JSON.parse has bad is array assert
[WebKit-https.git] / JSTests / ChangeLog
1 2019-10-21  Saam Barati  <sbarati@apple.com>
2
3         JSON.parse has bad is array assert
4         https://bugs.webkit.org/show_bug.cgi?id=203207
5         <rdar://problem/56366913>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/json-parse-array-prototype-is-array-assert.js: Added.
10         (assert):
11
12 2019-10-21  Robin Morisset  <rmorisset@apple.com>
13
14         Throw the right exception upon memory exhaustion in Array::slice
15         https://bugs.webkit.org/show_bug.cgi?id=202650
16
17         Reviewed by Saam Barati.
18
19         * stress/array-slice-memory-exhaustion.js: Added.
20         (foo):
21
22 2019-10-21  Robin Morisset  <rmorisset@apple.com>
23
24         Post increment/decrement should only call ToNumber once
25         https://bugs.webkit.org/show_bug.cgi?id=202711
26
27         Reviewed by Saam Barati.
28
29         * stress/postinc-custom-valueOf.js: Added.
30         (postInc):
31         (postDec):
32
33 2019-10-18  Yusuke Suzuki  <ysuzuki@apple.com>
34
35         [JSC] DFG::CommonData modification by DFG reallyAdd should be guarded by CodeBlock's lock
36         https://bugs.webkit.org/show_bug.cgi?id=203177
37
38         Reviewed by Mark Lam.
39
40         * stress/dfg-really-add-locking.js: Added.
41
42 2019-10-17  Mark Lam  <mark.lam@apple.com>
43
44         Add missing checks after calls to the sameValue() JSValue comparator.
45         https://bugs.webkit.org/show_bug.cgi?id=203126
46         <rdar://problem/56366561>
47
48         Reviewed by Saam Barati.
49
50         * stress/validate-exception-check-in-proxy-object-put.js: Added.
51
52 2019-10-17  Saam Barati  <sbarati@apple.com>
53
54         GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
55         https://bugs.webkit.org/show_bug.cgi?id=203124
56         <rdar://problem/55988183>
57
58         Reviewed by Yusuke Suzuki.
59
60         * stress/licm-array-storage-get-and-put-by-val.js: Added.
61         (assert):
62         (foo):
63
64 2019-10-16  Keith Miller  <keith_miller@apple.com>
65
66         Move assert in Wasm::Plan::fail.
67         https://bugs.webkit.org/show_bug.cgi?id=203052
68
69         Reviewed by Mark Lam.
70
71         * wasm/regress/wasm-plan-fail-bad-error-message-assert.js: Added.
72         (Binary):
73         (Binary.prototype.trunc_buffer):
74         (Binary.prototype.emit_leb_u):
75         (Binary.prototype.emit_u32v):
76         (Binary.prototype.emit_bytes):
77         (Binary.prototype.emit_header):
78         (__f_576):
79         (__f_587):
80
81 2019-10-15  Mark Lam  <mark.lam@apple.com>
82
83         operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.
84         https://bugs.webkit.org/show_bug.cgi?id=202312
85         <rdar://problem/55782280>
86
87         Reviewed by Yusuke Suzuki.
88
89         * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings.js: Added.
90         * stress/operationSwitchCharWithUnknownKeyType-should-avoid-resolving-rope-strings2.js: Added.
91         * stress/switch-on-char-llint-rope.js:
92         - Changed this test to make a new rope string for each iterations.  Otherwise,
93           the rope will get resolved, and subsequent tiers will not be testing with a rope.
94
95 2019-10-14  Yusuke Suzuki  <ysuzuki@apple.com>
96
97         [JSC] GetterSetter should be JSCell, not JSObject
98         https://bugs.webkit.org/show_bug.cgi?id=202656
99
100         Reviewed by Tadeu Zagallo and Saam Barati.
101
102         * stress/getter-setter-should-be-cell.js: Added.
103         (foo.with.):
104         (foo.with.get for):
105         (foo.with.bar):
106         (foo):
107
108 2019-10-14  Saam Barati  <sbarati@apple.com>
109
110         Canonicalize how we prepare the prototype chain for inline caching
111         https://bugs.webkit.org/show_bug.cgi?id=202827
112         <rdar://problem/56193919>
113
114         Reviewed by Yusuke Suzuki.
115
116         * stress/cache-correct-offset-after-flattening.js: Added.
117         (assert):
118
119 2019-10-14  Paulo Matos  <pmatos@igalia.com>
120
121         Skip memcpy-typed-loop timing out on ARMv7 pending investigation
122         https://bugs.webkit.org/show_bug.cgi?id=202923
123
124         Reviewed by Adrian Perez de Castro.
125
126         * microbenchmarks/memcpy-typed-loop.js:
127
128 2019-10-11  Keith Miller  <keith_miller@apple.com>
129
130         Wasm B3IRGenerator should use arguments for control data.
131         https://bugs.webkit.org/show_bug.cgi?id=202855
132
133         Reviewed by Yusuke Suzuki.
134
135         * wasm/stress/loop-more-args-than-results.js: Added.
136
137 2019-10-10  Mark Lam  <mark.lam@apple.com>
138
139         Modify JSTests/stress/string-overflow-createError-*.js tests to allow an OOME result.
140         https://bugs.webkit.org/show_bug.cgi?id=202828
141
142         Reviewed by Yusuke Suzuki.
143
144         The tests intentionally allocate a very large string.  Hence, for some memory
145         limited configurations, it is perfectly reasonable for the test to throw an Out
146         Of Memory error.
147
148         * stress/string-overflow-createError-builder.js:
149         * stress/string-overflow-createError-fit.js:
150
151 2019-10-09  Yusuke Suzuki  <ysuzuki@apple.com>
152
153         Unreviewed, roll out r250878
154         https://bugs.webkit.org/show_bug.cgi?id=202656
155
156         Breaking vimeo page.
157
158         * stress/getter-setter-should-be-cell.js: Removed.
159
160 2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>
161
162         [JSC] GetterSetter should be JSCell, not JSObject
163         https://bugs.webkit.org/show_bug.cgi?id=202656
164
165         Reviewed by Tadeu Zagallo and Saam Barati.
166
167         * stress/getter-setter-should-be-cell.js: Added.
168         (foo.with.):
169         (foo.with.get for):
170         (foo.with.bar):
171         (foo):
172
173 2019-10-08  Alexey Shvayka  <shvaikalesh@gmail.com>
174
175         JSON.parse incorrectly handles array proxies
176         https://bugs.webkit.org/show_bug.cgi?id=199292
177
178         Reviewed by Saam Barati.
179
180         * microbenchmarks/json-parse-array-reviver-same-value.js: Added.
181         * microbenchmarks/json-parse-array-reviver.js: Added.
182         * microbenchmarks/json-parse-object-reviver-same-value.js: Added.
183         * microbenchmarks/json-parse-object-reviver.js: Added.
184         * stress/json-parse-reviver-array-proxy.js: Added.
185         * stress/json-parse-reviver-revoked-proxy.js: Added.
186         * test262/expectations.yaml: Mark 6 test cases as passing.
187
188 2019-10-08  Ross Kirsling  <ross.kirsling@sony.com>
189
190         Update test262 (2019.10.08).
191
192         Rubber-stamped by Keith Miller.
193
194         * test262/config.yaml:
195         * test262/expectations.yaml:
196         * test262/latest-changes-summary.txt:
197         * test262/test/:
198         * test262/test262-Revision.txt:
199
200 2019-10-07  Saam Barati  <sbarati@apple.com>
201
202         Allow OSR exit to the LLInt
203         https://bugs.webkit.org/show_bug.cgi?id=197993
204
205         Reviewed by Tadeu Zagallo.
206
207         * stress/exit-from-getter-by-val.js: Added.
208         * stress/exit-from-setter-by-val.js: Added.
209
210 2019-10-07  Matt Lewis  <jlewis3@apple.com>
211
212         Unreviewed, rolling out r250750.
213
214         Reverting change as this broke interal test over the weekend.
215
216         Reverted changeset:
217
218         "Allow OSR exit to the LLInt"
219         https://bugs.webkit.org/show_bug.cgi?id=197993
220         https://trac.webkit.org/changeset/250750
221
222 2019-10-04  Saam Barati  <sbarati@apple.com>
223
224         Allow OSR exit to the LLInt
225         https://bugs.webkit.org/show_bug.cgi?id=197993
226
227         Reviewed by Tadeu Zagallo.
228
229         * stress/exit-from-getter-by-val.js: Added.
230         * stress/exit-from-setter-by-val.js: Added.
231
232 2019-10-04  Paulo Matos  <pmatos@igalia.com>
233
234         Revert regexp test skip on armv7l and mips
235         https://bugs.webkit.org/show_bug.cgi?id=202310
236
237         Reviewed by Žan Doberšek.
238
239         Test was skipped in bug 202113 on armv7l and mips due to bug 202041.
240         Bug 202041 is fixed and change of bug 202113 can be reverted.
241
242         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
243
244 2019-10-02  Mark Lam  <mark.lam@apple.com>
245
246         DoubleToStringConverter::ToExponential() should null terminate its string.
247         https://bugs.webkit.org/show_bug.cgi?id=202492
248         <rdar://problem/55907708>
249
250         Reviewed by Filip Pizlo.
251
252         * stress/dtoa-AddSubstring-should-uses-strnlen-in-assertion.js: Added.
253
254 2019-10-02  Yusuke Suzuki  <ysuzuki@apple.com>
255
256         [JSC] AsyncGenerator should have internal fields
257         https://bugs.webkit.org/show_bug.cgi?id=201498
258
259         Reviewed by Saam Barati.
260
261         * stress/async-generator-construct-failure.js: Added.
262         (shouldThrow):
263         (async.gen):
264         (TypeError):
265         * stress/async-generator-prototype-change.js: Added.
266         (shouldBe):
267         (async.gen):
268         * stress/async-generator-prototype-closure.js: Added.
269         (shouldBe):
270         (test.async.gen):
271         (test):
272         * stress/create-async-generator.js: Added.
273         (shouldBe):
274         (test.async.generator):
275         (test):
276
277 2019-10-01  Saam Barati  <sbarati@apple.com>
278
279         ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
280         https://bugs.webkit.org/show_bug.cgi?id=199361
281         <rdar://problem/52454940>
282
283         Reviewed by Yusuke Suzuki.
284
285         * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
286         (main.fn):
287         (main.executor):
288         (main):
289         * stress/allocation-sinking-hints-are-valid-ssa.js: Added.
290         (main.fn):
291         (main.executor):
292         (main):
293
294 2019-10-01  Keith Miller  <keith_miller@apple.com>
295
296         skip test until we figure out why it's timing out
297         https://bugs.webkit.org/show_bug.cgi?id=202423
298
299         Reviewed by Mark Lam.
300
301         new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
302         Let's skip it until we figure out what's going on.
303
304         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
305
306 2019-10-01  Keith Miller  <keith_miller@apple.com>
307
308         Mark toctou test as skipped on debug builds
309         https://bugs.webkit.org/show_bug.cgi?id=202420
310
311         Reviewed by Saam Barati.
312
313         Keeps timing out... Let's just skip it.
314
315         * stress/toctou-having-a-bad-time-new-array.js:
316
317 2019-10-01  Keith Miller  <keith_miller@apple.com>
318
319         Test262 update
320
321         Rubber-stamped by Michael Saboff.
322
323         Note, this was too big to effectivetly put on bugzilla as it's a 10MB patch...
324
325         * test262/*:
326
327 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
328
329         [YARR] Properly handle surrogates when matching back references
330         https://bugs.webkit.org/show_bug.cgi?id=202041
331
332         Reviewed by Keith Miller.
333
334         Unchanged from the workin progress patch posted by Paulo Matos <pmatos@igalia.com>.
335
336         Updated test.
337
338         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
339         (testRegExpNotMatch):
340
341 2019-10-01  Keith Miller  <keith_miller@apple.com>
342
343         Add support for the Wasm multi-value proposal
344         https://bugs.webkit.org/show_bug.cgi?id=202250
345
346         Reviewed by Saam Barati.
347
348         This patch adds a new way to run stress tests via the .wat text
349         format. By attaching an asm.js compiled version of the wabt tool
350         we can easily create wat files programatically and convert them
351         into a wasm blob to compile. To make this easy there is a
352         wabt-wrapper.js module file that exports two useful functions that
353         correspond to WebAssembly.compile and WebAssembly.instantiate.
354
355         * wasm.yaml:
356         * wasm/function-tests/if-no-else-non-void.js:
357         * wasm/js-api/web-assembly-instantiate.js:
358         (assert.asyncTest.async.test):
359         (assert.asyncTest):
360         * wasm/libwabt.js: Added.
361         (WabtModule):
362         (set get if):
363         * wasm/references/func_ref.js:
364         * wasm/references/validation.js:
365         (assert.throws):
366         * wasm/spec-harness/index.js:
367         * wasm/spec-tests/block.wast.js:
368         * wasm/spec-tests/br.wast.js:
369         * wasm/spec-tests/br_if.wast.js:
370         * wasm/spec-tests/call.wast.js:
371         * wasm/spec-tests/call_indirect.wast.js:
372         * wasm/spec-tests/func.wast.js:
373         * wasm/spec-tests/if.wast.js:
374         * wasm/spec-tests/loop.wast.js:
375         * wasm/spec-tests/type.wast.js:
376         * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
377         (buildWat):
378         * wasm/stress/js-wasm-js-varying-arities.js: Added.
379         (paramForwarder):
380         * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
381         (buildWat):
382         * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
383         (buildWat.throwError):
384         (buildWat.throwErrorInIterator):
385         (buildWat.tooManyValues):
386         (buildWat.tooFewValues):
387         (buildWat):
388         * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
389         (buildWat):
390         * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
391         (buildWat):
392         * wasm/wabt-wrapper.js: Added.
393         (export.compile):
394         * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
395         * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
396         * wasm/wast-tests/harness.js:
397         (async.runWasmFile):
398         * wasm/wast-tests/single-param-loop-signature.wasm: Added.
399         * wasm/wast-tests/single-param-loop-signature.wast: Added.
400
401 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
402
403         Make assertion in JSObject::putOwnDataProperty more precise
404         https://bugs.webkit.org/show_bug.cgi?id=202379
405         <rdar://problem/49515980>
406
407         Reviewed by Yusuke Suzuki.
408
409         * stress/object-assign-target-proto-setter.js: Added.
410         (get Object):
411
412 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
413
414         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
415         https://bugs.webkit.org/show_bug.cgi?id=202389
416         <rdar://problem/50717564>
417
418         Reviewed by Mark Lam.
419
420         * stress/heap-analyzer-taking-lock.js: Added.
421
422 2019-09-30  Saam Barati  <sbarati@apple.com>
423
424         Inline caching is wrong for custom accessors and custom values
425         https://bugs.webkit.org/show_bug.cgi?id=201994
426         <rdar://problem/50850326>
427
428         Reviewed by Yusuke Suzuki.
429
430         * microbenchmarks/custom-accessor-materialized.js: Added.
431         (assert):
432         (test4.get const):
433         * microbenchmarks/custom-accessor-thin-air.js: Added.
434         (assert):
435         (test5.get const):
436         (test5.get proto):
437         * microbenchmarks/custom-accessor.js: Added.
438         (assert):
439         (test3.get const):
440         * microbenchmarks/custom-value-2.js: Added.
441         (assert):
442         (test1.getMultiline):
443         (test1):
444         * microbenchmarks/custom-value.js: Added.
445         (assert):
446         (test1.getMultiline):
447         (test1):
448         * stress/custom-accessor-delete-1.js: Added.
449         (assert):
450         (test3.get const):
451         * stress/custom-accessor-delete-2.js: Added.
452         (assert):
453         (test4.get const):
454         * stress/custom-accessor-delete-3.js: Added.
455         (assert):
456         (test5.get const):
457         (test5.get proto):
458         * stress/custom-value-delete-property-1.js: Added.
459         (assert):
460         (test1.getMultiline):
461         (test1):
462         * stress/custom-value-delete-property-2.js: Added.
463         (test2.foo):
464         (test2):
465         * stress/custom-value-delete-property-3.js: Added.
466         (test6.foo):
467         (test6):
468
469 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
470
471         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
472         https://bugs.webkit.org/show_bug.cgi?id=202382
473         <rdar://problem/52669112>
474
475         Reviewed by Saam Barati.
476
477         * stress/compare-eq-bool-number-folding.js: Added.
478         (test):
479
480 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
481
482         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
483         https://bugs.webkit.org/show_bug.cgi?id=202330
484
485         Reviewed by Saam Barati.
486
487         * stress/to-lower-case-gc-stress.js: Added.
488
489 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
490
491         Non-standard Error properties should not be enumerable
492         https://bugs.webkit.org/show_bug.cgi?id=198975
493
494         Reviewed by Ross Kirsling.
495
496         * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
497         * microbenchmarks/let-for-in.js: Adjust test.
498         * test262/expectations.yaml: Mark 6 test cases as passing.
499
500 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
501
502         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
503         https://bugs.webkit.org/show_bug.cgi?id=202299
504         <rdar://problem/52669116>
505
506         Reviewed by Saam Barati.
507
508         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
509         (foo):
510         (test):
511         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
512         (foo):
513         (C1.prototype.baz):
514         (C1):
515         (bar):
516         (noInline.bar.goo):
517         (C2.prototype.baz):
518         (C2):
519         (test):
520
521 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
522
523         toExponential, toFixed, and toPrecision should allow arguments up to 100
524         https://bugs.webkit.org/show_bug.cgi?id=199163
525
526         Reviewed by Ross Kirsling.
527
528         * ChakraCore/test/Number/toString_3.baseline-jsc:
529         * ChakraCore/test/es5/exceptions3.baseline-jsc:
530         * test262/expectations.yaml: Mark 6 test cases as passing.
531
532 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
533
534         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the  result of the trap is undefined
535         https://bugs.webkit.org/show_bug.cgi?id=154376
536
537         Reviewed by Ross Kirsling.
538
539         Adds 2 test cases:
540         1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
541         2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
542
543         * stress/proxy-get-own-property.js:
544
545 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
546
547         [BigInt] Add ValueBitRShift into DFG
548         https://bugs.webkit.org/show_bug.cgi?id=192663
549
550         Reviewed by Robin Morisset.
551
552         * stress/big-int-right-shift-jit-osr.js: Added.
553         * stress/big-int-right-shift-jit-untyped.js: Added.
554         * stress/big-int-right-shift-jit.js: Added.
555         * stress/value-rshift-ai-rule.js: Added.
556
557 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
558
559         Array methods should throw TypeError upon attempting to modify a string
560         https://bugs.webkit.org/show_bug.cgi?id=201910
561
562         Reviewed by Keith Miller.
563
564         * stress/array-methods-should-not-modify-string.js: Added.
565
566         * mozilla/js1_6/Array/regress-304828.js:
567         Fix test. Original copy was changed similarly seven years ago:
568         https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
569
570         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
571         Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
572
573 2019-09-23  Mark Lam  <mark.lam@apple.com>
574
575         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
576         https://bugs.webkit.org/show_bug.cgi?id=202122
577         <rdar://problem/55535249>
578
579         Reviewed by Yusuke Suzuki.
580
581         * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
582
583 2019-09-23  Caio Lima  <ticaiolima@gmail.com>
584
585         Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
586         https://bugs.webkit.org/show_bug.cgi?id=202113
587
588         Unreviewed test gardening, skipped test in ARMv7 and MIPS.
589
590         It is going to be fixed in
591         https://bugs.webkit.org/show_bug.cgi?id=202041
592
593         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
594
595 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
596
597         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
598         https://bugs.webkit.org/show_bug.cgi?id=202072
599
600         Reviewed by Mark Lam.
601
602         * stress/int52rep-with-double-checks-int52-range.js: Added.
603         (shouldBe):
604         (test):
605
606 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
607
608         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
609         https://bugs.webkit.org/show_bug.cgi?id=202011
610
611         Reviewed by Mark Lam.
612
613         We are skipping this test into MIPS and ARMv7 because some of its assumptions
614         are not valid for them. The current behavior of the test in those architectures
615         is that it does not throw during `new ArrayBuffer(1000)` allocation site,
616         because eden collection keeps happening between iterations. The collection
617         is triggered on those architectures because the amount of stress 
618         `new Promise` generates into GC limits is not enough to avoid them
619         while loop is executing.
620
621         Changing the size of `UInt8Array` from `80000000` to `160000000` can
622         be an alternative fix to avoid collection happening during `ArrayBuffer`
623         allocation loop, but we can't guarantee this test is always going to execute
624         without error when Gigacage is disabled, given we can reach an OOM state in
625         some allocations that need to succeed, making this test flaky for those
626         architectures.
627
628         * stress/test-out-of-memory.js:
629
630 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
631
632         AccessCase should strongly visit its dependencies while on stack
633         https://bugs.webkit.org/show_bug.cgi?id=201986
634         <rdar://problem/55521953>
635
636         Reviewed by Saam Barati and Yusuke Suzuki.
637
638         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
639         (foo):
640         (warmup):
641
642 2019-09-20  Saam Barati  <sbarati@apple.com>
643
644         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
645
646         * stress/toctou-having-a-bad-time-new-array.js:
647
648 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
649
650         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
651         https://bugs.webkit.org/show_bug.cgi?id=202014
652
653         Reviewed by Saam Barati.
654
655         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
656         (__v0):
657
658 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
659
660         Syntax checker should report duplicate __proto__ properties
661         https://bugs.webkit.org/show_bug.cgi?id=201897
662         <rdar://problem/53201788>
663
664         Reviewed by Mark Lam.
665
666         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
667         (catch):
668
669 2019-09-18  Saam Barati  <sbarati@apple.com>
670
671         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
672         https://bugs.webkit.org/show_bug.cgi?id=201953
673         <rdar://problem/53803524>
674
675         Reviewed by Yusuke Suzuki.
676
677         * stress/toctou-having-a-bad-time-new-array.js: Added.
678         (let.code):
679
680 2019-09-18  Saam Barati  <sbarati@apple.com>
681
682         Phantom insertion phase may disagree with arguments forwarding about live ranges
683         https://bugs.webkit.org/show_bug.cgi?id=200715
684         <rdar://problem/54301717>
685
686         Reviewed by Yusuke Suzuki.
687
688         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
689         (main.v23):
690         (main.try.v43):
691         (main.):
692         (main):
693
694 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
695
696         [JSC] Generator should have internal fields
697         https://bugs.webkit.org/show_bug.cgi?id=201159
698
699         Reviewed by Keith Miller.
700
701         * stress/create-generator.js: Added.
702         (shouldBe):
703         (test.generator):
704         (test):
705         * stress/generator-construct-failure.js: Added.
706         (shouldThrow):
707         (TypeError):
708         * stress/generator-prototype-change.js: Added.
709         (shouldBe):
710         (gen):
711         * stress/generator-prototype-closure.js: Added.
712         (shouldBe):
713         (test.gen):
714         (test):
715         * stress/object-assign-fast-path.js:
716
717 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
718
719         Follow-up after String.codePointAt optimization
720         https://bugs.webkit.org/show_bug.cgi?id=201889
721
722         Reviewed by Saam Barati.
723
724         * stress/string-char-at-bad-type.js: Added.
725         (shouldBe):
726         (object.toString):
727         (test):
728         * stress/string-char-code-at-bad-type.js: Added.
729         (shouldBe):
730         (object.toString):
731         (test):
732         * stress/string-code-point-at-bad-type.js: Added.
733         (shouldBe):
734         (object.toString):
735         (test):
736
737 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
738
739         [JSC] CheckArray+NonArray is not filtering out Array in AI
740         https://bugs.webkit.org/show_bug.cgi?id=201857
741         <rdar://problem/54194820>
742
743         Reviewed by Keith Miller.
744
745         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
746         (foo):
747
748 2019-09-17  Saam Barati  <sbarati@apple.com>
749
750         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
751         https://bugs.webkit.org/show_bug.cgi?id=201853
752         <rdar://problem/53805461>
753
754         Reviewed by Yusuke Suzuki.
755
756         * stress/direct-arguments-check-array-filter-type.js: Added.
757         (foo):
758
759 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
760
761         Wasm StreamingParser should validate that number of functions matches number of declarations
762         https://bugs.webkit.org/show_bug.cgi?id=201850
763         <rdar://problem/55290186>
764
765         Reviewed by Yusuke Suzuki.
766
767         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
768         (catch):
769
770 2019-09-16  Michael Saboff  <msaboff@apple.com>
771
772         [JSC] Perform check again when we found non-BMP characters
773         https://bugs.webkit.org/show_bug.cgi?id=201647
774
775         Reviewed by Yusuke Suzuki.
776
777         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
778         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
779         (testRegExpInbounds):
780
781 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
782
783         [JSC] Add missing syntax errors for await in function parameter default expressions
784         https://bugs.webkit.org/show_bug.cgi?id=201615
785
786         Reviewed by Darin Adler.
787
788         * stress/async-await-reserved-word.js:
789         * stress/async-await-syntax.js:
790         Add test cases.
791
792         * test262/expectations.yaml:
793         Mark newly-passing test cases.
794
795 2019-09-16  Saam Barati  <sbarati@apple.com>
796
797         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
798         https://bugs.webkit.org/show_bug.cgi?id=200386
799         <rdar://problem/53854946>
800
801         Reviewed by Yusuke Suzuki.
802
803         * stress/proxy-__proto__-in-prototype-chain.js: Added.
804         * stress/proxy-property-replace-structure-transition.js: Added.
805
806 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
807
808         Date.prototype.toJSON does not execute steps 1-2
809         https://bugs.webkit.org/show_bug.cgi?id=105282
810
811         Reviewed by Ross Kirsling.
812
813         * test262/expectations.yaml: Mark 2 test cases as passing.
814
815 2019-09-12  Mark Lam  <mark.lam@apple.com>
816
817         Harden JSC against the abuse of runtime options.
818         https://bugs.webkit.org/show_bug.cgi?id=201597
819         <rdar://problem/55167068>
820
821         Reviewed by Filip Pizlo.
822
823         Remove the call to forceGCSlowPaths().  This utility function will be removed.
824         The modern way to set the required option is to use //@ requireOptions.
825
826         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
827
828 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
829
830         [JSC] Add StringCodePointAt intrinsic
831         https://bugs.webkit.org/show_bug.cgi?id=201673
832
833         Reviewed by Michael Saboff.
834
835         * stress/string-char-at-constant-index-out-of-range.js: Added.
836         (shouldBe):
837         (test):
838         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
839         (shouldBe):
840         (test):
841         * stress/string-code-point-at--out-of-range.js: Added.
842         (shouldBe):
843         (test):
844         * stress/string-code-point-at-basic.js: Added.
845         (test):
846         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
847         (shouldBe):
848         (test):
849         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
850         (shouldBe):
851         (test):
852         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
853         (shouldBe):
854         (test):
855         (breaking):
856         * stress/string-code-point-at-surrogate-pair.js: Added.
857         (shouldBe):
858         * stress/string-code-point-at.js: Added.
859         (shouldBe):
860
861 2019-09-10  Michael Saboff  <msaboff@apple.com>
862
863         JSC crashes due to stack overflow while building RegExp
864         https://bugs.webkit.org/show_bug.cgi?id=201649
865
866         Reviewed by Yusuke Suzuki.
867
868         New regression test.
869
870         * stress/regexp-bol-optimize-out-of-stack.js: Added.
871         (test):
872         (catch):
873
874 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
875
876         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
877         https://bugs.webkit.org/show_bug.cgi?id=189043
878
879         Reviewed by Keith Miller.
880
881         The offset performing the validation becomes a bit different.
882         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
883
884         * wasm/js-api/version.js:
885
886 2019-09-07  Keith Miller  <keith_miller@apple.com>
887
888         OSR entry into wasm misses some contexts
889         https://bugs.webkit.org/show_bug.cgi?id=201569
890
891         Reviewed by Yusuke Suzuki.
892
893         Add a new harness and wast and the generated wasm file for
894         testing. The idea long term is to make it easy to test by creating
895         a C file and converting it to a wast then modify that to produce a
896         test.
897
898         * wasm.yaml:
899         * wasm/wast-tests/harness.js: Added.
900         (async.runWasmFile):
901         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
902         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
903         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
904         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
905         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
906         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
907         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
908         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
909
910 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
911
912         [JSC] Promise resolve/reject functions should be created more efficiently
913         https://bugs.webkit.org/show_bug.cgi?id=201488
914
915         Reviewed by Mark Lam.
916
917         * microbenchmarks/promise-creation-many.js: Added.
918         (executor):
919
920 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
921
922         Unreviewed JSC test gardening.
923
924         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
925         This test allocates a 2GB string before it goes out and tests
926         out-of-memory exception when appending other strings to it. As such,
927         skip the test on memory-limited platforms.
928
929 2019-09-07  Mark Lam  <mark.lam@apple.com>
930
931         The jsc shell should allow disabling of the Gigacage for testing purposes.
932         https://bugs.webkit.org/show_bug.cgi?id=201579
933
934         Reviewed by Michael Saboff.
935
936         Unskip the tests now.
937
938         * stress/disable-gigacage-arrays.js:
939         * stress/disable-gigacage-strings.js:
940         * stress/disable-gigacage-typed-arrays.js:
941
942 2019-09-07  Mark Lam  <mark.lam@apple.com>
943
944         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
945
946         Not reviewed.
947
948         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
949
950         * stress/disable-gigacage-arrays.js:
951         * stress/disable-gigacage-strings.js:
952         * stress/disable-gigacage-typed-arrays.js:
953
954 2019-09-07  Mark Lam  <mark.lam@apple.com>
955
956         Gardening: speculative test fix to green bots [attempt #2].
957         https://bugs.webkit.org/show_bug.cgi?id=201529
958         <rdar://problem/53935772>
959
960         Not reviewed.
961
962         * stress/test-out-of-memory.js:
963
964 2019-09-06  Mark Lam  <mark.lam@apple.com>
965
966         Gardening: speculative test fix to green bots.
967         https://bugs.webkit.org/show_bug.cgi?id=201529
968         <rdar://problem/53935772>
969
970         Not reviewed.
971
972         * stress/test-out-of-memory.js:
973
974 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
975
976         Math.round() produces wrong result for value prior to 0.5
977         https://bugs.webkit.org/show_bug.cgi?id=185115
978
979         Reviewed by Saam Barati.
980
981         * stress/math-round-basics.js:
982         Add positive/negative test cases.
983
984         * test262/expectations.yaml:
985         Mark test passing.
986
987 2019-09-06  Mark Lam  <mark.lam@apple.com>
988
989         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
990         https://bugs.webkit.org/show_bug.cgi?id=201551
991
992         Reviewed by Tadeu Zagallo.
993
994         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
995
996         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
997         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
998
999 2019-09-06  Mark Lam  <mark.lam@apple.com>
1000
1001         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
1002         https://bugs.webkit.org/show_bug.cgi?id=201529
1003         <rdar://problem/53935772>
1004
1005         Reviewed by Yusuke Suzuki.
1006
1007         * stress/test-out-of-memory.js: Added.
1008
1009 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
1010
1011         LazyClassStructure::setConstructor should not store the constructor to the global object
1012         https://bugs.webkit.org/show_bug.cgi?id=201484
1013         <rdar://problem/50400451>
1014
1015         Reviewed by Yusuke Suzuki.
1016
1017         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
1018
1019 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1020
1021         [JSC] Do not use FTLOutput::weakPointer directly
1022         https://bugs.webkit.org/show_bug.cgi?id=201495
1023
1024         Reviewed by Filip Pizlo.
1025
1026         * stress/create-promise-weak-pointer.js: Added.
1027         (foo):
1028
1029 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1030
1031         [JSC] Make Promise implementation faster
1032         https://bugs.webkit.org/show_bug.cgi?id=200898
1033
1034         Reviewed by Saam Barati.
1035
1036         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1037         (assert.assert.return.throws):
1038         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
1039         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
1040         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
1041         (shouldThrow):
1042         (new.Promise):
1043         (shouldThrow.Promise):
1044         * stress/create-promise-should-respect-promise-realm.js: Added.
1045         (shouldBe):
1046         (other.new.OtherPromise):
1047         (DerivedOtherPromise):
1048         (i.promise.new.DerivedOtherPromise):
1049         (createPromise):
1050         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
1051         (shouldBe):
1052         (DerivedPromise):
1053         (i.array.push.new.DerivedPromise):
1054         (promise.new.DerivedPromise):
1055         * stress/derived-promise-constructor-inlined.js: Added.
1056         (shouldBe):
1057         (DerivedPromise):
1058         (i.array.push.new.DerivedPromise):
1059         (DerivedPromise.all.array.then):
1060         * stress/derived-promise-prototype-replaced.js: Added.
1061         (shouldBe):
1062         (DerivedPromise):
1063         (i.array.push.new.DerivedPromise):
1064         (promise.new.DerivedPromise):
1065         * stress/internal-promise-constructor-not-confusing.js: Added.
1066         (shouldBe):
1067         (InternalPromise.vm.createBuiltin):
1068         (DerivedPromise):
1069         * stress/internal-promise-is-not-exposed.js: Added.
1070         (shouldBe):
1071         * stress/new-promise-should-respect-promise-realm.js: Added.
1072         (shouldBe):
1073         (other.new.OtherPromise):
1074         (createPromise):
1075         * stress/promise-cannot-be-called.js:
1076         (shouldThrow):
1077         * stress/promise-capability-fast-path.js: Added.
1078         (shouldBe):
1079         (i.array.push.new.Promise):
1080         (i.array.i.then):
1081         * stress/promise-capability-slow-path.js: Added.
1082         (shouldBe):
1083         (Promise.prototype.then):
1084         (i.array.push.new.Promise):
1085         (i.array.i.then):
1086         * stress/promise-capability-then-slow-path.js: Added.
1087         (shouldBe):
1088         (DerivedPromise):
1089         (DerivedPromise.prototype.then):
1090         (i.array.push.new.DerivedPromise):
1091         (i.array.i.then):
1092         * stress/promise-constructor-inlined.js: Added.
1093         (shouldBe):
1094         (i.array.push.new.Promise):
1095         (Promise.all.array.then):
1096         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
1097         (shouldBe):
1098         (DerivedPromise):
1099         (DerivedPromise2):
1100         (i.array.push.new.DerivedPromise):
1101         (i.array2.push.new.DerivedPromise2):
1102         * stress/without-promise-functions.js: Added.
1103         (shouldBe):
1104         (async):
1105
1106 2019-09-03  Mark Lam  <mark.lam@apple.com>
1107
1108         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
1109         https://bugs.webkit.org/show_bug.cgi?id=201309
1110         <rdar://problem/54832121>
1111
1112         Reviewed by Yusuke Suzuki.
1113
1114         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
1115
1116 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1117
1118         [JSC] Generate new.target register only when it is used
1119         https://bugs.webkit.org/show_bug.cgi?id=201335
1120
1121         Reviewed by Mark Lam.
1122
1123         * stress/ensure-new-register-allocated.js: Added.
1124         (shouldBe):
1125         (basic):
1126         (arrow):
1127         (Base):
1128         (Derived):
1129         (evaluate):
1130
1131 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1132
1133         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
1134         https://bugs.webkit.org/show_bug.cgi?id=201331
1135
1136         Reviewed by Mark Lam.
1137
1138         * stress/simple-jump-table-copy.js: Added.
1139         (let.code):
1140         (g2):
1141
1142 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
1143
1144         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
1145         https://bugs.webkit.org/show_bug.cgi?id=201332
1146
1147         Reviewed by Mark Lam.
1148
1149         This test is very flaky, it is hard to reproduce.
1150
1151         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
1152         (code):
1153
1154 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1155
1156         [JSC] Repatch should construct CallCases and CasesValue at the same time
1157         https://bugs.webkit.org/show_bug.cgi?id=201325
1158
1159         Reviewed by Saam Barati.
1160
1161         * stress/repatch-switch.js: Added.
1162         (main.f2.f0):
1163         (main.f2.f3):
1164         (main.f2.f1):
1165         (main.f2):
1166         (main):
1167
1168 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
1169
1170         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
1171         https://bugs.webkit.org/show_bug.cgi?id=198650
1172
1173         Reviewed by Saam Barati.
1174
1175         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
1176         (main.v0):
1177         (main):
1178
1179 2019-08-28  Mark Lam  <mark.lam@apple.com>
1180
1181         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
1182         https://bugs.webkit.org/show_bug.cgi?id=201281
1183         <rdar://problem/54028228>
1184
1185         Reviewed by Yusuke Suzuki and Saam Barati.
1186
1187         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
1188
1189 2019-08-28  Mark Lam  <mark.lam@apple.com>
1190
1191         Placate exception check validation in DFG's operationHasGenericProperty().
1192         https://bugs.webkit.org/show_bug.cgi?id=201245
1193         <rdar://problem/54777512>
1194
1195         Reviewed by Robin Morisset.
1196
1197         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
1198
1199 2019-08-27  Mark Lam  <mark.lam@apple.com>
1200
1201         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
1202         https://bugs.webkit.org/show_bug.cgi?id=201196
1203         <rdar://problem/54703775>
1204
1205         Reviewed by Yusuke Suzuki.
1206
1207         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
1208
1209 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
1210
1211         [JSC] Ensure x?.y ?? z is fast
1212         https://bugs.webkit.org/show_bug.cgi?id=200875
1213
1214         Reviewed by Yusuke Suzuki.
1215
1216         * stress/nullish-coalescing.js:
1217
1218 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
1219
1220         Remove MaximalFlushInsertionPhase
1221         https://bugs.webkit.org/show_bug.cgi?id=201036
1222
1223         Reviewed by Saam Barati.
1224
1225         Remove all the references to maximal flush
1226
1227         * stress/arith-ceil-on-various-types.js:
1228         (checkCompileCountForUselessNegativeZero):
1229         * stress/arith-floor-on-various-types.js:
1230         (checkCompileCountForUselessNegativeZero):
1231         * stress/arith-negate-on-various-types.js:
1232         (checkCompileCountForUselessNegativeZero):
1233         * stress/arith-round-on-various-types.js:
1234         (checkCompileCountForUselessNegativeZero):
1235         * stress/arith-trunc-on-various-types.js:
1236         (checkCompileCountForUselessNegativeZero):
1237         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
1238         * stress/has-indexed-property-should-accept-non-int32.js:
1239         * stress/has-indexed-property-with-worsening-array-mode.js:
1240         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
1241         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
1242         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1243         * stress/rest-parameter-many-arguments.js:
1244         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
1245         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
1246         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
1247
1248 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
1249
1250         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
1251         https://bugs.webkit.org/show_bug.cgi?id=200952
1252
1253         Reviewed by Saam Barati.
1254
1255         * wasm/references/func_ref.js:
1256         (assert.throws):
1257
1258 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
1259
1260         Add missing exception check in canonicalizeLocaleList
1261         https://bugs.webkit.org/show_bug.cgi?id=201021
1262
1263         Reviewed by Mark Lam.
1264
1265         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
1266         (catch):
1267
1268 2019-08-21  Mark Lam  <mark.lam@apple.com>
1269
1270         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
1271         https://bugs.webkit.org/show_bug.cgi?id=201016
1272         <rdar://problem/54579911>
1273
1274         Reviewed by Yusuke Suzuki.
1275
1276         * wasm/stress/too-many-locals.js: Added.
1277         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
1278
1279 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
1280
1281         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
1282         https://bugs.webkit.org/show_bug.cgi?id=200965
1283
1284         Reviewed by Saam Barati.
1285
1286         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
1287         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
1288
1289         * stress/optional-chaining.js:
1290
1291 2019-08-21  Michael Saboff  <msaboff@apple.com>
1292
1293         [JSC] incorrent JIT lead to StackOverflow
1294         https://bugs.webkit.org/show_bug.cgi?id=197823
1295
1296         Reviewed by Tadeu Zagallo.
1297
1298         New test.
1299
1300         * stress/bound-function-stack-overflow.js: Added.
1301         (foo):
1302         (catch):
1303
1304 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1305
1306         Identify memcpy loops in b3
1307         https://bugs.webkit.org/show_bug.cgi?id=200181
1308
1309         Reviewed by Saam Barati.
1310
1311         * microbenchmarks/memcpy-loop.js: Added.
1312         (doTest):
1313         (let.arr1):
1314         * microbenchmarks/memcpy-typed-loop-large.js: Added.
1315         (doTest):
1316         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
1317         (arr2):
1318         * microbenchmarks/memcpy-typed-loop-small.js: Added.
1319         (doTest):
1320         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1321         (16.arr2):
1322         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
1323         (doTest):
1324         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
1325         (arr2):
1326         * microbenchmarks/memcpy-wasm-large.js: Added.
1327         (typeof.WebAssembly.string_appeared_here.eq):
1328         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1329         * microbenchmarks/memcpy-wasm-medium.js: Added.
1330         (typeof.WebAssembly.string_appeared_here.eq):
1331         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1332         * microbenchmarks/memcpy-wasm-small.js: Added.
1333         (typeof.WebAssembly.string_appeared_here.eq):
1334         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1335         * microbenchmarks/memcpy-wasm.js: Added.
1336         (typeof.WebAssembly.string_appeared_here.eq):
1337         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1338         * stress/memcpy-typed-loops.js: Added.
1339         (noLoop):
1340         (invalidStart):
1341         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1342         (arr2):
1343         * wasm/function-tests/memcpy-wasm-loop.js: Added.
1344         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
1345         (string_appeared_here):
1346
1347 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
1348
1349         [JSC] Array.prototype.toString should not get "join" function each time
1350         https://bugs.webkit.org/show_bug.cgi?id=200905
1351
1352         Reviewed by Mark Lam.
1353
1354         * stress/array-prototype-join-change.js: Added.
1355         (shouldBe):
1356         (array2.join):
1357         (DerivedArray):
1358         (DerivedArray.prototype.join):
1359         (array3.__proto__.join):
1360         (Array.prototype.join):
1361
1362 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1363
1364         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1365         https://bugs.webkit.org/show_bug.cgi?id=200782
1366
1367         Reviewed by Saam Barati.
1368
1369         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
1370
1371         * microbenchmarks/memcpy-typed-loop.js:
1372         * stress/int8-repeat-in-then-out-of-bounds.js:
1373
1374 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1375
1376         Proxy constructor should throw if handler is revoked Proxy
1377         https://bugs.webkit.org/show_bug.cgi?id=198755
1378
1379         Reviewed by Saam Barati.
1380
1381         * stress/proxy-revoke.js: Adjust error message.
1382         * test262/expectations.yaml: Mark 2 test cases as passing.
1383
1384 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1385
1386         [JSC] OSR entry to Wasm OMG
1387         https://bugs.webkit.org/show_bug.cgi?id=200362
1388
1389         Reviewed by Michael Saboff.
1390
1391         * wasm/stress/osr-entry-basic.js: Added.
1392         (instance.exports.loop):
1393         * wasm/stress/osr-entry-many-locals-f32.js: Added.
1394         * wasm/stress/osr-entry-many-locals-f64.js: Added.
1395         * wasm/stress/osr-entry-many-locals-i32.js: Added.
1396         * wasm/stress/osr-entry-many-locals-i64.js: Added.
1397         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
1398         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
1399         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
1400         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
1401
1402 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1403
1404         Date.prototype.toJSON throws if toISOString returns an object
1405         https://bugs.webkit.org/show_bug.cgi?id=198495
1406
1407         Reviewed by Ross Kirsling.
1408
1409         * test262/expectations.yaml: Mark 6 test cases as passing.
1410
1411 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1412
1413         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
1414         https://bugs.webkit.org/show_bug.cgi?id=200899
1415         <rdar://problem/54073341>
1416
1417         Reviewed by Mark Lam.
1418
1419         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
1420         (i.new.Promise):
1421         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
1422         (i.new.Promise):
1423
1424 2019-08-19  Michael Saboff  <msaboff@apple.com>
1425
1426         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
1427         https://bugs.webkit.org/show_bug.cgi?id=197090
1428
1429         Reviewed by Yusuke Suzuki.
1430
1431         New test.
1432
1433         * stress/regexp-nonconsuming-counted-parens.js: Added.
1434
1435 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
1436
1437         [JSC] Correct a->an in error messages and API docblocks
1438         https://bugs.webkit.org/show_bug.cgi?id=200833
1439
1440         Reviewed by Don Olmstead.
1441
1442         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1443         (assert.assert.return.throws):
1444         * stress/promise-finally-should-accept-non-promise-objects.js:
1445         * wasm/js-api/table.js:
1446         (assert.throws):
1447
1448 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1449
1450         [ESNext] Implement optional chaining
1451         https://bugs.webkit.org/show_bug.cgi?id=200199
1452
1453         Reviewed by Yusuke Suzuki.
1454
1455         * stress/nullish-coalescing.js:
1456         * stress/optional-chaining.js: Added.
1457         * stress/tail-call-recognize.js:
1458
1459 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1460
1461         [ESNext] Support hashbang.
1462         https://bugs.webkit.org/show_bug.cgi?id=200865
1463
1464         Reviewed by Mark Lam.
1465
1466         * stress/hashbang.js: Added.
1467         * test262/expectations.yaml: Mark 6 cases as passing.
1468
1469 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
1470
1471         [JSC] DFG ToNumber should support Boolean in fixup
1472         https://bugs.webkit.org/show_bug.cgi?id=200864
1473
1474         Reviewed by Mark Lam.
1475
1476         * microbenchmarks/to-number-boolean.js: Added.
1477         (test):
1478         * stress/to-number-boolean-int32.js: Added.
1479         (shouldBe):
1480         (test):
1481         (check):
1482         * stress/to-number-boolean.js: Added.
1483         (shouldBe):
1484         (test):
1485         (check):
1486         * stress/to-number-int32.js: Added.
1487         (shouldBe):
1488         (test):
1489         (check):
1490
1491 2019-08-16  Mark Lam  <mark.lam@apple.com>
1492
1493         More missing exception checks in string comparison operators.
1494         https://bugs.webkit.org/show_bug.cgi?id=200844
1495         <rdar://problem/54378684>
1496
1497         Reviewed by Saam Barati.
1498
1499         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
1500         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
1501         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
1502         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
1503
1504 2019-08-16  Mark Lam  <mark.lam@apple.com>
1505
1506         CodeBlock destructor should clear all of its watchpoints.
1507         https://bugs.webkit.org/show_bug.cgi?id=200792
1508         <rdar://problem/53947800>
1509
1510         Reviewed by Yusuke Suzuki.
1511
1512         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
1513
1514 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
1515
1516         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1517         https://bugs.webkit.org/show_bug.cgi?id=200782
1518
1519         Reviewed by Saam Barati.
1520
1521         * microbenchmarks/int8-out-of-bounds.js: Added.
1522         (foo):
1523         * microbenchmarks/memcpy-typed-loop.js: Added.
1524         (doTest):
1525         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
1526         (arr2):
1527         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
1528         (foo):
1529
1530 2019-08-16  Mark Lam  <mark.lam@apple.com>
1531
1532         [Re-land] ProxyObject should not be allow to access its target's private properties.
1533         https://bugs.webkit.org/show_bug.cgi?id=200739
1534         <rdar://problem/53972768>
1535
1536         Reviewed by Yusuke Suzuki.
1537
1538         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
1539         * stress/proxy-with-private-symbols.js:
1540
1541 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
1542
1543         [JSC] Promise.prototype.finally should accept non-promise objects
1544         https://bugs.webkit.org/show_bug.cgi?id=200829
1545
1546         Reviewed by Mark Lam.
1547
1548         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
1549         (shouldBe):
1550         (Thenable):
1551         (Thenable.prototype.then):
1552
1553 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
1554
1555         Promise constructor should check argument before [[Construct]]
1556         https://bugs.webkit.org/show_bug.cgi?id=198976
1557
1558         Reviewed by Ross Kirsling.
1559
1560         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
1561         * stress/create-subclass-structure-might-throw.js: Fix test.
1562         * test262/expectations.yaml: Mark 2 test cases as passing.
1563
1564 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
1565
1566         Unreviewed, rolling out r248709.
1567
1568         Caused test/built-ins/Promise/prototype/finally/this-value-
1569         non-promise.js to fail on test262 bot
1570
1571         Reverted changeset:
1572
1573         "ProxyObject should not be allow to access its target's
1574         private properties."
1575         https://bugs.webkit.org/show_bug.cgi?id=200739
1576         https://trac.webkit.org/changeset/248709
1577
1578 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1579
1580         DateConversion::formatDateTime incorrectly formats negative years
1581         https://bugs.webkit.org/show_bug.cgi?id=199964
1582
1583         Reviewed by Ross Kirsling.
1584
1585         * test262/expectations.yaml: Mark 6 test cases as passing.
1586
1587 2019-08-15  Mark Lam  <mark.lam@apple.com>
1588
1589         More missing exception checks in String.prototype.
1590         https://bugs.webkit.org/show_bug.cgi?id=200762
1591         <rdar://problem/54333896>
1592
1593         Reviewed by Michael Saboff.
1594
1595         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1596         * stress/missing-exception-check-in-string-toLower.js: Added.
1597         * stress/missing-exception-check-in-string-toUpper.js: Added.
1598
1599 2019-08-14  Mark Lam  <mark.lam@apple.com>
1600
1601         ProxyObject should not be allow to access its target's private properties.
1602         https://bugs.webkit.org/show_bug.cgi?id=200739
1603         <rdar://problem/53972768>
1604
1605         Reviewed by Yusuke Suzuki.
1606
1607         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1608         * stress/proxy-with-private-symbols.js: Rebased.
1609
1610 2019-08-14  Mark Lam  <mark.lam@apple.com>
1611
1612         Missing exception check in string compare.
1613         https://bugs.webkit.org/show_bug.cgi?id=200743
1614         <rdar://problem/53975356>
1615
1616         Reviewed by Michael Saboff.
1617
1618         * stress/missing-exception-check-in-string-compare.js: Added.
1619
1620 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1621
1622         [JSC] Add "jump if (not) undefined or null" bytecode ops
1623         https://bugs.webkit.org/show_bug.cgi?id=200480
1624
1625         Reviewed by Saam Barati.
1626
1627         * stress/destructuring-assignment-require-object-coercible.js:
1628         * stress/nullish-coalescing.js:
1629
1630 2019-08-05  Michael Saboff  <msaboff@apple.com>
1631
1632         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1633         https://bugs.webkit.org/show_bug.cgi?id=199997
1634
1635         Reviewed by Saam Barati.
1636
1637         New test.
1638
1639         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1640         (checkIntArray):
1641         (checkFloatArray):
1642
1643 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1644
1645         [JSC] Support WebAssembly in SamplingProfiler
1646         https://bugs.webkit.org/show_bug.cgi?id=200329
1647
1648         Reviewed by Saam Barati.
1649
1650         * stress/sampling-profiler-wasm-name-section.js: Added.
1651         (const.compile):
1652         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1653         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1654         * stress/sampling-profiler-wasm.js: Added.
1655         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1656         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1657         * stress/sampling-profiler/loop.wasm: Added.
1658         * stress/sampling-profiler/loop.wast: Added.
1659         * stress/sampling-profiler/nameSection.wasm: Added.
1660
1661 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1662
1663         [JSC] LazyJSValue should be robust for empty JSValue
1664         https://bugs.webkit.org/show_bug.cgi?id=200388
1665
1666         Reviewed by Saam Barati.
1667
1668         * stress/switch-constant-child-becomes-empty.js: Added.
1669         (foo):
1670
1671 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1672
1673         GetterSetter type confusion during DFG compilation
1674         https://bugs.webkit.org/show_bug.cgi?id=199903
1675
1676         Reviewed by Mark Lam.
1677
1678         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1679
1680 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1681
1682         Update Test262 (2019.08.01)
1683         https://bugs.webkit.org/show_bug.cgi?id=200351
1684
1685         Reviewed by Keith Miller.
1686
1687         * test262/expectations.yaml:
1688         * test262/harness/testIntl.js:
1689         * test262/latest-changes-summary.txt:
1690         * test262/test/:
1691         * test262/test262-Revision.txt:
1692
1693 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1694
1695         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1696         https://bugs.webkit.org/show_bug.cgi?id=200192
1697
1698         Reviewed by Saam Barati.
1699
1700         * stress/structure-chain-stress.js: Added.
1701         (keys):
1702
1703 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1704
1705         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1706         https://bugs.webkit.org/show_bug.cgi?id=200196
1707
1708         Reviewed by Robin Morisset.
1709
1710         * stress/reparsing-unlinked-codeblock.js:
1711
1712 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1713
1714         [X86] Emit BT instruction for shift + mask in B3
1715         https://bugs.webkit.org/show_bug.cgi?id=199891
1716
1717         Reviewed by Robin Morisset.
1718
1719         Lower the number of iterations to fix debug timeouts.
1720
1721         * microbenchmarks/bit-test-load.js:
1722         (i):
1723
1724 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1725
1726         [X86] Emit BT instruction for shift + mask in B3
1727         https://bugs.webkit.org/show_bug.cgi?id=199891
1728
1729         Reviewed by Keith Miller.
1730
1731         * microbenchmarks/bit-test-constant.js: Added.
1732         (let.glob.0.doTest):
1733         * microbenchmarks/bit-test-load.js: Added.
1734         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1735         (i):
1736         * microbenchmarks/bit-test-nonconstant.js: Added.
1737         (let.glob.0.doTest):
1738
1739 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1740
1741         [JSC] Potential GC fix for JSPropertyNameEnumerator
1742         https://bugs.webkit.org/show_bug.cgi?id=200151
1743
1744         Reviewed by Mark Lam.
1745
1746         * stress/for-in-stress.js: Added.
1747         (keys):
1748
1749 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1750
1751         Legacy numeric literals should not permit separators or BigInt
1752         https://bugs.webkit.org/show_bug.cgi?id=199984
1753
1754         Reviewed by Keith Miller.
1755
1756         * stress/big-int-literals.js:
1757         * stress/numeric-literal-separators.js:
1758
1759 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1760
1761         [ESNext] Implement nullish coalescing
1762         https://bugs.webkit.org/show_bug.cgi?id=200072
1763
1764         Reviewed by Darin Adler.
1765
1766         * stress/nullish-coalescing.js: Added.
1767
1768 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1769
1770         Three checks are missing in Proxy internal methods
1771         https://bugs.webkit.org/show_bug.cgi?id=198630
1772
1773         Reviewed by Darin Adler.
1774
1775         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1776         * test262/expectations.yaml: Mark 6 test cases as passing.
1777
1778 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1779
1780         Sometimes we miss removable CheckInBounds
1781         https://bugs.webkit.org/show_bug.cgi?id=200018
1782
1783         Reviewed by Saam Barati.
1784
1785         * microbenchmarks/typed-array-sum.js: Added.
1786         (doTest):
1787
1788 2019-07-16  Mark Lam  <mark.lam@apple.com>
1789
1790         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1791         https://bugs.webkit.org/show_bug.cgi?id=199821
1792         <rdar://problem/52452328>
1793
1794         Reviewed by Filip Pizlo.
1795
1796         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1797
1798 2019-07-16  Keith Miller  <keith_miller@apple.com>
1799
1800         Unreviewed, test262 gardening.
1801
1802         * test262/expectations.yaml:
1803
1804 2019-07-15  Keith Miller  <keith_miller@apple.com>
1805
1806         A Possible Issue of Object.create method
1807         https://bugs.webkit.org/show_bug.cgi?id=199744
1808
1809         Reviewed by Yusuke Suzuki.
1810
1811         * stress/object-create-non-object-properties-parameter.js: Added.
1812         (catch):
1813
1814 2019-07-15  Keith Miller  <keith_miller@apple.com>
1815
1816         Update test262
1817         https://bugs.webkit.org/show_bug.cgi?id=199801
1818
1819         Rubber-stamped by Yusuke Suzuki.
1820
1821         * test262/expectations.yaml:
1822         * test262/latest-changes-summary.txt:
1823         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1824         (fg.new.FinalizationGroup):
1825         (callback):
1826         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1827         (fg.new.FinalizationGroup):
1828         (callback):
1829         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1830         (fg.new.FinalizationGroup):
1831         (callback):
1832         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1833         (fg.new.FinalizationGroup):
1834         (callback):
1835         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1836         (fg.new.FinalizationGroup):
1837         (callback):
1838         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1839         (fg.new.FinalizationGroup):
1840         (callback):
1841         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1842         (fg.new.FinalizationGroup):
1843         (callback):
1844         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1845         (callback):
1846         (fg.new.FinalizationGroup):
1847         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1848         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1849         (cb):
1850         (fg.new.FinalizationGroup):
1851         (emptyCells):
1852         (async.fn):
1853         (fn.then.async):
1854         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1855         (fg.new.FinalizationGroup):
1856         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1857         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1858         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1859         (newTarget):
1860         (fn):
1861         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1862         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1863         (fn):
1864         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1865         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1866         (newTarget):
1867         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1868         (newTarget):
1869         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1870         (fg.new.FinalizationGroup):
1871         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1872         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1873         (callback):
1874         (fg.new.FinalizationGroup):
1875         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1876         (fg.new.FinalizationGroup):
1877         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1878         (cb):
1879         (fg.new.FinalizationGroup):
1880         (emptyCells):
1881         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1882         (fg.new.FinalizationGroup):
1883         (fg.cleanupSome.cb):
1884         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1885         (callback):
1886         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1887         (fn):
1888         (cb):
1889         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1890         (cb):
1891         (fg.new.FinalizationGroup):
1892         (emptyCells):
1893         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1894         (fg.new.FinalizationGroup):
1895         (callback):
1896         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1897         (fg.new.FinalizationGroup):
1898         (callback):
1899         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1900         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1901         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1902         (poisoned):
1903         (fg.new.FinalizationGroup):
1904         (emptyCells):
1905         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1906         (poisoned):
1907         (emptyCells):
1908         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1909         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1910         (fn):
1911         (cb):
1912         (emptyCells):
1913         (prototype.assert.sameValue.fg.cleanupSome):
1914         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1915         (fn):
1916         (cb):
1917         (poisoned):
1918         (assert.sameValue.fg.cleanupSome):
1919         (prototype.assert.sameValue.fg.cleanupSome):
1920         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1921         (cb):
1922         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1923         (cb):
1924         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1925         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1926         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1927         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1928         (fn):
1929         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1930         (fn):
1931         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1932         (fg.new.FinalizationGroup):
1933         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1934         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1935         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1936         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1937         (fn):
1938         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1939         (fn):
1940         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1941         (fg.new.FinalizationGroup):
1942         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1943         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1944         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1945         (fg.new.FinalizationGroup):
1946         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1947         (fg.new.FinalizationGroup):
1948         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1949         (fg.new.FinalizationGroup):
1950         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1951         (fg.new.FinalizationGroup):
1952         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1953         (fn):
1954         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1955         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1956         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1957         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1958         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1959         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1960         (fn):
1961         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1962         (fg.new.FinalizationGroup):
1963         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1964         (cleanupCallback):
1965         (let.key.of.Object.getOwnPropertyNames):
1966         (set for):
1967         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1968         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1969         (FinalizationGroup):
1970         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1971         (cleanupCallback):
1972         (let.key.of.Object.getOwnPropertyNames):
1973         (set for):
1974         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1975         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1976         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1977         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1978         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1979         (asyncProxy.new.Proxy.async):
1980         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1981         (asyncProxy.new.Proxy.async):
1982         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1983         (setIter.set Symbol):
1984         (set defaultTag):
1985         (gen):
1986         (get return):
1987         (set new):
1988         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1989         (generatorProxy.new.Proxy):
1990         (asyncProxy.new.Proxy.async):
1991         * test262/test/built-ins/Object/subclass-object-arg.js:
1992         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1993         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1994         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1995         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1996         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1997         * test262/test/built-ins/Promise/executor-function-name.js:
1998         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1999         * test262/test/built-ins/Promise/reject-function-name.js:
2000         * test262/test/built-ins/Promise/resolve-function-name.js:
2001         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
2002         * test262/test/built-ins/WeakRef/constructor.js: Added.
2003         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
2004         * test262/test/built-ins/WeakRef/length.js: Added.
2005         * test262/test/built-ins/WeakRef/name.js: Added.
2006         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
2007         (newTarget):
2008         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
2009         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
2010         * test262/test/built-ins/WeakRef/proto.js: Added.
2011         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
2012         (newTarget):
2013         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
2014         (newTarget):
2015         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
2016         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
2017         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
2018         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
2019         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
2020         (emptyCells):
2021         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
2022         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
2023         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
2024         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
2025         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
2026         (fg.new.FinalizationGroup):
2027         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
2028         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
2029         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
2030         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
2031         (let.key.of.Object.getOwnPropertyNames):
2032         (set for):
2033         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
2034         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
2035         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
2036         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
2037         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
2038         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
2039         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
2040         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
2041         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
2042         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
2043         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
2044         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
2045         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
2046         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
2047         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
2048         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
2049         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
2050         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
2051         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
2052         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
2053         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
2054         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
2055         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
2056         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
2057         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
2058         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
2059         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
2060         (assertParts):
2061         (assertPartsNumeric):
2062         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
2063         (assertParts):
2064         (assertPartsNumeric):
2065         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
2066         (assertParts):
2067         (assertPartsNumeric):
2068         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
2069         (assertParts):
2070         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
2071         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
2072         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
2073         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
2074         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
2075         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
2076         (C.prototype.method):
2077         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
2078         (C.prototype.method.innerFunction):
2079         (C.prototype.method):
2080         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
2081         (C):
2082         (C.method):
2083         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
2084         (C):
2085         (C.method.innerFunction):
2086         (C.method):
2087         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
2088         (C):
2089         (C.checkPrivateGetter):
2090         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
2091         (C):
2092         (C.method):
2093         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
2094         (C):
2095         (C.method.innerFunction):
2096         (C.method):
2097         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
2098         (C):
2099         (C.checkPrivateMethod):
2100         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
2101         (C):
2102         (C.method):
2103         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
2104         (C):
2105         (C.method.innerFunction):
2106         (C.method):
2107         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
2108         (C):
2109         (C.checkPrivateSetter):
2110         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2111         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2112         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2113         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
2114         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2115         (let.classStringExpression):
2116         (let.classStringExpression.access):
2117         (let.createAndInstantiateClass):
2118         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2119         (let.classStringExpression):
2120         (let.classStringExpression.access):
2121         (let.createAndInstantiateClass):
2122         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2123         (const.C):
2124         (let.createAndInstantiateClass):
2125         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2126         (let.classStringExpression.return.prototype.m):
2127         (let.classStringExpression.return.prototype.access):
2128         (let.createAndInstantiateClass):
2129         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2130         (let.classStringExpression.return.prototype.m):
2131         (let.classStringExpression.return.prototype.access):
2132         (let.createAndInstantiateClass):
2133         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2134         (let.classStringExpression):
2135         (let.classStringExpression.access):
2136         (let.createAndInstantiateClass):
2137         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2138         (let.classStringExpression.prototype.m):
2139         (let.classStringExpression.prototype.access):
2140         (let.classStringExpression):
2141         (let.createAndInstantiateClass):
2142         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2143         (let.classStringExpression.prototype.m):
2144         (let.classStringExpression.prototype.access):
2145         (let.classStringExpression):
2146         (let.createAndInstantiateClass):
2147         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2148         (const.C):
2149         (let.createAndInstantiateClass):
2150         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2151         (let.classStringExpression.return.C.prototype.m):
2152         (let.classStringExpression.return.C.prototype.access):
2153         (let.classStringExpression.return.C):
2154         (let.createAndInstantiateClass):
2155         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2156         (let.classStringExpression.return.C.prototype.m):
2157         (let.classStringExpression.return.C.prototype.access):
2158         (let.classStringExpression.return.C):
2159         (let.createAndInstantiateClass):
2160         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2161         (let.classStringExpression):
2162         (let.classStringExpression.access):
2163         (let.createAndInstantiateClass):
2164         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2165         (let.classStringExpression):
2166         (let.classStringExpression.access):
2167         (let.createAndInstantiateClass):
2168         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2169         (let.classStringExpression):
2170         (let.classStringExpression.access):
2171         (let.createAndInstantiateClass):
2172         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2173         (const.C):
2174         (let.createAndInstantiateClass):
2175         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2176         (let.classStringExpression.return.prototype.m):
2177         (let.classStringExpression.return.prototype.access):
2178         (let.createAndInstantiateClass):
2179         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2180         (let.classStringExpression.return.prototype.m):
2181         (let.classStringExpression.return.prototype.access):
2182         (let.createAndInstantiateClass):
2183         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
2184         (let.classStringExpression):
2185         (let.classStringExpression.access):
2186         (let.createAndInstantiateClass):
2187         * test262/test/language/expressions/new.target/unary-expr.js: Added.
2188         (new):
2189         (async):
2190         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
2191         (A):
2192         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
2193         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
2194         * test262/test/language/identifiers/vals-cjk.js: Added.
2195         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
2196         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
2197         (C.prototype.method):
2198         (C):
2199         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
2200         (C.prototype.method.innerFunction):
2201         (C.prototype.method):
2202         (C):
2203         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
2204         (C.prototype.checkPrivateField):
2205         (C):
2206         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
2207         (C):
2208         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
2209         (C.prototype.getWithEval):
2210         (C):
2211         (D):
2212         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
2213         (C.prototype.get m):
2214         (C.prototype.method):
2215         (C):
2216         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
2217         (C.prototype.get m):
2218         (C.prototype.method.innerFunction):
2219         (C.prototype.method):
2220         (C):
2221         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
2222         (let.createAndInstantiateClass):
2223         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
2224         (C.prototype.get m):
2225         (C.prototype.checkPrivateGetter):
2226         (C):
2227         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
2228         (C.prototype.get m):
2229         (C.prototype.checkPrivateGetter):
2230         (C):
2231         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
2232         (C.prototype.get m):
2233         (C):
2234         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
2235         (C.prototype.get m):
2236         (C.prototype.getWithEval):
2237         (C):
2238         (D.prototype.get m):
2239         (D):
2240         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
2241         (C.prototype.m):
2242         (C.prototype.method):
2243         (C):
2244         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
2245         (C.prototype.m):
2246         (C.prototype.method.innerFunction):
2247         (C.prototype.method):
2248         (C):
2249         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
2250         (C.prototype.m):
2251         (C.prototype.checkPrivateMethod):
2252         (C):
2253         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
2254         (C.prototype.m):
2255         (C.prototype.checkPrivateMethod):
2256         (C):
2257         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
2258         (C.prototype.m):
2259         (C):
2260         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
2261         (C.prototype.m):
2262         (C.prototype.getWithEval):
2263         (C):
2264         (D.prototype.m):
2265         (D):
2266         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
2267         (C.prototype.set m):
2268         (C.prototype.method):
2269         (C):
2270         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
2271         (C.prototype.set m):
2272         (C.prototype.method.innerFunction):
2273         (C.prototype.method):
2274         (C):
2275         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
2276         (C.prototype.set m):
2277         (C.prototype.checkPrivateSetter):
2278         (C):
2279         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
2280         (C.prototype.set m):
2281         (C.prototype.checkPrivateSetter):
2282         (C):
2283         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
2284         (C.prototype.set m):
2285         (C):
2286         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
2287         (C.prototype.set m):
2288         (C.prototype.setWithEval):
2289         (C):
2290         (D.prototype.set m):
2291         (D):
2292         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2293         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2294         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2295         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
2296         (A.prototype.method):
2297         (A):
2298         (C.prototype.get m):
2299         (C.prototype.access):
2300         (C):
2301         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
2302         (A.prototype.method):
2303         (A):
2304         (C.prototype.m):
2305         (C.prototype.access):
2306         (C):
2307         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
2308         (A.prototype.method):
2309         (A):
2310         (C.prototype.set m):
2311         (C.prototype.access):
2312         (C):
2313         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
2314         (A):
2315         * test262/test/language/statements/function/13.2-30-s.js:
2316         * test262/test262-Revision.txt:
2317
2318 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2319
2320         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2321         https://bugs.webkit.org/show_bug.cgi?id=199783
2322
2323         Reviewed by Mark Lam.
2324
2325         Fix our spec tests.
2326
2327         * wasm/js-api/Module-compile.js:
2328         * wasm/js-api/test_basic_api.js:
2329         (const.c.in.constructorProperties.switch):
2330         * wasm/js-api/validate.js:
2331         * wasm/js-api/web-assembly-instantiate.js:
2332         * wasm/spec-tests/jsapi.js:
2333         (testJSAPI.get test):
2334         (testJSAPI.set test):
2335
2336 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2337
2338         Unreviewed, rolling out r247440.
2339
2340         Broke builds
2341
2342         Reverted changeset:
2343
2344         "[JSC] Improve wasm wpt test results by fixing miscellaneous
2345         issues"
2346         https://bugs.webkit.org/show_bug.cgi?id=199783
2347         https://trac.webkit.org/changeset/247440
2348
2349 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2350
2351         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2352         https://bugs.webkit.org/show_bug.cgi?id=199783
2353
2354         Reviewed by Mark Lam.
2355
2356         Fix our spec tests.
2357
2358         * wasm/js-api/Module-compile.js:
2359         * wasm/js-api/test_basic_api.js:
2360         (const.c.in.constructorProperties.switch):
2361         * wasm/js-api/validate.js:
2362         * wasm/js-api/web-assembly-instantiate.js:
2363         * wasm/spec-tests/jsapi.js:
2364         (testJSAPI.get test):
2365         (testJSAPI.set test):
2366
2367 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
2368
2369         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
2370         https://bugs.webkit.org/show_bug.cgi?id=196371
2371
2372         Reviewed by Keith Miller.
2373
2374         * microbenchmarks/mul-immediate-sub.js: Added.
2375         (doTest):
2376
2377 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
2378
2379         [BigInt] Add ValueBitLShift into DFG
2380         https://bugs.webkit.org/show_bug.cgi?id=192664
2381
2382         Reviewed by Saam Barati.
2383
2384         We are adding tests to cover ValueBitwise operations AI changes.
2385
2386         * stress/big-int-left-shift-untyped.js: Added.
2387         * stress/bit-op-with-object-returning-int32.js:
2388         * stress/value-bit-and-ai-rule.js: Added.
2389         * stress/value-bit-lshift-ai-rule.js: Added.
2390         * stress/value-bit-or-ai-rule.js: Added.
2391         * stress/value-bit-xor-ai-rule.js: Added.
2392
2393 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2394
2395         Add b3 macro lowering for CheckMul on arm64
2396         https://bugs.webkit.org/show_bug.cgi?id=199251
2397
2398         Reviewed by Robin Morisset.
2399
2400         * microbenchmarks/check-mul-constant.js: Added.
2401         (doTest):
2402         * microbenchmarks/check-mul-no-constant.js: Added.
2403         (doTest):
2404         * microbenchmarks/check-mul-power-of-two.js: Added.
2405         (doTest):
2406
2407 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2408
2409         Optimize join of large empty arrays
2410         https://bugs.webkit.org/show_bug.cgi?id=199636
2411
2412         Reviewed by Mark Lam.
2413
2414         * microbenchmarks/large-empty-array-join.js: Added.
2415         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2416
2417 2019-07-06  Michael Saboff  <msaboff@apple.com>
2418
2419         switch(String) needs to check for exceptions when resolving the string
2420         https://bugs.webkit.org/show_bug.cgi?id=199541
2421
2422         Reviewed by Mark Lam.
2423
2424         New tests.
2425
2426         * stress/switch-string-oom.js: Added.
2427         (test):
2428         (testLowerTiers):
2429         (testFTL):
2430
2431 2019-07-05  Mark Lam  <mark.lam@apple.com>
2432
2433         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
2434         https://bugs.webkit.org/show_bug.cgi?id=199533
2435         <rdar://problem/52669111>
2436
2437         Reviewed by Filip Pizlo.
2438
2439         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2440
2441 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2442
2443         [JSC] Clean up ArraySpeciesCreate
2444         https://bugs.webkit.org/show_bug.cgi?id=182434
2445
2446         Reviewed by Yusuke Suzuki.
2447
2448         Adjusts error message expectations in stress tests.
2449
2450         * stress/array-flatmap.js:
2451         * stress/array-flatten.js:
2452         * stress/array-species-create-should-handle-masquerader.js:
2453         * test262/expectations.yaml: Mark 4 test cases as passing.
2454
2455 2019-07-02  Michael Saboff  <msaboff@apple.com>
2456
2457         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
2458         https://bugs.webkit.org/show_bug.cgi?id=199395
2459
2460         Reviewed by Filip Pizlo.
2461
2462         New regession test.
2463
2464         * stress/for-of-tdz-with-try-catch.js: Added.
2465         (test):
2466         (i.catch):
2467
2468 2019-07-02  Keith Miller  <keith_miller@apple.com>
2469
2470         Frozen Arrays length assignment should throw in strict mode
2471         https://bugs.webkit.org/show_bug.cgi?id=199365
2472
2473         Reviewed by Yusuke Suzuki.
2474
2475         * stress/frozen-array-length-should-throw-strict.js: Added.
2476         (test):
2477
2478 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2479
2480         [Wasm-References] Disable references by default
2481         https://bugs.webkit.org/show_bug.cgi?id=199390
2482
2483         Reviewed by Saam Barati.
2484
2485         * wasm/references-spec-tests/ref_is_null.js:
2486         * wasm/references-spec-tests/ref_null.js:
2487         * wasm/references/anyref_globals.js:
2488         * wasm/references/anyref_modules.js:
2489         * wasm/references/anyref_table.js:
2490         * wasm/references/anyref_table_import.js:
2491         * wasm/references/element_parsing.js:
2492         * wasm/references/func_ref.js:
2493         * wasm/references/is_null.js:
2494         * wasm/references/multitable.js:
2495         * wasm/references/table_misc.js:
2496         * wasm/references/validation.js:
2497
2498 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2499
2500         Unreviewed, rolling out r246946.
2501
2502         Caused JSC test crashes on arm64
2503
2504         Reverted changeset:
2505
2506         "Add b3 macro lowering for CheckMul on arm64"
2507         https://bugs.webkit.org/show_bug.cgi?id=199251
2508         https://trac.webkit.org/changeset/246946
2509
2510 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2511
2512         Add b3 macro lowering for CheckMul on arm64
2513         https://bugs.webkit.org/show_bug.cgi?id=199251
2514
2515         Reviewed by Robin Morisset.
2516
2517         * microbenchmarks/check-mul-constant.js: Added.
2518         (doTest):
2519         * microbenchmarks/check-mul-no-constant.js: Added.
2520         (doTest):
2521         * microbenchmarks/check-mul-power-of-two.js: Added.
2522         (doTest):
2523
2524 2019-06-26  Keith Miller  <keith_miller@apple.com>
2525
2526         speciesConstruct needs to throw if the result is a DataView
2527         https://bugs.webkit.org/show_bug.cgi?id=199231
2528
2529         Reviewed by Mark Lam.
2530
2531         * stress/typedarray-filter.js:
2532         (subclasses.forEach):
2533         * stress/typedarray-map.js:
2534         (subclasses.forEach):
2535         * stress/typedarray-slice.js:
2536         (typedArrays.forEach):
2537         * stress/typedarray-subarray.js:
2538         (subclasses.forEach):
2539
2540 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2541
2542         Unreviewed, rolling out r246714.
2543         https://bugs.webkit.org/show_bug.cgi?id=199179
2544
2545         revert to do patch in a different way. (Requested by keith_mi_
2546         on #webkit).
2547
2548         Reverted changeset:
2549
2550         "All prototypes should call didBecomePrototype()"
2551         https://bugs.webkit.org/show_bug.cgi?id=196315
2552         https://trac.webkit.org/changeset/246714
2553
2554 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2555
2556         Add Array.prototype.{flat,flatMap} to unscopables
2557         https://bugs.webkit.org/show_bug.cgi?id=194322
2558
2559         Reviewed by Keith Miller.
2560
2561         * stress/unscopables.js: Fix test.
2562         * test262/expectations.yaml: Mark 2 test cases as passing.
2563
2564 2019-06-21  Mark Lam  <mark.lam@apple.com>
2565
2566         ArraySlice needs to keep the source array alive.
2567         https://bugs.webkit.org/show_bug.cgi?id=197374
2568         <rdar://problem/50304429>
2569
2570         Reviewed by Michael Saboff and Filip Pizlo.
2571
2572         * stress/array-slice-must-keep-source-array-alive.js: Added.
2573
2574 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2575
2576         All prototypes should call didBecomePrototype()
2577         https://bugs.webkit.org/show_bug.cgi?id=196315
2578
2579         Reviewed by Saam Barati.
2580
2581         * stress/function-prototype-indexed-accessor.js: Added.
2582
2583 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2584
2585         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2586         https://bugs.webkit.org/show_bug.cgi?id=197631
2587
2588         Reviewed by Saam Barati.
2589
2590         * stress/has-own-property-arguments.js: Added.
2591         (shouldBe):
2592         (A):
2593
2594 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2595
2596         [JSC] ClassExpr should not store result in the middle of evaluation
2597         https://bugs.webkit.org/show_bug.cgi?id=199106
2598
2599         Reviewed by Tadeu Zagallo.
2600
2601         * stress/class-expression-should-store-result-at-last.js: Added.
2602         (shouldThrow):
2603         (shouldThrow.let.a):
2604
2605 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2606
2607         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2608         https://bugs.webkit.org/show_bug.cgi?id=199044
2609
2610         Reviewed by Saam Barati.
2611
2612         Add wasm references spec tests as well as a worker test.
2613
2614         * wasm.yaml:
2615         * wasm/Builder_WebAssemblyBinary.js:
2616         (const.emitters.Element):
2617         * wasm/js-api/element.js:
2618         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2619         * wasm/references-spec-tests/ref_is_null.js: Added.
2620         (hostref):
2621         (is_hostref):
2622         (is_funcref):
2623         (eq_ref):
2624         (let.handler.get target):
2625         (register):
2626         (module):
2627         (instance):
2628         (call):
2629         (get instance):
2630         (exports):
2631         (run):
2632         (assert_malformed):
2633         (assert_invalid):
2634         (assert_unlinkable):
2635         (assert_uninstantiable):
2636         (assert_trap):
2637         (try.f):
2638         (catch):
2639         (assert_exhaustion):
2640         (assert_return):
2641         (assert_return_canonical_nan):
2642         (assert_return_arithmetic_nan):
2643         (assert_return_ref):
2644         (assert_return_func):
2645         * wasm/references-spec-tests/ref_null.js: Added.
2646         (hostref):
2647         (is_hostref):
2648         (is_funcref):
2649         (eq_ref):
2650         (let.handler.get target):
2651         (register):
2652         (module):
2653         (instance):
2654         (call):
2655         (get instance):
2656         (exports):
2657         (run):
2658         (assert_malformed):
2659         (assert_invalid):
2660         (assert_unlinkable):
2661         (assert_uninstantiable):
2662         (assert_trap):
2663         (try.f):
2664         (catch):
2665         (assert_exhaustion):
2666         (assert_return):
2667         (assert_return_canonical_nan):
2668         (assert_return_arithmetic_nan):
2669         (assert_return_ref):
2670         (assert_return_func):
2671         * wasm/references/element_parsing.js: Added.
2672         (module):
2673         * wasm/references/func_ref.js:
2674         * wasm/references/multitable.js:
2675         * wasm/references/table_misc.js:
2676         (TableSize.0.End.End.WebAssembly):
2677         * wasm/references/validation.js:
2678         (assert.throws):
2679
2680 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2681
2682         Optimize `resolve` method lookup in Promise static methods
2683         https://bugs.webkit.org/show_bug.cgi?id=198864
2684
2685         Reviewed by Yusuke Suzuki.
2686
2687         * test262/expectations.yaml: Mark 18 test cases as passing.
2688
2689 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2690
2691         [WASM-References] Rename anyfunc to funcref
2692         https://bugs.webkit.org/show_bug.cgi?id=198983
2693
2694         Reviewed by Yusuke Suzuki.
2695
2696         * wasm/function-tests/basic-element.js:
2697         * wasm/function-tests/context-switch.js:
2698         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2699         (makeInstance):
2700         (assert.eq.makeInstance):
2701         * wasm/function-tests/exceptions.js:
2702         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2703         * wasm/function-tests/grow-memory-2.js:
2704         (assert.eq.instance.exports.foo):
2705         * wasm/function-tests/nameSection.js:
2706         (const.compile):
2707         * wasm/function-tests/stack-overflow.js:
2708         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2709         (assertOverflows.makeInstance):
2710         * wasm/function-tests/table-basic-2.js:
2711         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2712         * wasm/function-tests/table-basic.js:
2713         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2714         * wasm/function-tests/trap-from-start-async.js:
2715         * wasm/function-tests/trap-from-start.js:
2716         * wasm/js-api/Module.exports.js:
2717         (assert.truthy):
2718         * wasm/js-api/Module.imports.js:
2719         (assert.truthy):
2720         * wasm/js-api/call-indirect.js:
2721         (const.oneTable):
2722         (const.multiTable):
2723         (multiTable.const.makeTable):
2724         (multiTable):
2725         (multiTable.Polyphic2Import):
2726         (multiTable.VirtualImport):
2727         * wasm/js-api/element-data.js:
2728         * wasm/js-api/element.js:
2729         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2730         (assert.throws):
2731         (badInstantiation.makeModule):
2732         (badInstantiation.test):
2733         (badInstantiation):
2734         * wasm/js-api/extension-MemoryMode.js:
2735         * wasm/js-api/table.js:
2736         (new.WebAssembly.Module):
2737         (assert.throws):
2738         (assertBadTableImport):
2739         (assert.throws.WebAssembly.Table.prototype.grow):
2740         (new.WebAssembly.Table):
2741         (assertBadTable):
2742         (assert.truthy):
2743         * wasm/js-api/test_basic_api.js:
2744         (const.c.in.constructorProperties.switch):
2745         * wasm/js-api/unique-signature.js:
2746         (CallIndirectWithDuplicateSignatures):
2747         * wasm/js-api/wrapper-function.js:
2748         * wasm/modules/table.wat:
2749         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2750         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2751         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2752         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2753         * wasm/references/anyref_table.js:
2754         * wasm/references/anyref_table_import.js:
2755         (doSet):
2756         (assert.throws):
2757         * wasm/references/func_ref.js:
2758         (makeFuncrefIdent):
2759         (assert.eq.instance.exports.fix):
2760         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2761         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2762         (let.importedFun.of):
2763         (makeAnyfuncIdent): Deleted.
2764         (makeAnyfuncIdent.fun): Deleted.
2765         * wasm/references/multitable.js:
2766         (assert.eq):
2767         (assert.throws):
2768         * wasm/references/table_misc.js:
2769         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2770         * wasm/references/validation.js:
2771         (assert.throws.new.WebAssembly.Module.bin):
2772         (assert.throws):
2773         * wasm/spec-harness/index.js:
2774         * wasm/spec-harness/wasm-constants.js:
2775         * wasm/spec-harness/wasm-module-builder.js:
2776         (WasmModuleBuilder.prototype.toArray):
2777         * wasm/spec-harness/wast.js:
2778         (elem_type):
2779         (string_of_elem_type):
2780         (string_of_table_type):
2781         * wasm/spec-tests/jsapi.js:
2782         * wasm/stress/wasm-table-grow-initialize.js:
2783         * wasm/wasm.json:
2784
2785 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2786
2787         [WASM-References] Add support for Table.size, grow and fill instructions
2788         https://bugs.webkit.org/show_bug.cgi?id=198761
2789
2790         Reviewed by Yusuke Suzuki.
2791
2792         * wasm/Builder_WebAssemblyBinary.js:
2793         (const.putOp):
2794         * wasm/references/table_misc.js: Added.
2795         (TableSize.End.End.WebAssembly):
2796         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2797         * wasm/wasm.json:
2798
2799 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2800
2801         [WASM-References] Add support for multiple tables
2802         https://bugs.webkit.org/show_bug.cgi?id=198760
2803
2804         Reviewed by Saam Barati.
2805
2806         * wasm/Builder.js:
2807         * wasm/js-api/call-indirect.js:
2808         (const.oneTable):
2809         (const.multiTable):
2810         (multiTable):
2811         (multiTable.Polyphic2Import):
2812         (multiTable.VirtualImport):
2813         (const.wasmModuleWhichImportJS): Deleted.
2814         (const.makeTable): Deleted.
2815         (): Deleted.
2816         (Polyphic2Import): Deleted.
2817         (VirtualImport): Deleted.
2818         * wasm/js-api/table.js:
2819         (new.WebAssembly.Module):
2820         (assert.throws):
2821         (assertBadTableImport):
2822         (assert.truthy):
2823         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2824         * wasm/references/anyref_table.js:
2825         * wasm/references/anyref_table_import.js:
2826         (makeImport):
2827         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2828         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2829         * wasm/references/multitable.js: Added.
2830         (assert.throws.1.exports.set_tbl0):
2831         (assert.throws):
2832         (assert.eq):
2833         * wasm/references/validation.js:
2834         (assert.throws.new.WebAssembly.Module.bin):
2835         (assert.throws):
2836         * wasm/spec-tests/imports.wast.js:
2837         * wasm/wasm.json:
2838
2839         * wasm/Builder.js:
2840         * wasm/js-api/call-indirect.js:
2841         (const.oneTable):
2842         (const.multiTable):
2843         (multiTable):
2844         (multiTable.Polyphic2Import):
2845         (multiTable.VirtualImport):
2846         (const.wasmModuleWhichImportJS): Deleted.
2847         (const.makeTable): Deleted.
2848         (): Deleted.
2849         (Polyphic2Import): Deleted.
2850         (VirtualImport): Deleted.
2851         * wasm/js-api/table.js:
2852         (new.WebAssembly.Module):
2853         (assert.throws):
2854         (assertBadTableImport):
2855         (assert.truthy):
2856         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2857         * wasm/references/anyref_table.js:
2858         * wasm/references/anyref_table_import.js:
2859         (makeImport):
2860         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2861         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2862         * wasm/references/func_ref.js:
2863         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2864         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2865         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2866         * wasm/references/multitable.js: Added.
2867         (assert.throws.1.exports.set_tbl0):
2868         (assert.throws):
2869         (assert.eq):
2870         (string_appeared_here.tableInsanity):
2871         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2872         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2873         * wasm/references/validation.js:
2874         (assert.throws.new.WebAssembly.Module.bin):
2875         (assert.throws):
2876         * wasm/spec-tests/imports.wast.js:
2877         * wasm/wasm.json:
2878
2879 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2880
2881         [ESNExt] String.prototype.matchAll
2882         https://bugs.webkit.org/show_bug.cgi?id=186694
2883
2884         Reviewed by Yusuke Suzuki.
2885
2886         Implement String.prototype.matchAll.
2887         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2888
2889         * test262/config.yaml:
2890
2891 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2892
2893         DFG code should not reify the names of builtin functions with private names
2894         https://bugs.webkit.org/show_bug.cgi?id=198849
2895         <rdar://problem/51733890>
2896
2897         Reviewed by Filip Pizlo.
2898
2899         * stress/builtin-private-function-name.js: Added.
2900         (then):
2901         (PromiseLike):
2902
2903 2019-06-18  Keith Miller  <keith_miller@apple.com>
2904
2905         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2906         https://bugs.webkit.org/show_bug.cgi?id=198969
2907         <rdar://problem/51620714>
2908
2909         Reviewed by Tadeu Zagallo.
2910
2911         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2912         (catch):
2913
2914 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2915
2916         Validate that table element type is funcref if using an element section
2917         https://bugs.webkit.org/show_bug.cgi?id=198910
2918
2919         Reviewed by Yusuke Suzuki.
2920
2921         * wasm/references/anyref_table.js:
2922
2923 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2924
2925         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2926         https://bugs.webkit.org/show_bug.cgi?id=197378
2927
2928         Reviewed by Saam Barati.
2929
2930         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2931         (foo):
2932         (bar):
2933         * stress/disposable-call-site-index.js: Added.
2934         (foo):
2935         (bar):
2936
2937 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2938
2939         [WASM-References] Add support for Funcref in parameters and return types
2940         https://bugs.webkit.org/show_bug.cgi?id=198157
2941
2942         Reviewed by Yusuke Suzuki.
2943
2944         * wasm/Builder.js:
2945         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2946         * wasm/references/anyref_globals.js:
2947         * wasm/references/func_ref.js: Added.
2948         (fullGC.gc.makeExportedFunction):
2949         (makeExportedIdent):
2950         (makeAnyfuncIdent):
2951         (fun):
2952         (assert.eq.instance.exports.fix.fun):
2953         (assert.eq.instance.exports.fix):
2954         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2955         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2956         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2957         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2958         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2959         (assert.throws):
2960         (assert.throws.doTest):
2961         (let.importedFun.of):
2962         (makeAnyfuncIdent.fun):
2963         * wasm/references/validation.js:
2964         (assert.throws):
2965         * wasm/wasm.json:
2966
2967 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2968
2969         Update test262 tests (2019.06.13)
2970         https://bugs.webkit.org/show_bug.cgi?id=198821
2971
2972         Reviewed by Konstantin Tokarev.
2973
2974         * test262/expectations.yaml:
2975         * test262/harness/:
2976         * test262/latest-changes-summary.txt:
2977         * test262/test/:
2978         * test262/test262-Revision.txt:
2979
2980 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2981
2982         [JSC] Grown region of WasmTable should be initialized with null
2983         https://bugs.webkit.org/show_bug.cgi?id=198903
2984
2985         Reviewed by Saam Barati.
2986
2987         * wasm/stress/wasm-table-grow-initialize.js: Added.
2988         (shouldBe):
2989
2990 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2991
2992         Yarr bytecode compilation failure should be gracefully handled
2993         https://bugs.webkit.org/show_bug.cgi?id=198700
2994
2995         Reviewed by Michael Saboff.
2996
2997         * stress/regexp-bytecode-compilation-fail.js: Added.
2998         (shouldThrow):
2999
3000 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
3001
3002         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
3003         https://bugs.webkit.org/show_bug.cgi?id=198770
3004
3005         Reviewed by Saam Barati.
3006
3007         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
3008         (test):
3009
3010 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
3011
3012         JSC should throw if proxy set returns falsish in strict mode context
3013         https://bugs.webkit.org/show_bug.cgi?id=177398
3014
3015         Reviewed by Yusuke Suzuki.
3016
3017         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
3018         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
3019
3020         * stress/proxy-set.js: Add 2 test cases.
3021         * stress/regexp-match-proxy.js: Fix test.
3022         * stress/regexp-replace-proxy.js: Fix test.
3023
3024 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
3025
3026         Error message for non-callable Proxy `construct` trap is misleading
3027         https://bugs.webkit.org/show_bug.cgi?id=198637
3028
3029         Reviewed by Saam Barati.
3030
3031         * stress/proxy-construct.js:
3032
3033 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
3034
3035         AI BitURShift's result should not be unsigned
3036         https://bugs.webkit.org/show_bug.cgi?id=198689
3037         <rdar://problem/51550063>
3038
3039         Reviewed by Saam Barati.
3040
3041         * stress/urshift-int32-overflow.js: Added.
3042         (foo.):
3043         (foo):
3044
3045 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
3046
3047         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
3048
3049         Unreviewed gardening.
3050
3051         * stress/ftl-gettypedarrayoffset-wasteful.js:
3052         Skipped on arm/linux as it always times out on the bot since a change
3053         between r246270 and r246278 inclusive.
3054
3055 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
3056
3057         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
3058         https://bugs.webkit.org/show_bug.cgi?id=198023
3059
3060         Reviewed by Saam Barati.
3061
3062         * stress/reparsing-unlinked-codeblock.js: Added.
3063         (shouldBe):
3064         (hello):
3065
3066 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
3067
3068         [JSC] Use mergePrediction in ValuePow prediction propagation
3069         https://bugs.webkit.org/show_bug.cgi?id=198648
3070
3071         Reviewed by Saam Barati.
3072
3073         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
3074
3075 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
3076
3077         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
3078         https://bugs.webkit.org/show_bug.cgi?id=198581
3079         <rdar://problem/51099753>
3080
3081         Reviewed by Saam Barati.
3082
3083         * stress/global-object-proto-getter.js: Added.
3084         (f):
3085         (test):
3086
3087 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
3088
3089         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
3090         https://bugs.webkit.org/show_bug.cgi?id=198398
3091
3092         Reviewed by Saam Barati.
3093
3094         * wasm/references/anyref_table.js: Added.
3095         (string_appeared_here.doGCSet):
3096         (doGCTest):
3097         (doGCSet.doGCTest.let.count.0.doBarrierSet):
3098         * wasm/references/anyref_table_import.js: Added.
3099         (makeImport):
3100         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
3101         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
3102         * wasm/references/is_null_error.js: Removed.
3103         * wasm/references/validation.js: Added.
3104         (assert.throws.new.WebAssembly.Module.bin):
3105         (assert.throws):
3106         * wasm/wasm.json:
3107
3108 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
3109
3110         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
3111         https://bugs.webkit.org/show_bug.cgi?id=198106
3112
3113         Reviewed by Saam Barati.
3114
3115         * wasm/regress/selectf64.js: Added.
3116         * wasm/regress/selectf64.wasm: Added.
3117         * wasm/regress/selectf64.wat: Added.
3118
3119 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
3120
3121         Argument elimination should check transitive dependents for interference
3122         https://bugs.webkit.org/show_bug.cgi?id=198520
3123         <rdar://problem/50863343>
3124
3125         Reviewed by Filip Pizlo.
3126
3127         * stress/argument-elimination-inline-rest-past-kill.js: Added.
3128         (f2):
3129         (f3):
3130
3131 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
3132
3133         Argument elimination should check for negative indices in GetByVal
3134         https://bugs.webkit.org/show_bug.cgi?id=198302
3135         <rdar://problem/51188095>
3136
3137         Reviewed by Filip Pizlo.
3138
3139         * stress/eliminate-arguments-negative-rest-access.js: Added.
3140         (inlinee):
3141         (opt):
3142
3143 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
3144
3145         [ESNext][BigInt] Implement support for "**"
3146         https://bugs.webkit.org/show_bug.cgi?id=190799
3147
3148         Reviewed by Saam Barati.
3149
3150         * stress/big-int-exp-basic.js: Added.
3151         * stress/big-int-exp-jit-osr.js: Added.
3152         * stress/big-int-exp-jit-untyped.js: Added.
3153         * stress/big-int-exp-jit.js: Added.
3154         * stress/big-int-exp-negative-exponent.js: Added.
3155         * stress/big-int-exp-to-primitive.js: Added.
3156         * stress/big-int-exp-type-error.js: Added.
3157         * stress/big-int-exp-wrapped-value.js: Added.
3158         * stress/value-pow-ai-rule.js: Added.
3159
3160 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
3161
3162         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
3163         https://bugs.webkit.org/show_bug.cgi?id=197979
3164
3165         Reviewed by Filip Pizlo.
3166
3167         * stress/16bit-code.js: Added.
3168         (shouldBe):
3169         * stress/32bit-code.js: Added.
3170         (shouldBe):
3171
3172 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
3173
3174         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
3175         https://bugs.webkit.org/show_bug.cgi?id=198355
3176
3177         Reviewed by Saam Barati.
3178
3179         * wasm/references/is_null.js:
3180
3181 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
3182
3183         [PlayStation] Skip additional tests on PlayStation
3184         https://bugs.webkit.org/show_bug.cgi?id=198352
3185
3186         Reviewed by Don Olmstead.
3187
3188         Skip pow test on PlayStation due to behavior difference in standard library.
3189         Skip incremental marking test due to OOM on PlayStation systems.
3190
3191         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
3192         * stress/math-pow-with-constants.js:
3193         * stress/pow-with-constants.js:
3194
3195 2019-05-28  Dean Jackson  <dino@apple.com>
3196
3197         Implement Promise.allSettled
3198         https://bugs.webkit.org/show_bug.cgi?id=197600
3199         <rdar://problem/50483885>
3200
3201         Reviewed by Keith Miller.
3202
3203         Start testing Promise.allSettled. We pass most of the tests.
3204         The ones that fail are similar to the Promise.all tests we already fail.
3205
3206         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
3207         * test262/expectations.yaml: Add new expectations for allSettled tests.
3208
3209 2019-05-28  Michael Saboff  <msaboff@apple.com>
3210
3211         [YARR] Properly handle RegExp's that require large ParenContext space
3212         https://bugs.webkit.org/show_bug.cgi?id=198065
3213
3214         Reviewed by Keith Miller.
3215
3216         New test.
3217
3218         * stress/regexp-large-paren-context.js: Added.
3219         (testLargeRegExp):
3220
3221 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
3222
3223         JITOperations putByVal should mark negative array indices as out-of-bounds
3224         https://bugs.webkit.org/show_bug.cgi?id=198271
3225
3226         Reviewed by Saam Barati.
3227
3228         * microbenchmarks/get-by-val-negative-array-index.js:
3229         (foo):
3230         Update the getByVal microbenchmark added in r245769. This now shows that r245769
3231         is 4.2x faster than the previous commit.
3232
3233         * microbenchmarks/put-by-val-negative-array-index.js: Added.
3234         (foo):
3235
3236 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
3237
3238         JITOperations getByVal should mark negative array indices as out-of-bounds
3239         https://bugs.webkit.org/show_bug.cgi?id=198229
3240
3241         Reviewed by Saam Barati.
3242
3243         * microbenchmarks/get-by-val-negative-array-index.js: Added.
3244         (foo):
3245
3246 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
3247
3248         [WASM-References] Support Anyref in globals
3249         https://bugs.webkit.org/show_bug.cgi?id=198102
3250
3251         Reviewed by Saam Barati.
3252
3253         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
3254
3255         * wasm/Builder.js:
3256         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
3257         * wasm/Builder_WebAssemblyBinary.js:
3258         (const.putInitExpr):
3259         * wasm/references/anyref_globals.js: Added.
3260         (GetGlobal.0.End.End.WebAssembly):
3261         (5.doGCSet):
3262         (doGCTest):
3263         (doGCSet.doGCTest.let.count.0.doBarrierSet):
3264
3265 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3266
3267         DFG::OSREntry should not perform arity check
3268         https://bugs.webkit.org/show_bug.cgi?id=198189
3269
3270         Reviewed by Saam Barati.
3271
3272         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
3273         (foo):
3274
3275 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
3276
3277         [PlayStation] Skip additional tests on PlayStation
3278         https://bugs.webkit.org/show_bug.cgi?id=198145
3279
3280         Reviewed by Ross Kirsling.
3281
3282         * exceptionFuzz.yaml:
3283         Add skip on hostOS playstation
3284         * executableAllocationFuzz.yaml:
3285         Add skip on hostOS playstation
3286
3287 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3288
3289         createListFromArrayLike should throw if value is not an object
3290         https://bugs.webkit.org/show_bug.cgi?id=198138
3291
3292         Reviewed by Yusuke Suzuki.
3293
3294         * stress/create-list-from-array-like-not-object.js: Added.
3295         (testValid):
3296         (testInvalid):
3297         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
3298         (opt):
3299         * stress/proxy-proto-enumerator.js: Added.
3300         (main):
3301         * stress/proxy-proto-own-keys.js: Added.
3302         (assert):
3303         (ownKeys):
3304
3305 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3306
3307         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
3308         https://bugs.webkit.org/show_bug.cgi?id=197809
3309
3310         Reviewed by Michael Saboff.
3311
3312         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
3313         (foo):
3314
3315 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3316
3317         [ESNext] Implement support for Numeric Separators
3318         https://bugs.webkit.org/show_bug.cgi?id=196351
3319
3320         Reviewed by Keith Miller.
3321
3322         * stress/numeric-literal-separators.js: Added.
3323         Add tests for feature.
3324
3325         * test262/expectations.yaml:
3326         Mark 60 test cases as passing.
3327
3328 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3329
3330         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
3331         https://bugs.webkit.org/show_bug.cgi?id=198120
3332         <rdar://problem/49668795>
3333
3334         Reviewed by Michael Saboff.
3335
3336         * stress/get-array-length-concurrently-change-mode.js: Added.
3337         (main):
3338
3339 2019-05-22  Commit Queue  <commit-queue@webkit.org>
3340
3341         Unreviewed, rolling out r245634.
3342         https://bugs.webkit.org/show_bug.cgi?id=198140
3343
3344         'This patch makes JSC crash on launch in debug builds'
3345         (Requested by tadeuzagallo on #webkit).
3346
3347         Reverted changeset:
3348
3349         "[ESNext] Implement support for Numeric Separators"
3350         https://bugs.webkit.org/show_bug.cgi?id=196351
3351         https://trac.webkit.org/changeset/245634
3352
3353 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3354
3355         Stack-buffer-overflow in decodeURIComponent
3356         https://bugs.webkit.org/show_bug.cgi?id=198109
3357         <rdar://problem/50397550>
3358
3359         Reviewed by Michael Saboff.
3360
3361         * stress/decode-uri-icu-count-trail-bytes.js: Added.
3362         (i.j.try.i.toString):
3363         (i.j.catch):
3364
3365 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3366
3367         Don't clear PropertyNameArray in Proxy code
3368         https://bugs.webkit.org/show_bug.cgi?id=197691
3369
3370         Reviewed by Saam Barati.
3371
3372         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
3373         (shouldBe):
3374         (opt):
3375
3376 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3377
3378         [ESNext] Implement support for Numeric Separators
3379         https://bugs.webkit.org/show_bug.cgi?id=196351
3380
3381         Reviewed by Keith Miller.
3382
3383         * stress/numeric-literal-separators.js: Added.
3384         Add tests for feature.
3385
3386         * test262/expectations.yaml:
3387         Mark 60 test cases as passing.
3388
3389 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3390
3391         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
3392         https://bugs.webkit.org/show_bug.cgi?id=198101
3393
3394         Reviewed by Michael Saboff.
3395
3396         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
3397         (shouldBe):
3398
3399 2019-05-20  Keith Miller  <keith_miller@apple.com>
3400
3401         Cleanup Yarr regexp code around paren contexts.
3402         https://bugs.webkit.org/show_bug.cgi?id=198063
3403
3404         Reviewed by Yusuke Suzuki.
3405
3406         * stress/regexp-many-named-sequential-capture-groups.js: Added.
3407         (i.s):
3408         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
3409
3410 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
3411
3412         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
3413         https://bugs.webkit.org/show_bug.cgi?id=197969
3414
3415         Reviewed by Keith Miller.
3416
3417         Support the anyref type in Builder.js, plus add some extra error logging.
3418         Add new folder for wasm references tests.
3419
3420         * wasm.yaml:
3421         * wasm/Builder.js:
3422         (const._isValidValue):
3423         * wasm/references/anyref_modules.js: Added.
3424         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
3425         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
3426         (Call.3.RefIsNull.End.End.WebAssembly):
3427         (undefined):
3428         * wasm/references/is_null.js: Added.
3429         * wasm/references/is_null_error.js: Added.
3430         * wasm/spec-harness/index.js:
3431         * wasm/wasm.json:
3432
3433 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
3434
3435         [JSC] Invalid AssignmentTargetType should be an early error.
3436         https://bugs.webkit.org/show_bug.cgi?id=197603
3437
3438         Reviewed by Keith Miller.
3439
3440         * test262/expectations.yaml:
3441         Update expectations to reflect new SyntaxErrors.
3442         (Ideally, these should all be viewed as passing in the near future.)
3443
3444         * stress/async-await-basic.js:
3445         * stress/big-int-literals.js:
3446         Update tests to reflect new SyntaxErrors.
3447
3448         * ChakraCore.yaml:
3449         * ChakraCore/test/EH/try6.baseline-jsc:
3450         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
3451         Update baselines to reflect new SyntaxErrors.
3452
3453 2019-05-15  Saam Barati  <sbarati@apple.com>
3454
3455         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
3456         https://bugs.webkit.org/show_bug.cgi?id=197855
3457         <rdar://problem/50236506>
3458
3459         Reviewed by Michael Saboff.
3460
3461         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
3462         (f0):
3463         (bar):
3464         (foo):
3465         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
3466         (f1):
3467         (f2):
3468         (foo):
3469
3470 2019-05-14  Keith Miller  <keith_miller@apple.com>
3471
3472         Fix issue with byteOffset on ARM64E
3473         https://bugs.webkit.org/show_bug.cgi?id=197884
3474
3475         Reviewed by Saam Barati.
3476
3477         We didn't have any tests that run with non-byte/non-zero offset
3478         typed arrays.
3479
3480         * stress/ftl-gettypedarrayoffset-wasteful.js:
3481
3482 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
3483
3484         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
3485         https://bugs.webkit.org/show_bug.cgi?id=197833
3486
3487         Reviewed by Darin Adler.
3488
3489         * stress/generator-name.js: Added.
3490         (shouldBe):
3491         (gen):
3492         (catch):
3493
3494 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
3495
3496         JSObject::getOwnPropertyDescriptor is missing an exception check
3497         https://bugs.webkit.org/show_bug.cgi?id=197693
3498         <rdar://problem/50441784>
3499
3500         Reviewed by Saam Barati.
3501
3502         * stress/proxy-spread.js: Added.
3503         (foo):
3504
3505 2019-05-10  Saam barati  <sbarati@apple.com>
3506
3507         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
3508         https://bugs.webkit.org/show_bug.cgi?id=197807
3509         <rdar://problem/50530400>
3510
3511         Reviewed by Yusuke Suzuki.
3512
3513         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
3514         (test.getInstance):
3515         (test):
3516
3517 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
3518
3519         [Test262] Unreviewed expectations update following r245188.
3520
3521         * test262/config.yaml:
3522         * test262/expectations.yaml:
3523
3524         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
3525         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
3526         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
3527         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
3528         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
3529         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
3530         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
3531         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
3532         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
3533         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
3534         These files have invalid YAML comments. Will also submit corrections back to Test262.
3535
3536 2019-05-10  Keith Miller  <keith_miller@apple.com>
3537
3538         Update test262 tests.
3539
3540         Rubber-stamped by Yusuke Suzuki.
3541
3542         * test262/*: mega-patch too many things to list individually.
3543
3544 2019-05-09  Keith Miller  <keith_miller@apple.com>
3545
3546         Unreview, fix test to have a try-catch.
3547
3548         * stress/many-nested-functions-parser-stack-overflow.js:
3549         (catch):
3550
3551 2019-05-09  Keith Miller  <keith_miller@apple.com>
3552
3553         parseStatementListItem needs a stack overflow check
3554         https://bugs.webkit.org/show_bug.cgi?id=197749
3555
3556         Reviewed by Saam Barati.
3557
3558         * stress/many-nested-functions-parser-stack-overflow.js: Added.
3559
3560 2019-05-08  Saam barati  <sbarati@apple.com>
3561
3562         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
3563         https://bugs.webkit.org/show_bug.cgi?id=197715
3564         <rdar://problem/50399252>
3565
3566         Reviewed by Filip Pizlo.
3567
3568         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
3569         (foo):
3570         (bar):
3571
3572 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3573
3574         Unreviewed, rolling out r245068.
3575
3576         Caused debug layout tests to exit early due to an assertion
3577         failure.
3578
3579         Reverted changeset:
3580
3581         "All prototypes should call didBecomePrototype()"
3582         https://bugs.webkit.org/show_bug.cgi?id=196315
3583         https://trac.webkit.org/changeset/245068
3584
3585 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3586
3587         Invalid DFG JIT genereation in high CPU usage state
3588         https://bugs.webkit.org/show_bug.cgi?id=197453
3589
3590         Reviewed by Saam Barati.
3591
3592         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3593         (trigger):
3594         (main):
3595
3596 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3597
3598         All prototypes should call didBecomePrototype()
3599         https://bugs.webkit.org/show_bug.cgi?id=196315
3600
3601         Reviewed by Saam Barati.
3602
3603         This changelog already landed, but the commit was missing the actual changes.
3604
3605         * stress/function-prototype-indexed-accessor.js: Added.
3606
3607 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3608
3609         [BigInt] Add ValueMod into DFG
3610         https://bugs.webkit.org/show_bug.cgi?id=186174
3611
3612         Reviewed by Saam Barati.
3613
3614         * microbenchmarks/mod-untyped.js: Added.
3615         * stress/big-int-mod-osr.js: Added.
3616         * stress/value-div-ai-rule.js: Added.
3617         * stress/value-mod-ai-rule.js: Added.
3618
3619 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3620
3621         [JSC] DFG_ASSERT failed in lowInt52
3622         https://bugs.webkit.org/show_bug.cgi?id=197569
3623
3624         Reviewed by Saam Barati.
3625
3626         * stress/getstack-int52.js: Added.
3627         (opt):
3628         (main):
3629
3630 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3631
3632         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3633         https://bugs.webkit.org/show_bug.cgi?id=197479
3634
3635         Reviewed by Saam Barati.
3636
3637         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3638         (shouldBe):
3639
3640 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3641
3642         TemplateObject passed to template literal tags are not always identical for the same source location.
3643         https://bugs.webkit.org/show_bug.cgi?id=190756
3644
3645         Reviewed by Saam Barati.
3646
3647         * complex.yaml:
3648         * complex/tagged-template-regeneration-after.js: Added.
3649         (shouldBe):
3650         * complex/tagged-template-regeneration.js: Added.
3651         (call):
3652         (test):
3653         * modules/tagged-template-inside-module.js: Added.
3654         (from.string_appeared_here.call):
3655         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3656         (call):
3657         (export.otherTaggedTemplates):
3658         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3659         (shouldBe):
3660         (call):
3661         (poly):
3662         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3663         (shouldBe):
3664         (call):
3665         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3666         (shouldBe):
3667         (call):
3668         (test):
3669         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3670         (shouldBe):
3671         (call):
3672         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3673         (shouldBe):
3674         (call):
3675         * stress/tagged-templates-in-multiple-functions.js: Added.
3676         (shouldBe):
3677         (call):
3678         (a):
3679         (b):
3680         (c):
3681         * stress/tagged-templates-with-same-start-offset.js: Added.
3682         (shouldBe):
3683
3684 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3685
3686         All prototypes should call didBecomePrototype()
3687         https://bugs.webkit.org/show_bug.cgi?id=196315
3688
3689         Reviewed by Saam Barati.
3690
3691         * stress/function-prototype-indexed-accessor.js: Added.
3692
3693 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3694
3695         Unreviewed, rolling out r244978.
3696         https://bugs.webkit.org/show_bug.cgi?id=197671
3697
3698         TemplateObject map should use start/end offsets (Requested by
3699         yusukesuzuki on #webkit).
3700
3701         Reverted changeset:
3702
3703         "TemplateObject passed to template literal tags are not always
3704         identical for the same source location."