[JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
[WebKit-https.git] / JSTests / ChangeLog
1 2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
4         https://bugs.webkit.org/show_bug.cgi?id=202072
5
6         Reviewed by Mark Lam.
7
8         * stress/int52rep-with-double-checks-int52-range.js: Added.
9         (shouldBe):
10         (test):
11
12 2019-09-21  Caio Lima  <ticaiolima@gmail.com>
13
14         stress/test-out-of-memory.js is not throwing OOM into ARMv7 and MIPS
15         https://bugs.webkit.org/show_bug.cgi?id=202011
16
17         Reviewed by Mark Lam.
18
19         We are skipping this test into MIPS and ARMv7 because some of its assumptions
20         are not valid for them. The current behavior of the test in those architectures
21         is that it does not throw during `new ArrayBuffer(1000)` allocation site,
22         because eden collection keeps happening between iterations. The collection
23         is triggered on those architectures because the amount of stress 
24         `new Promise` generates into GC limits is not enough to avoid them
25         while loop is executing.
26
27         Changing the size of `UInt8Array` from `80000000` to `160000000` can
28         be an alternative fix to avoid collection happening during `ArrayBuffer`
29         allocation loop, but we can't guarantee this test is always going to execute
30         without error when Gigacage is disabled, given we can reach an OOM state in
31         some allocations that need to succeed, making this test flaky for those
32         architectures.
33
34         * stress/test-out-of-memory.js:
35
36 2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>
37
38         AccessCase should strongly visit its dependencies while on stack
39         https://bugs.webkit.org/show_bug.cgi?id=201986
40         <rdar://problem/55521953>
41
42         Reviewed by Saam Barati and Yusuke Suzuki.
43
44         * stress/ftl-put-by-id-setter-exception-interesting-live-state-2.js: Added.
45         (foo):
46         (warmup):
47
48 2019-09-20  Saam Barati  <sbarati@apple.com>
49
50         Unreviewed. Make toctou-having-a-bad-time-new-array.js run for less time because it's timing out on the debug bots.
51
52         * stress/toctou-having-a-bad-time-new-array.js:
53
54 2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>
55
56         [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
57         https://bugs.webkit.org/show_bug.cgi?id=202014
58
59         Reviewed by Saam Barati.
60
61         * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
62         (__v0):
63
64 2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>
65
66         Syntax checker should report duplicate __proto__ properties
67         https://bugs.webkit.org/show_bug.cgi?id=201897
68         <rdar://problem/53201788>
69
70         Reviewed by Mark Lam.
71
72         * stress/syntax-checker-duplicate-underscore-proto.js: Added.
73         (catch):
74
75 2019-09-18  Saam Barati  <sbarati@apple.com>
76
77         TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
78         https://bugs.webkit.org/show_bug.cgi?id=201953
79         <rdar://problem/53803524>
80
81         Reviewed by Yusuke Suzuki.
82
83         * stress/toctou-having-a-bad-time-new-array.js: Added.
84         (let.code):
85
86 2019-09-18  Saam Barati  <sbarati@apple.com>
87
88         Phantom insertion phase may disagree with arguments forwarding about live ranges
89         https://bugs.webkit.org/show_bug.cgi?id=200715
90         <rdar://problem/54301717>
91
92         Reviewed by Yusuke Suzuki.
93
94         * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added.
95         (main.v23):
96         (main.try.v43):
97         (main.):
98         (main):
99
100 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
101
102         [JSC] Generator should have internal fields
103         https://bugs.webkit.org/show_bug.cgi?id=201159
104
105         Reviewed by Keith Miller.
106
107         * stress/create-generator.js: Added.
108         (shouldBe):
109         (test.generator):
110         (test):
111         * stress/generator-construct-failure.js: Added.
112         (shouldThrow):
113         (TypeError):
114         * stress/generator-prototype-change.js: Added.
115         (shouldBe):
116         (gen):
117         * stress/generator-prototype-closure.js: Added.
118         (shouldBe):
119         (test.gen):
120         (test):
121         * stress/object-assign-fast-path.js:
122
123 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
124
125         Follow-up after String.codePointAt optimization
126         https://bugs.webkit.org/show_bug.cgi?id=201889
127
128         Reviewed by Saam Barati.
129
130         * stress/string-char-at-bad-type.js: Added.
131         (shouldBe):
132         (object.toString):
133         (test):
134         * stress/string-char-code-at-bad-type.js: Added.
135         (shouldBe):
136         (object.toString):
137         (test):
138         * stress/string-code-point-at-bad-type.js: Added.
139         (shouldBe):
140         (object.toString):
141         (test):
142
143 2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>
144
145         [JSC] CheckArray+NonArray is not filtering out Array in AI
146         https://bugs.webkit.org/show_bug.cgi?id=201857
147         <rdar://problem/54194820>
148
149         Reviewed by Keith Miller.
150
151         * stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
152         (foo):
153
154 2019-09-17  Saam Barati  <sbarati@apple.com>
155
156         CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
157         https://bugs.webkit.org/show_bug.cgi?id=201853
158         <rdar://problem/53805461>
159
160         Reviewed by Yusuke Suzuki.
161
162         * stress/direct-arguments-check-array-filter-type.js: Added.
163         (foo):
164
165 2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>
166
167         Wasm StreamingParser should validate that number of functions matches number of declarations
168         https://bugs.webkit.org/show_bug.cgi?id=201850
169         <rdar://problem/55290186>
170
171         Reviewed by Yusuke Suzuki.
172
173         * wasm/regress/validate-number-of-functions-match-declarations.js: Added.
174         (catch):
175
176 2019-09-16  Michael Saboff  <msaboff@apple.com>
177
178         [JSC] Perform check again when we found non-BMP characters
179         https://bugs.webkit.org/show_bug.cgi?id=201647
180
181         Reviewed by Yusuke Suzuki.
182
183         * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added.
184         * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print().
185         (testRegExpInbounds):
186
187 2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>
188
189         [JSC] Add missing syntax errors for await in function parameter default expressions
190         https://bugs.webkit.org/show_bug.cgi?id=201615
191
192         Reviewed by Darin Adler.
193
194         * stress/async-await-reserved-word.js:
195         * stress/async-await-syntax.js:
196         Add test cases.
197
198         * test262/expectations.yaml:
199         Mark newly-passing test cases.
200
201 2019-09-16  Saam Barati  <sbarati@apple.com>
202
203         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
204         https://bugs.webkit.org/show_bug.cgi?id=200386
205         <rdar://problem/53854946>
206
207         Reviewed by Yusuke Suzuki.
208
209         * stress/proxy-__proto__-in-prototype-chain.js: Added.
210         * stress/proxy-property-replace-structure-transition.js: Added.
211
212 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
213
214         Date.prototype.toJSON does not execute steps 1-2
215         https://bugs.webkit.org/show_bug.cgi?id=105282
216
217         Reviewed by Ross Kirsling.
218
219         * test262/expectations.yaml: Mark 2 test cases as passing.
220
221 2019-09-12  Mark Lam  <mark.lam@apple.com>
222
223         Harden JSC against the abuse of runtime options.
224         https://bugs.webkit.org/show_bug.cgi?id=201597
225         <rdar://problem/55167068>
226
227         Reviewed by Filip Pizlo.
228
229         Remove the call to forceGCSlowPaths().  This utility function will be removed.
230         The modern way to set the required option is to use //@ requireOptions.
231
232         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
233
234 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
235
236         [JSC] Add StringCodePointAt intrinsic
237         https://bugs.webkit.org/show_bug.cgi?id=201673
238
239         Reviewed by Michael Saboff.
240
241         * stress/string-char-at-constant-index-out-of-range.js: Added.
242         (shouldBe):
243         (test):
244         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
245         (shouldBe):
246         (test):
247         * stress/string-code-point-at--out-of-range.js: Added.
248         (shouldBe):
249         (test):
250         * stress/string-code-point-at-basic.js: Added.
251         (test):
252         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
253         (shouldBe):
254         (test):
255         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
256         (shouldBe):
257         (test):
258         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
259         (shouldBe):
260         (test):
261         (breaking):
262         * stress/string-code-point-at-surrogate-pair.js: Added.
263         (shouldBe):
264         * stress/string-code-point-at.js: Added.
265         (shouldBe):
266
267 2019-09-10  Michael Saboff  <msaboff@apple.com>
268
269         JSC crashes due to stack overflow while building RegExp
270         https://bugs.webkit.org/show_bug.cgi?id=201649
271
272         Reviewed by Yusuke Suzuki.
273
274         New regression test.
275
276         * stress/regexp-bol-optimize-out-of-stack.js: Added.
277         (test):
278         (catch):
279
280 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
281
282         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
283         https://bugs.webkit.org/show_bug.cgi?id=189043
284
285         Reviewed by Keith Miller.
286
287         The offset performing the validation becomes a bit different.
288         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
289
290         * wasm/js-api/version.js:
291
292 2019-09-07  Keith Miller  <keith_miller@apple.com>
293
294         OSR entry into wasm misses some contexts
295         https://bugs.webkit.org/show_bug.cgi?id=201569
296
297         Reviewed by Yusuke Suzuki.
298
299         Add a new harness and wast and the generated wasm file for
300         testing. The idea long term is to make it easy to test by creating
301         a C file and converting it to a wast then modify that to produce a
302         test.
303
304         * wasm.yaml:
305         * wasm/wast-tests/harness.js: Added.
306         (async.runWasmFile):
307         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
308         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
309         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
310         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
311         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
312         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
313         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
314         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
315
316 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
317
318         [JSC] Promise resolve/reject functions should be created more efficiently
319         https://bugs.webkit.org/show_bug.cgi?id=201488
320
321         Reviewed by Mark Lam.
322
323         * microbenchmarks/promise-creation-many.js: Added.
324         (executor):
325
326 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
327
328         Unreviewed JSC test gardening.
329
330         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
331         This test allocates a 2GB string before it goes out and tests
332         out-of-memory exception when appending other strings to it. As such,
333         skip the test on memory-limited platforms.
334
335 2019-09-07  Mark Lam  <mark.lam@apple.com>
336
337         The jsc shell should allow disabling of the Gigacage for testing purposes.
338         https://bugs.webkit.org/show_bug.cgi?id=201579
339
340         Reviewed by Michael Saboff.
341
342         Unskip the tests now.
343
344         * stress/disable-gigacage-arrays.js:
345         * stress/disable-gigacage-strings.js:
346         * stress/disable-gigacage-typed-arrays.js:
347
348 2019-09-07  Mark Lam  <mark.lam@apple.com>
349
350         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
351
352         Not reviewed.
353
354         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
355
356         * stress/disable-gigacage-arrays.js:
357         * stress/disable-gigacage-strings.js:
358         * stress/disable-gigacage-typed-arrays.js:
359
360 2019-09-07  Mark Lam  <mark.lam@apple.com>
361
362         Gardening: speculative test fix to green bots [attempt #2].
363         https://bugs.webkit.org/show_bug.cgi?id=201529
364         <rdar://problem/53935772>
365
366         Not reviewed.
367
368         * stress/test-out-of-memory.js:
369
370 2019-09-06  Mark Lam  <mark.lam@apple.com>
371
372         Gardening: speculative test fix to green bots.
373         https://bugs.webkit.org/show_bug.cgi?id=201529
374         <rdar://problem/53935772>
375
376         Not reviewed.
377
378         * stress/test-out-of-memory.js:
379
380 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
381
382         Math.round() produces wrong result for value prior to 0.5
383         https://bugs.webkit.org/show_bug.cgi?id=185115
384
385         Reviewed by Saam Barati.
386
387         * stress/math-round-basics.js:
388         Add positive/negative test cases.
389
390         * test262/expectations.yaml:
391         Mark test passing.
392
393 2019-09-06  Mark Lam  <mark.lam@apple.com>
394
395         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
396         https://bugs.webkit.org/show_bug.cgi?id=201551
397
398         Reviewed by Tadeu Zagallo.
399
400         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
401
402         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
403         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
404
405 2019-09-06  Mark Lam  <mark.lam@apple.com>
406
407         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
408         https://bugs.webkit.org/show_bug.cgi?id=201529
409         <rdar://problem/53935772>
410
411         Reviewed by Yusuke Suzuki.
412
413         * stress/test-out-of-memory.js: Added.
414
415 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
416
417         LazyClassStructure::setConstructor should not store the constructor to the global object
418         https://bugs.webkit.org/show_bug.cgi?id=201484
419         <rdar://problem/50400451>
420
421         Reviewed by Yusuke Suzuki.
422
423         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
424
425 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
426
427         [JSC] Do not use FTLOutput::weakPointer directly
428         https://bugs.webkit.org/show_bug.cgi?id=201495
429
430         Reviewed by Filip Pizlo.
431
432         * stress/create-promise-weak-pointer.js: Added.
433         (foo):
434
435 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
436
437         [JSC] Make Promise implementation faster
438         https://bugs.webkit.org/show_bug.cgi?id=200898
439
440         Reviewed by Saam Barati.
441
442         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
443         (assert.assert.return.throws):
444         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
445         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
446         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
447         (shouldThrow):
448         (new.Promise):
449         (shouldThrow.Promise):
450         * stress/create-promise-should-respect-promise-realm.js: Added.
451         (shouldBe):
452         (other.new.OtherPromise):
453         (DerivedOtherPromise):
454         (i.promise.new.DerivedOtherPromise):
455         (createPromise):
456         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
457         (shouldBe):
458         (DerivedPromise):
459         (i.array.push.new.DerivedPromise):
460         (promise.new.DerivedPromise):
461         * stress/derived-promise-constructor-inlined.js: Added.
462         (shouldBe):
463         (DerivedPromise):
464         (i.array.push.new.DerivedPromise):
465         (DerivedPromise.all.array.then):
466         * stress/derived-promise-prototype-replaced.js: Added.
467         (shouldBe):
468         (DerivedPromise):
469         (i.array.push.new.DerivedPromise):
470         (promise.new.DerivedPromise):
471         * stress/internal-promise-constructor-not-confusing.js: Added.
472         (shouldBe):
473         (InternalPromise.vm.createBuiltin):
474         (DerivedPromise):
475         * stress/internal-promise-is-not-exposed.js: Added.
476         (shouldBe):
477         * stress/new-promise-should-respect-promise-realm.js: Added.
478         (shouldBe):
479         (other.new.OtherPromise):
480         (createPromise):
481         * stress/promise-cannot-be-called.js:
482         (shouldThrow):
483         * stress/promise-capability-fast-path.js: Added.
484         (shouldBe):
485         (i.array.push.new.Promise):
486         (i.array.i.then):
487         * stress/promise-capability-slow-path.js: Added.
488         (shouldBe):
489         (Promise.prototype.then):
490         (i.array.push.new.Promise):
491         (i.array.i.then):
492         * stress/promise-capability-then-slow-path.js: Added.
493         (shouldBe):
494         (DerivedPromise):
495         (DerivedPromise.prototype.then):
496         (i.array.push.new.DerivedPromise):
497         (i.array.i.then):
498         * stress/promise-constructor-inlined.js: Added.
499         (shouldBe):
500         (i.array.push.new.Promise):
501         (Promise.all.array.then):
502         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
503         (shouldBe):
504         (DerivedPromise):
505         (DerivedPromise2):
506         (i.array.push.new.DerivedPromise):
507         (i.array2.push.new.DerivedPromise2):
508         * stress/without-promise-functions.js: Added.
509         (shouldBe):
510         (async):
511
512 2019-09-03  Mark Lam  <mark.lam@apple.com>
513
514         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
515         https://bugs.webkit.org/show_bug.cgi?id=201309
516         <rdar://problem/54832121>
517
518         Reviewed by Yusuke Suzuki.
519
520         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
521
522 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
523
524         [JSC] Generate new.target register only when it is used
525         https://bugs.webkit.org/show_bug.cgi?id=201335
526
527         Reviewed by Mark Lam.
528
529         * stress/ensure-new-register-allocated.js: Added.
530         (shouldBe):
531         (basic):
532         (arrow):
533         (Base):
534         (Derived):
535         (evaluate):
536
537 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
538
539         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
540         https://bugs.webkit.org/show_bug.cgi?id=201331
541
542         Reviewed by Mark Lam.
543
544         * stress/simple-jump-table-copy.js: Added.
545         (let.code):
546         (g2):
547
548 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
549
550         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
551         https://bugs.webkit.org/show_bug.cgi?id=201332
552
553         Reviewed by Mark Lam.
554
555         This test is very flaky, it is hard to reproduce.
556
557         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
558         (code):
559
560 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
561
562         [JSC] Repatch should construct CallCases and CasesValue at the same time
563         https://bugs.webkit.org/show_bug.cgi?id=201325
564
565         Reviewed by Saam Barati.
566
567         * stress/repatch-switch.js: Added.
568         (main.f2.f0):
569         (main.f2.f3):
570         (main.f2.f1):
571         (main.f2):
572         (main):
573
574 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
575
576         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
577         https://bugs.webkit.org/show_bug.cgi?id=198650
578
579         Reviewed by Saam Barati.
580
581         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
582         (main.v0):
583         (main):
584
585 2019-08-28  Mark Lam  <mark.lam@apple.com>
586
587         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
588         https://bugs.webkit.org/show_bug.cgi?id=201281
589         <rdar://problem/54028228>
590
591         Reviewed by Yusuke Suzuki and Saam Barati.
592
593         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
594
595 2019-08-28  Mark Lam  <mark.lam@apple.com>
596
597         Placate exception check validation in DFG's operationHasGenericProperty().
598         https://bugs.webkit.org/show_bug.cgi?id=201245
599         <rdar://problem/54777512>
600
601         Reviewed by Robin Morisset.
602
603         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
604
605 2019-08-27  Mark Lam  <mark.lam@apple.com>
606
607         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
608         https://bugs.webkit.org/show_bug.cgi?id=201196
609         <rdar://problem/54703775>
610
611         Reviewed by Yusuke Suzuki.
612
613         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
614
615 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
616
617         [JSC] Ensure x?.y ?? z is fast
618         https://bugs.webkit.org/show_bug.cgi?id=200875
619
620         Reviewed by Yusuke Suzuki.
621
622         * stress/nullish-coalescing.js:
623
624 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
625
626         Remove MaximalFlushInsertionPhase
627         https://bugs.webkit.org/show_bug.cgi?id=201036
628
629         Reviewed by Saam Barati.
630
631         Remove all the references to maximal flush
632
633         * stress/arith-ceil-on-various-types.js:
634         (checkCompileCountForUselessNegativeZero):
635         * stress/arith-floor-on-various-types.js:
636         (checkCompileCountForUselessNegativeZero):
637         * stress/arith-negate-on-various-types.js:
638         (checkCompileCountForUselessNegativeZero):
639         * stress/arith-round-on-various-types.js:
640         (checkCompileCountForUselessNegativeZero):
641         * stress/arith-trunc-on-various-types.js:
642         (checkCompileCountForUselessNegativeZero):
643         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
644         * stress/has-indexed-property-should-accept-non-int32.js:
645         * stress/has-indexed-property-with-worsening-array-mode.js:
646         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
647         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
648         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
649         * stress/rest-parameter-many-arguments.js:
650         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
651         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
652         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
653
654 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
655
656         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
657         https://bugs.webkit.org/show_bug.cgi?id=200952
658
659         Reviewed by Saam Barati.
660
661         * wasm/references/func_ref.js:
662         (assert.throws):
663
664 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
665
666         Add missing exception check in canonicalizeLocaleList
667         https://bugs.webkit.org/show_bug.cgi?id=201021
668
669         Reviewed by Mark Lam.
670
671         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
672         (catch):
673
674 2019-08-21  Mark Lam  <mark.lam@apple.com>
675
676         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
677         https://bugs.webkit.org/show_bug.cgi?id=201016
678         <rdar://problem/54579911>
679
680         Reviewed by Yusuke Suzuki.
681
682         * wasm/stress/too-many-locals.js: Added.
683         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
684
685 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
686
687         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
688         https://bugs.webkit.org/show_bug.cgi?id=200965
689
690         Reviewed by Saam Barati.
691
692         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
693         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
694
695         * stress/optional-chaining.js:
696
697 2019-08-21  Michael Saboff  <msaboff@apple.com>
698
699         [JSC] incorrent JIT lead to StackOverflow
700         https://bugs.webkit.org/show_bug.cgi?id=197823
701
702         Reviewed by Tadeu Zagallo.
703
704         New test.
705
706         * stress/bound-function-stack-overflow.js: Added.
707         (foo):
708         (catch):
709
710 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
711
712         Identify memcpy loops in b3
713         https://bugs.webkit.org/show_bug.cgi?id=200181
714
715         Reviewed by Saam Barati.
716
717         * microbenchmarks/memcpy-loop.js: Added.
718         (doTest):
719         (let.arr1):
720         * microbenchmarks/memcpy-typed-loop-large.js: Added.
721         (doTest):
722         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
723         (arr2):
724         * microbenchmarks/memcpy-typed-loop-small.js: Added.
725         (doTest):
726         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
727         (16.arr2):
728         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
729         (doTest):
730         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
731         (arr2):
732         * microbenchmarks/memcpy-wasm-large.js: Added.
733         (typeof.WebAssembly.string_appeared_here.eq):
734         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
735         * microbenchmarks/memcpy-wasm-medium.js: Added.
736         (typeof.WebAssembly.string_appeared_here.eq):
737         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
738         * microbenchmarks/memcpy-wasm-small.js: Added.
739         (typeof.WebAssembly.string_appeared_here.eq):
740         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
741         * microbenchmarks/memcpy-wasm.js: Added.
742         (typeof.WebAssembly.string_appeared_here.eq):
743         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
744         * stress/memcpy-typed-loops.js: Added.
745         (noLoop):
746         (invalidStart):
747         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
748         (arr2):
749         * wasm/function-tests/memcpy-wasm-loop.js: Added.
750         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
751         (string_appeared_here):
752
753 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
754
755         [JSC] Array.prototype.toString should not get "join" function each time
756         https://bugs.webkit.org/show_bug.cgi?id=200905
757
758         Reviewed by Mark Lam.
759
760         * stress/array-prototype-join-change.js: Added.
761         (shouldBe):
762         (array2.join):
763         (DerivedArray):
764         (DerivedArray.prototype.join):
765         (array3.__proto__.join):
766         (Array.prototype.join):
767
768 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
769
770         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
771         https://bugs.webkit.org/show_bug.cgi?id=200782
772
773         Reviewed by Saam Barati.
774
775         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
776
777         * microbenchmarks/memcpy-typed-loop.js:
778         * stress/int8-repeat-in-then-out-of-bounds.js:
779
780 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
781
782         Proxy constructor should throw if handler is revoked Proxy
783         https://bugs.webkit.org/show_bug.cgi?id=198755
784
785         Reviewed by Saam Barati.
786
787         * stress/proxy-revoke.js: Adjust error message.
788         * test262/expectations.yaml: Mark 2 test cases as passing.
789
790 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
791
792         [JSC] OSR entry to Wasm OMG
793         https://bugs.webkit.org/show_bug.cgi?id=200362
794
795         Reviewed by Michael Saboff.
796
797         * wasm/stress/osr-entry-basic.js: Added.
798         (instance.exports.loop):
799         * wasm/stress/osr-entry-many-locals-f32.js: Added.
800         * wasm/stress/osr-entry-many-locals-f64.js: Added.
801         * wasm/stress/osr-entry-many-locals-i32.js: Added.
802         * wasm/stress/osr-entry-many-locals-i64.js: Added.
803         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
804         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
805         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
806         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
807
808 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
809
810         Date.prototype.toJSON throws if toISOString returns an object
811         https://bugs.webkit.org/show_bug.cgi?id=198495
812
813         Reviewed by Ross Kirsling.
814
815         * test262/expectations.yaml: Mark 6 test cases as passing.
816
817 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
818
819         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
820         https://bugs.webkit.org/show_bug.cgi?id=200899
821         <rdar://problem/54073341>
822
823         Reviewed by Mark Lam.
824
825         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
826         (i.new.Promise):
827         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
828         (i.new.Promise):
829
830 2019-08-19  Michael Saboff  <msaboff@apple.com>
831
832         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
833         https://bugs.webkit.org/show_bug.cgi?id=197090
834
835         Reviewed by Yusuke Suzuki.
836
837         New test.
838
839         * stress/regexp-nonconsuming-counted-parens.js: Added.
840
841 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
842
843         [JSC] Correct a->an in error messages and API docblocks
844         https://bugs.webkit.org/show_bug.cgi?id=200833
845
846         Reviewed by Don Olmstead.
847
848         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
849         (assert.assert.return.throws):
850         * stress/promise-finally-should-accept-non-promise-objects.js:
851         * wasm/js-api/table.js:
852         (assert.throws):
853
854 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
855
856         [ESNext] Implement optional chaining
857         https://bugs.webkit.org/show_bug.cgi?id=200199
858
859         Reviewed by Yusuke Suzuki.
860
861         * stress/nullish-coalescing.js:
862         * stress/optional-chaining.js: Added.
863         * stress/tail-call-recognize.js:
864
865 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
866
867         [ESNext] Support hashbang.
868         https://bugs.webkit.org/show_bug.cgi?id=200865
869
870         Reviewed by Mark Lam.
871
872         * stress/hashbang.js: Added.
873         * test262/expectations.yaml: Mark 6 cases as passing.
874
875 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
876
877         [JSC] DFG ToNumber should support Boolean in fixup
878         https://bugs.webkit.org/show_bug.cgi?id=200864
879
880         Reviewed by Mark Lam.
881
882         * microbenchmarks/to-number-boolean.js: Added.
883         (test):
884         * stress/to-number-boolean-int32.js: Added.
885         (shouldBe):
886         (test):
887         (check):
888         * stress/to-number-boolean.js: Added.
889         (shouldBe):
890         (test):
891         (check):
892         * stress/to-number-int32.js: Added.
893         (shouldBe):
894         (test):
895         (check):
896
897 2019-08-16  Mark Lam  <mark.lam@apple.com>
898
899         More missing exception checks in string comparison operators.
900         https://bugs.webkit.org/show_bug.cgi?id=200844
901         <rdar://problem/54378684>
902
903         Reviewed by Saam Barati.
904
905         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
906         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
907         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
908         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
909
910 2019-08-16  Mark Lam  <mark.lam@apple.com>
911
912         CodeBlock destructor should clear all of its watchpoints.
913         https://bugs.webkit.org/show_bug.cgi?id=200792
914         <rdar://problem/53947800>
915
916         Reviewed by Yusuke Suzuki.
917
918         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
919
920 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
921
922         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
923         https://bugs.webkit.org/show_bug.cgi?id=200782
924
925         Reviewed by Saam Barati.
926
927         * microbenchmarks/int8-out-of-bounds.js: Added.
928         (foo):
929         * microbenchmarks/memcpy-typed-loop.js: Added.
930         (doTest):
931         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
932         (arr2):
933         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
934         (foo):
935
936 2019-08-16  Mark Lam  <mark.lam@apple.com>
937
938         [Re-land] ProxyObject should not be allow to access its target's private properties.
939         https://bugs.webkit.org/show_bug.cgi?id=200739
940         <rdar://problem/53972768>
941
942         Reviewed by Yusuke Suzuki.
943
944         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
945         * stress/proxy-with-private-symbols.js:
946
947 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
948
949         [JSC] Promise.prototype.finally should accept non-promise objects
950         https://bugs.webkit.org/show_bug.cgi?id=200829
951
952         Reviewed by Mark Lam.
953
954         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
955         (shouldBe):
956         (Thenable):
957         (Thenable.prototype.then):
958
959 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
960
961         Promise constructor should check argument before [[Construct]]
962         https://bugs.webkit.org/show_bug.cgi?id=198976
963
964         Reviewed by Ross Kirsling.
965
966         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
967         * stress/create-subclass-structure-might-throw.js: Fix test.
968         * test262/expectations.yaml: Mark 2 test cases as passing.
969
970 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
971
972         Unreviewed, rolling out r248709.
973
974         Caused test/built-ins/Promise/prototype/finally/this-value-
975         non-promise.js to fail on test262 bot
976
977         Reverted changeset:
978
979         "ProxyObject should not be allow to access its target's
980         private properties."
981         https://bugs.webkit.org/show_bug.cgi?id=200739
982         https://trac.webkit.org/changeset/248709
983
984 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
985
986         DateConversion::formatDateTime incorrectly formats negative years
987         https://bugs.webkit.org/show_bug.cgi?id=199964
988
989         Reviewed by Ross Kirsling.
990
991         * test262/expectations.yaml: Mark 6 test cases as passing.
992
993 2019-08-15  Mark Lam  <mark.lam@apple.com>
994
995         More missing exception checks in String.prototype.
996         https://bugs.webkit.org/show_bug.cgi?id=200762
997         <rdar://problem/54333896>
998
999         Reviewed by Michael Saboff.
1000
1001         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
1002         * stress/missing-exception-check-in-string-toLower.js: Added.
1003         * stress/missing-exception-check-in-string-toUpper.js: Added.
1004
1005 2019-08-14  Mark Lam  <mark.lam@apple.com>
1006
1007         ProxyObject should not be allow to access its target's private properties.
1008         https://bugs.webkit.org/show_bug.cgi?id=200739
1009         <rdar://problem/53972768>
1010
1011         Reviewed by Yusuke Suzuki.
1012
1013         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
1014         * stress/proxy-with-private-symbols.js: Rebased.
1015
1016 2019-08-14  Mark Lam  <mark.lam@apple.com>
1017
1018         Missing exception check in string compare.
1019         https://bugs.webkit.org/show_bug.cgi?id=200743
1020         <rdar://problem/53975356>
1021
1022         Reviewed by Michael Saboff.
1023
1024         * stress/missing-exception-check-in-string-compare.js: Added.
1025
1026 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
1027
1028         [JSC] Add "jump if (not) undefined or null" bytecode ops
1029         https://bugs.webkit.org/show_bug.cgi?id=200480
1030
1031         Reviewed by Saam Barati.
1032
1033         * stress/destructuring-assignment-require-object-coercible.js:
1034         * stress/nullish-coalescing.js:
1035
1036 2019-08-05  Michael Saboff  <msaboff@apple.com>
1037
1038         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
1039         https://bugs.webkit.org/show_bug.cgi?id=199997
1040
1041         Reviewed by Saam Barati.
1042
1043         New test.
1044
1045         * stress/typedarray-no-alreadyChecked-assert.js: Added.
1046         (checkIntArray):
1047         (checkFloatArray):
1048
1049 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1050
1051         [JSC] Support WebAssembly in SamplingProfiler
1052         https://bugs.webkit.org/show_bug.cgi?id=200329
1053
1054         Reviewed by Saam Barati.
1055
1056         * stress/sampling-profiler-wasm-name-section.js: Added.
1057         (const.compile):
1058         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1059         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1060         * stress/sampling-profiler-wasm.js: Added.
1061         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
1062         (platformSupportsSamplingProfiler.vm.isWasmSupported):
1063         * stress/sampling-profiler/loop.wasm: Added.
1064         * stress/sampling-profiler/loop.wast: Added.
1065         * stress/sampling-profiler/nameSection.wasm: Added.
1066
1067 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
1068
1069         [JSC] LazyJSValue should be robust for empty JSValue
1070         https://bugs.webkit.org/show_bug.cgi?id=200388
1071
1072         Reviewed by Saam Barati.
1073
1074         * stress/switch-constant-child-becomes-empty.js: Added.
1075         (foo):
1076
1077 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
1078
1079         GetterSetter type confusion during DFG compilation
1080         https://bugs.webkit.org/show_bug.cgi?id=199903
1081
1082         Reviewed by Mark Lam.
1083
1084         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
1085
1086 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
1087
1088         Update Test262 (2019.08.01)
1089         https://bugs.webkit.org/show_bug.cgi?id=200351
1090
1091         Reviewed by Keith Miller.
1092
1093         * test262/expectations.yaml:
1094         * test262/harness/testIntl.js:
1095         * test262/latest-changes-summary.txt:
1096         * test262/test/:
1097         * test262/test262-Revision.txt:
1098
1099 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
1100
1101         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
1102         https://bugs.webkit.org/show_bug.cgi?id=200192
1103
1104         Reviewed by Saam Barati.
1105
1106         * stress/structure-chain-stress.js: Added.
1107         (keys):
1108
1109 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
1110
1111         [JSC] Increment bytecode age only when SlotVisitor is first-visit
1112         https://bugs.webkit.org/show_bug.cgi?id=200196
1113
1114         Reviewed by Robin Morisset.
1115
1116         * stress/reparsing-unlinked-codeblock.js:
1117
1118 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
1119
1120         [X86] Emit BT instruction for shift + mask in B3
1121         https://bugs.webkit.org/show_bug.cgi?id=199891
1122
1123         Reviewed by Robin Morisset.
1124
1125         Lower the number of iterations to fix debug timeouts.
1126
1127         * microbenchmarks/bit-test-load.js:
1128         (i):
1129
1130 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
1131
1132         [X86] Emit BT instruction for shift + mask in B3
1133         https://bugs.webkit.org/show_bug.cgi?id=199891
1134
1135         Reviewed by Keith Miller.
1136
1137         * microbenchmarks/bit-test-constant.js: Added.
1138         (let.glob.0.doTest):
1139         * microbenchmarks/bit-test-load.js: Added.
1140         (let.glob.0.let.arr.new.Int32Array.8.doTest):
1141         (i):
1142         * microbenchmarks/bit-test-nonconstant.js: Added.
1143         (let.glob.0.doTest):
1144
1145 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
1146
1147         [JSC] Potential GC fix for JSPropertyNameEnumerator
1148         https://bugs.webkit.org/show_bug.cgi?id=200151
1149
1150         Reviewed by Mark Lam.
1151
1152         * stress/for-in-stress.js: Added.
1153         (keys):
1154
1155 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1156
1157         Legacy numeric literals should not permit separators or BigInt
1158         https://bugs.webkit.org/show_bug.cgi?id=199984
1159
1160         Reviewed by Keith Miller.
1161
1162         * stress/big-int-literals.js:
1163         * stress/numeric-literal-separators.js:
1164
1165 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
1166
1167         [ESNext] Implement nullish coalescing
1168         https://bugs.webkit.org/show_bug.cgi?id=200072
1169
1170         Reviewed by Darin Adler.
1171
1172         * stress/nullish-coalescing.js: Added.
1173
1174 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1175
1176         Three checks are missing in Proxy internal methods
1177         https://bugs.webkit.org/show_bug.cgi?id=198630
1178
1179         Reviewed by Darin Adler.
1180
1181         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
1182         * test262/expectations.yaml: Mark 6 test cases as passing.
1183
1184 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
1185
1186         Sometimes we miss removable CheckInBounds
1187         https://bugs.webkit.org/show_bug.cgi?id=200018
1188
1189         Reviewed by Saam Barati.
1190
1191         * microbenchmarks/typed-array-sum.js: Added.
1192         (doTest):
1193
1194 2019-07-16  Mark Lam  <mark.lam@apple.com>
1195
1196         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
1197         https://bugs.webkit.org/show_bug.cgi?id=199821
1198         <rdar://problem/52452328>
1199
1200         Reviewed by Filip Pizlo.
1201
1202         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1203
1204 2019-07-16  Keith Miller  <keith_miller@apple.com>
1205
1206         Unreviewed, test262 gardening.
1207
1208         * test262/expectations.yaml:
1209
1210 2019-07-15  Keith Miller  <keith_miller@apple.com>
1211
1212         A Possible Issue of Object.create method
1213         https://bugs.webkit.org/show_bug.cgi?id=199744
1214
1215         Reviewed by Yusuke Suzuki.
1216
1217         * stress/object-create-non-object-properties-parameter.js: Added.
1218         (catch):
1219
1220 2019-07-15  Keith Miller  <keith_miller@apple.com>
1221
1222         Update test262
1223         https://bugs.webkit.org/show_bug.cgi?id=199801
1224
1225         Rubber-stamped by Yusuke Suzuki.
1226
1227         * test262/expectations.yaml:
1228         * test262/latest-changes-summary.txt:
1229         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1230         (fg.new.FinalizationGroup):
1231         (callback):
1232         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1233         (fg.new.FinalizationGroup):
1234         (callback):
1235         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1236         (fg.new.FinalizationGroup):
1237         (callback):
1238         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1239         (fg.new.FinalizationGroup):
1240         (callback):
1241         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1242         (fg.new.FinalizationGroup):
1243         (callback):
1244         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1245         (fg.new.FinalizationGroup):
1246         (callback):
1247         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1248         (fg.new.FinalizationGroup):
1249         (callback):
1250         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1251         (callback):
1252         (fg.new.FinalizationGroup):
1253         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1254         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1255         (cb):
1256         (fg.new.FinalizationGroup):
1257         (emptyCells):
1258         (async.fn):
1259         (fn.then.async):
1260         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1261         (fg.new.FinalizationGroup):
1262         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1263         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1264         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1265         (newTarget):
1266         (fn):
1267         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1268         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1269         (fn):
1270         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1271         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1272         (newTarget):
1273         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1274         (newTarget):
1275         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1276         (fg.new.FinalizationGroup):
1277         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1278         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1279         (callback):
1280         (fg.new.FinalizationGroup):
1281         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1282         (fg.new.FinalizationGroup):
1283         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1284         (cb):
1285         (fg.new.FinalizationGroup):
1286         (emptyCells):
1287         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1288         (fg.new.FinalizationGroup):
1289         (fg.cleanupSome.cb):
1290         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1291         (callback):
1292         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1293         (fn):
1294         (cb):
1295         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1296         (cb):
1297         (fg.new.FinalizationGroup):
1298         (emptyCells):
1299         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1300         (fg.new.FinalizationGroup):
1301         (callback):
1302         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1303         (fg.new.FinalizationGroup):
1304         (callback):
1305         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1306         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1307         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1308         (poisoned):
1309         (fg.new.FinalizationGroup):
1310         (emptyCells):
1311         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1312         (poisoned):
1313         (emptyCells):
1314         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1315         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1316         (fn):
1317         (cb):
1318         (emptyCells):
1319         (prototype.assert.sameValue.fg.cleanupSome):
1320         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1321         (fn):
1322         (cb):
1323         (poisoned):
1324         (assert.sameValue.fg.cleanupSome):
1325         (prototype.assert.sameValue.fg.cleanupSome):
1326         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1327         (cb):
1328         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1329         (cb):
1330         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1331         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1332         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1333         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1334         (fn):
1335         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1336         (fn):
1337         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1338         (fg.new.FinalizationGroup):
1339         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1340         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1341         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1342         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1343         (fn):
1344         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1345         (fn):
1346         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1347         (fg.new.FinalizationGroup):
1348         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1349         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1350         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1351         (fg.new.FinalizationGroup):
1352         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1353         (fg.new.FinalizationGroup):
1354         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1355         (fg.new.FinalizationGroup):
1356         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1357         (fg.new.FinalizationGroup):
1358         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1359         (fn):
1360         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1361         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1362         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1363         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1364         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1365         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1366         (fn):
1367         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1368         (fg.new.FinalizationGroup):
1369         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1370         (cleanupCallback):
1371         (let.key.of.Object.getOwnPropertyNames):
1372         (set for):
1373         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1374         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1375         (FinalizationGroup):
1376         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1377         (cleanupCallback):
1378         (let.key.of.Object.getOwnPropertyNames):
1379         (set for):
1380         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1381         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1382         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1383         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1384         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1385         (asyncProxy.new.Proxy.async):
1386         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1387         (asyncProxy.new.Proxy.async):
1388         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1389         (setIter.set Symbol):
1390         (set defaultTag):
1391         (gen):
1392         (get return):
1393         (set new):
1394         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1395         (generatorProxy.new.Proxy):
1396         (asyncProxy.new.Proxy.async):
1397         * test262/test/built-ins/Object/subclass-object-arg.js:
1398         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1399         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1400         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1401         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1402         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1403         * test262/test/built-ins/Promise/executor-function-name.js:
1404         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1405         * test262/test/built-ins/Promise/reject-function-name.js:
1406         * test262/test/built-ins/Promise/resolve-function-name.js:
1407         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1408         * test262/test/built-ins/WeakRef/constructor.js: Added.
1409         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1410         * test262/test/built-ins/WeakRef/length.js: Added.
1411         * test262/test/built-ins/WeakRef/name.js: Added.
1412         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1413         (newTarget):
1414         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1415         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1416         * test262/test/built-ins/WeakRef/proto.js: Added.
1417         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1418         (newTarget):
1419         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1420         (newTarget):
1421         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1422         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1423         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1424         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1425         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1426         (emptyCells):
1427         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1428         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1429         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1430         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1431         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1432         (fg.new.FinalizationGroup):
1433         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1434         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1435         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1436         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1437         (let.key.of.Object.getOwnPropertyNames):
1438         (set for):
1439         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1440         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1441         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1442         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1443         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1444         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1445         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1446         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1447         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1448         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1449         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1450         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1451         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1452         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1453         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1454         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1455         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1456         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1457         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1458         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1459         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1460         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1461         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1462         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1463         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1464         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1465         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1466         (assertParts):
1467         (assertPartsNumeric):
1468         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1469         (assertParts):
1470         (assertPartsNumeric):
1471         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1472         (assertParts):
1473         (assertPartsNumeric):
1474         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1475         (assertParts):
1476         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1477         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1478         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1479         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1480         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1481         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1482         (C.prototype.method):
1483         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1484         (C.prototype.method.innerFunction):
1485         (C.prototype.method):
1486         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1487         (C):
1488         (C.method):
1489         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1490         (C):
1491         (C.method.innerFunction):
1492         (C.method):
1493         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1494         (C):
1495         (C.checkPrivateGetter):
1496         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1497         (C):
1498         (C.method):
1499         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1500         (C):
1501         (C.method.innerFunction):
1502         (C.method):
1503         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1504         (C):
1505         (C.checkPrivateMethod):
1506         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1507         (C):
1508         (C.method):
1509         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1510         (C):
1511         (C.method.innerFunction):
1512         (C.method):
1513         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1514         (C):
1515         (C.checkPrivateSetter):
1516         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1517         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1518         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1519         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1520         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1521         (let.classStringExpression):
1522         (let.classStringExpression.access):
1523         (let.createAndInstantiateClass):
1524         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1525         (let.classStringExpression):
1526         (let.classStringExpression.access):
1527         (let.createAndInstantiateClass):
1528         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1529         (const.C):
1530         (let.createAndInstantiateClass):
1531         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1532         (let.classStringExpression.return.prototype.m):
1533         (let.classStringExpression.return.prototype.access):
1534         (let.createAndInstantiateClass):
1535         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1536         (let.classStringExpression.return.prototype.m):
1537         (let.classStringExpression.return.prototype.access):
1538         (let.createAndInstantiateClass):
1539         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1540         (let.classStringExpression):
1541         (let.classStringExpression.access):
1542         (let.createAndInstantiateClass):
1543         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1544         (let.classStringExpression.prototype.m):
1545         (let.classStringExpression.prototype.access):
1546         (let.classStringExpression):
1547         (let.createAndInstantiateClass):
1548         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1549         (let.classStringExpression.prototype.m):
1550         (let.classStringExpression.prototype.access):
1551         (let.classStringExpression):
1552         (let.createAndInstantiateClass):
1553         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1554         (const.C):
1555         (let.createAndInstantiateClass):
1556         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1557         (let.classStringExpression.return.C.prototype.m):
1558         (let.classStringExpression.return.C.prototype.access):
1559         (let.classStringExpression.return.C):
1560         (let.createAndInstantiateClass):
1561         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1562         (let.classStringExpression.return.C.prototype.m):
1563         (let.classStringExpression.return.C.prototype.access):
1564         (let.classStringExpression.return.C):
1565         (let.createAndInstantiateClass):
1566         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1567         (let.classStringExpression):
1568         (let.classStringExpression.access):
1569         (let.createAndInstantiateClass):
1570         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1571         (let.classStringExpression):
1572         (let.classStringExpression.access):
1573         (let.createAndInstantiateClass):
1574         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1575         (let.classStringExpression):
1576         (let.classStringExpression.access):
1577         (let.createAndInstantiateClass):
1578         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1579         (const.C):
1580         (let.createAndInstantiateClass):
1581         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1582         (let.classStringExpression.return.prototype.m):
1583         (let.classStringExpression.return.prototype.access):
1584         (let.createAndInstantiateClass):
1585         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1586         (let.classStringExpression.return.prototype.m):
1587         (let.classStringExpression.return.prototype.access):
1588         (let.createAndInstantiateClass):
1589         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1590         (let.classStringExpression):
1591         (let.classStringExpression.access):
1592         (let.createAndInstantiateClass):
1593         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1594         (new):
1595         (async):
1596         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1597         (A):
1598         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1599         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1600         * test262/test/language/identifiers/vals-cjk.js: Added.
1601         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1602         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1603         (C.prototype.method):
1604         (C):
1605         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1606         (C.prototype.method.innerFunction):
1607         (C.prototype.method):
1608         (C):
1609         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1610         (C.prototype.checkPrivateField):
1611         (C):
1612         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1613         (C):
1614         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1615         (C.prototype.getWithEval):
1616         (C):
1617         (D):
1618         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1619         (C.prototype.get m):
1620         (C.prototype.method):
1621         (C):
1622         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1623         (C.prototype.get m):
1624         (C.prototype.method.innerFunction):
1625         (C.prototype.method):
1626         (C):
1627         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1628         (let.createAndInstantiateClass):
1629         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1630         (C.prototype.get m):
1631         (C.prototype.checkPrivateGetter):
1632         (C):
1633         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1634         (C.prototype.get m):
1635         (C.prototype.checkPrivateGetter):
1636         (C):
1637         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1638         (C.prototype.get m):
1639         (C):
1640         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1641         (C.prototype.get m):
1642         (C.prototype.getWithEval):
1643         (C):
1644         (D.prototype.get m):
1645         (D):
1646         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1647         (C.prototype.m):
1648         (C.prototype.method):
1649         (C):
1650         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1651         (C.prototype.m):
1652         (C.prototype.method.innerFunction):
1653         (C.prototype.method):
1654         (C):
1655         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1656         (C.prototype.m):
1657         (C.prototype.checkPrivateMethod):
1658         (C):
1659         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1660         (C.prototype.m):
1661         (C.prototype.checkPrivateMethod):
1662         (C):
1663         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1664         (C.prototype.m):
1665         (C):
1666         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1667         (C.prototype.m):
1668         (C.prototype.getWithEval):
1669         (C):
1670         (D.prototype.m):
1671         (D):
1672         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1673         (C.prototype.set m):
1674         (C.prototype.method):
1675         (C):
1676         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1677         (C.prototype.set m):
1678         (C.prototype.method.innerFunction):
1679         (C.prototype.method):
1680         (C):
1681         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1682         (C.prototype.set m):
1683         (C.prototype.checkPrivateSetter):
1684         (C):
1685         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1686         (C.prototype.set m):
1687         (C.prototype.checkPrivateSetter):
1688         (C):
1689         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1690         (C.prototype.set m):
1691         (C):
1692         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1693         (C.prototype.set m):
1694         (C.prototype.setWithEval):
1695         (C):
1696         (D.prototype.set m):
1697         (D):
1698         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1699         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1700         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1701         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1702         (A.prototype.method):
1703         (A):
1704         (C.prototype.get m):
1705         (C.prototype.access):
1706         (C):
1707         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1708         (A.prototype.method):
1709         (A):
1710         (C.prototype.m):
1711         (C.prototype.access):
1712         (C):
1713         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1714         (A.prototype.method):
1715         (A):
1716         (C.prototype.set m):
1717         (C.prototype.access):
1718         (C):
1719         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1720         (A):
1721         * test262/test/language/statements/function/13.2-30-s.js:
1722         * test262/test262-Revision.txt:
1723
1724 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1725
1726         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1727         https://bugs.webkit.org/show_bug.cgi?id=199783
1728
1729         Reviewed by Mark Lam.
1730
1731         Fix our spec tests.
1732
1733         * wasm/js-api/Module-compile.js:
1734         * wasm/js-api/test_basic_api.js:
1735         (const.c.in.constructorProperties.switch):
1736         * wasm/js-api/validate.js:
1737         * wasm/js-api/web-assembly-instantiate.js:
1738         * wasm/spec-tests/jsapi.js:
1739         (testJSAPI.get test):
1740         (testJSAPI.set test):
1741
1742 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1743
1744         Unreviewed, rolling out r247440.
1745
1746         Broke builds
1747
1748         Reverted changeset:
1749
1750         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1751         issues"
1752         https://bugs.webkit.org/show_bug.cgi?id=199783
1753         https://trac.webkit.org/changeset/247440
1754
1755 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1756
1757         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1758         https://bugs.webkit.org/show_bug.cgi?id=199783
1759
1760         Reviewed by Mark Lam.
1761
1762         Fix our spec tests.
1763
1764         * wasm/js-api/Module-compile.js:
1765         * wasm/js-api/test_basic_api.js:
1766         (const.c.in.constructorProperties.switch):
1767         * wasm/js-api/validate.js:
1768         * wasm/js-api/web-assembly-instantiate.js:
1769         * wasm/spec-tests/jsapi.js:
1770         (testJSAPI.get test):
1771         (testJSAPI.set test):
1772
1773 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1774
1775         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1776         https://bugs.webkit.org/show_bug.cgi?id=196371
1777
1778         Reviewed by Keith Miller.
1779
1780         * microbenchmarks/mul-immediate-sub.js: Added.
1781         (doTest):
1782
1783 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1784
1785         [BigInt] Add ValueBitLShift into DFG
1786         https://bugs.webkit.org/show_bug.cgi?id=192664
1787
1788         Reviewed by Saam Barati.
1789
1790         We are adding tests to cover ValueBitwise operations AI changes.
1791
1792         * stress/big-int-left-shift-untyped.js: Added.
1793         * stress/bit-op-with-object-returning-int32.js:
1794         * stress/value-bit-and-ai-rule.js: Added.
1795         * stress/value-bit-lshift-ai-rule.js: Added.
1796         * stress/value-bit-or-ai-rule.js: Added.
1797         * stress/value-bit-xor-ai-rule.js: Added.
1798
1799 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1800
1801         Add b3 macro lowering for CheckMul on arm64
1802         https://bugs.webkit.org/show_bug.cgi?id=199251
1803
1804         Reviewed by Robin Morisset.
1805
1806         * microbenchmarks/check-mul-constant.js: Added.
1807         (doTest):
1808         * microbenchmarks/check-mul-no-constant.js: Added.
1809         (doTest):
1810         * microbenchmarks/check-mul-power-of-two.js: Added.
1811         (doTest):
1812
1813 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1814
1815         Optimize join of large empty arrays
1816         https://bugs.webkit.org/show_bug.cgi?id=199636
1817
1818         Reviewed by Mark Lam.
1819
1820         * microbenchmarks/large-empty-array-join.js: Added.
1821         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1822
1823 2019-07-06  Michael Saboff  <msaboff@apple.com>
1824
1825         switch(String) needs to check for exceptions when resolving the string
1826         https://bugs.webkit.org/show_bug.cgi?id=199541
1827
1828         Reviewed by Mark Lam.
1829
1830         New tests.
1831
1832         * stress/switch-string-oom.js: Added.
1833         (test):
1834         (testLowerTiers):
1835         (testFTL):
1836
1837 2019-07-05  Mark Lam  <mark.lam@apple.com>
1838
1839         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
1840         https://bugs.webkit.org/show_bug.cgi?id=199533
1841         <rdar://problem/52669111>
1842
1843         Reviewed by Filip Pizlo.
1844
1845         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1846
1847 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1848
1849         [JSC] Clean up ArraySpeciesCreate
1850         https://bugs.webkit.org/show_bug.cgi?id=182434
1851
1852         Reviewed by Yusuke Suzuki.
1853
1854         Adjusts error message expectations in stress tests.
1855
1856         * stress/array-flatmap.js:
1857         * stress/array-flatten.js:
1858         * stress/array-species-create-should-handle-masquerader.js:
1859         * test262/expectations.yaml: Mark 4 test cases as passing.
1860
1861 2019-07-02  Michael Saboff  <msaboff@apple.com>
1862
1863         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1864         https://bugs.webkit.org/show_bug.cgi?id=199395
1865
1866         Reviewed by Filip Pizlo.
1867
1868         New regession test.
1869
1870         * stress/for-of-tdz-with-try-catch.js: Added.
1871         (test):
1872         (i.catch):
1873
1874 2019-07-02  Keith Miller  <keith_miller@apple.com>
1875
1876         Frozen Arrays length assignment should throw in strict mode
1877         https://bugs.webkit.org/show_bug.cgi?id=199365
1878
1879         Reviewed by Yusuke Suzuki.
1880
1881         * stress/frozen-array-length-should-throw-strict.js: Added.
1882         (test):
1883
1884 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1885
1886         [Wasm-References] Disable references by default
1887         https://bugs.webkit.org/show_bug.cgi?id=199390
1888
1889         Reviewed by Saam Barati.
1890
1891         * wasm/references-spec-tests/ref_is_null.js:
1892         * wasm/references-spec-tests/ref_null.js:
1893         * wasm/references/anyref_globals.js:
1894         * wasm/references/anyref_modules.js:
1895         * wasm/references/anyref_table.js:
1896         * wasm/references/anyref_table_import.js:
1897         * wasm/references/element_parsing.js:
1898         * wasm/references/func_ref.js:
1899         * wasm/references/is_null.js:
1900         * wasm/references/multitable.js:
1901         * wasm/references/table_misc.js:
1902         * wasm/references/validation.js:
1903
1904 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1905
1906         Unreviewed, rolling out r246946.
1907
1908         Caused JSC test crashes on arm64
1909
1910         Reverted changeset:
1911
1912         "Add b3 macro lowering for CheckMul on arm64"
1913         https://bugs.webkit.org/show_bug.cgi?id=199251
1914         https://trac.webkit.org/changeset/246946
1915
1916 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1917
1918         Add b3 macro lowering for CheckMul on arm64
1919         https://bugs.webkit.org/show_bug.cgi?id=199251
1920
1921         Reviewed by Robin Morisset.
1922
1923         * microbenchmarks/check-mul-constant.js: Added.
1924         (doTest):
1925         * microbenchmarks/check-mul-no-constant.js: Added.
1926         (doTest):
1927         * microbenchmarks/check-mul-power-of-two.js: Added.
1928         (doTest):
1929
1930 2019-06-26  Keith Miller  <keith_miller@apple.com>
1931
1932         speciesConstruct needs to throw if the result is a DataView
1933         https://bugs.webkit.org/show_bug.cgi?id=199231
1934
1935         Reviewed by Mark Lam.
1936
1937         * stress/typedarray-filter.js:
1938         (subclasses.forEach):
1939         * stress/typedarray-map.js:
1940         (subclasses.forEach):
1941         * stress/typedarray-slice.js:
1942         (typedArrays.forEach):
1943         * stress/typedarray-subarray.js:
1944         (subclasses.forEach):
1945
1946 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1947
1948         Unreviewed, rolling out r246714.
1949         https://bugs.webkit.org/show_bug.cgi?id=199179
1950
1951         revert to do patch in a different way. (Requested by keith_mi_
1952         on #webkit).
1953
1954         Reverted changeset:
1955
1956         "All prototypes should call didBecomePrototype()"
1957         https://bugs.webkit.org/show_bug.cgi?id=196315
1958         https://trac.webkit.org/changeset/246714
1959
1960 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1961
1962         Add Array.prototype.{flat,flatMap} to unscopables
1963         https://bugs.webkit.org/show_bug.cgi?id=194322
1964
1965         Reviewed by Keith Miller.
1966
1967         * stress/unscopables.js: Fix test.
1968         * test262/expectations.yaml: Mark 2 test cases as passing.
1969
1970 2019-06-21  Mark Lam  <mark.lam@apple.com>
1971
1972         ArraySlice needs to keep the source array alive.
1973         https://bugs.webkit.org/show_bug.cgi?id=197374
1974         <rdar://problem/50304429>
1975
1976         Reviewed by Michael Saboff and Filip Pizlo.
1977
1978         * stress/array-slice-must-keep-source-array-alive.js: Added.
1979
1980 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1981
1982         All prototypes should call didBecomePrototype()
1983         https://bugs.webkit.org/show_bug.cgi?id=196315
1984
1985         Reviewed by Saam Barati.
1986
1987         * stress/function-prototype-indexed-accessor.js: Added.
1988
1989 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1990
1991         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1992         https://bugs.webkit.org/show_bug.cgi?id=197631
1993
1994         Reviewed by Saam Barati.
1995
1996         * stress/has-own-property-arguments.js: Added.
1997         (shouldBe):
1998         (A):
1999
2000 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
2001
2002         [JSC] ClassExpr should not store result in the middle of evaluation
2003         https://bugs.webkit.org/show_bug.cgi?id=199106
2004
2005         Reviewed by Tadeu Zagallo.
2006
2007         * stress/class-expression-should-store-result-at-last.js: Added.
2008         (shouldThrow):
2009         (shouldThrow.let.a):
2010
2011 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
2012
2013         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
2014         https://bugs.webkit.org/show_bug.cgi?id=199044
2015
2016         Reviewed by Saam Barati.
2017
2018         Add wasm references spec tests as well as a worker test.
2019
2020         * wasm.yaml:
2021         * wasm/Builder_WebAssemblyBinary.js:
2022         (const.emitters.Element):
2023         * wasm/js-api/element.js:
2024         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2025         * wasm/references-spec-tests/ref_is_null.js: Added.
2026         (hostref):
2027         (is_hostref):
2028         (is_funcref):
2029         (eq_ref):
2030         (let.handler.get target):
2031         (register):
2032         (module):
2033         (instance):
2034         (call):
2035         (get instance):
2036         (exports):
2037         (run):
2038         (assert_malformed):
2039         (assert_invalid):
2040         (assert_unlinkable):
2041         (assert_uninstantiable):
2042         (assert_trap):
2043         (try.f):
2044         (catch):
2045         (assert_exhaustion):
2046         (assert_return):
2047         (assert_return_canonical_nan):
2048         (assert_return_arithmetic_nan):
2049         (assert_return_ref):
2050         (assert_return_func):
2051         * wasm/references-spec-tests/ref_null.js: Added.
2052         (hostref):
2053         (is_hostref):
2054         (is_funcref):
2055         (eq_ref):
2056         (let.handler.get target):
2057         (register):
2058         (module):
2059         (instance):
2060         (call):
2061         (get instance):
2062         (exports):
2063         (run):
2064         (assert_malformed):
2065         (assert_invalid):
2066         (assert_unlinkable):
2067         (assert_uninstantiable):
2068         (assert_trap):
2069         (try.f):
2070         (catch):
2071         (assert_exhaustion):
2072         (assert_return):
2073         (assert_return_canonical_nan):
2074         (assert_return_arithmetic_nan):
2075         (assert_return_ref):
2076         (assert_return_func):
2077         * wasm/references/element_parsing.js: Added.
2078         (module):
2079         * wasm/references/func_ref.js:
2080         * wasm/references/multitable.js:
2081         * wasm/references/table_misc.js:
2082         (TableSize.0.End.End.WebAssembly):
2083         * wasm/references/validation.js:
2084         (assert.throws):
2085
2086 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
2087
2088         Optimize `resolve` method lookup in Promise static methods
2089         https://bugs.webkit.org/show_bug.cgi?id=198864
2090
2091         Reviewed by Yusuke Suzuki.
2092
2093         * test262/expectations.yaml: Mark 18 test cases as passing.
2094
2095 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
2096
2097         [WASM-References] Rename anyfunc to funcref
2098         https://bugs.webkit.org/show_bug.cgi?id=198983
2099
2100         Reviewed by Yusuke Suzuki.
2101
2102         * wasm/function-tests/basic-element.js:
2103         * wasm/function-tests/context-switch.js:
2104         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2105         (makeInstance):
2106         (assert.eq.makeInstance):
2107         * wasm/function-tests/exceptions.js:
2108         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2109         * wasm/function-tests/grow-memory-2.js:
2110         (assert.eq.instance.exports.foo):
2111         * wasm/function-tests/nameSection.js:
2112         (const.compile):
2113         * wasm/function-tests/stack-overflow.js:
2114         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2115         (assertOverflows.makeInstance):
2116         * wasm/function-tests/table-basic-2.js:
2117         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2118         * wasm/function-tests/table-basic.js:
2119         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
2120         * wasm/function-tests/trap-from-start-async.js:
2121         * wasm/function-tests/trap-from-start.js:
2122         * wasm/js-api/Module.exports.js:
2123         (assert.truthy):
2124         * wasm/js-api/Module.imports.js:
2125         (assert.truthy):
2126         * wasm/js-api/call-indirect.js:
2127         (const.oneTable):
2128         (const.multiTable):
2129         (multiTable.const.makeTable):
2130         (multiTable):
2131         (multiTable.Polyphic2Import):
2132         (multiTable.VirtualImport):
2133         * wasm/js-api/element-data.js:
2134         * wasm/js-api/element.js:
2135         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
2136         (assert.throws):
2137         (badInstantiation.makeModule):
2138         (badInstantiation.test):
2139         (badInstantiation):
2140         * wasm/js-api/extension-MemoryMode.js:
2141         * wasm/js-api/table.js:
2142         (new.WebAssembly.Module):
2143         (assert.throws):
2144         (assertBadTableImport):
2145         (assert.throws.WebAssembly.Table.prototype.grow):
2146         (new.WebAssembly.Table):
2147         (assertBadTable):
2148         (assert.truthy):
2149         * wasm/js-api/test_basic_api.js:
2150         (const.c.in.constructorProperties.switch):
2151         * wasm/js-api/unique-signature.js:
2152         (CallIndirectWithDuplicateSignatures):
2153         * wasm/js-api/wrapper-function.js:
2154         * wasm/modules/table.wat:
2155         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
2156         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
2157         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
2158         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
2159         * wasm/references/anyref_table.js:
2160         * wasm/references/anyref_table_import.js:
2161         (doSet):
2162         (assert.throws):
2163         * wasm/references/func_ref.js:
2164         (makeFuncrefIdent):
2165         (assert.eq.instance.exports.fix):
2166         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
2167         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
2168         (let.importedFun.of):
2169         (makeAnyfuncIdent): Deleted.
2170         (makeAnyfuncIdent.fun): Deleted.
2171         * wasm/references/multitable.js:
2172         (assert.eq):
2173         (assert.throws):
2174         * wasm/references/table_misc.js:
2175         (GetLocal.0.TableFill.0.End.End.WebAssembly):
2176         * wasm/references/validation.js:
2177         (assert.throws.new.WebAssembly.Module.bin):
2178         (assert.throws):
2179         * wasm/spec-harness/index.js:
2180         * wasm/spec-harness/wasm-constants.js:
2181         * wasm/spec-harness/wasm-module-builder.js:
2182         (WasmModuleBuilder.prototype.toArray):
2183         * wasm/spec-harness/wast.js:
2184         (elem_type):
2185         (string_of_elem_type):
2186         (string_of_table_type):
2187         * wasm/spec-tests/jsapi.js:
2188         * wasm/stress/wasm-table-grow-initialize.js:
2189         * wasm/wasm.json:
2190
2191 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2192
2193         [WASM-References] Add support for Table.size, grow and fill instructions
2194         https://bugs.webkit.org/show_bug.cgi?id=198761
2195
2196         Reviewed by Yusuke Suzuki.
2197
2198         * wasm/Builder_WebAssemblyBinary.js:
2199         (const.putOp):
2200         * wasm/references/table_misc.js: Added.
2201         (TableSize.End.End.WebAssembly):
2202         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2203         * wasm/wasm.json:
2204
2205 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2206
2207         [WASM-References] Add support for multiple tables
2208         https://bugs.webkit.org/show_bug.cgi?id=198760
2209
2210         Reviewed by Saam Barati.
2211
2212         * wasm/Builder.js:
2213         * wasm/js-api/call-indirect.js:
2214         (const.oneTable):
2215         (const.multiTable):
2216         (multiTable):
2217         (multiTable.Polyphic2Import):
2218         (multiTable.VirtualImport):
2219         (const.wasmModuleWhichImportJS): Deleted.
2220         (const.makeTable): Deleted.
2221         (): Deleted.
2222         (Polyphic2Import): Deleted.
2223         (VirtualImport): Deleted.
2224         * wasm/js-api/table.js:
2225         (new.WebAssembly.Module):
2226         (assert.throws):
2227         (assertBadTableImport):
2228         (assert.truthy):
2229         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2230         * wasm/references/anyref_table.js:
2231         * wasm/references/anyref_table_import.js:
2232         (makeImport):
2233         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2234         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2235         * wasm/references/multitable.js: Added.
2236         (assert.throws.1.exports.set_tbl0):
2237         (assert.throws):
2238         (assert.eq):
2239         * wasm/references/validation.js:
2240         (assert.throws.new.WebAssembly.Module.bin):
2241         (assert.throws):
2242         * wasm/spec-tests/imports.wast.js:
2243         * wasm/wasm.json:
2244
2245         * wasm/Builder.js:
2246         * wasm/js-api/call-indirect.js:
2247         (const.oneTable):
2248         (const.multiTable):
2249         (multiTable):
2250         (multiTable.Polyphic2Import):
2251         (multiTable.VirtualImport):
2252         (const.wasmModuleWhichImportJS): Deleted.
2253         (const.makeTable): Deleted.
2254         (): Deleted.
2255         (Polyphic2Import): Deleted.
2256         (VirtualImport): Deleted.
2257         * wasm/js-api/table.js:
2258         (new.WebAssembly.Module):
2259         (assert.throws):
2260         (assertBadTableImport):
2261         (assert.truthy):
2262         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2263         * wasm/references/anyref_table.js:
2264         * wasm/references/anyref_table_import.js:
2265         (makeImport):
2266         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2267         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2268         * wasm/references/func_ref.js:
2269         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2270         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2271         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2272         * wasm/references/multitable.js: Added.
2273         (assert.throws.1.exports.set_tbl0):
2274         (assert.throws):
2275         (assert.eq):
2276         (string_appeared_here.tableInsanity):
2277         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2278         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2279         * wasm/references/validation.js:
2280         (assert.throws.new.WebAssembly.Module.bin):
2281         (assert.throws):
2282         * wasm/spec-tests/imports.wast.js:
2283         * wasm/wasm.json:
2284
2285 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2286
2287         [ESNExt] String.prototype.matchAll
2288         https://bugs.webkit.org/show_bug.cgi?id=186694
2289
2290         Reviewed by Yusuke Suzuki.
2291
2292         Implement String.prototype.matchAll.
2293         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2294
2295         * test262/config.yaml:
2296
2297 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2298
2299         DFG code should not reify the names of builtin functions with private names
2300         https://bugs.webkit.org/show_bug.cgi?id=198849
2301         <rdar://problem/51733890>
2302
2303         Reviewed by Filip Pizlo.
2304
2305         * stress/builtin-private-function-name.js: Added.
2306         (then):
2307         (PromiseLike):
2308
2309 2019-06-18  Keith Miller  <keith_miller@apple.com>
2310
2311         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2312         https://bugs.webkit.org/show_bug.cgi?id=198969
2313         <rdar://problem/51620714>
2314
2315         Reviewed by Tadeu Zagallo.
2316
2317         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2318         (catch):
2319
2320 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2321
2322         Validate that table element type is funcref if using an element section
2323         https://bugs.webkit.org/show_bug.cgi?id=198910
2324
2325         Reviewed by Yusuke Suzuki.
2326
2327         * wasm/references/anyref_table.js:
2328
2329 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2330
2331         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2332         https://bugs.webkit.org/show_bug.cgi?id=197378
2333
2334         Reviewed by Saam Barati.
2335
2336         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2337         (foo):
2338         (bar):
2339         * stress/disposable-call-site-index.js: Added.
2340         (foo):
2341         (bar):
2342
2343 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2344
2345         [WASM-References] Add support for Funcref in parameters and return types
2346         https://bugs.webkit.org/show_bug.cgi?id=198157
2347
2348         Reviewed by Yusuke Suzuki.
2349
2350         * wasm/Builder.js:
2351         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2352         * wasm/references/anyref_globals.js:
2353         * wasm/references/func_ref.js: Added.
2354         (fullGC.gc.makeExportedFunction):
2355         (makeExportedIdent):
2356         (makeAnyfuncIdent):
2357         (fun):
2358         (assert.eq.instance.exports.fix.fun):
2359         (assert.eq.instance.exports.fix):
2360         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2361         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2362         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2363         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2364         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2365         (assert.throws):
2366         (assert.throws.doTest):
2367         (let.importedFun.of):
2368         (makeAnyfuncIdent.fun):
2369         * wasm/references/validation.js:
2370         (assert.throws):
2371         * wasm/wasm.json:
2372
2373 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2374
2375         Update test262 tests (2019.06.13)
2376         https://bugs.webkit.org/show_bug.cgi?id=198821
2377
2378         Reviewed by Konstantin Tokarev.
2379
2380         * test262/expectations.yaml:
2381         * test262/harness/:
2382         * test262/latest-changes-summary.txt:
2383         * test262/test/:
2384         * test262/test262-Revision.txt:
2385
2386 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2387
2388         [JSC] Grown region of WasmTable should be initialized with null
2389         https://bugs.webkit.org/show_bug.cgi?id=198903
2390
2391         Reviewed by Saam Barati.
2392
2393         * wasm/stress/wasm-table-grow-initialize.js: Added.
2394         (shouldBe):
2395
2396 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2397
2398         Yarr bytecode compilation failure should be gracefully handled
2399         https://bugs.webkit.org/show_bug.cgi?id=198700
2400
2401         Reviewed by Michael Saboff.
2402
2403         * stress/regexp-bytecode-compilation-fail.js: Added.
2404         (shouldThrow):
2405
2406 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2407
2408         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2409         https://bugs.webkit.org/show_bug.cgi?id=198770
2410
2411         Reviewed by Saam Barati.
2412
2413         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2414         (test):
2415
2416 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2417
2418         JSC should throw if proxy set returns falsish in strict mode context
2419         https://bugs.webkit.org/show_bug.cgi?id=177398
2420
2421         Reviewed by Yusuke Suzuki.
2422
2423         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2424         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2425
2426         * stress/proxy-set.js: Add 2 test cases.
2427         * stress/regexp-match-proxy.js: Fix test.
2428         * stress/regexp-replace-proxy.js: Fix test.
2429
2430 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2431
2432         Error message for non-callable Proxy `construct` trap is misleading
2433         https://bugs.webkit.org/show_bug.cgi?id=198637
2434
2435         Reviewed by Saam Barati.
2436
2437         * stress/proxy-construct.js:
2438
2439 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2440
2441         AI BitURShift's result should not be unsigned
2442         https://bugs.webkit.org/show_bug.cgi?id=198689
2443         <rdar://problem/51550063>
2444
2445         Reviewed by Saam Barati.
2446
2447         * stress/urshift-int32-overflow.js: Added.
2448         (foo.):
2449         (foo):
2450
2451 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2452
2453         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2454
2455         Unreviewed gardening.
2456
2457         * stress/ftl-gettypedarrayoffset-wasteful.js:
2458         Skipped on arm/linux as it always times out on the bot since a change
2459         between r246270 and r246278 inclusive.
2460
2461 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2462
2463         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2464         https://bugs.webkit.org/show_bug.cgi?id=198023
2465
2466         Reviewed by Saam Barati.
2467
2468         * stress/reparsing-unlinked-codeblock.js: Added.
2469         (shouldBe):
2470         (hello):
2471
2472 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2473
2474         [JSC] Use mergePrediction in ValuePow prediction propagation
2475         https://bugs.webkit.org/show_bug.cgi?id=198648
2476
2477         Reviewed by Saam Barati.
2478
2479         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2480
2481 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2482
2483         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2484         https://bugs.webkit.org/show_bug.cgi?id=198581
2485         <rdar://problem/51099753>
2486
2487         Reviewed by Saam Barati.
2488
2489         * stress/global-object-proto-getter.js: Added.
2490         (f):
2491         (test):
2492
2493 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2494
2495         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2496         https://bugs.webkit.org/show_bug.cgi?id=198398
2497
2498         Reviewed by Saam Barati.
2499
2500         * wasm/references/anyref_table.js: Added.
2501         (string_appeared_here.doGCSet):
2502         (doGCTest):
2503         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2504         * wasm/references/anyref_table_import.js: Added.
2505         (makeImport):
2506         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2507         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2508         * wasm/references/is_null_error.js: Removed.
2509         * wasm/references/validation.js: Added.
2510         (assert.throws.new.WebAssembly.Module.bin):
2511         (assert.throws):
2512         * wasm/wasm.json:
2513
2514 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2515
2516         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2517         https://bugs.webkit.org/show_bug.cgi?id=198106
2518
2519         Reviewed by Saam Barati.
2520
2521         * wasm/regress/selectf64.js: Added.
2522         * wasm/regress/selectf64.wasm: Added.
2523         * wasm/regress/selectf64.wat: Added.
2524
2525 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2526
2527         Argument elimination should check transitive dependents for interference
2528         https://bugs.webkit.org/show_bug.cgi?id=198520
2529         <rdar://problem/50863343>
2530
2531         Reviewed by Filip Pizlo.
2532
2533         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2534         (f2):
2535         (f3):
2536
2537 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2538
2539         Argument elimination should check for negative indices in GetByVal
2540         https://bugs.webkit.org/show_bug.cgi?id=198302
2541         <rdar://problem/51188095>
2542
2543         Reviewed by Filip Pizlo.
2544
2545         * stress/eliminate-arguments-negative-rest-access.js: Added.
2546         (inlinee):
2547         (opt):
2548
2549 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2550
2551         [ESNext][BigInt] Implement support for "**"
2552         https://bugs.webkit.org/show_bug.cgi?id=190799
2553
2554         Reviewed by Saam Barati.
2555
2556         * stress/big-int-exp-basic.js: Added.
2557         * stress/big-int-exp-jit-osr.js: Added.
2558         * stress/big-int-exp-jit-untyped.js: Added.
2559         * stress/big-int-exp-jit.js: Added.
2560         * stress/big-int-exp-negative-exponent.js: Added.
2561         * stress/big-int-exp-to-primitive.js: Added.
2562         * stress/big-int-exp-type-error.js: Added.
2563         * stress/big-int-exp-wrapped-value.js: Added.
2564         * stress/value-pow-ai-rule.js: Added.
2565
2566 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2567
2568         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2569         https://bugs.webkit.org/show_bug.cgi?id=197979
2570
2571         Reviewed by Filip Pizlo.
2572
2573         * stress/16bit-code.js: Added.
2574         (shouldBe):
2575         * stress/32bit-code.js: Added.
2576         (shouldBe):
2577
2578 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2579
2580         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2581         https://bugs.webkit.org/show_bug.cgi?id=198355
2582
2583         Reviewed by Saam Barati.
2584
2585         * wasm/references/is_null.js:
2586
2587 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2588
2589         [PlayStation] Skip additional tests on PlayStation
2590         https://bugs.webkit.org/show_bug.cgi?id=198352
2591
2592         Reviewed by Don Olmstead.
2593
2594         Skip pow test on PlayStation due to behavior difference in standard library.
2595         Skip incremental marking test due to OOM on PlayStation systems.
2596
2597         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2598         * stress/math-pow-with-constants.js:
2599         * stress/pow-with-constants.js:
2600
2601 2019-05-28  Dean Jackson  <dino@apple.com>
2602
2603         Implement Promise.allSettled
2604         https://bugs.webkit.org/show_bug.cgi?id=197600
2605         <rdar://problem/50483885>
2606
2607         Reviewed by Keith Miller.
2608
2609         Start testing Promise.allSettled. We pass most of the tests.
2610         The ones that fail are similar to the Promise.all tests we already fail.
2611
2612         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2613         * test262/expectations.yaml: Add new expectations for allSettled tests.
2614
2615 2019-05-28  Michael Saboff  <msaboff@apple.com>
2616
2617         [YARR] Properly handle RegExp's that require large ParenContext space
2618         https://bugs.webkit.org/show_bug.cgi?id=198065
2619
2620         Reviewed by Keith Miller.
2621
2622         New test.
2623
2624         * stress/regexp-large-paren-context.js: Added.
2625         (testLargeRegExp):
2626
2627 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2628
2629         JITOperations putByVal should mark negative array indices as out-of-bounds
2630         https://bugs.webkit.org/show_bug.cgi?id=198271
2631
2632         Reviewed by Saam Barati.
2633
2634         * microbenchmarks/get-by-val-negative-array-index.js:
2635         (foo):
2636         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2637         is 4.2x faster than the previous commit.
2638
2639         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2640         (foo):
2641
2642 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2643
2644         JITOperations getByVal should mark negative array indices as out-of-bounds
2645         https://bugs.webkit.org/show_bug.cgi?id=198229
2646
2647         Reviewed by Saam Barati.
2648
2649         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2650         (foo):
2651
2652 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2653
2654         [WASM-References] Support Anyref in globals
2655         https://bugs.webkit.org/show_bug.cgi?id=198102
2656
2657         Reviewed by Saam Barati.
2658
2659         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2660
2661         * wasm/Builder.js:
2662         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2663         * wasm/Builder_WebAssemblyBinary.js:
2664         (const.putInitExpr):
2665         * wasm/references/anyref_globals.js: Added.
2666         (GetGlobal.0.End.End.WebAssembly):
2667         (5.doGCSet):
2668         (doGCTest):
2669         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2670
2671 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2672
2673         DFG::OSREntry should not perform arity check
2674         https://bugs.webkit.org/show_bug.cgi?id=198189
2675
2676         Reviewed by Saam Barati.
2677
2678         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2679         (foo):
2680
2681 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2682
2683         [PlayStation] Skip additional tests on PlayStation
2684         https://bugs.webkit.org/show_bug.cgi?id=198145
2685
2686         Reviewed by Ross Kirsling.
2687
2688         * exceptionFuzz.yaml:
2689         Add skip on hostOS playstation
2690         * executableAllocationFuzz.yaml:
2691         Add skip on hostOS playstation
2692
2693 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2694
2695         createListFromArrayLike should throw if value is not an object
2696         https://bugs.webkit.org/show_bug.cgi?id=198138
2697
2698         Reviewed by Yusuke Suzuki.
2699
2700         * stress/create-list-from-array-like-not-object.js: Added.
2701         (testValid):
2702         (testInvalid):
2703         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2704         (opt):
2705         * stress/proxy-proto-enumerator.js: Added.
2706         (main):
2707         * stress/proxy-proto-own-keys.js: Added.
2708         (assert):
2709         (ownKeys):
2710
2711 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2712
2713         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2714         https://bugs.webkit.org/show_bug.cgi?id=197809
2715
2716         Reviewed by Michael Saboff.
2717
2718         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2719         (foo):
2720
2721 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2722
2723         [ESNext] Implement support for Numeric Separators
2724         https://bugs.webkit.org/show_bug.cgi?id=196351
2725
2726         Reviewed by Keith Miller.
2727
2728         * stress/numeric-literal-separators.js: Added.
2729         Add tests for feature.
2730
2731         * test262/expectations.yaml:
2732         Mark 60 test cases as passing.
2733
2734 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2735
2736         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2737         https://bugs.webkit.org/show_bug.cgi?id=198120
2738         <rdar://problem/49668795>
2739
2740         Reviewed by Michael Saboff.
2741
2742         * stress/get-array-length-concurrently-change-mode.js: Added.
2743         (main):
2744
2745 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2746
2747         Unreviewed, rolling out r245634.
2748         https://bugs.webkit.org/show_bug.cgi?id=198140
2749
2750         'This patch makes JSC crash on launch in debug builds'
2751         (Requested by tadeuzagallo on #webkit).
2752
2753         Reverted changeset:
2754
2755         "[ESNext] Implement support for Numeric Separators"
2756         https://bugs.webkit.org/show_bug.cgi?id=196351
2757         https://trac.webkit.org/changeset/245634
2758
2759 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2760
2761         Stack-buffer-overflow in decodeURIComponent
2762         https://bugs.webkit.org/show_bug.cgi?id=198109
2763         <rdar://problem/50397550>
2764
2765         Reviewed by Michael Saboff.
2766
2767         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2768         (i.j.try.i.toString):
2769         (i.j.catch):
2770
2771 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2772
2773         Don't clear PropertyNameArray in Proxy code
2774         https://bugs.webkit.org/show_bug.cgi?id=197691
2775
2776         Reviewed by Saam Barati.
2777
2778         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2779         (shouldBe):
2780         (opt):
2781
2782 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2783
2784         [ESNext] Implement support for Numeric Separators
2785         https://bugs.webkit.org/show_bug.cgi?id=196351
2786
2787         Reviewed by Keith Miller.
2788
2789         * stress/numeric-literal-separators.js: Added.
2790         Add tests for feature.
2791
2792         * test262/expectations.yaml:
2793         Mark 60 test cases as passing.
2794
2795 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2796
2797         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2798         https://bugs.webkit.org/show_bug.cgi?id=198101
2799
2800         Reviewed by Michael Saboff.
2801
2802         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2803         (shouldBe):
2804
2805 2019-05-20  Keith Miller  <keith_miller@apple.com>
2806
2807         Cleanup Yarr regexp code around paren contexts.
2808         https://bugs.webkit.org/show_bug.cgi?id=198063
2809
2810         Reviewed by Yusuke Suzuki.
2811
2812         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2813         (i.s):
2814         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2815
2816 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2817
2818         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2819         https://bugs.webkit.org/show_bug.cgi?id=197969
2820
2821         Reviewed by Keith Miller.
2822
2823         Support the anyref type in Builder.js, plus add some extra error logging.
2824         Add new folder for wasm references tests.
2825
2826         * wasm.yaml:
2827         * wasm/Builder.js:
2828         (const._isValidValue):
2829         * wasm/references/anyref_modules.js: Added.
2830         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2831         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2832         (Call.3.RefIsNull.End.End.WebAssembly):
2833         (undefined):
2834         * wasm/references/is_null.js: Added.
2835         * wasm/references/is_null_error.js: Added.
2836         * wasm/spec-harness/index.js:
2837         * wasm/wasm.json:
2838
2839 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2840
2841         [JSC] Invalid AssignmentTargetType should be an early error.
2842         https://bugs.webkit.org/show_bug.cgi?id=197603
2843
2844         Reviewed by Keith Miller.
2845
2846         * test262/expectations.yaml:
2847         Update expectations to reflect new SyntaxErrors.
2848         (Ideally, these should all be viewed as passing in the near future.)
2849
2850         * stress/async-await-basic.js:
2851         * stress/big-int-literals.js:
2852         Update tests to reflect new SyntaxErrors.
2853
2854         * ChakraCore.yaml:
2855         * ChakraCore/test/EH/try6.baseline-jsc:
2856         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2857         Update baselines to reflect new SyntaxErrors.
2858
2859 2019-05-15  Saam Barati  <sbarati@apple.com>
2860
2861         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2862         https://bugs.webkit.org/show_bug.cgi?id=197855
2863         <rdar://problem/50236506>
2864
2865         Reviewed by Michael Saboff.
2866
2867         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2868         (f0):
2869         (bar):
2870         (foo):
2871         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2872         (f1):
2873         (f2):
2874         (foo):
2875
2876 2019-05-14  Keith Miller  <keith_miller@apple.com>
2877
2878         Fix issue with byteOffset on ARM64E
2879         https://bugs.webkit.org/show_bug.cgi?id=197884
2880
2881         Reviewed by Saam Barati.
2882
2883         We didn't have any tests that run with non-byte/non-zero offset
2884         typed arrays.
2885
2886         * stress/ftl-gettypedarrayoffset-wasteful.js:
2887
2888 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2889
2890         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2891         https://bugs.webkit.org/show_bug.cgi?id=197833
2892
2893         Reviewed by Darin Adler.
2894
2895         * stress/generator-name.js: Added.
2896         (shouldBe):
2897         (gen):
2898         (catch):
2899
2900 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2901
2902         JSObject::getOwnPropertyDescriptor is missing an exception check
2903         https://bugs.webkit.org/show_bug.cgi?id=197693
2904         <rdar://problem/50441784>
2905
2906         Reviewed by Saam Barati.
2907
2908         * stress/proxy-spread.js: Added.
2909         (foo):
2910
2911 2019-05-10  Saam barati  <sbarati@apple.com>
2912
2913         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2914         https://bugs.webkit.org/show_bug.cgi?id=197807
2915         <rdar://problem/50530400>
2916
2917         Reviewed by Yusuke Suzuki.
2918
2919         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2920         (test.getInstance):
2921         (test):
2922
2923 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2924
2925         [Test262] Unreviewed expectations update following r245188.
2926
2927         * test262/config.yaml:
2928         * test262/expectations.yaml:
2929
2930         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2931         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2932         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2933         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2934         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2935         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2936         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2937         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2938         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2939         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2940         These files have invalid YAML comments. Will also submit corrections back to Test262.
2941
2942 2019-05-10  Keith Miller  <keith_miller@apple.com>
2943
2944         Update test262 tests.
2945
2946         Rubber-stamped by Yusuke Suzuki.
2947
2948         * test262/*: mega-patch too many things to list individually.
2949
2950 2019-05-09  Keith Miller  <keith_miller@apple.com>
2951
2952         Unreview, fix test to have a try-catch.
2953
2954         * stress/many-nested-functions-parser-stack-overflow.js:
2955         (catch):
2956
2957 2019-05-09  Keith Miller  <keith_miller@apple.com>
2958
2959         parseStatementListItem needs a stack overflow check
2960         https://bugs.webkit.org/show_bug.cgi?id=197749
2961
2962         Reviewed by Saam Barati.
2963
2964         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2965
2966 2019-05-08  Saam barati  <sbarati@apple.com>
2967
2968         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2969         https://bugs.webkit.org/show_bug.cgi?id=197715
2970         <rdar://problem/50399252>
2971
2972         Reviewed by Filip Pizlo.
2973
2974         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2975         (foo):
2976         (bar):
2977
2978 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2979
2980         Unreviewed, rolling out r245068.
2981
2982         Caused debug layout tests to exit early due to an assertion
2983         failure.
2984
2985         Reverted changeset:
2986
2987         "All prototypes should call didBecomePrototype()"
2988         https://bugs.webkit.org/show_bug.cgi?id=196315
2989         https://trac.webkit.org/changeset/245068
2990
2991 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2992
2993         Invalid DFG JIT genereation in high CPU usage state
2994         https://bugs.webkit.org/show_bug.cgi?id=197453
2995
2996         Reviewed by Saam Barati.
2997
2998         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2999         (trigger):
3000         (main):
3001
3002 2019-05-08  Robin Morisset  <rmorisset@apple.com>
3003
3004         All prototypes should call didBecomePrototype()
3005         https://bugs.webkit.org/show_bug.cgi?id=196315
3006
3007         Reviewed by Saam Barati.
3008
3009         This changelog already landed, but the commit was missing the actual changes.
3010
3011         * stress/function-prototype-indexed-accessor.js: Added.
3012
3013 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
3014
3015         [BigInt] Add ValueMod into DFG
3016         https://bugs.webkit.org/show_bug.cgi?id=186174
3017
3018         Reviewed by Saam Barati.
3019
3020         * microbenchmarks/mod-untyped.js: Added.
3021         * stress/big-int-mod-osr.js: Added.
3022         * stress/value-div-ai-rule.js: Added.
3023         * stress/value-mod-ai-rule.js: Added.
3024
3025 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3026
3027         [JSC] DFG_ASSERT failed in lowInt52
3028         https://bugs.webkit.org/show_bug.cgi?id=197569
3029
3030         Reviewed by Saam Barati.
3031
3032         * stress/getstack-int52.js: Added.
3033         (opt):
3034         (main):
3035
3036 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3037
3038         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
3039         https://bugs.webkit.org/show_bug.cgi?id=197479
3040
3041         Reviewed by Saam Barati.
3042
3043         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
3044         (shouldBe):
3045
3046 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
3047
3048         TemplateObject passed to template literal tags are not always identical for the same source location.
3049         https://bugs.webkit.org/show_bug.cgi?id=190756
3050
3051         Reviewed by Saam Barati.
3052
3053         * complex.yaml:
3054         * complex/tagged-template-regeneration-after.js: Added.
3055         (shouldBe):
3056         * complex/tagged-template-regeneration.js: Added.
3057         (call):
3058         (test):
3059         * modules/tagged-template-inside-module.js: Added.
3060         (from.string_appeared_here.call):
3061         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3062         (call):
3063         (export.otherTaggedTemplates):
3064         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3065         (shouldBe):
3066         (call):
3067         (poly):
3068         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3069         (shouldBe):
3070         (call):
3071         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
3072         (shouldBe):
3073         (call):
3074         (test):
3075         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3076         (shouldBe):
3077         (call):
3078         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3079         (shouldBe):
3080         (call):
3081         * stress/tagged-templates-in-multiple-functions.js: Added.
3082         (shouldBe):
3083         (call):
3084         (a):
3085         (b):
3086         (c):
3087         * stress/tagged-templates-with-same-start-offset.js: Added.
3088         (shouldBe):
3089
3090 2019-05-07  Robin Morisset  <rmorisset@apple.com>
3091
3092         All prototypes should call didBecomePrototype()
3093         https://bugs.webkit.org/show_bug.cgi?id=196315
3094
3095         Reviewed by Saam Barati.
3096
3097         * stress/function-prototype-indexed-accessor.js: Added.
3098
3099 2019-05-07  Commit Queue  <commit-queue@webkit.org>
3100
3101         Unreviewed, rolling out r244978.
3102         https://bugs.webkit.org/show_bug.cgi?id=197671
3103
3104         TemplateObject map should use start/end offsets (Requested by
3105         yusukesuzuki on #webkit).
3106
3107         Reverted changeset:
3108
3109         "TemplateObject passed to template literal tags are not always
3110         identical for the same source location."
3111         https://bugs.webkit.org/show_bug.cgi?id=190756
3112         https://trac.webkit.org/changeset/244978
3113
3114 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
3115
3116         tryCachePutByID should not crash if target offset changes
3117         https://bugs.webkit.org/show_bug.cgi?id=197311
3118         <rdar://problem/48033612>
3119
3120         Reviewed by Filip Pizlo.
3121
3122         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
3123         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
3124
3125         * stress/cache-put-by-id-delete-prototype.js: Added.
3126         (A.prototype.set y):
3127         (A):
3128         (B.prototype.set y):
3129         (B):
3130         (C):
3131         * stress/cache-put-by-id-different-__proto__.js: Added.
3132         (A.prototype.set y):
3133         (A):
3134         (B1):
3135         (B2.prototype.set y):
3136         (B2):
3137         (C):
3138         (D):
3139         * stress/cache-put-by-id-different-attributes.js: Added.
3140         (Foo):
3141         (set x):
3142         * stress/cache-put-by-id-different-offset.js: Added.
3143         (Foo):
3144         (set x):
3145         * stress/cache-put-by-id-insert-prototype.js: Added.
3146         (A.prototype.set y):
3147         (A):
3148         (C):
3149         * stress/cache-put-by-id-poly-proto.js: Added.
3150         (Foo):
3151         (set _):
3152         (createBar.Bar):
3153         (createBar):
3154
3155 2019-05-07  Saam Barati  <sbarati@apple.com>
3156
3157         Don't OSR enter into an FTL CodeBlock that has been jettisoned
3158         https://bugs.webkit.org/show_bug.cgi?id=197531
3159         <rdar://problem/50162379>
3160
3161         Reviewed by Yusuke Suzuki.
3162
3163         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
3164
3165 2019-05-06  Dean Jackson  <dino@apple.com>
3166
3167         Update test262 expectations for Proxy passes
3168         https://bugs.webkit.org/show_bug.cgi?id=197628
3169
3170         Reviewed by Yusuke Suzuki.
3171
3172         There are two consistent passes in Proxy.ownKeys.
3173
3174         * test262/expectations.yaml:
3175
3176 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3177
3178         [JSC] We should check OOM for description string of Symbol
3179         https://bugs.webkit.org/show_bug.cgi?id=197634
3180
3181         Reviewed by Keith Miller.
3182
3183         * stress/check-symbol-description-oom.js: Added.
3184         (shouldThrow):
3185
3186 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3187
3188         Unreviewed, land one more test
3189         https://bugs.webkit.org/show_bug.cgi?id=197587
3190
3191         * stress/setter-frame-flush.js: Added.
3192         (setter):
3193         (foo):
3194         (bar):
3195
3196 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3197
3198         TemplateObject passed to template literal tags are not always identical for the same source location.
3199         https://bugs.webkit.org/show_bug.cgi?id=190756
3200
3201         Reviewed by Saam Barati.
3202
3203         * complex.yaml:
3204         * complex/tagged-template-regeneration-after.js: Added.
3205         (shouldBe):
3206         * complex/tagged-template-regeneration.js: Added.
3207         (call):
3208         (test):
3209         * modules/tagged-template-inside-module.js: Added.
3210         (from.string_appeared_here.call):
3211         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3212         (call):
3213         (export.otherTaggedTemplates):
3214         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3215         (shouldBe):
3216         (call):
3217         (poly):
3218         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3219         (shouldBe):
3220         (call):
3221         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3222         (shouldBe):
3223         (call):
3224         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3225         (shouldBe):
3226         (call):
3227         * stress/tagged-templates-in-multiple-functions.js: Added.
3228         (shouldBe):
3229         (call):
3230         (a):
3231         (b):
3232         (c):
3233
3234 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3235
3236         [PlayStation] JSC Stress tests failing due to timezone printing
3237         https://bugs.webkit.org/show_bug.cgi?id=197615
3238
3239         PlayStation's strftime does not give timezone strings, which
3240         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3241         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3242         which causes diff failures with the expectations. Add expectations
3243         without the timezone string and use those on playstation.
3244
3245         Reviewed by Ross Kirsling.
3246
3247         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3248         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3249         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3250         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3251
3252 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3253
3254         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3255         https://bugs.webkit.org/show_bug.cgi?id=197587
3256
3257         Reviewed by Sam Weinig.
3258
3259         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3260
3261         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3262
3263 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3264
3265         TypedArrays should not store properties that are canonical numeric indices
3266         https://bugs.webkit.org/show_bug.cgi?id=197228
3267         <rdar://problem/49557381>
3268
3269         Reviewed by Saam Barati.
3270
3271         * stress/array-species-config-array-constructor.js:
3272         (test):
3273         * stress/put-direct-index-broken-2.js:
3274         * stress/typed-array-canonical-numeric-index-string.js: Added.
3275         (makeTest.assert):
3276         (makeTest):
3277         (const.testInvalidIndices.makeTest.set assert):
3278         (const.testInvalidIndices.makeTest):
3279         (const.makeTestValidIndex.configurable.set assert):
3280         (const.makeTestValidIndex.configurable):
3281         * stress/typedarray-access-monomorphic-neutered.js:
3282         (checkNoException):
3283         (testNoException):
3284         (testFTLNoException):
3285         * stress/typedarray-access-neutered.js:
3286         (testNoException):
3287         * stress/typedarray-getownproperty-not-configurable.js:
3288         (foo):
3289         * test262/expectations.yaml:
3290
3291 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3292
3293         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3294         https://bugs.webkit.org/show_bug.cgi?id=197584
3295
3296         Reviewed by Saam Barati.
3297
3298         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3299         (X):
3300         (foo):
3301
3302 2019-05-03  Michael Saboff  <msaboff@apple.com>
3303
3304         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3305         https://bugs.webkit.org/show_bug.cgi?id=197586
3306
3307         Reviewed by Keith Miller.
3308
3309         We should only run one config of this test and only when we think we'll have the memory.
3310
3311         * stress/json-stringify-string-builder-overflow.js:
3312
3313 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3314
3315         [JSC] Generator CodeBlock generation should be idempotent
3316         https://bugs.webkit.org/show_bug.cgi?id=197552
3317
3318         Reviewed by Keith Miller.
3319
3320         Add complex.yaml, which controls how to run JSC shell more.
3321         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3322
3323         * complex.yaml: Added.
3324         * complex/generator-regeneration-after.js: Added.
3325         * complex/generator-regeneration.js: Added.
3326         (gen):
3327
3328 2019-05-02  Michael Saboff  <msaboff@apple.com>
3329
3330         Unreviewed rollout of r244862.
3331
3332         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3333
3334 2019-05-01  Saam barati  <sbarati@apple.com>
3335
3336         Baseline JIT should do argument value profiling after checking for stack overflow
3337         https://bugs.webkit.org/show_bug.cgi?id=197052
3338         <rdar://problem/50009602>
3339
3340         Reviewed by Yusuke Suzuki.
3341
3342         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3343
3344 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3345
3346         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3347         https://bugs.webkit.org/show_bug.cgi?id=197405
3348
3349         Reviewed by Saam Barati.
3350
3351         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3352         (foo):
3353         (test):
3354         (i.o.get f):
3355         (i.o.set f):
3356
3357 2019-05-01  Michael Saboff  <msaboff@apple.com>
3358
3359         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3360         https://bugs.webkit.org/show_bug.cgi?id=197485
3361
3362         Reviewed by Saam Barati.
3363
3364         New test.
3365
3366         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3367         (foo):
3368
3369 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3370
3371         Unreviewed correction to Test262 expectations following r244828.
3372
3373         * test262/expectations.yaml:
3374
3375 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3376
3377         Add memory-limited skipping to some tests generating very large strings
3378         https://bugs.webkit.org/show_bug.cgi?id=197437
3379
3380         Reviewed by Ross Kirsling.
3381
3382         * stress/StringObject-define-length-getter-rope-string-oom.js:
3383         * stress/create-error-out-of-memory-rope-string.js:
3384         * stress/string-16bit-repeat-overflow.js:
3385
3386 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3387
3388         Unreviewed, rolling out r244806.
3389         https://bugs.webkit.org/show_bug.cgi?id=197446
3390
3391         Causing Test262 and JSC test failures on multiple builds
3392         (Requested by ShawnRoberts on #webkit).
3393
3394         Reverted changeset:
3395
3396         "TypeArrays should not store properties that are canonical
3397         numeric indices"
3398         https://bugs.webkit.org/show_bug.cgi?id=197228
3399         https://trac.webkit.org/changeset/244806
3400
3401 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3402
3403         TypeArrays should not store properties that are canonical numeric indices
3404         https://bugs.webkit.org/show_bug.cgi?id=197228
3405         <rdar://problem/49557381>
3406
3407         Reviewed by Darin Adler.
3408
3409         * stress/typed-array-canonical-numeric-index-string.js: Added.
3410         (makeTest.assert):
3411         (makeTest):
3412         (const.testInvalidIndices.makeTest.set assert):
3413         (const.testInvalidIndices.makeTest):
3414         (const.testValidIndices.makeTest.set assert):
3415         (const.testValidIndices.makeTest):
3416
3417 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3418
3419         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3420         https://bugs.webkit.org/show_bug.cgi?id=197362
3421
3422         Reviewed by Saam Barati.
3423
3424         * stress/map-with-nan.js: Added.
3425         (shouldBe):
3426         (div):
3427         (NaN1):
3428         (NaN2):
3429         (NaN3):
3430         (NaN4):
3431         (NaN1NoInline):
3432         (NaN2NoInline):
3433         (NaN3NoInline):
3434         (NaN4NoInline):
3435         (test1):
3436         (test2):
3437         (test3):
3438         (test4):
3439         * stress/set-with-nan.js: Added.
3440         (shouldBe):
3441         (div):
3442         (NaN1):
3443         (NaN2):
3444         (NaN3):
3445         (NaN4):
3446         (NaN1NoInline):
3447         (NaN2NoInline):
3448         (NaN3NoInline):
3449         (NaN4NoInline):
3450         (test2):
3451         (test4):
3452
3453 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3454
3455         Unreviewed, rolling out r244708.
3456         https://bugs.webkit.org/show_bug.cgi?id=197334
3457
3458         "Broke the debug build" (Requested by rmorisset on #webkit).
3459
3460         Reverted changeset:
3461
3462         "All prototypes should call didBecomePrototype()"
3463         https://bugs.webkit.org/show_bug.cgi?id=196315
3464         https://trac.webkit.org/changeset/244708
3465
3466 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3467
3468         [JSC] linkPolymorphicCall now does GC
3469         https://bugs.webkit.org/show_bug.cgi?id=197306
3470
3471         Reviewed by Saam Barati.
3472
3473         * stress/link-polymorphic-call-can-gc.js: Added.
3474         (module):
3475         (instance):
3476
3477 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3478
3479         All prototypes should call didBecomePrototype()
3480         https://bugs.webkit.org/show_bug.cgi?id=196315
3481
3482         Reviewed by Saam Barati.
3483
3484         * stress/function-prototype-indexed-accessor.js: Added.
3485
3486 2019-04-23  Saam Barati  <sbarati@apple.com>
3487
3488         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3489         https://bugs.webkit.org/show_bug.cgi?id=196721
3490         <rdar://problem/49556479> 
3491
3492         Reviewed by Filip Pizlo.
3493
3494         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3495         (foo):
3496
3497 2019-04-19  Saam Barati  <sbarati@apple.com>
3498
3499         AbstractValue can represent more than int52
3500         https://bugs.webkit.org/show_bug.cgi?id=197118
3501         <rdar://problem/49969960>
3502
3503         Reviewed by Michael Saboff.
3504
3505         * stress/abstract-value-can-include-int52.js: Added.
3506         (foo):
3507         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3508
3509 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3510
3511         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3512         https://bugs.webkit.org/show_bug.cgi?id=197053
3513
3514         Reviewed by Saam Barati.
3515
3516         * stress/merge-string-builder-in-dfg.js: Added.
3517         (foo):
3518
3519 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3520
3521         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3522         https://bugs.webkit.org/show_bug.cgi?id=176810
3523
3524         Reviewed by Saam Barati.
3525
3526         Add tests for the DontEnum filtering, and variations of other tests
3527         take the DontEnum-filtering path.
3528
3529         * stress/proxy-own-keys.js:
3530         (i.catch):
3531         (set assert):
3532         (set add):
3533         (let.set new):
3534         (get let):
3535
3536 2019-04-15  Saam barati  <sbarati@apple.com>
3537
3538         Modify how we do SetArgument when we inline varargs calls
3539         https://bugs.webkit.org/show_bug.cgi?id=196712
3540         <rdar://problem/49605012>
3541
3542         Reviewed by Michael Saboff.
3543
3544         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3545         (foo):
3546
3547 2019-04-15  Saam barati  <sbarati@apple.com>
3548
3549         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3550         https://bugs.webkit.org/show_bug.cgi?id=196945
3551         <rdar://problem/49802750>
3552
3553         Reviewed by Filip Pizlo.
3554
3555         * stress/get-by-offset-should-use-correct-child.js: Added.
3556         (foo.bar):
3557         (foo):
3558
3559 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3560
3561         DFG should be able to constant fold Object.create() with a constant prototype operand
3562         https://bugs.webkit.org/show_bug.cgi?id=196886
3563
3564         Reviewed by Yusuke Suzuki.
3565
3566         Note that this new benchmark does not currently see a speedup with inlining removed.
3567         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3568
3569         * microbenchmarks/object-create-constant-prototype.js: Added.
3570         (test):
3571
3572 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3573
3574         Incremental bytecode cache should not append function updates when loaded from memory
3575         https://bugs.webkit.org/show_bug.cgi?id=196865
3576
3577         Reviewed by Filip Pizlo.
3578
3579         * stress/bytecode-cache-shared-code-block.js: Added.
3580         (b):
3581         (program):
3582
3583 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3584
3585         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3586         https://bugs.webkit.org/show_bug.cgi?id=196880
3587
3588         Reviewed by Yusuke Suzuki.
3589
3590         * stress/bytecode-cache-syntax-error.js: Added.
3591         (catch):
3592
3593 2019-04-12  Saam barati  <sbarati@apple.com>
3594
3595         r244079 logically broke shouldSpeculateInt52
3596         https://bugs.webkit.org/show_bug.cgi?id=196884
3597
3598         Reviewed by Yusuke Suzuki.
3599
3600         * microbenchmarks/int52-rand-function.js: Added.
3601         (Math.random):
3602
3603 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3604
3605         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3606         https://bugs.webkit.org/show_bug.cgi?id=196850
3607
3608         Reviewed by Saam Barati.
3609
3610         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3611         (foo):
3612
3613 2019-04-11  Saam barati  <sbarati@apple.com>
3614
3615         Remove invalid assertion in operationInstanceOfCustom
3616         https://bugs.webkit.org/show_bug.cgi?id=196842
3617         <rdar://problem/49725493>
3618
3619         Reviewed by Michael Saboff.
3620
3621         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3622
3623 2019-04-10  Saam Barati  <sbarati@apple.com>
3624
3625         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3626         https://bugs.webkit.org/show_bug.cgi?id=196801
3627         <rdar://problem/49771122>
3628
3629         Reviewed by Yusuke Suzuki.
3630
3631         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3632
3633 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3634
3635         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3636         https://bugs.webkit.org/show_bug.cgi?id=196746
3637
3638         Reviewed by Yusuke Suzuki.
3639
3640         * stress/cyclic-define-properties.js: Added.
3641         (foo):
3642
3643 2019-04-09  Saam barati  <sbarati@apple.com>
3644
3645         Clean up Int52 code and some bugs in it
3646         https://bugs.webkit.org/show_bug.cgi?id=196639
3647         <rdar://problem/49515757>
3648
3649         Reviewed by Yusuke Suzuki.
3650
3651         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3652
3653 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3654
3655         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3656         https://bugs.webkit.org/show_bug.cgi?id=196708
3657         <rdar://problem/49556803>
3658
3659         Reviewed by Yusuke Suzuki.
3660
3661         * stress/proxy-getter-stack-overflow.js: Added.
3662         (const.handler.get target):
3663         (const.handler.has):
3664         (try.with):
3665         (catch):
3666
3667 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3668
3669         [JSC] DFG should respect node's strict flag
3670         https://bugs.webkit.org/show_bug.cgi?id=196617
3671
3672         Reviewed by Saam Barati.
3673
3674         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3675         (shouldEqual):
3676         (makeUnwriteableUnconfigurableObject):
3677         (runTest):
3678         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3679         (shouldBe):
3680         (shouldThrow):
3681         (with.result):
3682         (with.putValueStrict):
3683         (with.putValueSloppy):
3684
3685 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3686
3687         [JSC] isRope jump in StringSlice should not jump over register allocations
3688         https://bugs.webkit.org/show_bug.cgi?id=196716
3689
3690         Reviewed by Saam Barati.
3691
3692         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3693         (foo.bar):
3694         (foo):
3695
3696 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3697
3698         [JSC] to_index_string should not assume incoming value is Uint32
3699         https://bugs.webkit.org/show_bug.cgi?id=196713
3700
3701         Reviewed by Saam Barati.
3702
3703         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
3704         (foo):
3705
3706 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3707
3708         [JSC] Add more tests for r243966
3709 &n