991c0997f668b7a3c5e1eab1b124200e5e43d547
[WebKit-https.git] / JSTests / ChangeLog
1 2019-10-08  Ross Kirsling  <ross.kirsling@sony.com>
2
3         Update test262 (2019.10.08).
4
5         Rubber-stamped by Keith Miller.
6
7         * test262/config.yaml:
8         * test262/expectations.yaml:
9         * test262/latest-changes-summary.txt:
10         * test262/test/:
11         * test262/test262-Revision.txt:
12
13 2019-10-07  Saam Barati  <sbarati@apple.com>
14
15         Allow OSR exit to the LLInt
16         https://bugs.webkit.org/show_bug.cgi?id=197993
17
18         Reviewed by Tadeu Zagallo.
19
20         * stress/exit-from-getter-by-val.js: Added.
21         * stress/exit-from-setter-by-val.js: Added.
22
23 2019-10-07  Matt Lewis  <jlewis3@apple.com>
24
25         Unreviewed, rolling out r250750.
26
27         Reverting change as this broke interal test over the weekend.
28
29         Reverted changeset:
30
31         "Allow OSR exit to the LLInt"
32         https://bugs.webkit.org/show_bug.cgi?id=197993
33         https://trac.webkit.org/changeset/250750
34
35 2019-10-04  Saam Barati  <sbarati@apple.com>
36
37         Allow OSR exit to the LLInt
38         https://bugs.webkit.org/show_bug.cgi?id=197993
39
40         Reviewed by Tadeu Zagallo.
41
42         * stress/exit-from-getter-by-val.js: Added.
43         * stress/exit-from-setter-by-val.js: Added.
44
45 2019-10-04  Paulo Matos  <pmatos@igalia.com>
46
47         Revert regexp test skip on armv7l and mips
48         https://bugs.webkit.org/show_bug.cgi?id=202310
49
50         Reviewed by Žan Doberšek.
51
52         Test was skipped in bug 202113 on armv7l and mips due to bug 202041.
53         Bug 202041 is fixed and change of bug 202113 can be reverted.
54
55         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
56
57 2019-10-02  Mark Lam  <mark.lam@apple.com>
58
59         DoubleToStringConverter::ToExponential() should null terminate its string.
60         https://bugs.webkit.org/show_bug.cgi?id=202492
61         <rdar://problem/55907708>
62
63         Reviewed by Filip Pizlo.
64
65         * stress/dtoa-AddSubstring-should-uses-strnlen-in-assertion.js: Added.
66
67 2019-10-02  Yusuke Suzuki  <ysuzuki@apple.com>
68
69         [JSC] AsyncGenerator should have internal fields
70         https://bugs.webkit.org/show_bug.cgi?id=201498
71
72         Reviewed by Saam Barati.
73
74         * stress/async-generator-construct-failure.js: Added.
75         (shouldThrow):
76         (async.gen):
77         (TypeError):
78         * stress/async-generator-prototype-change.js: Added.
79         (shouldBe):
80         (async.gen):
81         * stress/async-generator-prototype-closure.js: Added.
82         (shouldBe):
83         (test.async.gen):
84         (test):
85         * stress/create-async-generator.js: Added.
86         (shouldBe):
87         (test.async.generator):
88         (test):
89
90 2019-10-01  Saam Barati  <sbarati@apple.com>
91
92         ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
93         https://bugs.webkit.org/show_bug.cgi?id=199361
94         <rdar://problem/52454940>
95
96         Reviewed by Yusuke Suzuki.
97
98         * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added.
99         (main.fn):
100         (main.executor):
101         (main):
102         * stress/allocation-sinking-hints-are-valid-ssa.js: Added.
103         (main.fn):
104         (main.executor):
105         (main):
106
107 2019-10-01  Keith Miller  <keith_miller@apple.com>
108
109         skip test until we figure out why it's timing out
110         https://bugs.webkit.org/show_bug.cgi?id=202423
111
112         Reviewed by Mark Lam.
113
114         new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js consistently times out on the bots.
115         Let's skip it until we figure out what's going on.
116
117         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js:
118
119 2019-10-01  Keith Miller  <keith_miller@apple.com>
120
121         Mark toctou test as skipped on debug builds
122         https://bugs.webkit.org/show_bug.cgi?id=202420
123
124         Reviewed by Saam Barati.
125
126         Keeps timing out... Let's just skip it.
127
128         * stress/toctou-having-a-bad-time-new-array.js:
129
130 2019-10-01  Keith Miller  <keith_miller@apple.com>
131
132         Test262 update
133
134         Rubber-stamped by Michael Saboff.
135
136         Note, this was too big to effectivetly put on bugzilla as it's a 10MB patch...
137
138         * test262/*:
139
140 2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>
141
142         [YARR] Properly handle surrogates when matching back references
143         https://bugs.webkit.org/show_bug.cgi?id=202041
144
145         Reviewed by Keith Miller.
146
147         Unchanged from the workin progress patch posted by Paulo Matos <pmatos@igalia.com>.
148
149         Updated test.
150
151         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
152         (testRegExpNotMatch):
153
154 2019-10-01  Keith Miller  <keith_miller@apple.com>
155
156         Add support for the Wasm multi-value proposal
157         https://bugs.webkit.org/show_bug.cgi?id=202250
158
159         Reviewed by Saam Barati.
160
161         This patch adds a new way to run stress tests via the .wat text
162         format. By attaching an asm.js compiled version of the wabt tool
163         we can easily create wat files programatically and convert them
164         into a wasm blob to compile. To make this easy there is a
165         wabt-wrapper.js module file that exports two useful functions that
166         correspond to WebAssembly.compile and WebAssembly.instantiate.
167
168         * wasm.yaml:
169         * wasm/function-tests/if-no-else-non-void.js:
170         * wasm/js-api/web-assembly-instantiate.js:
171         (assert.asyncTest.async.test):
172         (assert.asyncTest):
173         * wasm/libwabt.js: Added.
174         (WabtModule):
175         (set get if):
176         * wasm/references/func_ref.js:
177         * wasm/references/validation.js:
178         (assert.throws):
179         * wasm/spec-harness/index.js:
180         * wasm/spec-tests/block.wast.js:
181         * wasm/spec-tests/br.wast.js:
182         * wasm/spec-tests/br_if.wast.js:
183         * wasm/spec-tests/call.wast.js:
184         * wasm/spec-tests/call_indirect.wast.js:
185         * wasm/spec-tests/func.wast.js:
186         * wasm/spec-tests/if.wast.js:
187         * wasm/spec-tests/loop.wast.js:
188         * wasm/spec-tests/type.wast.js:
189         * wasm/stress/js-wasm-call-many-return-types-on-stack-no-args.js: Added.
190         (buildWat):
191         * wasm/stress/js-wasm-js-varying-arities.js: Added.
192         (paramForwarder):
193         * wasm/stress/wasm-js-call-many-return-types-on-stack-no-args.js: Added.
194         (buildWat):
195         * wasm/stress/wasm-js-multi-value-exception-in-iterator.js: Added.
196         (buildWat.throwError):
197         (buildWat.throwErrorInIterator):
198         (buildWat.tooManyValues):
199         (buildWat.tooFewValues):
200         (buildWat):
201         * wasm/stress/wasm-wasm-call-indirect-many-return-types-on-stack.js: Added.
202         (buildWat):
203         * wasm/stress/wasm-wasm-call-many-return-types-on-stack-no-args.js: Added.
204         (buildWat):
205         * wasm/wabt-wrapper.js: Added.
206         (export.compile):
207         * wasm/wast-tests/br-if-at-end-of-block.wasm: Added.
208         * wasm/wast-tests/br-if-at-end-of-block.wast: Added.
209         * wasm/wast-tests/harness.js:
210         (async.runWasmFile):
211         * wasm/wast-tests/single-param-loop-signature.wasm: Added.
212         * wasm/wast-tests/single-param-loop-signature.wast: Added.
213
214 2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>
215
216         Make assertion in JSObject::putOwnDataProperty more precise
217         https://bugs.webkit.org/show_bug.cgi?id=202379
218         <rdar://problem/49515980>
219
220         Reviewed by Yusuke Suzuki.
221
222         * stress/object-assign-target-proto-setter.js: Added.
223         (get Object):
224
225 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
226
227         [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
228         https://bugs.webkit.org/show_bug.cgi?id=202389
229         <rdar://problem/50717564>
230
231         Reviewed by Mark Lam.
232
233         * stress/heap-analyzer-taking-lock.js: Added.
234
235 2019-09-30  Saam Barati  <sbarati@apple.com>
236
237         Inline caching is wrong for custom accessors and custom values
238         https://bugs.webkit.org/show_bug.cgi?id=201994
239         <rdar://problem/50850326>
240
241         Reviewed by Yusuke Suzuki.
242
243         * microbenchmarks/custom-accessor-materialized.js: Added.
244         (assert):
245         (test4.get const):
246         * microbenchmarks/custom-accessor-thin-air.js: Added.
247         (assert):
248         (test5.get const):
249         (test5.get proto):
250         * microbenchmarks/custom-accessor.js: Added.
251         (assert):
252         (test3.get const):
253         * microbenchmarks/custom-value-2.js: Added.
254         (assert):
255         (test1.getMultiline):
256         (test1):
257         * microbenchmarks/custom-value.js: Added.
258         (assert):
259         (test1.getMultiline):
260         (test1):
261         * stress/custom-accessor-delete-1.js: Added.
262         (assert):
263         (test3.get const):
264         * stress/custom-accessor-delete-2.js: Added.
265         (assert):
266         (test4.get const):
267         * stress/custom-accessor-delete-3.js: Added.
268         (assert):
269         (test5.get const):
270         (test5.get proto):
271         * stress/custom-value-delete-property-1.js: Added.
272         (assert):
273         (test1.getMultiline):
274         (test1):
275         * stress/custom-value-delete-property-2.js: Added.
276         (test2.foo):
277         (test2):
278         * stress/custom-value-delete-property-3.js: Added.
279         (test6.foo):
280         (test6):
281
282 2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>
283
284         [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
285         https://bugs.webkit.org/show_bug.cgi?id=202382
286         <rdar://problem/52669112>
287
288         Reviewed by Saam Barati.
289
290         * stress/compare-eq-bool-number-folding.js: Added.
291         (test):
292
293 2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>
294
295         [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
296         https://bugs.webkit.org/show_bug.cgi?id=202330
297
298         Reviewed by Saam Barati.
299
300         * stress/to-lower-case-gc-stress.js: Added.
301
302 2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>
303
304         Non-standard Error properties should not be enumerable
305         https://bugs.webkit.org/show_bug.cgi?id=198975
306
307         Reviewed by Ross Kirsling.
308
309         * ChakraCore/test/Error/NativeErrors_v4.baseline-jsc: Adjust expectations.
310         * microbenchmarks/let-for-in.js: Adjust test.
311         * test262/expectations.yaml: Mark 6 test cases as passing.
312
313 2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
314
315         [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
316         https://bugs.webkit.org/show_bug.cgi?id=202299
317         <rdar://problem/52669116>
318
319         Reviewed by Saam Barati.
320
321         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs-simple.js: Added.
322         (foo):
323         (test):
324         * stress/recursive-tail-call-optimization-should-not-jump-into-call-frame-with-varargs.js: Added.
325         (foo):
326         (C1.prototype.baz):
327         (C1):
328         (bar):
329         (noInline.bar.goo):
330         (C2.prototype.baz):
331         (C2):
332         (test):
333
334 2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>
335
336         toExponential, toFixed, and toPrecision should allow arguments up to 100
337         https://bugs.webkit.org/show_bug.cgi?id=199163
338
339         Reviewed by Ross Kirsling.
340
341         * ChakraCore/test/Number/toString_3.baseline-jsc:
342         * ChakraCore/test/es5/exceptions3.baseline-jsc:
343         * test262/expectations.yaml: Mark 6 test cases as passing.
344
345 2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>
346
347         [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the  result of the trap is undefined
348         https://bugs.webkit.org/show_bug.cgi?id=154376
349
350         Reviewed by Ross Kirsling.
351
352         Adds 2 test cases:
353         1. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is non-extensible, TypeError is thrown.
354         2. If [[GetOwnProperty]] trap result is `undefined` and Proxy's target is another Proxy, its "isExtensible" trap is called.
355
356         * stress/proxy-get-own-property.js:
357
358 2019-09-24  Caio Lima  <ticaiolima@gmail.com>
359
360         [BigInt] Add ValueBitRShift into DFG
361         https://bugs.webkit.org/show_bug.cgi?id=192663
362
363         Reviewed by Robin Morisset.
364
365         * stress/big-int-right-shift-jit-osr.js: Added.
366         * stress/big-int-right-shift-jit-untyped.js: Added.
367         * stress/big-int-right-shift-jit.js: Added.
368         * stress/value-rshift-ai-rule.js: Added.
369
370 2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>
371
372         Array methods should throw TypeError upon attempting to modify a string
373         https://bugs.webkit.org/show_bug.cgi?id=201910
374
375         Reviewed by Keith Miller.
376
377         * stress/array-methods-should-not-modify-string.js: Added.
378
379         * mozilla/js1_6/Array/regress-304828.js:
380         Fix test. Original copy was changed similarly seven years ago:
381         https://searchfox.org/mozilla-central/source/js/src/tests/non262/Array/regress-304828.js
382
383         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js:
384         Fix test. `Object.__proto__ = []; Object.shift();` shouldn't be valid JS.
385
386 2019-09-23  Mark Lam  <mark.lam@apple.com>
387
388         Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
389         https://bugs.webkit.org/show_bug.cgi?id=202122
390         <rdar://problem/55535249>
391
392         Reviewed by Yusuke Suzuki.
393
394         * stress/lazy-global-object-property-materialization-should-not-putDirectWithoutTransition.js: Added.
395
396 2019-09-23  Caio Lima  <ticaiolima@gmail.com>
397
398         Skip stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js into ARMv7 and MIPS
399         https://bugs.webkit.org/show_bug.cgi?id=202113
400
401         Unreviewed test gardening, skipped test in ARMv7 and MIPS.
402
403         It is going to be fixed in
404         https://bugs.webkit.org/show_bug.cgi?id=202041
405
406         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js:
407
408 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
409
410         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
411         https://bugs.webkit.org/show_bug.cgi?id=202072
412
413         Reviewed by Mark Lam.
414
415         * stress/int52rep-with-double-checks-int52-range.js: Added.
416         (shouldBe):
417         (test):
418
419 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
420
421         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
422         https://bugs.webkit.org/show_bug.cgi?id=202011
423
424         Reviewed by Mark Lam.
425
426         We are skipping this test into MIPS and ARMv7 because some of its assumptions
427         are not valid for them. The current behavior of the test in those architectures
428         is that it does not throw during `new ArrayBuffer(1000)` allocation site,
429         because eden collection keeps happening between iterations. The collection
430         is triggered on those architectures because the amount of stress 
431         `new Promise` generates into GC limits is not enough to avoid them
432         while loop is executing.
433
434         Changing the size of `UInt8Array` from `80000000` to `160000000` can
435         be an alternative fix to avoid collection happening during `ArrayBuffer`
436         allocation loop, but we can't guarantee this test is always going to execute
437         without error when Gigacage is disabled, given we can reach an OOM state in
438         some allocations that need to succeed, making this test flaky for those
439         architectures.
440
441         * stress/test-out-of-memory.js:
442
443 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
444
445         AccessCase should strongly visit its dependencies while on stack
446         https://bugs.webkit.org/show_bug.cgi?id=201986
447         <rdar://problem/55521953>
448
449         Reviewed by Saam Barati and Yusuke Suzuki.
450
451         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
452         (foo):
453         (warmup):
454
455 2019-09-20  Saam Barati  <sbarati@apple.com>
456
457         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
458
459         * stress/toctou-having-a-bad-time-new-array.js:
460
461 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
462
463         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
464         https://bugs.webkit.org/show_bug.cgi?id=202014
465
466         Reviewed by Saam Barati.
467
468         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
469         (__v0):
470
471 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
472
473         Syntax checker should report duplicate __proto__ properties
474         https://bugs.webkit.org/show_bug.cgi?id=201897
475         <rdar://problem/53201788>
476
477         Reviewed by Mark Lam.
478
479         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
480         (catch):
481
482 2019-09-18  Saam Barati  <sbarati@apple.com>
483
484         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
485         https://bugs.webkit.org/show_bug.cgi?id=201953
486         <rdar://problem/53803524>
487
488         Reviewed by Yusuke Suzuki.
489
490         * stress/toctou-having-a-bad-time-new-array.js: Added.
491         (let.code):
492
493 2019-09-18  Saam Barati  <sbarati@apple.com>
494
495         Phantom insertion phase may disagree with arguments forwarding about live ranges
496         https://bugs.webkit.org/show_bug.cgi?id=200715
497         <rdar://problem/54301717>
498
499         Reviewed by Yusuke Suzuki.
500
501         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
502         (main.v23):
503         (main.try.v43):
504         (main.):
505         (main):
506
507 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
508
509         [JSC] Generator should have internal fields
510         https://bugs.webkit.org/show_bug.cgi?id=201159
511
512         Reviewed by Keith Miller.
513
514         * stress/create-generator.js: Added.
515         (shouldBe):
516         (test.generator):
517         (test):
518         * stress/generator-construct-failure.js: Added.
519         (shouldThrow):
520         (TypeError):
521         * stress/generator-prototype-change.js: Added.
522         (shouldBe):
523         (gen):
524         * stress/generator-prototype-closure.js: Added.
525         (shouldBe):
526         (test.gen):
527         (test):
528         * stress/object-assign-fast-path.js:
529
530 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
531
532         Follow-up after String.codePointAt optimization
533         https://bugs.webkit.org/show_bug.cgi?id=201889
534
535         Reviewed by Saam Barati.
536
537         * stress/string-char-at-bad-type.js: Added.
538         (shouldBe):
539         (object.toString):
540         (test):
541         * stress/string-char-code-at-bad-type.js: Added.
542         (shouldBe):
543         (object.toString):
544         (test):
545         * stress/string-code-point-at-bad-type.js: Added.
546         (shouldBe):
547         (object.toString):
548         (test):
549
550 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
551
552         [JSC] CheckArray+NonArray is not filtering out Array in AI
553         https://bugs.webkit.org/show_bug.cgi?id=201857
554         <rdar://problem/54194820>
555
556         Reviewed by Keith Miller.
557
558         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
559         (foo):
560
561 2019-09-17  Saam Barati  <sbarati@apple.com>
562
563         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
564         https://bugs.webkit.org/show_bug.cgi?id=201853
565         <rdar://problem/53805461>
566
567         Reviewed by Yusuke Suzuki.
568
569         * stress/direct-arguments-check-array-filter-type.js: Added.
570         (foo):
571
572 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
573
574         Wasm StreamingParser should validate that number of functions matches number of declarations
575         https://bugs.webkit.org/show_bug.cgi?id=201850
576         <rdar://problem/55290186>
577
578         Reviewed by Yusuke Suzuki.
579
580         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
581         (catch):
582
583 2019-09-16  Michael Saboff  <msaboff@apple.com>
584
585         [JSC] Perform check again when we found non-BMP characters
586         https://bugs.webkit.org/show_bug.cgi?id=201647
587
588         Reviewed by Yusuke Suzuki.
589
590         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
591         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
592         (testRegExpInbounds):
593
594 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
595
596         [JSC] Add missing syntax errors for await in function parameter default expressions
597         https://bugs.webkit.org/show_bug.cgi?id=201615
598
599         Reviewed by Darin Adler.
600
601         * stress/async-await-reserved-word.js:
602         * stress/async-await-syntax.js:
603         Add test cases.
604
605         * test262/expectations.yaml:
606         Mark newly-passing test cases.
607
608 2019-09-16  Saam Barati  <sbarati@apple.com>
609
610         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
611         https://bugs.webkit.org/show_bug.cgi?id=200386
612         <rdar://problem/53854946>
613
614         Reviewed by Yusuke Suzuki.
615
616         * stress/proxy-__proto__-in-prototype-chain.js: Added.
617         * stress/proxy-property-replace-structure-transition.js: Added.
618
619 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
620
621         Date.prototype.toJSON does not execute steps 1-2
622         https://bugs.webkit.org/show_bug.cgi?id=105282
623
624         Reviewed by Ross Kirsling.
625
626         * test262/expectations.yaml: Mark 2 test cases as passing.
627
628 2019-09-12  Mark Lam  <mark.lam@apple.com>
629
630         Harden JSC against the abuse of runtime options.
631         https://bugs.webkit.org/show_bug.cgi?id=201597
632         <rdar://problem/55167068>
633
634         Reviewed by Filip Pizlo.
635
636         Remove the call to forceGCSlowPaths().  This utility function will be removed.
637         The modern way to set the required option is to use //@ requireOptions.
638
639         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
640
641 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
642
643         [JSC] Add StringCodePointAt intrinsic
644         https://bugs.webkit.org/show_bug.cgi?id=201673
645
646         Reviewed by Michael Saboff.
647
648         * stress/string-char-at-constant-index-out-of-range.js: Added.
649         (shouldBe):
650         (test):
651         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
652         (shouldBe):
653         (test):
654         * stress/string-code-point-at--out-of-range.js: Added.
655         (shouldBe):
656         (test):
657         * stress/string-code-point-at-basic.js: Added.
658         (test):
659         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
660         (shouldBe):
661         (test):
662         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
663         (shouldBe):
664         (test):
665         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
666         (shouldBe):
667         (test):
668         (breaking):
669         * stress/string-code-point-at-surrogate-pair.js: Added.
670         (shouldBe):
671         * stress/string-code-point-at.js: Added.
672         (shouldBe):
673
674 2019-09-10  Michael Saboff  <msaboff@apple.com>
675
676         JSC crashes due to stack overflow while building RegExp
677         https://bugs.webkit.org/show_bug.cgi?id=201649
678
679         Reviewed by Yusuke Suzuki.
680
681         New regression test.
682
683         * stress/regexp-bol-optimize-out-of-stack.js: Added.
684         (test):
685         (catch):
686
687 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
688
689         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
690         https://bugs.webkit.org/show_bug.cgi?id=189043
691
692         Reviewed by Keith Miller.
693
694         The offset performing the validation becomes a bit different.
695         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
696
697         * wasm/js-api/version.js:
698
699 2019-09-07  Keith Miller  <keith_miller@apple.com>
700
701         OSR entry into wasm misses some contexts
702         https://bugs.webkit.org/show_bug.cgi?id=201569
703
704         Reviewed by Yusuke Suzuki.
705
706         Add a new harness and wast and the generated wasm file for
707         testing. The idea long term is to make it easy to test by creating
708         a C file and converting it to a wast then modify that to produce a
709         test.
710
711         * wasm.yaml:
712         * wasm/wast-tests/harness.js: Added.
713         (async.runWasmFile):
714         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
715         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
716         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
717         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
718         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
719         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
720         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
721         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
722
723 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
724
725         [JSC] Promise resolve/reject functions should be created more efficiently
726         https://bugs.webkit.org/show_bug.cgi?id=201488
727
728         Reviewed by Mark Lam.
729
730         * microbenchmarks/promise-creation-many.js: Added.
731         (executor):
732
733 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
734
735         Unreviewed JSC test gardening.
736
737         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
738         This test allocates a 2GB string before it goes out and tests
739         out-of-memory exception when appending other strings to it. As such,
740         skip the test on memory-limited platforms.
741
742 2019-09-07  Mark Lam  <mark.lam@apple.com>
743
744         The jsc shell should allow disabling of the Gigacage for testing purposes.
745         https://bugs.webkit.org/show_bug.cgi?id=201579
746
747         Reviewed by Michael Saboff.
748
749         Unskip the tests now.
750
751         * stress/disable-gigacage-arrays.js:
752         * stress/disable-gigacage-strings.js:
753         * stress/disable-gigacage-typed-arrays.js:
754
755 2019-09-07  Mark Lam  <mark.lam@apple.com>
756
757         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
758
759         Not reviewed.
760
761         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
762
763         * stress/disable-gigacage-arrays.js:
764         * stress/disable-gigacage-strings.js:
765         * stress/disable-gigacage-typed-arrays.js:
766
767 2019-09-07  Mark Lam  <mark.lam@apple.com>
768
769         Gardening: speculative test fix to green bots [attempt #2].
770         https://bugs.webkit.org/show_bug.cgi?id=201529
771         <rdar://problem/53935772>
772
773         Not reviewed.
774
775         * stress/test-out-of-memory.js:
776
777 2019-09-06  Mark Lam  <mark.lam@apple.com>
778
779         Gardening: speculative test fix to green bots.
780         https://bugs.webkit.org/show_bug.cgi?id=201529
781         <rdar://problem/53935772>
782
783         Not reviewed.
784
785         * stress/test-out-of-memory.js:
786
787 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
788
789         Math.round() produces wrong result for value prior to 0.5
790         https://bugs.webkit.org/show_bug.cgi?id=185115
791
792         Reviewed by Saam Barati.
793
794         * stress/math-round-basics.js:
795         Add positive/negative test cases.
796
797         * test262/expectations.yaml:
798         Mark test passing.
799
800 2019-09-06  Mark Lam  <mark.lam@apple.com>
801
802         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
803         https://bugs.webkit.org/show_bug.cgi?id=201551
804
805         Reviewed by Tadeu Zagallo.
806
807         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
808
809         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
810         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
811
812 2019-09-06  Mark Lam  <mark.lam@apple.com>
813
814         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
815         https://bugs.webkit.org/show_bug.cgi?id=201529
816         <rdar://problem/53935772>
817
818         Reviewed by Yusuke Suzuki.
819
820         * stress/test-out-of-memory.js: Added.
821
822 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
823
824         LazyClassStructure::setConstructor should not store the constructor to the global object
825         https://bugs.webkit.org/show_bug.cgi?id=201484
826         <rdar://problem/50400451>
827
828         Reviewed by Yusuke Suzuki.
829
830         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
831
832 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
833
834         [JSC] Do not use FTLOutput::weakPointer directly
835         https://bugs.webkit.org/show_bug.cgi?id=201495
836
837         Reviewed by Filip Pizlo.
838
839         * stress/create-promise-weak-pointer.js: Added.
840         (foo):
841
842 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
843
844         [JSC] Make Promise implementation faster
845         https://bugs.webkit.org/show_bug.cgi?id=200898
846
847         Reviewed by Saam Barati.
848
849         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
850         (assert.assert.return.throws):
851         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
852         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
853         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
854         (shouldThrow):
855         (new.Promise):
856         (shouldThrow.Promise):
857         * stress/create-promise-should-respect-promise-realm.js: Added.
858         (shouldBe):
859         (other.new.OtherPromise):
860         (DerivedOtherPromise):
861         (i.promise.new.DerivedOtherPromise):
862         (createPromise):
863         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
864         (shouldBe):
865         (DerivedPromise):
866         (i.array.push.new.DerivedPromise):
867         (promise.new.DerivedPromise):
868         * stress/derived-promise-constructor-inlined.js: Added.
869         (shouldBe):
870         (DerivedPromise):
871         (i.array.push.new.DerivedPromise):
872         (DerivedPromise.all.array.then):
873         * stress/derived-promise-prototype-replaced.js: Added.
874         (shouldBe):
875         (DerivedPromise):
876         (i.array.push.new.DerivedPromise):
877         (promise.new.DerivedPromise):
878         * stress/internal-promise-constructor-not-confusing.js: Added.
879         (shouldBe):
880         (InternalPromise.vm.createBuiltin):
881         (DerivedPromise):
882         * stress/internal-promise-is-not-exposed.js: Added.
883         (shouldBe):
884         * stress/new-promise-should-respect-promise-realm.js: Added.
885         (shouldBe):
886         (other.new.OtherPromise):
887         (createPromise):
888         * stress/promise-cannot-be-called.js:
889         (shouldThrow):
890         * stress/promise-capability-fast-path.js: Added.
891         (shouldBe):
892         (i.array.push.new.Promise):
893         (i.array.i.then):
894         * stress/promise-capability-slow-path.js: Added.
895         (shouldBe):
896         (Promise.prototype.then):
897         (i.array.push.new.Promise):
898         (i.array.i.then):
899         * stress/promise-capability-then-slow-path.js: Added.
900         (shouldBe):
901         (DerivedPromise):
902         (DerivedPromise.prototype.then):
903         (i.array.push.new.DerivedPromise):
904         (i.array.i.then):
905         * stress/promise-constructor-inlined.js: Added.
906         (shouldBe):
907         (i.array.push.new.Promise):
908         (Promise.all.array.then):
909         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
910         (shouldBe):
911         (DerivedPromise):
912         (DerivedPromise2):
913         (i.array.push.new.DerivedPromise):
914         (i.array2.push.new.DerivedPromise2):
915         * stress/without-promise-functions.js: Added.
916         (shouldBe):
917         (async):
918
919 2019-09-03  Mark Lam  <mark.lam@apple.com>
920
921         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
922         https://bugs.webkit.org/show_bug.cgi?id=201309
923         <rdar://problem/54832121>
924
925         Reviewed by Yusuke Suzuki.
926
927         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
928
929 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
930
931         [JSC] Generate new.target register only when it is used
932         https://bugs.webkit.org/show_bug.cgi?id=201335
933
934         Reviewed by Mark Lam.
935
936         * stress/ensure-new-register-allocated.js: Added.
937         (shouldBe):
938         (basic):
939         (arrow):
940         (Base):
941         (Derived):
942         (evaluate):
943
944 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
945
946         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
947         https://bugs.webkit.org/show_bug.cgi?id=201331
948
949         Reviewed by Mark Lam.
950
951         * stress/simple-jump-table-copy.js: Added.
952         (let.code):
953         (g2):
954
955 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
956
957         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
958         https://bugs.webkit.org/show_bug.cgi?id=201332
959
960         Reviewed by Mark Lam.
961
962         This test is very flaky, it is hard to reproduce.
963
964         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
965         (code):
966
967 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
968
969         [JSC] Repatch should construct CallCases and CasesValue at the same time
970         https://bugs.webkit.org/show_bug.cgi?id=201325
971
972         Reviewed by Saam Barati.
973
974         * stress/repatch-switch.js: Added.
975         (main.f2.f0):
976         (main.f2.f3):
977         (main.f2.f1):
978         (main.f2):
979         (main):
980
981 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
982
983         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
984         https://bugs.webkit.org/show_bug.cgi?id=198650
985
986         Reviewed by Saam Barati.
987
988         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
989         (main.v0):
990         (main):
991
992 2019-08-28  Mark Lam  <mark.lam@apple.com>
993
994         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
995         https://bugs.webkit.org/show_bug.cgi?id=201281
996         <rdar://problem/54028228>
997
998         Reviewed by Yusuke Suzuki and Saam Barati.
999
1000         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
1001
1002 2019-08-28  Mark Lam  <mark.lam@apple.com>
1003
1004         Placate exception check validation in DFG's operationHasGenericProperty().
1005         https://bugs.webkit.org/show_bug.cgi?id=201245
1006         <rdar://problem/54777512>
1007
1008         Reviewed by Robin Morisset.
1009
1010         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
1011
1012 2019-08-27  Mark Lam  <mark.lam@apple.com>
1013
1014         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
1015         https://bugs.webkit.org/show_bug.cgi?id=201196
1016         <rdar://problem/54703775>
1017
1018         Reviewed by Yusuke Suzuki.
1019
1020         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
1021
1022 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
1023
1024         [JSC] Ensure x?.y ?? z is fast
1025         https://bugs.webkit.org/show_bug.cgi?id=200875
1026
1027         Reviewed by Yusuke Suzuki.
1028
1029         * stress/nullish-coalescing.js:
1030
1031 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
1032
1033         Remove MaximalFlushInsertionPhase
1034         https://bugs.webkit.org/show_bug.cgi?id=201036
1035
1036         Reviewed by Saam Barati.
1037
1038         Remove all the references to maximal flush
1039
1040         * stress/arith-ceil-on-various-types.js:
1041         (checkCompileCountForUselessNegativeZero):
1042         * stress/arith-floor-on-various-types.js:
1043         (checkCompileCountForUselessNegativeZero):
1044         * stress/arith-negate-on-various-types.js:
1045         (checkCompileCountForUselessNegativeZero):
1046         * stress/arith-round-on-various-types.js:
1047         (checkCompileCountForUselessNegativeZero):
1048         * stress/arith-trunc-on-various-types.js:
1049         (checkCompileCountForUselessNegativeZero):
1050         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
1051         * stress/has-indexed-property-should-accept-non-int32.js:
1052         * stress/has-indexed-property-with-worsening-array-mode.js:
1053         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
1054         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
1055         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
1056         * stress/rest-parameter-many-arguments.js:
1057         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
1058         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
1059         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
1060
1061 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
1062
1063         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
1064         https://bugs.webkit.org/show_bug.cgi?id=200952
1065
1066         Reviewed by Saam Barati.
1067
1068         * wasm/references/func_ref.js:
1069         (assert.throws):
1070
1071 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
1072
1073         Add missing exception check in canonicalizeLocaleList
1074         https://bugs.webkit.org/show_bug.cgi?id=201021
1075
1076         Reviewed by Mark Lam.
1077
1078         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
1079         (catch):
1080
1081 2019-08-21  Mark Lam  <mark.lam@apple.com>
1082
1083         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
1084         https://bugs.webkit.org/show_bug.cgi?id=201016
1085         <rdar://problem/54579911>
1086
1087         Reviewed by Yusuke Suzuki.
1088
1089         * wasm/stress/too-many-locals.js: Added.
1090         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
1091
1092 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
1093
1094         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
1095         https://bugs.webkit.org/show_bug.cgi?id=200965
1096
1097         Reviewed by Saam Barati.
1098
1099         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
1100         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
1101
1102         * stress/optional-chaining.js:
1103
1104 2019-08-21  Michael Saboff  <msaboff@apple.com>
1105
1106         [JSC] incorrent JIT lead to StackOverflow
1107         https://bugs.webkit.org/show_bug.cgi?id=197823
1108
1109         Reviewed by Tadeu Zagallo.
1110
1111         New test.
1112
1113         * stress/bound-function-stack-overflow.js: Added.
1114         (foo):
1115         (catch):
1116
1117 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1118
1119         Identify memcpy loops in b3
1120         https://bugs.webkit.org/show_bug.cgi?id=200181
1121
1122         Reviewed by Saam Barati.
1123
1124         * microbenchmarks/memcpy-loop.js: Added.
1125         (doTest):
1126         (let.arr1):
1127         * microbenchmarks/memcpy-typed-loop-large.js: Added.
1128         (doTest):
1129         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
1130         (arr2):
1131         * microbenchmarks/memcpy-typed-loop-small.js: Added.
1132         (doTest):
1133         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1134         (16.arr2):
1135         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
1136         (doTest):
1137         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
1138         (arr2):
1139         * microbenchmarks/memcpy-wasm-large.js: Added.
1140         (typeof.WebAssembly.string_appeared_here.eq):
1141         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1142         * microbenchmarks/memcpy-wasm-medium.js: Added.
1143         (typeof.WebAssembly.string_appeared_here.eq):
1144         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1145         * microbenchmarks/memcpy-wasm-small.js: Added.
1146         (typeof.WebAssembly.string_appeared_here.eq):
1147         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1148         * microbenchmarks/memcpy-wasm.js: Added.
1149         (typeof.WebAssembly.string_appeared_here.eq):
1150         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
1151         * stress/memcpy-typed-loops.js: Added.
1152         (noLoop):
1153         (invalidStart):
1154         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
1155         (arr2):
1156         * wasm/function-tests/memcpy-wasm-loop.js: Added.
1157         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
1158         (string_appeared_here):
1159
1160 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
1161
1162         [JSC] Array.prototype.toString should not get "join" function each time
1163         https://bugs.webkit.org/show_bug.cgi?id=200905
1164
1165         Reviewed by Mark Lam.
1166
1167         * stress/array-prototype-join-change.js: Added.
1168         (shouldBe):
1169         (array2.join):
1170         (DerivedArray):
1171         (DerivedArray.prototype.join):
1172         (array3.__proto__.join):
1173         (Array.prototype.join):
1174
1175 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
1176
1177         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1178         https://bugs.webkit.org/show_bug.cgi?id=200782
1179
1180         Reviewed by Saam Barati.
1181
1182         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
1183
1184         * microbenchmarks/memcpy-typed-loop.js:
1185         * stress/int8-repeat-in-then-out-of-bounds.js:
1186
1187 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1188
1189         Proxy constructor should throw if handler is revoked Proxy
1190         https://bugs.webkit.org/show_bug.cgi?id=198755
1191
1192         Reviewed by Saam Barati.
1193
1194         * stress/proxy-revoke.js: Adjust error message.
1195         * test262/expectations.yaml: Mark 2 test cases as passing.
1196
1197 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1198
1199         [JSC] OSR entry to Wasm OMG
1200         https://bugs.webkit.org/show_bug.cgi?id=200362
1201
1202         Reviewed by Michael Saboff.
1203
1204         * wasm/stress/osr-entry-basic.js: Added.
1205         (instance.exports.loop):
1206         * wasm/stress/osr-entry-many-locals-f32.js: Added.
1207         * wasm/stress/osr-entry-many-locals-f64.js: Added.
1208         * wasm/stress/osr-entry-many-locals-i32.js: Added.
1209         * wasm/stress/osr-entry-many-locals-i64.js: Added.
1210         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
1211         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
1212         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
1213         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
1214
1215 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1216
1217         Date.prototype.toJSON throws if toISOString returns an object
1218         https://bugs.webkit.org/show_bug.cgi?id=198495
1219
1220         Reviewed by Ross Kirsling.
1221
1222         * test262/expectations.yaml: Mark 6 test cases as passing.
1223
1224 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
1225
1226         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
1227         https://bugs.webkit.org/show_bug.cgi?id=200899
1228         <rdar://problem/54073341>
1229
1230         Reviewed by Mark Lam.
1231
1232         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
1233         (i.new.Promise):
1234         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
1235         (i.new.Promise):
1236
1237 2019-08-19  Michael Saboff  <msaboff@apple.com>
1238
1239         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
1240         https://bugs.webkit.org/show_bug.cgi?id=197090
1241
1242         Reviewed by Yusuke Suzuki.
1243
1244         New test.
1245
1246         * stress/regexp-nonconsuming-counted-parens.js: Added.
1247
1248 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
1249
1250         [JSC] Correct a->an in error messages and API docblocks
1251         https://bugs.webkit.org/show_bug.cgi?id=200833
1252
1253         Reviewed by Don Olmstead.
1254
1255         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1256         (assert.assert.return.throws):
1257         * stress/promise-finally-should-accept-non-promise-objects.js:
1258         * wasm/js-api/table.js:
1259         (assert.throws):
1260
1261 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1262
1263         [ESNext] Implement optional chaining
1264         https://bugs.webkit.org/show_bug.cgi?id=200199
1265
1266         Reviewed by Yusuke Suzuki.
1267
1268         * stress/nullish-coalescing.js:
1269         * stress/optional-chaining.js: Added.
1270         * stress/tail-call-recognize.js:
1271
1272 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
1273
1274         [ESNext] Support hashbang.
1275         https://bugs.webkit.org/show_bug.cgi?id=200865
1276
1277         Reviewed by Mark Lam.
1278
1279         * stress/hashbang.js: Added.
1280         * test262/expectations.yaml: Mark 6 cases as passing.
1281
1282 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
1283
1284         [JSC] DFG ToNumber should support Boolean in fixup
1285         https://bugs.webkit.org/show_bug.cgi?id=200864
1286
1287         Reviewed by Mark Lam.
1288
1289         * microbenchmarks/to-number-boolean.js: Added.
1290         (test):
1291         * stress/to-number-boolean-int32.js: Added.
1292         (shouldBe):
1293         (test):
1294         (check):
1295         * stress/to-number-boolean.js: Added.
1296         (shouldBe):
1297         (test):
1298         (check):
1299         * stress/to-number-int32.js: Added.
1300         (shouldBe):
1301         (test):
1302         (check):
1303
1304 2019-08-16  Mark Lam  <mark.lam@apple.com>
1305
1306         More missing exception checks in string comparison operators.
1307         https://bugs.webkit.org/show_bug.cgi?id=200844
1308         <rdar://problem/54378684>
1309
1310         Reviewed by Saam Barati.
1311
1312         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
1313         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
1314         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
1315         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
1316
1317 2019-08-16  Mark Lam  <mark.lam@apple.com>
1318
1319         CodeBlock destructor should clear all of its watchpoints.
1320         https://bugs.webkit.org/show_bug.cgi?id=200792
1321         <rdar://problem/53947800>
1322
1323         Reviewed by Yusuke Suzuki.
1324
1325         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
1326
1327 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
1328
1329         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
1330         https://bugs.webkit.org/show_bug.cgi?id=200782
1331
1332         Reviewed by Saam Barati.
1333
1334         * microbenchmarks/int8-out-of-bounds.js: Added.
1335         (foo):
1336         * microbenchmarks/memcpy-typed-loop.js: Added.
1337         (doTest):
1338         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
1339         (arr2):
1340         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
1341         (foo):
1342
1343 2019-08-16  Mark Lam  <mark.lam@apple.com>
1344
1345         [Re-land] ProxyObject should not be allow to access its target's private properties.
1346         https://bugs.webkit.org/show_bug.cgi?id=200739
1347         <rdar://problem/53972768>
1348
1349         Reviewed by Yusuke Suzuki.
1350
1351         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
1352         * stress/proxy-with-private-symbols.js:
1353
1354 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
1355
1356         [JSC] Promise.prototype.finally should accept non-promise objects
1357         https://bugs.webkit.org/show_bug.cgi?id=200829
1358
1359         Reviewed by Mark Lam.
1360
1361         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
1362         (shouldBe):
1363         (Thenable):
1364         (Thenable.prototype.then):
1365
1366 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
1367
1368         Promise constructor should check argument before [[Construct]]
1369         https://bugs.webkit.org/show_bug.cgi?id=198976
1370
1371         Reviewed by Ross Kirsling.
1372
1373         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
1374         * stress/create-subclass-structure-might-throw.js: Fix test.
1375         * test262/expectations.yaml: Mark 2 test cases as passing.
1376
1377 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
1378
1379         Unreviewed, rolling out r248709.
1380
1381         Caused test/built-ins/Promise/prototype/finally/this-value-
1382         non-promise.js to fail on test262 bot
1383
1384         Reverted changeset:
1385
1386         "ProxyObject should not be allow to access its target's
1387         private properties."
1388         https://bugs.webkit.org/show_bug.cgi?id=200739
1389         https://trac.webkit.org/changeset/248709
1390
1391 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
1392
1393         DateConversion::formatDateTime incorrectly formats negative years
1394         https://bugs.webkit.org/show_bug.cgi?id=199964
1395
1396         Reviewed by Ross Kirsling.
1397
1398         * test262/expectations.yaml: Mark 6 test cases as passing.
1399
1400 2019-08-15  Mark Lam  <mark.lam@apple.com>
1401
1402         More missing exception checks in String.prototype.
1403         https://bugs.webkit.org/show_bug.cgi?id=200762
1404         <rdar://problem/54333896>
1405
1406         Reviewed by Michael Saboff.
1407
1408         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1409         * stress/missing-exception-check-in-string-toLower.js: Added.
1410         * stress/missing-exception-check-in-string-toUpper.js: Added.
1411
1412 2019-08-14  Mark Lam  <mark.lam@apple.com>
1413
1414         ProxyObject should not be allow to access its target's private properties.
1415         https://bugs.webkit.org/show_bug.cgi?id=200739
1416         <rdar://problem/53972768>
1417
1418         Reviewed by Yusuke Suzuki.
1419
1420         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1421         * stress/proxy-with-private-symbols.js: Rebased.
1422
1423 2019-08-14  Mark Lam  <mark.lam@apple.com>
1424
1425         Missing exception check in string compare.
1426         https://bugs.webkit.org/show_bug.cgi?id=200743
1427         <rdar://problem/53975356>
1428
1429         Reviewed by Michael Saboff.
1430
1431         * stress/missing-exception-check-in-string-compare.js: Added.
1432
1433 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1434
1435         [JSC] Add "jump if (not) undefined or null" bytecode ops
1436         https://bugs.webkit.org/show_bug.cgi?id=200480
1437
1438         Reviewed by Saam Barati.
1439
1440         * stress/destructuring-assignment-require-object-coercible.js:
1441         * stress/nullish-coalescing.js:
1442
1443 2019-08-05  Michael Saboff  <msaboff@apple.com>
1444
1445         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1446         https://bugs.webkit.org/show_bug.cgi?id=199997
1447
1448         Reviewed by Saam Barati.
1449
1450         New test.
1451
1452         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1453         (checkIntArray):
1454         (checkFloatArray):
1455
1456 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1457
1458         [JSC] Support WebAssembly in SamplingProfiler
1459         https://bugs.webkit.org/show_bug.cgi?id=200329
1460
1461         Reviewed by Saam Barati.
1462
1463         * stress/sampling-profiler-wasm-name-section.js: Added.
1464         (const.compile):
1465         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1466         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1467         * stress/sampling-profiler-wasm.js: Added.
1468         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1469         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1470         * stress/sampling-profiler/loop.wasm: Added.
1471         * stress/sampling-profiler/loop.wast: Added.
1472         * stress/sampling-profiler/nameSection.wasm: Added.
1473
1474 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1475
1476         [JSC] LazyJSValue should be robust for empty JSValue
1477         https://bugs.webkit.org/show_bug.cgi?id=200388
1478
1479         Reviewed by Saam Barati.
1480
1481         * stress/switch-constant-child-becomes-empty.js: Added.
1482         (foo):
1483
1484 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1485
1486         GetterSetter type confusion during DFG compilation
1487         https://bugs.webkit.org/show_bug.cgi?id=199903
1488
1489         Reviewed by Mark Lam.
1490
1491         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1492
1493 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1494
1495         Update Test262 (2019.08.01)
1496         https://bugs.webkit.org/show_bug.cgi?id=200351
1497
1498         Reviewed by Keith Miller.
1499
1500         * test262/expectations.yaml:
1501         * test262/harness/testIntl.js:
1502         * test262/latest-changes-summary.txt:
1503         * test262/test/:
1504         * test262/test262-Revision.txt:
1505
1506 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1507
1508         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1509         https://bugs.webkit.org/show_bug.cgi?id=200192
1510
1511         Reviewed by Saam Barati.
1512
1513         * stress/structure-chain-stress.js: Added.
1514         (keys):
1515
1516 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1517
1518         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1519         https://bugs.webkit.org/show_bug.cgi?id=200196
1520
1521         Reviewed by Robin Morisset.
1522
1523         * stress/reparsing-unlinked-codeblock.js:
1524
1525 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1526
1527         [X86] Emit BT instruction for shift + mask in B3
1528         https://bugs.webkit.org/show_bug.cgi?id=199891
1529
1530         Reviewed by Robin Morisset.
1531
1532         Lower the number of iterations to fix debug timeouts.
1533
1534         * microbenchmarks/bit-test-load.js:
1535         (i):
1536
1537 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1538
1539         [X86] Emit BT instruction for shift + mask in B3
1540         https://bugs.webkit.org/show_bug.cgi?id=199891
1541
1542         Reviewed by Keith Miller.
1543
1544         * microbenchmarks/bit-test-constant.js: Added.
1545         (let.glob.0.doTest):
1546         * microbenchmarks/bit-test-load.js: Added.
1547         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1548         (i):
1549         * microbenchmarks/bit-test-nonconstant.js: Added.
1550         (let.glob.0.doTest):
1551
1552 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1553
1554         [JSC] Potential GC fix for JSPropertyNameEnumerator
1555         https://bugs.webkit.org/show_bug.cgi?id=200151
1556
1557         Reviewed by Mark Lam.
1558
1559         * stress/for-in-stress.js: Added.
1560         (keys):
1561
1562 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1563
1564         Legacy numeric literals should not permit separators or BigInt
1565         https://bugs.webkit.org/show_bug.cgi?id=199984
1566
1567         Reviewed by Keith Miller.
1568
1569         * stress/big-int-literals.js:
1570         * stress/numeric-literal-separators.js:
1571
1572 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1573
1574         [ESNext] Implement nullish coalescing
1575         https://bugs.webkit.org/show_bug.cgi?id=200072
1576
1577         Reviewed by Darin Adler.
1578
1579         * stress/nullish-coalescing.js: Added.
1580
1581 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1582
1583         Three checks are missing in Proxy internal methods
1584         https://bugs.webkit.org/show_bug.cgi?id=198630
1585
1586         Reviewed by Darin Adler.
1587
1588         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1589         * test262/expectations.yaml: Mark 6 test cases as passing.
1590
1591 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1592
1593         Sometimes we miss removable CheckInBounds
1594         https://bugs.webkit.org/show_bug.cgi?id=200018
1595
1596         Reviewed by Saam Barati.
1597
1598         * microbenchmarks/typed-array-sum.js: Added.
1599         (doTest):
1600
1601 2019-07-16  Mark Lam  <mark.lam@apple.com>
1602
1603         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1604         https://bugs.webkit.org/show_bug.cgi?id=199821
1605         <rdar://problem/52452328>
1606
1607         Reviewed by Filip Pizlo.
1608
1609         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1610
1611 2019-07-16  Keith Miller  <keith_miller@apple.com>
1612
1613         Unreviewed, test262 gardening.
1614
1615         * test262/expectations.yaml:
1616
1617 2019-07-15  Keith Miller  <keith_miller@apple.com>
1618
1619         A Possible Issue of Object.create method
1620         https://bugs.webkit.org/show_bug.cgi?id=199744
1621
1622         Reviewed by Yusuke Suzuki.
1623
1624         * stress/object-create-non-object-properties-parameter.js: Added.
1625         (catch):
1626
1627 2019-07-15  Keith Miller  <keith_miller@apple.com>
1628
1629         Update test262
1630         https://bugs.webkit.org/show_bug.cgi?id=199801
1631
1632         Rubber-stamped by Yusuke Suzuki.
1633
1634         * test262/expectations.yaml:
1635         * test262/latest-changes-summary.txt:
1636         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1637         (fg.new.FinalizationGroup):
1638         (callback):
1639         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1640         (fg.new.FinalizationGroup):
1641         (callback):
1642         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1643         (fg.new.FinalizationGroup):
1644         (callback):
1645         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1646         (fg.new.FinalizationGroup):
1647         (callback):
1648         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1649         (fg.new.FinalizationGroup):
1650         (callback):
1651         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1652         (fg.new.FinalizationGroup):
1653         (callback):
1654         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1655         (fg.new.FinalizationGroup):
1656         (callback):
1657         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1658         (callback):
1659         (fg.new.FinalizationGroup):
1660         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1661         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1662         (cb):
1663         (fg.new.FinalizationGroup):
1664         (emptyCells):
1665         (async.fn):
1666         (fn.then.async):
1667         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1668         (fg.new.FinalizationGroup):
1669         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1670         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1671         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1672         (newTarget):
1673         (fn):
1674         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1675         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1676         (fn):
1677         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1678         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1679         (newTarget):
1680         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1681         (newTarget):
1682         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1683         (fg.new.FinalizationGroup):
1684         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1685         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1686         (callback):
1687         (fg.new.FinalizationGroup):
1688         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1689         (fg.new.FinalizationGroup):
1690         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1691         (cb):
1692         (fg.new.FinalizationGroup):
1693         (emptyCells):
1694         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1695         (fg.new.FinalizationGroup):
1696         (fg.cleanupSome.cb):
1697         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1698         (callback):
1699         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1700         (fn):
1701         (cb):
1702         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1703         (cb):
1704         (fg.new.FinalizationGroup):
1705         (emptyCells):
1706         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1707         (fg.new.FinalizationGroup):
1708         (callback):
1709         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1710         (fg.new.FinalizationGroup):
1711         (callback):
1712         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1713         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1714         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1715         (poisoned):
1716         (fg.new.FinalizationGroup):
1717         (emptyCells):
1718         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1719         (poisoned):
1720         (emptyCells):
1721         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1722         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1723         (fn):
1724         (cb):
1725         (emptyCells):
1726         (prototype.assert.sameValue.fg.cleanupSome):
1727         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1728         (fn):
1729         (cb):
1730         (poisoned):
1731         (assert.sameValue.fg.cleanupSome):
1732         (prototype.assert.sameValue.fg.cleanupSome):
1733         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1734         (cb):
1735         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1736         (cb):
1737         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1738         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1739         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1740         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1741         (fn):
1742         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1743         (fn):
1744         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1745         (fg.new.FinalizationGroup):
1746         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1747         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1748         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1749         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1750         (fn):
1751         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1752         (fn):
1753         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1754         (fg.new.FinalizationGroup):
1755         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1756         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1757         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1758         (fg.new.FinalizationGroup):
1759         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1760         (fg.new.FinalizationGroup):
1761         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1762         (fg.new.FinalizationGroup):
1763         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1764         (fg.new.FinalizationGroup):
1765         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1766         (fn):
1767         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1768         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1769         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1770         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1771         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1772         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1773         (fn):
1774         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1775         (fg.new.FinalizationGroup):
1776         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1777         (cleanupCallback):
1778         (let.key.of.Object.getOwnPropertyNames):
1779         (set for):
1780         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1781         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1782         (FinalizationGroup):
1783         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1784         (cleanupCallback):
1785         (let.key.of.Object.getOwnPropertyNames):
1786         (set for):
1787         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1788         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1789         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1790         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1791         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1792         (asyncProxy.new.Proxy.async):
1793         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1794         (asyncProxy.new.Proxy.async):
1795         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1796         (setIter.set Symbol):
1797         (set defaultTag):
1798         (gen):
1799         (get return):
1800         (set new):
1801         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1802         (generatorProxy.new.Proxy):
1803         (asyncProxy.new.Proxy.async):
1804         * test262/test/built-ins/Object/subclass-object-arg.js:
1805         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1806         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1807         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1808         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1809         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1810         * test262/test/built-ins/Promise/executor-function-name.js:
1811         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1812         * test262/test/built-ins/Promise/reject-function-name.js:
1813         * test262/test/built-ins/Promise/resolve-function-name.js:
1814         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1815         * test262/test/built-ins/WeakRef/constructor.js: Added.
1816         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1817         * test262/test/built-ins/WeakRef/length.js: Added.
1818         * test262/test/built-ins/WeakRef/name.js: Added.
1819         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1820         (newTarget):
1821         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1822         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1823         * test262/test/built-ins/WeakRef/proto.js: Added.
1824         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1825         (newTarget):
1826         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1827         (newTarget):
1828         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1829         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1830         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1831         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1832         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1833         (emptyCells):
1834         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1835         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1836         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1837         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1838         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1839         (fg.new.FinalizationGroup):
1840         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1841         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1842         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1843         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1844         (let.key.of.Object.getOwnPropertyNames):
1845         (set for):
1846         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1847         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1848         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1849         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1850         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1851         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1852         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1853         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1854         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1855         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1856         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1857         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1858         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1859         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1860         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1861         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1862         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1863         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1864         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1865         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1866         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1867         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1868         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1869         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1870         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1871         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1872         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1873         (assertParts):
1874         (assertPartsNumeric):
1875         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1876         (assertParts):
1877         (assertPartsNumeric):
1878         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1879         (assertParts):
1880         (assertPartsNumeric):
1881         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1882         (assertParts):
1883         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1884         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1885         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1886         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1887         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1888         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1889         (C.prototype.method):
1890         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1891         (C.prototype.method.innerFunction):
1892         (C.prototype.method):
1893         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1894         (C):
1895         (C.method):
1896         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1897         (C):
1898         (C.method.innerFunction):
1899         (C.method):
1900         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1901         (C):
1902         (C.checkPrivateGetter):
1903         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1904         (C):
1905         (C.method):
1906         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1907         (C):
1908         (C.method.innerFunction):
1909         (C.method):
1910         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1911         (C):
1912         (C.checkPrivateMethod):
1913         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1914         (C):
1915         (C.method):
1916         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1917         (C):
1918         (C.method.innerFunction):
1919         (C.method):
1920         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1921         (C):
1922         (C.checkPrivateSetter):
1923         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1924         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1925         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1926         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1927         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1928         (let.classStringExpression):
1929         (let.classStringExpression.access):
1930         (let.createAndInstantiateClass):
1931         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1932         (let.classStringExpression):
1933         (let.classStringExpression.access):
1934         (let.createAndInstantiateClass):
1935         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1936         (const.C):
1937         (let.createAndInstantiateClass):
1938         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1939         (let.classStringExpression.return.prototype.m):
1940         (let.classStringExpression.return.prototype.access):
1941         (let.createAndInstantiateClass):
1942         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1943         (let.classStringExpression.return.prototype.m):
1944         (let.classStringExpression.return.prototype.access):
1945         (let.createAndInstantiateClass):
1946         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1947         (let.classStringExpression):
1948         (let.classStringExpression.access):
1949         (let.createAndInstantiateClass):
1950         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1951         (let.classStringExpression.prototype.m):
1952         (let.classStringExpression.prototype.access):
1953         (let.classStringExpression):
1954         (let.createAndInstantiateClass):
1955         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1956         (let.classStringExpression.prototype.m):
1957         (let.classStringExpression.prototype.access):
1958         (let.classStringExpression):
1959         (let.createAndInstantiateClass):
1960         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1961         (const.C):
1962         (let.createAndInstantiateClass):
1963         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1964         (let.classStringExpression.return.C.prototype.m):
1965         (let.classStringExpression.return.C.prototype.access):
1966         (let.classStringExpression.return.C):
1967         (let.createAndInstantiateClass):
1968         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1969         (let.classStringExpression.return.C.prototype.m):
1970         (let.classStringExpression.return.C.prototype.access):
1971         (let.classStringExpression.return.C):
1972         (let.createAndInstantiateClass):
1973         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1974         (let.classStringExpression):
1975         (let.classStringExpression.access):
1976         (let.createAndInstantiateClass):
1977         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1978         (let.classStringExpression):
1979         (let.classStringExpression.access):
1980         (let.createAndInstantiateClass):
1981         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1982         (let.classStringExpression):
1983         (let.classStringExpression.access):
1984         (let.createAndInstantiateClass):
1985         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1986         (const.C):
1987         (let.createAndInstantiateClass):
1988         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1989         (let.classStringExpression.return.prototype.m):
1990         (let.classStringExpression.return.prototype.access):
1991         (let.createAndInstantiateClass):
1992         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1993         (let.classStringExpression.return.prototype.m):
1994         (let.classStringExpression.return.prototype.access):
1995         (let.createAndInstantiateClass):
1996         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1997         (let.classStringExpression):
1998         (let.classStringExpression.access):
1999         (let.createAndInstantiateClass):
2000         * test262/test/language/expressions/new.target/unary-expr.js: Added.
2001         (new):
2002         (async):
2003         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
2004         (A):
2005         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
2006         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
2007         * test262/test/language/identifiers/vals-cjk.js: Added.
2008         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
2009         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
2010         (C.prototype.method):
2011         (C):
2012         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
2013         (C.prototype.method.innerFunction):
2014         (C.prototype.method):
2015         (C):
2016         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
2017         (C.prototype.checkPrivateField):
2018         (C):
2019         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
2020         (C):
2021         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
2022         (C.prototype.getWithEval):
2023         (C):
2024         (D):
2025         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
2026         (C.prototype.get m):
2027         (C.prototype.method):
2028         (C):
2029         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
2030         (C.prototype.get m):
2031         (C.prototype.method.innerFunction):
2032         (C.prototype.method):
2033         (C):
2034         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
2035         (let.createAndInstantiateClass):
2036         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
2037         (C.prototype.get m):
2038         (C.prototype.checkPrivateGetter):
2039         (C):
2040         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
2041         (C.prototype.get m):
2042         (C.prototype.checkPrivateGetter):
2043         (C):
2044         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
2045         (C.prototype.get m):
2046         (C):
2047         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
2048         (C.prototype.get m):
2049         (C.prototype.getWithEval):
2050         (C):
2051         (D.prototype.get m):
2052         (D):
2053         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
2054         (C.prototype.m):
2055         (C.prototype.method):
2056         (C):
2057         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
2058         (C.prototype.m):
2059         (C.prototype.method.innerFunction):
2060         (C.prototype.method):
2061         (C):
2062         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
2063         (C.prototype.m):
2064         (C.prototype.checkPrivateMethod):
2065         (C):
2066         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
2067         (C.prototype.m):
2068         (C.prototype.checkPrivateMethod):
2069         (C):
2070         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
2071         (C.prototype.m):
2072         (C):
2073         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
2074         (C.prototype.m):
2075         (C.prototype.getWithEval):
2076         (C):
2077         (D.prototype.m):
2078         (D):
2079         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
2080         (C.prototype.set m):
2081         (C.prototype.method):
2082         (C):
2083         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
2084         (C.prototype.set m):
2085         (C.prototype.method.innerFunction):
2086         (C.prototype.method):
2087         (C):
2088         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
2089         (C.prototype.set m):
2090         (C.prototype.checkPrivateSetter):
2091         (C):
2092         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
2093         (C.prototype.set m):
2094         (C.prototype.checkPrivateSetter):
2095         (C):
2096         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
2097         (C.prototype.set m):
2098         (C):
2099         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
2100         (C.prototype.set m):
2101         (C.prototype.setWithEval):
2102         (C):
2103         (D.prototype.set m):
2104         (D):
2105         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
2106         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
2107         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
2108         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
2109         (A.prototype.method):
2110         (A):
2111         (C.prototype.get m):
2112         (C.prototype.access):
2113         (C):
2114         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
2115         (A.prototype.method):
2116         (A):
2117         (C.prototype.m):
2118         (C.prototype.access):
2119         (C):
2120         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
2121         (A.prototype.method):
2122         (A):
2123         (C.prototype.set m):
2124         (C.prototype.access):
2125         (C):
2126         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
2127         (A):
2128         * test262/test/language/statements/function/13.2-30-s.js:
2129         * test262/test262-Revision.txt:
2130
2131 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2132
2133         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2134         https://bugs.webkit.org/show_bug.cgi?id=199783
2135
2136         Reviewed by Mark Lam.
2137
2138         Fix our spec tests.
2139
2140         * wasm/js-api/Module-compile.js:
2141         * wasm/js-api/test_basic_api.js:
2142         (const.c.in.constructorProperties.switch):
2143         * wasm/js-api/validate.js:
2144         * wasm/js-api/web-assembly-instantiate.js:
2145         * wasm/spec-tests/jsapi.js:
2146         (testJSAPI.get test):
2147         (testJSAPI.set test):
2148
2149 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2150
2151         Unreviewed, rolling out r247440.
2152
2153         Broke builds
2154
2155         Reverted changeset:
2156
2157         "[JSC] Improve wasm wpt test results by fixing miscellaneous
2158         issues"
2159         https://bugs.webkit.org/show_bug.cgi?id=199783
2160         https://trac.webkit.org/changeset/247440
2161
2162 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
2163
2164         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
2165         https://bugs.webkit.org/show_bug.cgi?id=199783
2166
2167         Reviewed by Mark Lam.
2168
2169         Fix our spec tests.
2170
2171         * wasm/js-api/Module-compile.js:
2172         * wasm/js-api/test_basic_api.js:
2173         (const.c.in.constructorProperties.switch):
2174         * wasm/js-api/validate.js:
2175         * wasm/js-api/web-assembly-instantiate.js:
2176         * wasm/spec-tests/jsapi.js:
2177         (testJSAPI.get test):
2178         (testJSAPI.set test):
2179
2180 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
2181
2182         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
2183         https://bugs.webkit.org/show_bug.cgi?id=196371
2184
2185         Reviewed by Keith Miller.
2186
2187         * microbenchmarks/mul-immediate-sub.js: Added.
2188         (doTest):
2189
2190 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
2191
2192         [BigInt] Add ValueBitLShift into DFG
2193         https://bugs.webkit.org/show_bug.cgi?id=192664
2194
2195         Reviewed by Saam Barati.
2196
2197         We are adding tests to cover ValueBitwise operations AI changes.
2198
2199         * stress/big-int-left-shift-untyped.js: Added.
2200         * stress/bit-op-with-object-returning-int32.js:
2201         * stress/value-bit-and-ai-rule.js: Added.
2202         * stress/value-bit-lshift-ai-rule.js: Added.
2203         * stress/value-bit-or-ai-rule.js: Added.
2204         * stress/value-bit-xor-ai-rule.js: Added.
2205
2206 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
2207
2208         Add b3 macro lowering for CheckMul on arm64
2209         https://bugs.webkit.org/show_bug.cgi?id=199251
2210
2211         Reviewed by Robin Morisset.
2212
2213         * microbenchmarks/check-mul-constant.js: Added.
2214         (doTest):
2215         * microbenchmarks/check-mul-no-constant.js: Added.
2216         (doTest):
2217         * microbenchmarks/check-mul-power-of-two.js: Added.
2218         (doTest):
2219
2220 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
2221
2222         Optimize join of large empty arrays
2223         https://bugs.webkit.org/show_bug.cgi?id=199636
2224
2225         Reviewed by Mark Lam.
2226
2227         * microbenchmarks/large-empty-array-join.js: Added.
2228         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
2229
2230 2019-07-06  Michael Saboff  <msaboff@apple.com>
2231
2232         switch(String) needs to check for exceptions when resolving the string
2233         https://bugs.webkit.org/show_bug.cgi?id=199541
2234
2235         Reviewed by Mark Lam.
2236
2237         New tests.
2238
2239         * stress/switch-string-oom.js: Added.
2240         (test):
2241         (testLowerTiers):
2242         (testFTL):
2243
2244 2019-07-05  Mark Lam  <mark.lam@apple.com>
2245
2246         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
2247         https://bugs.webkit.org/show_bug.cgi?id=199533
2248         <rdar://problem/52669111>
2249
2250         Reviewed by Filip Pizlo.
2251
2252         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
2253
2254 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
2255
2256         [JSC] Clean up ArraySpeciesCreate
2257         https://bugs.webkit.org/show_bug.cgi?id=182434
2258
2259         Reviewed by Yusuke Suzuki.
2260
2261         Adjusts error message expectations in stress tests.
2262
2263         * stress/array-flatmap.js:
2264         * stress/array-flatten.js:
2265         * stress/array-species-create-should-handle-masquerader.js:
2266         * test262/expectations.yaml: Mark 4 test cases as passing.
2267
2268 2019-07-02  Michael Saboff  <msaboff@apple.com>
2269
2270         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
2271         https://bugs.webkit.org/show_bug.cgi?id=199395
2272
2273         Reviewed by Filip Pizlo.
2274
2275         New regession test.
2276
2277         * stress/for-of-tdz-with-try-catch.js: Added.
2278         (test):
2279         (i.catch):
2280
2281 2019-07-02  Keith Miller  <keith_miller@apple.com>
2282
2283         Frozen Arrays length assignment should throw in strict mode
2284         https://bugs.webkit.org/show_bug.cgi?id=199365
2285
2286         Reviewed by Yusuke Suzuki.
2287
2288         * stress/frozen-array-length-should-throw-strict.js: Added.
2289         (test):
2290
2291 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
2292
2293         [Wasm-References] Disable references by default
2294         https://bugs.webkit.org/show_bug.cgi?id=199390
2295
2296         Reviewed by Saam Barati.
2297
2298         * wasm/references-spec-tests/ref_is_null.js:
2299         * wasm/references-spec-tests/ref_null.js:
2300         * wasm/references/anyref_globals.js:
2301         * wasm/references/anyref_modules.js:
2302         * wasm/references/anyref_table.js:
2303         * wasm/references/anyref_table_import.js:
2304         * wasm/references/element_parsing.js:
2305         * wasm/references/func_ref.js:
2306         * wasm/references/is_null.js:
2307         * wasm/references/multitable.js:
2308         * wasm/references/table_misc.js:
2309         * wasm/references/validation.js:
2310
2311 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
2312
2313         Unreviewed, rolling out r246946.
2314
2315         Caused JSC test crashes on arm64
2316
2317         Reverted changeset:
2318
2319         "Add b3 macro lowering for CheckMul on arm64"
2320         https://bugs.webkit.org/show_bug.cgi?id=199251
2321         https://trac.webkit.org/changeset/246946
2322
2323 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
2324
2325         Add b3 macro lowering for CheckMul on arm64
2326         https://bugs.webkit.org/show_bug.cgi?id=199251
2327
2328         Reviewed by Robin Morisset.
2329
2330         * microbenchmarks/check-mul-constant.js: Added.
2331         (doTest):
2332         * microbenchmarks/check-mul-no-constant.js: Added.
2333         (doTest):
2334         * microbenchmarks/check-mul-power-of-two.js: Added.
2335         (doTest):
2336
2337 2019-06-26  Keith Miller  <keith_miller@apple.com>
2338
2339         speciesConstruct needs to throw if the result is a DataView
2340         https://bugs.webkit.org/show_bug.cgi?id=199231
2341
2342         Reviewed by Mark Lam.
2343
2344         * stress/typedarray-filter.js:
2345         (subclasses.forEach):
2346         * stress/typedarray-map.js:
2347         (subclasses.forEach):
2348         * stress/typedarray-slice.js:
2349         (typedArrays.forEach):
2350         * stress/typedarray-subarray.js:
2351         (subclasses.forEach):
2352
2353 2019-06-24  Commit Queue  <commit-queue@webkit.org>
2354
2355         Unreviewed, rolling out r246714.
2356         https://bugs.webkit.org/show_bug.cgi?id=199179
2357
2358         revert to do patch in a different way. (Requested by keith_mi_
2359         on #webkit).
2360
2361         Reverted changeset:
2362
2363         "All prototypes should call didBecomePrototype()"
2364         https://bugs.webkit.org/show_bug.cgi?id=196315
2365         https://trac.webkit.org/changeset/246714
2366
2367 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
2368
2369         Add Array.prototype.{flat,flatMap} to unscopables
2370         https://bugs.webkit.org/show_bug.cgi?id=194322
2371
2372         Reviewed by Keith Miller.
2373
2374         * stress/unscopables.js: Fix test.
2375         * test262/expectations.yaml: Mark 2 test cases as passing.
2376
2377 2019-06-21  Mark Lam  <mark.lam@apple.com>
2378
2379         ArraySlice needs to keep the source array alive.
2380         https://bugs.webkit.org/show_bug.cgi?id=197374
2381         <rdar://problem/50304429>
2382
2383         Reviewed by Michael Saboff and Filip Pizlo.
2384
2385         * stress/array-slice-must-keep-source-array-alive.js: Added.
2386
2387 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2388
2389         All prototypes should call didBecomePrototype()
2390         https://bugs.webkit.org/show_bug.cgi?id=196315
2391
2392         Reviewed by Saam Barati.
2393
2394         * stress/function-prototype-indexed-accessor.js: Added.
2395
2396 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2397
2398         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
2399         https://bugs.webkit.org/show_bug.cgi?id=197631
2400
2401         Reviewed by Saam Barati.
2402
2403         * stress/has-own-property-arguments.js: Added.
2404         (shouldBe):
2405         (A):
2406
2407 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2408
2409         [JSC] ClassExpr should not store result in the middle of evaluation
2410         https://bugs.webkit.org/show_bug.cgi?id=199106
2411
2412         Reviewed by Tadeu Zagallo.
2413
2414         * stress/class-expression-should-store-result-at-last.js: Added.
2415         (shouldThrow):
2416         (shouldThrow.let.a):
2417
2418 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2419
2420         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2421         https://bugs.webkit.org/show_bug.cgi?id=199044
2422
2423         Reviewed by Saam Barati.
2424
2425         Add wasm references spec tests as well as a worker test.
2426
2427         * wasm.yaml:
2428         * wasm/Builder_WebAssemblyBinary.js:
2429         (const.emitters.Element):
2430         * wasm/js-api/element.js:
2431         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2432         * wasm/references-spec-tests/ref_is_null.js: Added.
2433         (hostref):
2434         (is_hostref):
2435         (is_funcref):
2436         (eq_ref):
2437         (let.handler.get target):
2438         (register):
2439         (module):
2440         (instance):
2441         (call):
2442         (get instance):
2443         (exports):
2444         (run):
2445         (assert_malformed):
2446         (assert_invalid):
2447         (assert_unlinkable):
2448         (assert_uninstantiable):
2449         (assert_trap):
2450         (try.f):
2451         (catch):
2452         (assert_exhaustion):
2453         (assert_return):
2454         (assert_return_canonical_nan):
2455         (assert_return_arithmetic_nan):
2456         (assert_return_ref):
2457         (assert_return_func):
2458         * wasm/references-spec-tests/ref_null.js: Added.
2459         (hostref):
2460         (is_hostref):
2461         (is_funcref):
2462         (eq_ref):
2463         (let.handler.get target):
2464         (register):
2465         (module):
2466         (instance):
2467         (call):
2468         (get instance):
2469         (exports):
2470         (run):
2471         (assert_malformed):
2472         (assert_invalid):
2473         (assert_unlinkable):
2474         (assert_uninstantiable):
2475         (assert_trap):
2476         (try.f):
2477         (catch):
2478         (assert_exhaustion):
2479         (assert_return):
2480         (assert_return_canonical_nan):
2481         (assert_return_arithmetic_nan):
2482         (assert_return_ref):
2483         (assert_return_func):
2484         * wasm/references/element_parsing.js: Added.
2485         (module):
2486         * wasm/references/func_ref.js:
2487         * wasm/references/multitable.js:
2488         * wasm/references/table_misc.js:
2489         (TableSize.0.End.End.WebAssembly):
2490         * wasm/references/validation.js:
2491         (assert.throws):
2492
2493 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2494
2495         Optimize `resolve` method lookup in Promise static methods
2496         https://bugs.webkit.org/show_bug.cgi?id=198864
2497
2498         Reviewed by Yusuke Suzuki.
2499
2500         * test262/expectations.yaml: Mark 18 test cases as passing.
2501
2502 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2503
2504         [WASM-References] Rename anyfunc to funcref
2505         https://bugs.webkit.org/show_bug.cgi?id=198983
2506
2507         Reviewed by Yusuke Suzuki.
2508
2509         * wasm/function-tests/basic-element.js:
2510         * wasm/function-tests/context-switch.js:
2511         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2512         (makeInstance):
2513         (assert.eq.makeInstance):
2514         * wasm/function-tests/exceptions.js:
2515         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2516         * wasm/function-tests/grow-memory-2.js:
2517         (assert.eq.instance.exports.foo):
2518         * wasm/function-tests/nameSection.js:
2519         (const.compile):
2520         * wasm/function-tests/stack-overflow.js:
2521         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2522         (assertOverflows.makeInstance):
2523         * wasm/function-tests/table-basic-2.js:
2524         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2525         * wasm/function-tests/table-basic.js:
2526         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2527         * wasm/function-tests/trap-from-start-async.js:
2528         * wasm/function-tests/trap-from-start.js:
2529         * wasm/js-api/Module.exports.js:
2530         (assert.truthy):
2531         * wasm/js-api/Module.imports.js:
2532         (assert.truthy):
2533         * wasm/js-api/call-indirect.js:
2534         (const.oneTable):
2535         (const.multiTable):
2536         (multiTable.const.makeTable):
2537         (multiTable):
2538         (multiTable.Polyphic2Import):
2539         (multiTable.VirtualImport):
2540         * wasm/js-api/element-data.js:
2541         * wasm/js-api/element.js:
2542         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2543         (assert.throws):
2544         (badInstantiation.makeModule):
2545         (badInstantiation.test):
2546         (badInstantiation):
2547         * wasm/js-api/extension-MemoryMode.js:
2548         * wasm/js-api/table.js:
2549         (new.WebAssembly.Module):
2550         (assert.throws):
2551         (assertBadTableImport):
2552         (assert.throws.WebAssembly.Table.prototype.grow):
2553         (new.WebAssembly.Table):
2554         (assertBadTable):
2555         (assert.truthy):
2556         * wasm/js-api/test_basic_api.js:
2557         (const.c.in.constructorProperties.switch):
2558         * wasm/js-api/unique-signature.js:
2559         (CallIndirectWithDuplicateSignatures):
2560         * wasm/js-api/wrapper-function.js:
2561         * wasm/modules/table.wat:
2562         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2563         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2564         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2565         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2566         * wasm/references/anyref_table.js:
2567         * wasm/references/anyref_table_import.js:
2568         (doSet):
2569         (assert.throws):
2570         * wasm/references/func_ref.js:
2571         (makeFuncrefIdent):
2572         (assert.eq.instance.exports.fix):
2573         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2574         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2575         (let.importedFun.of):
2576         (makeAnyfuncIdent): Deleted.
2577         (makeAnyfuncIdent.fun): Deleted.
2578         * wasm/references/multitable.js:
2579         (assert.eq):
2580         (assert.throws):
2581         * wasm/references/table_misc.js:
2582         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2583         * wasm/references/validation.js:
2584         (assert.throws.new.WebAssembly.Module.bin):
2585         (assert.throws):
2586         * wasm/spec-harness/index.js:
2587         * wasm/spec-harness/wasm-constants.js:
2588         * wasm/spec-harness/wasm-module-builder.js:
2589         (WasmModuleBuilder.prototype.toArray):
2590         * wasm/spec-harness/wast.js:
2591         (elem_type):
2592         (string_of_elem_type):
2593         (string_of_table_type):
2594         * wasm/spec-tests/jsapi.js:
2595         * wasm/stress/wasm-table-grow-initialize.js:
2596         * wasm/wasm.json:
2597
2598 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2599
2600         [WASM-References] Add support for Table.size, grow and fill instructions
2601         https://bugs.webkit.org/show_bug.cgi?id=198761
2602
2603         Reviewed by Yusuke Suzuki.
2604
2605         * wasm/Builder_WebAssemblyBinary.js:
2606         (const.putOp):
2607         * wasm/references/table_misc.js: Added.
2608         (TableSize.End.End.WebAssembly):
2609         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2610         * wasm/wasm.json:
2611
2612 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2613
2614         [WASM-References] Add support for multiple tables
2615         https://bugs.webkit.org/show_bug.cgi?id=198760
2616
2617         Reviewed by Saam Barati.
2618
2619         * wasm/Builder.js:
2620         * wasm/js-api/call-indirect.js:
2621         (const.oneTable):
2622         (const.multiTable):
2623         (multiTable):
2624         (multiTable.Polyphic2Import):
2625         (multiTable.VirtualImport):
2626         (const.wasmModuleWhichImportJS): Deleted.
2627         (const.makeTable): Deleted.
2628         (): Deleted.
2629         (Polyphic2Import): Deleted.
2630         (VirtualImport): Deleted.
2631         * wasm/js-api/table.js:
2632         (new.WebAssembly.Module):
2633         (assert.throws):
2634         (assertBadTableImport):
2635         (assert.truthy):
2636         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2637         * wasm/references/anyref_table.js:
2638         * wasm/references/anyref_table_import.js:
2639         (makeImport):
2640         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2641         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2642         * wasm/references/multitable.js: Added.
2643         (assert.throws.1.exports.set_tbl0):
2644         (assert.throws):
2645         (assert.eq):
2646         * wasm/references/validation.js:
2647         (assert.throws.new.WebAssembly.Module.bin):
2648         (assert.throws):
2649         * wasm/spec-tests/imports.wast.js:
2650         * wasm/wasm.json:
2651
2652         * wasm/Builder.js:
2653         * wasm/js-api/call-indirect.js:
2654         (const.oneTable):
2655         (const.multiTable):
2656         (multiTable):
2657         (multiTable.Polyphic2Import):
2658         (multiTable.VirtualImport):
2659         (const.wasmModuleWhichImportJS): Deleted.
2660         (const.makeTable): Deleted.
2661         (): Deleted.
2662         (Polyphic2Import): Deleted.
2663         (VirtualImport): Deleted.
2664         * wasm/js-api/table.js:
2665         (new.WebAssembly.Module):
2666         (assert.throws):
2667         (assertBadTableImport):
2668         (assert.truthy):
2669         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2670         * wasm/references/anyref_table.js:
2671         * wasm/references/anyref_table_import.js:
2672         (makeImport):
2673         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2674         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2675         * wasm/references/func_ref.js:
2676         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2677         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2678         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2679         * wasm/references/multitable.js: Added.
2680         (assert.throws.1.exports.set_tbl0):
2681         (assert.throws):
2682         (assert.eq):
2683         (string_appeared_here.tableInsanity):
2684         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2685         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2686         * wasm/references/validation.js:
2687         (assert.throws.new.WebAssembly.Module.bin):
2688         (assert.throws):
2689         * wasm/spec-tests/imports.wast.js:
2690         * wasm/wasm.json:
2691
2692 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2693
2694         [ESNExt] String.prototype.matchAll
2695         https://bugs.webkit.org/show_bug.cgi?id=186694
2696
2697         Reviewed by Yusuke Suzuki.
2698
2699         Implement String.prototype.matchAll.
2700         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2701
2702         * test262/config.yaml:
2703
2704 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2705
2706         DFG code should not reify the names of builtin functions with private names
2707         https://bugs.webkit.org/show_bug.cgi?id=198849
2708         <rdar://problem/51733890>
2709
2710         Reviewed by Filip Pizlo.
2711
2712         * stress/builtin-private-function-name.js: Added.
2713         (then):
2714         (PromiseLike):
2715
2716 2019-06-18  Keith Miller  <keith_miller@apple.com>
2717
2718         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2719         https://bugs.webkit.org/show_bug.cgi?id=198969
2720         <rdar://problem/51620714>
2721
2722         Reviewed by Tadeu Zagallo.
2723
2724         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2725         (catch):
2726
2727 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2728
2729         Validate that table element type is funcref if using an element section
2730         https://bugs.webkit.org/show_bug.cgi?id=198910
2731
2732         Reviewed by Yusuke Suzuki.
2733
2734         * wasm/references/anyref_table.js:
2735
2736 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2737
2738         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2739         https://bugs.webkit.org/show_bug.cgi?id=197378
2740
2741         Reviewed by Saam Barati.
2742
2743         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2744         (foo):
2745         (bar):
2746         * stress/disposable-call-site-index.js: Added.
2747         (foo):
2748         (bar):
2749
2750 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2751
2752         [WASM-References] Add support for Funcref in parameters and return types
2753         https://bugs.webkit.org/show_bug.cgi?id=198157
2754
2755         Reviewed by Yusuke Suzuki.
2756
2757         * wasm/Builder.js:
2758         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2759         * wasm/references/anyref_globals.js:
2760         * wasm/references/func_ref.js: Added.
2761         (fullGC.gc.makeExportedFunction):
2762         (makeExportedIdent):
2763         (makeAnyfuncIdent):
2764         (fun):
2765         (assert.eq.instance.exports.fix.fun):
2766         (assert.eq.instance.exports.fix):
2767         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2768         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2769         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2770         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2771         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2772         (assert.throws):
2773         (assert.throws.doTest):
2774         (let.importedFun.of):
2775         (makeAnyfuncIdent.fun):
2776         * wasm/references/validation.js:
2777         (assert.throws):
2778         * wasm/wasm.json:
2779
2780 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2781
2782         Update test262 tests (2019.06.13)
2783         https://bugs.webkit.org/show_bug.cgi?id=198821
2784
2785         Reviewed by Konstantin Tokarev.
2786
2787         * test262/expectations.yaml:
2788         * test262/harness/:
2789         * test262/latest-changes-summary.txt:
2790         * test262/test/:
2791         * test262/test262-Revision.txt:
2792
2793 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2794
2795         [JSC] Grown region of WasmTable should be initialized with null
2796         https://bugs.webkit.org/show_bug.cgi?id=198903
2797
2798         Reviewed by Saam Barati.
2799
2800         * wasm/stress/wasm-table-grow-initialize.js: Added.
2801         (shouldBe):
2802
2803 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2804
2805         Yarr bytecode compilation failure should be gracefully handled
2806         https://bugs.webkit.org/show_bug.cgi?id=198700
2807
2808         Reviewed by Michael Saboff.
2809
2810         * stress/regexp-bytecode-compilation-fail.js: Added.
2811         (shouldThrow):
2812
2813 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2814
2815         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2816         https://bugs.webkit.org/show_bug.cgi?id=198770
2817
2818         Reviewed by Saam Barati.
2819
2820         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2821         (test):
2822
2823 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2824
2825         JSC should throw if proxy set returns falsish in strict mode context
2826         https://bugs.webkit.org/show_bug.cgi?id=177398
2827
2828         Reviewed by Yusuke Suzuki.
2829
2830         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2831         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2832
2833         * stress/proxy-set.js: Add 2 test cases.
2834         * stress/regexp-match-proxy.js: Fix test.
2835         * stress/regexp-replace-proxy.js: Fix test.
2836
2837 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2838
2839         Error message for non-callable Proxy `construct` trap is misleading
2840         https://bugs.webkit.org/show_bug.cgi?id=198637
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/proxy-construct.js:
2845
2846 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2847
2848         AI BitURShift's result should not be unsigned
2849         https://bugs.webkit.org/show_bug.cgi?id=198689
2850         <rdar://problem/51550063>
2851
2852         Reviewed by Saam Barati.
2853
2854         * stress/urshift-int32-overflow.js: Added.
2855         (foo.):
2856         (foo):
2857
2858 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2859
2860         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2861
2862         Unreviewed gardening.
2863
2864         * stress/ftl-gettypedarrayoffset-wasteful.js:
2865         Skipped on arm/linux as it always times out on the bot since a change
2866         between r246270 and r246278 inclusive.
2867
2868 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2869
2870         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2871         https://bugs.webkit.org/show_bug.cgi?id=198023
2872
2873         Reviewed by Saam Barati.
2874
2875         * stress/reparsing-unlinked-codeblock.js: Added.
2876         (shouldBe):
2877         (hello):
2878
2879 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2880
2881         [JSC] Use mergePrediction in ValuePow prediction propagation
2882         https://bugs.webkit.org/show_bug.cgi?id=198648
2883
2884         Reviewed by Saam Barati.
2885
2886         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2887
2888 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2889
2890         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2891         https://bugs.webkit.org/show_bug.cgi?id=198581
2892         <rdar://problem/51099753>
2893
2894         Reviewed by Saam Barati.
2895
2896         * stress/global-object-proto-getter.js: Added.
2897         (f):
2898         (test):
2899
2900 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2901
2902         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2903         https://bugs.webkit.org/show_bug.cgi?id=198398
2904
2905         Reviewed by Saam Barati.
2906
2907         * wasm/references/anyref_table.js: Added.
2908         (string_appeared_here.doGCSet):
2909         (doGCTest):
2910         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2911         * wasm/references/anyref_table_import.js: Added.
2912         (makeImport):
2913         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2914         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2915         * wasm/references/is_null_error.js: Removed.
2916         * wasm/references/validation.js: Added.
2917         (assert.throws.new.WebAssembly.Module.bin):
2918         (assert.throws):
2919         * wasm/wasm.json:
2920
2921 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2922
2923         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2924         https://bugs.webkit.org/show_bug.cgi?id=198106
2925
2926         Reviewed by Saam Barati.
2927
2928         * wasm/regress/selectf64.js: Added.
2929         * wasm/regress/selectf64.wasm: Added.
2930         * wasm/regress/selectf64.wat: Added.
2931
2932 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2933
2934         Argument elimination should check transitive dependents for interference
2935         https://bugs.webkit.org/show_bug.cgi?id=198520
2936         <rdar://problem/50863343>
2937
2938         Reviewed by Filip Pizlo.
2939
2940         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2941         (f2):
2942         (f3):
2943
2944 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2945
2946         Argument elimination should check for negative indices in GetByVal
2947         https://bugs.webkit.org/show_bug.cgi?id=198302
2948         <rdar://problem/51188095>
2949
2950         Reviewed by Filip Pizlo.
2951
2952         * stress/eliminate-arguments-negative-rest-access.js: Added.
2953         (inlinee):
2954         (opt):
2955
2956 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2957
2958         [ESNext][BigInt] Implement support for "**"
2959         https://bugs.webkit.org/show_bug.cgi?id=190799
2960
2961         Reviewed by Saam Barati.
2962
2963         * stress/big-int-exp-basic.js: Added.
2964         * stress/big-int-exp-jit-osr.js: Added.
2965         * stress/big-int-exp-jit-untyped.js: Added.
2966         * stress/big-int-exp-jit.js: Added.
2967         * stress/big-int-exp-negative-exponent.js: Added.
2968         * stress/big-int-exp-to-primitive.js: Added.
2969         * stress/big-int-exp-type-error.js: Added.
2970         * stress/big-int-exp-wrapped-value.js: Added.
2971         * stress/value-pow-ai-rule.js: Added.
2972
2973 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2974
2975         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2976         https://bugs.webkit.org/show_bug.cgi?id=197979
2977
2978         Reviewed by Filip Pizlo.
2979
2980         * stress/16bit-code.js: Added.
2981         (shouldBe):
2982         * stress/32bit-code.js: Added.
2983         (shouldBe):
2984
2985 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2986
2987         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2988         https://bugs.webkit.org/show_bug.cgi?id=198355
2989
2990         Reviewed by Saam Barati.
2991
2992         * wasm/references/is_null.js:
2993
2994 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2995
2996         [PlayStation] Skip additional tests on PlayStation
2997         https://bugs.webkit.org/show_bug.cgi?id=198352
2998
2999         Reviewed by Don Olmstead.
3000
3001         Skip pow test on PlayStation due to behavior difference in standard library.
3002         Skip incremental marking test due to OOM on PlayStation systems.
3003
3004         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
3005         * stress/math-pow-with-constants.js:
3006         * stress/pow-with-constants.js:
3007
3008 2019-05-28  Dean Jackson  <dino@apple.com>
3009
3010         Implement Promise.allSettled
3011         https://bugs.webkit.org/show_bug.cgi?id=197600
3012         <rdar://problem/50483885>
3013
3014         Reviewed by Keith Miller.
3015
3016         Start testing Promise.allSettled. We pass most of the tests.
3017         The ones that fail are similar to the Promise.all tests we already fail.
3018
3019         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
3020         * test262/expectations.yaml: Add new expectations for allSettled tests.
3021
3022 2019-05-28  Michael Saboff  <msaboff@apple.com>
3023
3024         [YARR] Properly handle RegExp's that require large ParenContext space
3025         https://bugs.webkit.org/show_bug.cgi?id=198065
3026
3027         Reviewed by Keith Miller.
3028
3029         New test.
3030
3031         * stress/regexp-large-paren-context.js: Added.
3032         (testLargeRegExp):
3033
3034 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
3035
3036         JITOperations putByVal should mark negative array indices as out-of-bounds
3037         https://bugs.webkit.org/show_bug.cgi?id=198271
3038
3039         Reviewed by Saam Barati.
3040
3041         * microbenchmarks/get-by-val-negative-array-index.js:
3042         (foo):
3043         Update the getByVal microbenchmark added in r245769. This now shows that r245769
3044         is 4.2x faster than the previous commit.
3045
3046         * microbenchmarks/put-by-val-negative-array-index.js: Added.
3047         (foo):
3048
3049 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
3050
3051         JITOperations getByVal should mark negative array indices as out-of-bounds
3052         https://bugs.webkit.org/show_bug.cgi?id=198229
3053
3054         Reviewed by Saam Barati.
3055
3056         * microbenchmarks/get-by-val-negative-array-index.js: Added.
3057         (foo):
3058
3059 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
3060
3061         [WASM-References] Support Anyref in globals
3062         https://bugs.webkit.org/show_bug.cgi?id=198102
3063
3064         Reviewed by Saam Barati.
3065
3066         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
3067
3068         * wasm/Builder.js:
3069         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
3070         * wasm/Builder_WebAssemblyBinary.js:
3071         (const.putInitExpr):
3072         * wasm/references/anyref_globals.js: Added.
3073         (GetGlobal.0.End.End.WebAssembly):
3074         (5.doGCSet):
3075         (doGCTest):
3076         (doGCSet.doGCTest.let.count.0.doBarrierSet):
3077
3078 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3079
3080         DFG::OSREntry should not perform arity check
3081         https://bugs.webkit.org/show_bug.cgi?id=198189
3082
3083         Reviewed by Saam Barati.
3084
3085         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
3086         (foo):
3087
3088 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
3089
3090         [PlayStation] Skip additional tests on PlayStation
3091         https://bugs.webkit.org/show_bug.cgi?id=198145
3092
3093         Reviewed by Ross Kirsling.
3094
3095         * exceptionFuzz.yaml:
3096         Add skip on hostOS playstation
3097         * executableAllocationFuzz.yaml:
3098         Add skip on hostOS playstation
3099
3100 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
3101
3102         createListFromArrayLike should throw if value is not an object
3103         https://bugs.webkit.org/show_bug.cgi?id=198138
3104
3105         Reviewed by Yusuke Suzuki.
3106
3107         * stress/create-list-from-array-like-not-object.js: Added.
3108         (testValid):
3109         (testInvalid):
3110         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
3111         (opt):
3112         * stress/proxy-proto-enumerator.js: Added.
3113         (main):
3114         * stress/proxy-proto-own-keys.js: Added.
3115         (assert):
3116         (ownKeys):
3117
3118 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3119
3120         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
3121         https://bugs.webkit.org/show_bug.cgi?id=197809
3122
3123         Reviewed by Michael Saboff.
3124
3125         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
3126         (foo):
3127
3128 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3129
3130         [ESNext] Implement support for Numeric Separators
3131         https://bugs.webkit.org/show_bug.cgi?id=196351
3132
3133         Reviewed by Keith Miller.
3134
3135         * stress/numeric-literal-separators.js: Added.
3136         Add tests for feature.
3137
3138         * test262/expectations.yaml:
3139         Mark 60 test cases as passing.
3140
3141 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3142
3143         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
3144         https://bugs.webkit.org/show_bug.cgi?id=198120
3145         <rdar://problem/49668795>
3146
3147         Reviewed by Michael Saboff.
3148
3149         * stress/get-array-length-concurrently-change-mode.js: Added.
3150         (main):
3151
3152 2019-05-22  Commit Queue  <commit-queue@webkit.org>
3153
3154         Unreviewed, rolling out r245634.
3155         https://bugs.webkit.org/show_bug.cgi?id=198140
3156
3157         'This patch makes JSC crash on launch in debug builds'
3158         (Requested by tadeuzagallo on #webkit).
3159
3160         Reverted changeset:
3161
3162         "[ESNext] Implement support for Numeric Separators"
3163         https://bugs.webkit.org/show_bug.cgi?id=196351
3164         https://trac.webkit.org/changeset/245634
3165
3166 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
3167
3168         Stack-buffer-overflow in decodeURIComponent
3169         https://bugs.webkit.org/show_bug.cgi?id=198109
3170         <rdar://problem/50397550>
3171
3172         Reviewed by Michael Saboff.
3173
3174         * stress/decode-uri-icu-count-trail-bytes.js: Added.
3175         (i.j.try.i.toString):
3176         (i.j.catch):
3177
3178 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3179
3180         Don't clear PropertyNameArray in Proxy code
3181         https://bugs.webkit.org/show_bug.cgi?id=197691
3182
3183         Reviewed by Saam Barati.
3184
3185         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
3186         (shouldBe):
3187         (opt):
3188
3189 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
3190
3191         [ESNext] Implement support for Numeric Separators
3192         https://bugs.webkit.org/show_bug.cgi?id=196351
3193
3194         Reviewed by Keith Miller.
3195
3196         * stress/numeric-literal-separators.js: Added.
3197         Add tests for feature.
3198
3199         * test262/expectations.yaml:
3200         Mark 60 test cases as passing.
3201
3202 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
3203
3204         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
3205         https://bugs.webkit.org/show_bug.cgi?id=198101
3206
3207         Reviewed by Michael Saboff.
3208
3209         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
3210         (shouldBe):
3211
3212 2019-05-20  Keith Miller  <keith_miller@apple.com>
3213
3214         Cleanup Yarr regexp code around paren contexts.
3215         https://bugs.webkit.org/show_bug.cgi?id=198063
3216
3217         Reviewed by Yusuke Suzuki.
3218
3219         * stress/regexp-many-named-sequential-capture-groups.js: Added.
3220         (i.s):
3221         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
3222
3223 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
3224
3225         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
3226         https://bugs.webkit.org/show_bug.cgi?id=197969
3227
3228         Reviewed by Keith Miller.
3229
3230         Support the anyref type in Builder.js, plus add some extra error logging.
3231         Add new folder for wasm references tests.
3232
3233         * wasm.yaml:
3234         * wasm/Builder.js:
3235         (const._isValidValue):
3236         * wasm/references/anyref_modules.js: Added.
3237         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
3238         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
3239         (Call.3.RefIsNull.End.End.WebAssembly):
3240         (undefined):
3241         * wasm/references/is_null.js: Added.
3242         * wasm/references/is_null_error.js: Added.
3243         * wasm/spec-harness/index.js:
3244         * wasm/wasm.json:
3245
3246 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
3247
3248         [JSC] Invalid AssignmentTargetType should be an early error.
3249         https://bugs.webkit.org/show_bug.cgi?id=197603
3250
3251         Reviewed by Keith Miller.
3252
3253         * test262/expectations.yaml:
3254         Update expectations to reflect new SyntaxErrors.
3255         (Ideally, these should all be viewed as passing in the near future.)
3256
3257         * stress/async-await-basic.js:
3258         * stress/big-int-literals.js:
3259         Update tests to reflect new SyntaxErrors.
3260
3261         * ChakraCore.yaml:
3262         * ChakraCore/test/EH/try6.baseline-jsc:
3263         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
3264         Update baselines to reflect new SyntaxErrors.
3265
3266 2019-05-15  Saam Barati  <sbarati@apple.com>
3267
3268         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
3269         https://bugs.webkit.org/show_bug.cgi?id=197855
3270         <rdar://problem/50236506>
3271
3272         Reviewed by Michael Saboff.
3273
3274         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
3275         (f0):
3276         (bar):
3277         (foo):
3278         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
3279         (f1):
3280         (f2):
3281         (foo):
3282
3283 2019-05-14  Keith Miller  <keith_miller@apple.com>
3284
3285         Fix issue with byteOffset on ARM64E
3286         https://bugs.webkit.org/show_bug.cgi?id=197884
3287
3288         Reviewed by Saam Barati.
3289
3290         We didn't have any tests that run with non-byte/non-zero offset
3291         typed arrays.
3292
3293         * stress/ftl-gettypedarrayoffset-wasteful.js:
3294
3295 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
3296
3297         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
3298         https://bugs.webkit.org/show_bug.cgi?id=197833
3299
3300         Reviewed by Darin Adler.
3301
3302         * stress/generator-name.js: Added.
3303         (shouldBe):
3304         (gen):
3305         (catch):
3306
3307 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
3308
3309         JSObject::getOwnPropertyDescriptor is missing an exception check
3310         https://bugs.webkit.org/show_bug.cgi?id=197693
3311         <rdar://problem/50441784>
3312
3313         Reviewed by Saam Barati.
3314
3315         * stress/proxy-spread.js: Added.
3316         (foo):
3317
3318 2019-05-10  Saam barati  <sbarati@apple.com>
3319
3320         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
3321         https://bugs.webkit.org/show_bug.cgi?id=197807
3322         <rdar://problem/50530400>
3323
3324         Reviewed by Yusuke Suzuki.
3325
3326         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
3327         (test.getInstance):
3328         (test):
3329
3330 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
3331
3332         [Test262] Unreviewed expectations update following r245188.
3333
3334         * test262/config.yaml:
3335         * test262/expectations.yaml:
3336
3337         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
3338         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
3339         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
3340         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
3341         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
3342         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
3343         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
3344         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
3345         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
3346         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
3347         These files have invalid YAML comments. Will also submit corrections back to Test262.
3348
3349 2019-05-10  Keith Miller  <keith_miller@apple.com>
3350
3351         Update test262 tests.
3352
3353         Rubber-stamped by Yusuke Suzuki.
3354
3355         * test262/*: mega-patch too many things to list individually.
3356
3357 2019-05-09  Keith Miller  <keith_miller@apple.com>
3358
3359         Unreview, fix test to have a try-catch.
3360
3361         * stress/many-nested-functions-parser-stack-overflow.js:
3362         (catch):
3363
3364 2019-05-09  Keith Miller  <keith_miller@apple.com>
3365
3366         parseStatementListItem needs a stack overflow check
3367         https://bugs.webkit.org/show_bug.cgi?id=197749
3368
3369         Reviewed by Saam Barati.
3370
3371         * stress/many-nested-functions-parser-stack-overflow.js: Added.
3372
3373 2019-05-08  Saam barati  <sbarati@apple.com>
3374
3375         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
3376         https://bugs.webkit.org/show_bug.cgi?id=197715
3377         <rdar://problem/50399252>
3378
3379         Reviewed by Filip Pizlo.
3380
3381         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
3382         (foo):
3383         (bar):
3384
3385 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
3386
3387         Unreviewed, rolling out r245068.
3388
3389         Caused debug layout tests to exit early due to an assertion
3390         failure.
3391
3392         Reverted changeset:
3393
3394         "All prototypes should call didBecomePrototype()"
3395         https://bugs.webkit.org/show_bug.cgi?id=196315
3396         https://trac.webkit.org/changeset/245068
3397
3398 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
3399
3400         Invalid DFG JIT genereation in high CPU usage state
3401         https://bugs.webkit.org/show_bug.cgi?id=197453
3402
3403         Reviewed by Saam Barati.
3404
3405         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
3406         (trigger):
3407         (main):
3408
3409 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3410
3411         All prototypes should call didBecomePrototype()
3412         https://bugs.webkit.org/show_bug.cgi?id=196315
3413
3414         Reviewed by Saam Barati.
3415
3416         This changelog already landed, but the commit was missing the actual changes.
3417
3418         * stress/function-prototype-indexed-accessor.js: Added.
3419
3420 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3421
3422         [BigInt] Add ValueMod into DFG
3423         https://bugs.webkit.org/show_bug.cgi?id=186174
3424
3425         Reviewed by Saam Barati.
3426
3427         * microbenchmarks/mod-untyped.js: Added.
3428         * stress/big-int-mod-osr.js: Added.
3429         * stress/value-div-ai-rule.js: Added.
3430         * stress/value-mod-ai-rule.js: Added.
3431
3432 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3433
3434         [JSC] DFG_ASSERT failed in lowInt52
3435         https://bugs.webkit.org/show_bug.cgi?id=197569
3436
3437         Reviewed by Saam Barati.
3438
3439         * stress/getstack-int52.js: Added.
3440         (opt):
3441         (main):
3442
3443 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3444
3445         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3446         https://bugs.webkit.org/show_bug.cgi?id=197479
3447
3448         Reviewed by Saam Barati.
3449
3450         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3451         (shouldBe):
3452
3453 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3454
3455         TemplateObject passed to template literal tags are not always identical for the same source location.
3456         https://bugs.webkit.org/show_bug.cgi?id=190756
3457
3458         Reviewed by Saam Barati.
3459
3460         * complex.yaml:
3461         * complex/tagged-template-regeneration-after.js: Added.
3462         (shouldBe):
3463         * complex/tagged-template-regeneration.js: Added.
3464         (call):
3465         (test):
3466         * modules/tagged-template-inside-module.js: Added.
3467         (from.string_appeared_here.call):
3468         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3469         (call):
3470         (export.otherTaggedTemplates):
3471         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3472         (shouldBe):
3473         (call):
3474         (poly):
3475         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3476         (shouldBe):
3477         (call):
3478         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3479         (shouldBe):
3480         (call):
3481         (test):
3482         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3483         (shouldBe):
3484         (call):
3485         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3486         (shouldBe):
3487         (call):
3488         * stress/tagged-templates-in-multiple-functions.js: Added.
3489         (shouldBe):
3490         (call):
3491         (a):
3492         (b):
3493         (c):
3494         * stress/tagged-templates-with-same-start-offset.js: Added.
3495         (shouldBe):
3496
3497 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3498
3499         All prototypes should call didBecomePrototype()
3500         https://bugs.webkit.org/show_bug.cgi?id=196315
3501
3502         Reviewed by Saam Barati.
3503
3504         * stress/function-prototype-indexed-accessor.js: Added.
3505
3506 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3507
3508         Unreviewed, rolling out r244978.
3509         https://bugs.webkit.org/show_bug.cgi?id=197671
3510
3511         TemplateObject map should use start/end offsets (Requested by
3512         yusukesuzuki on #webkit).
3513
3514         Reverted changeset:
3515
3516         "TemplateObject passed to template literal tags are not always
3517         identical for the same source location."
3518         https://bugs.webkit.org/show_bug.cgi?id=190756
3519         https://trac.webkit.org/changeset/244978
3520
3521 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3522
3523         tryCachePutByID should not crash if target offset changes
3524         https://bugs.webkit.org/show_bug.cgi?id=197311
3525         <rdar://problem/48033612>
3526
3527         Reviewed by Filip Pizlo.
3528
3529         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
3530         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
3531
3532         * stress/cache-put-by-id-delete-prototype.js: Added.
3533         (A.prototype.set y):
3534         (A):
3535         (B.prototype.set y):
3536         (B):
3537         (C):
3538         * stress/cache-put-by-id-different-__proto__.js: Added.
3539         (A.prototype.set y):
3540         (A):
3541         (B1):
3542         (B2.prototype.set y):
3543         (B2):
3544         (C):
3545         (D):
3546         * stress/cache-put-by-id-different-attributes.js: Added.
3547         (Foo):
3548         (set x):
3549         * stress/cache-put-by-id-different-offset.js: Added.
3550         (Foo):
3551         (set x):
3552         * stress/cache-put-by-id-insert-prototype.js: Added.
3553         (A.prototype.set y):
3554         (A):
3555         (C):
3556         * stress/cache-put-by-id-poly-proto.js: Added.
3557         (Foo):
3558         (set _):
3559         (createBar.Bar):
3560         (createBar):
3561
3562 2019-05-07  Saam Barati  <sbarati@apple.com>
3563
3564         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3565         https://bugs.webkit.org/show_bug.cgi?id=197531
3566         <rdar://problem/50162379>
3567
3568         Reviewed by Yusuke Suzuki.
3569
3570         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3571
3572 2019-05-06  Dean Jackson  <dino@apple.com>
3573
3574         Update test262 expectations for Proxy passes
3575         https://bugs.webkit.org/show_bug.cgi?id=197628
3576
3577         Reviewed by Yusuke Suzuki.
3578
3579         There are two consistent passes in Proxy.ownKeys.
3580
3581         * test262/expectations.yaml:
3582
3583 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3584
3585         [JSC] We should check OOM for description string of Symbol
3586         https://bugs.webkit.org/show_bug.cgi?id=197634
3587
3588         Reviewed by Keith Miller.
3589
3590         * stress/check-symbol-description-oom.js: Added.
3591         (shouldThrow):
3592
3593 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3594
3595         Unreviewed, land one more test
3596         https://bugs.webkit.org/show_bug.cgi?id=197587
3597
3598         * stress/setter-frame-flush.js: Added.
3599         (setter):
3600         (foo):
3601         (bar):
3602
3603 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3604
3605         TemplateObject passed to template literal tags are not always identical for the same source location.
3606         https://bugs.webkit.org/show_bug.cgi?id=190756
3607
3608         Reviewed by Saam Barati.
3609
3610         * complex.yaml:
3611         * complex/tagged-template-regeneration-after.js: Added.
3612         (shouldBe):
3613         * complex/tagged-template-regeneration.js: Added.
3614         (call):
3615         (test):
3616         * modules/tagged-template-inside-module.js: Added.
3617         (from.string_appeared_here.call):
3618         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3619         (call):
3620         (export.otherTaggedTemplates):
3621         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3622         (shouldBe):
3623         (call):
3624         (poly):
3625         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3626         (shouldBe):
3627         (call):
3628         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3629         (shouldBe):
3630         (call):
3631         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3632         (shouldBe):
3633         (call):
3634         * stress/tagged-templates-in-multiple-functions.js: Added.
3635         (shouldBe):
3636         (call):
3637         (a):
3638         (b):
3639         (c):
3640
3641 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3642
3643         [PlayStation] JSC Stress tests failing due to timezone printing
3644         https://bugs.webkit.org/show_bug.cgi?id=197615
3645
3646         PlayStation's strftime does not give timezone strings, which
3647         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3648         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3649         which causes diff failures with the expectations. Add expectations
3650         without the timezone string and use those on playstation.
3651
3652         Reviewed by Ross Kirsling.
3653
3654         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3655         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3656         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3657         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3658
3659 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3660
3661         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3662         https://bugs.webkit.org/show_bug.cgi?id=197587
3663
3664         Reviewed by Sam Weinig.
3665
3666         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3667
3668         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3669
3670 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3671
3672         TypedArrays should not store properties that are canonical numeric indices
3673         https://bugs.webkit.org/show_bug.cgi?id=197228
3674         <rdar://problem/49557381>
3675
3676         Reviewed by Saam Barati.
3677
3678         * stress/array-species-config-array-constructor.js:
3679         (test):
3680         * stress/put-direct-index-broken-2.js:
3681         * stress/typed-array-canonical-numeric-index-string.js: Added.
3682         (makeTest.assert):
3683         (makeTest):
3684         (const.testInvalidIndices.makeTest.set assert):
3685         (const.testInvalidIndices.makeTest):
3686         (const.makeTestValidIndex.configurable.set assert):
3687         (const.makeTestValidIndex.configurable):
3688         * stress/typedarray-access-monomorphic-neutered.js:
3689         (checkNoException):
3690         (testNoException):
3691         (testFTLNoException):
3692         * stress/typedarray-access-neutered.js:
3693         (testNoException):
3694         * stress/typedarray-getownproperty-not-configurable.js:
3695         (foo):
3696         * test262/expectations.yaml:
3697
3698 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3699
3700         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3701         https://bugs.webkit.org/show_bug.cgi?id=197584
3702
3703         Reviewed by Saam Barati.
3704
3705         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3706         (X):
3707         (foo):
3708
3709 2019-05-03  Michael Saboff  <msaboff@apple.com>
3710
3711         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3712         https://bugs.webkit.org/show_bug.cgi?id=197586
3713
3714         Reviewed by Keith Miller.
3715
3716         We should only run one config of this test and only when we think we'll have the memory.
3717
3718         * stress/json-stringify-string-builder-overflow.js:
3719
3720 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3721
3722         [JSC] Generator CodeBlock generation should be idempotent
3723         https://bugs.webkit.org/show_bug.cgi?id=197552
3724
3725         Reviewed by Keith Miller.
3726
3727         Add complex.yaml, which controls how to run JSC shell more.
3728         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3729
3730         * complex.yaml: Added.
3731         * complex/generator-regeneration-after.js: Added.
3732         * complex/generator-regeneration.js: Added.
3733         (gen):
3734
3735 2019-05-02  Michael Saboff  <msaboff@apple.com>
3736
3737         Unreviewed rollout of r244862.
3738
3739         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3740
3741 2019-05-01  Saam barati  <sbarati@apple.com>
3742
3743         Baseline JIT should do argument value profiling after checking for stack overflow
3744         https://bugs.webkit.org/show_bug.cgi?id=197052
3745         <rdar://problem/50009602>
3746
3747         Reviewed by Yusuke Suzuki.
3748
3749         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3750
3751 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3752
3753         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3754         https://bugs.webkit.org/show_bug.cgi?id=197405
3755
3756         Reviewed by Saam Barati.
3757
3758         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3759         (foo):
3760         (test):
3761         (i.o.get f):
3762         (i.o.set f):
3763
3764 2019-05-01  Michael Saboff  <msaboff@apple.com>
3765
3766         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3767         https://bugs.webkit.org/show_bug.cgi?id=197485
3768
3769         Reviewed by Saam Barati.
3770
3771         New test.
3772
3773         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3774         (foo):
3775
3776 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3777
3778         Unreviewed correction to Test262 expectations following r244828.
3779
3780         * test262/expectations.yaml:
3781
3782 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3783
3784         Add memory-limited skipping to some tests generating very large strings
3785         https://bugs.webkit.org/show_bug.cgi?id=197437
3786
3787         Reviewed by Ross Kirsling.
3788
3789         * stress/StringObject-define-length-getter-rope-string-oom.js:
3790         * stress/create-error-out-of-memory-rope-string.js:
3791         * stress/string-16bit-repeat-overflow.js:
3792
3793 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3794
3795         Unreviewed, rolling out r244806.
3796         https://bugs.webkit.org/show_bug.cgi?id=197446
3797
3798         Causing Test262 and JSC test failures on multiple builds
3799         (Requested by ShawnRoberts on #webkit).
3800
3801         Reverted changeset:
3802
3803         "TypeArrays should not store properties that are canonical
3804         numeric indices"
3805         https://bugs.webkit.org/show_bug.cgi?id=197228
3806         https://trac.webkit.org/changeset/244806
3807
3808 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3809
3810         TypeArrays should not store properties that are canonical numeric indices
3811         https://bugs.webkit.org/show_bug.cgi?id=197228
3812         <rdar://problem/49557381>
3813
3814         Reviewed by Darin Adler.
3815
3816         * stress/typed-array-canonical-numeric-index-string.js: Added.
3817         (makeTest.assert):
3818         (makeTest):
3819         (const.testInvalidIndices.makeTest.set assert):
3820         (const.testInvalidIndices.makeTest):
3821         (const.testValidIndices.makeTest.set assert):
3822         (const.testValidIndices.makeTest):
3823
3824 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3825
3826         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3827         https://bugs.webkit.org/show_bug.cgi?id=197362
3828
3829         Reviewed by Saam Barati.
3830
3831         * stress/map-with-nan.js: Added.
3832         (shouldBe):
3833         (div):
3834         (NaN1):
3835         (NaN2):
3836         (NaN3):
3837         (NaN4):
3838         (NaN1NoInline):
3839         (NaN2NoInline):
3840         (NaN3NoInline):
3841         (NaN4NoInline):
3842         (test1):
3843         (test2):
3844         (test3):
3845         (test4):
3846         * stress/set-with-nan.js: Added.
3847         (shouldBe):
3848         (div):
3849         (NaN1):
3850         (NaN2):
3851         (NaN3):
3852         (NaN4):
3853         (NaN1NoInline):
3854         (NaN2NoInline):
3855         (NaN3NoInline):
3856         (NaN4NoInline):
3857         (test2):
3858         (test4):
3859
3860 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3861
3862         Unreviewed, rolling out r244708.
3863         https://bugs.webkit.org/show_bug.cgi?id=197334
3864
3865         "Broke the debug build" (Requested by rmorisset on #webkit).
3866
3867         Reverted changeset:
3868
3869         "All prototypes should call didBecomePrototype()"
3870         https://bugs.webkit.org/show_bug.cgi?id=196315
3871         https://trac.webkit.org/changeset/244708
3872
3873 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3874
3875         [JSC] linkPolymorphicCall now does GC
3876         https://bugs.webkit.org/show_bug.cgi?id=197306
3877
3878         Reviewed by Saam Barati.
3879
3880         * stress/link-polymorphic-call-can-gc.js: Added.
3881         (module):
3882         (instance):
3883
3884 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3885
3886         All prototypes should call didBecomePrototype()
3887         https://bugs.webkit.org/show_bug.cgi?id=196315
3888
3889         Reviewed by Saam Barati.
3890
3891         * stress/function-prototype-indexed-accessor.js: Added.
3892
3893 2019-04-23  Saam Barati  <sbarati@apple.com>
3894
3895         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3896         https://bugs.webkit.org/show_bug.cgi?id=196721
3897         <rdar://problem/49556479> 
3898
3899         Reviewed by Filip Pizlo.
3900
3901         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3902         (foo):
3903
3904 2019-04-19  Saam Barati  <sbarati@apple.com>
3905
3906         AbstractValue can represent more than int52
3907         https://bugs.webkit.org/show_bug.cgi?id=197118
3908         <rdar://problem/49969960>
3909
3910         Reviewed by Michael Saboff.
3911
3912         * stress/abstract-value-can-include-int52.js: Added.
3913         (foo):
3914         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3915
3916 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3917
3918         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3919         https://bugs.webkit.org/show_bug.cgi?id=197053
3920
3921         Reviewed by Saam Barati.
3922
3923         * stress/merge-string-builder-in-dfg.js: Added.
3924         (foo):
3925
3926 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3927
3928         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3929         https://bugs.webkit.org/show_bug.cgi?id=176810
3930
3931         Reviewed by Saam Barati.
3932
3933         Add tests for the DontEnum filtering, and variations of other tests
3934         take the DontEnum-filtering path.
3935
3936         * stress/proxy-own-keys.js:
3937         (i.catch):
3938         (set assert):
3939         (set add):
3940         (let.set new):
3941         (get let):
3942
3943 2019-04-15  Saam barati  <sbarati@apple.com>
3944
3945         Modify how we do SetArgument when we inline varargs calls
3946         https://bugs.webkit.org/show_bug.cgi?id=196712
3947         <rdar://problem/49605012>
3948
3949         Reviewed by Michael Saboff.
3950
3951         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3952         (foo):
3953
3954 2019-04-15  Saam barati  <sbarati@apple.com>
3955
3956         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3957         https://bugs.webkit.org/show_bug.cgi?id=196945
3958         <rdar://problem/49802750>
3959
3960         Reviewed by Filip Pizlo.
3961
3962         * stress/get-by-offset-should-use-correct-child.js: Added.
3963         (foo.bar):
3964         (foo):
3965
3966 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3967
3968         DFG should be able to constant fold Object.create() with a constant prototype operand
3969         https://bugs.webkit.org/show_bug.cgi?id=196886
3970
3971         Reviewed by Yusuke Suzuki.
3972
3973         Note that this new benchmark does not currently see a speedup with inlining removed.
3974         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3975
3976         * microbenchmarks/object-create-constant-prototype.js: Added.
3977         (test):
3978
3979 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3980
3981         Incremental bytecode cache should not append function updates when loaded from memory
3982         https://bugs.webkit.org/show_bug.cgi?id=196865
3983
3984         Reviewed by Filip Pizlo.
3985
3986         * stress/bytecode-cache-shared-code-block.js: Added.
3987         (b):
3988         (program):
3989
3990 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3991
3992         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3993         https://bugs.webkit.org/show_bug.cgi?id=196880
3994
3995         Reviewed by Yusuke Suzuki.
3996
3997         * stress/bytecode-cache-syntax-error.js: Added.
3998         (catch):
3999
4000 2019-04-12  Saam barati  <sbarati@apple.com>
4001
4002         r244079 logically broke shouldSpeculateInt52
4003         https://bugs.webkit.org/show_bug.cgi?id=196884
4004
4005         Reviewed by Yusuke Suzuki.
4006
4007         * microbenchmarks/int52-rand-function.js: Added.
4008         (Math.random):
4009
4010 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
4011
4012         [JSC] op_has_indexed_property should not assume subscript part is Uint32
4013         https://bugs.webkit.org/show_bug.cgi?id=196850
4014
4015         Reviewed by Saam Barati.
4016
4017         * stress/has-indexed-property-should-accept-non-int32.js: Added.
4018         (foo):
4019
4020 2019-04-11  Saam barati  <sbarati@apple.com>
4021
4022         Remove invalid assertion in operationInstanceOfCustom
4023         https://bugs.webkit.org/show_bug.cgi?id=196842
4024         <rdar://problem/49725493>
4025
4026         Reviewed by Michael Saboff.
4027
4028         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
4029
4030 2019-04-10  Saam Barati  <sbarati@apple.com>
4031
4032         AbstractValue::validateOSREntryValue is wrong for Int52 constants
4033         https://bugs.webkit.org/show_bug.cgi?id=196801
4034         <rdar://problem/49771122>
4035
4036         Reviewed by Yusuke Suzuki.
4037
4038         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
4039
4040 2019-04-10  Robin Morisset  <rmorisset@apple.com>
4041
4042         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
4043         https://bugs.webkit.org/show_bug.cgi?id=196746
4044
4045         Reviewed by Yusuke Suzuki.
4046
4047         * stress/cyclic-define-properties.js: Added.
4048         (foo):
4049
4050 2019-04-09  Saam barati  <sbarati@apple.com>
4051
4052         Clean up Int52 code and some bugs in it
4053         https://bugs.webkit.org/show_bug.cgi?id=196639
4054         <rdar://problem/49515757>
4055
4056         Reviewed by Yusuke Suzuki.
4057
4058         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
4059
4060 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
4061
4062         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
4063         https://bugs.webkit.org/show_bug.cgi?id=196708
4064         <rdar://problem/49556803>
4065
4066         Reviewed by Yusuke Suzuki.
4067
4068         * stress/proxy-getter-stack-overflow.js: Added.
4069         (const.handler.get target):
4070         (const.handler.has):
4071         (try.with):
4072         (catch):
4073
4074 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4075
4076         [JSC] DFG should respect node's strict flag
4077         https://bugs.webkit.org/show_bug.cgi?id=196617
4078
4079         Reviewed by Saam Barati.
4080
4081         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
4082         (shouldEqual):
4083         (makeUnwriteableUnconfigurableObject):
4084         (runTest):
4085         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
4086         (shouldBe):
4087         (shouldThrow):
4088         (with.result):
4089         (with.putValueStrict):
4090         (with.putValueSloppy):
4091
4092 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4093
4094         [JSC] isRope jump in StringSlice should not jump over register allocations
4095         https://bugs.webkit.org/show_bug.cgi?id=196716
4096
4097         Reviewed by Saam Barati.
4098
4099         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
4100         (foo.bar):
4101         (foo):
4102
4103 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4104
4105         [JSC] to_index_string should not assume incoming value is Uint32
4106         https://bugs.webkit.org/show_bug.cgi?id=196713
4107
4108         Reviewed by Saam Barati.
4109
4110         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
4111         (foo):
4112
4113 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4114
4115         [JSC] Add more tests for r243966
4116         https://bugs.webkit.org/show_bug.cgi?id=196711
4117
4118         Reviewed by Saam Barati.
4119
4120         Adding one more test for r243966 fix. The added test will not crash after r243966.
4121
4122         * stress/stress-cleared-calllinkinfo.js: Added.
4123         (runNearStackLimit.t):
4124         (runNearStackLimit):
4125         (repeat):
4126         (cls):
4127         (let.item.of.array.runNearStackLimit):
4128
4129 2019-04-08  Saam Barati  <sbarati@apple.com>
4130
4131         WebAssembly.RuntimeError missing exception check
4132         https://bugs.webkit.org/show_bug.cgi?id=196700
4133         <rdar://problem/49693932>
4134
4135         Reviewed by Yusuke Suzuki.
4136
4137         * wasm/js-api/runtime-error-should-exception-check.js: Added.
4138
4139 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
4140
4141         Unreviewed, rolling in r243948 with test fix
4142         https://bugs.webkit.org/show_bug.cgi?id=196486
4143
4144         * stress/arrow-function-and-use-strict-directive.js: Added.
4145         * stress/arrow-function-syntax.js: Added.
4146         (checkSyntax):
4147         (checkSyntaxError):
4148
4149 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4150
4151         Unreviewed, rolling out r243948.
4152
4153         Caused inspector/runtime/parse.html to fail
4154
4155         Reverted changeset:
4156
4157         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
4158         https://bugs.webkit.org/show_bug.cgi?id=196486
4159         https://trac.webkit.org/changeset/243948
4160
4161 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
4162
4163         Unreviewed, rolling out r243943.
4164
4165         Caused test262 failures.
4166
4167         Reverted changeset:
4168
4169         "[JSC] Filter DontEnum properties in
4170         ProxyObject::getOwnPropertyNames()"
4171         https://bugs.webkit.org/show_bug.cgi?id=176810
4172         https://trac.webkit.org/changeset/243943
4173
4174 2019-04-07  Michael Saboff  <msaboff@apple.com>
4175
4176         REGRESSION (r243642): Crash in reddit.com page
4177         https://bugs.webkit.org/show_bug.cgi?id=196684
4178
4179         Reviewed by Geoffrey Garen.
4180
4181         New regression test.
4182
4183         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
4184
4185 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
4186
4187         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
4188         https://bugs.webkit.org/show_bug.cgi?id=196683
4189
4190         Reviewed by Saam Barati.
4191
4192         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
4193         (foo):
4194
4195 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4196
4197         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
4198         https://bugs.webkit.org/show_bug.cgi?id=196582
4199
4200         Reviewed by Saam Barati.
4201
4202         * stress/add-overflow-check-with-three-same-registers.js: Added.
4203         (foo):
4204         (Number.prototype.valueOf):
4205         (runWithNumber):
4206
4207 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
4208
4209         Unreviewed, rolling out r243665.
4210
4211         Caused iOS JSC tests to exit with an exception.
4212
4213         Reverted changeset:
4214
4215         "Assertion failed in JSC::createError"
4216         https://bugs.webkit.org/show_bug.cgi?id=196305
4217         https://trac.webkit.org/changeset/243665
4218
4219 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
4220
4221         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
4222         https://bugs.webkit.org/show_bug.cgi?id=196486
4223
4224         Reviewed by Saam Barati.
4225
4226         * stress/arrow-function-and-use-strict-directive.js: Added.
4227         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
4228         (checkSyntax):
4229         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
4230
4231 2019-04-05  Caitlin Potter  <caitp@igalia.com>
4232
4233         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
4234         https://bugs.webkit.org/show_bug.cgi?id=176810
4235
4236         Reviewed by Saam Barati.
4237
4238         Add tests for the DontEnum filtering, and variations of other tests
4239         take the DontEnum-filtering path.
4240
4241         * stress/proxy-own-keys.js:
4242         (i.catch):
4243         (set assert):
4244         (set add):
4245         (let.set new):
4246         (get let):
4247
4248 2019-04-05  Caitlin Potter  <caitp@igalia.com>
4249
4250         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
4251         https://bugs.webkit.org/show_bug.cgi?id=185211
4252
4253         Reviewed by Saam Barati.
4254
4255         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
4256
4257         This changes several assertions to expect a TypeError to be thrown (in some cases,
4258         changing thee expected message).
4259
4260         * es6/Proxy_ownKeys_duplicates.js:
4261         (handler):
4262         (shouldThrow):
4263         (test):
4264         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
4265         (shouldThrow):
4266         * stress/proxy-own-keys.js:
4267         (i.catch):
4268         (assert):
4269
4270 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
4271
4272         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
4273         https://bugs.webkit.org/show_bug.cgi?id=196631
4274
4275         Reviewed by Saam Barati.
4276
4277         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
4278         (assert):
4279         (test):
4280         (foo):
4281
4282 2019-04-04  Saam Barati  <sbarati@apple.com>
4283
4284         Unreviewed. Make the test from r243906 catch the thrown exceptions.
4285
4286         * stress/inferred-types-regex-matches-array.js:
4287
4288 2019-04-04  Saam Barati  <sbarati@apple.com>
4289
4290         createRegExpMatchesArray does not respect inferred types
4291         https://bugs.webkit.org/show_bug.cgi?id=193287
4292
4293         Reviewed by Yusuke Suzuki.
4294
4295         This checks in the test case for 193287. This issue was discovered by
4296         Samuel Groß of Google Project Zero.
4297
4298         * stress/inferred-types-regex-matches-array.js: Added.
4299
4300 2019-04-04  Saam barati  <sbarati@apple.com>
4301
4302         Teach Call ICs how to call Wasm
4303         https://bugs.webkit.org/show_bug.cgi?id=196387
4304
4305         Reviewed by Filip Pizlo.
4306
4307         * wasm/function-tests/stack-trace.js:
4308
4309 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
4310
4311         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
4312         https://bugs.webkit.org/show_bug.cgi?id=194944
4313
4314         Reviewed by Keith Miller.
4315
4316         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
4317
4318 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
4319
4320         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
4321         https://bugs.webkit.org/show_bug.cgi?id=196409
4322
4323         Reviewed by Saam Barati.
4324
4325         * stress/bytecode-cache-cached-string-impl.js: Added.
4326         (f):
4327         (g):
4328         * stress/bytecode-cache-run-string.js: Added.
4329
4330 2019-04-03  Robin Morisset  <rmorisset@apple.com>
4331
4332         B3 should use associativity to optimize expression trees
4333         https://bugs.webkit.org/show_bug.cgi?id=194081
4334
4335         Reviewed by Filip Pizlo.
4336
4337         Added three microbenchmarks:
4338         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
4339         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
4340           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
4341         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
4342
4343         * microbenchmarks/add-tree.js: Added.
4344         * microbenchmarks/bit-or-tree.js: Added.
4345         * microbenchmarks/bit-xor-tree.js: Added.
4346
4347 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
4348
4349         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
4350         https://bugs.webkit.org/show_bug.cgi?id=196574
4351
4352         Reviewed by Saam Barati.
4353
4354         * stress/string-index-of-exception-check.js: Added.
4355         (blurType):
4356         (1.forEach):
4357
4358 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
4359
4360         Assertion failed in JSC::createError
4361         https://bugs.webkit.org/show_bug.cgi?id=196305
4362         <rdar://problem/49387382>
4363
4364         Reviewed by Saam Barati.
4365
4366         * stress/create-error-out-of-memory-rope-string-2.js: Added.
4367         (assert):
4368         (catch):
4369
4370 2019-03-28  Saam Barati  <sbarati@apple.com>
4371
4372         BackwardsGraph needs to consider back edges as the backward's root successor
4373         https://bugs.webkit.org/show_bug.cgi?id=195991
4374
4375         Reviewed by Filip Pizlo.
4376
4377         * stress/map-b3-licm-infinite-loop.js: Added.
4378
4379 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
4380
4381         CodeBlock::jettison() should disallow repatching its own calls
4382         https://bugs.webkit.org/show_bug.cgi?id=196359
4383         <rdar://problem/48973663>
4384
4385         Reviewed by Saam Barati.
4386
4387         * stress/call-link-info-osrexit-repatch.js: Added.
4388         (foo):
4389
4390 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
4391
4392         [JSC] imports-oom.js intermittently fails
4393         https://bugs.webkit.org/show_bug.cgi?id=196373
4394
4395         Reviewed by Saam Barati.
4396
4397         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
4398         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
4399         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
4400         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
4401         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
4402
4403         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
4404         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
4405
4406         * wasm/lowExecutableMemory/imports-oom.js:
4407