4f288e0df08739a2d1ea9499d41dc8c6fecdbf6f
[WebKit-https.git] / JSTests / ChangeLog
1 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
2
3         Date.prototype.toJSON does not execute steps 1-2
4         https://bugs.webkit.org/show_bug.cgi?id=105282
5
6         Reviewed by Ross Kirsling.
7
8         * test262/expectations.yaml: Mark 2 test cases as passing.
9
10 2019-09-12  Mark Lam  <mark.lam@apple.com>
11
12         Harden JSC against the abuse of runtime options.
13         https://bugs.webkit.org/show_bug.cgi?id=201597
14         <rdar://problem/55167068>
15
16         Reviewed by Filip Pizlo.
17
18         Remove the call to forceGCSlowPaths().  This utility function will be removed.
19         The modern way to set the required option is to use //@ requireOptions.
20
21         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
22
23 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
24
25         [JSC] Add StringCodePointAt intrinsic
26         https://bugs.webkit.org/show_bug.cgi?id=201673
27
28         Reviewed by Michael Saboff.
29
30         * stress/string-char-at-constant-index-out-of-range.js: Added.
31         (shouldBe):
32         (test):
33         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
34         (shouldBe):
35         (test):
36         * stress/string-code-point-at--out-of-range.js: Added.
37         (shouldBe):
38         (test):
39         * stress/string-code-point-at-basic.js: Added.
40         (test):
41         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
42         (shouldBe):
43         (test):
44         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
45         (shouldBe):
46         (test):
47         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
48         (shouldBe):
49         (test):
50         (breaking):
51         * stress/string-code-point-at-surrogate-pair.js: Added.
52         (shouldBe):
53         * stress/string-code-point-at.js: Added.
54         (shouldBe):
55
56 2019-09-10  Michael Saboff  <msaboff@apple.com>
57
58         JSC crashes due to stack overflow while building RegExp
59         https://bugs.webkit.org/show_bug.cgi?id=201649
60
61         Reviewed by Yusuke Suzuki.
62
63         New regression test.
64
65         * stress/regexp-bol-optimize-out-of-stack.js: Added.
66         (test):
67         (catch):
68
69 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
70
71         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
72         https://bugs.webkit.org/show_bug.cgi?id=189043
73
74         Reviewed by Keith Miller.
75
76         The offset performing the validation becomes a bit different.
77         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
78
79         * wasm/js-api/version.js:
80
81 2019-09-07  Keith Miller  <keith_miller@apple.com>
82
83         OSR entry into wasm misses some contexts
84         https://bugs.webkit.org/show_bug.cgi?id=201569
85
86         Reviewed by Yusuke Suzuki.
87
88         Add a new harness and wast and the generated wasm file for
89         testing. The idea long term is to make it easy to test by creating
90         a C file and converting it to a wast then modify that to produce a
91         test.
92
93         * wasm.yaml:
94         * wasm/wast-tests/harness.js: Added.
95         (async.runWasmFile):
96         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
97         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
98         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
99         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
100         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
101         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
102         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
103         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
104
105 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
106
107         [JSC] Promise resolve/reject functions should be created more efficiently
108         https://bugs.webkit.org/show_bug.cgi?id=201488
109
110         Reviewed by Mark Lam.
111
112         * microbenchmarks/promise-creation-many.js: Added.
113         (executor):
114
115 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
116
117         Unreviewed JSC test gardening.
118
119         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
120         This test allocates a 2GB string before it goes out and tests
121         out-of-memory exception when appending other strings to it. As such,
122         skip the test on memory-limited platforms.
123
124 2019-09-07  Mark Lam  <mark.lam@apple.com>
125
126         The jsc shell should allow disabling of the Gigacage for testing purposes.
127         https://bugs.webkit.org/show_bug.cgi?id=201579
128
129         Reviewed by Michael Saboff.
130
131         Unskip the tests now.
132
133         * stress/disable-gigacage-arrays.js:
134         * stress/disable-gigacage-strings.js:
135         * stress/disable-gigacage-typed-arrays.js:
136
137 2019-09-07  Mark Lam  <mark.lam@apple.com>
138
139         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
140
141         Not reviewed.
142
143         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
144
145         * stress/disable-gigacage-arrays.js:
146         * stress/disable-gigacage-strings.js:
147         * stress/disable-gigacage-typed-arrays.js:
148
149 2019-09-07  Mark Lam  <mark.lam@apple.com>
150
151         Gardening: speculative test fix to green bots [attempt #2].
152         https://bugs.webkit.org/show_bug.cgi?id=201529
153         <rdar://problem/53935772>
154
155         Not reviewed.
156
157         * stress/test-out-of-memory.js:
158
159 2019-09-06  Mark Lam  <mark.lam@apple.com>
160
161         Gardening: speculative test fix to green bots.
162         https://bugs.webkit.org/show_bug.cgi?id=201529
163         <rdar://problem/53935772>
164
165         Not reviewed.
166
167         * stress/test-out-of-memory.js:
168
169 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
170
171         Math.round() produces wrong result for value prior to 0.5
172         https://bugs.webkit.org/show_bug.cgi?id=185115
173
174         Reviewed by Saam Barati.
175
176         * stress/math-round-basics.js:
177         Add positive/negative test cases.
178
179         * test262/expectations.yaml:
180         Mark test passing.
181
182 2019-09-06  Mark Lam  <mark.lam@apple.com>
183
184         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
185         https://bugs.webkit.org/show_bug.cgi?id=201551
186
187         Reviewed by Tadeu Zagallo.
188
189         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
190
191         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
192         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
193
194 2019-09-06  Mark Lam  <mark.lam@apple.com>
195
196         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
197         https://bugs.webkit.org/show_bug.cgi?id=201529
198         <rdar://problem/53935772>
199
200         Reviewed by Yusuke Suzuki.
201
202         * stress/test-out-of-memory.js: Added.
203
204 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
205
206         LazyClassStructure::setConstructor should not store the constructor to the global object
207         https://bugs.webkit.org/show_bug.cgi?id=201484
208         <rdar://problem/50400451>
209
210         Reviewed by Yusuke Suzuki.
211
212         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
213
214 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
215
216         [JSC] Do not use FTLOutput::weakPointer directly
217         https://bugs.webkit.org/show_bug.cgi?id=201495
218
219         Reviewed by Filip Pizlo.
220
221         * stress/create-promise-weak-pointer.js: Added.
222         (foo):
223
224 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
225
226         [JSC] Make Promise implementation faster
227         https://bugs.webkit.org/show_bug.cgi?id=200898
228
229         Reviewed by Saam Barati.
230
231         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
232         (assert.assert.return.throws):
233         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
234         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
235         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
236         (shouldThrow):
237         (new.Promise):
238         (shouldThrow.Promise):
239         * stress/create-promise-should-respect-promise-realm.js: Added.
240         (shouldBe):
241         (other.new.OtherPromise):
242         (DerivedOtherPromise):
243         (i.promise.new.DerivedOtherPromise):
244         (createPromise):
245         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
246         (shouldBe):
247         (DerivedPromise):
248         (i.array.push.new.DerivedPromise):
249         (promise.new.DerivedPromise):
250         * stress/derived-promise-constructor-inlined.js: Added.
251         (shouldBe):
252         (DerivedPromise):
253         (i.array.push.new.DerivedPromise):
254         (DerivedPromise.all.array.then):
255         * stress/derived-promise-prototype-replaced.js: Added.
256         (shouldBe):
257         (DerivedPromise):
258         (i.array.push.new.DerivedPromise):
259         (promise.new.DerivedPromise):
260         * stress/internal-promise-constructor-not-confusing.js: Added.
261         (shouldBe):
262         (InternalPromise.vm.createBuiltin):
263         (DerivedPromise):
264         * stress/internal-promise-is-not-exposed.js: Added.
265         (shouldBe):
266         * stress/new-promise-should-respect-promise-realm.js: Added.
267         (shouldBe):
268         (other.new.OtherPromise):
269         (createPromise):
270         * stress/promise-cannot-be-called.js:
271         (shouldThrow):
272         * stress/promise-capability-fast-path.js: Added.
273         (shouldBe):
274         (i.array.push.new.Promise):
275         (i.array.i.then):
276         * stress/promise-capability-slow-path.js: Added.
277         (shouldBe):
278         (Promise.prototype.then):
279         (i.array.push.new.Promise):
280         (i.array.i.then):
281         * stress/promise-capability-then-slow-path.js: Added.
282         (shouldBe):
283         (DerivedPromise):
284         (DerivedPromise.prototype.then):
285         (i.array.push.new.DerivedPromise):
286         (i.array.i.then):
287         * stress/promise-constructor-inlined.js: Added.
288         (shouldBe):
289         (i.array.push.new.Promise):
290         (Promise.all.array.then):
291         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
292         (shouldBe):
293         (DerivedPromise):
294         (DerivedPromise2):
295         (i.array.push.new.DerivedPromise):
296         (i.array2.push.new.DerivedPromise2):
297         * stress/without-promise-functions.js: Added.
298         (shouldBe):
299         (async):
300
301 2019-09-03  Mark Lam  <mark.lam@apple.com>
302
303         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
304         https://bugs.webkit.org/show_bug.cgi?id=201309
305         <rdar://problem/54832121>
306
307         Reviewed by Yusuke Suzuki.
308
309         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
310
311 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
312
313         [JSC] Generate new.target register only when it is used
314         https://bugs.webkit.org/show_bug.cgi?id=201335
315
316         Reviewed by Mark Lam.
317
318         * stress/ensure-new-register-allocated.js: Added.
319         (shouldBe):
320         (basic):
321         (arrow):
322         (Base):
323         (Derived):
324         (evaluate):
325
326 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
327
328         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
329         https://bugs.webkit.org/show_bug.cgi?id=201331
330
331         Reviewed by Mark Lam.
332
333         * stress/simple-jump-table-copy.js: Added.
334         (let.code):
335         (g2):
336
337 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
338
339         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
340         https://bugs.webkit.org/show_bug.cgi?id=201332
341
342         Reviewed by Mark Lam.
343
344         This test is very flaky, it is hard to reproduce.
345
346         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
347         (code):
348
349 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
350
351         [JSC] Repatch should construct CallCases and CasesValue at the same time
352         https://bugs.webkit.org/show_bug.cgi?id=201325
353
354         Reviewed by Saam Barati.
355
356         * stress/repatch-switch.js: Added.
357         (main.f2.f0):
358         (main.f2.f3):
359         (main.f2.f1):
360         (main.f2):
361         (main):
362
363 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
364
365         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
366         https://bugs.webkit.org/show_bug.cgi?id=198650
367
368         Reviewed by Saam Barati.
369
370         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
371         (main.v0):
372         (main):
373
374 2019-08-28  Mark Lam  <mark.lam@apple.com>
375
376         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
377         https://bugs.webkit.org/show_bug.cgi?id=201281
378         <rdar://problem/54028228>
379
380         Reviewed by Yusuke Suzuki and Saam Barati.
381
382         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
383
384 2019-08-28  Mark Lam  <mark.lam@apple.com>
385
386         Placate exception check validation in DFG's operationHasGenericProperty().
387         https://bugs.webkit.org/show_bug.cgi?id=201245
388         <rdar://problem/54777512>
389
390         Reviewed by Robin Morisset.
391
392         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
393
394 2019-08-27  Mark Lam  <mark.lam@apple.com>
395
396         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
397         https://bugs.webkit.org/show_bug.cgi?id=201196
398         <rdar://problem/54703775>
399
400         Reviewed by Yusuke Suzuki.
401
402         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
403
404 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
405
406         [JSC] Ensure x?.y ?? z is fast
407         https://bugs.webkit.org/show_bug.cgi?id=200875
408
409         Reviewed by Yusuke Suzuki.
410
411         * stress/nullish-coalescing.js:
412
413 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
414
415         Remove MaximalFlushInsertionPhase
416         https://bugs.webkit.org/show_bug.cgi?id=201036
417
418         Reviewed by Saam Barati.
419
420         Remove all the references to maximal flush
421
422         * stress/arith-ceil-on-various-types.js:
423         (checkCompileCountForUselessNegativeZero):
424         * stress/arith-floor-on-various-types.js:
425         (checkCompileCountForUselessNegativeZero):
426         * stress/arith-negate-on-various-types.js:
427         (checkCompileCountForUselessNegativeZero):
428         * stress/arith-round-on-various-types.js:
429         (checkCompileCountForUselessNegativeZero):
430         * stress/arith-trunc-on-various-types.js:
431         (checkCompileCountForUselessNegativeZero):
432         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
433         * stress/has-indexed-property-should-accept-non-int32.js:
434         * stress/has-indexed-property-with-worsening-array-mode.js:
435         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
436         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
437         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
438         * stress/rest-parameter-many-arguments.js:
439         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
440         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
441         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
442
443 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
444
445         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
446         https://bugs.webkit.org/show_bug.cgi?id=200952
447
448         Reviewed by Saam Barati.
449
450         * wasm/references/func_ref.js:
451         (assert.throws):
452
453 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
454
455         Add missing exception check in canonicalizeLocaleList
456         https://bugs.webkit.org/show_bug.cgi?id=201021
457
458         Reviewed by Mark Lam.
459
460         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
461         (catch):
462
463 2019-08-21  Mark Lam  <mark.lam@apple.com>
464
465         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
466         https://bugs.webkit.org/show_bug.cgi?id=201016
467         <rdar://problem/54579911>
468
469         Reviewed by Yusuke Suzuki.
470
471         * wasm/stress/too-many-locals.js: Added.
472         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
473
474 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
475
476         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
477         https://bugs.webkit.org/show_bug.cgi?id=200965
478
479         Reviewed by Saam Barati.
480
481         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
482         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
483
484         * stress/optional-chaining.js:
485
486 2019-08-21  Michael Saboff  <msaboff@apple.com>
487
488         [JSC] incorrent JIT lead to StackOverflow
489         https://bugs.webkit.org/show_bug.cgi?id=197823
490
491         Reviewed by Tadeu Zagallo.
492
493         New test.
494
495         * stress/bound-function-stack-overflow.js: Added.
496         (foo):
497         (catch):
498
499 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
500
501         Identify memcpy loops in b3
502         https://bugs.webkit.org/show_bug.cgi?id=200181
503
504         Reviewed by Saam Barati.
505
506         * microbenchmarks/memcpy-loop.js: Added.
507         (doTest):
508         (let.arr1):
509         * microbenchmarks/memcpy-typed-loop-large.js: Added.
510         (doTest):
511         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
512         (arr2):
513         * microbenchmarks/memcpy-typed-loop-small.js: Added.
514         (doTest):
515         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
516         (16.arr2):
517         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
518         (doTest):
519         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
520         (arr2):
521         * microbenchmarks/memcpy-wasm-large.js: Added.
522         (typeof.WebAssembly.string_appeared_here.eq):
523         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
524         * microbenchmarks/memcpy-wasm-medium.js: Added.
525         (typeof.WebAssembly.string_appeared_here.eq):
526         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
527         * microbenchmarks/memcpy-wasm-small.js: Added.
528         (typeof.WebAssembly.string_appeared_here.eq):
529         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
530         * microbenchmarks/memcpy-wasm.js: Added.
531         (typeof.WebAssembly.string_appeared_here.eq):
532         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
533         * stress/memcpy-typed-loops.js: Added.
534         (noLoop):
535         (invalidStart):
536         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
537         (arr2):
538         * wasm/function-tests/memcpy-wasm-loop.js: Added.
539         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
540         (string_appeared_here):
541
542 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
543
544         [JSC] Array.prototype.toString should not get "join" function each time
545         https://bugs.webkit.org/show_bug.cgi?id=200905
546
547         Reviewed by Mark Lam.
548
549         * stress/array-prototype-join-change.js: Added.
550         (shouldBe):
551         (array2.join):
552         (DerivedArray):
553         (DerivedArray.prototype.join):
554         (array3.__proto__.join):
555         (Array.prototype.join):
556
557 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
558
559         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
560         https://bugs.webkit.org/show_bug.cgi?id=200782
561
562         Reviewed by Saam Barati.
563
564         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
565
566         * microbenchmarks/memcpy-typed-loop.js:
567         * stress/int8-repeat-in-then-out-of-bounds.js:
568
569 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
570
571         Proxy constructor should throw if handler is revoked Proxy
572         https://bugs.webkit.org/show_bug.cgi?id=198755
573
574         Reviewed by Saam Barati.
575
576         * stress/proxy-revoke.js: Adjust error message.
577         * test262/expectations.yaml: Mark 2 test cases as passing.
578
579 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
580
581         [JSC] OSR entry to Wasm OMG
582         https://bugs.webkit.org/show_bug.cgi?id=200362
583
584         Reviewed by Michael Saboff.
585
586         * wasm/stress/osr-entry-basic.js: Added.
587         (instance.exports.loop):
588         * wasm/stress/osr-entry-many-locals-f32.js: Added.
589         * wasm/stress/osr-entry-many-locals-f64.js: Added.
590         * wasm/stress/osr-entry-many-locals-i32.js: Added.
591         * wasm/stress/osr-entry-many-locals-i64.js: Added.
592         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
593         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
594         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
595         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
596
597 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
598
599         Date.prototype.toJSON throws if toISOString returns an object
600         https://bugs.webkit.org/show_bug.cgi?id=198495
601
602         Reviewed by Ross Kirsling.
603
604         * test262/expectations.yaml: Mark 6 test cases as passing.
605
606 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
607
608         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
609         https://bugs.webkit.org/show_bug.cgi?id=200899
610         <rdar://problem/54073341>
611
612         Reviewed by Mark Lam.
613
614         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
615         (i.new.Promise):
616         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
617         (i.new.Promise):
618
619 2019-08-19  Michael Saboff  <msaboff@apple.com>
620
621         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
622         https://bugs.webkit.org/show_bug.cgi?id=197090
623
624         Reviewed by Yusuke Suzuki.
625
626         New test.
627
628         * stress/regexp-nonconsuming-counted-parens.js: Added.
629
630 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
631
632         [JSC] Correct a->an in error messages and API docblocks
633         https://bugs.webkit.org/show_bug.cgi?id=200833
634
635         Reviewed by Don Olmstead.
636
637         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
638         (assert.assert.return.throws):
639         * stress/promise-finally-should-accept-non-promise-objects.js:
640         * wasm/js-api/table.js:
641         (assert.throws):
642
643 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
644
645         [ESNext] Implement optional chaining
646         https://bugs.webkit.org/show_bug.cgi?id=200199
647
648         Reviewed by Yusuke Suzuki.
649
650         * stress/nullish-coalescing.js:
651         * stress/optional-chaining.js: Added.
652         * stress/tail-call-recognize.js:
653
654 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
655
656         [ESNext] Support hashbang.
657         https://bugs.webkit.org/show_bug.cgi?id=200865
658
659         Reviewed by Mark Lam.
660
661         * stress/hashbang.js: Added.
662         * test262/expectations.yaml: Mark 6 cases as passing.
663
664 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
665
666         [JSC] DFG ToNumber should support Boolean in fixup
667         https://bugs.webkit.org/show_bug.cgi?id=200864
668
669         Reviewed by Mark Lam.
670
671         * microbenchmarks/to-number-boolean.js: Added.
672         (test):
673         * stress/to-number-boolean-int32.js: Added.
674         (shouldBe):
675         (test):
676         (check):
677         * stress/to-number-boolean.js: Added.
678         (shouldBe):
679         (test):
680         (check):
681         * stress/to-number-int32.js: Added.
682         (shouldBe):
683         (test):
684         (check):
685
686 2019-08-16  Mark Lam  <mark.lam@apple.com>
687
688         More missing exception checks in string comparison operators.
689         https://bugs.webkit.org/show_bug.cgi?id=200844
690         <rdar://problem/54378684>
691
692         Reviewed by Saam Barati.
693
694         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
695         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
696         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
697         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
698
699 2019-08-16  Mark Lam  <mark.lam@apple.com>
700
701         CodeBlock destructor should clear all of its watchpoints.
702         https://bugs.webkit.org/show_bug.cgi?id=200792
703         <rdar://problem/53947800>
704
705         Reviewed by Yusuke Suzuki.
706
707         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
708
709 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
710
711         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
712         https://bugs.webkit.org/show_bug.cgi?id=200782
713
714         Reviewed by Saam Barati.
715
716         * microbenchmarks/int8-out-of-bounds.js: Added.
717         (foo):
718         * microbenchmarks/memcpy-typed-loop.js: Added.
719         (doTest):
720         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
721         (arr2):
722         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
723         (foo):
724
725 2019-08-16  Mark Lam  <mark.lam@apple.com>
726
727         [Re-land] ProxyObject should not be allow to access its target's private properties.
728         https://bugs.webkit.org/show_bug.cgi?id=200739
729         <rdar://problem/53972768>
730
731         Reviewed by Yusuke Suzuki.
732
733         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
734         * stress/proxy-with-private-symbols.js:
735
736 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
737
738         [JSC] Promise.prototype.finally should accept non-promise objects
739         https://bugs.webkit.org/show_bug.cgi?id=200829
740
741         Reviewed by Mark Lam.
742
743         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
744         (shouldBe):
745         (Thenable):
746         (Thenable.prototype.then):
747
748 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
749
750         Promise constructor should check argument before [[Construct]]
751         https://bugs.webkit.org/show_bug.cgi?id=198976
752
753         Reviewed by Ross Kirsling.
754
755         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
756         * stress/create-subclass-structure-might-throw.js: Fix test.
757         * test262/expectations.yaml: Mark 2 test cases as passing.
758
759 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
760
761         Unreviewed, rolling out r248709.
762
763         Caused test/built-ins/Promise/prototype/finally/this-value-
764         non-promise.js to fail on test262 bot
765
766         Reverted changeset:
767
768         "ProxyObject should not be allow to access its target's
769         private properties."
770         https://bugs.webkit.org/show_bug.cgi?id=200739
771         https://trac.webkit.org/changeset/248709
772
773 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
774
775         DateConversion::formatDateTime incorrectly formats negative years
776         https://bugs.webkit.org/show_bug.cgi?id=199964
777
778         Reviewed by Ross Kirsling.
779
780         * test262/expectations.yaml: Mark 6 test cases as passing.
781
782 2019-08-15  Mark Lam  <mark.lam@apple.com>
783
784         More missing exception checks in String.prototype.
785         https://bugs.webkit.org/show_bug.cgi?id=200762
786         <rdar://problem/54333896>
787
788         Reviewed by Michael Saboff.
789
790         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
791         * stress/missing-exception-check-in-string-toLower.js: Added.
792         * stress/missing-exception-check-in-string-toUpper.js: Added.
793
794 2019-08-14  Mark Lam  <mark.lam@apple.com>
795
796         ProxyObject should not be allow to access its target's private properties.
797         https://bugs.webkit.org/show_bug.cgi?id=200739
798         <rdar://problem/53972768>
799
800         Reviewed by Yusuke Suzuki.
801
802         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
803         * stress/proxy-with-private-symbols.js: Rebased.
804
805 2019-08-14  Mark Lam  <mark.lam@apple.com>
806
807         Missing exception check in string compare.
808         https://bugs.webkit.org/show_bug.cgi?id=200743
809         <rdar://problem/53975356>
810
811         Reviewed by Michael Saboff.
812
813         * stress/missing-exception-check-in-string-compare.js: Added.
814
815 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
816
817         [JSC] Add "jump if (not) undefined or null" bytecode ops
818         https://bugs.webkit.org/show_bug.cgi?id=200480
819
820         Reviewed by Saam Barati.
821
822         * stress/destructuring-assignment-require-object-coercible.js:
823         * stress/nullish-coalescing.js:
824
825 2019-08-05  Michael Saboff  <msaboff@apple.com>
826
827         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
828         https://bugs.webkit.org/show_bug.cgi?id=199997
829
830         Reviewed by Saam Barati.
831
832         New test.
833
834         * stress/typedarray-no-alreadyChecked-assert.js: Added.
835         (checkIntArray):
836         (checkFloatArray):
837
838 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
839
840         [JSC] Support WebAssembly in SamplingProfiler
841         https://bugs.webkit.org/show_bug.cgi?id=200329
842
843         Reviewed by Saam Barati.
844
845         * stress/sampling-profiler-wasm-name-section.js: Added.
846         (const.compile):
847         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
848         (platformSupportsSamplingProfiler.vm.isWasmSupported):
849         * stress/sampling-profiler-wasm.js: Added.
850         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
851         (platformSupportsSamplingProfiler.vm.isWasmSupported):
852         * stress/sampling-profiler/loop.wasm: Added.
853         * stress/sampling-profiler/loop.wast: Added.
854         * stress/sampling-profiler/nameSection.wasm: Added.
855
856 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
857
858         [JSC] LazyJSValue should be robust for empty JSValue
859         https://bugs.webkit.org/show_bug.cgi?id=200388
860
861         Reviewed by Saam Barati.
862
863         * stress/switch-constant-child-becomes-empty.js: Added.
864         (foo):
865
866 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
867
868         GetterSetter type confusion during DFG compilation
869         https://bugs.webkit.org/show_bug.cgi?id=199903
870
871         Reviewed by Mark Lam.
872
873         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
874
875 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
876
877         Update Test262 (2019.08.01)
878         https://bugs.webkit.org/show_bug.cgi?id=200351
879
880         Reviewed by Keith Miller.
881
882         * test262/expectations.yaml:
883         * test262/harness/testIntl.js:
884         * test262/latest-changes-summary.txt:
885         * test262/test/:
886         * test262/test262-Revision.txt:
887
888 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
889
890         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
891         https://bugs.webkit.org/show_bug.cgi?id=200192
892
893         Reviewed by Saam Barati.
894
895         * stress/structure-chain-stress.js: Added.
896         (keys):
897
898 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
899
900         [JSC] Increment bytecode age only when SlotVisitor is first-visit
901         https://bugs.webkit.org/show_bug.cgi?id=200196
902
903         Reviewed by Robin Morisset.
904
905         * stress/reparsing-unlinked-codeblock.js:
906
907 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
908
909         [X86] Emit BT instruction for shift + mask in B3
910         https://bugs.webkit.org/show_bug.cgi?id=199891
911
912         Reviewed by Robin Morisset.
913
914         Lower the number of iterations to fix debug timeouts.
915
916         * microbenchmarks/bit-test-load.js:
917         (i):
918
919 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
920
921         [X86] Emit BT instruction for shift + mask in B3
922         https://bugs.webkit.org/show_bug.cgi?id=199891
923
924         Reviewed by Keith Miller.
925
926         * microbenchmarks/bit-test-constant.js: Added.
927         (let.glob.0.doTest):
928         * microbenchmarks/bit-test-load.js: Added.
929         (let.glob.0.let.arr.new.Int32Array.8.doTest):
930         (i):
931         * microbenchmarks/bit-test-nonconstant.js: Added.
932         (let.glob.0.doTest):
933
934 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
935
936         [JSC] Potential GC fix for JSPropertyNameEnumerator
937         https://bugs.webkit.org/show_bug.cgi?id=200151
938
939         Reviewed by Mark Lam.
940
941         * stress/for-in-stress.js: Added.
942         (keys):
943
944 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
945
946         Legacy numeric literals should not permit separators or BigInt
947         https://bugs.webkit.org/show_bug.cgi?id=199984
948
949         Reviewed by Keith Miller.
950
951         * stress/big-int-literals.js:
952         * stress/numeric-literal-separators.js:
953
954 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
955
956         [ESNext] Implement nullish coalescing
957         https://bugs.webkit.org/show_bug.cgi?id=200072
958
959         Reviewed by Darin Adler.
960
961         * stress/nullish-coalescing.js: Added.
962
963 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
964
965         Three checks are missing in Proxy internal methods
966         https://bugs.webkit.org/show_bug.cgi?id=198630
967
968         Reviewed by Darin Adler.
969
970         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
971         * test262/expectations.yaml: Mark 6 test cases as passing.
972
973 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
974
975         Sometimes we miss removable CheckInBounds
976         https://bugs.webkit.org/show_bug.cgi?id=200018
977
978         Reviewed by Saam Barati.
979
980         * microbenchmarks/typed-array-sum.js: Added.
981         (doTest):
982
983 2019-07-16  Mark Lam  <mark.lam@apple.com>
984
985         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
986         https://bugs.webkit.org/show_bug.cgi?id=199821
987         <rdar://problem/52452328>
988
989         Reviewed by Filip Pizlo.
990
991         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
992
993 2019-07-16  Keith Miller  <keith_miller@apple.com>
994
995         Unreviewed, test262 gardening.
996
997         * test262/expectations.yaml:
998
999 2019-07-15  Keith Miller  <keith_miller@apple.com>
1000
1001         A Possible Issue of Object.create method
1002         https://bugs.webkit.org/show_bug.cgi?id=199744
1003
1004         Reviewed by Yusuke Suzuki.
1005
1006         * stress/object-create-non-object-properties-parameter.js: Added.
1007         (catch):
1008
1009 2019-07-15  Keith Miller  <keith_miller@apple.com>
1010
1011         Update test262
1012         https://bugs.webkit.org/show_bug.cgi?id=199801
1013
1014         Rubber-stamped by Yusuke Suzuki.
1015
1016         * test262/expectations.yaml:
1017         * test262/latest-changes-summary.txt:
1018         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1019         (fg.new.FinalizationGroup):
1020         (callback):
1021         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1022         (fg.new.FinalizationGroup):
1023         (callback):
1024         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1025         (fg.new.FinalizationGroup):
1026         (callback):
1027         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1028         (fg.new.FinalizationGroup):
1029         (callback):
1030         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1031         (fg.new.FinalizationGroup):
1032         (callback):
1033         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1034         (fg.new.FinalizationGroup):
1035         (callback):
1036         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1037         (fg.new.FinalizationGroup):
1038         (callback):
1039         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1040         (callback):
1041         (fg.new.FinalizationGroup):
1042         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1043         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1044         (cb):
1045         (fg.new.FinalizationGroup):
1046         (emptyCells):
1047         (async.fn):
1048         (fn.then.async):
1049         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1050         (fg.new.FinalizationGroup):
1051         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1052         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1053         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1054         (newTarget):
1055         (fn):
1056         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1057         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1058         (fn):
1059         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1060         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1061         (newTarget):
1062         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1063         (newTarget):
1064         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1065         (fg.new.FinalizationGroup):
1066         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1067         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1068         (callback):
1069         (fg.new.FinalizationGroup):
1070         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1071         (fg.new.FinalizationGroup):
1072         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1073         (cb):
1074         (fg.new.FinalizationGroup):
1075         (emptyCells):
1076         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1077         (fg.new.FinalizationGroup):
1078         (fg.cleanupSome.cb):
1079         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1080         (callback):
1081         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1082         (fn):
1083         (cb):
1084         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1085         (cb):
1086         (fg.new.FinalizationGroup):
1087         (emptyCells):
1088         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1089         (fg.new.FinalizationGroup):
1090         (callback):
1091         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1092         (fg.new.FinalizationGroup):
1093         (callback):
1094         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1095         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1096         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1097         (poisoned):
1098         (fg.new.FinalizationGroup):
1099         (emptyCells):
1100         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1101         (poisoned):
1102         (emptyCells):
1103         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1104         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1105         (fn):
1106         (cb):
1107         (emptyCells):
1108         (prototype.assert.sameValue.fg.cleanupSome):
1109         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1110         (fn):
1111         (cb):
1112         (poisoned):
1113         (assert.sameValue.fg.cleanupSome):
1114         (prototype.assert.sameValue.fg.cleanupSome):
1115         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1116         (cb):
1117         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1118         (cb):
1119         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1120         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1121         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1122         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1123         (fn):
1124         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1125         (fn):
1126         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1127         (fg.new.FinalizationGroup):
1128         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1129         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1130         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1131         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1132         (fn):
1133         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1134         (fn):
1135         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1136         (fg.new.FinalizationGroup):
1137         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1138         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1139         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1140         (fg.new.FinalizationGroup):
1141         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1142         (fg.new.FinalizationGroup):
1143         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1144         (fg.new.FinalizationGroup):
1145         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1146         (fg.new.FinalizationGroup):
1147         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1148         (fn):
1149         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1150         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1151         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1152         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1153         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1154         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1155         (fn):
1156         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1157         (fg.new.FinalizationGroup):
1158         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1159         (cleanupCallback):
1160         (let.key.of.Object.getOwnPropertyNames):
1161         (set for):
1162         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1163         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1164         (FinalizationGroup):
1165         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1166         (cleanupCallback):
1167         (let.key.of.Object.getOwnPropertyNames):
1168         (set for):
1169         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1170         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1171         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1172         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1173         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1174         (asyncProxy.new.Proxy.async):
1175         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1176         (asyncProxy.new.Proxy.async):
1177         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1178         (setIter.set Symbol):
1179         (set defaultTag):
1180         (gen):
1181         (get return):
1182         (set new):
1183         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1184         (generatorProxy.new.Proxy):
1185         (asyncProxy.new.Proxy.async):
1186         * test262/test/built-ins/Object/subclass-object-arg.js:
1187         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1188         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1189         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1190         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1191         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1192         * test262/test/built-ins/Promise/executor-function-name.js:
1193         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1194         * test262/test/built-ins/Promise/reject-function-name.js:
1195         * test262/test/built-ins/Promise/resolve-function-name.js:
1196         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1197         * test262/test/built-ins/WeakRef/constructor.js: Added.
1198         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1199         * test262/test/built-ins/WeakRef/length.js: Added.
1200         * test262/test/built-ins/WeakRef/name.js: Added.
1201         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1202         (newTarget):
1203         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1204         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1205         * test262/test/built-ins/WeakRef/proto.js: Added.
1206         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1207         (newTarget):
1208         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1209         (newTarget):
1210         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1211         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1212         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1213         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1214         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1215         (emptyCells):
1216         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1217         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1218         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1219         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1220         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1221         (fg.new.FinalizationGroup):
1222         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1223         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1224         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1225         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1226         (let.key.of.Object.getOwnPropertyNames):
1227         (set for):
1228         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1229         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1230         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1231         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1232         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1233         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1234         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1235         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1236         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1237         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1238         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1239         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1240         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1241         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1242         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1243         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1244         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1245         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1246         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1247         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1248         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1249         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1250         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1251         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1252         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1253         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1254         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1255         (assertParts):
1256         (assertPartsNumeric):
1257         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1258         (assertParts):
1259         (assertPartsNumeric):
1260         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1261         (assertParts):
1262         (assertPartsNumeric):
1263         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1264         (assertParts):
1265         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1266         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1267         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1268         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1269         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1270         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1271         (C.prototype.method):
1272         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1273         (C.prototype.method.innerFunction):
1274         (C.prototype.method):
1275         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1276         (C):
1277         (C.method):
1278         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1279         (C):
1280         (C.method.innerFunction):
1281         (C.method):
1282         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1283         (C):
1284         (C.checkPrivateGetter):
1285         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1286         (C):
1287         (C.method):
1288         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1289         (C):
1290         (C.method.innerFunction):
1291         (C.method):
1292         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1293         (C):
1294         (C.checkPrivateMethod):
1295         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1296         (C):
1297         (C.method):
1298         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1299         (C):
1300         (C.method.innerFunction):
1301         (C.method):
1302         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1303         (C):
1304         (C.checkPrivateSetter):
1305         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1306         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1307         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1308         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1309         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1310         (let.classStringExpression):
1311         (let.classStringExpression.access):
1312         (let.createAndInstantiateClass):
1313         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1314         (let.classStringExpression):
1315         (let.classStringExpression.access):
1316         (let.createAndInstantiateClass):
1317         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1318         (const.C):
1319         (let.createAndInstantiateClass):
1320         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1321         (let.classStringExpression.return.prototype.m):
1322         (let.classStringExpression.return.prototype.access):
1323         (let.createAndInstantiateClass):
1324         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1325         (let.classStringExpression.return.prototype.m):
1326         (let.classStringExpression.return.prototype.access):
1327         (let.createAndInstantiateClass):
1328         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1329         (let.classStringExpression):
1330         (let.classStringExpression.access):
1331         (let.createAndInstantiateClass):
1332         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1333         (let.classStringExpression.prototype.m):
1334         (let.classStringExpression.prototype.access):
1335         (let.classStringExpression):
1336         (let.createAndInstantiateClass):
1337         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1338         (let.classStringExpression.prototype.m):
1339         (let.classStringExpression.prototype.access):
1340         (let.classStringExpression):
1341         (let.createAndInstantiateClass):
1342         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1343         (const.C):
1344         (let.createAndInstantiateClass):
1345         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1346         (let.classStringExpression.return.C.prototype.m):
1347         (let.classStringExpression.return.C.prototype.access):
1348         (let.classStringExpression.return.C):
1349         (let.createAndInstantiateClass):
1350         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1351         (let.classStringExpression.return.C.prototype.m):
1352         (let.classStringExpression.return.C.prototype.access):
1353         (let.classStringExpression.return.C):
1354         (let.createAndInstantiateClass):
1355         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1356         (let.classStringExpression):
1357         (let.classStringExpression.access):
1358         (let.createAndInstantiateClass):
1359         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1360         (let.classStringExpression):
1361         (let.classStringExpression.access):
1362         (let.createAndInstantiateClass):
1363         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1364         (let.classStringExpression):
1365         (let.classStringExpression.access):
1366         (let.createAndInstantiateClass):
1367         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1368         (const.C):
1369         (let.createAndInstantiateClass):
1370         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1371         (let.classStringExpression.return.prototype.m):
1372         (let.classStringExpression.return.prototype.access):
1373         (let.createAndInstantiateClass):
1374         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1375         (let.classStringExpression.return.prototype.m):
1376         (let.classStringExpression.return.prototype.access):
1377         (let.createAndInstantiateClass):
1378         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1379         (let.classStringExpression):
1380         (let.classStringExpression.access):
1381         (let.createAndInstantiateClass):
1382         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1383         (new):
1384         (async):
1385         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1386         (A):
1387         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1388         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1389         * test262/test/language/identifiers/vals-cjk.js: Added.
1390         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1391         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1392         (C.prototype.method):
1393         (C):
1394         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1395         (C.prototype.method.innerFunction):
1396         (C.prototype.method):
1397         (C):
1398         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1399         (C.prototype.checkPrivateField):
1400         (C):
1401         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1402         (C):
1403         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1404         (C.prototype.getWithEval):
1405         (C):
1406         (D):
1407         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1408         (C.prototype.get m):
1409         (C.prototype.method):
1410         (C):
1411         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1412         (C.prototype.get m):
1413         (C.prototype.method.innerFunction):
1414         (C.prototype.method):
1415         (C):
1416         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1417         (let.createAndInstantiateClass):
1418         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1419         (C.prototype.get m):
1420         (C.prototype.checkPrivateGetter):
1421         (C):
1422         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1423         (C.prototype.get m):
1424         (C.prototype.checkPrivateGetter):
1425         (C):
1426         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1427         (C.prototype.get m):
1428         (C):
1429         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1430         (C.prototype.get m):
1431         (C.prototype.getWithEval):
1432         (C):
1433         (D.prototype.get m):
1434         (D):
1435         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1436         (C.prototype.m):
1437         (C.prototype.method):
1438         (C):
1439         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1440         (C.prototype.m):
1441         (C.prototype.method.innerFunction):
1442         (C.prototype.method):
1443         (C):
1444         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1445         (C.prototype.m):
1446         (C.prototype.checkPrivateMethod):
1447         (C):
1448         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1449         (C.prototype.m):
1450         (C.prototype.checkPrivateMethod):
1451         (C):
1452         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1453         (C.prototype.m):
1454         (C):
1455         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1456         (C.prototype.m):
1457         (C.prototype.getWithEval):
1458         (C):
1459         (D.prototype.m):
1460         (D):
1461         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1462         (C.prototype.set m):
1463         (C.prototype.method):
1464         (C):
1465         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1466         (C.prototype.set m):
1467         (C.prototype.method.innerFunction):
1468         (C.prototype.method):
1469         (C):
1470         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1471         (C.prototype.set m):
1472         (C.prototype.checkPrivateSetter):
1473         (C):
1474         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1475         (C.prototype.set m):
1476         (C.prototype.checkPrivateSetter):
1477         (C):
1478         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1479         (C.prototype.set m):
1480         (C):
1481         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1482         (C.prototype.set m):
1483         (C.prototype.setWithEval):
1484         (C):
1485         (D.prototype.set m):
1486         (D):
1487         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1488         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1489         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1490         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1491         (A.prototype.method):
1492         (A):
1493         (C.prototype.get m):
1494         (C.prototype.access):
1495         (C):
1496         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1497         (A.prototype.method):
1498         (A):
1499         (C.prototype.m):
1500         (C.prototype.access):
1501         (C):
1502         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1503         (A.prototype.method):
1504         (A):
1505         (C.prototype.set m):
1506         (C.prototype.access):
1507         (C):
1508         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1509         (A):
1510         * test262/test/language/statements/function/13.2-30-s.js:
1511         * test262/test262-Revision.txt:
1512
1513 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1514
1515         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1516         https://bugs.webkit.org/show_bug.cgi?id=199783
1517
1518         Reviewed by Mark Lam.
1519
1520         Fix our spec tests.
1521
1522         * wasm/js-api/Module-compile.js:
1523         * wasm/js-api/test_basic_api.js:
1524         (const.c.in.constructorProperties.switch):
1525         * wasm/js-api/validate.js:
1526         * wasm/js-api/web-assembly-instantiate.js:
1527         * wasm/spec-tests/jsapi.js:
1528         (testJSAPI.get test):
1529         (testJSAPI.set test):
1530
1531 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1532
1533         Unreviewed, rolling out r247440.
1534
1535         Broke builds
1536
1537         Reverted changeset:
1538
1539         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1540         issues"
1541         https://bugs.webkit.org/show_bug.cgi?id=199783
1542         https://trac.webkit.org/changeset/247440
1543
1544 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1545
1546         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1547         https://bugs.webkit.org/show_bug.cgi?id=199783
1548
1549         Reviewed by Mark Lam.
1550
1551         Fix our spec tests.
1552
1553         * wasm/js-api/Module-compile.js:
1554         * wasm/js-api/test_basic_api.js:
1555         (const.c.in.constructorProperties.switch):
1556         * wasm/js-api/validate.js:
1557         * wasm/js-api/web-assembly-instantiate.js:
1558         * wasm/spec-tests/jsapi.js:
1559         (testJSAPI.get test):
1560         (testJSAPI.set test):
1561
1562 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1563
1564         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1565         https://bugs.webkit.org/show_bug.cgi?id=196371
1566
1567         Reviewed by Keith Miller.
1568
1569         * microbenchmarks/mul-immediate-sub.js: Added.
1570         (doTest):
1571
1572 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1573
1574         [BigInt] Add ValueBitLShift into DFG
1575         https://bugs.webkit.org/show_bug.cgi?id=192664
1576
1577         Reviewed by Saam Barati.
1578
1579         We are adding tests to cover ValueBitwise operations AI changes.
1580
1581         * stress/big-int-left-shift-untyped.js: Added.
1582         * stress/bit-op-with-object-returning-int32.js:
1583         * stress/value-bit-and-ai-rule.js: Added.
1584         * stress/value-bit-lshift-ai-rule.js: Added.
1585         * stress/value-bit-or-ai-rule.js: Added.
1586         * stress/value-bit-xor-ai-rule.js: Added.
1587
1588 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1589
1590         Add b3 macro lowering for CheckMul on arm64
1591         https://bugs.webkit.org/show_bug.cgi?id=199251
1592
1593         Reviewed by Robin Morisset.
1594
1595         * microbenchmarks/check-mul-constant.js: Added.
1596         (doTest):
1597         * microbenchmarks/check-mul-no-constant.js: Added.
1598         (doTest):
1599         * microbenchmarks/check-mul-power-of-two.js: Added.
1600         (doTest):
1601
1602 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1603
1604         Optimize join of large empty arrays
1605         https://bugs.webkit.org/show_bug.cgi?id=199636
1606
1607         Reviewed by Mark Lam.
1608
1609         * microbenchmarks/large-empty-array-join.js: Added.
1610         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1611
1612 2019-07-06  Michael Saboff  <msaboff@apple.com>
1613
1614         switch(String) needs to check for exceptions when resolving the string
1615         https://bugs.webkit.org/show_bug.cgi?id=199541
1616
1617         Reviewed by Mark Lam.
1618
1619         New tests.
1620
1621         * stress/switch-string-oom.js: Added.
1622         (test):
1623         (testLowerTiers):
1624         (testFTL):
1625
1626 2019-07-05  Mark Lam  <mark.lam@apple.com>
1627
1628         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
1629         https://bugs.webkit.org/show_bug.cgi?id=199533
1630         <rdar://problem/52669111>
1631
1632         Reviewed by Filip Pizlo.
1633
1634         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1635
1636 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1637
1638         [JSC] Clean up ArraySpeciesCreate
1639         https://bugs.webkit.org/show_bug.cgi?id=182434
1640
1641         Reviewed by Yusuke Suzuki.
1642
1643         Adjusts error message expectations in stress tests.
1644
1645         * stress/array-flatmap.js:
1646         * stress/array-flatten.js:
1647         * stress/array-species-create-should-handle-masquerader.js:
1648         * test262/expectations.yaml: Mark 4 test cases as passing.
1649
1650 2019-07-02  Michael Saboff  <msaboff@apple.com>
1651
1652         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1653         https://bugs.webkit.org/show_bug.cgi?id=199395
1654
1655         Reviewed by Filip Pizlo.
1656
1657         New regession test.
1658
1659         * stress/for-of-tdz-with-try-catch.js: Added.
1660         (test):
1661         (i.catch):
1662
1663 2019-07-02  Keith Miller  <keith_miller@apple.com>
1664
1665         Frozen Arrays length assignment should throw in strict mode
1666         https://bugs.webkit.org/show_bug.cgi?id=199365
1667
1668         Reviewed by Yusuke Suzuki.
1669
1670         * stress/frozen-array-length-should-throw-strict.js: Added.
1671         (test):
1672
1673 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1674
1675         [Wasm-References] Disable references by default
1676         https://bugs.webkit.org/show_bug.cgi?id=199390
1677
1678         Reviewed by Saam Barati.
1679
1680         * wasm/references-spec-tests/ref_is_null.js:
1681         * wasm/references-spec-tests/ref_null.js:
1682         * wasm/references/anyref_globals.js:
1683         * wasm/references/anyref_modules.js:
1684         * wasm/references/anyref_table.js:
1685         * wasm/references/anyref_table_import.js:
1686         * wasm/references/element_parsing.js:
1687         * wasm/references/func_ref.js:
1688         * wasm/references/is_null.js:
1689         * wasm/references/multitable.js:
1690         * wasm/references/table_misc.js:
1691         * wasm/references/validation.js:
1692
1693 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1694
1695         Unreviewed, rolling out r246946.
1696
1697         Caused JSC test crashes on arm64
1698
1699         Reverted changeset:
1700
1701         "Add b3 macro lowering for CheckMul on arm64"
1702         https://bugs.webkit.org/show_bug.cgi?id=199251
1703         https://trac.webkit.org/changeset/246946
1704
1705 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1706
1707         Add b3 macro lowering for CheckMul on arm64
1708         https://bugs.webkit.org/show_bug.cgi?id=199251
1709
1710         Reviewed by Robin Morisset.
1711
1712         * microbenchmarks/check-mul-constant.js: Added.
1713         (doTest):
1714         * microbenchmarks/check-mul-no-constant.js: Added.
1715         (doTest):
1716         * microbenchmarks/check-mul-power-of-two.js: Added.
1717         (doTest):
1718
1719 2019-06-26  Keith Miller  <keith_miller@apple.com>
1720
1721         speciesConstruct needs to throw if the result is a DataView
1722         https://bugs.webkit.org/show_bug.cgi?id=199231
1723
1724         Reviewed by Mark Lam.
1725
1726         * stress/typedarray-filter.js:
1727         (subclasses.forEach):
1728         * stress/typedarray-map.js:
1729         (subclasses.forEach):
1730         * stress/typedarray-slice.js:
1731         (typedArrays.forEach):
1732         * stress/typedarray-subarray.js:
1733         (subclasses.forEach):
1734
1735 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1736
1737         Unreviewed, rolling out r246714.
1738         https://bugs.webkit.org/show_bug.cgi?id=199179
1739
1740         revert to do patch in a different way. (Requested by keith_mi_
1741         on #webkit).
1742
1743         Reverted changeset:
1744
1745         "All prototypes should call didBecomePrototype()"
1746         https://bugs.webkit.org/show_bug.cgi?id=196315
1747         https://trac.webkit.org/changeset/246714
1748
1749 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1750
1751         Add Array.prototype.{flat,flatMap} to unscopables
1752         https://bugs.webkit.org/show_bug.cgi?id=194322
1753
1754         Reviewed by Keith Miller.
1755
1756         * stress/unscopables.js: Fix test.
1757         * test262/expectations.yaml: Mark 2 test cases as passing.
1758
1759 2019-06-21  Mark Lam  <mark.lam@apple.com>
1760
1761         ArraySlice needs to keep the source array alive.
1762         https://bugs.webkit.org/show_bug.cgi?id=197374
1763         <rdar://problem/50304429>
1764
1765         Reviewed by Michael Saboff and Filip Pizlo.
1766
1767         * stress/array-slice-must-keep-source-array-alive.js: Added.
1768
1769 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1770
1771         All prototypes should call didBecomePrototype()
1772         https://bugs.webkit.org/show_bug.cgi?id=196315
1773
1774         Reviewed by Saam Barati.
1775
1776         * stress/function-prototype-indexed-accessor.js: Added.
1777
1778 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1779
1780         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1781         https://bugs.webkit.org/show_bug.cgi?id=197631
1782
1783         Reviewed by Saam Barati.
1784
1785         * stress/has-own-property-arguments.js: Added.
1786         (shouldBe):
1787         (A):
1788
1789 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1790
1791         [JSC] ClassExpr should not store result in the middle of evaluation
1792         https://bugs.webkit.org/show_bug.cgi?id=199106
1793
1794         Reviewed by Tadeu Zagallo.
1795
1796         * stress/class-expression-should-store-result-at-last.js: Added.
1797         (shouldThrow):
1798         (shouldThrow.let.a):
1799
1800 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1801
1802         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1803         https://bugs.webkit.org/show_bug.cgi?id=199044
1804
1805         Reviewed by Saam Barati.
1806
1807         Add wasm references spec tests as well as a worker test.
1808
1809         * wasm.yaml:
1810         * wasm/Builder_WebAssemblyBinary.js:
1811         (const.emitters.Element):
1812         * wasm/js-api/element.js:
1813         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1814         * wasm/references-spec-tests/ref_is_null.js: Added.
1815         (hostref):
1816         (is_hostref):
1817         (is_funcref):
1818         (eq_ref):
1819         (let.handler.get target):
1820         (register):
1821         (module):
1822         (instance):
1823         (call):
1824         (get instance):
1825         (exports):
1826         (run):
1827         (assert_malformed):
1828         (assert_invalid):
1829         (assert_unlinkable):
1830         (assert_uninstantiable):
1831         (assert_trap):
1832         (try.f):
1833         (catch):
1834         (assert_exhaustion):
1835         (assert_return):
1836         (assert_return_canonical_nan):
1837         (assert_return_arithmetic_nan):
1838         (assert_return_ref):
1839         (assert_return_func):
1840         * wasm/references-spec-tests/ref_null.js: Added.
1841         (hostref):
1842         (is_hostref):
1843         (is_funcref):
1844         (eq_ref):
1845         (let.handler.get target):
1846         (register):
1847         (module):
1848         (instance):
1849         (call):
1850         (get instance):
1851         (exports):
1852         (run):
1853         (assert_malformed):
1854         (assert_invalid):
1855         (assert_unlinkable):
1856         (assert_uninstantiable):
1857         (assert_trap):
1858         (try.f):
1859         (catch):
1860         (assert_exhaustion):
1861         (assert_return):
1862         (assert_return_canonical_nan):
1863         (assert_return_arithmetic_nan):
1864         (assert_return_ref):
1865         (assert_return_func):
1866         * wasm/references/element_parsing.js: Added.
1867         (module):
1868         * wasm/references/func_ref.js:
1869         * wasm/references/multitable.js:
1870         * wasm/references/table_misc.js:
1871         (TableSize.0.End.End.WebAssembly):
1872         * wasm/references/validation.js:
1873         (assert.throws):
1874
1875 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1876
1877         Optimize `resolve` method lookup in Promise static methods
1878         https://bugs.webkit.org/show_bug.cgi?id=198864
1879
1880         Reviewed by Yusuke Suzuki.
1881
1882         * test262/expectations.yaml: Mark 18 test cases as passing.
1883
1884 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1885
1886         [WASM-References] Rename anyfunc to funcref
1887         https://bugs.webkit.org/show_bug.cgi?id=198983
1888
1889         Reviewed by Yusuke Suzuki.
1890
1891         * wasm/function-tests/basic-element.js:
1892         * wasm/function-tests/context-switch.js:
1893         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1894         (makeInstance):
1895         (assert.eq.makeInstance):
1896         * wasm/function-tests/exceptions.js:
1897         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1898         * wasm/function-tests/grow-memory-2.js:
1899         (assert.eq.instance.exports.foo):
1900         * wasm/function-tests/nameSection.js:
1901         (const.compile):
1902         * wasm/function-tests/stack-overflow.js:
1903         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1904         (assertOverflows.makeInstance):
1905         * wasm/function-tests/table-basic-2.js:
1906         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1907         * wasm/function-tests/table-basic.js:
1908         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1909         * wasm/function-tests/trap-from-start-async.js:
1910         * wasm/function-tests/trap-from-start.js:
1911         * wasm/js-api/Module.exports.js:
1912         (assert.truthy):
1913         * wasm/js-api/Module.imports.js:
1914         (assert.truthy):
1915         * wasm/js-api/call-indirect.js:
1916         (const.oneTable):
1917         (const.multiTable):
1918         (multiTable.const.makeTable):
1919         (multiTable):
1920         (multiTable.Polyphic2Import):
1921         (multiTable.VirtualImport):
1922         * wasm/js-api/element-data.js:
1923         * wasm/js-api/element.js:
1924         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1925         (assert.throws):
1926         (badInstantiation.makeModule):
1927         (badInstantiation.test):
1928         (badInstantiation):
1929         * wasm/js-api/extension-MemoryMode.js:
1930         * wasm/js-api/table.js:
1931         (new.WebAssembly.Module):
1932         (assert.throws):
1933         (assertBadTableImport):
1934         (assert.throws.WebAssembly.Table.prototype.grow):
1935         (new.WebAssembly.Table):
1936         (assertBadTable):
1937         (assert.truthy):
1938         * wasm/js-api/test_basic_api.js:
1939         (const.c.in.constructorProperties.switch):
1940         * wasm/js-api/unique-signature.js:
1941         (CallIndirectWithDuplicateSignatures):
1942         * wasm/js-api/wrapper-function.js:
1943         * wasm/modules/table.wat:
1944         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1945         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1946         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1947         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1948         * wasm/references/anyref_table.js:
1949         * wasm/references/anyref_table_import.js:
1950         (doSet):
1951         (assert.throws):
1952         * wasm/references/func_ref.js:
1953         (makeFuncrefIdent):
1954         (assert.eq.instance.exports.fix):
1955         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
1956         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
1957         (let.importedFun.of):
1958         (makeAnyfuncIdent): Deleted.
1959         (makeAnyfuncIdent.fun): Deleted.
1960         * wasm/references/multitable.js:
1961         (assert.eq):
1962         (assert.throws):
1963         * wasm/references/table_misc.js:
1964         (GetLocal.0.TableFill.0.End.End.WebAssembly):
1965         * wasm/references/validation.js:
1966         (assert.throws.new.WebAssembly.Module.bin):
1967         (assert.throws):
1968         * wasm/spec-harness/index.js:
1969         * wasm/spec-harness/wasm-constants.js:
1970         * wasm/spec-harness/wasm-module-builder.js:
1971         (WasmModuleBuilder.prototype.toArray):
1972         * wasm/spec-harness/wast.js:
1973         (elem_type):
1974         (string_of_elem_type):
1975         (string_of_table_type):
1976         * wasm/spec-tests/jsapi.js:
1977         * wasm/stress/wasm-table-grow-initialize.js:
1978         * wasm/wasm.json:
1979
1980 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1981
1982         [WASM-References] Add support for Table.size, grow and fill instructions
1983         https://bugs.webkit.org/show_bug.cgi?id=198761
1984
1985         Reviewed by Yusuke Suzuki.
1986
1987         * wasm/Builder_WebAssemblyBinary.js:
1988         (const.putOp):
1989         * wasm/references/table_misc.js: Added.
1990         (TableSize.End.End.WebAssembly):
1991         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
1992         * wasm/wasm.json:
1993
1994 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1995
1996         [WASM-References] Add support for multiple tables
1997         https://bugs.webkit.org/show_bug.cgi?id=198760
1998
1999         Reviewed by Saam Barati.
2000
2001         * wasm/Builder.js:
2002         * wasm/js-api/call-indirect.js:
2003         (const.oneTable):
2004         (const.multiTable):
2005         (multiTable):
2006         (multiTable.Polyphic2Import):
2007         (multiTable.VirtualImport):
2008         (const.wasmModuleWhichImportJS): Deleted.
2009         (const.makeTable): Deleted.
2010         (): Deleted.
2011         (Polyphic2Import): Deleted.
2012         (VirtualImport): Deleted.
2013         * wasm/js-api/table.js:
2014         (new.WebAssembly.Module):
2015         (assert.throws):
2016         (assertBadTableImport):
2017         (assert.truthy):
2018         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2019         * wasm/references/anyref_table.js:
2020         * wasm/references/anyref_table_import.js:
2021         (makeImport):
2022         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2023         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2024         * wasm/references/multitable.js: Added.
2025         (assert.throws.1.exports.set_tbl0):
2026         (assert.throws):
2027         (assert.eq):
2028         * wasm/references/validation.js:
2029         (assert.throws.new.WebAssembly.Module.bin):
2030         (assert.throws):
2031         * wasm/spec-tests/imports.wast.js:
2032         * wasm/wasm.json:
2033
2034         * wasm/Builder.js:
2035         * wasm/js-api/call-indirect.js:
2036         (const.oneTable):
2037         (const.multiTable):
2038         (multiTable):
2039         (multiTable.Polyphic2Import):
2040         (multiTable.VirtualImport):
2041         (const.wasmModuleWhichImportJS): Deleted.
2042         (const.makeTable): Deleted.
2043         (): Deleted.
2044         (Polyphic2Import): Deleted.
2045         (VirtualImport): Deleted.
2046         * wasm/js-api/table.js:
2047         (new.WebAssembly.Module):
2048         (assert.throws):
2049         (assertBadTableImport):
2050         (assert.truthy):
2051         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2052         * wasm/references/anyref_table.js:
2053         * wasm/references/anyref_table_import.js:
2054         (makeImport):
2055         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2056         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2057         * wasm/references/func_ref.js:
2058         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2059         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2060         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2061         * wasm/references/multitable.js: Added.
2062         (assert.throws.1.exports.set_tbl0):
2063         (assert.throws):
2064         (assert.eq):
2065         (string_appeared_here.tableInsanity):
2066         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2067         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2068         * wasm/references/validation.js:
2069         (assert.throws.new.WebAssembly.Module.bin):
2070         (assert.throws):
2071         * wasm/spec-tests/imports.wast.js:
2072         * wasm/wasm.json:
2073
2074 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2075
2076         [ESNExt] String.prototype.matchAll
2077         https://bugs.webkit.org/show_bug.cgi?id=186694
2078
2079         Reviewed by Yusuke Suzuki.
2080
2081         Implement String.prototype.matchAll.
2082         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2083
2084         * test262/config.yaml:
2085
2086 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2087
2088         DFG code should not reify the names of builtin functions with private names
2089         https://bugs.webkit.org/show_bug.cgi?id=198849
2090         <rdar://problem/51733890>
2091
2092         Reviewed by Filip Pizlo.
2093
2094         * stress/builtin-private-function-name.js: Added.
2095         (then):
2096         (PromiseLike):
2097
2098 2019-06-18  Keith Miller  <keith_miller@apple.com>
2099
2100         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2101         https://bugs.webkit.org/show_bug.cgi?id=198969
2102         <rdar://problem/51620714>
2103
2104         Reviewed by Tadeu Zagallo.
2105
2106         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2107         (catch):
2108
2109 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2110
2111         Validate that table element type is funcref if using an element section
2112         https://bugs.webkit.org/show_bug.cgi?id=198910
2113
2114         Reviewed by Yusuke Suzuki.
2115
2116         * wasm/references/anyref_table.js:
2117
2118 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2119
2120         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2121         https://bugs.webkit.org/show_bug.cgi?id=197378
2122
2123         Reviewed by Saam Barati.
2124
2125         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2126         (foo):
2127         (bar):
2128         * stress/disposable-call-site-index.js: Added.
2129         (foo):
2130         (bar):
2131
2132 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2133
2134         [WASM-References] Add support for Funcref in parameters and return types
2135         https://bugs.webkit.org/show_bug.cgi?id=198157
2136
2137         Reviewed by Yusuke Suzuki.
2138
2139         * wasm/Builder.js:
2140         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2141         * wasm/references/anyref_globals.js:
2142         * wasm/references/func_ref.js: Added.
2143         (fullGC.gc.makeExportedFunction):
2144         (makeExportedIdent):
2145         (makeAnyfuncIdent):
2146         (fun):
2147         (assert.eq.instance.exports.fix.fun):
2148         (assert.eq.instance.exports.fix):
2149         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2150         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2151         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2152         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2153         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2154         (assert.throws):
2155         (assert.throws.doTest):
2156         (let.importedFun.of):
2157         (makeAnyfuncIdent.fun):
2158         * wasm/references/validation.js:
2159         (assert.throws):
2160         * wasm/wasm.json:
2161
2162 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2163
2164         Update test262 tests (2019.06.13)
2165         https://bugs.webkit.org/show_bug.cgi?id=198821
2166
2167         Reviewed by Konstantin Tokarev.
2168
2169         * test262/expectations.yaml:
2170         * test262/harness/:
2171         * test262/latest-changes-summary.txt:
2172         * test262/test/:
2173         * test262/test262-Revision.txt:
2174
2175 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2176
2177         [JSC] Grown region of WasmTable should be initialized with null
2178         https://bugs.webkit.org/show_bug.cgi?id=198903
2179
2180         Reviewed by Saam Barati.
2181
2182         * wasm/stress/wasm-table-grow-initialize.js: Added.
2183         (shouldBe):
2184
2185 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2186
2187         Yarr bytecode compilation failure should be gracefully handled
2188         https://bugs.webkit.org/show_bug.cgi?id=198700
2189
2190         Reviewed by Michael Saboff.
2191
2192         * stress/regexp-bytecode-compilation-fail.js: Added.
2193         (shouldThrow):
2194
2195 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2196
2197         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2198         https://bugs.webkit.org/show_bug.cgi?id=198770
2199
2200         Reviewed by Saam Barati.
2201
2202         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2203         (test):
2204
2205 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2206
2207         JSC should throw if proxy set returns falsish in strict mode context
2208         https://bugs.webkit.org/show_bug.cgi?id=177398
2209
2210         Reviewed by Yusuke Suzuki.
2211
2212         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2213         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2214
2215         * stress/proxy-set.js: Add 2 test cases.
2216         * stress/regexp-match-proxy.js: Fix test.
2217         * stress/regexp-replace-proxy.js: Fix test.
2218
2219 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2220
2221         Error message for non-callable Proxy `construct` trap is misleading
2222         https://bugs.webkit.org/show_bug.cgi?id=198637
2223
2224         Reviewed by Saam Barati.
2225
2226         * stress/proxy-construct.js:
2227
2228 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2229
2230         AI BitURShift's result should not be unsigned
2231         https://bugs.webkit.org/show_bug.cgi?id=198689
2232         <rdar://problem/51550063>
2233
2234         Reviewed by Saam Barati.
2235
2236         * stress/urshift-int32-overflow.js: Added.
2237         (foo.):
2238         (foo):
2239
2240 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2241
2242         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2243
2244         Unreviewed gardening.
2245
2246         * stress/ftl-gettypedarrayoffset-wasteful.js:
2247         Skipped on arm/linux as it always times out on the bot since a change
2248         between r246270 and r246278 inclusive.
2249
2250 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2251
2252         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2253         https://bugs.webkit.org/show_bug.cgi?id=198023
2254
2255         Reviewed by Saam Barati.
2256
2257         * stress/reparsing-unlinked-codeblock.js: Added.
2258         (shouldBe):
2259         (hello):
2260
2261 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2262
2263         [JSC] Use mergePrediction in ValuePow prediction propagation
2264         https://bugs.webkit.org/show_bug.cgi?id=198648
2265
2266         Reviewed by Saam Barati.
2267
2268         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2269
2270 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2271
2272         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2273         https://bugs.webkit.org/show_bug.cgi?id=198581
2274         <rdar://problem/51099753>
2275
2276         Reviewed by Saam Barati.
2277
2278         * stress/global-object-proto-getter.js: Added.
2279         (f):
2280         (test):
2281
2282 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2283
2284         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2285         https://bugs.webkit.org/show_bug.cgi?id=198398
2286
2287         Reviewed by Saam Barati.
2288
2289         * wasm/references/anyref_table.js: Added.
2290         (string_appeared_here.doGCSet):
2291         (doGCTest):
2292         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2293         * wasm/references/anyref_table_import.js: Added.
2294         (makeImport):
2295         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2296         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2297         * wasm/references/is_null_error.js: Removed.
2298         * wasm/references/validation.js: Added.
2299         (assert.throws.new.WebAssembly.Module.bin):
2300         (assert.throws):
2301         * wasm/wasm.json:
2302
2303 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2304
2305         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2306         https://bugs.webkit.org/show_bug.cgi?id=198106
2307
2308         Reviewed by Saam Barati.
2309
2310         * wasm/regress/selectf64.js: Added.
2311         * wasm/regress/selectf64.wasm: Added.
2312         * wasm/regress/selectf64.wat: Added.
2313
2314 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2315
2316         Argument elimination should check transitive dependents for interference
2317         https://bugs.webkit.org/show_bug.cgi?id=198520
2318         <rdar://problem/50863343>
2319
2320         Reviewed by Filip Pizlo.
2321
2322         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2323         (f2):
2324         (f3):
2325
2326 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2327
2328         Argument elimination should check for negative indices in GetByVal
2329         https://bugs.webkit.org/show_bug.cgi?id=198302
2330         <rdar://problem/51188095>
2331
2332         Reviewed by Filip Pizlo.
2333
2334         * stress/eliminate-arguments-negative-rest-access.js: Added.
2335         (inlinee):
2336         (opt):
2337
2338 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2339
2340         [ESNext][BigInt] Implement support for "**"
2341         https://bugs.webkit.org/show_bug.cgi?id=190799
2342
2343         Reviewed by Saam Barati.
2344
2345         * stress/big-int-exp-basic.js: Added.
2346         * stress/big-int-exp-jit-osr.js: Added.
2347         * stress/big-int-exp-jit-untyped.js: Added.
2348         * stress/big-int-exp-jit.js: Added.
2349         * stress/big-int-exp-negative-exponent.js: Added.
2350         * stress/big-int-exp-to-primitive.js: Added.
2351         * stress/big-int-exp-type-error.js: Added.
2352         * stress/big-int-exp-wrapped-value.js: Added.
2353         * stress/value-pow-ai-rule.js: Added.
2354
2355 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2356
2357         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2358         https://bugs.webkit.org/show_bug.cgi?id=197979
2359
2360         Reviewed by Filip Pizlo.
2361
2362         * stress/16bit-code.js: Added.
2363         (shouldBe):
2364         * stress/32bit-code.js: Added.
2365         (shouldBe):
2366
2367 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2368
2369         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2370         https://bugs.webkit.org/show_bug.cgi?id=198355
2371
2372         Reviewed by Saam Barati.
2373
2374         * wasm/references/is_null.js:
2375
2376 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2377
2378         [PlayStation] Skip additional tests on PlayStation
2379         https://bugs.webkit.org/show_bug.cgi?id=198352
2380
2381         Reviewed by Don Olmstead.
2382
2383         Skip pow test on PlayStation due to behavior difference in standard library.
2384         Skip incremental marking test due to OOM on PlayStation systems.
2385
2386         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2387         * stress/math-pow-with-constants.js:
2388         * stress/pow-with-constants.js:
2389
2390 2019-05-28  Dean Jackson  <dino@apple.com>
2391
2392         Implement Promise.allSettled
2393         https://bugs.webkit.org/show_bug.cgi?id=197600
2394         <rdar://problem/50483885>
2395
2396         Reviewed by Keith Miller.
2397
2398         Start testing Promise.allSettled. We pass most of the tests.
2399         The ones that fail are similar to the Promise.all tests we already fail.
2400
2401         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2402         * test262/expectations.yaml: Add new expectations for allSettled tests.
2403
2404 2019-05-28  Michael Saboff  <msaboff@apple.com>
2405
2406         [YARR] Properly handle RegExp's that require large ParenContext space
2407         https://bugs.webkit.org/show_bug.cgi?id=198065
2408
2409         Reviewed by Keith Miller.
2410
2411         New test.
2412
2413         * stress/regexp-large-paren-context.js: Added.
2414         (testLargeRegExp):
2415
2416 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2417
2418         JITOperations putByVal should mark negative array indices as out-of-bounds
2419         https://bugs.webkit.org/show_bug.cgi?id=198271
2420
2421         Reviewed by Saam Barati.
2422
2423         * microbenchmarks/get-by-val-negative-array-index.js:
2424         (foo):
2425         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2426         is 4.2x faster than the previous commit.
2427
2428         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2429         (foo):
2430
2431 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2432
2433         JITOperations getByVal should mark negative array indices as out-of-bounds
2434         https://bugs.webkit.org/show_bug.cgi?id=198229
2435
2436         Reviewed by Saam Barati.
2437
2438         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2439         (foo):
2440
2441 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2442
2443         [WASM-References] Support Anyref in globals
2444         https://bugs.webkit.org/show_bug.cgi?id=198102
2445
2446         Reviewed by Saam Barati.
2447
2448         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2449
2450         * wasm/Builder.js:
2451         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2452         * wasm/Builder_WebAssemblyBinary.js:
2453         (const.putInitExpr):
2454         * wasm/references/anyref_globals.js: Added.
2455         (GetGlobal.0.End.End.WebAssembly):
2456         (5.doGCSet):
2457         (doGCTest):
2458         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2459
2460 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2461
2462         DFG::OSREntry should not perform arity check
2463         https://bugs.webkit.org/show_bug.cgi?id=198189
2464
2465         Reviewed by Saam Barati.
2466
2467         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2468         (foo):
2469
2470 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2471
2472         [PlayStation] Skip additional tests on PlayStation
2473         https://bugs.webkit.org/show_bug.cgi?id=198145
2474
2475         Reviewed by Ross Kirsling.
2476
2477         * exceptionFuzz.yaml:
2478         Add skip on hostOS playstation
2479         * executableAllocationFuzz.yaml:
2480         Add skip on hostOS playstation
2481
2482 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2483
2484         createListFromArrayLike should throw if value is not an object
2485         https://bugs.webkit.org/show_bug.cgi?id=198138
2486
2487         Reviewed by Yusuke Suzuki.
2488
2489         * stress/create-list-from-array-like-not-object.js: Added.
2490         (testValid):
2491         (testInvalid):
2492         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2493         (opt):
2494         * stress/proxy-proto-enumerator.js: Added.
2495         (main):
2496         * stress/proxy-proto-own-keys.js: Added.
2497         (assert):
2498         (ownKeys):
2499
2500 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2501
2502         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2503         https://bugs.webkit.org/show_bug.cgi?id=197809
2504
2505         Reviewed by Michael Saboff.
2506
2507         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2508         (foo):
2509
2510 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2511
2512         [ESNext] Implement support for Numeric Separators
2513         https://bugs.webkit.org/show_bug.cgi?id=196351
2514
2515         Reviewed by Keith Miller.
2516
2517         * stress/numeric-literal-separators.js: Added.
2518         Add tests for feature.
2519
2520         * test262/expectations.yaml:
2521         Mark 60 test cases as passing.
2522
2523 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2524
2525         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2526         https://bugs.webkit.org/show_bug.cgi?id=198120
2527         <rdar://problem/49668795>
2528
2529         Reviewed by Michael Saboff.
2530
2531         * stress/get-array-length-concurrently-change-mode.js: Added.
2532         (main):
2533
2534 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2535
2536         Unreviewed, rolling out r245634.
2537         https://bugs.webkit.org/show_bug.cgi?id=198140
2538
2539         'This patch makes JSC crash on launch in debug builds'
2540         (Requested by tadeuzagallo on #webkit).
2541
2542         Reverted changeset:
2543
2544         "[ESNext] Implement support for Numeric Separators"
2545         https://bugs.webkit.org/show_bug.cgi?id=196351
2546         https://trac.webkit.org/changeset/245634
2547
2548 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2549
2550         Stack-buffer-overflow in decodeURIComponent
2551         https://bugs.webkit.org/show_bug.cgi?id=198109
2552         <rdar://problem/50397550>
2553
2554         Reviewed by Michael Saboff.
2555
2556         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2557         (i.j.try.i.toString):
2558         (i.j.catch):
2559
2560 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2561
2562         Don't clear PropertyNameArray in Proxy code
2563         https://bugs.webkit.org/show_bug.cgi?id=197691
2564
2565         Reviewed by Saam Barati.
2566
2567         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2568         (shouldBe):
2569         (opt):
2570
2571 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2572
2573         [ESNext] Implement support for Numeric Separators
2574         https://bugs.webkit.org/show_bug.cgi?id=196351
2575
2576         Reviewed by Keith Miller.
2577
2578         * stress/numeric-literal-separators.js: Added.
2579         Add tests for feature.
2580
2581         * test262/expectations.yaml:
2582         Mark 60 test cases as passing.
2583
2584 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2585
2586         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2587         https://bugs.webkit.org/show_bug.cgi?id=198101
2588
2589         Reviewed by Michael Saboff.
2590
2591         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2592         (shouldBe):
2593
2594 2019-05-20  Keith Miller  <keith_miller@apple.com>
2595
2596         Cleanup Yarr regexp code around paren contexts.
2597         https://bugs.webkit.org/show_bug.cgi?id=198063
2598
2599         Reviewed by Yusuke Suzuki.
2600
2601         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2602         (i.s):
2603         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2604
2605 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2606
2607         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2608         https://bugs.webkit.org/show_bug.cgi?id=197969
2609
2610         Reviewed by Keith Miller.
2611
2612         Support the anyref type in Builder.js, plus add some extra error logging.
2613         Add new folder for wasm references tests.
2614
2615         * wasm.yaml:
2616         * wasm/Builder.js:
2617         (const._isValidValue):
2618         * wasm/references/anyref_modules.js: Added.
2619         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2620         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2621         (Call.3.RefIsNull.End.End.WebAssembly):
2622         (undefined):
2623         * wasm/references/is_null.js: Added.
2624         * wasm/references/is_null_error.js: Added.
2625         * wasm/spec-harness/index.js:
2626         * wasm/wasm.json:
2627
2628 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2629
2630         [JSC] Invalid AssignmentTargetType should be an early error.
2631         https://bugs.webkit.org/show_bug.cgi?id=197603
2632
2633         Reviewed by Keith Miller.
2634
2635         * test262/expectations.yaml:
2636         Update expectations to reflect new SyntaxErrors.
2637         (Ideally, these should all be viewed as passing in the near future.)
2638
2639         * stress/async-await-basic.js:
2640         * stress/big-int-literals.js:
2641         Update tests to reflect new SyntaxErrors.
2642
2643         * ChakraCore.yaml:
2644         * ChakraCore/test/EH/try6.baseline-jsc:
2645         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2646         Update baselines to reflect new SyntaxErrors.
2647
2648 2019-05-15  Saam Barati  <sbarati@apple.com>
2649
2650         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2651         https://bugs.webkit.org/show_bug.cgi?id=197855
2652         <rdar://problem/50236506>
2653
2654         Reviewed by Michael Saboff.
2655
2656         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2657         (f0):
2658         (bar):
2659         (foo):
2660         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2661         (f1):
2662         (f2):
2663         (foo):
2664
2665 2019-05-14  Keith Miller  <keith_miller@apple.com>
2666
2667         Fix issue with byteOffset on ARM64E
2668         https://bugs.webkit.org/show_bug.cgi?id=197884
2669
2670         Reviewed by Saam Barati.
2671
2672         We didn't have any tests that run with non-byte/non-zero offset
2673         typed arrays.
2674
2675         * stress/ftl-gettypedarrayoffset-wasteful.js:
2676
2677 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2678
2679         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2680         https://bugs.webkit.org/show_bug.cgi?id=197833
2681
2682         Reviewed by Darin Adler.
2683
2684         * stress/generator-name.js: Added.
2685         (shouldBe):
2686         (gen):
2687         (catch):
2688
2689 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2690
2691         JSObject::getOwnPropertyDescriptor is missing an exception check
2692         https://bugs.webkit.org/show_bug.cgi?id=197693
2693         <rdar://problem/50441784>
2694
2695         Reviewed by Saam Barati.
2696
2697         * stress/proxy-spread.js: Added.
2698         (foo):
2699
2700 2019-05-10  Saam barati  <sbarati@apple.com>
2701
2702         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2703         https://bugs.webkit.org/show_bug.cgi?id=197807
2704         <rdar://problem/50530400>
2705
2706         Reviewed by Yusuke Suzuki.
2707
2708         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2709         (test.getInstance):
2710         (test):
2711
2712 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2713
2714         [Test262] Unreviewed expectations update following r245188.
2715
2716         * test262/config.yaml:
2717         * test262/expectations.yaml:
2718
2719         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2720         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2721         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2722         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2723         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2724         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2725         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2726         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2727         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2728         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2729         These files have invalid YAML comments. Will also submit corrections back to Test262.
2730
2731 2019-05-10  Keith Miller  <keith_miller@apple.com>
2732
2733         Update test262 tests.
2734
2735         Rubber-stamped by Yusuke Suzuki.
2736
2737         * test262/*: mega-patch too many things to list individually.
2738
2739 2019-05-09  Keith Miller  <keith_miller@apple.com>
2740
2741         Unreview, fix test to have a try-catch.
2742
2743         * stress/many-nested-functions-parser-stack-overflow.js:
2744         (catch):
2745
2746 2019-05-09  Keith Miller  <keith_miller@apple.com>
2747
2748         parseStatementListItem needs a stack overflow check
2749         https://bugs.webkit.org/show_bug.cgi?id=197749
2750
2751         Reviewed by Saam Barati.
2752
2753         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2754
2755 2019-05-08  Saam barati  <sbarati@apple.com>
2756
2757         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2758         https://bugs.webkit.org/show_bug.cgi?id=197715
2759         <rdar://problem/50399252>
2760
2761         Reviewed by Filip Pizlo.
2762
2763         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2764         (foo):
2765         (bar):
2766
2767 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2768
2769         Unreviewed, rolling out r245068.
2770
2771         Caused debug layout tests to exit early due to an assertion
2772         failure.
2773
2774         Reverted changeset:
2775
2776         "All prototypes should call didBecomePrototype()"
2777         https://bugs.webkit.org/show_bug.cgi?id=196315
2778         https://trac.webkit.org/changeset/245068
2779
2780 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2781
2782         Invalid DFG JIT genereation in high CPU usage state
2783         https://bugs.webkit.org/show_bug.cgi?id=197453
2784
2785         Reviewed by Saam Barati.
2786
2787         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2788         (trigger):
2789         (main):
2790
2791 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2792
2793         All prototypes should call didBecomePrototype()
2794         https://bugs.webkit.org/show_bug.cgi?id=196315
2795
2796         Reviewed by Saam Barati.
2797
2798         This changelog already landed, but the commit was missing the actual changes.
2799
2800         * stress/function-prototype-indexed-accessor.js: Added.
2801
2802 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2803
2804         [BigInt] Add ValueMod into DFG
2805         https://bugs.webkit.org/show_bug.cgi?id=186174
2806
2807         Reviewed by Saam Barati.
2808
2809         * microbenchmarks/mod-untyped.js: Added.
2810         * stress/big-int-mod-osr.js: Added.
2811         * stress/value-div-ai-rule.js: Added.
2812         * stress/value-mod-ai-rule.js: Added.
2813
2814 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2815
2816         [JSC] DFG_ASSERT failed in lowInt52
2817         https://bugs.webkit.org/show_bug.cgi?id=197569
2818
2819         Reviewed by Saam Barati.
2820
2821         * stress/getstack-int52.js: Added.
2822         (opt):
2823         (main):
2824
2825 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2826
2827         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2828         https://bugs.webkit.org/show_bug.cgi?id=197479
2829
2830         Reviewed by Saam Barati.
2831
2832         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2833         (shouldBe):
2834
2835 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2836
2837         TemplateObject passed to template literal tags are not always identical for the same source location.
2838         https://bugs.webkit.org/show_bug.cgi?id=190756
2839
2840         Reviewed by Saam Barati.
2841
2842         * complex.yaml:
2843         * complex/tagged-template-regeneration-after.js: Added.
2844         (shouldBe):
2845         * complex/tagged-template-regeneration.js: Added.
2846         (call):
2847         (test):
2848         * modules/tagged-template-inside-module.js: Added.
2849         (from.string_appeared_here.call):
2850         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2851         (call):
2852         (export.otherTaggedTemplates):
2853         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2854         (shouldBe):
2855         (call):
2856         (poly):
2857         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2858         (shouldBe):
2859         (call):
2860         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2861         (shouldBe):
2862         (call):
2863         (test):
2864         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2865         (shouldBe):
2866         (call):
2867         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2868         (shouldBe):
2869         (call):
2870         * stress/tagged-templates-in-multiple-functions.js: Added.
2871         (shouldBe):
2872         (call):
2873         (a):
2874         (b):
2875         (c):
2876         * stress/tagged-templates-with-same-start-offset.js: Added.
2877         (shouldBe):
2878
2879 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2880
2881         All prototypes should call didBecomePrototype()
2882         https://bugs.webkit.org/show_bug.cgi?id=196315
2883
2884         Reviewed by Saam Barati.
2885
2886         * stress/function-prototype-indexed-accessor.js: Added.
2887
2888 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2889
2890         Unreviewed, rolling out r244978.
2891         https://bugs.webkit.org/show_bug.cgi?id=197671
2892
2893         TemplateObject map should use start/end offsets (Requested by
2894         yusukesuzuki on #webkit).
2895
2896         Reverted changeset:
2897
2898         "TemplateObject passed to template literal tags are not always
2899         identical for the same source location."
2900         https://bugs.webkit.org/show_bug.cgi?id=190756
2901         https://trac.webkit.org/changeset/244978
2902
2903 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2904
2905         tryCachePutByID should not crash if target offset changes
2906         https://bugs.webkit.org/show_bug.cgi?id=197311
2907         <rdar://problem/48033612>
2908
2909         Reviewed by Filip Pizlo.
2910
2911         Add a series of tests related tryCachePutByID. Two of these tests used to crash and were fixed
2912         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
2913
2914         * stress/cache-put-by-id-delete-prototype.js: Added.
2915         (A.prototype.set y):
2916         (A):
2917         (B.prototype.set y):
2918         (B):
2919         (C):
2920         * stress/cache-put-by-id-different-__proto__.js: Added.
2921         (A.prototype.set y):
2922         (A):
2923         (B1):
2924         (B2.prototype.set y):
2925         (B2):
2926         (C):
2927         (D):
2928         * stress/cache-put-by-id-different-attributes.js: Added.
2929         (Foo):
2930         (set x):
2931         * stress/cache-put-by-id-different-offset.js: Added.
2932         (Foo):
2933         (set x):
2934         * stress/cache-put-by-id-insert-prototype.js: Added.
2935         (A.prototype.set y):
2936         (A):
2937         (C):
2938         * stress/cache-put-by-id-poly-proto.js: Added.
2939         (Foo):
2940         (set _):
2941         (createBar.Bar):
2942         (createBar):
2943
2944 2019-05-07  Saam Barati  <sbarati@apple.com>
2945
2946         Don't OSR enter into an FTL CodeBlock that has been jettisoned
2947         https://bugs.webkit.org/show_bug.cgi?id=197531
2948         <rdar://problem/50162379>
2949
2950         Reviewed by Yusuke Suzuki.
2951
2952         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2953
2954 2019-05-06  Dean Jackson  <dino@apple.com>
2955
2956         Update test262 expectations for Proxy passes
2957         https://bugs.webkit.org/show_bug.cgi?id=197628
2958
2959         Reviewed by Yusuke Suzuki.
2960
2961         There are two consistent passes in Proxy.ownKeys.
2962
2963         * test262/expectations.yaml:
2964
2965 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2966
2967         [JSC] We should check OOM for description string of Symbol
2968         https://bugs.webkit.org/show_bug.cgi?id=197634
2969
2970         Reviewed by Keith Miller.
2971
2972         * stress/check-symbol-description-oom.js: Added.
2973         (shouldThrow):
2974
2975 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2976
2977         Unreviewed, land one more test
2978         https://bugs.webkit.org/show_bug.cgi?id=197587
2979
2980         * stress/setter-frame-flush.js: Added.
2981         (setter):
2982         (foo):
2983         (bar):
2984
2985 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2986
2987         TemplateObject passed to template literal tags are not always identical for the same source location.
2988         https://bugs.webkit.org/show_bug.cgi?id=190756
2989
2990         Reviewed by Saam Barati.
2991
2992         * complex.yaml:
2993         * complex/tagged-template-regeneration-after.js: Added.
2994         (shouldBe):
2995         * complex/tagged-template-regeneration.js: Added.
2996         (call):
2997         (test):
2998         * modules/tagged-template-inside-module.js: Added.
2999         (from.string_appeared_here.call):
3000         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3001         (call):
3002         (export.otherTaggedTemplates):
3003         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3004         (shouldBe):
3005         (call):
3006         (poly):
3007         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3008         (shouldBe):
3009         (call):
3010         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3011         (shouldBe):
3012         (call):
3013         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3014         (shouldBe):
3015         (call):
3016         * stress/tagged-templates-in-multiple-functions.js: Added.
3017         (shouldBe):
3018         (call):
3019         (a):
3020         (b):
3021         (c):
3022
3023 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3024
3025         [PlayStation] JSC Stress tests failing due to timezone printing
3026         https://bugs.webkit.org/show_bug.cgi?id=197615
3027
3028         PlayStation's strftime does not give timezone strings, which
3029         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3030         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3031         which causes diff failures with the expectations. Add expectations
3032         without the timezone string and use those on playstation.
3033
3034         Reviewed by Ross Kirsling.
3035
3036         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3037         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3038         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3039         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3040
3041 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3042
3043         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3044         https://bugs.webkit.org/show_bug.cgi?id=197587
3045
3046         Reviewed by Sam Weinig.
3047
3048         This patch adds more tests to r244939. It also inlines setter calls, and eventually see that no PutStack is emitted because MovHint's KillStack kills it.
3049
3050         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3051
3052 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3053
3054         TypedArrays should not store properties that are canonical numeric indices
3055         https://bugs.webkit.org/show_bug.cgi?id=197228
3056         <rdar://problem/49557381>
3057
3058         Reviewed by Saam Barati.
3059
3060         * stress/array-species-config-array-constructor.js:
3061         (test):
3062         * stress/put-direct-index-broken-2.js:
3063         * stress/typed-array-canonical-numeric-index-string.js: Added.
3064         (makeTest.assert):
3065         (makeTest):
3066         (const.testInvalidIndices.makeTest.set assert):
3067         (const.testInvalidIndices.makeTest):
3068         (const.makeTestValidIndex.configurable.set assert):
3069         (const.makeTestValidIndex.configurable):
3070         * stress/typedarray-access-monomorphic-neutered.js:
3071         (checkNoException):
3072         (testNoException):
3073         (testFTLNoException):
3074         * stress/typedarray-access-neutered.js:
3075         (testNoException):
3076         * stress/typedarray-getownproperty-not-configurable.js:
3077         (foo):
3078         * test262/expectations.yaml:
3079
3080 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3081
3082         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3083         https://bugs.webkit.org/show_bug.cgi?id=197584
3084
3085         Reviewed by Saam Barati.
3086
3087         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3088         (X):
3089         (foo):
3090
3091 2019-05-03  Michael Saboff  <msaboff@apple.com>
3092
3093         iOS JSC tests frequently exiting with execption after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3094         https://bugs.webkit.org/show_bug.cgi?id=197586
3095
3096         Reviewed by Keith Miller.
3097
3098         We should only run one config of this test and only when we think we'll have the memory.
3099
3100         * stress/json-stringify-string-builder-overflow.js:
3101
3102 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3103
3104         [JSC] Generator CodeBlock generation should be idempotent
3105         https://bugs.webkit.org/show_bug.cgi?id=197552
3106
3107         Reviewed by Keith Miller.
3108
3109         Add complex.yaml, which controls how to run JSC shell more.
3110         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3111
3112         * complex.yaml: Added.
3113         * complex/generator-regeneration-after.js: Added.
3114         * complex/generator-regeneration.js: Added.
3115         (gen):
3116
3117 2019-05-02  Michael Saboff  <msaboff@apple.com>
3118
3119         Unreviewed rollout of r244862.
3120
3121         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3122
3123 2019-05-01  Saam barati  <sbarati@apple.com>
3124
3125         Baseline JIT should do argument value profiling after checking for stack overflow
3126         https://bugs.webkit.org/show_bug.cgi?id=197052
3127         <rdar://problem/50009602>
3128
3129         Reviewed by Yusuke Suzuki.
3130
3131         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3132
3133 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3134
3135         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3136         https://bugs.webkit.org/show_bug.cgi?id=197405
3137
3138         Reviewed by Saam Barati.
3139
3140         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3141         (foo):
3142         (test):
3143         (i.o.get f):
3144         (i.o.set f):
3145
3146 2019-05-01  Michael Saboff  <msaboff@apple.com>
3147
3148         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3149         https://bugs.webkit.org/show_bug.cgi?id=197485
3150
3151         Reviewed by Saam Barati.
3152
3153         New test.
3154
3155         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3156         (foo):
3157
3158 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3159
3160         Unreviewed correction to Test262 expectations following r244828.
3161
3162         * test262/expectations.yaml:
3163
3164 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3165
3166         Add memory-limited skipping to some tests generating very large strings
3167         https://bugs.webkit.org/show_bug.cgi?id=197437
3168
3169         Reviewed by Ross Kirsling.
3170
3171         * stress/StringObject-define-length-getter-rope-string-oom.js:
3172         * stress/create-error-out-of-memory-rope-string.js:
3173         * stress/string-16bit-repeat-overflow.js:
3174
3175 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3176
3177         Unreviewed, rolling out r244806.
3178         https://bugs.webkit.org/show_bug.cgi?id=197446
3179
3180         Causing Test262 and JSC test failures on multiple builds
3181         (Requested by ShawnRoberts on #webkit).
3182
3183         Reverted changeset:
3184
3185         "TypeArrays should not store properties that are canonical
3186         numeric indices"
3187         https://bugs.webkit.org/show_bug.cgi?id=197228
3188         https://trac.webkit.org/changeset/244806
3189
3190 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3191
3192         TypeArrays should not store properties that are canonical numeric indices
3193         https://bugs.webkit.org/show_bug.cgi?id=197228
3194         <rdar://problem/49557381>
3195
3196         Reviewed by Darin Adler.
3197
3198         * stress/typed-array-canonical-numeric-index-string.js: Added.
3199         (makeTest.assert):
3200         (makeTest):
3201         (const.testInvalidIndices.makeTest.set assert):
3202         (const.testInvalidIndices.makeTest):
3203         (const.testValidIndices.makeTest.set assert):
3204         (const.testValidIndices.makeTest):
3205
3206 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3207
3208         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3209         https://bugs.webkit.org/show_bug.cgi?id=197362
3210
3211         Reviewed by Saam Barati.
3212
3213         * stress/map-with-nan.js: Added.
3214         (shouldBe):
3215         (div):
3216         (NaN1):
3217         (NaN2):
3218         (NaN3):
3219         (NaN4):
3220         (NaN1NoInline):
3221         (NaN2NoInline):
3222         (NaN3NoInline):
3223         (NaN4NoInline):
3224         (test1):
3225         (test2):
3226         (test3):
3227         (test4):
3228         * stress/set-with-nan.js: Added.
3229         (shouldBe):
3230         (div):
3231         (NaN1):
3232         (NaN2):
3233         (NaN3):
3234         (NaN4):
3235         (NaN1NoInline):
3236         (NaN2NoInline):
3237         (NaN3NoInline):
3238         (NaN4NoInline):
3239         (test2):
3240         (test4):
3241
3242 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3243
3244         Unreviewed, rolling out r244708.
3245         https://bugs.webkit.org/show_bug.cgi?id=197334
3246
3247         "Broke the debug build" (Requested by rmorisset on #webkit).
3248
3249         Reverted changeset:
3250
3251         "All prototypes should call didBecomePrototype()"
3252         https://bugs.webkit.org/show_bug.cgi?id=196315
3253         https://trac.webkit.org/changeset/244708
3254
3255 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3256
3257         [JSC] linkPolymorphicCall now does GC
3258         https://bugs.webkit.org/show_bug.cgi?id=197306
3259
3260         Reviewed by Saam Barati.
3261
3262         * stress/link-polymorphic-call-can-gc.js: Added.
3263         (module):
3264         (instance):
3265
3266 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3267
3268         All prototypes should call didBecomePrototype()
3269         https://bugs.webkit.org/show_bug.cgi?id=196315
3270
3271         Reviewed by Saam Barati.
3272
3273         * stress/function-prototype-indexed-accessor.js: Added.
3274
3275 2019-04-23  Saam Barati  <sbarati@apple.com>
3276
3277         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3278         https://bugs.webkit.org/show_bug.cgi?id=196721
3279         <rdar://problem/49556479> 
3280
3281         Reviewed by Filip Pizlo.
3282
3283         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3284         (foo):
3285
3286 2019-04-19  Saam Barati  <sbarati@apple.com>
3287
3288         AbstractValue can represent more than int52
3289         https://bugs.webkit.org/show_bug.cgi?id=197118
3290         <rdar://problem/49969960>
3291
3292         Reviewed by Michael Saboff.
3293
3294         * stress/abstract-value-can-include-int52.js: Added.
3295         (foo):
3296         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3297
3298 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3299
3300         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3301         https://bugs.webkit.org/show_bug.cgi?id=197053
3302
3303         Reviewed by Saam Barati.
3304
3305         * stress/merge-string-builder-in-dfg.js: Added.
3306         (foo):
3307
3308 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3309
3310         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3311         https://bugs.webkit.org/show_bug.cgi?id=176810
3312
3313         Reviewed by Saam Barati.
3314
3315         Add tests for the DontEnum filtering, and variations of other tests
3316         take the DontEnum-filtering path.
3317
3318         * stress/proxy-own-keys.js:
3319         (i.catch):
3320         (set assert):
3321         (set add):
3322         (let.set new):
3323         (get let):
3324
3325 2019-04-15  Saam barati  <sbarati@apple.com>
3326
3327         Modify how we do SetArgument when we inline varargs calls
3328         https://bugs.webkit.org/show_bug.cgi?id=196712
3329         <rdar://problem/49605012>
3330
3331         Reviewed by Michael Saboff.
3332
3333         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3334         (foo):
3335
3336 2019-04-15  Saam barati  <sbarati@apple.com>
3337
3338         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3339         https://bugs.webkit.org/show_bug.cgi?id=196945
3340         <rdar://problem/49802750>
3341
3342         Reviewed by Filip Pizlo.
3343
3344         * stress/get-by-offset-should-use-correct-child.js: Added.
3345         (foo.bar):
3346         (foo):
3347
3348 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3349
3350         DFG should be able to constant fold Object.create() with a constant prototype operand
3351         https://bugs.webkit.org/show_bug.cgi?id=196886
3352
3353         Reviewed by Yusuke Suzuki.
3354
3355         Note that this new benchmark does not currently see a speedup with inlining removed.
3356         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3357
3358         * microbenchmarks/object-create-constant-prototype.js: Added.
3359         (test):
3360
3361 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3362
3363         Incremental bytecode cache should not append function updates when loaded from memory
3364         https://bugs.webkit.org/show_bug.cgi?id=196865
3365
3366         Reviewed by Filip Pizlo.
3367
3368         * stress/bytecode-cache-shared-code-block.js: Added.
3369         (b):
3370         (program):
3371
3372 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3373
3374         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3375         https://bugs.webkit.org/show_bug.cgi?id=196880
3376
3377         Reviewed by Yusuke Suzuki.
3378
3379         * stress/bytecode-cache-syntax-error.js: Added.
3380         (catch):
3381
3382 2019-04-12  Saam barati  <sbarati@apple.com>
3383
3384         r244079 logically broke shouldSpeculateInt52
3385         https://bugs.webkit.org/show_bug.cgi?id=196884
3386
3387         Reviewed by Yusuke Suzuki.
3388
3389         * microbenchmarks/int52-rand-function.js: Added.
3390         (Math.random):
3391
3392 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3393
3394         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3395         https://bugs.webkit.org/show_bug.cgi?id=196850
3396
3397         Reviewed by Saam Barati.
3398
3399         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3400         (foo):
3401
3402 2019-04-11  Saam barati  <sbarati@apple.com>
3403
3404         Remove invalid assertion in operationInstanceOfCustom
3405         https://bugs.webkit.org/show_bug.cgi?id=196842
3406         <rdar://problem/49725493>
3407
3408         Reviewed by Michael Saboff.
3409
3410         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3411
3412 2019-04-10  Saam Barati  <sbarati@apple.com>
3413
3414         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3415         https://bugs.webkit.org/show_bug.cgi?id=196801
3416         <rdar://problem/49771122>
3417
3418         Reviewed by Yusuke Suzuki.
3419
3420         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3421
3422 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3423
3424         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3425         https://bugs.webkit.org/show_bug.cgi?id=196746
3426
3427         Reviewed by Yusuke Suzuki.
3428
3429         * stress/cyclic-define-properties.js: Added.
3430         (foo):
3431
3432 2019-04-09  Saam barati  <sbarati@apple.com>
3433
3434         Clean up Int52 code and some bugs in it
3435         https://bugs.webkit.org/show_bug.cgi?id=196639
3436         <rdar://problem/49515757>
3437
3438         Reviewed by Yusuke Suzuki.
3439
3440         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3441
3442 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3443
3444         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3445         https://bugs.webkit.org/show_bug.cgi?id=196708
3446         <rdar://problem/49556803>
3447
3448         Reviewed by Yusuke Suzuki.
3449
3450         * stress/proxy-getter-stack-overflow.js: Added.
3451         (const.handler.get target):
3452         (const.handler.has):
3453         (try.with):
3454         (catch):
3455
3456 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3457
3458         [JSC] DFG should respect node's strict flag
3459         https://bugs.webkit.org/show_bug.cgi?id=196617
3460
3461         Reviewed by Saam Barati.
3462
3463         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3464         (shouldEqual):
3465         (makeUnwriteableUnconfigurableObject):
3466         (runTest):
3467         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3468         (shouldBe):
3469         (shouldThrow):
3470         (with.result):
3471         (with.putValueStrict):
3472         (with.putValueSloppy):
3473
3474 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3475
3476         [JSC] isRope jump in StringSlice should not jump over register allocations
3477         https://bugs.webkit.org/show_bug.cgi?id=196716
3478
3479         Reviewed by Saam Barati.
3480
3481         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3482         (foo.bar):
3483         (foo):
3484
3485 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3486
3487         [JSC] to_index_string should not assume incoming value is Uint32
3488         https://bugs.webkit.org/show_bug.cgi?id=196713
3489
3490         Reviewed by Saam Barati.
3491
3492         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
3493         (foo):
3494
3495 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3496
3497         [JSC] Add more tests for r243966
3498         https://bugs.webkit.org/show_bug.cgi?id=196711
3499
3500         Reviewed by Saam Barati.
3501
3502         Adding one more test for r243966 fix. The added test will not crash after r243966.
3503
3504         * stress/stress-cleared-calllinkinfo.js: Added.
3505         (runNearStackLimit.t):
3506         (runNearStackLimit):
3507         (repeat):
3508         (cls):
3509         (let.item.of.array.runNearStackLimit):
3510
3511 2019-04-08  Saam Barati  <sbarati@apple.com>
3512
3513         WebAssembly.RuntimeError missing exception check
3514         https://bugs.webkit.org/show_bug.cgi?id=196700
3515         <rdar://problem/49693932>
3516
3517         Reviewed by Yusuke Suzuki.
3518
3519         * wasm/js-api/runtime-error-should-exception-check.js: Added.
3520
3521 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3522
3523         Unreviewed, rolling in r243948 with test fix
3524         https://bugs.webkit.org/show_bug.cgi?id=196486
3525
3526         * stress/arrow-function-and-use-strict-directive.js: Added.
3527         * stress/arrow-function-syntax.js: Added.
3528         (checkSyntax):
3529         (checkSyntaxError):
3530
3531 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3532
3533         Unreviewed, rolling out r243948.
3534
3535         Caused inspector/runtime/parse.html to fail
3536
3537         Reverted changeset:
3538
3539         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
3540         https://bugs.webkit.org/show_bug.cgi?id=196486
3541         https://trac.webkit.org/changeset/243948
3542
3543 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3544
3545         Unreviewed, rolling out r243943.
3546
3547         Caused test262 failures.
3548
3549         Reverted changeset:
3550
3551         "[JSC] Filter DontEnum properties in
3552         ProxyObject::getOwnPropertyNames()"
3553         https://bugs.webkit.org/show_bug.cgi?id=176810
3554         https://trac.webkit.org/changeset/243943
3555
3556 2019-04-07  Michael Saboff  <msaboff@apple.com>
3557
3558         REGRESSION (r243642): Crash in reddit.com page
3559         https://bugs.webkit.org/show_bug.cgi?id=196684
3560
3561         Reviewed by Geoffrey Garen.
3562
3563         New regression test.
3564
3565         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
3566
3567 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
3568
3569         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
3570         https://bugs.webkit.org/show_bug.cgi?id=196683
3571
3572         Reviewed by Saam Barati.
3573
3574         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
3575         (foo):
3576
3577 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3578
3579         [JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern
3580         https://bugs.webkit.org/show_bug.cgi?id=196582
3581
3582         Reviewed by Saam Barati.
3583
3584         * stress/add-overflow-check-with-three-same-registers.js: Added.
3585         (foo):
3586         (Number.prototype.valueOf):
3587         (runWithNumber):
3588
3589 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
3590
3591         Unreviewed, rolling out r243665.
3592
3593         Caused iOS JSC tests to exit with an exception.
3594
3595         Reverted changeset:
3596
3597         "Assertion failed in JSC::createError"
3598         https://bugs.webkit.org/show_bug.cgi?id=196305
3599         https://trac.webkit.org/changeset/243665
3600
3601 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3602
3603         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
3604         https://bugs.webkit.org/show_bug.cgi?id=196486
3605
3606         Reviewed by Saam Barati.
3607
3608         * stress/arrow-function-and-use-strict-directive.js: Added.
3609         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
3610         (checkSyntax):
3611         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
3612
3613 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3614
3615         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3616         https://bugs.webkit.org/show_bug.cgi?id=176810
3617
3618         Reviewed by Saam Barati.
3619
3620         Add tests for the DontEnum filtering, and variations of other tests
3621         take the DontEnum-filtering path.
3622
3623         * stress/proxy-own-keys.js:
3624         (i.catch):
3625         (set assert):
3626         (set add):
3627         (let.set new):
3628         (get let):
3629
3630 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3631
3632         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
3633         https://bugs.webkit.org/show_bug.cgi?id=185211
3634
3635         Reviewed by Saam Barati.
3636
3637         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
3638
3639         This changes several assertions to expect a TypeError to be thrown (in some cases,
3640         changing thee expected message).
3641
3642         * es6/Proxy_ownKeys_duplicates.js:
3643         (handler):
3644         (shouldThrow):
3645         (test):
3646         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3647         (shouldThrow):
3648         * stress/proxy-own-keys.js:
3649         (i.catch):
3650         (assert):
3651
3652 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3653
3654         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
3655         https://bugs.webkit.org/show_bug.cgi?id=196631
3656
3657         Reviewed by Saam Barati.
3658
3659         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
3660         (assert):
3661         (test):
3662         (foo):
3663
3664 2019-04-04  Saam Barati  <sbarati@apple.com>
3665
3666         Unreviewed. Make the test from r243906 catch the thrown exceptions.
3667
3668         * stress/inferred-types-regex-matches-array.js:
3669
3670 2019-04-04  Saam Barati  <sbarati@apple.com>
3671
3672         createRegExpMatchesArray does not respect inferred types
3673         https://bugs.webkit.org/show_bug.cgi?id=193287
3674
3675         Reviewed by Yusuke Suzuki.
3676
3677         This checks in the test case for 193287. This issue was discovered by
3678         Samuel GroƟ of Google Project Zero.
3679
3680         * stress/inferred-types-regex-matches-array.js: Added.
3681
3682 2019-04-04  Saam barati  <sbarati@apple.com>
3683
3684         Teach Call ICs how to call Wasm
3685         https://bugs.webkit.org/show_bug.cgi?id=196387
3686
3687         Reviewed by Filip Pizlo.
3688
3689         * wasm/function-tests/stack-trace.js:
3690
3691 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
3692
3693         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
3694         https://bugs.webkit.org/show_bug.cgi?id=194944
3695
3696         Reviewed by Keith Miller.
3697
3698         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
3699
3700 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3701
3702         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl
3703         https://bugs.webkit.org/show_bug.cgi?id=196409
3704
3705         Reviewed by Saam Barati.
3706
3707         * stress/bytecode-cache-cached-string-impl.js: Added.
3708         (f):
3709         (g):
3710         * stress/bytecode-cache-run-string.js: Added.
3711
3712 2019-04-03  Robin Morisset  <rmorisset@apple.com>
3713
3714         B3 should use associativity to optimize expression trees
3715         https://bugs.webkit.org/show_bug.cgi?id=194081
3716
3717         Reviewed by Filip Pizlo.
3718
3719         Added three microbenchmarks:
3720         - add-tree should be the ideal case, but there is no speedup because we are currently unable to prove that the CheckAdd won't overflow
3721         - bit-xor-tree most closely matches the situation where the optimization triggers on the JetStream2 subtests where it triggers:
3722           an unbalanced expression tree of size 8 that can be balanced, with no other optimizations being unlocked. 16% speedup
3723         - bit-or-tree is an ideal case, where the reassociation also enables a ton of further simplifications. 42% speedup
3724
3725         * microbenchmarks/add-tree.js: Added.
3726         * microbenchmarks/bit-or-tree.js: Added.
3727         * microbenchmarks/bit-xor-tree.js: Added.
3728
3729 2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
3730
3731         [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
3732         https://bugs.webkit.org/show_bug.cgi?id=196574
3733
3734         Reviewed by Saam Barati.
3735
3736         * stress/string-index-of-exception-check.js: Added.
3737         (blurType):
3738         (1.forEach):
3739
3740 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
3741
3742         Assertion failed in JSC::createError
3743         https://bugs.webkit.org/show_bug.cgi?id=196305
3744         <rdar://problem/49387382>
3745
3746         Reviewed by Saam Barati.
3747
3748         * stress/create-error-out-of-memory-rope-string-2.js: Added.
3749         (assert):
3750         (catch):
3751
3752 2019-03-28  Saam Barati  <sbarati@apple.com>
3753
3754         BackwardsGraph needs to consider back edges as the backward's root successor
3755         https://bugs.webkit.org/show_bug.cgi?id=195991
3756
3757         Reviewed by Filip Pizlo.
3758
3759         * stress/map-b3-licm-infinite-loop.js: Added.
3760
3761 2019-03-28  Tadeu Zagallo  <tzagallo@apple.com>
3762
3763         CodeBlock::jettison() should disallow repatching its own calls
3764         https://bugs.webkit.org/show_bug.cgi?id=196359
3765         <rdar://problem/48973663>
3766
3767         Reviewed by Saam Barati.
3768
3769         * stress/call-link-info-osrexit-repatch.js: Added.
3770         (foo):
3771
3772 2019-03-28  Yusuke Suzuki  <ysuzuki@apple.com>
3773
3774         [JSC] imports-oom.js intermittently fails
3775         https://bugs.webkit.org/show_bug.cgi?id=196373
3776
3777         Reviewed by Saam Barati.
3778
3779         imports-oom.js ensures that a wasm module compilation / instantiation throws an OOM error instead of crashing when compiling / instantiating their entry points
3780         with extremely low executable memory amount. And this test expects we at least once successfully compile, instantiate, and execute a wasm module to test that
3781         wasm implementation is always throwing an OOM error. However, maybe due to wasm changes, the amount of executable memory consumed by wasm compilation is changed,
3782         and now we may encounter an OOM error at the first compilation. Since imports-oom.js randomize the amount of executable memory used by the generated wasm module,
3783         imports-oom.js intermittently fails when it first generates large wasm module which cannot be compiled.
3784
3785         This patch reduces the maxParams from 32 to 8 to reduce the size of randomly generated wasm module. Since we repeatedly generate wasm modules, this test soon encounter
3786         an expected OOM error. But this avoids the situation that we get an OOM error when we compile a first wasm module.
3787
3788         * wasm/lowExecutableMemory/imports-oom.js:
3789
3790 2019-03-27  Saam Barati  <sbarati@apple.com>
3791
3792         validateOSREntryValue with Int52 should box the value being checked into double format
3793         https://bugs.webkit.org/show_bug.cgi?id=196313
3794         <rdar://problem/49306703>
3795
3796         Reviewed by Yusuke Suzuki.
3797
3798         * stress/validate-int-52-ai-state.js: Added.
3799
3800 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
3801
3802         [JSC] Owner of watchpoints should validate at GC finalizing phase
3803         https://bugs.webkit.org/show_bug.cgi?id=195827
3804
3805         Reviewed by Filip Pizlo.
3806
3807         * stress/gc-should-reap-dead-watchpoints.js: Added.
3808         (foo):
3809         (A.prototype.y):
3810         (A):
3811
3812 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
3813
3814         Skip WebAssembly test on 32-bit systems
3815         https://bugs.webkit.org/show_bug.cgi?id=196206
3816
3817         Reviewed by Saam Barati.
3818
3819         Invoking runDefault executes test immediately even though
3820         that test should be skipped due to missing WASM support.
3821         Therefore remove runDefault.
3822
3823         * wasm/regress/web-assembly-link-error-exception-check.js:
3824
3825 2019-03-26  Tadeu Zagallo  <tzagallo@apple.com>
3826
3827         WebAssembly: Fix f32.min, f64.min and f64.max operations on NaN
3828         https://bugs.webkit.org/show_bug.cgi?id=196217
3829
3830         Reviewed by Saam Barati.
3831
3832         Re-enable all NaN tests for f32.min, f64.min and f64.max.
3833
3834         * wasm/spec-tests/f32.wast.js:
3835         * wasm/spec-tests/f64.wast.js:
3836         * wasm/wasm.json:
3837
3838 2019-03-25  Keith Miller  <keith_miller@apple.com>
3839
3840         ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge)
3841         https://bugs.webkit.org/show_bug.cgi?id=196176
3842
3843         Reviewed by Saam Barati.
3844
3845         * stress/object-is-fold-to-compare-eq-ptr.js: Added.
3846         (main.v10):
3847         (main):
3848
3849 2019-03-25  Tadeu Zagallo  <tzagallo@apple.com>
3850
3851         WebAssembly: f32.max with NaN generates incorrect result
3852         https://bugs.webkit.org/show_bug.cgi?id=175691
3853         <rdar://problem/33952228>
3854
3855         Reviewed by Saam Barati.
3856
3857         Enable all f32.max NaN tests
3858
3859         * wasm/spec-tests/f32.wast.js:
3860         * wasm/wasm.json:
3861
3862 2019-03-24  Dominik Infuehr  <dinfuehr@igalia.com>
3863
3864         [JSC] Move test into directory for WASM tests
3865         https://bugs.webkit.org/show_bug.cgi?id=196187
3866
3867         Reviewed by Mark Lam.
3868
3869         Move Test into wasm-directory. Otherwise this test
3870         is also executed on systems without WASM support.
3871
3872         * wasm/regress/web-assembly-link-error-exception-check.js: Renamed from JSTests/stress/web-assembly-link-error-exception-check.js.
3873
3874 2019-03-23  Mark Lam  <mark.lam@apple.com>
3875
3876         Rolling out r243032 and r243071 because the fix is incorrect.
3877         https://bugs.webkit.org/show_bug.cgi?id=195892
3878         <rdar://problem/48981239>
3879
3880         Not reviewed.
3881
3882         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Removed.
3883
3884 2019-03-22  Mark Lam  <mark.lam@apple.com>
3885
3886         Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf().
3887         https://bugs.webkit.org/show_bug.cgi?id=196154
3888         <rdar://problem/49145307>
3889
3890         Reviewed by Filip Pizlo.
3891
3892         Also added //@ runDefault constraint to web-assembly-link-error-exception-check.js.
3893         There's no need to run this test on more than 1 test configuration.
3894
3895         * stress/typed-array-lastIndexOf-exception-check.js: Added.
3896         * stress/web-assembly-link-error-exception-check.js:
3897
3898 2019-03-22  Mark Lam  <mark.lam@apple.com>
3899
3900         Placate exception check validation in constructJSWebAssemblyLinkError().
3901         https://bugs.webkit.org/show_bug.cgi?id=196152
3902         <rdar://problem/49145257>
3903
3904         Reviewed by Michael Saboff.
3905
3906         * stress/web-assembly-link-error-exception-check.js: Added.
3907
3908 2019-03-22  Dominik Infuehr  <dinfuehr@igalia.com>
3909
3910         Skip tests running out of memory on ARM/MIPS
3911         https://bugs.webkit.org/show_bug.cgi?id=196131
3912
3913         Unreviewed. Skip test if memory is limited.
3914
3915         * microbenchmarks/put-by-val-direct-large-index.js:
3916
3917 2019-03-21  Mark Lam  <mark.lam@apple.com>
3918
3919         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
3920         https://bugs.webkit.org/show_bug.cgi?id=196116
3921         <rdar://problem/48976951>
3922
3923         Reviewed by Filip Pizlo.
3924
3925         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
3926
3927 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
3928
3929         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
3930         https://bugs.webkit.org/show_bug.cgi?id=196078
3931         <rdar://problem/35925380>
3932
3933         Reviewed by Mark Lam.
3934
3935         Add a new benchmark that allocates several objects and invokes put_by_val_direct
3936         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
3937
3938         * microbenchmarks/put-by-val-direct-large-index.js: Added.
3939
3940 2019-03-21  Mark Lam  <mark.lam@apple.com>
3941
3942         Placate exception check validation in operationArrayIndexOfString().
3943         https://bugs.webkit.org/show_bug.cgi?id=196067
3944         <rdar://problem/49056572>
3945
3946         Reviewed by Michael Saboff.
3947
3948         * stress/string-equal-exception-check.js: Added.
3949
3950 2019-03-21  Mark Lam  <mark.lam@apple.com>
3951
3952         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
3953         https://bugs.webkit.org/show_bug.cgi?id=196055
3954         <rdar://problem/49067448>
3955
3956         Reviewed by Yusuke Suzuki.
3957
3958         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
3959
3960 2019-03-20  Saam Barati  <sbarati@apple.com>
3961
3962         typeOfDoubleSum is wrong for when NaN can be produced
3963         https://bugs.webkit.org/show_bug.cgi?id=196030
3964
3965         Reviewed by Filip Pizlo.
3966
3967         * stress/double-add-sub-mul-can-produce-nan.js: Added.
3968         (assert):
3969         (noInline.sub):
3970         (noInline):
3971         (assert.mul):
3972         (assert.add):
3973
3974 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
3975
3976         Update the test to ensure OutOfMemoryError is thrown as intended
3977         https://bugs.webkit.org/show_bug.cgi?id=196032
3978         <rdar://problem/46842740>
3979
3980         Rubber stamped by Saam Barati.
3981
3982         * stress/create-error-out-of-memory-rope-string.js:
3983         (assert):
3984         (catch):
3985
3986 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
3987
3988         JSC::createError needs to check for OOM in errorDescriptionForValue
3989         https://bugs.webkit.org/show_bug.cgi?id=196032
3990         <rdar://problem/46842740>
3991
3992         Reviewed by Mark Lam.
3993
3994         * stress/create-error-out-of-memory-rope-string.js: Added.
3995
3996 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
3997
3998         Unreviewed, reduce # of iterations to avoid timing out after r242991
3999         https://bugs.webkit.org/show_bug.cgi?id=195791
4000
4001         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
4002
4003         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
4004
4005 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
4006
4007         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
4008         https://bugs.webkit.org/show_bug.cgi?id=195950
4009
4010         Unreviewed, reducing the amount of memory used on this test to avoid
4011         OOM on devices with memory restrictions.
4012
4013         * microbenchmarks/generate-multiple-llint-entrypoints.js:
4014
4015 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
4016
4017         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
4018         https://bugs.webkit.org/show_bug.cgi?id=194648
4019
4020         Reviewed by Keith Miller.
4021
4022         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
4023
4024 2019-03-18  Mark Lam  <mark.lam@apple.com>
4025
4026         Missing a ThrowScope release in JSObject::toString().
4027         https://bugs.webkit.org/show_bug.cgi?id=195893
4028         <rdar://problem/48970986>
4029
4030         Reviewed by Michael Saboff.
4031
4032         * stress/to-string-exception-check-release.js: Added.
4033
4034 2019-03-18  Mark Lam  <mark.lam@apple.com>
4035
4036         Structure::flattenDictionary() should clear unused property slots.
4037         https://bugs.webkit.org/show_bug.cgi?id=195871
4038         <rdar://problem/48959497>
4039
4040         Reviewed by Michael Saboff.
4041
4042         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
4043
4044 2019-03-15  Mark Lam  <mark.lam@apple.com>
4045
4046         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
4047         https://bugs.webkit.org/show_bug.cgi?id=195827
4048         <rdar://problem/48845513>
4049
4050         Reviewed by Filip Pizlo.
4051
4052         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
4053
4054 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
4055
4056         [ARM,MIPS] Skip slow tests
4057         https://bugs.webkit.org/show_bug.cgi?id=195799
4058
4059         Unreviewed, test does not finish on ARM and MIPS within the
4060         timeout limit.
4061
4062         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
4063
4064 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
4065
4066         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
4067         https://bugs.webkit.org/show_bug.cgi?id=195791
4068         <rdar://problem/48806130>
4069
4070         Reviewed by Mark Lam.
4071
4072         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
4073         (foo):
4074
4075 2019-03-14  Saam barati  <sbarati@apple.com>
4076
4077         We can't remove code after ForceOSRExit until after FixupPhase
4078         https://bugs.webkit.org/show_bug.cgi?id=186916
4079         <rdar://problem/41396612>
4080
4081         Reviewed by Yusuke Suzuki.
4082
4083         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
4084         (foo):
4085         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
4086         (foo):
4087
4088 2019-03-13  Michael Saboff  <msaboff@apple.com>
4089
4090         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
4091         https://bugs.webkit.org/show_bug.cgi?id=195735
4092
4093         Reviewed by Mark Lam.
4094
4095         New regression test.
4096
4097         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
4098         (foo):
4099         (bar):
4100
4101 2019-03-14  Saam barati  <sbarati@apple.com>
4102
4103         Fixup uses KnownInt32 incorrectly in some nodes
4104         https://bugs.webkit.org/show_bug.cgi?id=195279
4105         <rdar://problem/47915654>
4106
4107         Reviewed by Yusuke Suzuki.
4108
4109         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
4110         (foo):
4111
4112 2019-03-14  Keith Miller  <keith_miller@apple.com>
4113
4114         DFG liveness can't skip tail caller inline frames
4115         https://bugs.webkit.org/show_bug.cgi?id=195715
4116
4117         Reviewed by Saam Barati.
4118
4119         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
4120         (i.foo):
4121
4122 2019-03-13  Mark Lam  <mark.lam@apple.com>
4123
4124         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
4125         https://bugs.webkit.org/show_bug.cgi?id=195415
4126
4127         Not reviewed.
4128
4129         Changed these tests to only run the default configuration.
4130         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
4131         There's no strong need to run this test on that variant.
4132
4133         * stress/dfg-to-string-on-int-does-gc.js:
4134         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
4135
4136 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
4137
4138         String overflow when using StringBuilder in JSC::createError
4139         https://bugs.webkit.org/show_bug.cgi?id=194957
4140
4141         Reviewed by Mark Lam.
4142
4143         Add test string-overflow-createError-bulder.js that overflows
4144         StringBuilder in notAFunctionSourceAppender. The second new test
4145         string-overflow-createError-fit.js has an error message that doesn't
4146         overflow, it still failed since the String's capacity can't be doubled.
4147         Run test string-overflow-createError.js only in the default
4148         configuration to reduce memory consumption when running the test
4149         in all configurations on multiple CPUs in parallel.
4150
4151         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
4152         (catch):
4153         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
4154         (catch):
4155         * stress/string-overflow-createError.js:
4156
4157 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
4158
4159         [JSC] OSR entry should respect abstract values in addition to flush formats
4160         https://bugs.webkit.org/show_bug.cgi?id=195653
4161
4162         Reviewed by Mark Lam.
4163
4164         * stress/osr-entry-locals-none.js: Added.
4165
4166 2019-03-12  Michael Saboff  <msaboff@apple.com>
4167
4168         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
4169         https://bugs.webkit.org/show_bug.cgi?id=195613
4170
4171         Reviewed by Mark Lam.
4172
4173         New regression test.
4174
4175         * stress/regexp-backref-inbounds.js: Added.
4176         (testRegExp):
4177
4178 2019-03-12  Mark Lam  <mark.lam@apple.com>
4179
4180         The HasIndexedProperty node does GC.
4181         https://bugs.webkit.org/show_bug.cgi?id=195559
4182         <rdar://problem/48767923>
4183
4184         Reviewed by Yusuke Suzuki.
4185
4186         * stress/HasIndexedProperty-does-gc.js: Added.
4187
4188 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
4189
4190         [ESNext][BigInt] Implement "~" unary operation
4191         https://bugs.webkit.org/show_bug.cgi?id=182216
4192
4193         Reviewed by Keith Miller.
4194
4195         * stress/big-int-bit-not-general.js: Added.
4196         * stress/big-int-bitwise-not-jit.js: Added.
4197         * stress/big-int-bitwise-not-wrapped-value.js: Added.
4198         * stress/bit-op-with-object-returning-int32.js:
4199         * stress/bitwise-not-fixup-rules.js: Added.
4200         * stress/value-bit-not-ai-rule.js: Added.
4201
4202 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
4203
4204         Invalid flags in a RegExp literal should be an early SyntaxError
4205         https://bugs.webkit.org/show_bug.cgi?id=195514
4206
4207         Reviewed by Darin Adler.
4208
4209         * test262/expectations.yaml:
4210         Mark 4 test cases as passing.
4211
4212         * stress/regexp-syntax-error-invalid-flags.js:
4213         * stress/regress-161995.js: Removed.
4214         Update existing test, merging in an older test for the same behavior.
4215
4216 2019-03-08  Mark Lam  <mark.lam@apple.com>
4217
4218         Stack overflow crash in JSC::JSObject::hasInstance.
4219         https://bugs.webkit.org/show_bug.cgi?id=195458
4220         <rdar://problem/48710195>
4221
4222         Reviewed by Yusuke Suzuki.
4223
4224         * stress/stack-overflow-in-custom-hasInstance.js: Added.
4225
4226 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
4227
4228         op_check_tdz does not def its argument
4229         https://bugs.webkit.org/show_bug.cgi?id=192880
4230         <rdar://problem/46221598>
4231
4232         Reviewed by Saam Barati.
4233
4234         * microbenchmarks/let-for-in.js: Added.
4235         (foo):
4236
4237 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
4238
4239         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
4240         https://bugs.webkit.org/show_bug.cgi?id=195429
4241
4242         Reviewed by Saam Barati.
4243
4244         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
4245         (foo):
4246         * stress/string-from-char-code-255.js: Added.
4247
4248 2019-03-06  Mark Lam  <mark.lam@apple.com>
4249
4250         Fix incorrect handling of try-finally completion values.
4251         https://bugs.webkit.org/show_bug.cgi?id=195131
4252         <rdar://problem/46222079>
4253
4254         Reviewed by Saam Barati and Yusuke Suzuki.
4255
4256         Added many permutations of new test case to test-finally.js.  test-finally.js has
4257         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
4258         tests passes there as well.
4259
4260         * stress/test-finally.js:
4261
4262 2019-03-06  Saam Barati  <sbarati@apple.com>
4263
4264         Air::reportUsedRegisters must padInterference
4265         https://bugs.webkit.org/show_bug.cgi?id=195303
4266         <rdar://problem/48270343>
4267
4268         Reviewed by Keith Miller.
4269
4270         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
4271
4272 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
4273
4274         [JSC] AI should not propagate AbstractValue relying on constant folding phase
4275         https://bugs.webkit.org/show_bug.cgi?id=195375
4276
4277         Reviewed by Saam Barati.
4278
4279         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
4280         (let.array):
4281
4282 2019-03-05  Saam barati  <sbarati@apple.com>
4283
4284         op_switch_char broken for rope strings after JSRopeString layout rewrite
4285         https://bugs.webkit.org/show_bug.cgi?id=195339
4286         <rdar://problem/48592545>
4287
4288         Reviewed by Yusuke Suzuki.
4289
4290         * stress/switch-on-char-llint-rope.js: Added.
4291
4292 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
4293
4294         [JSC] Store bits for JSRopeString in 3 stores
4295         https://bugs.webkit.org/show_bug.cgi?id=195234
4296
4297         Reviewed by Saam Barati.
4298
4299         * stress/null-rope-and-collectors.js: Added.
4300
4301 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
4302
4303         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
4304         https://bugs.webkit.org/show_bug.cgi?id=195207
4305
4306         Unreviewed. After test runtime was reduced in r242213, test can be
4307         run again on ARM/MIPS.
4308
4309         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
4310
4311 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
4312
4313         [JSC] sizeof(JSString) should be 16
4314         https://bugs.webkit.org/show_bug.cgi?id=194375
4315
4316         Reviewed by Saam Barati.
4317
4318         * microbenchmarks/make-rope.js: Added.
4319         (makeRope):
4320         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
4321         (returnRope.helper): Deleted.
4322         (returnRope): Deleted.
4323
4324 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
4325
4326         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
4327         https://bugs.webkit.org/show_bug.cgi?id=195144
4328
4329         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
4330         Change the number from 1e8 to 1e5.
4331
4332         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
4333         (foo):
4334
4335 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
4336
4337         Test times out on ARM/MIPS
4338         https://bugs.webkit.org/show_bug.cgi?id=195168
4339
4340         Unreviewed. Skip test on ARM/MIPS.
4341
4342         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
4343
4344 2019-02-27  Mark Lam  <mark.lam@apple.com>
4345
4346         The parser is failing to record the token location of new in new.target.
4347         https://bugs.webkit.org/show_bug.cgi?id=195127
4348         <rdar://problem/39645578>
4349
4350         Reviewed by Yusuke Suzuki.
4351
4352         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
4353
4354 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
4355
4356         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
4357         https://bugs.webkit.org/show_bug.cgi?id=195144
4358         <rdar://problem/47595961>
4359
4360         Reviewed by Mark Lam.
4361
4362         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
4363         (bar):
4364         (foo):
4365         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
4366         (bar):
4367         (foo):
4368
4369 2019-02-27  Robin Morisset  <rmorisset@apple.com>
4370
4371         DFG: Loop-invariant code motion (LICM) should not hoist dead code
4372         https://bugs.webkit.org/show_bug.cgi?id=194945
4373         <rdar://problem/48311657>
4374
4375         Reviewed by Mark Lam.
4376
4377         * stress/licm-dead-code.js: Added.
4378
4379 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
4380
4381         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
4382         https://bugs.webkit.org/show_bug.cgi?id=194677
4383         <rdar://problem/48112492>
4384
4385         Reviewed by Mark Lam.
4386
4387         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
4388         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
4389         it immediately fails due the large size.
4390
4391         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
4392         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes long
4393         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
4394         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
4395
4396         This patch changes the test to produce 16bit string from String.fromCharCode.
4397
4398         * stress/regress-178386.js:
4399
4400 2019-02-26  Mark Lam  <mark.lam@apple.com>
4401
4402         wasmToJS() should purify incoming NaNs.
4403         https://bugs.webkit.org/show_bug.cgi?id=194807
4404         <rdar://problem/48189132>
4405
4406         Reviewed by Saam Barati.
4407
4408         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
4409
4410 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
4411
4412         [JSC] Repeat string created from Array.prototype.join() take too much memory
4413         https://bugs.webkit.org/show_bug.cgi?id=193912
4414
4415         Reviewed by Saam Barati.