[JSC] CheckArray+NonArray is not filtering out Array in AI
[WebKit-https.git] / JSTests / ChangeLog
1 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] CheckArray+NonArray is not filtering out Array in AI
4         https://bugs.webkit.org/show_bug.cgi?id=201857
5         <rdar://problem/54194820>
6
7         Reviewed by Keith Miller.
8
9         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
10         (foo):
11
12 2019-09-17  Saam Barati  <sbarati@apple.com>
13
14         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
15         https://bugs.webkit.org/show_bug.cgi?id=201853
16         <rdar://problem/53805461>
17
18         Reviewed by Yusuke Suzuki.
19
20         * stress/direct-arguments-check-array-filter-type.js: Added.
21         (foo):
22
23 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
24
25         Wasm StreamingParser should validate that number of functions matches number of declarations
26         https://bugs.webkit.org/show_bug.cgi?id=201850
27         <rdar://problem/55290186>
28
29         Reviewed by Yusuke Suzuki.
30
31         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
32         (catch):
33
34 2019-09-16  Michael Saboff  <msaboff@apple.com>
35
36         [JSC] Perform check again when we found non-BMP characters
37         https://bugs.webkit.org/show_bug.cgi?id=201647
38
39         Reviewed by Yusuke Suzuki.
40
41         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
42         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
43         (testRegExpInbounds):
44
45 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
46
47         [JSC] Add missing syntax errors for await in function parameter default expressions
48         https://bugs.webkit.org/show_bug.cgi?id=201615
49
50         Reviewed by Darin Adler.
51
52         * stress/async-await-reserved-word.js:
53         * stress/async-await-syntax.js:
54         Add test cases.
55
56         * test262/expectations.yaml:
57         Mark newly-passing test cases.
58
59 2019-09-16  Saam Barati  <sbarati@apple.com>
60
61         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
62         https://bugs.webkit.org/show_bug.cgi?id=200386
63         <rdar://problem/53854946>
64
65         Reviewed by Yusuke Suzuki.
66
67         * stress/proxy-__proto__-in-prototype-chain.js: Added.
68         * stress/proxy-property-replace-structure-transition.js: Added.
69
70 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
71
72         Date.prototype.toJSON does not execute steps 1-2
73         https://bugs.webkit.org/show_bug.cgi?id=105282
74
75         Reviewed by Ross Kirsling.
76
77         * test262/expectations.yaml: Mark 2 test cases as passing.
78
79 2019-09-12  Mark Lam  <mark.lam@apple.com>
80
81         Harden JSC against the abuse of runtime options.
82         https://bugs.webkit.org/show_bug.cgi?id=201597
83         <rdar://problem/55167068>
84
85         Reviewed by Filip Pizlo.
86
87         Remove the call to forceGCSlowPaths().  This utility function will be removed.
88         The modern way to set the required option is to use //@ requireOptions.
89
90         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
91
92 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
93
94         [JSC] Add StringCodePointAt intrinsic
95         https://bugs.webkit.org/show_bug.cgi?id=201673
96
97         Reviewed by Michael Saboff.
98
99         * stress/string-char-at-constant-index-out-of-range.js: Added.
100         (shouldBe):
101         (test):
102         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
103         (shouldBe):
104         (test):
105         * stress/string-code-point-at--out-of-range.js: Added.
106         (shouldBe):
107         (test):
108         * stress/string-code-point-at-basic.js: Added.
109         (test):
110         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
111         (shouldBe):
112         (test):
113         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
114         (shouldBe):
115         (test):
116         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
117         (shouldBe):
118         (test):
119         (breaking):
120         * stress/string-code-point-at-surrogate-pair.js: Added.
121         (shouldBe):
122         * stress/string-code-point-at.js: Added.
123         (shouldBe):
124
125 2019-09-10  Michael Saboff  <msaboff@apple.com>
126
127         JSC crashes due to stack overflow while building RegExp
128         https://bugs.webkit.org/show_bug.cgi?id=201649
129
130         Reviewed by Yusuke Suzuki.
131
132         New regression test.
133
134         * stress/regexp-bol-optimize-out-of-stack.js: Added.
135         (test):
136         (catch):
137
138 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
139
140         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
141         https://bugs.webkit.org/show_bug.cgi?id=189043
142
143         Reviewed by Keith Miller.
144
145         The offset performing the validation becomes a bit different.
146         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
147
148         * wasm/js-api/version.js:
149
150 2019-09-07  Keith Miller  <keith_miller@apple.com>
151
152         OSR entry into wasm misses some contexts
153         https://bugs.webkit.org/show_bug.cgi?id=201569
154
155         Reviewed by Yusuke Suzuki.
156
157         Add a new harness and wast and the generated wasm file for
158         testing. The idea long term is to make it easy to test by creating
159         a C file and converting it to a wast then modify that to produce a
160         test.
161
162         * wasm.yaml:
163         * wasm/wast-tests/harness.js: Added.
164         (async.runWasmFile):
165         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
166         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
167         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
168         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
169         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
170         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
171         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
172         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
173
174 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
175
176         [JSC] Promise resolve/reject functions should be created more efficiently
177         https://bugs.webkit.org/show_bug.cgi?id=201488
178
179         Reviewed by Mark Lam.
180
181         * microbenchmarks/promise-creation-many.js: Added.
182         (executor):
183
184 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
185
186         Unreviewed JSC test gardening.
187
188         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
189         This test allocates a 2GB string before it goes out and tests
190         out-of-memory exception when appending other strings to it. As such,
191         skip the test on memory-limited platforms.
192
193 2019-09-07  Mark Lam  <mark.lam@apple.com>
194
195         The jsc shell should allow disabling of the Gigacage for testing purposes.
196         https://bugs.webkit.org/show_bug.cgi?id=201579
197
198         Reviewed by Michael Saboff.
199
200         Unskip the tests now.
201
202         * stress/disable-gigacage-arrays.js:
203         * stress/disable-gigacage-strings.js:
204         * stress/disable-gigacage-typed-arrays.js:
205
206 2019-09-07  Mark Lam  <mark.lam@apple.com>
207
208         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
209
210         Not reviewed.
211
212         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
213
214         * stress/disable-gigacage-arrays.js:
215         * stress/disable-gigacage-strings.js:
216         * stress/disable-gigacage-typed-arrays.js:
217
218 2019-09-07  Mark Lam  <mark.lam@apple.com>
219
220         Gardening: speculative test fix to green bots [attempt #2].
221         https://bugs.webkit.org/show_bug.cgi?id=201529
222         <rdar://problem/53935772>
223
224         Not reviewed.
225
226         * stress/test-out-of-memory.js:
227
228 2019-09-06  Mark Lam  <mark.lam@apple.com>
229
230         Gardening: speculative test fix to green bots.
231         https://bugs.webkit.org/show_bug.cgi?id=201529
232         <rdar://problem/53935772>
233
234         Not reviewed.
235
236         * stress/test-out-of-memory.js:
237
238 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
239
240         Math.round() produces wrong result for value prior to 0.5
241         https://bugs.webkit.org/show_bug.cgi?id=185115
242
243         Reviewed by Saam Barati.
244
245         * stress/math-round-basics.js:
246         Add positive/negative test cases.
247
248         * test262/expectations.yaml:
249         Mark test passing.
250
251 2019-09-06  Mark Lam  <mark.lam@apple.com>
252
253         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
254         https://bugs.webkit.org/show_bug.cgi?id=201551
255
256         Reviewed by Tadeu Zagallo.
257
258         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
259
260         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
261         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
262
263 2019-09-06  Mark Lam  <mark.lam@apple.com>
264
265         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
266         https://bugs.webkit.org/show_bug.cgi?id=201529
267         <rdar://problem/53935772>
268
269         Reviewed by Yusuke Suzuki.
270
271         * stress/test-out-of-memory.js: Added.
272
273 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
274
275         LazyClassStructure::setConstructor should not store the constructor to the global object
276         https://bugs.webkit.org/show_bug.cgi?id=201484
277         <rdar://problem/50400451>
278
279         Reviewed by Yusuke Suzuki.
280
281         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
282
283 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
284
285         [JSC] Do not use FTLOutput::weakPointer directly
286         https://bugs.webkit.org/show_bug.cgi?id=201495
287
288         Reviewed by Filip Pizlo.
289
290         * stress/create-promise-weak-pointer.js: Added.
291         (foo):
292
293 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
294
295         [JSC] Make Promise implementation faster
296         https://bugs.webkit.org/show_bug.cgi?id=200898
297
298         Reviewed by Saam Barati.
299
300         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
301         (assert.assert.return.throws):
302         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
303         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
304         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
305         (shouldThrow):
306         (new.Promise):
307         (shouldThrow.Promise):
308         * stress/create-promise-should-respect-promise-realm.js: Added.
309         (shouldBe):
310         (other.new.OtherPromise):
311         (DerivedOtherPromise):
312         (i.promise.new.DerivedOtherPromise):
313         (createPromise):
314         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
315         (shouldBe):
316         (DerivedPromise):
317         (i.array.push.new.DerivedPromise):
318         (promise.new.DerivedPromise):
319         * stress/derived-promise-constructor-inlined.js: Added.
320         (shouldBe):
321         (DerivedPromise):
322         (i.array.push.new.DerivedPromise):
323         (DerivedPromise.all.array.then):
324         * stress/derived-promise-prototype-replaced.js: Added.
325         (shouldBe):
326         (DerivedPromise):
327         (i.array.push.new.DerivedPromise):
328         (promise.new.DerivedPromise):
329         * stress/internal-promise-constructor-not-confusing.js: Added.
330         (shouldBe):
331         (InternalPromise.vm.createBuiltin):
332         (DerivedPromise):
333         * stress/internal-promise-is-not-exposed.js: Added.
334         (shouldBe):
335         * stress/new-promise-should-respect-promise-realm.js: Added.
336         (shouldBe):
337         (other.new.OtherPromise):
338         (createPromise):
339         * stress/promise-cannot-be-called.js:
340         (shouldThrow):
341         * stress/promise-capability-fast-path.js: Added.
342         (shouldBe):
343         (i.array.push.new.Promise):
344         (i.array.i.then):
345         * stress/promise-capability-slow-path.js: Added.
346         (shouldBe):
347         (Promise.prototype.then):
348         (i.array.push.new.Promise):
349         (i.array.i.then):
350         * stress/promise-capability-then-slow-path.js: Added.
351         (shouldBe):
352         (DerivedPromise):
353         (DerivedPromise.prototype.then):
354         (i.array.push.new.DerivedPromise):
355         (i.array.i.then):
356         * stress/promise-constructor-inlined.js: Added.
357         (shouldBe):
358         (i.array.push.new.Promise):
359         (Promise.all.array.then):
360         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
361         (shouldBe):
362         (DerivedPromise):
363         (DerivedPromise2):
364         (i.array.push.new.DerivedPromise):
365         (i.array2.push.new.DerivedPromise2):
366         * stress/without-promise-functions.js: Added.
367         (shouldBe):
368         (async):
369
370 2019-09-03  Mark Lam  <mark.lam@apple.com>
371
372         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
373         https://bugs.webkit.org/show_bug.cgi?id=201309
374         <rdar://problem/54832121>
375
376         Reviewed by Yusuke Suzuki.
377
378         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
379
380 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
381
382         [JSC] Generate new.target register only when it is used
383         https://bugs.webkit.org/show_bug.cgi?id=201335
384
385         Reviewed by Mark Lam.
386
387         * stress/ensure-new-register-allocated.js: Added.
388         (shouldBe):
389         (basic):
390         (arrow):
391         (Base):
392         (Derived):
393         (evaluate):
394
395 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
396
397         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
398         https://bugs.webkit.org/show_bug.cgi?id=201331
399
400         Reviewed by Mark Lam.
401
402         * stress/simple-jump-table-copy.js: Added.
403         (let.code):
404         (g2):
405
406 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
407
408         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
409         https://bugs.webkit.org/show_bug.cgi?id=201332
410
411         Reviewed by Mark Lam.
412
413         This test is very flaky, it is hard to reproduce.
414
415         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
416         (code):
417
418 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
419
420         [JSC] Repatch should construct CallCases and CasesValue at the same time
421         https://bugs.webkit.org/show_bug.cgi?id=201325
422
423         Reviewed by Saam Barati.
424
425         * stress/repatch-switch.js: Added.
426         (main.f2.f0):
427         (main.f2.f3):
428         (main.f2.f1):
429         (main.f2):
430         (main):
431
432 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
433
434         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
435         https://bugs.webkit.org/show_bug.cgi?id=198650
436
437         Reviewed by Saam Barati.
438
439         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
440         (main.v0):
441         (main):
442
443 2019-08-28  Mark Lam  <mark.lam@apple.com>
444
445         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
446         https://bugs.webkit.org/show_bug.cgi?id=201281
447         <rdar://problem/54028228>
448
449         Reviewed by Yusuke Suzuki and Saam Barati.
450
451         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
452
453 2019-08-28  Mark Lam  <mark.lam@apple.com>
454
455         Placate exception check validation in DFG's operationHasGenericProperty().
456         https://bugs.webkit.org/show_bug.cgi?id=201245
457         <rdar://problem/54777512>
458
459         Reviewed by Robin Morisset.
460
461         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
462
463 2019-08-27  Mark Lam  <mark.lam@apple.com>
464
465         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
466         https://bugs.webkit.org/show_bug.cgi?id=201196
467         <rdar://problem/54703775>
468
469         Reviewed by Yusuke Suzuki.
470
471         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
472
473 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
474
475         [JSC] Ensure x?.y ?? z is fast
476         https://bugs.webkit.org/show_bug.cgi?id=200875
477
478         Reviewed by Yusuke Suzuki.
479
480         * stress/nullish-coalescing.js:
481
482 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
483
484         Remove MaximalFlushInsertionPhase
485         https://bugs.webkit.org/show_bug.cgi?id=201036
486
487         Reviewed by Saam Barati.
488
489         Remove all the references to maximal flush
490
491         * stress/arith-ceil-on-various-types.js:
492         (checkCompileCountForUselessNegativeZero):
493         * stress/arith-floor-on-various-types.js:
494         (checkCompileCountForUselessNegativeZero):
495         * stress/arith-negate-on-various-types.js:
496         (checkCompileCountForUselessNegativeZero):
497         * stress/arith-round-on-various-types.js:
498         (checkCompileCountForUselessNegativeZero):
499         * stress/arith-trunc-on-various-types.js:
500         (checkCompileCountForUselessNegativeZero):
501         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
502         * stress/has-indexed-property-should-accept-non-int32.js:
503         * stress/has-indexed-property-with-worsening-array-mode.js:
504         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
505         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
506         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
507         * stress/rest-parameter-many-arguments.js:
508         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
509         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
510         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
511
512 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
513
514         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
515         https://bugs.webkit.org/show_bug.cgi?id=200952
516
517         Reviewed by Saam Barati.
518
519         * wasm/references/func_ref.js:
520         (assert.throws):
521
522 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
523
524         Add missing exception check in canonicalizeLocaleList
525         https://bugs.webkit.org/show_bug.cgi?id=201021
526
527         Reviewed by Mark Lam.
528
529         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
530         (catch):
531
532 2019-08-21  Mark Lam  <mark.lam@apple.com>
533
534         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
535         https://bugs.webkit.org/show_bug.cgi?id=201016
536         <rdar://problem/54579911>
537
538         Reviewed by Yusuke Suzuki.
539
540         * wasm/stress/too-many-locals.js: Added.
541         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
542
543 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
544
545         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
546         https://bugs.webkit.org/show_bug.cgi?id=200965
547
548         Reviewed by Saam Barati.
549
550         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
551         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
552
553         * stress/optional-chaining.js:
554
555 2019-08-21  Michael Saboff  <msaboff@apple.com>
556
557         [JSC] incorrent JIT lead to StackOverflow
558         https://bugs.webkit.org/show_bug.cgi?id=197823
559
560         Reviewed by Tadeu Zagallo.
561
562         New test.
563
564         * stress/bound-function-stack-overflow.js: Added.
565         (foo):
566         (catch):
567
568 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
569
570         Identify memcpy loops in b3
571         https://bugs.webkit.org/show_bug.cgi?id=200181
572
573         Reviewed by Saam Barati.
574
575         * microbenchmarks/memcpy-loop.js: Added.
576         (doTest):
577         (let.arr1):
578         * microbenchmarks/memcpy-typed-loop-large.js: Added.
579         (doTest):
580         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
581         (arr2):
582         * microbenchmarks/memcpy-typed-loop-small.js: Added.
583         (doTest):
584         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
585         (16.arr2):
586         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
587         (doTest):
588         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
589         (arr2):
590         * microbenchmarks/memcpy-wasm-large.js: Added.
591         (typeof.WebAssembly.string_appeared_here.eq):
592         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
593         * microbenchmarks/memcpy-wasm-medium.js: Added.
594         (typeof.WebAssembly.string_appeared_here.eq):
595         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
596         * microbenchmarks/memcpy-wasm-small.js: Added.
597         (typeof.WebAssembly.string_appeared_here.eq):
598         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
599         * microbenchmarks/memcpy-wasm.js: Added.
600         (typeof.WebAssembly.string_appeared_here.eq):
601         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
602         * stress/memcpy-typed-loops.js: Added.
603         (noLoop):
604         (invalidStart):
605         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
606         (arr2):
607         * wasm/function-tests/memcpy-wasm-loop.js: Added.
608         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
609         (string_appeared_here):
610
611 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
612
613         [JSC] Array.prototype.toString should not get "join" function each time
614         https://bugs.webkit.org/show_bug.cgi?id=200905
615
616         Reviewed by Mark Lam.
617
618         * stress/array-prototype-join-change.js: Added.
619         (shouldBe):
620         (array2.join):
621         (DerivedArray):
622         (DerivedArray.prototype.join):
623         (array3.__proto__.join):
624         (Array.prototype.join):
625
626 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
627
628         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
629         https://bugs.webkit.org/show_bug.cgi?id=200782
630
631         Reviewed by Saam Barati.
632
633         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
634
635         * microbenchmarks/memcpy-typed-loop.js:
636         * stress/int8-repeat-in-then-out-of-bounds.js:
637
638 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
639
640         Proxy constructor should throw if handler is revoked Proxy
641         https://bugs.webkit.org/show_bug.cgi?id=198755
642
643         Reviewed by Saam Barati.
644
645         * stress/proxy-revoke.js: Adjust error message.
646         * test262/expectations.yaml: Mark 2 test cases as passing.
647
648 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
649
650         [JSC] OSR entry to Wasm OMG
651         https://bugs.webkit.org/show_bug.cgi?id=200362
652
653         Reviewed by Michael Saboff.
654
655         * wasm/stress/osr-entry-basic.js: Added.
656         (instance.exports.loop):
657         * wasm/stress/osr-entry-many-locals-f32.js: Added.
658         * wasm/stress/osr-entry-many-locals-f64.js: Added.
659         * wasm/stress/osr-entry-many-locals-i32.js: Added.
660         * wasm/stress/osr-entry-many-locals-i64.js: Added.
661         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
662         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
663         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
664         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
665
666 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
667
668         Date.prototype.toJSON throws if toISOString returns an object
669         https://bugs.webkit.org/show_bug.cgi?id=198495
670
671         Reviewed by Ross Kirsling.
672
673         * test262/expectations.yaml: Mark 6 test cases as passing.
674
675 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
676
677         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
678         https://bugs.webkit.org/show_bug.cgi?id=200899
679         <rdar://problem/54073341>
680
681         Reviewed by Mark Lam.
682
683         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
684         (i.new.Promise):
685         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
686         (i.new.Promise):
687
688 2019-08-19  Michael Saboff  <msaboff@apple.com>
689
690         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
691         https://bugs.webkit.org/show_bug.cgi?id=197090
692
693         Reviewed by Yusuke Suzuki.
694
695         New test.
696
697         * stress/regexp-nonconsuming-counted-parens.js: Added.
698
699 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
700
701         [JSC] Correct a->an in error messages and API docblocks
702         https://bugs.webkit.org/show_bug.cgi?id=200833
703
704         Reviewed by Don Olmstead.
705
706         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
707         (assert.assert.return.throws):
708         * stress/promise-finally-should-accept-non-promise-objects.js:
709         * wasm/js-api/table.js:
710         (assert.throws):
711
712 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
713
714         [ESNext] Implement optional chaining
715         https://bugs.webkit.org/show_bug.cgi?id=200199
716
717         Reviewed by Yusuke Suzuki.
718
719         * stress/nullish-coalescing.js:
720         * stress/optional-chaining.js: Added.
721         * stress/tail-call-recognize.js:
722
723 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
724
725         [ESNext] Support hashbang.
726         https://bugs.webkit.org/show_bug.cgi?id=200865
727
728         Reviewed by Mark Lam.
729
730         * stress/hashbang.js: Added.
731         * test262/expectations.yaml: Mark 6 cases as passing.
732
733 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
734
735         [JSC] DFG ToNumber should support Boolean in fixup
736         https://bugs.webkit.org/show_bug.cgi?id=200864
737
738         Reviewed by Mark Lam.
739
740         * microbenchmarks/to-number-boolean.js: Added.
741         (test):
742         * stress/to-number-boolean-int32.js: Added.
743         (shouldBe):
744         (test):
745         (check):
746         * stress/to-number-boolean.js: Added.
747         (shouldBe):
748         (test):
749         (check):
750         * stress/to-number-int32.js: Added.
751         (shouldBe):
752         (test):
753         (check):
754
755 2019-08-16  Mark Lam  <mark.lam@apple.com>
756
757         More missing exception checks in string comparison operators.
758         https://bugs.webkit.org/show_bug.cgi?id=200844
759         <rdar://problem/54378684>
760
761         Reviewed by Saam Barati.
762
763         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
764         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
765         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
766         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
767
768 2019-08-16  Mark Lam  <mark.lam@apple.com>
769
770         CodeBlock destructor should clear all of its watchpoints.
771         https://bugs.webkit.org/show_bug.cgi?id=200792
772         <rdar://problem/53947800>
773
774         Reviewed by Yusuke Suzuki.
775
776         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
777
778 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
779
780         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
781         https://bugs.webkit.org/show_bug.cgi?id=200782
782
783         Reviewed by Saam Barati.
784
785         * microbenchmarks/int8-out-of-bounds.js: Added.
786         (foo):
787         * microbenchmarks/memcpy-typed-loop.js: Added.
788         (doTest):
789         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
790         (arr2):
791         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
792         (foo):
793
794 2019-08-16  Mark Lam  <mark.lam@apple.com>
795
796         [Re-land] ProxyObject should not be allow to access its target's private properties.
797         https://bugs.webkit.org/show_bug.cgi?id=200739
798         <rdar://problem/53972768>
799
800         Reviewed by Yusuke Suzuki.
801
802         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
803         * stress/proxy-with-private-symbols.js:
804
805 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
806
807         [JSC] Promise.prototype.finally should accept non-promise objects
808         https://bugs.webkit.org/show_bug.cgi?id=200829
809
810         Reviewed by Mark Lam.
811
812         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
813         (shouldBe):
814         (Thenable):
815         (Thenable.prototype.then):
816
817 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
818
819         Promise constructor should check argument before [[Construct]]
820         https://bugs.webkit.org/show_bug.cgi?id=198976
821
822         Reviewed by Ross Kirsling.
823
824         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
825         * stress/create-subclass-structure-might-throw.js: Fix test.
826         * test262/expectations.yaml: Mark 2 test cases as passing.
827
828 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
829
830         Unreviewed, rolling out r248709.
831
832         Caused test/built-ins/Promise/prototype/finally/this-value-
833         non-promise.js to fail on test262 bot
834
835         Reverted changeset:
836
837         "ProxyObject should not be allow to access its target's
838         private properties."
839         https://bugs.webkit.org/show_bug.cgi?id=200739
840         https://trac.webkit.org/changeset/248709
841
842 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
843
844         DateConversion::formatDateTime incorrectly formats negative years
845         https://bugs.webkit.org/show_bug.cgi?id=199964
846
847         Reviewed by Ross Kirsling.
848
849         * test262/expectations.yaml: Mark 6 test cases as passing.
850
851 2019-08-15  Mark Lam  <mark.lam@apple.com>
852
853         More missing exception checks in String.prototype.
854         https://bugs.webkit.org/show_bug.cgi?id=200762
855         <rdar://problem/54333896>
856
857         Reviewed by Michael Saboff.
858
859         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
860         * stress/missing-exception-check-in-string-toLower.js: Added.
861         * stress/missing-exception-check-in-string-toUpper.js: Added.
862
863 2019-08-14  Mark Lam  <mark.lam@apple.com>
864
865         ProxyObject should not be allow to access its target's private properties.
866         https://bugs.webkit.org/show_bug.cgi?id=200739
867         <rdar://problem/53972768>
868
869         Reviewed by Yusuke Suzuki.
870
871         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
872         * stress/proxy-with-private-symbols.js: Rebased.
873
874 2019-08-14  Mark Lam  <mark.lam@apple.com>
875
876         Missing exception check in string compare.
877         https://bugs.webkit.org/show_bug.cgi?id=200743
878         <rdar://problem/53975356>
879
880         Reviewed by Michael Saboff.
881
882         * stress/missing-exception-check-in-string-compare.js: Added.
883
884 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
885
886         [JSC] Add "jump if (not) undefined or null" bytecode ops
887         https://bugs.webkit.org/show_bug.cgi?id=200480
888
889         Reviewed by Saam Barati.
890
891         * stress/destructuring-assignment-require-object-coercible.js:
892         * stress/nullish-coalescing.js:
893
894 2019-08-05  Michael Saboff  <msaboff@apple.com>
895
896         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
897         https://bugs.webkit.org/show_bug.cgi?id=199997
898
899         Reviewed by Saam Barati.
900
901         New test.
902
903         * stress/typedarray-no-alreadyChecked-assert.js: Added.
904         (checkIntArray):
905         (checkFloatArray):
906
907 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
908
909         [JSC] Support WebAssembly in SamplingProfiler
910         https://bugs.webkit.org/show_bug.cgi?id=200329
911
912         Reviewed by Saam Barati.
913
914         * stress/sampling-profiler-wasm-name-section.js: Added.
915         (const.compile):
916         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
917         (platformSupportsSamplingProfiler.vm.isWasmSupported):
918         * stress/sampling-profiler-wasm.js: Added.
919         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
920         (platformSupportsSamplingProfiler.vm.isWasmSupported):
921         * stress/sampling-profiler/loop.wasm: Added.
922         * stress/sampling-profiler/loop.wast: Added.
923         * stress/sampling-profiler/nameSection.wasm: Added.
924
925 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
926
927         [JSC] LazyJSValue should be robust for empty JSValue
928         https://bugs.webkit.org/show_bug.cgi?id=200388
929
930         Reviewed by Saam Barati.
931
932         * stress/switch-constant-child-becomes-empty.js: Added.
933         (foo):
934
935 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
936
937         GetterSetter type confusion during DFG compilation
938         https://bugs.webkit.org/show_bug.cgi?id=199903
939
940         Reviewed by Mark Lam.
941
942         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
943
944 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
945
946         Update Test262 (2019.08.01)
947         https://bugs.webkit.org/show_bug.cgi?id=200351
948
949         Reviewed by Keith Miller.
950
951         * test262/expectations.yaml:
952         * test262/harness/testIntl.js:
953         * test262/latest-changes-summary.txt:
954         * test262/test/:
955         * test262/test262-Revision.txt:
956
957 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
958
959         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
960         https://bugs.webkit.org/show_bug.cgi?id=200192
961
962         Reviewed by Saam Barati.
963
964         * stress/structure-chain-stress.js: Added.
965         (keys):
966
967 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
968
969         [JSC] Increment bytecode age only when SlotVisitor is first-visit
970         https://bugs.webkit.org/show_bug.cgi?id=200196
971
972         Reviewed by Robin Morisset.
973
974         * stress/reparsing-unlinked-codeblock.js:
975
976 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
977
978         [X86] Emit BT instruction for shift + mask in B3
979         https://bugs.webkit.org/show_bug.cgi?id=199891
980
981         Reviewed by Robin Morisset.
982
983         Lower the number of iterations to fix debug timeouts.
984
985         * microbenchmarks/bit-test-load.js:
986         (i):
987
988 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
989
990         [X86] Emit BT instruction for shift + mask in B3
991         https://bugs.webkit.org/show_bug.cgi?id=199891
992
993         Reviewed by Keith Miller.
994
995         * microbenchmarks/bit-test-constant.js: Added.
996         (let.glob.0.doTest):
997         * microbenchmarks/bit-test-load.js: Added.
998         (let.glob.0.let.arr.new.Int32Array.8.doTest):
999         (i):
1000         * microbenchmarks/bit-test-nonconstant.js: Added.
1001         (let.glob.0.doTest):
1002
1003 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1004
1005         [JSC] Potential GC fix for JSPropertyNameEnumerator
1006         https://bugs.webkit.org/show_bug.cgi?id=200151
1007
1008         Reviewed by Mark Lam.
1009
1010         * stress/for-in-stress.js: Added.
1011         (keys):
1012
1013 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1014
1015         Legacy numeric literals should not permit separators or BigInt
1016         https://bugs.webkit.org/show_bug.cgi?id=199984
1017
1018         Reviewed by Keith Miller.
1019
1020         * stress/big-int-literals.js:
1021         * stress/numeric-literal-separators.js:
1022
1023 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1024
1025         [ESNext] Implement nullish coalescing
1026         https://bugs.webkit.org/show_bug.cgi?id=200072
1027
1028         Reviewed by Darin Adler.
1029
1030         * stress/nullish-coalescing.js: Added.
1031
1032 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1033
1034         Three checks are missing in Proxy internal methods
1035         https://bugs.webkit.org/show_bug.cgi?id=198630
1036
1037         Reviewed by Darin Adler.
1038
1039         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1040         * test262/expectations.yaml: Mark 6 test cases as passing.
1041
1042 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1043
1044         Sometimes we miss removable CheckInBounds
1045         https://bugs.webkit.org/show_bug.cgi?id=200018
1046
1047         Reviewed by Saam Barati.
1048
1049         * microbenchmarks/typed-array-sum.js: Added.
1050         (doTest):
1051
1052 2019-07-16  Mark Lam  <mark.lam@apple.com>
1053
1054         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1055         https://bugs.webkit.org/show_bug.cgi?id=199821
1056         <rdar://problem/52452328>
1057
1058         Reviewed by Filip Pizlo.
1059
1060         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1061
1062 2019-07-16  Keith Miller  <keith_miller@apple.com>
1063
1064         Unreviewed, test262 gardening.
1065
1066         * test262/expectations.yaml:
1067
1068 2019-07-15  Keith Miller  <keith_miller@apple.com>
1069
1070         A Possible Issue of Object.create method
1071         https://bugs.webkit.org/show_bug.cgi?id=199744
1072
1073         Reviewed by Yusuke Suzuki.
1074
1075         * stress/object-create-non-object-properties-parameter.js: Added.
1076         (catch):
1077
1078 2019-07-15  Keith Miller  <keith_miller@apple.com>
1079
1080         Update test262
1081         https://bugs.webkit.org/show_bug.cgi?id=199801
1082
1083         Rubber-stamped by Yusuke Suzuki.
1084
1085         * test262/expectations.yaml:
1086         * test262/latest-changes-summary.txt:
1087         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1088         (fg.new.FinalizationGroup):
1089         (callback):
1090         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1091         (fg.new.FinalizationGroup):
1092         (callback):
1093         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1094         (fg.new.FinalizationGroup):
1095         (callback):
1096         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1097         (fg.new.FinalizationGroup):
1098         (callback):
1099         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1100         (fg.new.FinalizationGroup):
1101         (callback):
1102         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1103         (fg.new.FinalizationGroup):
1104         (callback):
1105         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1106         (fg.new.FinalizationGroup):
1107         (callback):
1108         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1109         (callback):
1110         (fg.new.FinalizationGroup):
1111         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1112         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1113         (cb):
1114         (fg.new.FinalizationGroup):
1115         (emptyCells):
1116         (async.fn):
1117         (fn.then.async):
1118         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1119         (fg.new.FinalizationGroup):
1120         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1121         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1122         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1123         (newTarget):
1124         (fn):
1125         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1126         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1127         (fn):
1128         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1129         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1130         (newTarget):
1131         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1132         (newTarget):
1133         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1134         (fg.new.FinalizationGroup):
1135         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1136         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1137         (callback):
1138         (fg.new.FinalizationGroup):
1139         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1140         (fg.new.FinalizationGroup):
1141         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1142         (cb):
1143         (fg.new.FinalizationGroup):
1144         (emptyCells):
1145         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1146         (fg.new.FinalizationGroup):
1147         (fg.cleanupSome.cb):
1148         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1149         (callback):
1150         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1151         (fn):
1152         (cb):
1153         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1154         (cb):
1155         (fg.new.FinalizationGroup):
1156         (emptyCells):
1157         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1158         (fg.new.FinalizationGroup):
1159         (callback):
1160         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1161         (fg.new.FinalizationGroup):
1162         (callback):
1163         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1164         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1165         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1166         (poisoned):
1167         (fg.new.FinalizationGroup):
1168         (emptyCells):
1169         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1170         (poisoned):
1171         (emptyCells):
1172         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1173         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1174         (fn):
1175         (cb):
1176         (emptyCells):
1177         (prototype.assert.sameValue.fg.cleanupSome):
1178         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1179         (fn):
1180         (cb):
1181         (poisoned):
1182         (assert.sameValue.fg.cleanupSome):
1183         (prototype.assert.sameValue.fg.cleanupSome):
1184         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1185         (cb):
1186         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1187         (cb):
1188         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1189         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1190         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1191         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1192         (fn):
1193         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1194         (fn):
1195         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1196         (fg.new.FinalizationGroup):
1197         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1198         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1199         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1200         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1201         (fn):
1202         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1203         (fn):
1204         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1205         (fg.new.FinalizationGroup):
1206         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1207         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1208         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1209         (fg.new.FinalizationGroup):
1210         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1211         (fg.new.FinalizationGroup):
1212         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1213         (fg.new.FinalizationGroup):
1214         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1215         (fg.new.FinalizationGroup):
1216         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1217         (fn):
1218         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1219         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1220         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1221         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1222         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1223         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1224         (fn):
1225         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1226         (fg.new.FinalizationGroup):
1227         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1228         (cleanupCallback):
1229         (let.key.of.Object.getOwnPropertyNames):
1230         (set for):
1231         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1232         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1233         (FinalizationGroup):
1234         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1235         (cleanupCallback):
1236         (let.key.of.Object.getOwnPropertyNames):
1237         (set for):
1238         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1239         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1240         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1241         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1242         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1243         (asyncProxy.new.Proxy.async):
1244         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1245         (asyncProxy.new.Proxy.async):
1246         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1247         (setIter.set Symbol):
1248         (set defaultTag):
1249         (gen):
1250         (get return):
1251         (set new):
1252         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1253         (generatorProxy.new.Proxy):
1254         (asyncProxy.new.Proxy.async):
1255         * test262/test/built-ins/Object/subclass-object-arg.js:
1256         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1257         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1258         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1259         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1260         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1261         * test262/test/built-ins/Promise/executor-function-name.js:
1262         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1263         * test262/test/built-ins/Promise/reject-function-name.js:
1264         * test262/test/built-ins/Promise/resolve-function-name.js:
1265         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1266         * test262/test/built-ins/WeakRef/constructor.js: Added.
1267         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1268         * test262/test/built-ins/WeakRef/length.js: Added.
1269         * test262/test/built-ins/WeakRef/name.js: Added.
1270         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1271         (newTarget):
1272         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1273         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1274         * test262/test/built-ins/WeakRef/proto.js: Added.
1275         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1276         (newTarget):
1277         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1278         (newTarget):
1279         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1280         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1281         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1282         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1283         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1284         (emptyCells):
1285         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1286         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1287         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1288         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1289         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1290         (fg.new.FinalizationGroup):
1291         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1292         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1293         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1294         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1295         (let.key.of.Object.getOwnPropertyNames):
1296         (set for):
1297         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1298         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1299         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1300         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1301         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1302         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1303         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1304         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1305         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1306         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1307         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1308         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1309         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1310         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1311         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1312         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1313         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1314         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1315         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1316         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1317         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1318         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1319         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1320         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1321         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1322         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1323         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1324         (assertParts):
1325         (assertPartsNumeric):
1326         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1327         (assertParts):
1328         (assertPartsNumeric):
1329         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1330         (assertParts):
1331         (assertPartsNumeric):
1332         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1333         (assertParts):
1334         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1335         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1336         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1337         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1338         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1339         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1340         (C.prototype.method):
1341         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1342         (C.prototype.method.innerFunction):
1343         (C.prototype.method):
1344         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1345         (C):
1346         (C.method):
1347         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1348         (C):
1349         (C.method.innerFunction):
1350         (C.method):
1351         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1352         (C):
1353         (C.checkPrivateGetter):
1354         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1355         (C):
1356         (C.method):
1357         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1358         (C):
1359         (C.method.innerFunction):
1360         (C.method):
1361         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1362         (C):
1363         (C.checkPrivateMethod):
1364         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1365         (C):
1366         (C.method):
1367         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1368         (C):
1369         (C.method.innerFunction):
1370         (C.method):
1371         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1372         (C):
1373         (C.checkPrivateSetter):
1374         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1375         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1376         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1377         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1378         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1379         (let.classStringExpression):
1380         (let.classStringExpression.access):
1381         (let.createAndInstantiateClass):
1382         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1383         (let.classStringExpression):
1384         (let.classStringExpression.access):
1385         (let.createAndInstantiateClass):
1386         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1387         (const.C):
1388         (let.createAndInstantiateClass):
1389         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1390         (let.classStringExpression.return.prototype.m):
1391         (let.classStringExpression.return.prototype.access):
1392         (let.createAndInstantiateClass):
1393         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1394         (let.classStringExpression.return.prototype.m):
1395         (let.classStringExpression.return.prototype.access):
1396         (let.createAndInstantiateClass):
1397         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1398         (let.classStringExpression):
1399         (let.classStringExpression.access):
1400         (let.createAndInstantiateClass):
1401         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1402         (let.classStringExpression.prototype.m):
1403         (let.classStringExpression.prototype.access):
1404         (let.classStringExpression):
1405         (let.createAndInstantiateClass):
1406         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1407         (let.classStringExpression.prototype.m):
1408         (let.classStringExpression.prototype.access):
1409         (let.classStringExpression):
1410         (let.createAndInstantiateClass):
1411         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1412         (const.C):
1413         (let.createAndInstantiateClass):
1414         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1415         (let.classStringExpression.return.C.prototype.m):
1416         (let.classStringExpression.return.C.prototype.access):
1417         (let.classStringExpression.return.C):
1418         (let.createAndInstantiateClass):
1419         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1420         (let.classStringExpression.return.C.prototype.m):
1421         (let.classStringExpression.return.C.prototype.access):
1422         (let.classStringExpression.return.C):
1423         (let.createAndInstantiateClass):
1424         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1425         (let.classStringExpression):
1426         (let.classStringExpression.access):
1427         (let.createAndInstantiateClass):
1428         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1429         (let.classStringExpression):
1430         (let.classStringExpression.access):
1431         (let.createAndInstantiateClass):
1432         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1433         (let.classStringExpression):
1434         (let.classStringExpression.access):
1435         (let.createAndInstantiateClass):
1436         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1437         (const.C):
1438         (let.createAndInstantiateClass):
1439         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1440         (let.classStringExpression.return.prototype.m):
1441         (let.classStringExpression.return.prototype.access):
1442         (let.createAndInstantiateClass):
1443         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1444         (let.classStringExpression.return.prototype.m):
1445         (let.classStringExpression.return.prototype.access):
1446         (let.createAndInstantiateClass):
1447         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1448         (let.classStringExpression):
1449         (let.classStringExpression.access):
1450         (let.createAndInstantiateClass):
1451         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1452         (new):
1453         (async):
1454         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1455         (A):
1456         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1457         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1458         * test262/test/language/identifiers/vals-cjk.js: Added.
1459         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1460         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1461         (C.prototype.method):
1462         (C):
1463         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1464         (C.prototype.method.innerFunction):
1465         (C.prototype.method):
1466         (C):
1467         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1468         (C.prototype.checkPrivateField):
1469         (C):
1470         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1471         (C):
1472         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1473         (C.prototype.getWithEval):
1474         (C):
1475         (D):
1476         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1477         (C.prototype.get m):
1478         (C.prototype.method):
1479         (C):
1480         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1481         (C.prototype.get m):
1482         (C.prototype.method.innerFunction):
1483         (C.prototype.method):
1484         (C):
1485         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1486         (let.createAndInstantiateClass):
1487         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1488         (C.prototype.get m):
1489         (C.prototype.checkPrivateGetter):
1490         (C):
1491         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1492         (C.prototype.get m):
1493         (C.prototype.checkPrivateGetter):
1494         (C):
1495         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1496         (C.prototype.get m):
1497         (C):
1498         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1499         (C.prototype.get m):
1500         (C.prototype.getWithEval):
1501         (C):
1502         (D.prototype.get m):
1503         (D):
1504         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1505         (C.prototype.m):
1506         (C.prototype.method):
1507         (C):
1508         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1509         (C.prototype.m):
1510         (C.prototype.method.innerFunction):
1511         (C.prototype.method):
1512         (C):
1513         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1514         (C.prototype.m):
1515         (C.prototype.checkPrivateMethod):
1516         (C):
1517         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1518         (C.prototype.m):
1519         (C.prototype.checkPrivateMethod):
1520         (C):
1521         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1522         (C.prototype.m):
1523         (C):
1524         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1525         (C.prototype.m):
1526         (C.prototype.getWithEval):
1527         (C):
1528         (D.prototype.m):
1529         (D):
1530         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1531         (C.prototype.set m):
1532         (C.prototype.method):
1533         (C):
1534         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1535         (C.prototype.set m):
1536         (C.prototype.method.innerFunction):
1537         (C.prototype.method):
1538         (C):
1539         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1540         (C.prototype.set m):
1541         (C.prototype.checkPrivateSetter):
1542         (C):
1543         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1544         (C.prototype.set m):
1545         (C.prototype.checkPrivateSetter):
1546         (C):
1547         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1548         (C.prototype.set m):
1549         (C):
1550         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1551         (C.prototype.set m):
1552         (C.prototype.setWithEval):
1553         (C):
1554         (D.prototype.set m):
1555         (D):
1556         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1557         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1558         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1559         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1560         (A.prototype.method):
1561         (A):
1562         (C.prototype.get m):
1563         (C.prototype.access):
1564         (C):
1565         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1566         (A.prototype.method):
1567         (A):
1568         (C.prototype.m):
1569         (C.prototype.access):
1570         (C):
1571         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1572         (A.prototype.method):
1573         (A):
1574         (C.prototype.set m):
1575         (C.prototype.access):
1576         (C):
1577         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1578         (A):
1579         * test262/test/language/statements/function/13.2-30-s.js:
1580         * test262/test262-Revision.txt:
1581
1582 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1583
1584         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1585         https://bugs.webkit.org/show_bug.cgi?id=199783
1586
1587         Reviewed by Mark Lam.
1588
1589         Fix our spec tests.
1590
1591         * wasm/js-api/Module-compile.js:
1592         * wasm/js-api/test_basic_api.js:
1593         (const.c.in.constructorProperties.switch):
1594         * wasm/js-api/validate.js:
1595         * wasm/js-api/web-assembly-instantiate.js:
1596         * wasm/spec-tests/jsapi.js:
1597         (testJSAPI.get test):
1598         (testJSAPI.set test):
1599
1600 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1601
1602         Unreviewed, rolling out r247440.
1603
1604         Broke builds
1605
1606         Reverted changeset:
1607
1608         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1609         issues"
1610         https://bugs.webkit.org/show_bug.cgi?id=199783
1611         https://trac.webkit.org/changeset/247440
1612
1613 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1614
1615         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1616         https://bugs.webkit.org/show_bug.cgi?id=199783
1617
1618         Reviewed by Mark Lam.
1619
1620         Fix our spec tests.
1621
1622         * wasm/js-api/Module-compile.js:
1623         * wasm/js-api/test_basic_api.js:
1624         (const.c.in.constructorProperties.switch):
1625         * wasm/js-api/validate.js:
1626         * wasm/js-api/web-assembly-instantiate.js:
1627         * wasm/spec-tests/jsapi.js:
1628         (testJSAPI.get test):
1629         (testJSAPI.set test):
1630
1631 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1632
1633         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1634         https://bugs.webkit.org/show_bug.cgi?id=196371
1635
1636         Reviewed by Keith Miller.
1637
1638         * microbenchmarks/mul-immediate-sub.js: Added.
1639         (doTest):
1640
1641 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1642
1643         [BigInt] Add ValueBitLShift into DFG
1644         https://bugs.webkit.org/show_bug.cgi?id=192664
1645
1646         Reviewed by Saam Barati.
1647
1648         We are adding tests to cover ValueBitwise operations AI changes.
1649
1650         * stress/big-int-left-shift-untyped.js: Added.
1651         * stress/bit-op-with-object-returning-int32.js:
1652         * stress/value-bit-and-ai-rule.js: Added.
1653         * stress/value-bit-lshift-ai-rule.js: Added.
1654         * stress/value-bit-or-ai-rule.js: Added.
1655         * stress/value-bit-xor-ai-rule.js: Added.
1656
1657 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1658
1659         Add b3 macro lowering for CheckMul on arm64
1660         https://bugs.webkit.org/show_bug.cgi?id=199251
1661
1662         Reviewed by Robin Morisset.
1663
1664         * microbenchmarks/check-mul-constant.js: Added.
1665         (doTest):
1666         * microbenchmarks/check-mul-no-constant.js: Added.
1667         (doTest):
1668         * microbenchmarks/check-mul-power-of-two.js: Added.
1669         (doTest):
1670
1671 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1672
1673         Optimize join of large empty arrays
1674         https://bugs.webkit.org/show_bug.cgi?id=199636
1675
1676         Reviewed by Mark Lam.
1677
1678         * microbenchmarks/large-empty-array-join.js: Added.
1679         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1680
1681 2019-07-06  Michael Saboff  <msaboff@apple.com>
1682
1683         switch(String) needs to check for exceptions when resolving the string
1684         https://bugs.webkit.org/show_bug.cgi?id=199541
1685
1686         Reviewed by Mark Lam.
1687
1688         New tests.
1689
1690         * stress/switch-string-oom.js: Added.
1691         (test):
1692         (testLowerTiers):
1693         (testFTL):
1694
1695 2019-07-05  Mark Lam  <mark.lam@apple.com>
1696
1697         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
1698         https://bugs.webkit.org/show_bug.cgi?id=199533
1699         <rdar://problem/52669111>
1700
1701         Reviewed by Filip Pizlo.
1702
1703         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1704
1705 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1706
1707         [JSC] Clean up ArraySpeciesCreate
1708         https://bugs.webkit.org/show_bug.cgi?id=182434
1709
1710         Reviewed by Yusuke Suzuki.
1711
1712         Adjusts error message expectations in stress tests.
1713
1714         * stress/array-flatmap.js:
1715         * stress/array-flatten.js:
1716         * stress/array-species-create-should-handle-masquerader.js:
1717         * test262/expectations.yaml: Mark 4 test cases as passing.
1718
1719 2019-07-02  Michael Saboff  <msaboff@apple.com>
1720
1721         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1722         https://bugs.webkit.org/show_bug.cgi?id=199395
1723
1724         Reviewed by Filip Pizlo.
1725
1726         New regession test.
1727
1728         * stress/for-of-tdz-with-try-catch.js: Added.
1729         (test):
1730         (i.catch):
1731
1732 2019-07-02  Keith Miller  <keith_miller@apple.com>
1733
1734         Frozen Arrays length assignment should throw in strict mode
1735         https://bugs.webkit.org/show_bug.cgi?id=199365
1736
1737         Reviewed by Yusuke Suzuki.
1738
1739         * stress/frozen-array-length-should-throw-strict.js: Added.
1740         (test):
1741
1742 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1743
1744         [Wasm-References] Disable references by default
1745         https://bugs.webkit.org/show_bug.cgi?id=199390
1746
1747         Reviewed by Saam Barati.
1748
1749         * wasm/references-spec-tests/ref_is_null.js:
1750         * wasm/references-spec-tests/ref_null.js:
1751         * wasm/references/anyref_globals.js:
1752         * wasm/references/anyref_modules.js:
1753         * wasm/references/anyref_table.js:
1754         * wasm/references/anyref_table_import.js:
1755         * wasm/references/element_parsing.js:
1756         * wasm/references/func_ref.js:
1757         * wasm/references/is_null.js:
1758         * wasm/references/multitable.js:
1759         * wasm/references/table_misc.js:
1760         * wasm/references/validation.js:
1761
1762 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1763
1764         Unreviewed, rolling out r246946.
1765
1766         Caused JSC test crashes on arm64
1767
1768         Reverted changeset:
1769
1770         "Add b3 macro lowering for CheckMul on arm64"
1771         https://bugs.webkit.org/show_bug.cgi?id=199251
1772         https://trac.webkit.org/changeset/246946
1773
1774 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1775
1776         Add b3 macro lowering for CheckMul on arm64
1777         https://bugs.webkit.org/show_bug.cgi?id=199251
1778
1779         Reviewed by Robin Morisset.
1780
1781         * microbenchmarks/check-mul-constant.js: Added.
1782         (doTest):
1783         * microbenchmarks/check-mul-no-constant.js: Added.
1784         (doTest):
1785         * microbenchmarks/check-mul-power-of-two.js: Added.
1786         (doTest):
1787
1788 2019-06-26  Keith Miller  <keith_miller@apple.com>
1789
1790         speciesConstruct needs to throw if the result is a DataView
1791         https://bugs.webkit.org/show_bug.cgi?id=199231
1792
1793         Reviewed by Mark Lam.
1794
1795         * stress/typedarray-filter.js:
1796         (subclasses.forEach):
1797         * stress/typedarray-map.js:
1798         (subclasses.forEach):
1799         * stress/typedarray-slice.js:
1800         (typedArrays.forEach):
1801         * stress/typedarray-subarray.js:
1802         (subclasses.forEach):
1803
1804 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1805
1806         Unreviewed, rolling out r246714.
1807         https://bugs.webkit.org/show_bug.cgi?id=199179
1808
1809         revert to do patch in a different way. (Requested by keith_mi_
1810         on #webkit).
1811
1812         Reverted changeset:
1813
1814         "All prototypes should call didBecomePrototype()"
1815         https://bugs.webkit.org/show_bug.cgi?id=196315
1816         https://trac.webkit.org/changeset/246714
1817
1818 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1819
1820         Add Array.prototype.{flat,flatMap} to unscopables
1821         https://bugs.webkit.org/show_bug.cgi?id=194322
1822
1823         Reviewed by Keith Miller.
1824
1825         * stress/unscopables.js: Fix test.
1826         * test262/expectations.yaml: Mark 2 test cases as passing.
1827
1828 2019-06-21  Mark Lam  <mark.lam@apple.com>
1829
1830         ArraySlice needs to keep the source array alive.
1831         https://bugs.webkit.org/show_bug.cgi?id=197374
1832         <rdar://problem/50304429>
1833
1834         Reviewed by Michael Saboff and Filip Pizlo.
1835
1836         * stress/array-slice-must-keep-source-array-alive.js: Added.
1837
1838 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1839
1840         All prototypes should call didBecomePrototype()
1841         https://bugs.webkit.org/show_bug.cgi?id=196315
1842
1843         Reviewed by Saam Barati.
1844
1845         * stress/function-prototype-indexed-accessor.js: Added.
1846
1847 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1848
1849         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1850         https://bugs.webkit.org/show_bug.cgi?id=197631
1851
1852         Reviewed by Saam Barati.
1853
1854         * stress/has-own-property-arguments.js: Added.
1855         (shouldBe):
1856         (A):
1857
1858 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1859
1860         [JSC] ClassExpr should not store result in the middle of evaluation
1861         https://bugs.webkit.org/show_bug.cgi?id=199106
1862
1863         Reviewed by Tadeu Zagallo.
1864
1865         * stress/class-expression-should-store-result-at-last.js: Added.
1866         (shouldThrow):
1867         (shouldThrow.let.a):
1868
1869 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1870
1871         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1872         https://bugs.webkit.org/show_bug.cgi?id=199044
1873
1874         Reviewed by Saam Barati.
1875
1876         Add wasm references spec tests as well as a worker test.
1877
1878         * wasm.yaml:
1879         * wasm/Builder_WebAssemblyBinary.js:
1880         (const.emitters.Element):
1881         * wasm/js-api/element.js:
1882         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1883         * wasm/references-spec-tests/ref_is_null.js: Added.
1884         (hostref):
1885         (is_hostref):
1886         (is_funcref):
1887         (eq_ref):
1888         (let.handler.get target):
1889         (register):
1890         (module):
1891         (instance):
1892         (call):
1893         (get instance):
1894         (exports):
1895         (run):
1896         (assert_malformed):
1897         (assert_invalid):
1898         (assert_unlinkable):
1899         (assert_uninstantiable):
1900         (assert_trap):
1901         (try.f):
1902         (catch):
1903         (assert_exhaustion):
1904         (assert_return):
1905         (assert_return_canonical_nan):
1906         (assert_return_arithmetic_nan):
1907         (assert_return_ref):
1908         (assert_return_func):
1909         * wasm/references-spec-tests/ref_null.js: Added.
1910         (hostref):
1911         (is_hostref):
1912         (is_funcref):
1913         (eq_ref):
1914         (let.handler.get target):
1915         (register):
1916         (module):
1917         (instance):
1918         (call):
1919         (get instance):
1920         (exports):
1921         (run):
1922         (assert_malformed):
1923         (assert_invalid):
1924         (assert_unlinkable):
1925         (assert_uninstantiable):
1926         (assert_trap):
1927         (try.f):
1928         (catch):
1929         (assert_exhaustion):
1930         (assert_return):
1931         (assert_return_canonical_nan):
1932         (assert_return_arithmetic_nan):
1933         (assert_return_ref):
1934         (assert_return_func):
1935         * wasm/references/element_parsing.js: Added.
1936         (module):
1937         * wasm/references/func_ref.js:
1938         * wasm/references/multitable.js:
1939         * wasm/references/table_misc.js:
1940         (TableSize.0.End.End.WebAssembly):
1941         * wasm/references/validation.js:
1942         (assert.throws):
1943
1944 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1945
1946         Optimize `resolve` method lookup in Promise static methods
1947         https://bugs.webkit.org/show_bug.cgi?id=198864
1948
1949         Reviewed by Yusuke Suzuki.
1950
1951         * test262/expectations.yaml: Mark 18 test cases as passing.
1952
1953 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1954
1955         [WASM-References] Rename anyfunc to funcref
1956         https://bugs.webkit.org/show_bug.cgi?id=198983
1957
1958         Reviewed by Yusuke Suzuki.
1959
1960         * wasm/function-tests/basic-element.js:
1961         * wasm/function-tests/context-switch.js:
1962         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1963         (makeInstance):
1964         (assert.eq.makeInstance):
1965         * wasm/function-tests/exceptions.js:
1966         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1967         * wasm/function-tests/grow-memory-2.js:
1968         (assert.eq.instance.exports.foo):
1969         * wasm/function-tests/nameSection.js:
1970         (const.compile):
1971         * wasm/function-tests/stack-overflow.js:
1972         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1973         (assertOverflows.makeInstance):
1974         * wasm/function-tests/table-basic-2.js:
1975         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1976         * wasm/function-tests/table-basic.js:
1977         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1978         * wasm/function-tests/trap-from-start-async.js:
1979         * wasm/function-tests/trap-from-start.js:
1980         * wasm/js-api/Module.exports.js:
1981         (assert.truthy):
1982         * wasm/js-api/Module.imports.js:
1983         (assert.truthy):
1984         * wasm/js-api/call-indirect.js:
1985         (const.oneTable):
1986         (const.multiTable):
1987         (multiTable.const.makeTable):
1988         (multiTable):
1989         (multiTable.Polyphic2Import):
1990         (multiTable.VirtualImport):
1991         * wasm/js-api/element-data.js:
1992         * wasm/js-api/element.js:
1993         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1994         (assert.throws):
1995         (badInstantiation.makeModule):
1996         (badInstantiation.test):
1997         (badInstantiation):
1998         * wasm/js-api/extension-MemoryMode.js:
1999         * wasm/js-api/table.js:
2000         (new.WebAssembly.Module):
2001         (assert.throws):
2002         (assertBadTableImport):
2003         (assert.throws.WebAssembly.Table.prototype.grow):
2004         (new.WebAssembly.Table):
2005         (assertBadTable):
2006         (assert.truthy):
2007         * wasm/js-api/test_basic_api.js:
2008         (const.c.in.constructorProperties.switch):
2009         * wasm/js-api/unique-signature.js:
2010         (CallIndirectWithDuplicateSignatures):
2011         * wasm/js-api/wrapper-function.js:
2012         * wasm/modules/table.wat:
2013         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2014         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2015         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2016         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2017         * wasm/references/anyref_table.js:
2018         * wasm/references/anyref_table_import.js:
2019         (doSet):
2020         (assert.throws):
2021         * wasm/references/func_ref.js:
2022         (makeFuncrefIdent):
2023         (assert.eq.instance.exports.fix):
2024         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2025         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2026         (let.importedFun.of):
2027         (makeAnyfuncIdent): Deleted.
2028         (makeAnyfuncIdent.fun): Deleted.
2029         * wasm/references/multitable.js:
2030         (assert.eq):
2031         (assert.throws):
2032         * wasm/references/table_misc.js:
2033         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2034         * wasm/references/validation.js:
2035         (assert.throws.new.WebAssembly.Module.bin):
2036         (assert.throws):
2037         * wasm/spec-harness/index.js:
2038         * wasm/spec-harness/wasm-constants.js:
2039         * wasm/spec-harness/wasm-module-builder.js:
2040         (WasmModuleBuilder.prototype.toArray):
2041         * wasm/spec-harness/wast.js:
2042         (elem_type):
2043         (string_of_elem_type):
2044         (string_of_table_type):
2045         * wasm/spec-tests/jsapi.js:
2046         * wasm/stress/wasm-table-grow-initialize.js:
2047         * wasm/wasm.json:
2048
2049 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2050
2051         [WASM-References] Add support for Table.size, grow and fill instructions
2052         https://bugs.webkit.org/show_bug.cgi?id=198761
2053
2054         Reviewed by Yusuke Suzuki.
2055
2056         * wasm/Builder_WebAssemblyBinary.js:
2057         (const.putOp):
2058         * wasm/references/table_misc.js: Added.
2059         (TableSize.End.End.WebAssembly):
2060         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2061         * wasm/wasm.json:
2062
2063 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2064
2065         [WASM-References] Add support for multiple tables
2066         https://bugs.webkit.org/show_bug.cgi?id=198760
2067
2068         Reviewed by Saam Barati.
2069
2070         * wasm/Builder.js:
2071         * wasm/js-api/call-indirect.js:
2072         (const.oneTable):
2073         (const.multiTable):
2074         (multiTable):
2075         (multiTable.Polyphic2Import):
2076         (multiTable.VirtualImport):
2077         (const.wasmModuleWhichImportJS): Deleted.
2078         (const.makeTable): Deleted.
2079         (): Deleted.
2080         (Polyphic2Import): Deleted.
2081         (VirtualImport): Deleted.
2082         * wasm/js-api/table.js:
2083         (new.WebAssembly.Module):
2084         (assert.throws):
2085         (assertBadTableImport):
2086         (assert.truthy):
2087         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2088         * wasm/references/anyref_table.js:
2089         * wasm/references/anyref_table_import.js:
2090         (makeImport):
2091         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2092         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2093         * wasm/references/multitable.js: Added.
2094         (assert.throws.1.exports.set_tbl0):
2095         (assert.throws):
2096         (assert.eq):
2097         * wasm/references/validation.js:
2098         (assert.throws.new.WebAssembly.Module.bin):
2099         (assert.throws):
2100         * wasm/spec-tests/imports.wast.js:
2101         * wasm/wasm.json:
2102
2103         * wasm/Builder.js:
2104         * wasm/js-api/call-indirect.js:
2105         (const.oneTable):
2106         (const.multiTable):
2107         (multiTable):
2108         (multiTable.Polyphic2Import):
2109         (multiTable.VirtualImport):
2110         (const.wasmModuleWhichImportJS): Deleted.
2111         (const.makeTable): Deleted.
2112         (): Deleted.
2113         (Polyphic2Import): Deleted.
2114         (VirtualImport): Deleted.
2115         * wasm/js-api/table.js:
2116         (new.WebAssembly.Module):
2117         (assert.throws):
2118         (assertBadTableImport):
2119         (assert.truthy):
2120         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2121         * wasm/references/anyref_table.js:
2122         * wasm/references/anyref_table_import.js:
2123         (makeImport):
2124         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2125         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2126         * wasm/references/func_ref.js:
2127         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2128         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2129         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2130         * wasm/references/multitable.js: Added.
2131         (assert.throws.1.exports.set_tbl0):
2132         (assert.throws):
2133         (assert.eq):
2134         (string_appeared_here.tableInsanity):
2135         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2136         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2137         * wasm/references/validation.js:
2138         (assert.throws.new.WebAssembly.Module.bin):
2139         (assert.throws):
2140         * wasm/spec-tests/imports.wast.js:
2141         * wasm/wasm.json:
2142
2143 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2144
2145         [ESNExt] String.prototype.matchAll
2146         https://bugs.webkit.org/show_bug.cgi?id=186694
2147
2148         Reviewed by Yusuke Suzuki.
2149
2150         Implement String.prototype.matchAll.
2151         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2152
2153         * test262/config.yaml:
2154
2155 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2156
2157         DFG code should not reify the names of builtin functions with private names
2158         https://bugs.webkit.org/show_bug.cgi?id=198849
2159         <rdar://problem/51733890>
2160
2161         Reviewed by Filip Pizlo.
2162
2163         * stress/builtin-private-function-name.js: Added.
2164         (then):
2165         (PromiseLike):
2166
2167 2019-06-18  Keith Miller  <keith_miller@apple.com>
2168
2169         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2170         https://bugs.webkit.org/show_bug.cgi?id=198969
2171         <rdar://problem/51620714>
2172
2173         Reviewed by Tadeu Zagallo.
2174
2175         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2176         (catch):
2177
2178 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2179
2180         Validate that table element type is funcref if using an element section
2181         https://bugs.webkit.org/show_bug.cgi?id=198910
2182
2183         Reviewed by Yusuke Suzuki.
2184
2185         * wasm/references/anyref_table.js:
2186
2187 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2188
2189         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2190         https://bugs.webkit.org/show_bug.cgi?id=197378
2191
2192         Reviewed by Saam Barati.
2193
2194         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2195         (foo):
2196         (bar):
2197         * stress/disposable-call-site-index.js: Added.
2198         (foo):
2199         (bar):
2200
2201 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2202
2203         [WASM-References] Add support for Funcref in parameters and return types
2204         https://bugs.webkit.org/show_bug.cgi?id=198157
2205
2206         Reviewed by Yusuke Suzuki.
2207
2208         * wasm/Builder.js:
2209         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2210         * wasm/references/anyref_globals.js:
2211         * wasm/references/func_ref.js: Added.
2212         (fullGC.gc.makeExportedFunction):
2213         (makeExportedIdent):
2214         (makeAnyfuncIdent):
2215         (fun):
2216         (assert.eq.instance.exports.fix.fun):
2217         (assert.eq.instance.exports.fix):
2218         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2219         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2220         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2221         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2222         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2223         (assert.throws):
2224         (assert.throws.doTest):
2225         (let.importedFun.of):
2226         (makeAnyfuncIdent.fun):
2227         * wasm/references/validation.js:
2228         (assert.throws):
2229         * wasm/wasm.json:
2230
2231 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2232
2233         Update test262 tests (2019.06.13)
2234         https://bugs.webkit.org/show_bug.cgi?id=198821
2235
2236         Reviewed by Konstantin Tokarev.
2237
2238         * test262/expectations.yaml:
2239         * test262/harness/:
2240         * test262/latest-changes-summary.txt:
2241         * test262/test/:
2242         * test262/test262-Revision.txt:
2243
2244 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2245
2246         [JSC] Grown region of WasmTable should be initialized with null
2247         https://bugs.webkit.org/show_bug.cgi?id=198903
2248
2249         Reviewed by Saam Barati.
2250
2251         * wasm/stress/wasm-table-grow-initialize.js: Added.
2252         (shouldBe):
2253
2254 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2255
2256         Yarr bytecode compilation failure should be gracefully handled
2257         https://bugs.webkit.org/show_bug.cgi?id=198700
2258
2259         Reviewed by Michael Saboff.
2260
2261         * stress/regexp-bytecode-compilation-fail.js: Added.
2262         (shouldThrow):
2263
2264 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2265
2266         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2267         https://bugs.webkit.org/show_bug.cgi?id=198770
2268
2269         Reviewed by Saam Barati.
2270
2271         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2272         (test):
2273
2274 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2275
2276         JSC should throw if proxy set returns falsish in strict mode context
2277         https://bugs.webkit.org/show_bug.cgi?id=177398
2278
2279         Reviewed by Yusuke Suzuki.
2280
2281         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2282         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2283
2284         * stress/proxy-set.js: Add 2 test cases.
2285         * stress/regexp-match-proxy.js: Fix test.
2286         * stress/regexp-replace-proxy.js: Fix test.
2287
2288 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2289
2290         Error message for non-callable Proxy `construct` trap is misleading
2291         https://bugs.webkit.org/show_bug.cgi?id=198637
2292
2293         Reviewed by Saam Barati.
2294
2295         * stress/proxy-construct.js:
2296
2297 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2298
2299         AI BitURShift's result should not be unsigned
2300         https://bugs.webkit.org/show_bug.cgi?id=198689
2301         <rdar://problem/51550063>
2302
2303         Reviewed by Saam Barati.
2304
2305         * stress/urshift-int32-overflow.js: Added.
2306         (foo.):
2307         (foo):
2308
2309 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2310
2311         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2312
2313         Unreviewed gardening.
2314
2315         * stress/ftl-gettypedarrayoffset-wasteful.js:
2316         Skipped on arm/linux as it always times out on the bot since a change
2317         between r246270 and r246278 inclusive.
2318
2319 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2320
2321         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2322         https://bugs.webkit.org/show_bug.cgi?id=198023
2323
2324         Reviewed by Saam Barati.
2325
2326         * stress/reparsing-unlinked-codeblock.js: Added.
2327         (shouldBe):
2328         (hello):
2329
2330 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2331
2332         [JSC] Use mergePrediction in ValuePow prediction propagation
2333         https://bugs.webkit.org/show_bug.cgi?id=198648
2334
2335         Reviewed by Saam Barati.
2336
2337         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2338
2339 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2340
2341         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2342         https://bugs.webkit.org/show_bug.cgi?id=198581
2343         <rdar://problem/51099753>
2344
2345         Reviewed by Saam Barati.
2346
2347         * stress/global-object-proto-getter.js: Added.
2348         (f):
2349         (test):
2350
2351 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2352
2353         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2354         https://bugs.webkit.org/show_bug.cgi?id=198398
2355
2356         Reviewed by Saam Barati.
2357
2358         * wasm/references/anyref_table.js: Added.
2359         (string_appeared_here.doGCSet):
2360         (doGCTest):
2361         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2362         * wasm/references/anyref_table_import.js: Added.
2363         (makeImport):
2364         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2365         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2366         * wasm/references/is_null_error.js: Removed.
2367         * wasm/references/validation.js: Added.
2368         (assert.throws.new.WebAssembly.Module.bin):
2369         (assert.throws):
2370         * wasm/wasm.json:
2371
2372 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2373
2374         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2375         https://bugs.webkit.org/show_bug.cgi?id=198106
2376
2377         Reviewed by Saam Barati.
2378
2379         * wasm/regress/selectf64.js: Added.
2380         * wasm/regress/selectf64.wasm: Added.
2381         * wasm/regress/selectf64.wat: Added.
2382
2383 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2384
2385         Argument elimination should check transitive dependents for interference
2386         https://bugs.webkit.org/show_bug.cgi?id=198520
2387         <rdar://problem/50863343>
2388
2389         Reviewed by Filip Pizlo.
2390
2391         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2392         (f2):
2393         (f3):
2394
2395 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2396
2397         Argument elimination should check for negative indices in GetByVal
2398         https://bugs.webkit.org/show_bug.cgi?id=198302
2399         <rdar://problem/51188095>
2400
2401         Reviewed by Filip Pizlo.
2402
2403         * stress/eliminate-arguments-negative-rest-access.js: Added.
2404         (inlinee):
2405         (opt):
2406
2407 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2408
2409         [ESNext][BigInt] Implement support for "**"
2410         https://bugs.webkit.org/show_bug.cgi?id=190799
2411
2412         Reviewed by Saam Barati.
2413
2414         * stress/big-int-exp-basic.js: Added.
2415         * stress/big-int-exp-jit-osr.js: Added.
2416         * stress/big-int-exp-jit-untyped.js: Added.
2417         * stress/big-int-exp-jit.js: Added.
2418         * stress/big-int-exp-negative-exponent.js: Added.
2419         * stress/big-int-exp-to-primitive.js: Added.
2420         * stress/big-int-exp-type-error.js: Added.
2421         * stress/big-int-exp-wrapped-value.js: Added.
2422         * stress/value-pow-ai-rule.js: Added.
2423
2424 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2425
2426         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2427         https://bugs.webkit.org/show_bug.cgi?id=197979
2428
2429         Reviewed by Filip Pizlo.
2430
2431         * stress/16bit-code.js: Added.
2432         (shouldBe):
2433         * stress/32bit-code.js: Added.
2434         (shouldBe):
2435
2436 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2437
2438         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2439         https://bugs.webkit.org/show_bug.cgi?id=198355
2440
2441         Reviewed by Saam Barati.
2442
2443         * wasm/references/is_null.js:
2444
2445 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2446
2447         [PlayStation] Skip additional tests on PlayStation
2448         https://bugs.webkit.org/show_bug.cgi?id=198352
2449
2450         Reviewed by Don Olmstead.
2451
2452         Skip pow test on PlayStation due to behavior difference in standard library.
2453         Skip incremental marking test due to OOM on PlayStation systems.
2454
2455         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2456         * stress/math-pow-with-constants.js:
2457         * stress/pow-with-constants.js:
2458
2459 2019-05-28  Dean Jackson  <dino@apple.com>
2460
2461         Implement Promise.allSettled
2462         https://bugs.webkit.org/show_bug.cgi?id=197600
2463         <rdar://problem/50483885>
2464
2465         Reviewed by Keith Miller.
2466
2467         Start testing Promise.allSettled. We pass most of the tests.
2468         The ones that fail are similar to the Promise.all tests we already fail.
2469
2470         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2471         * test262/expectations.yaml: Add new expectations for allSettled tests.
2472
2473 2019-05-28  Michael Saboff  <msaboff@apple.com>
2474
2475         [YARR] Properly handle RegExp's that require large ParenContext space
2476         https://bugs.webkit.org/show_bug.cgi?id=198065
2477
2478         Reviewed by Keith Miller.
2479
2480         New test.
2481
2482         * stress/regexp-large-paren-context.js: Added.
2483         (testLargeRegExp):
2484
2485 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2486
2487         JITOperations putByVal should mark negative array indices as out-of-bounds
2488         https://bugs.webkit.org/show_bug.cgi?id=198271
2489
2490         Reviewed by Saam Barati.
2491
2492         * microbenchmarks/get-by-val-negative-array-index.js:
2493         (foo):
2494         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2495         is 4.2x faster than the previous commit.
2496
2497         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2498         (foo):
2499
2500 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2501
2502         JITOperations getByVal should mark negative array indices as out-of-bounds
2503         https://bugs.webkit.org/show_bug.cgi?id=198229
2504
2505         Reviewed by Saam Barati.
2506
2507         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2508         (foo):
2509
2510 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2511
2512         [WASM-References] Support Anyref in globals
2513         https://bugs.webkit.org/show_bug.cgi?id=198102
2514
2515         Reviewed by Saam Barati.
2516
2517         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2518
2519         * wasm/Builder.js:
2520         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2521         * wasm/Builder_WebAssemblyBinary.js:
2522         (const.putInitExpr):
2523         * wasm/references/anyref_globals.js: Added.
2524         (GetGlobal.0.End.End.WebAssembly):
2525         (5.doGCSet):
2526         (doGCTest):
2527         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2528
2529 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2530
2531         DFG::OSREntry should not perform arity check
2532         https://bugs.webkit.org/show_bug.cgi?id=198189
2533
2534         Reviewed by Saam Barati.
2535
2536         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2537         (foo):
2538
2539 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2540
2541         [PlayStation] Skip additional tests on PlayStation
2542         https://bugs.webkit.org/show_bug.cgi?id=198145
2543
2544         Reviewed by Ross Kirsling.
2545
2546         * exceptionFuzz.yaml:
2547         Add skip on hostOS playstation
2548         * executableAllocationFuzz.yaml:
2549         Add skip on hostOS playstation
2550
2551 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2552
2553         createListFromArrayLike should throw if value is not an object
2554         https://bugs.webkit.org/show_bug.cgi?id=198138
2555
2556         Reviewed by Yusuke Suzuki.
2557
2558         * stress/create-list-from-array-like-not-object.js: Added.
2559         (testValid):
2560         (testInvalid):
2561         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2562         (opt):
2563         * stress/proxy-proto-enumerator.js: Added.
2564         (main):
2565         * stress/proxy-proto-own-keys.js: Added.
2566         (assert):
2567         (ownKeys):
2568
2569 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2570
2571         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2572         https://bugs.webkit.org/show_bug.cgi?id=197809
2573
2574         Reviewed by Michael Saboff.
2575
2576         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2577         (foo):
2578
2579 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2580
2581         [ESNext] Implement support for Numeric Separators
2582         https://bugs.webkit.org/show_bug.cgi?id=196351
2583
2584         Reviewed by Keith Miller.
2585
2586         * stress/numeric-literal-separators.js: Added.
2587         Add tests for feature.
2588
2589         * test262/expectations.yaml:
2590         Mark 60 test cases as passing.
2591
2592 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2593
2594         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2595         https://bugs.webkit.org/show_bug.cgi?id=198120
2596         <rdar://problem/49668795>
2597
2598         Reviewed by Michael Saboff.
2599
2600         * stress/get-array-length-concurrently-change-mode.js: Added.
2601         (main):
2602
2603 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2604
2605         Unreviewed, rolling out r245634.
2606         https://bugs.webkit.org/show_bug.cgi?id=198140
2607
2608         'This patch makes JSC crash on launch in debug builds'
2609         (Requested by tadeuzagallo on #webkit).
2610
2611         Reverted changeset:
2612
2613         "[ESNext] Implement support for Numeric Separators"
2614         https://bugs.webkit.org/show_bug.cgi?id=196351
2615         https://trac.webkit.org/changeset/245634
2616
2617 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2618
2619         Stack-buffer-overflow in decodeURIComponent
2620         https://bugs.webkit.org/show_bug.cgi?id=198109
2621         <rdar://problem/50397550>
2622
2623         Reviewed by Michael Saboff.
2624
2625         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2626         (i.j.try.i.toString):
2627         (i.j.catch):
2628
2629 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2630
2631         Don't clear PropertyNameArray in Proxy code
2632         https://bugs.webkit.org/show_bug.cgi?id=197691
2633
2634         Reviewed by Saam Barati.
2635
2636         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2637         (shouldBe):
2638         (opt):
2639
2640 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2641
2642         [ESNext] Implement support for Numeric Separators
2643         https://bugs.webkit.org/show_bug.cgi?id=196351
2644
2645         Reviewed by Keith Miller.
2646
2647         * stress/numeric-literal-separators.js: Added.
2648         Add tests for feature.
2649
2650         * test262/expectations.yaml:
2651         Mark 60 test cases as passing.
2652
2653 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2654
2655         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2656         https://bugs.webkit.org/show_bug.cgi?id=198101
2657
2658         Reviewed by Michael Saboff.
2659
2660         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2661         (shouldBe):
2662
2663 2019-05-20  Keith Miller  <keith_miller@apple.com>
2664
2665         Cleanup Yarr regexp code around paren contexts.
2666         https://bugs.webkit.org/show_bug.cgi?id=198063
2667
2668         Reviewed by Yusuke Suzuki.
2669
2670         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2671         (i.s):
2672         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2673
2674 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2675
2676         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2677         https://bugs.webkit.org/show_bug.cgi?id=197969
2678
2679         Reviewed by Keith Miller.
2680
2681         Support the anyref type in Builder.js, plus add some extra error logging.
2682         Add new folder for wasm references tests.
2683
2684         * wasm.yaml:
2685         * wasm/Builder.js:
2686         (const._isValidValue):
2687         * wasm/references/anyref_modules.js: Added.
2688         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2689         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2690         (Call.3.RefIsNull.End.End.WebAssembly):
2691         (undefined):
2692         * wasm/references/is_null.js: Added.
2693         * wasm/references/is_null_error.js: Added.
2694         * wasm/spec-harness/index.js:
2695         * wasm/wasm.json:
2696
2697 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2698
2699         [JSC] Invalid AssignmentTargetType should be an early error.
2700         https://bugs.webkit.org/show_bug.cgi?id=197603
2701
2702         Reviewed by Keith Miller.
2703
2704         * test262/expectations.yaml:
2705         Update expectations to reflect new SyntaxErrors.
2706         (Ideally, these should all be viewed as passing in the near future.)
2707
2708         * stress/async-await-basic.js:
2709         * stress/big-int-literals.js:
2710         Update tests to reflect new SyntaxErrors.
2711
2712         * ChakraCore.yaml:
2713         * ChakraCore/test/EH/try6.baseline-jsc:
2714         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2715         Update baselines to reflect new SyntaxErrors.
2716
2717 2019-05-15  Saam Barati  <sbarati@apple.com>
2718
2719         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2720         https://bugs.webkit.org/show_bug.cgi?id=197855
2721         <rdar://problem/50236506>
2722
2723         Reviewed by Michael Saboff.
2724
2725         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2726         (f0):
2727         (bar):
2728         (foo):
2729         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2730         (f1):
2731         (f2):
2732         (foo):
2733
2734 2019-05-14  Keith Miller  <keith_miller@apple.com>
2735
2736         Fix issue with byteOffset on ARM64E
2737         https://bugs.webkit.org/show_bug.cgi?id=197884
2738
2739         Reviewed by Saam Barati.
2740
2741         We didn't have any tests that run with non-byte/non-zero offset
2742         typed arrays.
2743
2744         * stress/ftl-gettypedarrayoffset-wasteful.js:
2745
2746 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2747
2748         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2749         https://bugs.webkit.org/show_bug.cgi?id=197833
2750
2751         Reviewed by Darin Adler.
2752
2753         * stress/generator-name.js: Added.
2754         (shouldBe):
2755         (gen):
2756         (catch):
2757
2758 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2759
2760         JSObject::getOwnPropertyDescriptor is missing an exception check
2761         https://bugs.webkit.org/show_bug.cgi?id=197693
2762         <rdar://problem/50441784>
2763
2764         Reviewed by Saam Barati.
2765
2766         * stress/proxy-spread.js: Added.
2767         (foo):
2768
2769 2019-05-10  Saam barati  <sbarati@apple.com>
2770
2771         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2772         https://bugs.webkit.org/show_bug.cgi?id=197807
2773         <rdar://problem/50530400>
2774
2775         Reviewed by Yusuke Suzuki.
2776
2777         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2778         (test.getInstance):
2779         (test):
2780
2781 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2782
2783         [Test262] Unreviewed expectations update following r245188.
2784
2785         * test262/config.yaml:
2786         * test262/expectations.yaml:
2787
2788         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2789         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2790         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2791         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2792         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2793         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2794         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2795         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2796         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2797         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2798         These files have invalid YAML comments. Will also submit corrections back to Test262.
2799
2800 2019-05-10  Keith Miller  <keith_miller@apple.com>
2801
2802         Update test262 tests.
2803
2804         Rubber-stamped by Yusuke Suzuki.
2805
2806         * test262/*: mega-patch too many things to list individually.
2807
2808 2019-05-09  Keith Miller  <keith_miller@apple.com>
2809
2810         Unreview, fix test to have a try-catch.
2811
2812         * stress/many-nested-functions-parser-stack-overflow.js:
2813         (catch):
2814
2815 2019-05-09  Keith Miller  <keith_miller@apple.com>
2816
2817         parseStatementListItem needs a stack overflow check
2818         https://bugs.webkit.org/show_bug.cgi?id=197749
2819
2820         Reviewed by Saam Barati.
2821
2822         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2823
2824 2019-05-08  Saam barati  <sbarati@apple.com>
2825
2826         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2827         https://bugs.webkit.org/show_bug.cgi?id=197715
2828         <rdar://problem/50399252>
2829
2830         Reviewed by Filip Pizlo.
2831
2832         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2833         (foo):
2834         (bar):
2835
2836 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2837
2838         Unreviewed, rolling out r245068.
2839
2840         Caused debug layout tests to exit early due to an assertion
2841         failure.
2842
2843         Reverted changeset:
2844
2845         "All prototypes should call didBecomePrototype()"
2846         https://bugs.webkit.org/show_bug.cgi?id=196315
2847         https://trac.webkit.org/changeset/245068
2848
2849 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2850
2851         Invalid DFG JIT genereation in high CPU usage state
2852         https://bugs.webkit.org/show_bug.cgi?id=197453
2853
2854         Reviewed by Saam Barati.
2855
2856         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2857         (trigger):
2858         (main):
2859
2860 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2861
2862         All prototypes should call didBecomePrototype()
2863         https://bugs.webkit.org/show_bug.cgi?id=196315
2864
2865         Reviewed by Saam Barati.
2866
2867         This changelog already landed, but the commit was missing the actual changes.
2868
2869         * stress/function-prototype-indexed-accessor.js: Added.
2870
2871 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2872
2873         [BigInt] Add ValueMod into DFG
2874         https://bugs.webkit.org/show_bug.cgi?id=186174
2875
2876         Reviewed by Saam Barati.
2877
2878         * microbenchmarks/mod-untyped.js: Added.
2879         * stress/big-int-mod-osr.js: Added.
2880         * stress/value-div-ai-rule.js: Added.
2881         * stress/value-mod-ai-rule.js: Added.
2882
2883 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2884
2885         [JSC] DFG_ASSERT failed in lowInt52
2886         https://bugs.webkit.org/show_bug.cgi?id=197569
2887
2888         Reviewed by Saam Barati.
2889
2890         * stress/getstack-int52.js: Added.
2891         (opt):
2892         (main):
2893
2894 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2895
2896         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2897         https://bugs.webkit.org/show_bug.cgi?id=197479
2898
2899         Reviewed by Saam Barati.
2900
2901         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2902         (shouldBe):
2903
2904 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2905
2906         TemplateObject passed to template literal tags are not always identical for the same source location.
2907         https://bugs.webkit.org/show_bug.cgi?id=190756
2908
2909         Reviewed by Saam Barati.
2910
2911         * complex.yaml:
2912         * complex/tagged-template-regeneration-after.js: Added.
2913         (shouldBe):
2914         * complex/tagged-template-regeneration.js: Added.
2915         (call):
2916         (test):
2917         * modules/tagged-template-inside-module.js: Added.
2918         (from.string_appeared_here.call):
2919         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2920         (call):
2921         (export.otherTaggedTemplates):
2922         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2923         (shouldBe):
2924         (call):
2925         (poly):
2926         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2927         (shouldBe):
2928         (call):
2929         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2930         (shouldBe):
2931         (call):
2932         (test):
2933         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2934         (shouldBe):
2935         (call):
2936         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2937         (shouldBe):
2938         (call):
2939         * stress/tagged-templates-in-multiple-functions.js: Added.
2940         (shouldBe):
2941         (call):
2942         (a):
2943         (b):
2944         (c):
2945         * stress/tagged-templates-with-same-start-offset.js: Added.
2946         (shouldBe):
2947
2948 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2949
2950         All prototypes should call didBecomePrototype()
2951         https://bugs.webkit.org/show_bug.cgi?id=196315
2952
2953         Reviewed by Saam Barati.
2954
2955         * stress/function-prototype-indexed-accessor.js: Added.
2956
2957 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2958
2959         Unreviewed, rolling out r244978.
2960         https://bugs.webkit.org/show_bug.cgi?id=197671
2961
2962         TemplateObject map should use start/end offsets (Requested by
2963         yusukesuzuki on #webkit).
2964
2965         Reverted changeset:
2966
2967         "TemplateObject passed to template literal tags are not always
2968         identical for the same source location."
2969         https://bugs.webkit.org/show_bug.cgi?id=190756
2970         https://trac.webkit.org/changeset/244978
2971
2972 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2973
2974         tryCachePutByID should not crash if target offset changes
2975         https://bugs.webkit.org/show_bug.cgi?id=197311
2976         <rdar://problem/48033612>
2977
2978         Reviewed by Filip Pizlo.
2979
2980         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
2981         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
2982
2983         * stress/cache-put-by-id-delete-prototype.js: Added.
2984         (A.prototype.set y):
2985         (A):
2986         (B.prototype.set y):
2987         (B):
2988         (C):
2989         * stress/cache-put-by-id-different-__proto__.js: Added.
2990         (A.prototype.set y):
2991         (A):
2992         (B1):
2993         (B2.prototype.set y):
2994         (B2):
2995         (C):
2996         (D):
2997         * stress/cache-put-by-id-different-attributes.js: Added.
2998         (Foo):
2999         (set x):
3000         * stress/cache-put-by-id-different-offset.js: Added.
3001         (Foo):
3002         (set x):
3003         * stress/cache-put-by-id-insert-prototype.js: Added.
3004         (A.prototype.set y):
3005         (A):
3006         (C):
3007         * stress/cache-put-by-id-poly-proto.js: Added.
3008         (Foo):
3009         (set _):
3010         (createBar.Bar):
3011         (createBar):
3012
3013 2019-05-07  Saam Barati  <sbarati@apple.com>
3014
3015         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3016         https://bugs.webkit.org/show_bug.cgi?id=197531
3017         <rdar://problem/50162379>
3018
3019         Reviewed by Yusuke Suzuki.
3020
3021         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3022
3023 2019-05-06  Dean Jackson  <dino@apple.com>
3024
3025         Update test262 expectations for Proxy passes
3026         https://bugs.webkit.org/show_bug.cgi?id=197628
3027
3028         Reviewed by Yusuke Suzuki.
3029
3030         There are two consistent passes in Proxy.ownKeys.
3031
3032         * test262/expectations.yaml:
3033
3034 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3035
3036         [JSC] We should check OOM for description string of Symbol
3037         https://bugs.webkit.org/show_bug.cgi?id=197634
3038
3039         Reviewed by Keith Miller.
3040
3041         * stress/check-symbol-description-oom.js: Added.
3042         (shouldThrow):
3043
3044 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3045
3046         Unreviewed, land one more test
3047         https://bugs.webkit.org/show_bug.cgi?id=197587
3048
3049         * stress/setter-frame-flush.js: Added.
3050         (setter):
3051         (foo):
3052         (bar):
3053
3054 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3055
3056         TemplateObject passed to template literal tags are not always identical for the same source location.
3057         https://bugs.webkit.org/show_bug.cgi?id=190756
3058
3059         Reviewed by Saam Barati.
3060
3061         * complex.yaml:
3062         * complex/tagged-template-regeneration-after.js: Added.
3063         (shouldBe):
3064         * complex/tagged-template-regeneration.js: Added.
3065         (call):
3066         (test):
3067         * modules/tagged-template-inside-module.js: Added.
3068         (from.string_appeared_here.call):
3069         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3070         (call):
3071         (export.otherTaggedTemplates):
3072         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3073         (shouldBe):
3074         (call):
3075         (poly):
3076         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3077         (shouldBe):
3078         (call):
3079         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3080         (shouldBe):
3081         (call):
3082         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3083         (shouldBe):
3084         (call):
3085         * stress/tagged-templates-in-multiple-functions.js: Added.
3086         (shouldBe):
3087         (call):
3088         (a):
3089         (b):
3090         (c):
3091
3092 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3093
3094         [PlayStation] JSC Stress tests failing due to timezone printing
3095         https://bugs.webkit.org/show_bug.cgi?id=197615
3096
3097         PlayStation's strftime does not give timezone strings, which
3098         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3099         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3100         which causes diff failures with the expectations. Add expectations
3101         without the timezone string and use those on playstation.
3102
3103         Reviewed by Ross Kirsling.
3104
3105         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3106         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3107         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3108         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3109
3110 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3111
3112         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3113         https://bugs.webkit.org/show_bug.cgi?id=197587
3114
3115         Reviewed by Sam Weinig.
3116
3117         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3118
3119         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3120
3121 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3122
3123         TypedArrays should not store properties that are canonical numeric indices
3124         https://bugs.webkit.org/show_bug.cgi?id=197228
3125         <rdar://problem/49557381>
3126
3127         Reviewed by Saam Barati.
3128
3129         * stress/array-species-config-array-constructor.js:
3130         (test):
3131         * stress/put-direct-index-broken-2.js:
3132         * stress/typed-array-canonical-numeric-index-string.js: Added.
3133         (makeTest.assert):
3134         (makeTest):
3135         (const.testInvalidIndices.makeTest.set assert):
3136         (const.testInvalidIndices.makeTest):
3137         (const.makeTestValidIndex.configurable.set assert):
3138         (const.makeTestValidIndex.configurable):
3139         * stress/typedarray-access-monomorphic-neutered.js:
3140         (checkNoException):
3141         (testNoException):
3142         (testFTLNoException):
3143         * stress/typedarray-access-neutered.js:
3144         (testNoException):
3145         * stress/typedarray-getownproperty-not-configurable.js:
3146         (foo):
3147         * test262/expectations.yaml:
3148
3149 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3150
3151         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3152         https://bugs.webkit.org/show_bug.cgi?id=197584
3153
3154         Reviewed by Saam Barati.
3155
3156         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3157         (X):
3158         (foo):
3159
3160 2019-05-03  Michael Saboff  <msaboff@apple.com>
3161
3162         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3163         https://bugs.webkit.org/show_bug.cgi?id=197586
3164
3165         Reviewed by Keith Miller.
3166
3167         We should only run one config of this test and only when we think we'll have the memory.
3168
3169         * stress/json-stringify-string-builder-overflow.js:
3170
3171 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3172
3173         [JSC] Generator CodeBlock generation should be idempotent
3174         https://bugs.webkit.org/show_bug.cgi?id=197552
3175
3176         Reviewed by Keith Miller.
3177
3178         Add complex.yaml, which controls how to run JSC shell more.
3179         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3180
3181         * complex.yaml: Added.
3182         * complex/generator-regeneration-after.js: Added.
3183         * complex/generator-regeneration.js: Added.
3184         (gen):
3185
3186 2019-05-02  Michael Saboff  <msaboff@apple.com>
3187
3188         Unreviewed rollout of r244862.
3189
3190         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3191
3192 2019-05-01  Saam barati  <sbarati@apple.com>
3193
3194         Baseline JIT should do argument value profiling after checking for stack overflow
3195         https://bugs.webkit.org/show_bug.cgi?id=197052
3196         <rdar://problem/50009602>
3197
3198         Reviewed by Yusuke Suzuki.
3199
3200         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3201
3202 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3203
3204         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3205         https://bugs.webkit.org/show_bug.cgi?id=197405
3206
3207         Reviewed by Saam Barati.
3208
3209         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3210         (foo):
3211         (test):
3212         (i.o.get f):
3213         (i.o.set f):
3214
3215 2019-05-01  Michael Saboff  <msaboff@apple.com>
3216
3217         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3218         https://bugs.webkit.org/show_bug.cgi?id=197485
3219
3220         Reviewed by Saam Barati.
3221
3222         New test.
3223
3224         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3225         (foo):
3226
3227 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3228
3229         Unreviewed correction to Test262 expectations following r244828.
3230
3231         * test262/expectations.yaml:
3232
3233 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3234
3235         Add memory-limited skipping to some tests generating very large strings
3236         https://bugs.webkit.org/show_bug.cgi?id=197437
3237
3238         Reviewed by Ross Kirsling.
3239
3240         * stress/StringObject-define-length-getter-rope-string-oom.js:
3241         * stress/create-error-out-of-memory-rope-string.js:
3242         * stress/string-16bit-repeat-overflow.js:
3243
3244 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3245
3246         Unreviewed, rolling out r244806.
3247         https://bugs.webkit.org/show_bug.cgi?id=197446
3248
3249         Causing Test262 and JSC test failures on multiple builds
3250         (Requested by ShawnRoberts on #webkit).
3251
3252         Reverted changeset:
3253
3254         "TypeArrays should not store properties that are canonical
3255         numeric indices"
3256         https://bugs.webkit.org/show_bug.cgi?id=197228
3257         https://trac.webkit.org/changeset/244806
3258
3259 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3260
3261         TypeArrays should not store properties that are canonical numeric indices
3262         https://bugs.webkit.org/show_bug.cgi?id=197228
3263         <rdar://problem/49557381>
3264
3265         Reviewed by Darin Adler.
3266
3267         * stress/typed-array-canonical-numeric-index-string.js: Added.
3268         (makeTest.assert):
3269         (makeTest):
3270         (const.testInvalidIndices.makeTest.set assert):
3271         (const.testInvalidIndices.makeTest):
3272         (const.testValidIndices.makeTest.set assert):
3273         (const.testValidIndices.makeTest):
3274
3275 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3276
3277         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3278         https://bugs.webkit.org/show_bug.cgi?id=197362
3279
3280         Reviewed by Saam Barati.
3281
3282         * stress/map-with-nan.js: Added.
3283         (shouldBe):
3284         (div):
3285         (NaN1):
3286         (NaN2):
3287         (NaN3):
3288         (NaN4):
3289         (NaN1NoInline):
3290         (NaN2NoInline):
3291         (NaN3NoInline):
3292         (NaN4NoInline):
3293         (test1):
3294         (test2):
3295         (test3):
3296         (test4):
3297         * stress/set-with-nan.js: Added.
3298         (shouldBe):
3299         (div):
3300         (NaN1):
3301         (NaN2):
3302         (NaN3):
3303         (NaN4):
3304         (NaN1NoInline):
3305         (NaN2NoInline):
3306         (NaN3NoInline):
3307         (NaN4NoInline):
3308         (test2):
3309         (test4):
3310
3311 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3312
3313         Unreviewed, rolling out r244708.
3314         https://bugs.webkit.org/show_bug.cgi?id=197334
3315
3316         "Broke the debug build" (Requested by rmorisset on #webkit).
3317
3318         Reverted changeset:
3319
3320         "All prototypes should call didBecomePrototype()"
3321         https://bugs.webkit.org/show_bug.cgi?id=196315
3322         https://trac.webkit.org/changeset/244708
3323
3324 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3325
3326         [JSC] linkPolymorphicCall now does GC
3327         https://bugs.webkit.org/show_bug.cgi?id=197306
3328
3329         Reviewed by Saam Barati.
3330
3331         * stress/link-polymorphic-call-can-gc.js: Added.
3332         (module):
3333         (instance):
3334
3335 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3336
3337         All prototypes should call didBecomePrototype()
3338         https://bugs.webkit.org/show_bug.cgi?id=196315
3339
3340         Reviewed by Saam Barati.
3341
3342         * stress/function-prototype-indexed-accessor.js: Added.
3343
3344 2019-04-23  Saam Barati  <sbarati@apple.com>
3345
3346         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3347         https://bugs.webkit.org/show_bug.cgi?id=196721
3348         <rdar://problem/49556479> 
3349
3350         Reviewed by Filip Pizlo.
3351
3352         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3353         (foo):
3354
3355 2019-04-19  Saam Barati  <sbarati@apple.com>
3356
3357         AbstractValue can represent more than int52
3358         https://bugs.webkit.org/show_bug.cgi?id=197118
3359         <rdar://problem/49969960>
3360
3361         Reviewed by Michael Saboff.
3362
3363         * stress/abstract-value-can-include-int52.js: Added.
3364         (foo):
3365         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3366
3367 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3368
3369         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3370         https://bugs.webkit.org/show_bug.cgi?id=197053
3371
3372         Reviewed by Saam Barati.
3373
3374         * stress/merge-string-builder-in-dfg.js: Added.
3375         (foo):
3376
3377 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3378
3379         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3380         https://bugs.webkit.org/show_bug.cgi?id=176810
3381
3382         Reviewed by Saam Barati.
3383
3384         Add tests for the DontEnum filtering, and variations of other tests
3385         take the DontEnum-filtering path.
3386
3387         * stress/proxy-own-keys.js:
3388         (i.catch):
3389         (set assert):
3390         (set add):
3391         (let.set new):
3392         (get let):
3393
3394 2019-04-15  Saam barati  <sbarati@apple.com>
3395
3396         Modify how we do SetArgument when we inline varargs calls
3397         https://bugs.webkit.org/show_bug.cgi?id=196712
3398         <rdar://problem/49605012>
3399
3400         Reviewed by Michael Saboff.
3401
3402         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3403         (foo):
3404
3405 2019-04-15  Saam barati  <sbarati@apple.com>
3406
3407         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3408         https://bugs.webkit.org/show_bug.cgi?id=196945
3409         <rdar://problem/49802750>
3410
3411         Reviewed by Filip Pizlo.
3412
3413         * stress/get-by-offset-should-use-correct-child.js: Added.
3414         (foo.bar):
3415         (foo):
3416
3417 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3418
3419         DFG should be able to constant fold Object.create() with a constant prototype operand
3420         https://bugs.webkit.org/show_bug.cgi?id=196886
3421
3422         Reviewed by Yusuke Suzuki.
3423
3424         Note that this new benchmark does not currently see a speedup with inlining removed.
3425         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3426
3427         * microbenchmarks/object-create-constant-prototype.js: Added.
3428         (test):
3429
3430 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3431
3432         Incremental bytecode cache should not append function updates when loaded from memory
3433         https://bugs.webkit.org/show_bug.cgi?id=196865
3434
3435         Reviewed by Filip Pizlo.
3436
3437         * stress/bytecode-cache-shared-code-block.js: Added.
3438         (b):
3439         (program):
3440
3441 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3442
3443         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3444         https://bugs.webkit.org/show_bug.cgi?id=196880
3445
3446         Reviewed by Yusuke Suzuki.
3447
3448         * stress/bytecode-cache-syntax-error.js: Added.
3449         (catch):
3450
3451 2019-04-12  Saam barati  <sbarati@apple.com>
3452
3453         r244079 logically broke shouldSpeculateInt52
3454         https://bugs.webkit.org/show_bug.cgi?id=196884
3455
3456         Reviewed by Yusuke Suzuki.
3457
3458         * microbenchmarks/int52-rand-function.js: Added.
3459         (Math.random):
3460
3461 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3462
3463         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3464         https://bugs.webkit.org/show_bug.cgi?id=196850
3465
3466         Reviewed by Saam Barati.
3467
3468         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3469         (foo):
3470
3471 2019-04-11  Saam barati  <sbarati@apple.com>
3472
3473         Remove invalid assertion in operationInstanceOfCustom
3474         https://bugs.webkit.org/show_bug.cgi?id=196842
3475         <rdar://problem/49725493>
3476
3477         Reviewed by Michael Saboff.
3478
3479         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3480
3481 2019-04-10  Saam Barati  <sbarati@apple.com>
3482
3483         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3484         https://bugs.webkit.org/show_bug.cgi?id=196801
3485         <rdar://problem/49771122>
3486
3487         Reviewed by Yusuke Suzuki.
3488
3489         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3490
3491 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3492
3493         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3494         https://bugs.webkit.org/show_bug.cgi?id=196746
3495
3496         Reviewed by Yusuke Suzuki.
3497
3498         * stress/cyclic-define-properties.js: Added.
3499         (foo):
3500
3501 2019-04-09  Saam barati  <sbarati@apple.com>
3502
3503         Clean up Int52 code and some bugs in it
3504         https://bugs.webkit.org/show_bug.cgi?id=196639
3505         <rdar://problem/49515757>
3506
3507         Reviewed by Yusuke Suzuki.
3508
3509         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3510
3511 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3512
3513         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3514         https://bugs.webkit.org/show_bug.cgi?id=196708
3515         <rdar://problem/49556803>
3516
3517         Reviewed by Yusuke Suzuki.
3518
3519         * stress/proxy-getter-stack-overflow.js: Added.
3520         (const.handler.get target):
3521         (const.handler.has):
3522         (try.with):
3523         (catch):
3524
3525 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3526
3527         [JSC] DFG should respect node's strict flag
3528         https://bugs.webkit.org/show_bug.cgi?id=196617
3529
3530         Reviewed by Saam Barati.
3531
3532         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3533         (shouldEqual):
3534         (makeUnwriteableUnconfigurableObject):
3535         (runTest):
3536         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3537         (shouldBe):
3538         (shouldThrow):
3539         (with.result):
3540         (with.putValueStrict):
3541         (with.putValueSloppy):
3542
3543 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3544
3545         [JSC] isRope jump in StringSlice should not jump over register allocations
3546         https://bugs.webkit.org/show_bug.cgi?id=196716
3547
3548         Reviewed by Saam Barati.
3549
3550         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3551         (foo.bar):
3552         (foo):
3553
3554 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3555
3556         [JSC] to_index_string should not assume incoming value is Uint32
3557         https://bugs.webkit.org/show_bug.cgi?id=196713
3558
3559         Reviewed by Saam Barati.
3560
3561         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
3562         (foo):
3563
3564 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3565
3566         [JSC] Add more tests for r243966
3567         https://bugs.webkit.org/show_bug.cgi?id=196711
3568
3569         Reviewed by Saam Barati.
3570
3571         Adding one more test for r243966 fix. The added test will not crash after r243966.
3572
3573         * stress/stress-cleared-calllinkinfo.js: Added.
3574         (runNearStackLimit.t):
3575         (runNearStackLimit):
3576         (repeat):
3577         (cls):
3578         (let.item.of.array.runNearStackLimit):
3579
3580 2019-04-08  Saam Barati  <sbarati@apple.com>
3581
3582         WebAssembly.RuntimeError missing exception check
3583         https://bugs.webkit.org/show_bug.cgi?id=196700
3584         <rdar://problem/49693932>
3585
3586         Reviewed by Yusuke Suzuki.
3587
3588         * wasm/js-api/runtime-error-should-exception-check.js: Added.
3589
3590 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3591
3592         Unreviewed, rolling in r243948 with test fix
3593         https://bugs.webkit.org/show_bug.cgi?id=196486
3594
3595         * stress/arrow-function-and-use-strict-directive.js: Added.
3596         * stress/arrow-function-syntax.js: Added.
3597         (checkSyntax):
3598         (checkSyntaxError):
3599
3600 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3601
3602         Unreviewed, rolling out r243948.
3603
3604         Caused inspector/runtime/parse.html to fail
3605
3606         Reverted changeset:
3607
3608         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
3609         https://bugs.webkit.org/show_bug.cgi?id=196486
3610         https://trac.webkit.org/changeset/243948
3611
3612 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3613
3614         Unreviewed, rolling out r243943.
3615
3616         Caused test262 failures.
3617
3618         Reverted changeset:
3619
3620         "[JSC] Filter DontEnum properties in
3621         ProxyObject::getOwnPropertyNames()"
3622         https://bugs.webkit.org/show_bug.cgi?id=176810
3623         https://trac.webkit.org/changeset/243943
3624
3625 2019-04-07  Michael Saboff  <msaboff@apple.com>
3626
3627         REGRESSION (r243642): Crash in reddit.com page
3628         https://bugs.webkit.org/show_bug.cgi?id=196684
3629
3630         Reviewed by Geoffrey Garen.
3631
3632         New regression test.
3633
3634         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
3635
3636 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
3637
3638         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
3639         https://bugs.webkit.org/show_bug.cgi?id=196683
3640
3641         Reviewed by Saam Barati.
3642
3643         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
3644         (foo):
3645
3646 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3647
3648         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
3649         https://bugs.webkit.org/show_bug.cgi?id=196582
3650
3651         Reviewed by Saam Barati.
3652
3653         * stress/add-overflow-check-with-three-same-registers.js: Added.
3654         (foo):
3655         (Number.prototype.valueOf):
3656         (runWithNumber):
3657
3658 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
3659
3660         Unreviewed, rolling out r243665.
3661
3662         Caused iOS JSC tests to exit with an exception.
3663
3664         Reverted changeset:
3665
3666         "Assertion failed in JSC::createError"
3667         https://bugs.webkit.org/show_bug.cgi?id=196305
3668         https://trac.webkit.org/changeset/243665
3669
3670 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3671
3672         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
3673         https://bugs.webkit.org/show_bug.cgi?id=196486
3674
3675         Reviewed by Saam Barati.
3676
3677         * stress/arrow-function-and-use-strict-directive.js: Added.
3678         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
3679         (checkSyntax):
3680         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
3681
3682 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3683
3684         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3685         https://bugs.webkit.org/show_bug.cgi?id=176810
3686
3687         Reviewed by Saam Barati.
3688
3689         Add tests for the DontEnum filtering, and variations of other tests
3690         take the DontEnum-filtering path.
3691
3692         * stress/proxy-own-keys.js:
3693         (i.catch):
3694         (set assert):
3695         (set add):
3696         (let.set new):
3697         (get let):
3698
3699 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3700
3701         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
3702         https://bugs.webkit.org/show_bug.cgi?id=185211
3703
3704         Reviewed by Saam Barati.
3705
3706         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
3707
3708         This changes several assertions to expect a TypeError to be thrown (in some cases,
3709         changing thee expected message).
3710
3711         * es6/Proxy_ownKeys_duplicates.js:
3712         (handler):