         https://trac.webkit.org/changeset/248709
995
996 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
997
998         DateConversion::formatDateTime incorrectly formats negative years
999         https://bugs.webkit.org/show_bug.cgi?id=199964
1000
1001         Reviewed by Ross Kirsling.
1002
1003         * test262/expectations.yaml: Mark 6 test cases as passing.
1004
1005 2019-08-15  Mark Lam  <mark.lam@apple.com>
1006
1007         More missing exception checks in String.prototype.
1008         https://bugs.webkit.org/show_bug.cgi?id=200762
1009         <rdar://problem/54333896>
1010
1011         Reviewed by Michael Saboff.
1012
1013         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1014         * stress/missing-exception-check-in-string-toLower.js: Added.
1015         * stress/missing-exception-check-in-string-toUpper.js: Added.
1016
1017 2019-08-14  Mark Lam  <mark.lam@apple.com>
1018
1019         ProxyObject should not be allow to access its target's private properties.
1020         https://bugs.webkit.org/show_bug.cgi?id=200739
1021         <rdar://problem/53972768>
1022
1023         Reviewed by Yusuke Suzuki.
1024
1025         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1026         * stress/proxy-with-private-symbols.js: Rebased.
1027
1028 2019-08-14  Mark Lam  <mark.lam@apple.com>
1029
1030         Missing exception check in string compare.
1031         https://bugs.webkit.org/show_bug.cgi?id=200743
1032         <rdar://problem/53975356>
1033
1034         Reviewed by Michael Saboff.
1035
1036         * stress/missing-exception-check-in-string-compare.js: Added.
1037
1038 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1039
1040         [JSC] Add "jump if (not) undefined or null" bytecode ops
1041         https://bugs.webkit.org/show_bug.cgi?id=200480
1042
1043         Reviewed by Saam Barati.
1044
1045         * stress/destructuring-assignment-require-object-coercible.js:
1046         * stress/nullish-coalescing.js:
1047
1048 2019-08-05  Michael Saboff  <msaboff@apple.com>
1049
1050         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1051         https://bugs.webkit.org/show_bug.cgi?id=199997
1052
1053         Reviewed by Saam Barati.
1054
1055         New test.
1056
1057         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1058         (checkIntArray):
1059         (checkFloatArray):
1060
1061 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1062
1063         [JSC] Support WebAssembly in SamplingProfiler
1064         https://bugs.webkit.org/show_bug.cgi?id=200329
1065
1066         Reviewed by Saam Barati.
1067
1068         * stress/sampling-profiler-wasm-name-section.js: Added.
1069         (const.compile):
1070         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1071         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1072         * stress/sampling-profiler-wasm.js: Added.
1073         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1074         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1075         * stress/sampling-profiler/loop.wasm: Added.
1076         * stress/sampling-profiler/loop.wast: Added.
1077         * stress/sampling-profiler/nameSection.wasm: Added.
1078
1079 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1080
1081         [JSC] LazyJSValue should be robust for empty JSValue
1082         https://bugs.webkit.org/show_bug.cgi?id=200388
1083
1084         Reviewed by Saam Barati.
1085
1086         * stress/switch-constant-child-becomes-empty.js: Added.
1087         (foo):
1088
1089 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1090
1091         GetterSetter type confusion during DFG compilation
1092         https://bugs.webkit.org/show_bug.cgi?id=199903
1093
1094         Reviewed by Mark Lam.
1095
1096         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1097
1098 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1099
1100         Update Test262 (2019.08.01)
1101         https://bugs.webkit.org/show_bug.cgi?id=200351
1102
1103         Reviewed by Keith Miller.
1104
1105         * test262/expectations.yaml:
1106         * test262/harness/testIntl.js:
1107         * test262/latest-changes-summary.txt:
1108         * test262/test/:
1109         * test262/test262-Revision.txt:
1110
1111 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1112
1113         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1114         https://bugs.webkit.org/show_bug.cgi?id=200192
1115
1116         Reviewed by Saam Barati.
1117
1118         * stress/structure-chain-stress.js: Added.
1119         (keys):
1120
1121 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1122
1123         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1124         https://bugs.webkit.org/show_bug.cgi?id=200196
1125
1126         Reviewed by Robin Morisset.
1127
1128         * stress/reparsing-unlinked-codeblock.js:
1129
1130 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1131
1132         [X86] Emit BT instruction for shift + mask in B3
1133         https://bugs.webkit.org/show_bug.cgi?id=199891
1134
1135         Reviewed by Robin Morisset.
1136
1137         Lower the number of iterations to fix debug timeouts.
1138
1139         * microbenchmarks/bit-test-load.js:
1140         (i):
1141
1142 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1143
1144         [X86] Emit BT instruction for shift + mask in B3
1145         https://bugs.webkit.org/show_bug.cgi?id=199891
1146
1147         Reviewed by Keith Miller.
1148
1149         * microbenchmarks/bit-test-constant.js: Added.
1150         (let.glob.0.doTest):
1151         * microbenchmarks/bit-test-load.js: Added.
1152         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1153         (i):
1154         * microbenchmarks/bit-test-nonconstant.js: Added.
1155         (let.glob.0.doTest):
1156
1157 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1158
1159         [JSC] Potential GC fix for JSPropertyNameEnumerator
1160         https://bugs.webkit.org/show_bug.cgi?id=200151
1161
1162         Reviewed by Mark Lam.
1163
1164         * stress/for-in-stress.js: Added.
1165         (keys):
1166
1167 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1168
1169         Legacy numeric literals should not permit separators or BigInt
1170         https://bugs.webkit.org/show_bug.cgi?id=199984
1171
1172         Reviewed by Keith Miller.
1173
1174         * stress/big-int-literals.js:
1175         * stress/numeric-literal-separators.js:
1176
1177 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1178
1179         [ESNext] Implement nullish coalescing
1180         https://bugs.webkit.org/show_bug.cgi?id=200072
1181
1182         Reviewed by Darin Adler.
1183
1184         * stress/nullish-coalescing.js: Added.
1185
1186 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1187
1188         Three checks are missing in Proxy internal methods
1189         https://bugs.webkit.org/show_bug.cgi?id=198630
1190
1191         Reviewed by Darin Adler.
1192
1193         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1194         * test262/expectations.yaml: Mark 6 test cases as passing.
1195
1196 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1197
1198         Sometimes we miss removable CheckInBounds
1199         https://bugs.webkit.org/show_bug.cgi?id=200018
1200
1201         Reviewed by Saam Barati.
1202
1203         * microbenchmarks/typed-array-sum.js: Added.
1204         (doTest):
1205
1206 2019-07-16  Mark Lam  <mark.lam@apple.com>
1207
1208         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1209         https://bugs.webkit.org/show_bug.cgi?id=199821
1210         <rdar://problem/52452328>
1211
1212         Reviewed by Filip Pizlo.
1213
1214         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1215
1216 2019-07-16  Keith Miller  <keith_miller@apple.com>
1217
1218         Unreviewed, test262 gardening.
1219
1220         * test262/expectations.yaml:
1221
1222 2019-07-15  Keith Miller  <keith_miller@apple.com>
1223
1224         A Possible Issue of Object.create method
1225         https://bugs.webkit.org/show_bug.cgi?id=199744
1226
1227         Reviewed by Yusuke Suzuki.
1228
1229         * stress/object-create-non-object-properties-parameter.js: Added.
1230         (catch):
1231
1232 2019-07-15  Keith Miller  <keith_miller@apple.com>
1233
1234         Update test262
1235         https://bugs.webkit.org/show_bug.cgi?id=199801
1236
1237         Rubber-stamped by Yusuke Suzuki.
1238
1239         * test262/expectations.yaml:
1240         * test262/latest-changes-summary.txt:
1241         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1242         (fg.new.FinalizationGroup):
1243         (callback):
1244         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1245         (fg.new.FinalizationGroup):
1246         (callback):
1247         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1248         (fg.new.FinalizationGroup):
1249         (callback):
1250         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1251         (fg.new.FinalizationGroup):
1252         (callback):
1253         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1254         (fg.new.FinalizationGroup):
1255         (callback):
1256         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1257         (fg.new.FinalizationGroup):
1258         (callback):
1259         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1260         (fg.new.FinalizationGroup):
1261         (callback):
1262         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1263         (callback):
1264         (fg.new.FinalizationGroup):
1265         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1266         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1267         (cb):
1268         (fg.new.FinalizationGroup):
1269         (emptyCells):
1270         (async.fn):
1271         (fn.then.async):
1272         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1273         (fg.new.FinalizationGroup):
1274         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1275         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1276         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1277         (newTarget):
1278         (fn):
1279         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1280         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1281         (fn):
1282         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1283         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1284         (newTarget):
1285         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1286         (newTarget):
1287         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1288         (fg.new.FinalizationGroup):
1289         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1290         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1291         (callback):
1292         (fg.new.FinalizationGroup):
1293         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1294         (fg.new.FinalizationGroup):
1295         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1296         (cb):
1297         (fg.new.FinalizationGroup):
1298         (emptyCells):
1299         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1300         (fg.new.FinalizationGroup):
1301         (fg.cleanupSome.cb):
1302         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1303         (callback):
1304         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1305         (fn):
1306         (cb):
1307         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1308         (cb):
1309         (fg.new.FinalizationGroup):
1310         (emptyCells):
1311         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1312         (fg.new.FinalizationGroup):
1313         (callback):
1314         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1315         (fg.new.FinalizationGroup):
1316         (callback):
1317         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1318         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1319         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1320         (poisoned):
1321         (fg.new.FinalizationGroup):
1322         (emptyCells):
1323         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1324         (poisoned):
1325         (emptyCells):
1326         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1327         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1328         (fn):
1329         (cb):
1330         (emptyCells):
1331         (prototype.assert.sameValue.fg.cleanupSome):
1332         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1333         (fn):
1334         (cb):
1335         (poisoned):
1336         (assert.sameValue.fg.cleanupSome):
1337         (prototype.assert.sameValue.fg.cleanupSome):
1338         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1339         (cb):
1340         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1341         (cb):
1342         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1343         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1344         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1345         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1346         (fn):
1347         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1348         (fn):
1349         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1350         (fg.new.FinalizationGroup):
1351         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1352         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1353         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1354         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1355         (fn):
1356         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1357         (fn):
1358         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1359         (fg.new.FinalizationGroup):
1360         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1361         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1362         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1363         (fg.new.FinalizationGroup):
1364         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1365         (fg.new.FinalizationGroup):
1366         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1367         (fg.new.FinalizationGroup):
1368         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1369         (fg.new.FinalizationGroup):
1370         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1371         (fn):
1372         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1373         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1374         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1375         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1376         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1377         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1378         (fn):
1379         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1380         (fg.new.FinalizationGroup):
1381         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1382         (cleanupCallback):
1383         (let.key.of.Object.getOwnPropertyNames):
1384         (set for):
1385         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1386         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1387         (FinalizationGroup):
1388         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1389         (cleanupCallback):
1390         (let.key.of.Object.getOwnPropertyNames):
1391         (set for):
1392         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1393         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1394         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1395         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1396         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1397         (asyncProxy.new.Proxy.async):
1398         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1399         (asyncProxy.new.Proxy.async):
1400         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1401         (setIter.set Symbol):
1402         (set defaultTag):
1403         (gen):
1404         (get return):
1405         (set new):
1406         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1407         (generatorProxy.new.Proxy):
1408         (asyncProxy.new.Proxy.async):
1409         * test262/test/built-ins/Object/subclass-object-arg.js:
1410         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1411         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1412         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1413         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1414         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1415         * test262/test/built-ins/Promise/executor-function-name.js:
1416         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1417         * test262/test/built-ins/Promise/reject-function-name.js:
1418         * test262/test/built-ins/Promise/resolve-function-name.js:
1419         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1420         * test262/test/built-ins/WeakRef/constructor.js: Added.
1421         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1422         * test262/test/built-ins/WeakRef/length.js: Added.
1423         * test262/test/built-ins/WeakRef/name.js: Added.
1424         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1425         (newTarget):
1426         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1427         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1428         * test262/test/built-ins/WeakRef/proto.js: Added.
1429         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1430         (newTarget):
1431         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1432         (newTarget):
1433         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1434         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1435         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1436         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1437         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1438         (emptyCells):
1439         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1440         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1441         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1442         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1443         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1444         (fg.new.FinalizationGroup):
1445         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1446         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1447         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1448         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1449         (let.key.of.Object.getOwnPropertyNames):
1450         (set for):
1451         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1452         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1453         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1454         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1455         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1456         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1457         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1458         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1459         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1460         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1461         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1462         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1463         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1464         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1465         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1466         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1467         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1468         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1469         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1470         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1471         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1472         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1473         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1474         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1475         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1476         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1477         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1478         (assertParts):
1479         (assertPartsNumeric):
1480         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1481         (assertParts):
1482         (assertPartsNumeric):
1483         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1484         (assertParts):
1485         (assertPartsNumeric):
1486         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1487         (assertParts):
1488         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1489         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1490         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1491         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1492         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1493         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1494         (C.prototype.method):
1495         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1496         (C.prototype.method.innerFunction):
1497         (C.prototype.method):
1498         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1499         (C):
1500         (C.method):
1501         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1502         (C):
1503         (C.method.innerFunction):
1504         (C.method):
1505         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1506         (C):
1507         (C.checkPrivateGetter):
1508         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1509         (C):
1510         (C.method):
1511         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1512         (C):
1513         (C.method.innerFunction):
1514         (C.method):
1515         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1516         (C):
1517         (C.checkPrivateMethod):
1518         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1519         (C):
1520         (C.method):
1521         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1522         (C):
1523         (C.method.innerFunction):
1524         (C.method):
1525         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1526         (C):
1527         (C.checkPrivateSetter):
1528         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1529         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1530         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1531         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1532         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1533         (let.classStringExpression):
1534         (let.classStringExpression.access):
1535         (let.createAndInstantiateClass):
1536         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1537         (let.classStringExpression):
1538         (let.classStringExpression.access):
1539         (let.createAndInstantiateClass):
1540         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1541         (const.C):
1542         (let.createAndInstantiateClass):
1543         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1544         (let.classStringExpression.return.prototype.m):
1545         (let.classStringExpression.return.prototype.access):
1546         (let.createAndInstantiateClass):
1547         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1548         (let.classStringExpression.return.prototype.m):
1549         (let.classStringExpression.return.prototype.access):
1550         (let.createAndInstantiateClass):
1551         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1552         (let.classStringExpression):
1553         (let.classStringExpression.access):
1554         (let.createAndInstantiateClass):
1555         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1556         (let.classStringExpression.prototype.m):
1557         (let.classStringExpression.prototype.access):
1558         (let.classStringExpression):
1559         (let.createAndInstantiateClass):
1560         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1561         (let.classStringExpression.prototype.m):
1562         (let.classStringExpression.prototype.access):
1563         (let.classStringExpression):
1564         (let.createAndInstantiateClass):
1565         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1566         (const.C):
1567         (let.createAndInstantiateClass):
1568         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1569         (let.classStringExpression.return.C.prototype.m):
1570         (let.classStringExpression.return.C.prototype.access):
1571         (let.classStringExpression.return.C):
1572         (let.createAndInstantiateClass):
1573         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1574         (let.classStringExpression.return.C.prototype.m):
1575         (let.classStringExpression.return.C.prototype.access):
1576         (let.classStringExpression.return.C):
1577         (let.createAndInstantiateClass):
1578         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1579         (let.classStringExpression):
1580         (let.classStringExpression.access):
1581         (let.createAndInstantiateClass):
1582         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1583         (let.classStringExpression):
1584         (let.classStringExpression.access):
1585         (let.createAndInstantiateClass):
1586         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1587         (let.classStringExpression):
1588         (let.classStringExpression.access):
1589         (let.createAndInstantiateClass):
1590         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1591         (const.C):
1592         (let.createAndInstantiateClass):
1593         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1594         (let.classStringExpression.return.prototype.m):
1595         (let.classStringExpression.return.prototype.access):
1596         (let.createAndInstantiateClass):
1597         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1598         (let.classStringExpression.return.prototype.m):
1599         (let.classStringExpression.return.prototype.access):
1600         (let.createAndInstantiateClass):
1601         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1602         (let.classStringExpression):
1603         (let.classStringExpression.access):
1604         (let.createAndInstantiateClass):
1605         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1606         (new):
1607         (async):
1608         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1609         (A):
1610         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1611         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1612         * test262/test/language/identifiers/vals-cjk.js: Added.
1613         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1614         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1615         (C.prototype.method):
1616         (C):
1617         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1618         (C.prototype.method.innerFunction):
1619         (C.prototype.method):
1620         (C):
1621         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1622         (C.prototype.checkPrivateField):
1623         (C):
1624         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1625         (C):
1626         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1627         (C.prototype.getWithEval):
1628         (C):
1629         (D):
1630         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1631         (C.prototype.get m):
1632         (C.prototype.method):
1633         (C):
1634         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1635         (C.prototype.get m):
1636         (C.prototype.method.innerFunction):
1637         (C.prototype.method):
1638         (C):
1639         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1640         (let.createAndInstantiateClass):
1641         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1642         (C.prototype.get m):
1643         (C.prototype.checkPrivateGetter):
1644         (C):
1645         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1646         (C.prototype.get m):
1647         (C.prototype.checkPrivateGetter):
1648         (C):
1649         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1650         (C.prototype.get m):
1651         (C):
1652         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1653         (C.prototype.get m):
1654         (C.prototype.getWithEval):
1655         (C):
1656         (D.prototype.get m):
1657         (D):
1658         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1659         (C.prototype.m):
1660         (C.prototype.method):
1661         (C):
1662         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1663         (C.prototype.m):
1664         (C.prototype.method.innerFunction):
1665         (C.prototype.method):
1666         (C):
1667         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1668         (C.prototype.m):
1669         (C.prototype.checkPrivateMethod):
1670         (C):
1671         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1672         (C.prototype.m):
1673         (C.prototype.checkPrivateMethod):
1674         (C):
1675         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1676         (C.prototype.m):
1677         (C):
1678         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1679         (C.prototype.m):
1680         (C.prototype.getWithEval):
1681         (C):
1682         (D.prototype.m):
1683         (D):
1684         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1685         (C.prototype.set m):
1686         (C.prototype.method):
1687         (C):
1688         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1689         (C.prototype.set m):
1690         (C.prototype.method.innerFunction):
1691         (C.prototype.method):
1692         (C):
1693         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1694         (C.prototype.set m):
1695         (C.prototype.checkPrivateSetter):
1696         (C):
1697         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1698         (C.prototype.set m):
1699         (C.prototype.checkPrivateSetter):
1700         (C):
1701         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1702         (C.prototype.set m):
1703         (C):
1704         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1705         (C.prototype.set m):
1706         (C.prototype.setWithEval):
1707         (C):
1708         (D.prototype.set m):
1709         (D):
1710         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1711         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1712         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1713         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1714         (A.prototype.method):
1715         (A):
1716         (C.prototype.get m):
1717         (C.prototype.access):
1718         (C):
1719         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1720         (A.prototype.method):
1721         (A):
1722         (C.prototype.m):
1723         (C.prototype.access):
1724         (C):
1725         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1726         (A.prototype.method):
1727         (A):
1728         (C.prototype.set m):
1729         (C.prototype.access):
1730         (C):
1731         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1732         (A):
1733         * test262/test/language/statements/function/13.2-30-s.js:
1734         * test262/test262-Revision.txt:
1735
1736 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1737
1738         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1739         https://bugs.webkit.org/show_bug.cgi?id=199783
1740
1741         Reviewed by Mark Lam.
1742
1743         Fix our spec tests.
1744
1745         * wasm/js-api/Module-compile.js:
1746         * wasm/js-api/test_basic_api.js:
1747         (const.c.in.constructorProperties.switch):
1748         * wasm/js-api/validate.js:
1749         * wasm/js-api/web-assembly-instantiate.js:
1750         * wasm/spec-tests/jsapi.js:
1751         (testJSAPI.get test):
1752         (testJSAPI.set test):
1753
1754 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1755
1756         Unreviewed, rolling out r247440.
1757
1758         Broke builds
1759
1760         Reverted changeset:
1761
1762         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1763         issues"
1764         https://bugs.webkit.org/show_bug.cgi?id=199783
1765         https://trac.webkit.org/changeset/247440
1766
1767 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1768
1769         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1770         https://bugs.webkit.org/show_bug.cgi?id=199783
1771
1772         Reviewed by Mark Lam.
1773
1774         Fix our spec tests.
1775
1776         * wasm/js-api/Module-compile.js:
1777         * wasm/js-api/test_basic_api.js:
1778         (const.c.in.constructorProperties.switch):
1779         * wasm/js-api/validate.js:
1780         * wasm/js-api/web-assembly-instantiate.js:
1781         * wasm/spec-tests/jsapi.js:
1782         (testJSAPI.get test):
1783         (testJSAPI.set test):
1784
1785 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1786
1787         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1788         https://bugs.webkit.org/show_bug.cgi?id=196371
1789
1790         Reviewed by Keith Miller.
1791
1792         * microbenchmarks/mul-immediate-sub.js: Added.
1793         (doTest):
1794
1795 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1796
1797         [BigInt] Add ValueBitLShift into DFG
1798         https://bugs.webkit.org/show_bug.cgi?id=192664
1799
1800         Reviewed by Saam Barati.
1801
1802         We are adding tests to cover ValueBitwise operations AI changes.
1803
1804         * stress/big-int-left-shift-untyped.js: Added.
1805         * stress/bit-op-with-object-returning-int32.js:
1806         * stress/value-bit-and-ai-rule.js: Added.
1807         * stress/value-bit-lshift-ai-rule.js: Added.
1808         * stress/value-bit-or-ai-rule.js: Added.
1809         * stress/value-bit-xor-ai-rule.js: Added.
1810
1811 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1812
1813         Add b3 macro lowering for CheckMul on arm64
1814         https://bugs.webkit.org/show_bug.cgi?id=199251
1815
1816         Reviewed by Robin Morisset.
1817
1818         * microbenchmarks/check-mul-constant.js: Added.
1819         (doTest):
1820         * microbenchmarks/check-mul-no-constant.js: Added.
1821         (doTest):
1822         * microbenchmarks/check-mul-power-of-two.js: Added.
1823         (doTest):
1824
1825 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1826
1827         Optimize join of large empty arrays
1828         https://bugs.webkit.org/show_bug.cgi?id=199636
1829
1830         Reviewed by Mark Lam.
1831
1832         * microbenchmarks/large-empty-array-join.js: Added.
1833         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1834
1835 2019-07-06  Michael Saboff  <msaboff@apple.com>
1836
1837         switch(String) needs to check for exceptions when resolving the string
1838         https://bugs.webkit.org/show_bug.cgi?id=199541
1839
1840         Reviewed by Mark Lam.
1841
1842         New tests.
1843
1844         * stress/switch-string-oom.js: Added.
1845         (test):
1846         (testLowerTiers):
1847         (testFTL):
1848
1849 2019-07-05  Mark Lam  <mark.lam@apple.com>
1850
1851         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
1852         https://bugs.webkit.org/show_bug.cgi?id=199533
1853         <rdar://problem/52669111>
1854
1855         Reviewed by Filip Pizlo.
1856
1857         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1858
1859 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1860
1861         [JSC] Clean up ArraySpeciesCreate
1862         https://bugs.webkit.org/show_bug.cgi?id=182434
1863
1864         Reviewed by Yusuke Suzuki.
1865
1866         Adjusts error message expectations in stress tests.
1867
1868         * stress/array-flatmap.js:
1869         * stress/array-flatten.js:
1870         * stress/array-species-create-should-handle-masquerader.js:
1871         * test262/expectations.yaml: Mark 4 test cases as passing.
1872
1873 2019-07-02  Michael Saboff  <msaboff@apple.com>
1874
1875         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1876         https://bugs.webkit.org/show_bug.cgi?id=199395
1877
1878         Reviewed by Filip Pizlo.
1879
1880         New regression test.
1881
1882         * stress/for-of-tdz-with-try-catch.js: Added.
1883         (test):
1884         (i.catch):
1885
1886 2019-07-02  Keith Miller  <keith_miller@apple.com>
1887
1888         Frozen Arrays length assignment should throw in strict mode
1889         https://bugs.webkit.org/show_bug.cgi?id=199365
1890
1891         Reviewed by Yusuke Suzuki.
1892
1893         * stress/frozen-array-length-should-throw-strict.js: Added.
1894         (test):
1895
1896 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1897
1898         [Wasm-References] Disable references by default
1899         https://bugs.webkit.org/show_bug.cgi?id=199390
1900
1901         Reviewed by Saam Barati.
1902
1903         * wasm/references-spec-tests/ref_is_null.js:
1904         * wasm/references-spec-tests/ref_null.js:
1905         * wasm/references/anyref_globals.js:
1906         * wasm/references/anyref_modules.js:
1907         * wasm/references/anyref_table.js:
1908         * wasm/references/anyref_table_import.js:
1909         * wasm/references/element_parsing.js:
1910         * wasm/references/func_ref.js:
1911         * wasm/references/is_null.js:
1912         * wasm/references/multitable.js:
1913         * wasm/references/table_misc.js:
1914         * wasm/references/validation.js:
1915
1916 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1917
1918         Unreviewed, rolling out r246946.
1919
1920         Caused JSC test crashes on arm64
1921
1922         Reverted changeset:
1923
1924         "Add b3 macro lowering for CheckMul on arm64"
1925         https://bugs.webkit.org/show_bug.cgi?id=199251
1926         https://trac.webkit.org/changeset/246946
1927
1928 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1929
1930         Add b3 macro lowering for CheckMul on arm64
1931         https://bugs.webkit.org/show_bug.cgi?id=199251
1932
1933         Reviewed by Robin Morisset.
1934
1935         * microbenchmarks/check-mul-constant.js: Added.
1936         (doTest):
1937         * microbenchmarks/check-mul-no-constant.js: Added.
1938         (doTest):
1939         * microbenchmarks/check-mul-power-of-two.js: Added.
1940         (doTest):
1941
1942 2019-06-26  Keith Miller  <keith_miller@apple.com>
1943
1944         speciesConstruct needs to throw if the result is a DataView
1945         https://bugs.webkit.org/show_bug.cgi?id=199231
1946
1947         Reviewed by Mark Lam.
1948
1949         * stress/typedarray-filter.js:
1950         (subclasses.forEach):
1951         * stress/typedarray-map.js:
1952         (subclasses.forEach):
1953         * stress/typedarray-slice.js:
1954         (typedArrays.forEach):
1955         * stress/typedarray-subarray.js:
1956         (subclasses.forEach):
1957
1958 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1959
1960         Unreviewed, rolling out r246714.
1961         https://bugs.webkit.org/show_bug.cgi?id=199179
1962
1963         revert to do patch in a different way. (Requested by keith_mi_
1964         on #webkit).
1965
1966         Reverted changeset:
1967
1968         "All prototypes should call didBecomePrototype()"
1969         https://bugs.webkit.org/show_bug.cgi?id=196315
1970         https://trac.webkit.org/changeset/246714
1971
1972 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1973
1974         Add Array.prototype.{flat,flatMap} to unscopables
1975         https://bugs.webkit.org/show_bug.cgi?id=194322
1976
1977         Reviewed by Keith Miller.
1978
1979         * stress/unscopables.js: Fix test.
1980         * test262/expectations.yaml: Mark 2 test cases as passing.
1981
1982 2019-06-21  Mark Lam  <mark.lam@apple.com>
1983
1984         ArraySlice needs to keep the source array alive.
1985         https://bugs.webkit.org/show_bug.cgi?id=197374
1986         <rdar://problem/50304429>
1987
1988         Reviewed by Michael Saboff and Filip Pizlo.
1989
1990         * stress/array-slice-must-keep-source-array-alive.js: Added.
1991
1992 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1993
1994         All prototypes should call didBecomePrototype()
1995         https://bugs.webkit.org/show_bug.cgi?id=196315
1996
1997         Reviewed by Saam Barati.
1998
1999         * stress/function-prototype-indexed-accessor.js: Added.
2000
2001 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2002
2003         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2004         https://bugs.webkit.org/show_bug.cgi?id=197631
2005
2006         Reviewed by Saam Barati.
2007
2008         * stress/has-own-property-arguments.js: Added.
2009         (shouldBe):
2010         (A):
2011
2012 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2013
2014         [JSC] ClassExpr should not store result in the middle of evaluation
2015         https://bugs.webkit.org/show_bug.cgi?id=199106
2016
2017         Reviewed by Tadeu Zagallo.
2018
2019         * stress/class-expression-should-store-result-at-last.js: Added.
2020         (shouldThrow):
2021         (shouldThrow.let.a):
2022
2023 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2024
2025         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2026         https://bugs.webkit.org/show_bug.cgi?id=199044
2027
2028         Reviewed by Saam Barati.
2029
2030         Add wasm references spec tests as well as a worker test.
2031
2032         * wasm.yaml:
2033         * wasm/Builder_WebAssemblyBinary.js:
2034         (const.emitters.Element):
2035         * wasm/js-api/element.js:
2036         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2037         * wasm/references-spec-tests/ref_is_null.js: Added.
2038         (hostref):
2039         (is_hostref):
2040         (is_funcref):
2041         (eq_ref):
2042         (let.handler.get target):
2043         (register):
2044         (module):
2045         (instance):
2046         (call):
2047         (get instance):
2048         (exports):
2049         (run):
2050         (assert_malformed):
2051         (assert_invalid):
2052         (assert_unlinkable):
2053         (assert_uninstantiable):
2054         (assert_trap):
2055         (try.f):
2056         (catch):
2057         (assert_exhaustion):
2058         (assert_return):
2059         (assert_return_canonical_nan):
2060         (assert_return_arithmetic_nan):
2061         (assert_return_ref):
2062         (assert_return_func):
2063         * wasm/references-spec-tests/ref_null.js: Added.
2064         (hostref):
2065         (is_hostref):
2066         (is_funcref):
2067         (eq_ref):
2068         (let.handler.get target):
2069         (register):
2070         (module):
2071         (instance):
2072         (call):
2073         (get instance):
2074         (exports):
2075         (run):
2076         (assert_malformed):
2077         (assert_invalid):
2078         (assert_unlinkable):
2079         (assert_uninstantiable):
2080         (assert_trap):
2081         (try.f):
2082         (catch):
2083         (assert_exhaustion):
2084         (assert_return):
2085         (assert_return_canonical_nan):
2086         (assert_return_arithmetic_nan):
2087         (assert_return_ref):
2088         (assert_return_func):
2089         * wasm/references/element_parsing.js: Added.
2090         (module):
2091         * wasm/references/func_ref.js:
2092         * wasm/references/multitable.js:
2093         * wasm/references/table_misc.js:
2094         (TableSize.0.End.End.WebAssembly):
2095         * wasm/references/validation.js:
2096         (assert.throws):
2097
2098 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2099
2100         Optimize `resolve` method lookup in Promise static methods
2101         https://bugs.webkit.org/show_bug.cgi?id=198864
2102
2103         Reviewed by Yusuke Suzuki.
2104
2105         * test262/expectations.yaml: Mark 18 test cases as passing.
2106
2107 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2108
2109         [WASM-References] Rename anyfunc to funcref
2110         https://bugs.webkit.org/show_bug.cgi?id=198983
2111
2112         Reviewed by Yusuke Suzuki.
2113
2114         * wasm/function-tests/basic-element.js:
2115         * wasm/function-tests/context-switch.js:
2116         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2117         (makeInstance):
2118         (assert.eq.makeInstance):
2119         * wasm/function-tests/exceptions.js:
2120         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2121         * wasm/function-tests/grow-memory-2.js:
2122         (assert.eq.instance.exports.foo):
2123         * wasm/function-tests/nameSection.js:
2124         (const.compile):
2125         * wasm/function-tests/stack-overflow.js:
2126         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2127         (assertOverflows.makeInstance):
2128         * wasm/function-tests/table-basic-2.js:
2129         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2130         * wasm/function-tests/table-basic.js:
2131         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2132         * wasm/function-tests/trap-from-start-async.js:
2133         * wasm/function-tests/trap-from-start.js:
2134         * wasm/js-api/Module.exports.js:
2135         (assert.truthy):
2136         * wasm/js-api/Module.imports.js:
2137         (assert.truthy):
2138         * wasm/js-api/call-indirect.js:
2139         (const.oneTable):
2140         (const.multiTable):
2141         (multiTable.const.makeTable):
2142         (multiTable):
2143         (multiTable.Polyphic2Import):
2144         (multiTable.VirtualImport):
2145         * wasm/js-api/element-data.js:
2146         * wasm/js-api/element.js:
2147         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2148         (assert.throws):
2149         (badInstantiation.makeModule):
2150         (badInstantiation.test):
2151         (badInstantiation):
2152         * wasm/js-api/extension-MemoryMode.js:
2153         * wasm/js-api/table.js:
2154         (new.WebAssembly.Module):
2155         (assert.throws):
2156         (assertBadTableImport):
2157         (assert.throws.WebAssembly.Table.prototype.grow):
2158         (new.WebAssembly.Table):
2159         (assertBadTable):
2160         (assert.truthy):
2161         * wasm/js-api/test_basic_api.js:
2162         (const.c.in.constructorProperties.switch):
2163         * wasm/js-api/unique-signature.js:
2164         (CallIndirectWithDuplicateSignatures):
2165         * wasm/js-api/wrapper-function.js:
2166         * wasm/modules/table.wat:
2167         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2168         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2169         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2170         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2171         * wasm/references/anyref_table.js:
2172         * wasm/references/anyref_table_import.js:
2173         (doSet):
2174         (assert.throws):
2175         * wasm/references/func_ref.js:
2176         (makeFuncrefIdent):
2177         (assert.eq.instance.exports.fix):
2178         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2179         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2180         (let.importedFun.of):
2181         (makeAnyfuncIdent): Deleted.
2182         (makeAnyfuncIdent.fun): Deleted.
2183         * wasm/references/multitable.js:
2184         (assert.eq):
2185         (assert.throws):
2186         * wasm/references/table_misc.js:
2187         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2188         * wasm/references/validation.js:
2189         (assert.throws.new.WebAssembly.Module.bin):
2190         (assert.throws):
2191         * wasm/spec-harness/index.js:
2192         * wasm/spec-harness/wasm-constants.js:
2193         * wasm/spec-harness/wasm-module-builder.js:
2194         (WasmModuleBuilder.prototype.toArray):
2195         * wasm/spec-harness/wast.js:
2196         (elem_type):
2197         (string_of_elem_type):
2198         (string_of_table_type):
2199         * wasm/spec-tests/jsapi.js:
2200         * wasm/stress/wasm-table-grow-initialize.js:
2201         * wasm/wasm.json:
2202
2203 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2204
2205         [WASM-References] Add support for Table.size, grow and fill instructions
2206         https://bugs.webkit.org/show_bug.cgi?id=198761
2207
2208         Reviewed by Yusuke Suzuki.
2209
2210         * wasm/Builder_WebAssemblyBinary.js:
2211         (const.putOp):
2212         * wasm/references/table_misc.js: Added.
2213         (TableSize.End.End.WebAssembly):
2214         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2215         * wasm/wasm.json:
2216
2217 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2218
2219         [WASM-References] Add support for multiple tables
2220         https://bugs.webkit.org/show_bug.cgi?id=198760
2221
2222         Reviewed by Saam Barati.
2223
2224         * wasm/Builder.js:
2225         * wasm/js-api/call-indirect.js:
2226         (const.oneTable):
2227         (const.multiTable):
2228         (multiTable):
2229         (multiTable.Polyphic2Import):
2230         (multiTable.VirtualImport):
2231         (const.wasmModuleWhichImportJS): Deleted.
2232         (const.makeTable): Deleted.
2233         (): Deleted.
2234         (Polyphic2Import): Deleted.
2235         (VirtualImport): Deleted.
2236         * wasm/js-api/table.js:
2237         (new.WebAssembly.Module):
2238         (assert.throws):
2239         (assertBadTableImport):
2240         (assert.truthy):
2241         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2242         * wasm/references/anyref_table.js:
2243         * wasm/references/anyref_table_import.js:
2244         (makeImport):
2245         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2246         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2247         * wasm/references/multitable.js: Added.
2248         (assert.throws.1.exports.set_tbl0):
2249         (assert.throws):
2250         (assert.eq):
2251         * wasm/references/validation.js:
2252         (assert.throws.new.WebAssembly.Module.bin):
2253         (assert.throws):
2254         * wasm/spec-tests/imports.wast.js:
2255         * wasm/wasm.json:
2256
2257         * wasm/Builder.js:
2258         * wasm/js-api/call-indirect.js:
2259         (const.oneTable):
2260         (const.multiTable):
2261         (multiTable):
2262         (multiTable.Polyphic2Import):
2263         (multiTable.VirtualImport):
2264         (const.wasmModuleWhichImportJS): Deleted.
2265         (const.makeTable): Deleted.
2266         (): Deleted.
2267         (Polyphic2Import): Deleted.
2268         (VirtualImport): Deleted.
2269         * wasm/js-api/table.js:
2270         (new.WebAssembly.Module):
2271         (assert.throws):
2272         (assertBadTableImport):
2273         (assert.truthy):
2274         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2275         * wasm/references/anyref_table.js:
2276         * wasm/references/anyref_table_import.js:
2277         (makeImport):
2278         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2279         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2280         * wasm/references/func_ref.js:
2281         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2282         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2283         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2284         * wasm/references/multitable.js: Added.
2285         (assert.throws.1.exports.set_tbl0):
2286         (assert.throws):
2287         (assert.eq):
2288         (string_appeared_here.tableInsanity):
2289         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2290         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2291         * wasm/references/validation.js:
2292         (assert.throws.new.WebAssembly.Module.bin):
2293         (assert.throws):
2294         * wasm/spec-tests/imports.wast.js:
2295         * wasm/wasm.json:
2296
2297 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2298
2299         [ESNext] String.prototype.matchAll
2300         https://bugs.webkit.org/show_bug.cgi?id=186694
2301
2302         Reviewed by Yusuke Suzuki.
2303
2304         Implement String.prototype.matchAll.
2305         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2306
2307         * test262/config.yaml:
2308
2309 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2310
2311         DFG code should not reify the names of builtin functions with private names
2312         https://bugs.webkit.org/show_bug.cgi?id=198849
2313         <rdar://problem/51733890>
2314
2315         Reviewed by Filip Pizlo.
2316
2317         * stress/builtin-private-function-name.js: Added.
2318         (then):
2319         (PromiseLike):
2320
2321 2019-06-18  Keith Miller  <keith_miller@apple.com>
2322
2323         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2324         https://bugs.webkit.org/show_bug.cgi?id=198969
2325         <rdar://problem/51620714>
2326
2327         Reviewed by Tadeu Zagallo.
2328
2329         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2330         (catch):
2331
2332 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2333
2334         Validate that table element type is funcref if using an element section
2335         https://bugs.webkit.org/show_bug.cgi?id=198910
2336
2337         Reviewed by Yusuke Suzuki.
2338
2339         * wasm/references/anyref_table.js:
2340
2341 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2342
2343         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2344         https://bugs.webkit.org/show_bug.cgi?id=197378
2345
2346         Reviewed by Saam Barati.
2347
2348         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2349         (foo):
2350         (bar):
2351         * stress/disposable-call-site-index.js: Added.
2352         (foo):
2353         (bar):
2354
2355 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2356
2357         [WASM-References] Add support for Funcref in parameters and return types
2358         https://bugs.webkit.org/show_bug.cgi?id=198157
2359
2360         Reviewed by Yusuke Suzuki.
2361
2362         * wasm/Builder.js:
2363         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2364         * wasm/references/anyref_globals.js:
2365         * wasm/references/func_ref.js: Added.
2366         (fullGC.gc.makeExportedFunction):
2367         (makeExportedIdent):
2368         (makeAnyfuncIdent):
2369         (fun):
2370         (assert.eq.instance.exports.fix.fun):
2371         (assert.eq.instance.exports.fix):
2372         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2373         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2374         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2375         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2376         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2377         (assert.throws):
2378         (assert.throws.doTest):
2379         (let.importedFun.of):
2380         (makeAnyfuncIdent.fun):
2381         * wasm/references/validation.js:
2382         (assert.throws):
2383         * wasm/wasm.json:
2384
2385 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2386
2387         Update test262 tests (2019.06.13)
2388         https://bugs.webkit.org/show_bug.cgi?id=198821
2389
2390         Reviewed by Konstantin Tokarev.
2391
2392         * test262/expectations.yaml:
2393         * test262/harness/:
2394         * test262/latest-changes-summary.txt:
2395         * test262/test/:
2396         * test262/test262-Revision.txt:
2397
2398 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2399
2400         [JSC] Grown region of WasmTable should be initialized with null
2401         https://bugs.webkit.org/show_bug.cgi?id=198903
2402
2403         Reviewed by Saam Barati.
2404
2405         * wasm/stress/wasm-table-grow-initialize.js: Added.
2406         (shouldBe):
2407
2408 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2409
2410         Yarr bytecode compilation failure should be gracefully handled
2411         https://bugs.webkit.org/show_bug.cgi?id=198700
2412
2413         Reviewed by Michael Saboff.
2414
2415         * stress/regexp-bytecode-compilation-fail.js: Added.
2416         (shouldThrow):
2417
2418 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2419
2420         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2421         https://bugs.webkit.org/show_bug.cgi?id=198770
2422
2423         Reviewed by Saam Barati.
2424
2425         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2426         (test):
2427
2428 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2429
2430         JSC should throw if proxy set returns falsish in strict mode context
2431         https://bugs.webkit.org/show_bug.cgi?id=177398
2432
2433         Reviewed by Yusuke Suzuki.
2434
2435         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2436         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2437
2438         * stress/proxy-set.js: Add 2 test cases.
2439         * stress/regexp-match-proxy.js: Fix test.
2440         * stress/regexp-replace-proxy.js: Fix test.
2441
2442 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2443
2444         Error message for non-callable Proxy `construct` trap is misleading
2445         https://bugs.webkit.org/show_bug.cgi?id=198637
2446
2447         Reviewed by Saam Barati.
2448
2449         * stress/proxy-construct.js:
2450
2451 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2452
2453         AI BitURShift's result should not be unsigned
2454         https://bugs.webkit.org/show_bug.cgi?id=198689
2455         <rdar://problem/51550063>
2456
2457         Reviewed by Saam Barati.
2458
2459         * stress/urshift-int32-overflow.js: Added.
2460         (foo.):
2461         (foo):
2462
2463 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2464
2465         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2466
2467         Unreviewed gardening.
2468
2469         * stress/ftl-gettypedarrayoffset-wasteful.js:
2470         Skipped on arm/linux as it always times out on the bot since a change
2471         between r246270 and r246278 inclusive.
2472
2473 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2474
2475         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2476         https://bugs.webkit.org/show_bug.cgi?id=198023
2477
2478         Reviewed by Saam Barati.
2479
2480         * stress/reparsing-unlinked-codeblock.js: Added.
2481         (shouldBe):
2482         (hello):
2483
2484 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2485
2486         [JSC] Use mergePrediction in ValuePow prediction propagation
2487         https://bugs.webkit.org/show_bug.cgi?id=198648
2488
2489         Reviewed by Saam Barati.
2490
2491         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2492
2493 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2494
2495         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2496         https://bugs.webkit.org/show_bug.cgi?id=198581
2497         <rdar://problem/51099753>
2498
2499         Reviewed by Saam Barati.
2500
2501         * stress/global-object-proto-getter.js: Added.
2502         (f):
2503         (test):
2504
2505 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2506
2507         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2508         https://bugs.webkit.org/show_bug.cgi?id=198398
2509
2510         Reviewed by Saam Barati.
2511
2512         * wasm/references/anyref_table.js: Added.
2513         (string_appeared_here.doGCSet):
2514         (doGCTest):
2515         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2516         * wasm/references/anyref_table_import.js: Added.
2517         (makeImport):
2518         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2519         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2520         * wasm/references/is_null_error.js: Removed.
2521         * wasm/references/validation.js: Added.
2522         (assert.throws.new.WebAssembly.Module.bin):
2523         (assert.throws):
2524         * wasm/wasm.json:
2525
2526 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2527
2528         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2529         https://bugs.webkit.org/show_bug.cgi?id=198106
2530
2531         Reviewed by Saam Barati.
2532
2533         * wasm/regress/selectf64.js: Added.
2534         * wasm/regress/selectf64.wasm: Added.
2535         * wasm/regress/selectf64.wat: Added.
2536
2537 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2538
2539         Argument elimination should check transitive dependents for interference
2540         https://bugs.webkit.org/show_bug.cgi?id=198520
2541         <rdar://problem/50863343>
2542
2543         Reviewed by Filip Pizlo.
2544
2545         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2546         (f2):
2547         (f3):
2548
2549 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2550
2551         Argument elimination should check for negative indices in GetByVal
2552         https://bugs.webkit.org/show_bug.cgi?id=198302
2553         <rdar://problem/51188095>
2554
2555         Reviewed by Filip Pizlo.
2556
2557         * stress/eliminate-arguments-negative-rest-access.js: Added.
2558         (inlinee):
2559         (opt):
2560
2561 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2562
2563         [ESNext][BigInt] Implement support for "**"
2564         https://bugs.webkit.org/show_bug.cgi?id=190799
2565
2566         Reviewed by Saam Barati.
2567
2568         * stress/big-int-exp-basic.js: Added.
2569         * stress/big-int-exp-jit-osr.js: Added.
2570         * stress/big-int-exp-jit-untyped.js: Added.
2571         * stress/big-int-exp-jit.js: Added.
2572         * stress/big-int-exp-negative-exponent.js: Added.
2573         * stress/big-int-exp-to-primitive.js: Added.
2574         * stress/big-int-exp-type-error.js: Added.
2575         * stress/big-int-exp-wrapped-value.js: Added.
2576         * stress/value-pow-ai-rule.js: Added.
2577
2578 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2579
2580         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2581         https://bugs.webkit.org/show_bug.cgi?id=197979
2582
2583         Reviewed by Filip Pizlo.
2584
2585         * stress/16bit-code.js: Added.
2586         (shouldBe):
2587         * stress/32bit-code.js: Added.
2588         (shouldBe):
2589
2590 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2591
2592         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2593         https://bugs.webkit.org/show_bug.cgi?id=198355
2594
2595         Reviewed by Saam Barati.
2596
2597         * wasm/references/is_null.js:
2598
2599 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2600
2601         [PlayStation] Skip additional tests on PlayStation
2602         https://bugs.webkit.org/show_bug.cgi?id=198352
2603
2604         Reviewed by Don Olmstead.
2605
2606         Skip pow test on PlayStation due to behavior difference in standard library.
2607         Skip incremental marking test due to OOM on PlayStation systems.
2608
2609         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2610         * stress/math-pow-with-constants.js:
2611         * stress/pow-with-constants.js:
2612
2613 2019-05-28  Dean Jackson  <dino@apple.com>
2614
2615         Implement Promise.allSettled
2616         https://bugs.webkit.org/show_bug.cgi?id=197600
2617         <rdar://problem/50483885>
2618
2619         Reviewed by Keith Miller.
2620
2621         Start testing Promise.allSettled. We pass most of the tests.
2622         The ones that fail are similar to the Promise.all tests we already fail.
2623
2624         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2625         * test262/expectations.yaml: Add new expectations for allSettled tests.
2626
2627 2019-05-28  Michael Saboff  <msaboff@apple.com>
2628
2629         [YARR] Properly handle RegExp's that require large ParenContext space
2630         https://bugs.webkit.org/show_bug.cgi?id=198065
2631
2632         Reviewed by Keith Miller.
2633
2634         New test.
2635
2636         * stress/regexp-large-paren-context.js: Added.
2637         (testLargeRegExp):
2638
2639 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2640
2641         JITOperations putByVal should mark negative array indices as out-of-bounds
2642         https://bugs.webkit.org/show_bug.cgi?id=198271
2643
2644         Reviewed by Saam Barati.
2645
2646         * microbenchmarks/get-by-val-negative-array-index.js:
2647         (foo):
2648         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2649         is 4.2x faster than the previous commit.
2650
2651         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2652         (foo):
2653
2654 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2655
2656         JITOperations getByVal should mark negative array indices as out-of-bounds
2657         https://bugs.webkit.org/show_bug.cgi?id=198229
2658
2659         Reviewed by Saam Barati.
2660
2661         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2662         (foo):
2663
2664 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2665
2666         [WASM-References] Support Anyref in globals
2667         https://bugs.webkit.org/show_bug.cgi?id=198102
2668
2669         Reviewed by Saam Barati.
2670
2671         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2672
2673         * wasm/Builder.js:
2674         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2675         * wasm/Builder_WebAssemblyBinary.js:
2676         (const.putInitExpr):
2677         * wasm/references/anyref_globals.js: Added.
2678         (GetGlobal.0.End.End.WebAssembly):
2679         (5.doGCSet):
2680         (doGCTest):
2681         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2682
2683 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2684
2685         DFG::OSREntry should not perform arity check
2686         https://bugs.webkit.org/show_bug.cgi?id=198189
2687
2688         Reviewed by Saam Barati.
2689
2690         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2691         (foo):
2692
2693 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2694
2695         [PlayStation] Skip additional tests on PlayStation
2696         https://bugs.webkit.org/show_bug.cgi?id=198145
2697
2698         Reviewed by Ross Kirsling.
2699
2700         * exceptionFuzz.yaml:
2701         Add skip on hostOS playstation
2702         * executableAllocationFuzz.yaml:
2703         Add skip on hostOS playstation
2704
2705 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2706
2707         createListFromArrayLike should throw if value is not an object
2708         https://bugs.webkit.org/show_bug.cgi?id=198138
2709
2710         Reviewed by Yusuke Suzuki.
2711
2712         * stress/create-list-from-array-like-not-object.js: Added.
2713         (testValid):
2714         (testInvalid):
2715         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2716         (opt):
2717         * stress/proxy-proto-enumerator.js: Added.
2718         (main):
2719         * stress/proxy-proto-own-keys.js: Added.
2720         (assert):
2721         (ownKeys):
2722
2723 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2724
2725         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2726         https://bugs.webkit.org/show_bug.cgi?id=197809
2727
2728         Reviewed by Michael Saboff.
2729
2730         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2731         (foo):
2732
2733 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2734
2735         [ESNext] Implement support for Numeric Separators
2736         https://bugs.webkit.org/show_bug.cgi?id=196351
2737
2738         Reviewed by Keith Miller.
2739
2740         * stress/numeric-literal-separators.js: Added.
2741         Add tests for feature.
2742
2743         * test262/expectations.yaml:
2744         Mark 60 test cases as passing.
2745
2746 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2747
2748         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2749         https://bugs.webkit.org/show_bug.cgi?id=198120
2750         <rdar://problem/49668795>
2751
2752         Reviewed by Michael Saboff.
2753
2754         * stress/get-array-length-concurrently-change-mode.js: Added.
2755         (main):
2756
2757 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2758
2759         Unreviewed, rolling out r245634.
2760         https://bugs.webkit.org/show_bug.cgi?id=198140
2761
2762         'This patch makes JSC crash on launch in debug builds'
2763         (Requested by tadeuzagallo on #webkit).
2764
2765         Reverted changeset:
2766
2767         "[ESNext] Implement support for Numeric Separators"
2768         https://bugs.webkit.org/show_bug.cgi?id=196351
2769         https://trac.webkit.org/changeset/245634
2770
2771 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2772
2773         Stack-buffer-overflow in decodeURIComponent
2774         https://bugs.webkit.org/show_bug.cgi?id=198109
2775         <rdar://problem/50397550>
2776
2777         Reviewed by Michael Saboff.
2778
2779         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2780         (i.j.try.i.toString):
2781         (i.j.catch):
2782
2783 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2784
2785         Don't clear PropertyNameArray in Proxy code
2786         https://bugs.webkit.org/show_bug.cgi?id=197691
2787
2788         Reviewed by Saam Barati.
2789
2790         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2791         (shouldBe):
2792         (opt):
2793
2794 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2795
2796         [ESNext] Implement support for Numeric Separators
2797         https://bugs.webkit.org/show_bug.cgi?id=196351
2798
2799         Reviewed by Keith Miller.
2800
2801         * stress/numeric-literal-separators.js: Added.
2802         Add tests for feature.
2803
2804         * test262/expectations.yaml:
2805         Mark 60 test cases as passing.
2806
2807 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2808
2809         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2810         https://bugs.webkit.org/show_bug.cgi?id=198101
2811
2812         Reviewed by Michael Saboff.
2813
2814         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2815         (shouldBe):
2816
2817 2019-05-20  Keith Miller  <keith_miller@apple.com>
2818
2819         Cleanup Yarr regexp code around paren contexts.
2820         https://bugs.webkit.org/show_bug.cgi?id=198063
2821
2822         Reviewed by Yusuke Suzuki.
2823
2824         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2825         (i.s):
2826         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2827
2828 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2829
2830         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2831         https://bugs.webkit.org/show_bug.cgi?id=197969
2832
2833         Reviewed by Keith Miller.
2834
2835         Support the anyref type in Builder.js, plus add some extra error logging.
2836         Add new folder for wasm references tests.
2837
2838         * wasm.yaml:
2839         * wasm/Builder.js:
2840         (const._isValidValue):
2841         * wasm/references/anyref_modules.js: Added.
2842         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2843         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2844         (Call.3.RefIsNull.End.End.WebAssembly):
2845         (undefined):
2846         * wasm/references/is_null.js: Added.
2847         * wasm/references/is_null_error.js: Added.
2848         * wasm/spec-harness/index.js:
2849         * wasm/wasm.json:
2850
2851 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2852
2853         [JSC] Invalid AssignmentTargetType should be an early error.
2854         https://bugs.webkit.org/show_bug.cgi?id=197603
2855
2856         Reviewed by Keith Miller.
2857
2858         * test262/expectations.yaml:
2859         Update expectations to reflect new SyntaxErrors.
2860         (Ideally, these should all be viewed as passing in the near future.)
2861
2862         * stress/async-await-basic.js:
2863         * stress/big-int-literals.js:
2864         Update tests to reflect new SyntaxErrors.
2865
2866         * ChakraCore.yaml:
2867         * ChakraCore/test/EH/try6.baseline-jsc:
2868         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2869         Update baselines to reflect new SyntaxErrors.
2870
2871 2019-05-15  Saam Barati  <sbarati@apple.com>
2872
2873         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2874         https://bugs.webkit.org/show_bug.cgi?id=197855
2875         <rdar://problem/50236506>
2876
2877         Reviewed by Michael Saboff.
2878
2879         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2880         (f0):
2881         (bar):
2882         (foo):
2883         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2884         (f1):
2885         (f2):
2886         (foo):
2887
2888 2019-05-14  Keith Miller  <keith_miller@apple.com>
2889
2890         Fix issue with byteOffset on ARM64E
2891         https://bugs.webkit.org/show_bug.cgi?id=197884
2892
2893         Reviewed by Saam Barati.
2894
2895         We didn't have any tests that run with non-byte/non-zero offset
2896         typed arrays.
2897
2898         * stress/ftl-gettypedarrayoffset-wasteful.js:
2899
2900 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2901
2902         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2903         https://bugs.webkit.org/show_bug.cgi?id=197833
2904
2905         Reviewed by Darin Adler.
2906
2907         * stress/generator-name.js: Added.
2908         (shouldBe):
2909         (gen):
2910         (catch):
2911
2912 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2913
2914         JSObject::getOwnPropertyDescriptor is missing an exception check
2915         https://bugs.webkit.org/show_bug.cgi?id=197693
2916         <rdar://problem/50441784>
2917
2918         Reviewed by Saam Barati.
2919
2920         * stress/proxy-spread.js: Added.
2921         (foo):
2922
2923 2019-05-10  Saam barati  <sbarati@apple.com>
2924
2925         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2926         https://bugs.webkit.org/show_bug.cgi?id=197807
2927         <rdar://problem/50530400>
2928
2929         Reviewed by Yusuke Suzuki.
2930
2931         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2932         (test.getInstance):
2933         (test):
2934
2935 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2936
2937         [Test262] Unreviewed expectations update following r245188.
2938
2939         * test262/config.yaml:
2940         * test262/expectations.yaml:
2941
2942         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2943         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2944         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2945         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2946         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2947         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2948         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2949         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2950         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2951         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2952         These files have invalid YAML comments. Will also submit corrections back to Test262.
2953
2954 2019-05-10  Keith Miller  <keith_miller@apple.com>
2955
2956         Update test262 tests.
2957
2958         Rubber-stamped by Yusuke Suzuki.
2959
2960         * test262/*: mega-patch too many things to list individually.
2961
2962 2019-05-09  Keith Miller  <keith_miller@apple.com>
2963
2964         Unreviewed, fix test to have a try-catch.
2965
2966         * stress/many-nested-functions-parser-stack-overflow.js:
2967         (catch):
2968
2969 2019-05-09  Keith Miller  <keith_miller@apple.com>
2970
2971         parseStatementListItem needs a stack overflow check
2972         https://bugs.webkit.org/show_bug.cgi?id=197749
2973
2974         Reviewed by Saam Barati.
2975
2976         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2977
2978 2019-05-08  Saam barati  <sbarati@apple.com>
2979
2980         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2981         https://bugs.webkit.org/show_bug.cgi?id=197715
2982         <rdar://problem/50399252>
2983
2984         Reviewed by Filip Pizlo.
2985
2986         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2987         (foo):
2988         (bar):
2989
2990 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2991
2992         Unreviewed, rolling out r245068.
2993
2994         Caused debug layout tests to exit early due to an assertion
2995         failure.
2996
2997         Reverted changeset:
2998
2999         "All prototypes should call didBecomePrototype()"
3000         https://bugs.webkit.org/show_bug.cgi?id=196315
3001         https://trac.webkit.org/changeset/245068
3002
3003 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3004
3005         Invalid DFG JIT generation in high CPU usage state
3006         https://bugs.webkit.org/show_bug.cgi?id=197453
3007
3008         Reviewed by Saam Barati.
3009
3010         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3011         (trigger):
3012         (main):
3013
3014 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3015
3016         All prototypes should call didBecomePrototype()
3017         https://bugs.webkit.org/show_bug.cgi?id=196315
3018
3019         Reviewed by Saam Barati.
3020
3021         This changelog already landed, but the commit was missing the actual changes.
3022
3023         * stress/function-prototype-indexed-accessor.js: Added.
3024
3025 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3026
3027         [BigInt] Add ValueMod into DFG
3028         https://bugs.webkit.org/show_bug.cgi?id=186174
3029
3030         Reviewed by Saam Barati.
3031
3032         * microbenchmarks/mod-untyped.js: Added.
3033         * stress/big-int-mod-osr.js: Added.
3034         * stress/value-div-ai-rule.js: Added.
3035         * stress/value-mod-ai-rule.js: Added.
3036
3037 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3038
3039         [JSC] DFG_ASSERT failed in lowInt52
3040         https://bugs.webkit.org/show_bug.cgi?id=197569
3041
3042         Reviewed by Saam Barati.
3043
3044         * stress/getstack-int52.js: Added.
3045         (opt):
3046         (main):
3047
3048 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3049
3050         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3051         https://bugs.webkit.org/show_bug.cgi?id=197479
3052
3053         Reviewed by Saam Barati.
3054
3055         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3056         (shouldBe):
3057
3058 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3059
3060         TemplateObject passed to template literal tags are not always identical for the same source location.
3061         https://bugs.webkit.org/show_bug.cgi?id=190756
3062
3063         Reviewed by Saam Barati.
3064
3065         * complex.yaml:
3066         * complex/tagged-template-regeneration-after.js: Added.
3067         (shouldBe):
3068         * complex/tagged-template-regeneration.js: Added.
3069         (call):
3070         (test):
3071         * modules/tagged-template-inside-module.js: Added.
3072         (from.string_appeared_here.call):
3073         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3074         (call):
3075         (export.otherTaggedTemplates):
3076         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3077         (shouldBe):
3078         (call):
3079         (poly):
3080         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3081         (shouldBe):
3082         (call):
3083         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3084         (shouldBe):
3085         (call):
3086         (test):
3087         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3088         (shouldBe):
3089         (call):
3090         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3091         (shouldBe):
3092         (call):
3093         * stress/tagged-templates-in-multiple-functions.js: Added.
3094         (shouldBe):
3095         (call):
3096         (a):
3097         (b):
3098         (c):
3099         * stress/tagged-templates-with-same-start-offset.js: Added.
3100         (shouldBe):
3101
3102 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3103
3104         All prototypes should call didBecomePrototype()
3105         https://bugs.webkit.org/show_bug.cgi?id=196315
3106
3107         Reviewed by Saam Barati.
3108
3109         * stress/function-prototype-indexed-accessor.js: Added.
3110
3111 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3112
3113         Unreviewed, rolling out r244978.
3114         https://bugs.webkit.org/show_bug.cgi?id=197671
3115
3116         TemplateObject map should use start/end offsets (Requested by
3117         yusukesuzuki on #webkit).
3118
3119         Reverted changeset:
3120
3121         "TemplateObject passed to template literal tags are not always
3122         identical for the same source location."
3123         https://bugs.webkit.org/show_bug.cgi?id=190756
3124         https://trac.webkit.org/changeset/244978
3125
3126 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3127
3128         tryCachePutByID should not crash if target offset changes
3129         https://bugs.webkit.org/show_bug.cgi?id=197311
3130         <rdar://problem/48033612>
3131
3132         Reviewed by Filip Pizlo.
3133
3134         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
3135         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`.
3136
3137         * stress/cache-put-by-id-delete-prototype.js: Added.
3138         (A.prototype.set y):
3139         (A):
3140         (B.prototype.set y):
3141         (B):
3142         (C):
3143         * stress/cache-put-by-id-different-__proto__.js: Added.
3144         (A.prototype.set y):
3145         (A):
3146         (B1):
3147         (B2.prototype.set y):
3148         (B2):
3149         (C):
3150         (D):
3151         * stress/cache-put-by-id-different-attributes.js: Added.
3152         (Foo):
3153         (set x):
3154         * stress/cache-put-by-id-different-offset.js: Added.
3155         (Foo):
3156         (set x):
3157         * stress/cache-put-by-id-insert-prototype.js: Added.
3158         (A.prototype.set y):
3159         (A):
3160         (C):
3161         * stress/cache-put-by-id-poly-proto.js: Added.
3162         (Foo):
3163         (set _):
3164         (createBar.Bar):
3165         (createBar):
3166
3167 2019-05-07  Saam Barati  <sbarati@apple.com>
3168
3169         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3170         https://bugs.webkit.org/show_bug.cgi?id=197531
3171         <rdar://problem/50162379>
3172
3173         Reviewed by Yusuke Suzuki.
3174
3175         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3176
3177 2019-05-06  Dean Jackson  <dino@apple.com>
3178
3179         Update test262 expectations for Proxy passes
3180         https://bugs.webkit.org/show_bug.cgi?id=197628
3181
3182         Reviewed by Yusuke Suzuki.
3183
3184         There are two consistent passes in Proxy.ownKeys.
3185
3186         * test262/expectations.yaml:
3187
3188 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3189
3190         [JSC] We should check OOM for description string of Symbol
3191         https://bugs.webkit.org/show_bug.cgi?id=197634
3192
3193         Reviewed by Keith Miller.
3194
3195         * stress/check-symbol-description-oom.js: Added.
3196         (shouldThrow):
3197
3198 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3199
3200         Unreviewed, land one more test
3201         https://bugs.webkit.org/show_bug.cgi?id=197587
3202
3203         * stress/setter-frame-flush.js: Added.
3204         (setter):
3205         (foo):
3206         (bar):
3207
3208 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3209
3210         TemplateObject passed to template literal tags are not always identical for the same source location.
3211         https://bugs.webkit.org/show_bug.cgi?id=190756
3212
3213         Reviewed by Saam Barati.
3214
3215         * complex.yaml:
3216         * complex/tagged-template-regeneration-after.js: Added.
3217         (shouldBe):
3218         * complex/tagged-template-regeneration.js: Added.
3219         (call):
3220         (test):
3221         * modules/tagged-template-inside-module.js: Added.
3222         (from.string_appeared_here.call):
3223         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3224         (call):
3225         (export.otherTaggedTemplates):
3226         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3227         (shouldBe):
3228         (call):
3229         (poly):
3230         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3231         (shouldBe):
3232         (call):
3233         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3234         (shouldBe):
3235         (call):
3236         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3237         (shouldBe):
3238         (call):
3239         * stress/tagged-templates-in-multiple-functions.js: Added.
3240         (shouldBe):
3241         (call):
3242         (a):
3243         (b):
3244         (c):
3245
3246 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3247
3248         [PlayStation] JSC Stress tests failing due to timezone printing
3249         https://bugs.webkit.org/show_bug.cgi?id=197615
3250
3251         PlayStation's strftime does not give timezone strings, which
3252         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3253         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3254         which causes diff failures with the expectations. Add expectations
3255         without the timezone string and use those on PlayStation.
3256
3257         Reviewed by Ross Kirsling.
3258
3259         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3260         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3261         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3262         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3263
3264 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3265
3266         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3267         https://bugs.webkit.org/show_bug.cgi?id=197587
3268
3269         Reviewed by Sam Weinig.
3270
3271         This patch adds more tests to r244939. It also inlines setter calls, and eventually sees that no PutStack is emitted because MovHint's KillStack kills it.
3272
3273         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3274
3275 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3276
3277         TypedArrays should not store properties that are canonical numeric indices
3278         https://bugs.webkit.org/show_bug.cgi?id=197228
3279         <rdar://problem/49557381>
3280
3281         Reviewed by Saam Barati.
3282
3283         * stress/array-species-config-array-constructor.js:
3284         (test):
3285         * stress/put-direct-index-broken-2.js:
3286         * stress/typed-array-canonical-numeric-index-string.js: Added.
3287         (makeTest.assert):
3288         (makeTest):
3289         (const.testInvalidIndices.makeTest.set assert):
3290         (const.testInvalidIndices.makeTest):
3291         (const.makeTestValidIndex.configurable.set assert):
3292         (const.makeTestValidIndex.configurable):
3293         * stress/typedarray-access-monomorphic-neutered.js:
3294         (checkNoException):
3295         (testNoException):
3296         (testFTLNoException):
3297         * stress/typedarray-access-neutered.js:
3298         (testNoException):
3299         * stress/typedarray-getownproperty-not-configurable.js:
3300         (foo):
3301         * test262/expectations.yaml:
3302
3303 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3304
3305         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3306         https://bugs.webkit.org/show_bug.cgi?id=197584
3307
3308         Reviewed by Saam Barati.
3309
3310         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3311         (X):
3312         (foo):
3313
3314 2019-05-03  Michael Saboff  <msaboff@apple.com>
3315
3316         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3317         https://bugs.webkit.org/show_bug.cgi?id=197586
3318
3319         Reviewed by Keith Miller.
3320
3321         We should only run one config of this test and only when we think we'll have the memory.
3322
3323         * stress/json-stringify-string-builder-overflow.js:
3324
3325 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3326
3327         [JSC] Generator CodeBlock generation should be idempotent
3328         https://bugs.webkit.org/show_bug.cgi?id=197552
3329
3330         Reviewed by Keith Miller.
3331
3332         Add complex.yaml, which controls how to run JSC shell more.
3333         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3334
3335         * complex.yaml: Added.
3336         * complex/generator-regeneration-after.js: Added.
3337         * complex/generator-regeneration.js: Added.
3338         (gen):
3339
3340 2019-05-02  Michael Saboff  <msaboff@apple.com>
3341
3342         Unreviewed rollout of r244862.
3343
3344         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3345
3346 2019-05-01  Saam barati  <sbarati@apple.com>
3347
3348         Baseline JIT should do argument value profiling after checking for stack overflow
3349         https://bugs.webkit.org/show_bug.cgi?id=197052
3350         <rdar://problem/50009602>
3351
3352         Reviewed by Yusuke Suzuki.
3353
3354         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3355
3356 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3357
3358         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3359         https://bugs.webkit.org/show_bug.cgi?id=197405
3360
3361         Reviewed by Saam Barati.
3362
3363         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3364         (foo):
3365         (test):
3366         (i.o.get f):
3367         (i.o.set f):
3368
3369 2019-05-01  Michael Saboff  <msaboff@apple.com>
3370
3371         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3372         https://bugs.webkit.org/show_bug.cgi?id=197485
3373
3374         Reviewed by Saam Barati.
3375
3376         New test.
3377
3378         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3379         (foo):
3380
3381 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3382
3383         Unreviewed correction to Test262 expectations following r244828.
3384
3385         * test262/expectations.yaml:
3386
3387 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3388
3389         Add memory-limited skipping to some tests generating very large strings
3390         https://bugs.webkit.org/show_bug.cgi?id=197437
3391
3392         Reviewed by Ross Kirsling.
3393
3394         * stress/StringObject-define-length-getter-rope-string-oom.js:
3395         * stress/create-error-out-of-memory-rope-string.js:
3396         * stress/string-16bit-repeat-overflow.js:
3397
3398 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3399
3400         Unreviewed, rolling out r244806.
3401         https://bugs.webkit.org/show_bug.cgi?id=197446
3402
3403         Causing Test262 and JSC test failures on multiple builds
3404         (Requested by ShawnRoberts on #webkit).
3405
3406         Reverted changeset:
3407
3408         "TypeArrays should not store properties that are canonical
3409         numeric indices"
3410         https://bugs.webkit.org/show_bug.cgi?id=197228
3411         https://trac.webkit.org/changeset/244806
3412
3413 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3414
3415         TypeArrays should not store properties that are canonical numeric indices
3416         https://bugs.webkit.org/show_bug.cgi?id=197228
3417         <rdar://problem/49557381>
3418
3419         Reviewed by Darin Adler.
3420
3421         * stress/typed-array-canonical-numeric-index-string.js: Added.
3422         (makeTest.assert):
3423         (makeTest):
3424         (const.testInvalidIndices.makeTest.set assert):
3425         (const.testInvalidIndices.makeTest):
3426         (const.testValidIndices.makeTest.set assert):
3427         (const.testValidIndices.makeTest):
3428
3429 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3430
3431         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3432         https://bugs.webkit.org/show_bug.cgi?id=197362
3433
3434         Reviewed by Saam Barati.
3435
3436         * stress/map-with-nan.js: Added.
3437         (shouldBe):
3438         (div):
3439         (NaN1):
3440         (NaN2):
3441         (NaN3):
3442         (NaN4):
3443         (NaN1NoInline):
3444         (NaN2NoInline):
3445         (NaN3NoInline):
3446         (NaN4NoInline):
3447         (test1):
3448         (test2):
3449         (test3):
3450         (test4):
3451         * stress/set-with-nan.js: Added.
3452         (shouldBe):
3453         (div):
3454         (NaN1):
3455         (NaN2):
3456         (NaN3):
3457         (NaN4):
3458         (NaN1NoInline):
3459         (NaN2NoInline):
3460         (NaN3NoInline):
3461         (NaN4NoInline):
3462         (test2):
3463         (test4):
3464
3465 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3466
3467         Unreviewed, rolling out r244708.
3468         https://bugs.webkit.org/show_bug.cgi?id=197334
3469
3470         "Broke the debug build" (Requested by rmorisset on #webkit).
3471
3472         Reverted changeset:
3473
3474         "All prototypes should call didBecomePrototype()"
3475         https://bugs.webkit.org/show_bug.cgi?id=196315
3476         https://trac.webkit.org/changeset/244708
3477
3478 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3479
3480         [JSC] linkPolymorphicCall now does GC
3481         https://bugs.webkit.org/show_bug.cgi?id=197306
3482
3483         Reviewed by Saam Barati.
3484
3485         * stress/link-polymorphic-call-can-gc.js: Added.
3486         (module):
3487         (instance):
3488
3489 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3490
3491         All prototypes should call didBecomePrototype()
3492         https://bugs.webkit.org/show_bug.cgi?id=196315
3493
3494         Reviewed by Saam Barati.
3495
3496         * stress/function-prototype-indexed-accessor.js: Added.
3497
3498 2019-04-23  Saam Barati  <sbarati@apple.com>
3499
3500         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3501         https://bugs.webkit.org/show_bug.cgi?id=196721
3502         <rdar://problem/49556479> 
3503
3504         Reviewed by Filip Pizlo.
3505
3506         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3507         (foo):
3508
3509 2019-04-19  Saam Barati  <sbarati@apple.com>
3510
3511         AbstractValue can represent more than int52
3512         https://bugs.webkit.org/show_bug.cgi?id=197118
3513         <rdar://problem/49969960>
3514
3515         Reviewed by Michael Saboff.
3516
3517         * stress/abstract-value-can-include-int52.js: Added.
3518         (foo):
3519         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3520
3521 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3522
3523         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3524         https://bugs.webkit.org/show_bug.cgi?id=197053
3525
3526         Reviewed by Saam Barati.
3527
3528         * stress/merge-string-builder-in-dfg.js: Added.
3529         (foo):
3530
3531 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3532
3533         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3534         https://bugs.webkit.org/show_bug.cgi?id=176810
3535
3536         Reviewed by Saam Barati.
3537
3538         Add tests for the DontEnum filtering, and variations of other tests
3539         that take the DontEnum-filtering path.
3540
3541         * stress/proxy-own-keys.js:
3542         (i.catch):
3543         (set assert):
3544         (set add):
3545         (let.set new):
3546         (get let):
3547
3548 2019-04-15  Saam barati  <sbarati@apple.com>
3549
3550         Modify how we do SetArgument when we inline varargs calls
3551         https://bugs.webkit.org/show_bug.cgi?id=196712
3552         <rdar://problem/49605012>
3553
3554         Reviewed by Michael Saboff.
3555
3556         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3557         (foo):
3558
3559 2019-04-15  Saam barati  <sbarati@apple.com>
3560
3561         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3562         https://bugs.webkit.org/show_bug.cgi?id=196945
3563         <rdar://problem/49802750>
3564
3565         Reviewed by Filip Pizlo.
3566
3567         * stress/get-by-offset-should-use-correct-child.js: Added.
3568         (foo.bar):
3569         (foo):
3570
3571 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3572
3573         DFG should be able to constant fold Object.create() with a constant prototype operand
3574         https://bugs.webkit.org/show_bug.cgi?id=196886
3575
3576         Reviewed by Yusuke Suzuki.
3577
3578         Note that this new benchmark does not currently see a speedup with inlining removed.
3579         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3580
3581         * microbenchmarks/object-create-constant-prototype.js: Added.
3582         (test):
3583
3584 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3585
3586         Incremental bytecode cache should not append function updates when loaded from memory
3587         https://bugs.webkit.org/show_bug.cgi?id=196865
3588
3589         Reviewed by Filip Pizlo.
3590
3591         * stress/bytecode-cache-shared-code-block.js: Added.
3592         (b):
3593         (program):
3594
3595 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3596
3597         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3598         https://bugs.webkit.org/show_bug.cgi?id=196880
3599
3600         Reviewed by Yusuke Suzuki.
3601
3602         * stress/bytecode-cache-syntax-error.js: Added.
3603         (catch):
3604
3605 2019-04-12  Saam barati  <sbarati@apple.com>
3606
3607         r244079 logically broke shouldSpeculateInt52
3608         https://bugs.webkit.org/show_bug.cgi?id=196884
3609
3610         Reviewed by Yusuke Suzuki.
3611
3612         * microbenchmarks/int52-rand-function.js: Added.
3613         (Math.random):
3614
3615 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3616
3617         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3618         https://bugs.webkit.org/show_bug.cgi?id=196850
3619
3620         Reviewed by Saam Barati.
3621
3622         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3623         (foo):
3624
3625 2019-04-11  Saam barati  <sbarati@apple.com>
3626
3627         Remove invalid assertion in operationInstanceOfCustom
3628         https://bugs.webkit.org/show_bug.cgi?id=196842
3629         <rdar://problem/49725493>
3630
3631         Reviewed by Michael Saboff.
3632
3633         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3634
3635 2019-04-10  Saam Barati  <sbarati@apple.com>
3636
3637         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3638         https://bugs.webkit.org/show_bug.cgi?id=196801
3639         <rdar://problem/49771122>
3640
3641         Reviewed by Yusuke Suzuki.
3642
3643         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3644
3645 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3646
3647         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3648         https://bugs.webkit.org/show_bug.cgi?id=196746
3649
3650         Reviewed by Yusuke Suzuki.
3651
3652         * stress/cyclic-define-properties.js: Added.
3653         (foo):
3654
3655 2019-04-09  Saam barati  <sbarati@apple.com>
3656
3657         Clean up Int52 code and some bugs in it
3658         https://bugs.webkit.org/show_bug.cgi?id=196639
3659         <rdar://problem/49515757>
3660
3661         Reviewed by Yusuke Suzuki.
3662
3663         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3664
3665 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3666
3667         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3668         https://bugs.webkit.org/show_bug.cgi?id=196708
3669         <rdar://problem/49556803>
3670
3671         Reviewed by Yusuke Suzuki.
3672
3673         * stress/proxy-getter-stack-overflow.js: Added.
3674         (const.handler.get target):
3675         (const.handler.has):
3676         (try.with):
3677         (catch):
3678
3679 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3680
3681         [JSC] DFG should respect node's strict flag
3682         https://bugs.webkit.org/show_bug.cgi?id=196617
3683
3684         Reviewed by Saam Barati.
3685
3686         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3687         (shouldEqual):
3688         (makeUnwriteableUnconfigurableObject):
3689         (runTest):
3690         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3691         (shouldBe):
3692         (shouldThrow):
3693         (with.result):
3694         (with.putValueStrict):
3695         (with.putValueSloppy):
3696
3697 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3698
3699         [JSC] isRope jump in StringSlice should not jump over register allocations
3700         https://bugs.webkit.org/show_bug.cgi?id=196716
3701
3702         Reviewed by Saam Barati.
3703
3704         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3705         (foo.bar):
3706         (foo):
3707
3708 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>