JSObject::putInlineSlow should not ignore "__proto__" for Proxy
[WebKit-https.git] / JSTests / ChangeLog
1 2019-09-16  Saam Barati  <sbarati@apple.com>
2
3         JSObject::putInlineSlow should not ignore "__proto__" for Proxy
4         https://bugs.webkit.org/show_bug.cgi?id=200386
5         <rdar://problem/53854946>
6
7         Reviewed by Yusuke Suzuki.
8
9         * stress/proxy-__proto__-in-prototype-chain.js: Added.
10         * stress/proxy-property-replace-structure-transition.js: Added.
11
12 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
13
14         Date.prototype.toJSON does not execute steps 1-2
15         https://bugs.webkit.org/show_bug.cgi?id=105282
16
17         Reviewed by Ross Kirsling.
18
19         * test262/expectations.yaml: Mark 2 test cases as passing.
20
21 2019-09-12  Mark Lam  <mark.lam@apple.com>
22
23         Harden JSC against the abuse of runtime options.
24         https://bugs.webkit.org/show_bug.cgi?id=201597
25         <rdar://problem/55167068>
26
27         Reviewed by Filip Pizlo.
28
29         Remove the call to forceGCSlowPaths().  This utility function will be removed.
30         The modern way to set the required option is to use //@ requireOptions.
31
32         * stress/ftl-try-catch-oom-error-lazy-slow-path.js:
33
34 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
35
36         [JSC] Add StringCodePointAt intrinsic
37         https://bugs.webkit.org/show_bug.cgi?id=201673
38
39         Reviewed by Michael Saboff.
40
41         * stress/string-char-at-constant-index-out-of-range.js: Added.
42         (shouldBe):
43         (test):
44         * stress/string-char-code-at-constant-index-out-of-range.js: Added.
45         (shouldBe):
46         (test):
47         * stress/string-code-point-at--out-of-range.js: Added.
48         (shouldBe):
49         (test):
50         * stress/string-code-point-at-basic.js: Added.
51         (test):
52         * stress/string-code-point-at-constant-index-out-of-range.js: Added.
53         (shouldBe):
54         (test):
55         * stress/string-code-point-at-constant-int32-max-index-out-of-range.js: Added.
56         (shouldBe):
57         (test):
58         * stress/string-code-point-at-constant-surrogate-pair.js: Added.
59         (shouldBe):
60         (test):
61         (breaking):
62         * stress/string-code-point-at-surrogate-pair.js: Added.
63         (shouldBe):
64         * stress/string-code-point-at.js: Added.
65         (shouldBe):
66
67 2019-09-10  Michael Saboff  <msaboff@apple.com>
68
69         JSC crashes due to stack overflow while building RegExp
70         https://bugs.webkit.org/show_bug.cgi?id=201649
71
72         Reviewed by Yusuke Suzuki.
73
74         New regression test.
75
76         * stress/regexp-bol-optimize-out-of-stack.js: Added.
77         (test):
78         (catch):
79
80 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
81
82         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
83         https://bugs.webkit.org/show_bug.cgi?id=189043
84
85         Reviewed by Keith Miller.
86
87         The offset performing the validation becomes a bit different.
88         The offset 0 is nice since it is the starting offset of the Module header signature compared to the offset 8.
89
90         * wasm/js-api/version.js:
91
92 2019-09-07  Keith Miller  <keith_miller@apple.com>
93
94         OSR entry into wasm misses some contexts
95         https://bugs.webkit.org/show_bug.cgi?id=201569
96
97         Reviewed by Yusuke Suzuki.
98
99         Add a new harness and wast and the generated wasm file for
100         testing. The idea long term is to make it easy to test by creating
101         a C file and converting it to a wast, then modifying that to produce a
102         test.
103
104         * wasm.yaml:
105         * wasm/wast-tests/harness.js: Added.
106         (async.runWasmFile):
107         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wasm: Added.
108         * wasm/wast-tests/osr-entry-inner-loop-branch-above-no-consts.wast: Added.
109         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wasm: Added.
110         * wasm/wast-tests/osr-entry-inner-loop-branch-above.wast: Added.
111         * wasm/wast-tests/osr-entry-inner-loop.wasm: Added.
112         * wasm/wast-tests/osr-entry-inner-loop.wast: Added.
113         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wasm: Added.
114         * wasm/wast-tests/osr-entry-multiple-enclosed-contexts.wast: Added.
115
116 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
117
118         [JSC] Promise resolve/reject functions should be created more efficiently
119         https://bugs.webkit.org/show_bug.cgi?id=201488
120
121         Reviewed by Mark Lam.
122
123         * microbenchmarks/promise-creation-many.js: Added.
124         (executor):
125
126 2019-09-09  Zan Dobersek  <zdobersek@igalia.com>
127
128         Unreviewed JSC test gardening.
129
130         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js:
131         This test allocates a 2GB string before it goes out and tests
132         out-of-memory exception when appending other strings to it. As such,
133         skip the test on memory-limited platforms.
134
135 2019-09-07  Mark Lam  <mark.lam@apple.com>
136
137         The jsc shell should allow disabling of the Gigacage for testing purposes.
138         https://bugs.webkit.org/show_bug.cgi?id=201579
139
140         Reviewed by Michael Saboff.
141
142         Unskip the tests now.
143
144         * stress/disable-gigacage-arrays.js:
145         * stress/disable-gigacage-strings.js:
146         * stress/disable-gigacage-typed-arrays.js:
147
148 2019-09-07  Mark Lam  <mark.lam@apple.com>
149
150         Gardening: temporarily skipping these tests until the fix can be reviewed and landed.
151
152         Not reviewed.
153
154         See https://bugs.webkit.org/show_bug.cgi?id=201579 for the fix.
155
156         * stress/disable-gigacage-arrays.js:
157         * stress/disable-gigacage-strings.js:
158         * stress/disable-gigacage-typed-arrays.js:
159
160 2019-09-07  Mark Lam  <mark.lam@apple.com>
161
162         Gardening: speculative test fix to green bots [attempt #2].
163         https://bugs.webkit.org/show_bug.cgi?id=201529
164         <rdar://problem/53935772>
165
166         Not reviewed.
167
168         * stress/test-out-of-memory.js:
169
170 2019-09-06  Mark Lam  <mark.lam@apple.com>
171
172         Gardening: speculative test fix to green bots.
173         https://bugs.webkit.org/show_bug.cgi?id=201529
174         <rdar://problem/53935772>
175
176         Not reviewed.
177
178         * stress/test-out-of-memory.js:
179
180 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
181
182         Math.round() produces wrong result for value prior to 0.5
183         https://bugs.webkit.org/show_bug.cgi?id=185115
184
185         Reviewed by Saam Barati.
186
187         * stress/math-round-basics.js:
188         Add positive/negative test cases.
189
190         * test262/expectations.yaml:
191         Mark test passing.
192
193 2019-09-06  Mark Lam  <mark.lam@apple.com>
194
195         Move web-assembly-constructors-should-not-override-global-object-property.js below JSTests/wasm/stress.
196         https://bugs.webkit.org/show_bug.cgi?id=201551
197
198         Reviewed by Tadeu Zagallo.
199
200         Ports that don't support WASM will always fail this test if it stays in JSTests/stress.
201
202         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Removed.
203         * wasm/stress/web-assembly-constructors-should-not-override-global-object-property.js: Copied from JSTests/stress/web-assembly-constructors-should-not-override-global-object-property.js.
204
205 2019-09-06  Mark Lam  <mark.lam@apple.com>
206
207         Fix bmalloc::Allocator:tryAllocate() to return null on failure to allocate.
208         https://bugs.webkit.org/show_bug.cgi?id=201529
209         <rdar://problem/53935772>
210
211         Reviewed by Yusuke Suzuki.
212
213         * stress/test-out-of-memory.js: Added.
214
215 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
216
217         LazyClassStructure::setConstructor should not store the constructor to the global object
218         https://bugs.webkit.org/show_bug.cgi?id=201484
219         <rdar://problem/50400451>
220
221         Reviewed by Yusuke Suzuki.
222
223         * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added.
224
225 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
226
227         [JSC] Do not use FTLOutput::weakPointer directly
228         https://bugs.webkit.org/show_bug.cgi?id=201495
229
230         Reviewed by Filip Pizlo.
231
232         * stress/create-promise-weak-pointer.js: Added.
233         (foo):
234
235 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
236
237         [JSC] Make Promise implementation faster
238         https://bugs.webkit.org/show_bug.cgi?id=200898
239
240         Reviewed by Saam Barati.
241
242         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
243         (assert.assert.return.throws):
244         * modules/breaking-builtin-promise-then-does-not-break-internal-promise.js: Added.
245         * modules/breaking-builtin-promise-then-does-not-break-internal-promise/test.js: Added.
246         * stress/constructor-kind-naked-should-not-be-applied-to-inner-functions.js: Added.
247         (shouldThrow):
248         (new.Promise):
249         (shouldThrow.Promise):
250         * stress/create-promise-should-respect-promise-realm.js: Added.
251         (shouldBe):
252         (other.new.OtherPromise):
253         (DerivedOtherPromise):
254         (i.promise.new.DerivedOtherPromise):
255         (createPromise):
256         * stress/derived-promise-constructor-class-syntax-prototype-replace-attempt.js: Added.
257         (shouldBe):
258         (DerivedPromise):
259         (i.array.push.new.DerivedPromise):
260         (promise.new.DerivedPromise):
261         * stress/derived-promise-constructor-inlined.js: Added.
262         (shouldBe):
263         (DerivedPromise):
264         (i.array.push.new.DerivedPromise):
265         (DerivedPromise.all.array.then):
266         * stress/derived-promise-prototype-replaced.js: Added.
267         (shouldBe):
268         (DerivedPromise):
269         (i.array.push.new.DerivedPromise):
270         (promise.new.DerivedPromise):
271         * stress/internal-promise-constructor-not-confusing.js: Added.
272         (shouldBe):
273         (InternalPromise.vm.createBuiltin):
274         (DerivedPromise):
275         * stress/internal-promise-is-not-exposed.js: Added.
276         (shouldBe):
277         * stress/new-promise-should-respect-promise-realm.js: Added.
278         (shouldBe):
279         (other.new.OtherPromise):
280         (createPromise):
281         * stress/promise-cannot-be-called.js:
282         (shouldThrow):
283         * stress/promise-capability-fast-path.js: Added.
284         (shouldBe):
285         (i.array.push.new.Promise):
286         (i.array.i.then):
287         * stress/promise-capability-slow-path.js: Added.
288         (shouldBe):
289         (Promise.prototype.then):
290         (i.array.push.new.Promise):
291         (i.array.i.then):
292         * stress/promise-capability-then-slow-path.js: Added.
293         (shouldBe):
294         (DerivedPromise):
295         (DerivedPromise.prototype.then):
296         (i.array.push.new.DerivedPromise):
297         (i.array.i.then):
298         * stress/promise-constructor-inlined.js: Added.
299         (shouldBe):
300         (i.array.push.new.Promise):
301         (Promise.all.array.then):
302         * stress/promise-constructor-transition-from-new-promise-to-create-promise.js: Added.
303         (shouldBe):
304         (DerivedPromise):
305         (DerivedPromise2):
306         (i.array.push.new.DerivedPromise):
307         (i.array2.push.new.DerivedPromise2):
308         * stress/without-promise-functions.js: Added.
309         (shouldBe):
310         (async):
311
312 2019-09-03  Mark Lam  <mark.lam@apple.com>
313
314         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
315         https://bugs.webkit.org/show_bug.cgi?id=201309
316         <rdar://problem/54832121>
317
318         Reviewed by Yusuke Suzuki.
319
320         * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
321
322 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
323
324         [JSC] Generate new.target register only when it is used
325         https://bugs.webkit.org/show_bug.cgi?id=201335
326
327         Reviewed by Mark Lam.
328
329         * stress/ensure-new-register-allocated.js: Added.
330         (shouldBe):
331         (basic):
332         (arrow):
333         (Base):
334         (Derived):
335         (evaluate):
336
337 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
338
339         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
340         https://bugs.webkit.org/show_bug.cgi?id=201331
341
342         Reviewed by Mark Lam.
343
344         * stress/simple-jump-table-copy.js: Added.
345         (let.code):
346         (g2):
347
348 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
349
350         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
351         https://bugs.webkit.org/show_bug.cgi?id=201332
352
353         Reviewed by Mark Lam.
354
355         This test is very flaky; it is hard to reproduce.
356
357         * stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
358         (code):
359
360 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
361
362         [JSC] Repatch should construct CallCases and CasesValue at the same time
363         https://bugs.webkit.org/show_bug.cgi?id=201325
364
365         Reviewed by Saam Barati.
366
367         * stress/repatch-switch.js: Added.
368         (main.f2.f0):
369         (main.f2.f3):
370         (main.f2.f1):
371         (main.f2):
372         (main):
373
374 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
375
376         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
377         https://bugs.webkit.org/show_bug.cgi?id=198650
378
379         Reviewed by Saam Barati.
380
381         * stress/object-allocation-sinking-interpretation-can-interpret-edges-that-can-be-proven-unreachable-in-ai.js:
382         (main.v0):
383         (main):
384
385 2019-08-28  Mark Lam  <mark.lam@apple.com>
386
387         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
388         https://bugs.webkit.org/show_bug.cgi?id=201281
389         <rdar://problem/54028228>
390
391         Reviewed by Yusuke Suzuki and Saam Barati.
392
393         * stress/structure-storedPrototype-should-only-assert-on-the-mutator-thread.js: Added.
394
395 2019-08-28  Mark Lam  <mark.lam@apple.com>
396
397         Placate exception check validation in DFG's operationHasGenericProperty().
398         https://bugs.webkit.org/show_bug.cgi?id=201245
399         <rdar://problem/54777512>
400
401         Reviewed by Robin Morisset.
402
403         * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
404
405 2019-08-27  Mark Lam  <mark.lam@apple.com>
406
407         constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
408         https://bugs.webkit.org/show_bug.cgi?id=201196
409         <rdar://problem/54703775>
410
411         Reviewed by Yusuke Suzuki.
412
413         * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
414
415 2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>
416
417         [JSC] Ensure x?.y ?? z is fast
418         https://bugs.webkit.org/show_bug.cgi?id=200875
419
420         Reviewed by Yusuke Suzuki.
421
422         * stress/nullish-coalescing.js:
423
424 2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
425
426         Remove MaximalFlushInsertionPhase
427         https://bugs.webkit.org/show_bug.cgi?id=201036
428
429         Reviewed by Saam Barati.
430
431         Remove all the references to maximal flush.
432
433         * stress/arith-ceil-on-various-types.js:
434         (checkCompileCountForUselessNegativeZero):
435         * stress/arith-floor-on-various-types.js:
436         (checkCompileCountForUselessNegativeZero):
437         * stress/arith-negate-on-various-types.js:
438         (checkCompileCountForUselessNegativeZero):
439         * stress/arith-round-on-various-types.js:
440         (checkCompileCountForUselessNegativeZero):
441         * stress/arith-trunc-on-various-types.js:
442         (checkCompileCountForUselessNegativeZero):
443         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
444         * stress/has-indexed-property-should-accept-non-int32.js:
445         * stress/has-indexed-property-with-worsening-array-mode.js:
446         * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
447         * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
448         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
449         * stress/rest-parameter-many-arguments.js:
450         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
451         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
452         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
453
454 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
455
456         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
457         https://bugs.webkit.org/show_bug.cgi?id=200952
458
459         Reviewed by Saam Barati.
460
461         * wasm/references/func_ref.js:
462         (assert.throws):
463
464 2019-08-22  Justin Michaud  <justin_michaud@apple.com>
465
466         Add missing exception check in canonicalizeLocaleList
467         https://bugs.webkit.org/show_bug.cgi?id=201021
468
469         Reviewed by Mark Lam.
470
471         * stress/missing-exception-check-in-canonicalizeLocaleList.js: Added.
472         (catch):
473
474 2019-08-21  Mark Lam  <mark.lam@apple.com>
475
476         Wasm::FunctionParser is failing to enforce maxFunctionLocals.
477         https://bugs.webkit.org/show_bug.cgi?id=201016
478         <rdar://problem/54579911>
479
480         Reviewed by Yusuke Suzuki.
481
482         * wasm/stress/too-many-locals.js: Added.
483         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
484
485 2019-08-21  Ross Kirsling  <ross.kirsling@sony.com>
486
487         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop
488         https://bugs.webkit.org/show_bug.cgi?id=200965
489
490         Reviewed by Saam Barati.
491
492         This has nothing to do with ?. in particular, but throwing >1M type errors takes 100s in Debug on my machine.
493         The main idea here was to JITify the simple success cases, so let's not run the simple failures so many times.
494
495         * stress/optional-chaining.js:
496
497 2019-08-21  Michael Saboff  <msaboff@apple.com>
498
499         [JSC] incorrent JIT lead to StackOverflow
500         https://bugs.webkit.org/show_bug.cgi?id=197823
501
502         Reviewed by Tadeu Zagallo.
503
504         New test.
505
506         * stress/bound-function-stack-overflow.js: Added.
507         (foo):
508         (catch):
509
510 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
511
512         Identify memcpy loops in b3
513         https://bugs.webkit.org/show_bug.cgi?id=200181
514
515         Reviewed by Saam Barati.
516
517         * microbenchmarks/memcpy-loop.js: Added.
518         (doTest):
519         (let.arr1):
520         * microbenchmarks/memcpy-typed-loop-large.js: Added.
521         (doTest):
522         (let.arr1.new.Int32Array.1000000.let.arr2.new.Int32Array.1000000):
523         (arr2):
524         * microbenchmarks/memcpy-typed-loop-small.js: Added.
525         (doTest):
526         (16.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
527         (16.arr2):
528         * microbenchmarks/memcpy-typed-loop-speculative.js: Added.
529         (doTest):
530         (let.arr1.new.Int32Array.10.let.arr2.new.Int32Array.10):
531         (arr2):
532         * microbenchmarks/memcpy-wasm-large.js: Added.
533         (typeof.WebAssembly.string_appeared_here.eq):
534         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
535         * microbenchmarks/memcpy-wasm-medium.js: Added.
536         (typeof.WebAssembly.string_appeared_here.eq):
537         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
538         * microbenchmarks/memcpy-wasm-small.js: Added.
539         (typeof.WebAssembly.string_appeared_here.eq):
540         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
541         * microbenchmarks/memcpy-wasm.js: Added.
542         (typeof.WebAssembly.string_appeared_here.eq):
543         (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
544         * stress/memcpy-typed-loops.js: Added.
545         (noLoop):
546         (invalidStart):
547         (const.size.10.let.arr1.new.Int32Array.size.let.arr2.new.Int32Array.size):
548         (arr2):
549         * wasm/function-tests/memcpy-wasm-loop.js: Added.
550         (0.GetLocal.3.I32Const.1.I32Add.SetLocal.3.Br.1.End.End.End.WebAssembly):
551         (string_appeared_here):
552
553 2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>
554
555         [JSC] Array.prototype.toString should not get "join" function each time
556         https://bugs.webkit.org/show_bug.cgi?id=200905
557
558         Reviewed by Mark Lam.
559
560         * stress/array-prototype-join-change.js: Added.
561         (shouldBe):
562         (array2.join):
563         (DerivedArray):
564         (DerivedArray.prototype.join):
565         (array3.__proto__.join):
566         (Array.prototype.join):
567
568 2019-08-20  Justin Michaud  <justin_michaud@apple.com>
569
570         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
571         https://bugs.webkit.org/show_bug.cgi?id=200782
572
573         Reviewed by Saam Barati.
574
575         Skip long memcpy test on debug, and try to fix flakiness for recompilation count tests by disabling cjit.
576
577         * microbenchmarks/memcpy-typed-loop.js:
578         * stress/int8-repeat-in-then-out-of-bounds.js:
579
580 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
581
582         Proxy constructor should throw if handler is revoked Proxy
583         https://bugs.webkit.org/show_bug.cgi?id=198755
584
585         Reviewed by Saam Barati.
586
587         * stress/proxy-revoke.js: Adjust error message.
588         * test262/expectations.yaml: Mark 2 test cases as passing.
589
590 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
591
592         [JSC] OSR entry to Wasm OMG
593         https://bugs.webkit.org/show_bug.cgi?id=200362
594
595         Reviewed by Michael Saboff.
596
597         * wasm/stress/osr-entry-basic.js: Added.
598         (instance.exports.loop):
599         * wasm/stress/osr-entry-many-locals-f32.js: Added.
600         * wasm/stress/osr-entry-many-locals-f64.js: Added.
601         * wasm/stress/osr-entry-many-locals-i32.js: Added.
602         * wasm/stress/osr-entry-many-locals-i64.js: Added.
603         * wasm/stress/osr-entry-many-stacks-f32.js: Added.
604         * wasm/stress/osr-entry-many-stacks-f64.js: Added.
605         * wasm/stress/osr-entry-many-stacks-i32.js: Added.
606         * wasm/stress/osr-entry-many-stacks-i64.js: Added.
607
608 2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>
609
610         Date.prototype.toJSON throws if toISOString returns an object
611         https://bugs.webkit.org/show_bug.cgi?id=198495
612
613         Reviewed by Ross Kirsling.
614
615         * test262/expectations.yaml: Mark 6 test cases as passing.
616
617 2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>
618
619         [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
620         https://bugs.webkit.org/show_bug.cgi?id=200899
621         <rdar://problem/54073341>
622
623         Reviewed by Mark Lam.
624
625         * stress/data-view-get-dfg-should-handle-empty-constant.js: Added.
626         (i.new.Promise):
627         * stress/data-view-set-dfg-should-handle-empty-constant.js: Added.
628         (i.new.Promise):
629
630 2019-08-19  Michael Saboff  <msaboff@apple.com>
631
632         Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
633         https://bugs.webkit.org/show_bug.cgi?id=197090
634
635         Reviewed by Yusuke Suzuki.
636
637         New test.
638
639         * stress/regexp-nonconsuming-counted-parens.js: Added.
640
641 2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>
642
643         [JSC] Correct a->an in error messages and API docblocks
644         https://bugs.webkit.org/show_bug.cgi?id=200833
645
646         Reviewed by Don Olmstead.
647
648         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
649         (assert.assert.return.throws):
650         * stress/promise-finally-should-accept-non-promise-objects.js:
651         * wasm/js-api/table.js:
652         (assert.throws):
653
654 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
655
656         [ESNext] Implement optional chaining
657         https://bugs.webkit.org/show_bug.cgi?id=200199
658
659         Reviewed by Yusuke Suzuki.
660
661         * stress/nullish-coalescing.js:
662         * stress/optional-chaining.js: Added.
663         * stress/tail-call-recognize.js:
664
665 2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>
666
667         [ESNext] Support hashbang.
668         https://bugs.webkit.org/show_bug.cgi?id=200865
669
670         Reviewed by Mark Lam.
671
672         * stress/hashbang.js: Added.
673         * test262/expectations.yaml: Mark 6 cases as passing.
674
675 2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>
676
677         [JSC] DFG ToNumber should support Boolean in fixup
678         https://bugs.webkit.org/show_bug.cgi?id=200864
679
680         Reviewed by Mark Lam.
681
682         * microbenchmarks/to-number-boolean.js: Added.
683         (test):
684         * stress/to-number-boolean-int32.js: Added.
685         (shouldBe):
686         (test):
687         (check):
688         * stress/to-number-boolean.js: Added.
689         (shouldBe):
690         (test):
691         (check):
692         * stress/to-number-int32.js: Added.
693         (shouldBe):
694         (test):
695         (check):
696
697 2019-08-16  Mark Lam  <mark.lam@apple.com>
698
699         More missing exception checks in string comparison operators.
700         https://bugs.webkit.org/show_bug.cgi?id=200844
701         <rdar://problem/54378684>
702
703         Reviewed by Saam Barati.
704
705         * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
706         * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
707         * stress/missing-exception-check-in-string-less-than-compare.js: Added.
708         * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
709
710 2019-08-16  Mark Lam  <mark.lam@apple.com>
711
712         CodeBlock destructor should clear all of its watchpoints.
713         https://bugs.webkit.org/show_bug.cgi?id=200792
714         <rdar://problem/53947800>
715
716         Reviewed by Yusuke Suzuki.
717
718         * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
719
720 2019-08-16  Justin Michaud  <justin_michaud@apple.com>
721
722         Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
723         https://bugs.webkit.org/show_bug.cgi?id=200782
724
725         Reviewed by Saam Barati.
726
727         * microbenchmarks/int8-out-of-bounds.js: Added.
728         (foo):
729         * microbenchmarks/memcpy-typed-loop.js: Added.
730         (doTest):
731         (let.arr1.new.Int32Array.1000.let.arr2.new.Int32Array.1000):
732         (arr2):
733         * stress/int8-repeat-in-then-out-of-bounds.js: Added.
734         (foo):
735
736 2019-08-16  Mark Lam  <mark.lam@apple.com>
737
738         [Re-land] ProxyObject should not be allow to access its target's private properties.
739         https://bugs.webkit.org/show_bug.cgi?id=200739
740         <rdar://problem/53972768>
741
742         Reviewed by Yusuke Suzuki.
743
744         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js.
745         * stress/proxy-with-private-symbols.js:
746
747 2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>
748
749         [JSC] Promise.prototype.finally should accept non-promise objects
750         https://bugs.webkit.org/show_bug.cgi?id=200829
751
752         Reviewed by Mark Lam.
753
754         * stress/promise-finally-should-accept-non-promise-objects.js: Added.
755         (shouldBe):
756         (Thenable):
757         (Thenable.prototype.then):
758
759 2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>
760
761         Promise constructor should check argument before [[Construct]]
762         https://bugs.webkit.org/show_bug.cgi?id=198976
763
764         Reviewed by Ross Kirsling.
765
766         * stress/create-subclass-structure-may-throw-exception-when-getting-prototype.js: Fix test.
767         * stress/create-subclass-structure-might-throw.js: Fix test.
768         * test262/expectations.yaml: Mark 2 test cases as passing.
769
770 2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>
771
772         Unreviewed, rolling out r248709.
773
774         Caused test/built-ins/Promise/prototype/finally/this-value-
775         non-promise.js to fail on test262 bot
776
777         Reverted changeset:
778
779         "ProxyObject should not be allow to access its target's
780         private properties."
781         https://bugs.webkit.org/show_bug.cgi?id=200739
782         https://trac.webkit.org/changeset/248709
783
784 2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>
785
786         DateConversion::formatDateTime incorrectly formats negative years
787         https://bugs.webkit.org/show_bug.cgi?id=199964
788
789         Reviewed by Ross Kirsling.
790
791         * test262/expectations.yaml: Mark 6 test cases as passing.
792
793 2019-08-15  Mark Lam  <mark.lam@apple.com>
794
795         More missing exception checks in String.prototype.
796         https://bugs.webkit.org/show_bug.cgi?id=200762
797         <rdar://problem/54333896>
798
799         Reviewed by Michael Saboff.
800
801         * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
802         * stress/missing-exception-check-in-string-toLower.js: Added.
803         * stress/missing-exception-check-in-string-toUpper.js: Added.
804
805 2019-08-14  Mark Lam  <mark.lam@apple.com>
806
807         ProxyObject should not be allow to access its target's private properties.
808         https://bugs.webkit.org/show_bug.cgi?id=200739
809         <rdar://problem/53972768>
810
811         Reviewed by Yusuke Suzuki.
812
813         * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
814         * stress/proxy-with-private-symbols.js: Rebased.
815
816 2019-08-14  Mark Lam  <mark.lam@apple.com>
817
818         Missing exception check in string compare.
819         https://bugs.webkit.org/show_bug.cgi?id=200743
820         <rdar://problem/53975356>
821
822         Reviewed by Michael Saboff.
823
824         * stress/missing-exception-check-in-string-compare.js: Added.
825
826 2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>
827
828         [JSC] Add "jump if (not) undefined or null" bytecode ops
829         https://bugs.webkit.org/show_bug.cgi?id=200480
830
831         Reviewed by Saam Barati.
832
833         * stress/destructuring-assignment-require-object-coercible.js:
834         * stress/nullish-coalescing.js:
835
836 2019-08-05  Michael Saboff  <msaboff@apple.com>
837
838         JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
839         https://bugs.webkit.org/show_bug.cgi?id=199997
840
841         Reviewed by Saam Barati.
842
843         New test.
844
845         * stress/typedarray-no-alreadyChecked-assert.js: Added.
846         (checkIntArray):
847         (checkFloatArray):
848
849 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
850
851         [JSC] Support WebAssembly in SamplingProfiler
852         https://bugs.webkit.org/show_bug.cgi?id=200329
853
854         Reviewed by Saam Barati.
855
856         * stress/sampling-profiler-wasm-name-section.js: Added.
857         (const.compile):
858         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
859         (platformSupportsSamplingProfiler.vm.isWasmSupported):
860         * stress/sampling-profiler-wasm.js: Added.
861         (platformSupportsSamplingProfiler.vm.isWasmSupported.wasmEntry):
862         (platformSupportsSamplingProfiler.vm.isWasmSupported):
863         * stress/sampling-profiler/loop.wasm: Added.
864         * stress/sampling-profiler/loop.wast: Added.
865         * stress/sampling-profiler/nameSection.wasm: Added.
866
867 2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>
868
869         [JSC] LazyJSValue should be robust for empty JSValue
870         https://bugs.webkit.org/show_bug.cgi?id=200388
871
872         Reviewed by Saam Barati.
873
874         * stress/switch-constant-child-becomes-empty.js: Added.
875         (foo):
876
877 2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>
878
879         GetterSetter type confusion during DFG compilation
880         https://bugs.webkit.org/show_bug.cgi?id=199903
881
882         Reviewed by Mark Lam.
883
884         * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
885
886 2019-08-01  Ross Kirsling  <ross.kirsling@sony.com>
887
888         Update Test262 (2019.08.01)
889         https://bugs.webkit.org/show_bug.cgi?id=200351
890
891         Reviewed by Keith Miller.
892
893         * test262/expectations.yaml:
894         * test262/harness/testIntl.js:
895         * test262/latest-changes-summary.txt:
896         * test262/test/:
897         * test262/test262-Revision.txt:
898
899 2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>
900
901         [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
902         https://bugs.webkit.org/show_bug.cgi?id=200192
903
904         Reviewed by Saam Barati.
905
906         * stress/structure-chain-stress.js: Added.
907         (keys):
908
909 2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>
910
911         [JSC] Increment bytecode age only when SlotVisitor is first-visit
912         https://bugs.webkit.org/show_bug.cgi?id=200196
913
914         Reviewed by Robin Morisset.
915
916         * stress/reparsing-unlinked-codeblock.js:
917
918 2019-07-29  Justin Michaud  <justin_michaud@apple.com>
919
920         [X86] Emit BT instruction for shift + mask in B3
921         https://bugs.webkit.org/show_bug.cgi?id=199891
922
923         Reviewed by Robin Morisset.
924
925         Lower the number of iterations to fix debug timeouts.
926
927         * microbenchmarks/bit-test-load.js:
928         (i):
929
930 2019-07-27  Justin Michaud  <justin_michaud@apple.com>
931
932         [X86] Emit BT instruction for shift + mask in B3
933         https://bugs.webkit.org/show_bug.cgi?id=199891
934
935         Reviewed by Keith Miller.
936
937         * microbenchmarks/bit-test-constant.js: Added.
938         (let.glob.0.doTest):
939         * microbenchmarks/bit-test-load.js: Added.
940         (let.glob.0.let.arr.new.Int32Array.8.doTest):
941         (i):
942         * microbenchmarks/bit-test-nonconstant.js: Added.
943         (let.glob.0.doTest):
944
945 2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>
946
947         [JSC] Potential GC fix for JSPropertyNameEnumerator
948         https://bugs.webkit.org/show_bug.cgi?id=200151
949
950         Reviewed by Mark Lam.
951
952         * stress/for-in-stress.js: Added.
953         (keys):
954
955 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
956
957         Legacy numeric literals should not permit separators or BigInt
958         https://bugs.webkit.org/show_bug.cgi?id=199984
959
960         Reviewed by Keith Miller.
961
962         * stress/big-int-literals.js:
963         * stress/numeric-literal-separators.js:
964
965 2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>
966
967         [ESNext] Implement nullish coalescing
968         https://bugs.webkit.org/show_bug.cgi?id=200072
969
970         Reviewed by Darin Adler.
971
972         * stress/nullish-coalescing.js: Added.
973
974 2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>
975
976         Three checks are missing in Proxy internal methods
977         https://bugs.webkit.org/show_bug.cgi?id=198630
978
979         Reviewed by Darin Adler.
980
981         * stress/proxy-delete.js: Assert isExtensible is called in correct order.
982         * test262/expectations.yaml: Mark 6 test cases as passing.
983
984 2019-07-23  Justin Michaud  <justin_michaud@apple.com>
985
986         Sometimes we miss removable CheckInBounds
987         https://bugs.webkit.org/show_bug.cgi?id=200018
988
989         Reviewed by Saam Barati.
990
991         * microbenchmarks/typed-array-sum.js: Added.
992         (doTest):
993
994 2019-07-16  Mark Lam  <mark.lam@apple.com>
995
996         ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
997         https://bugs.webkit.org/show_bug.cgi?id=199821
998         <rdar://problem/52452328>
999
1000         Reviewed by Filip Pizlo.
1001
1002         * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
1003
1004 2019-07-16  Keith Miller  <keith_miller@apple.com>
1005
1006         Unreviewed, test262 gardening.
1007
1008         * test262/expectations.yaml:
1009
1010 2019-07-15  Keith Miller  <keith_miller@apple.com>
1011
1012         A Possible Issue of Object.create method
1013         https://bugs.webkit.org/show_bug.cgi?id=199744
1014
1015         Reviewed by Yusuke Suzuki.
1016
1017         * stress/object-create-non-object-properties-parameter.js: Added.
1018         (catch):
1019
1020 2019-07-15  Keith Miller  <keith_miller@apple.com>
1021
1022         Update test262
1023         https://bugs.webkit.org/show_bug.cgi?id=199801
1024
1025         Rubber-stamped by Yusuke Suzuki.
1026
1027         * test262/expectations.yaml:
1028         * test262/latest-changes-summary.txt:
1029         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/Symbol.toStringTag.js: Added.
1030         (fg.new.FinalizationGroup):
1031         (callback):
1032         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-job-not-active-throws.js: Added.
1033         (fg.new.FinalizationGroup):
1034         (callback):
1035         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-length.js: Added.
1036         (fg.new.FinalizationGroup):
1037         (callback):
1038         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-missing-internal-throws.js: Added.
1039         (fg.new.FinalizationGroup):
1040         (callback):
1041         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-name.js: Added.
1042         (fg.new.FinalizationGroup):
1043         (callback):
1044         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-not-object-throws.js: Added.
1045         (fg.new.FinalizationGroup):
1046         (callback):
1047         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/next-prop-desc.js: Added.
1048         (fg.new.FinalizationGroup):
1049         (callback):
1050         * test262/test/built-ins/FinalizationGroup/FinalizationGroupCleanupIteratorPrototype/proto.js: Added.
1051         (callback):
1052         (fg.new.FinalizationGroup):
1053         * test262/test/built-ins/FinalizationGroup/constructor.js: Added.
1054         * test262/test/built-ins/FinalizationGroup/gc-has-one-chance-to-call-cleanupCallback.js: Added.
1055         (cb):
1056         (fg.new.FinalizationGroup):
1057         (emptyCells):
1058         (async.fn):
1059         (fn.then.async):
1060         * test262/test/built-ins/FinalizationGroup/instance-extensible.js: Added.
1061         (fg.new.FinalizationGroup):
1062         * test262/test/built-ins/FinalizationGroup/length.js: Added.
1063         * test262/test/built-ins/FinalizationGroup/name.js: Added.
1064         * test262/test/built-ins/FinalizationGroup/newtarget-prototype-is-not-object.js: Added.
1065         (newTarget):
1066         (fn):
1067         * test262/test/built-ins/FinalizationGroup/prop-desc.js: Added.
1068         * test262/test/built-ins/FinalizationGroup/proto-from-ctor-realm.js: Added.
1069         (fn):
1070         * test262/test/built-ins/FinalizationGroup/proto.js: Added.
1071         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-abrupt.js: Added.
1072         (newTarget):
1073         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget-custom.js: Added.
1074         (newTarget):
1075         * test262/test/built-ins/FinalizationGroup/prototype-from-newtarget.js: Added.
1076         (fg.new.FinalizationGroup):
1077         * test262/test/built-ins/FinalizationGroup/prototype/Symbol.toStringTag.js: Added.
1078         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-iterator-proto.js: Added.
1079         (callback):
1080         (fg.new.FinalizationGroup):
1081         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/callback-not-callable-throws.js: Added.
1082         (fg.new.FinalizationGroup):
1083         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-reference.js: Added.
1084         (cb):
1085         (fg.new.FinalizationGroup):
1086         (emptyCells):
1087         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanup-prevented-with-unregister.js: Added.
1088         (fg.new.FinalizationGroup):
1089         (fg.cleanupSome.cb):
1090         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/cleanupcallback-iterator-proto.js: Added.
1091         (callback):
1092         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/custom-this.js: Added.
1093         (fn):
1094         (cb):
1095         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1096         (cb):
1097         (fg.new.FinalizationGroup):
1098         (emptyCells):
1099         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-dynamic.js: Added.
1100         (fg.new.FinalizationGroup):
1101         (callback):
1102         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/iterator-holdings-multiple-values.js: Added.
1103         (fg.new.FinalizationGroup):
1104         (callback):
1105         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/length.js: Added.
1106         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/name.js: Added.
1107         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-callback-throws.js: Added.
1108         (poisoned):
1109         (fg.new.FinalizationGroup):
1110         (emptyCells):
1111         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/poisoned-cleanup-callback-throws.js: Added.
1112         (poisoned):
1113         (emptyCells):
1114         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/prop-desc.js: Added.
1115         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined-with-gc.js: Added.
1116         (fn):
1117         (cb):
1118         (emptyCells):
1119         (prototype.assert.sameValue.fg.cleanupSome):
1120         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/return-undefined.js: Added.
1121         (fn):
1122         (cb):
1123         (poisoned):
1124         (assert.sameValue.fg.cleanupSome):
1125         (prototype.assert.sameValue.fg.cleanupSome):
1126         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-does-not-have-internal-cells-throws.js: Added.
1127         (cb):
1128         * test262/test/built-ins/FinalizationGroup/prototype/cleanupSome/this-not-object-throws.js: Added.
1129         (cb):
1130         * test262/test/built-ins/FinalizationGroup/prototype/constructor.js: Added.
1131         * test262/test/built-ins/FinalizationGroup/prototype/prop-desc.js: Added.
1132         * test262/test/built-ins/FinalizationGroup/prototype/proto.js: Added.
1133         * test262/test/built-ins/FinalizationGroup/prototype/register/custom-this.js: Added.
1134         (fn):
1135         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-any-value-type.js: Added.
1136         (fn):
1137         * test262/test/built-ins/FinalizationGroup/prototype/register/holdings-same-as-target.js: Added.
1138         (fg.new.FinalizationGroup):
1139         * test262/test/built-ins/FinalizationGroup/prototype/register/length.js: Added.
1140         * test262/test/built-ins/FinalizationGroup/prototype/register/name.js: Added.
1141         * test262/test/built-ins/FinalizationGroup/prototype/register/prop-desc.js: Added.
1142         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined-register-itself.js: Added.
1143         (fn):
1144         * test262/test/built-ins/FinalizationGroup/prototype/register/return-undefined.js: Added.
1145         (fn):
1146         * test262/test/built-ins/FinalizationGroup/prototype/register/target-not-object-throws.js: Added.
1147         (fg.new.FinalizationGroup):
1148         * test262/test/built-ins/FinalizationGroup/prototype/register/this-does-not-have-internal-target-throws.js: Added.
1149         * test262/test/built-ins/FinalizationGroup/prototype/register/this-not-object-throws.js: Added.
1150         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-not-object-or-undefined-throws.js: Added.
1151         (fg.new.FinalizationGroup):
1152         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings-and-target.js: Added.
1153         (fg.new.FinalizationGroup):
1154         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-holdings.js: Added.
1155         (fg.new.FinalizationGroup):
1156         * test262/test/built-ins/FinalizationGroup/prototype/register/unregisterToken-same-as-target.js: Added.
1157         (fg.new.FinalizationGroup):
1158         * test262/test/built-ins/FinalizationGroup/prototype/unregister/custom-this.js: Added.
1159         (fn):
1160         * test262/test/built-ins/FinalizationGroup/prototype/unregister/length.js: Added.
1161         * test262/test/built-ins/FinalizationGroup/prototype/unregister/name.js: Added.
1162         * test262/test/built-ins/FinalizationGroup/prototype/unregister/prop-desc.js: Added.
1163         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-does-not-have-internal-cells-throws.js: Added.
1164         * test262/test/built-ins/FinalizationGroup/prototype/unregister/this-not-object-throws.js: Added.
1165         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregister.js: Added.
1166         (fn):
1167         * test262/test/built-ins/FinalizationGroup/prototype/unregister/unregisterToken-not-object-throws.js: Added.
1168         (fg.new.FinalizationGroup):
1169         * test262/test/built-ins/FinalizationGroup/returns-new-object-from-constructor.js: Added.
1170         (cleanupCallback):
1171         (let.key.of.Object.getOwnPropertyNames):
1172         (set for):
1173         * test262/test/built-ins/FinalizationGroup/target-not-callable-throws.js: Added.
1174         * test262/test/built-ins/FinalizationGroup/undefined-newtarget-throws.js: Added.
1175         (FinalizationGroup):
1176         * test262/test/built-ins/FinalizationGroup/unnaffected-by-poisoned-cleanupCallback.js: Added.
1177         (cleanupCallback):
1178         (let.key.of.Object.getOwnPropertyNames):
1179         (set for):
1180         * test262/test/built-ins/Function/StrictFunction_restricted-properties.js:
1181         * test262/test/built-ins/Function/prototype/bind/BoundFunction_restricted-properties.js:
1182         * test262/test/built-ins/Function/prototype/restricted-property-arguments.js:
1183         * test262/test/built-ins/Function/prototype/restricted-property-caller.js:
1184         * test262/test/built-ins/Object/prototype/toString/proxy-function-async.js: Added.
1185         (asyncProxy.new.Proxy.async):
1186         * test262/test/built-ins/Object/prototype/toString/proxy-function.js:
1187         (asyncProxy.new.Proxy.async):
1188         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-builtin.js: Added.
1189         (setIter.set Symbol):
1190         (set defaultTag):
1191         (gen):
1192         (get return):
1193         (set new):
1194         * test262/test/built-ins/Object/prototype/toString/symbol-tag-non-str-proxy-function.js: Added.
1195         (generatorProxy.new.Proxy):
1196         (asyncProxy.new.Proxy.async):
1197         * test262/test/built-ins/Object/subclass-object-arg.js:
1198         * test262/test/built-ins/Promise/all/invoke-resolve-get-error-close.js:
1199         * test262/test/built-ins/Promise/all/resolve-element-function-name.js:
1200         * test262/test/built-ins/Promise/allSettled/invoke-resolve-get-error-close.js:
1201         * test262/test/built-ins/Promise/allSettled/reject-element-function-name.js:
1202         * test262/test/built-ins/Promise/allSettled/resolve-element-function-name.js:
1203         * test262/test/built-ins/Promise/executor-function-name.js:
1204         * test262/test/built-ins/Promise/race/invoke-resolve-get-error-close.js:
1205         * test262/test/built-ins/Promise/reject-function-name.js:
1206         * test262/test/built-ins/Promise/resolve-function-name.js:
1207         * test262/test/built-ins/Set/prototype/values/does-not-have-setdata-internal-slot-weakset.js:
1208         * test262/test/built-ins/WeakRef/constructor.js: Added.
1209         * test262/test/built-ins/WeakRef/instance-extensible.js: Added.
1210         * test262/test/built-ins/WeakRef/length.js: Added.
1211         * test262/test/built-ins/WeakRef/name.js: Added.
1212         * test262/test/built-ins/WeakRef/newtarget-prototype-is-not-object.js: Added.
1213         (newTarget):
1214         * test262/test/built-ins/WeakRef/prop-desc.js: Added.
1215         * test262/test/built-ins/WeakRef/proto-from-ctor-realm.js: Added.
1216         * test262/test/built-ins/WeakRef/proto.js: Added.
1217         * test262/test/built-ins/WeakRef/prototype-from-newtarget-abrupt.js: Added.
1218         (newTarget):
1219         * test262/test/built-ins/WeakRef/prototype-from-newtarget-custom.js: Added.
1220         (newTarget):
1221         * test262/test/built-ins/WeakRef/prototype-from-newtarget.js: Added.
1222         * test262/test/built-ins/WeakRef/prototype/Symbol.toStringTag.js: Added.
1223         * test262/test/built-ins/WeakRef/prototype/constructor.js: Added.
1224         * test262/test/built-ins/WeakRef/prototype/deref/custom-this.js: Added.
1225         * test262/test/built-ins/WeakRef/prototype/deref/gc-cleanup-not-prevented-with-wr-deref.js: Added.
1226         (emptyCells):
1227         * test262/test/built-ins/WeakRef/prototype/deref/length.js: Added.
1228         * test262/test/built-ins/WeakRef/prototype/deref/name.js: Added.
1229         * test262/test/built-ins/WeakRef/prototype/deref/prop-desc.js: Added.
1230         * test262/test/built-ins/WeakRef/prototype/deref/return-target.js: Added.
1231         * test262/test/built-ins/WeakRef/prototype/deref/this-does-not-have-internal-target-throws.js: Added.
1232         (fg.new.FinalizationGroup):
1233         * test262/test/built-ins/WeakRef/prototype/deref/this-not-object-throws.js: Added.
1234         * test262/test/built-ins/WeakRef/prototype/prop-desc.js: Added.
1235         * test262/test/built-ins/WeakRef/prototype/proto.js: Added.
1236         * test262/test/built-ins/WeakRef/returns-new-object-from-constructor.js: Added.
1237         (let.key.of.Object.getOwnPropertyNames):
1238         (set for):
1239         * test262/test/built-ins/WeakRef/target-not-object-throws.js: Added.
1240         * test262/test/built-ins/WeakRef/undefined-newtarget-throws.js: Added.
1241         * test262/test/intl402/BigInt/prototype/toLocaleString/builtin.js:
1242         * test262/test/intl402/BigInt/prototype/toLocaleString/default-options-object-prototype.js:
1243         * test262/test/intl402/BigInt/prototype/toLocaleString/length.js:
1244         * test262/test/intl402/BigInt/prototype/toLocaleString/returns-same-results-as-NumberFormat.js:
1245         * test262/test/intl402/BigInt/prototype/toLocaleString/taint-Intl-NumberFormat.js:
1246         * test262/test/intl402/BigInt/prototype/toLocaleString/this-value-invalid.js:
1247         * test262/test/intl402/BigInt/prototype/toLocaleString/throws-same-exceptions-as-NumberFormat.js:
1248         * test262/test/intl402/DateTimeFormat/constructor-options-order-quarter.js: Removed.
1249         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-invalid.js: Removed.
1250         * test262/test/intl402/DateTimeFormat/constructor-options-quarter-valid.js: Removed.
1251         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-long-en.js: Added.
1252         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-narrow-en.js: Added.
1253         * test262/test/intl402/DateTimeFormat/prototype/format/dayPeriod-short-en.js: Added.
1254         * test262/test/intl402/DateTimeFormat/prototype/format/fractionalSecondDigits.js: Added.
1255         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-date-string.js:
1256         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-near-time-boundaries.js:
1257         * test262/test/intl402/DateTimeFormat/prototype/formatRange/argument-to-integer.js:
1258         * test262/test/intl402/DateTimeFormat/prototype/formatRange/builtin.js:
1259         * test262/test/intl402/DateTimeFormat/prototype/formatRange/prop-desc.js:
1260         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-date-string.js:
1261         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-near-time-boundaries.js:
1262         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/argument-to-integer.js:
1263         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/builtin.js:
1264         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/prop-desc.js:
1265         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-long-en.js: Added.
1266         (assertParts):
1267         (assertPartsNumeric):
1268         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-narrow-en.js: Added.
1269         (assertParts):
1270         (assertPartsNumeric):
1271         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/dayPeriod-short-en.js: Added.
1272         (assertParts):
1273         (assertPartsNumeric):
1274         * test262/test/intl402/DateTimeFormat/prototype/formatToParts/fractionalSecondDigits.js: Added.
1275         (assertParts):
1276         * test262/test/intl402/DateTimeFormat/prototype/resolvedOptions/order-quarter.js: Removed.
1277         * test262/test/intl402/DateTimeFormat/taint-Object-prototype-quarter.js: Removed.
1278         * test262/test/intl402/RelativeTimeFormat/prototype/format/en-us-numeric-auto.js:
1279         * test262/test/intl402/RelativeTimeFormat/prototype/formatToParts/en-us-numeric-auto.js:
1280         * test262/test/language/expressions/arrow-function/ArrowFunction_restricted-properties.js:
1281         * test262/test/language/expressions/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1282         (C.prototype.method):
1283         * test262/test/language/expressions/class/elements/private-field-access-on-inner-function.js: Added.
1284         (C.prototype.method.innerFunction):
1285         (C.prototype.method):
1286         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1287         (C):
1288         (C.method):
1289         * test262/test/language/expressions/class/elements/private-getter-access-on-inner-function.js: Added.
1290         (C):
1291         (C.method.innerFunction):
1292         (C.method):
1293         * test262/test/language/expressions/class/elements/private-getter-is-not-a-own-property.js: Added.
1294         (C):
1295         (C.checkPrivateGetter):
1296         * test262/test/language/expressions/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1297         (C):
1298         (C.method):
1299         * test262/test/language/expressions/class/elements/private-method-access-on-inner-function.js: Added.
1300         (C):
1301         (C.method.innerFunction):
1302         (C.method):
1303         * test262/test/language/expressions/class/elements/private-method-is-not-a-own-property.js: Added.
1304         (C):
1305         (C.checkPrivateMethod):
1306         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1307         (C):
1308         (C.method):
1309         * test262/test/language/expressions/class/elements/private-setter-access-on-inner-function.js: Added.
1310         (C):
1311         (C.method.innerFunction):
1312         (C.method):
1313         * test262/test/language/expressions/class/elements/private-setter-is-not-a-own-property.js: Added.
1314         (C):
1315         (C.checkPrivateSetter):
1316         * test262/test/language/expressions/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1317         * test262/test/language/expressions/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1318         * test262/test/language/expressions/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1319         * test262/test/language/expressions/class/poisoned-underscore-proto.js: Added.
1320         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1321         (let.classStringExpression):
1322         (let.classStringExpression.access):
1323         (let.createAndInstantiateClass):
1324         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1325         (let.classStringExpression):
1326         (let.classStringExpression.access):
1327         (let.createAndInstantiateClass):
1328         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1329         (const.C):
1330         (let.createAndInstantiateClass):
1331         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1332         (let.classStringExpression.return.prototype.m):
1333         (let.classStringExpression.return.prototype.access):
1334         (let.createAndInstantiateClass):
1335         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1336         (let.classStringExpression.return.prototype.m):
1337         (let.classStringExpression.return.prototype.access):
1338         (let.createAndInstantiateClass):
1339         * test262/test/language/expressions/class/private-getter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1340         (let.classStringExpression):
1341         (let.classStringExpression.access):
1342         (let.createAndInstantiateClass):
1343         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1344         (let.classStringExpression.prototype.m):
1345         (let.classStringExpression.prototype.access):
1346         (let.classStringExpression):
1347         (let.createAndInstantiateClass):
1348         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1349         (let.classStringExpression.prototype.m):
1350         (let.classStringExpression.prototype.access):
1351         (let.classStringExpression):
1352         (let.createAndInstantiateClass):
1353         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1354         (const.C):
1355         (let.createAndInstantiateClass):
1356         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1357         (let.classStringExpression.return.C.prototype.m):
1358         (let.classStringExpression.return.C.prototype.access):
1359         (let.classStringExpression.return.C):
1360         (let.createAndInstantiateClass):
1361         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1362         (let.classStringExpression.return.C.prototype.m):
1363         (let.classStringExpression.return.C.prototype.access):
1364         (let.classStringExpression.return.C):
1365         (let.createAndInstantiateClass):
1366         * test262/test/language/expressions/class/private-method-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1367         (let.classStringExpression):
1368         (let.classStringExpression.access):
1369         (let.createAndInstantiateClass):
1370         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval-indirect.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1371         (let.classStringExpression):
1372         (let.classStringExpression.access):
1373         (let.createAndInstantiateClass):
1374         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-eval.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1375         (let.classStringExpression):
1376         (let.classStringExpression.access):
1377         (let.createAndInstantiateClass):
1378         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-factory.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1379         (const.C):
1380         (let.createAndInstantiateClass):
1381         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1382         (let.classStringExpression.return.prototype.m):
1383         (let.classStringExpression.return.prototype.access):
1384         (let.createAndInstantiateClass):
1385         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm-function-ctor.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1386         (let.classStringExpression.return.prototype.m):
1387         (let.classStringExpression.return.prototype.access):
1388         (let.createAndInstantiateClass):
1389         * test262/test/language/expressions/class/private-setter-brand-check-multiple-evaluations-of-class-realm.js: Copied from JSTests/test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js.
1390         (let.classStringExpression):
1391         (let.classStringExpression.access):
1392         (let.createAndInstantiateClass):
1393         * test262/test/language/expressions/new.target/unary-expr.js: Added.
1394         (new):
1395         (async):
1396         * test262/test/language/expressions/super/call-poisoned-underscore-proto.js: Added.
1397         (A):
1398         * test262/test/language/expressions/super/prop-poisoned-underscore-proto.js: Added.
1399         * test262/test/language/identifiers/vals-cjk-escaped.js: Added.
1400         * test262/test/language/identifiers/vals-cjk.js: Added.
1401         * test262/test/language/statements/class/elements/private-class-field-on-frozen-objects.js:
1402         * test262/test/language/statements/class/elements/private-field-access-on-inner-arrow-function.js: Added.
1403         (C.prototype.method):
1404         (C):
1405         * test262/test/language/statements/class/elements/private-field-access-on-inner-function.js: Added.
1406         (C.prototype.method.innerFunction):
1407         (C.prototype.method):
1408         (C):
1409         * test262/test/language/statements/class/elements/private-field-is-not-clobbered-by-computed-property.js: Added.
1410         (C.prototype.checkPrivateField):
1411         (C):
1412         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval-on-initializer.js: Added.
1413         (C):
1414         * test262/test/language/statements/class/elements/private-field-visible-to-direct-eval.js: Added.
1415         (C.prototype.getWithEval):
1416         (C):
1417         (D):
1418         * test262/test/language/statements/class/elements/private-getter-access-on-inner-arrow-function.js: Added.
1419         (C.prototype.get m):
1420         (C.prototype.method):
1421         (C):
1422         * test262/test/language/statements/class/elements/private-getter-access-on-inner-function.js: Added.
1423         (C.prototype.get m):
1424         (C.prototype.method.innerFunction):
1425         (C.prototype.method):
1426         (C):
1427         * test262/test/language/statements/class/elements/private-getter-brand-check-multiple-evaluations-of-class.js:
1428         (let.createAndInstantiateClass):
1429         * test262/test/language/statements/class/elements/private-getter-is-not-a-own-property.js: Added.
1430         (C.prototype.get m):
1431         (C.prototype.checkPrivateGetter):
1432         (C):
1433         * test262/test/language/statements/class/elements/private-getter-is-not-clobbered-by-computed-property.js: Added.
1434         (C.prototype.get m):
1435         (C.prototype.checkPrivateGetter):
1436         (C):
1437         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval-on-initializer.js: Added.
1438         (C.prototype.get m):
1439         (C):
1440         * test262/test/language/statements/class/elements/private-getter-visible-to-direct-eval.js: Added.
1441         (C.prototype.get m):
1442         (C.prototype.getWithEval):
1443         (C):
1444         (D.prototype.get m):
1445         (D):
1446         * test262/test/language/statements/class/elements/private-method-access-on-inner-arrow-function.js: Added.
1447         (C.prototype.m):
1448         (C.prototype.method):
1449         (C):
1450         * test262/test/language/statements/class/elements/private-method-access-on-inner-function.js: Added.
1451         (C.prototype.m):
1452         (C.prototype.method.innerFunction):
1453         (C.prototype.method):
1454         (C):
1455         * test262/test/language/statements/class/elements/private-method-is-not-a-own-property.js: Added.
1456         (C.prototype.m):
1457         (C.prototype.checkPrivateMethod):
1458         (C):
1459         * test262/test/language/statements/class/elements/private-method-is-not-clobbered-by-computed-property.js: Added.
1460         (C.prototype.m):
1461         (C.prototype.checkPrivateMethod):
1462         (C):
1463         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval-on-initializer.js: Added.
1464         (C.prototype.m):
1465         (C):
1466         * test262/test/language/statements/class/elements/private-method-visible-to-direct-eval.js: Added.
1467         (C.prototype.m):
1468         (C.prototype.getWithEval):
1469         (C):
1470         (D.prototype.m):
1471         (D):
1472         * test262/test/language/statements/class/elements/private-setter-access-on-inner-arrow-function.js: Added.
1473         (C.prototype.set m):
1474         (C.prototype.method):
1475         (C):
1476         * test262/test/language/statements/class/elements/private-setter-access-on-inner-function.js: Added.
1477         (C.prototype.set m):
1478         (C.prototype.method.innerFunction):
1479         (C.prototype.method):
1480         (C):
1481         * test262/test/language/statements/class/elements/private-setter-is-not-a-own-property.js: Added.
1482         (C.prototype.set m):
1483         (C.prototype.checkPrivateSetter):
1484         (C):
1485         * test262/test/language/statements/class/elements/private-setter-is-not-clobbered-by-computed-property.js: Added.
1486         (C.prototype.set m):
1487         (C.prototype.checkPrivateSetter):
1488         (C):
1489         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval-on-initializer.js: Added.
1490         (C.prototype.set m):
1491         (C):
1492         * test262/test/language/statements/class/elements/private-setter-visible-to-direct-eval.js: Added.
1493         (C.prototype.set m):
1494         (C.prototype.setWithEval):
1495         (C):
1496         (D.prototype.set m):
1497         (D):
1498         * test262/test/language/statements/class/elements/prod-private-getter-before-super-return-in-field-initializer.js:
1499         * test262/test/language/statements/class/elements/prod-private-method-before-super-return-in-field-initializer.js:
1500         * test262/test/language/statements/class/elements/prod-private-setter-before-super-return-in-field-initializer.js:
1501         * test262/test/language/statements/class/elements/super-access-inside-a-private-getter.js: Added.
1502         (A.prototype.method):
1503         (A):
1504         (C.prototype.get m):
1505         (C.prototype.access):
1506         (C):
1507         * test262/test/language/statements/class/elements/super-access-inside-a-private-method.js: Added.
1508         (A.prototype.method):
1509         (A):
1510         (C.prototype.m):
1511         (C.prototype.access):
1512         (C):
1513         * test262/test/language/statements/class/elements/super-access-inside-a-private-setter.js: Added.
1514         (A.prototype.method):
1515         (A):
1516         (C.prototype.set m):
1517         (C.prototype.access):
1518         (C):
1519         * test262/test/language/statements/class/poisoned-underscore-proto.js: Added.
1520         (A):
1521         * test262/test/language/statements/function/13.2-30-s.js:
1522         * test262/test262-Revision.txt:
1523
1524 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1525
1526         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1527         https://bugs.webkit.org/show_bug.cgi?id=199783
1528
1529         Reviewed by Mark Lam.
1530
1531         Fix our spec tests.
1532
1533         * wasm/js-api/Module-compile.js:
1534         * wasm/js-api/test_basic_api.js:
1535         (const.c.in.constructorProperties.switch):
1536         * wasm/js-api/validate.js:
1537         * wasm/js-api/web-assembly-instantiate.js:
1538         * wasm/spec-tests/jsapi.js:
1539         (testJSAPI.get test):
1540         (testJSAPI.set test):
1541
1542 2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>
1543
1544         Unreviewed, rolling out r247440.
1545
1546         Broke builds
1547
1548         Reverted changeset:
1549
1550         "[JSC] Improve wasm wpt test results by fixing miscellaneous
1551         issues"
1552         https://bugs.webkit.org/show_bug.cgi?id=199783
1553         https://trac.webkit.org/changeset/247440
1554
1555 2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>
1556
1557         [JSC] Improve wasm wpt test results by fixing miscellaneous issues
1558         https://bugs.webkit.org/show_bug.cgi?id=199783
1559
1560         Reviewed by Mark Lam.
1561
1562         Fix our spec tests.
1563
1564         * wasm/js-api/Module-compile.js:
1565         * wasm/js-api/test_basic_api.js:
1566         (const.c.in.constructorProperties.switch):
1567         * wasm/js-api/validate.js:
1568         * wasm/js-api/web-assembly-instantiate.js:
1569         * wasm/spec-tests/jsapi.js:
1570         (testJSAPI.get test):
1571         (testJSAPI.set test):
1572
1573 2019-07-12  Justin Michaud  <justin_michaud@apple.com>
1574
1575         B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
1576         https://bugs.webkit.org/show_bug.cgi?id=196371
1577
1578         Reviewed by Keith Miller.
1579
1580         * microbenchmarks/mul-immediate-sub.js: Added.
1581         (doTest):
1582
1583 2019-07-12  Caio Lima  <ticaiolima@gmail.com>
1584
1585         [BigInt] Add ValueBitLShift into DFG
1586         https://bugs.webkit.org/show_bug.cgi?id=192664
1587
1588         Reviewed by Saam Barati.
1589
1590         We are adding tests to cover ValueBitwise operations AI changes.
1591
1592         * stress/big-int-left-shift-untyped.js: Added.
1593         * stress/bit-op-with-object-returning-int32.js:
1594         * stress/value-bit-and-ai-rule.js: Added.
1595         * stress/value-bit-lshift-ai-rule.js: Added.
1596         * stress/value-bit-or-ai-rule.js: Added.
1597         * stress/value-bit-xor-ai-rule.js: Added.
1598
1599 2019-07-11  Justin Michaud  <justin_michaud@apple.com>
1600
1601         Add b3 macro lowering for CheckMul on arm64
1602         https://bugs.webkit.org/show_bug.cgi?id=199251
1603
1604         Reviewed by Robin Morisset.
1605
1606         * microbenchmarks/check-mul-constant.js: Added.
1607         (doTest):
1608         * microbenchmarks/check-mul-no-constant.js: Added.
1609         (doTest):
1610         * microbenchmarks/check-mul-power-of-two.js: Added.
1611         (doTest):
1612
1613 2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>
1614
1615         Optimize join of large empty arrays
1616         https://bugs.webkit.org/show_bug.cgi?id=199636
1617
1618         Reviewed by Mark Lam.
1619
1620         * microbenchmarks/large-empty-array-join.js: Added.
1621         * microbenchmarks/large-empty-array-join-resolve-rope.js: Added.
1622
1623 2019-07-06  Michael Saboff  <msaboff@apple.com>
1624
1625         switch(String) needs to check for exceptions when resolving the string
1626         https://bugs.webkit.org/show_bug.cgi?id=199541
1627
1628         Reviewed by Mark Lam.
1629
1630         New tests.
1631
1632         * stress/switch-string-oom.js: Added.
1633         (test):
1634         (testLowerTiers):
1635         (testFTL):
1636
1637 2019-07-05  Mark Lam  <mark.lam@apple.com>
1638
1639         ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex past zero.
1640         https://bugs.webkit.org/show_bug.cgi?id=199533
1641         <rdar://problem/52669111>
1642
1643         Reviewed by Filip Pizlo.
1644
1645         * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
1646
1647 2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>
1648
1649         [JSC] Clean up ArraySpeciesCreate
1650         https://bugs.webkit.org/show_bug.cgi?id=182434
1651
1652         Reviewed by Yusuke Suzuki.
1653
1654         Adjusts error message expectations in stress tests.
1655
1656         * stress/array-flatmap.js:
1657         * stress/array-flatten.js:
1658         * stress/array-species-create-should-handle-masquerader.js:
1659         * test262/expectations.yaml: Mark 4 test cases as passing.
1660
1661 2019-07-02  Michael Saboff  <msaboff@apple.com>
1662
1663         Exception from For..of loop assignment eliminates TDZ checks in subsequent code
1664         https://bugs.webkit.org/show_bug.cgi?id=199395
1665
1666         Reviewed by Filip Pizlo.
1667
1668         New regression test.
1669
1670         * stress/for-of-tdz-with-try-catch.js: Added.
1671         (test):
1672         (i.catch):
1673
1674 2019-07-02  Keith Miller  <keith_miller@apple.com>
1675
1676         Frozen Arrays length assignment should throw in strict mode
1677         https://bugs.webkit.org/show_bug.cgi?id=199365
1678
1679         Reviewed by Yusuke Suzuki.
1680
1681         * stress/frozen-array-length-should-throw-strict.js: Added.
1682         (test):
1683
1684 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
1685
1686         [Wasm-References] Disable references by default
1687         https://bugs.webkit.org/show_bug.cgi?id=199390
1688
1689         Reviewed by Saam Barati.
1690
1691         * wasm/references-spec-tests/ref_is_null.js:
1692         * wasm/references-spec-tests/ref_null.js:
1693         * wasm/references/anyref_globals.js:
1694         * wasm/references/anyref_modules.js:
1695         * wasm/references/anyref_table.js:
1696         * wasm/references/anyref_table_import.js:
1697         * wasm/references/element_parsing.js:
1698         * wasm/references/func_ref.js:
1699         * wasm/references/is_null.js:
1700         * wasm/references/multitable.js:
1701         * wasm/references/table_misc.js:
1702         * wasm/references/validation.js:
1703
1704 2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>
1705
1706         Unreviewed, rolling out r246946.
1707
1708         Caused JSC test crashes on arm64
1709
1710         Reverted changeset:
1711
1712         "Add b3 macro lowering for CheckMul on arm64"
1713         https://bugs.webkit.org/show_bug.cgi?id=199251
1714         https://trac.webkit.org/changeset/246946
1715
1716 2019-06-28  Justin Michaud  <justin_michaud@apple.com>
1717
1718         Add b3 macro lowering for CheckMul on arm64
1719         https://bugs.webkit.org/show_bug.cgi?id=199251
1720
1721         Reviewed by Robin Morisset.
1722
1723         * microbenchmarks/check-mul-constant.js: Added.
1724         (doTest):
1725         * microbenchmarks/check-mul-no-constant.js: Added.
1726         (doTest):
1727         * microbenchmarks/check-mul-power-of-two.js: Added.
1728         (doTest):
1729
1730 2019-06-26  Keith Miller  <keith_miller@apple.com>
1731
1732         speciesConstruct needs to throw if the result is a DataView
1733         https://bugs.webkit.org/show_bug.cgi?id=199231
1734
1735         Reviewed by Mark Lam.
1736
1737         * stress/typedarray-filter.js:
1738         (subclasses.forEach):
1739         * stress/typedarray-map.js:
1740         (subclasses.forEach):
1741         * stress/typedarray-slice.js:
1742         (typedArrays.forEach):
1743         * stress/typedarray-subarray.js:
1744         (subclasses.forEach):
1745
1746 2019-06-24  Commit Queue  <commit-queue@webkit.org>
1747
1748         Unreviewed, rolling out r246714.
1749         https://bugs.webkit.org/show_bug.cgi?id=199179
1750
1751         revert to do patch in a different way. (Requested by keith_mi_
1752         on #webkit).
1753
1754         Reverted changeset:
1755
1756         "All prototypes should call didBecomePrototype()"
1757         https://bugs.webkit.org/show_bug.cgi?id=196315
1758         https://trac.webkit.org/changeset/246714
1759
1760 2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>
1761
1762         Add Array.prototype.{flat,flatMap} to unscopables
1763         https://bugs.webkit.org/show_bug.cgi?id=194322
1764
1765         Reviewed by Keith Miller.
1766
1767         * stress/unscopables.js: Fix test.
1768         * test262/expectations.yaml: Mark 2 test cases as passing.
1769
1770 2019-06-21  Mark Lam  <mark.lam@apple.com>
1771
1772         ArraySlice needs to keep the source array alive.
1773         https://bugs.webkit.org/show_bug.cgi?id=197374
1774         <rdar://problem/50304429>
1775
1776         Reviewed by Michael Saboff and Filip Pizlo.
1777
1778         * stress/array-slice-must-keep-source-array-alive.js: Added.
1779
1780 2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
1781
1782         All prototypes should call didBecomePrototype()
1783         https://bugs.webkit.org/show_bug.cgi?id=196315
1784
1785         Reviewed by Saam Barati.
1786
1787         * stress/function-prototype-indexed-accessor.js: Added.
1788
1789 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1790
1791         [JSC] Strict, Sloppy and Arrow functions should have different classInfo
1792         https://bugs.webkit.org/show_bug.cgi?id=197631
1793
1794         Reviewed by Saam Barati.
1795
1796         * stress/has-own-property-arguments.js: Added.
1797         (shouldBe):
1798         (A):
1799
1800 2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>
1801
1802         [JSC] ClassExpr should not store result in the middle of evaluation
1803         https://bugs.webkit.org/show_bug.cgi?id=199106
1804
1805         Reviewed by Tadeu Zagallo.
1806
1807         * stress/class-expression-should-store-result-at-last.js: Added.
1808         (shouldThrow):
1809         (shouldThrow.let.a):
1810
1811 2019-06-20  Justin Michaud  <justin_michaud@apple.com>
1812
1813         [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
1814         https://bugs.webkit.org/show_bug.cgi?id=199044
1815
1816         Reviewed by Saam Barati.
1817
1818         Add wasm references spec tests as well as a worker test.
1819
1820         * wasm.yaml:
1821         * wasm/Builder_WebAssemblyBinary.js:
1822         (const.emitters.Element):
1823         * wasm/js-api/element.js:
1824         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1825         * wasm/references-spec-tests/ref_is_null.js: Added.
1826         (hostref):
1827         (is_hostref):
1828         (is_funcref):
1829         (eq_ref):
1830         (let.handler.get target):
1831         (register):
1832         (module):
1833         (instance):
1834         (call):
1835         (get instance):
1836         (exports):
1837         (run):
1838         (assert_malformed):
1839         (assert_invalid):
1840         (assert_unlinkable):
1841         (assert_uninstantiable):
1842         (assert_trap):
1843         (try.f):
1844         (catch):
1845         (assert_exhaustion):
1846         (assert_return):
1847         (assert_return_canonical_nan):
1848         (assert_return_arithmetic_nan):
1849         (assert_return_ref):
1850         (assert_return_func):
1851         * wasm/references-spec-tests/ref_null.js: Added.
1852         (hostref):
1853         (is_hostref):
1854         (is_funcref):
1855         (eq_ref):
1856         (let.handler.get target):
1857         (register):
1858         (module):
1859         (instance):
1860         (call):
1861         (get instance):
1862         (exports):
1863         (run):
1864         (assert_malformed):
1865         (assert_invalid):
1866         (assert_unlinkable):
1867         (assert_uninstantiable):
1868         (assert_trap):
1869         (try.f):
1870         (catch):
1871         (assert_exhaustion):
1872         (assert_return):
1873         (assert_return_canonical_nan):
1874         (assert_return_arithmetic_nan):
1875         (assert_return_ref):
1876         (assert_return_func):
1877         * wasm/references/element_parsing.js: Added.
1878         (module):
1879         * wasm/references/func_ref.js:
1880         * wasm/references/multitable.js:
1881         * wasm/references/table_misc.js:
1882         (TableSize.0.End.End.WebAssembly):
1883         * wasm/references/validation.js:
1884         (assert.throws):
1885
1886 2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>
1887
1888         Optimize `resolve` method lookup in Promise static methods
1889         https://bugs.webkit.org/show_bug.cgi?id=198864
1890
1891         Reviewed by Yusuke Suzuki.
1892
1893         * test262/expectations.yaml: Mark 18 test cases as passing.
1894
1895 2019-06-19  Justin Michaud  <justin_michaud@apple.com>
1896
1897         [WASM-References] Rename anyfunc to funcref
1898         https://bugs.webkit.org/show_bug.cgi?id=198983
1899
1900         Reviewed by Yusuke Suzuki.
1901
1902         * wasm/function-tests/basic-element.js:
1903         * wasm/function-tests/context-switch.js:
1904         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1905         (makeInstance):
1906         (assert.eq.makeInstance):
1907         * wasm/function-tests/exceptions.js:
1908         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1909         * wasm/function-tests/grow-memory-2.js:
1910         (assert.eq.instance.exports.foo):
1911         * wasm/function-tests/nameSection.js:
1912         (const.compile):
1913         * wasm/function-tests/stack-overflow.js:
1914         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1915         (assertOverflows.makeInstance):
1916         * wasm/function-tests/table-basic-2.js:
1917         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1918         * wasm/function-tests/table-basic.js:
1919         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.makeInstance):
1920         * wasm/function-tests/trap-from-start-async.js:
1921         * wasm/function-tests/trap-from-start.js:
1922         * wasm/js-api/Module.exports.js:
1923         (assert.truthy):
1924         * wasm/js-api/Module.imports.js:
1925         (assert.truthy):
1926         * wasm/js-api/call-indirect.js:
1927         (const.oneTable):
1928         (const.multiTable):
1929         (multiTable.const.makeTable):
1930         (multiTable):
1931         (multiTable.Polyphic2Import):
1932         (multiTable.VirtualImport):
1933         * wasm/js-api/element-data.js:
1934         * wasm/js-api/element.js:
1935         (assert.throws.new.WebAssembly.Module.builder.WebAssembly):
1936         (assert.throws):
1937         (badInstantiation.makeModule):
1938         (badInstantiation.test):
1939         (badInstantiation):
1940         * wasm/js-api/extension-MemoryMode.js:
1941         * wasm/js-api/table.js:
1942         (new.WebAssembly.Module):
1943         (assert.throws):
1944         (assertBadTableImport):
1945         (assert.throws.WebAssembly.Table.prototype.grow):
1946         (new.WebAssembly.Table):
1947         (assertBadTable):
1948         (assert.truthy):
1949         * wasm/js-api/test_basic_api.js:
1950         (const.c.in.constructorProperties.switch):
1951         * wasm/js-api/unique-signature.js:
1952         (CallIndirectWithDuplicateSignatures):
1953         * wasm/js-api/wrapper-function.js:
1954         * wasm/modules/table.wat:
1955         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1956         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1957         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1958         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1959         * wasm/references/anyref_table.js:
1960         * wasm/references/anyref_table_import.js:
1961         (doSet):
1962         (assert.throws):
1963         * wasm/references/func_ref.js:
1964         (makeFuncrefIdent):
1965         (assert.eq.instance.exports.fix):
1966         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly.assert.throws):
1967         (GetLocal.0.I32Const.0.TableSet.0.End.End.WebAssembly):
1968         (let.importedFun.of):
1969         (makeAnyfuncIdent): Deleted.
1970         (makeAnyfuncIdent.fun): Deleted.
1971         * wasm/references/multitable.js:
1972         (assert.eq):
1973         (assert.throws):
1974         * wasm/references/table_misc.js:
1975         (GetLocal.0.TableFill.0.End.End.WebAssembly):
1976         * wasm/references/validation.js:
1977         (assert.throws.new.WebAssembly.Module.bin):
1978         (assert.throws):
1979         * wasm/spec-harness/index.js:
1980         * wasm/spec-harness/wasm-constants.js:
1981         * wasm/spec-harness/wasm-module-builder.js:
1982         (WasmModuleBuilder.prototype.toArray):
1983         * wasm/spec-harness/wast.js:
1984         (elem_type):
1985         (string_of_elem_type):
1986         (string_of_table_type):
1987         * wasm/spec-tests/jsapi.js:
1988         * wasm/stress/wasm-table-grow-initialize.js:
1989         * wasm/wasm.json:
1990
1991 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
1992
1993         [WASM-References] Add support for Table.size, grow and fill instructions
1994         https://bugs.webkit.org/show_bug.cgi?id=198761
1995
1996         Reviewed by Yusuke Suzuki.
1997
1998         * wasm/Builder_WebAssemblyBinary.js:
1999         (const.putOp):
2000         * wasm/references/table_misc.js: Added.
2001         (TableSize.End.End.WebAssembly):
2002         (GetLocal.0.GetLocal.1.TableGrow.End.End.WebAssembly):
2003         * wasm/wasm.json:
2004
2005 2019-06-18  Justin Michaud  <justin_michaud@apple.com>
2006
2007         [WASM-References] Add support for multiple tables
2008         https://bugs.webkit.org/show_bug.cgi?id=198760
2009
2010         Reviewed by Saam Barati.
2011
2012         * wasm/Builder.js:
2013         * wasm/js-api/call-indirect.js:
2014         (const.oneTable):
2015         (const.multiTable):
2016         (multiTable):
2017         (multiTable.Polyphic2Import):
2018         (multiTable.VirtualImport):
2019         (const.wasmModuleWhichImportJS): Deleted.
2020         (const.makeTable): Deleted.
2021         (): Deleted.
2022         (Polyphic2Import): Deleted.
2023         (VirtualImport): Deleted.
2024         * wasm/js-api/table.js:
2025         (new.WebAssembly.Module):
2026         (assert.throws):
2027         (assertBadTableImport):
2028         (assert.truthy):
2029         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2030         * wasm/references/anyref_table.js:
2031         * wasm/references/anyref_table_import.js:
2032         (makeImport):
2033         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2034         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2035         * wasm/references/multitable.js: Added.
2036         (assert.throws.1.exports.set_tbl0):
2037         (assert.throws):
2038         (assert.eq):
2039         * wasm/references/validation.js:
2040         (assert.throws.new.WebAssembly.Module.bin):
2041         (assert.throws):
2042         * wasm/spec-tests/imports.wast.js:
2043         * wasm/wasm.json:
2044
2045         * wasm/Builder.js:
2046         * wasm/js-api/call-indirect.js:
2047         (const.oneTable):
2048         (const.multiTable):
2049         (multiTable):
2050         (multiTable.Polyphic2Import):
2051         (multiTable.VirtualImport):
2052         (const.wasmModuleWhichImportJS): Deleted.
2053         (const.makeTable): Deleted.
2054         (): Deleted.
2055         (Polyphic2Import): Deleted.
2056         (VirtualImport): Deleted.
2057         * wasm/js-api/table.js:
2058         (new.WebAssembly.Module):
2059         (assert.throws):
2060         (assertBadTableImport):
2061         (assert.truthy):
2062         (assert.throws.new.WebAssembly.Module.builder.WebAssembly): Deleted.
2063         * wasm/references/anyref_table.js:
2064         * wasm/references/anyref_table_import.js:
2065         (makeImport):
2066         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2067         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2068         * wasm/references/func_ref.js:
2069         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun): Deleted.
2070         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws): Deleted.
2071         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly): Deleted.
2072         * wasm/references/multitable.js: Added.
2073         (assert.throws.1.exports.set_tbl0):
2074         (assert.throws):
2075         (assert.eq):
2076         (string_appeared_here.tableInsanity):
2077         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly.):
2078         (I32Const.0.GetLocal.0.TableSet.1.End.End.WebAssembly):
2079         * wasm/references/validation.js:
2080         (assert.throws.new.WebAssembly.Module.bin):
2081         (assert.throws):
2082         * wasm/spec-tests/imports.wast.js:
2083         * wasm/wasm.json:
2084
2085 2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>
2086
2087         [ESNExt] String.prototype.matchAll
2088         https://bugs.webkit.org/show_bug.cgi?id=186694
2089
2090         Reviewed by Yusuke Suzuki.
2091
2092         Implement String.prototype.matchAll.
2093         (https://tc39.es/ecma262/#sec-string.prototype.matchall)
2094
2095         * test262/config.yaml:
2096
2097 2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2098
2099         DFG code should not reify the names of builtin functions with private names
2100         https://bugs.webkit.org/show_bug.cgi?id=198849
2101         <rdar://problem/51733890>
2102
2103         Reviewed by Filip Pizlo.
2104
2105         * stress/builtin-private-function-name.js: Added.
2106         (then):
2107         (PromiseLike):
2108
2109 2019-06-18  Keith Miller  <keith_miller@apple.com>
2110
2111         MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
2112         https://bugs.webkit.org/show_bug.cgi?id=198969
2113         <rdar://problem/51620714>
2114
2115         Reviewed by Tadeu Zagallo.
2116
2117         * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
2118         (catch):
2119
2120 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2121
2122         Validate that table element type is funcref if using an element section
2123         https://bugs.webkit.org/show_bug.cgi?id=198910
2124
2125         Reviewed by Yusuke Suzuki.
2126
2127         * wasm/references/anyref_table.js:
2128
2129 2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>
2130
2131         [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
2132         https://bugs.webkit.org/show_bug.cgi?id=197378
2133
2134         Reviewed by Saam Barati.
2135
2136         * stress/disposable-call-site-index-with-call-and-this.js: Added.
2137         (foo):
2138         (bar):
2139         * stress/disposable-call-site-index.js: Added.
2140         (foo):
2141         (bar):
2142
2143 2019-06-17  Justin Michaud  <justin_michaud@apple.com>
2144
2145         [WASM-References] Add support for Funcref in parameters and return types
2146         https://bugs.webkit.org/show_bug.cgi?id=198157
2147
2148         Reviewed by Yusuke Suzuki.
2149
2150         * wasm/Builder.js:
2151         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2152         * wasm/references/anyref_globals.js:
2153         * wasm/references/func_ref.js: Added.
2154         (fullGC.gc.makeExportedFunction):
2155         (makeExportedIdent):
2156         (makeAnyfuncIdent):
2157         (fun):
2158         (assert.eq.instance.exports.fix.fun):
2159         (assert.eq.instance.exports.fix):
2160         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
2161         (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
2162         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
2163         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
2164         (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
2165         (assert.throws):
2166         (assert.throws.doTest):
2167         (let.importedFun.of):
2168         (makeAnyfuncIdent.fun):
2169         * wasm/references/validation.js:
2170         (assert.throws):
2171         * wasm/wasm.json:
2172
2173 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
2174
2175         Update test262 tests (2019.06.13)
2176         https://bugs.webkit.org/show_bug.cgi?id=198821
2177
2178         Reviewed by Konstantin Tokarev.
2179
2180         * test262/expectations.yaml:
2181         * test262/harness/:
2182         * test262/latest-changes-summary.txt:
2183         * test262/test/:
2184         * test262/test262-Revision.txt:
2185
2186 2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
2187
2188         [JSC] Grown region of WasmTable should be initialized with null
2189         https://bugs.webkit.org/show_bug.cgi?id=198903
2190
2191         Reviewed by Saam Barati.
2192
2193         * wasm/stress/wasm-table-grow-initialize.js: Added.
2194         (shouldBe):
2195
2196 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
2197
2198         Yarr bytecode compilation failure should be gracefully handled
2199         https://bugs.webkit.org/show_bug.cgi?id=198700
2200
2201         Reviewed by Michael Saboff.
2202
2203         * stress/regexp-bytecode-compilation-fail.js: Added.
2204         (shouldThrow):
2205
2206 2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>
2207
2208         [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
2209         https://bugs.webkit.org/show_bug.cgi?id=198770
2210
2211         Reviewed by Saam Barati.
2212
2213         * stress/poly-call-stub-slow-path-should-restore-callee-saves-when-doing-tail-call.js: Added.
2214         (test):
2215
2216 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2217
2218         JSC should throw if proxy set returns falsish in strict mode context
2219         https://bugs.webkit.org/show_bug.cgi?id=177398
2220
2221         Reviewed by Yusuke Suzuki.
2222
2223         1. Add coverage for Proxy `set` trap returning falsy value in strict mode.
2224         2. RegExp methods throw unless [[Set]] succeeds. Return `true` from Proxy `set` traps to fix the tests.
2225
2226         * stress/proxy-set.js: Add 2 test cases.
2227         * stress/regexp-match-proxy.js: Fix test.
2228         * stress/regexp-replace-proxy.js: Fix test.
2229
2230 2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>
2231
2232         Error message for non-callable Proxy `construct` trap is misleading
2233         https://bugs.webkit.org/show_bug.cgi?id=198637
2234
2235         Reviewed by Saam Barati.
2236
2237         * stress/proxy-construct.js:
2238
2239 2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>
2240
2241         AI BitURShift's result should not be unsigned
2242         https://bugs.webkit.org/show_bug.cgi?id=198689
2243         <rdar://problem/51550063>
2244
2245         Reviewed by Saam Barati.
2246
2247         * stress/urshift-int32-overflow.js: Added.
2248         (foo.):
2249         (foo):
2250
2251 2019-06-11  Guillaume Emont  <guijemont@igalia.com>
2252
2253         Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
2254
2255         Unreviewed gardening.
2256
2257         * stress/ftl-gettypedarrayoffset-wasteful.js:
2258         Skipped on arm/linux as it always times out on the bot since a change
2259         between r246270 and r246278 inclusive.
2260
2261 2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>
2262
2263         [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
2264         https://bugs.webkit.org/show_bug.cgi?id=198023
2265
2266         Reviewed by Saam Barati.
2267
2268         * stress/reparsing-unlinked-codeblock.js: Added.
2269         (shouldBe):
2270         (hello):
2271
2272 2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>
2273
2274         [JSC] Use mergePrediction in ValuePow prediction propagation
2275         https://bugs.webkit.org/show_bug.cgi?id=198648
2276
2277         Reviewed by Saam Barati.
2278
2279         * stress/prediction-propagation-should-use-merge-prediction-for-value-pow.js: Added.
2280
2281 2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>
2282
2283         AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
2284         https://bugs.webkit.org/show_bug.cgi?id=198581
2285         <rdar://problem/51099753>
2286
2287         Reviewed by Saam Barati.
2288
2289         * stress/global-object-proto-getter.js: Added.
2290         (f):
2291         (test):
2292
2293 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2294
2295         [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
2296         https://bugs.webkit.org/show_bug.cgi?id=198398
2297
2298         Reviewed by Saam Barati.
2299
2300         * wasm/references/anyref_table.js: Added.
2301         (string_appeared_here.doGCSet):
2302         (doGCTest):
2303         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2304         * wasm/references/anyref_table_import.js: Added.
2305         (makeImport):
2306         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
2307         (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
2308         * wasm/references/is_null_error.js: Removed.
2309         * wasm/references/validation.js: Added.
2310         (assert.throws.new.WebAssembly.Module.bin):
2311         (assert.throws):
2312         * wasm/wasm.json:
2313
2314 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
2315
2316         WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
2317         https://bugs.webkit.org/show_bug.cgi?id=198106
2318
2319         Reviewed by Saam Barati.
2320
2321         * wasm/regress/selectf64.js: Added.
2322         * wasm/regress/selectf64.wasm: Added.
2323         * wasm/regress/selectf64.wat: Added.
2324
2325 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2326
2327         Argument elimination should check transitive dependents for interference
2328         https://bugs.webkit.org/show_bug.cgi?id=198520
2329         <rdar://problem/50863343>
2330
2331         Reviewed by Filip Pizlo.
2332
2333         * stress/argument-elimination-inline-rest-past-kill.js: Added.
2334         (f2):
2335         (f3):
2336
2337 2019-06-04  Tadeu Zagallo  <tzagallo@apple.com>
2338
2339         Argument elimination should check for negative indices in GetByVal
2340         https://bugs.webkit.org/show_bug.cgi?id=198302
2341         <rdar://problem/51188095>
2342
2343         Reviewed by Filip Pizlo.
2344
2345         * stress/eliminate-arguments-negative-rest-access.js: Added.
2346         (inlinee):
2347         (opt):
2348
2349 2019-06-03  Caio Lima  <ticaiolima@gmail.com>
2350
2351         [ESNext][BigInt] Implement support for "**"
2352         https://bugs.webkit.org/show_bug.cgi?id=190799
2353
2354         Reviewed by Saam Barati.
2355
2356         * stress/big-int-exp-basic.js: Added.
2357         * stress/big-int-exp-jit-osr.js: Added.
2358         * stress/big-int-exp-jit-untyped.js: Added.
2359         * stress/big-int-exp-jit.js: Added.
2360         * stress/big-int-exp-negative-exponent.js: Added.
2361         * stress/big-int-exp-to-primitive.js: Added.
2362         * stress/big-int-exp-type-error.js: Added.
2363         * stress/big-int-exp-wrapped-value.js: Added.
2364         * stress/value-pow-ai-rule.js: Added.
2365
2366 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
2367
2368         [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode
2369         https://bugs.webkit.org/show_bug.cgi?id=197979
2370
2371         Reviewed by Filip Pizlo.
2372
2373         * stress/16bit-code.js: Added.
2374         (shouldBe):
2375         * stress/32bit-code.js: Added.
2376         (shouldBe):
2377
2378 2019-05-30  Justin Michaud  <justin_michaud@apple.com>
2379
2380         oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
2381         https://bugs.webkit.org/show_bug.cgi?id=198355
2382
2383         Reviewed by Saam Barati.
2384
2385         * wasm/references/is_null.js:
2386
2387 2019-05-30  Stephan Szabo  <stephan.szabo@sony.com>
2388
2389         [PlayStation] Skip additional tests on PlayStation
2390         https://bugs.webkit.org/show_bug.cgi?id=198352
2391
2392         Reviewed by Don Olmstead.
2393
2394         Skip pow test on PlayStation due to behavior difference in standard library.
2395         Skip incremental marking test due to OOM on PlayStation systems.
2396
2397         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js:
2398         * stress/math-pow-with-constants.js:
2399         * stress/pow-with-constants.js:
2400
2401 2019-05-28  Dean Jackson  <dino@apple.com>
2402
2403         Implement Promise.allSettled
2404         https://bugs.webkit.org/show_bug.cgi?id=197600
2405         <rdar://problem/50483885>
2406
2407         Reviewed by Keith Miller.
2408
2409         Start testing Promise.allSettled. We pass most of the tests.
2410         The ones that fail are similar to the Promise.all tests we already fail.
2411
2412         * test262/config.yaml: Remove Promise.allSettled from skipped tests.
2413         * test262/expectations.yaml: Add new expectations for allSettled tests.
2414
2415 2019-05-28  Michael Saboff  <msaboff@apple.com>
2416
2417         [YARR] Properly handle RegExp's that require large ParenContext space
2418         https://bugs.webkit.org/show_bug.cgi?id=198065
2419
2420         Reviewed by Keith Miller.
2421
2422         New test.
2423
2424         * stress/regexp-large-paren-context.js: Added.
2425         (testLargeRegExp):
2426
2427 2019-05-28  Tadeu Zagallo  <tzagallo@apple.com>
2428
2429         JITOperations putByVal should mark negative array indices as out-of-bounds
2430         https://bugs.webkit.org/show_bug.cgi?id=198271
2431
2432         Reviewed by Saam Barati.
2433
2434         * microbenchmarks/get-by-val-negative-array-index.js:
2435         (foo):
2436         Update the getByVal microbenchmark added in r245769. This now shows that r245769
2437         is 4.2x faster than the previous commit.
2438
2439         * microbenchmarks/put-by-val-negative-array-index.js: Added.
2440         (foo):
2441
2442 2019-05-25  Tadeu Zagallo  <tzagallo@apple.com>
2443
2444         JITOperations getByVal should mark negative array indices as out-of-bounds
2445         https://bugs.webkit.org/show_bug.cgi?id=198229
2446
2447         Reviewed by Saam Barati.
2448
2449         * microbenchmarks/get-by-val-negative-array-index.js: Added.
2450         (foo):
2451
2452 2019-05-24  Justin Michaud  <justin_michaud@apple.com>
2453
2454         [WASM-References] Support Anyref in globals
2455         https://bugs.webkit.org/show_bug.cgi?id=198102
2456
2457         Reviewed by Saam Barati.
2458
2459         Add test for anyrefs in globals, as well as adding a new RefNull initExpr for Builder.
2460
2461         * wasm/Builder.js:
2462         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2463         * wasm/Builder_WebAssemblyBinary.js:
2464         (const.putInitExpr):
2465         * wasm/references/anyref_globals.js: Added.
2466         (GetGlobal.0.End.End.WebAssembly):
2467         (5.doGCSet):
2468         (doGCTest):
2469         (doGCSet.doGCTest.let.count.0.doBarrierSet):
2470
2471 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2472
2473         DFG::OSREntry should not perform arity check
2474         https://bugs.webkit.org/show_bug.cgi?id=198189
2475
2476         Reviewed by Saam Barati.
2477
2478         * microbenchmarks/loop-osr-with-arity-mismatch.js: Added.
2479         (foo):
2480
2481 2019-05-23  Stephan Szabo  <stephan.szabo@sony.com>
2482
2483         [PlayStation] Skip additional tests on PlayStation
2484         https://bugs.webkit.org/show_bug.cgi?id=198145
2485
2486         Reviewed by Ross Kirsling.
2487
2488         * exceptionFuzz.yaml:
2489         Add skip on hostOS playstation
2490         * executableAllocationFuzz.yaml:
2491         Add skip on hostOS playstation
2492
2493 2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
2494
2495         createListFromArrayLike should throw if value is not an object
2496         https://bugs.webkit.org/show_bug.cgi?id=198138
2497
2498         Reviewed by Yusuke Suzuki.
2499
2500         * stress/create-list-from-array-like-not-object.js: Added.
2501         (testValid):
2502         (testInvalid):
2503         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
2504         (opt):
2505         * stress/proxy-proto-enumerator.js: Added.
2506         (main):
2507         * stress/proxy-proto-own-keys.js: Added.
2508         (assert):
2509         (ownKeys):
2510
2511 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2512
2513         [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
2514         https://bugs.webkit.org/show_bug.cgi?id=197809
2515
2516         Reviewed by Michael Saboff.
2517
2518         * stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.
2519         (foo):
2520
2521 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2522
2523         [ESNext] Implement support for Numeric Separators
2524         https://bugs.webkit.org/show_bug.cgi?id=196351
2525
2526         Reviewed by Keith Miller.
2527
2528         * stress/numeric-literal-separators.js: Added.
2529         Add tests for feature.
2530
2531         * test262/expectations.yaml:
2532         Mark 60 test cases as passing.
2533
2534 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2535
2536         llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
2537         https://bugs.webkit.org/show_bug.cgi?id=198120
2538         <rdar://problem/49668795>
2539
2540         Reviewed by Michael Saboff.
2541
2542         * stress/get-array-length-concurrently-change-mode.js: Added.
2543         (main):
2544
2545 2019-05-22  Commit Queue  <commit-queue@webkit.org>
2546
2547         Unreviewed, rolling out r245634.
2548         https://bugs.webkit.org/show_bug.cgi?id=198140
2549
2550         'This patch makes JSC crash on launch in debug builds'
2551         (Requested by tadeuzagallo on #webkit).
2552
2553         Reverted changeset:
2554
2555         "[ESNext] Implement support for Numeric Separators"
2556         https://bugs.webkit.org/show_bug.cgi?id=196351
2557         https://trac.webkit.org/changeset/245634
2558
2559 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
2560
2561         Stack-buffer-overflow in decodeURIComponent
2562         https://bugs.webkit.org/show_bug.cgi?id=198109
2563         <rdar://problem/50397550>
2564
2565         Reviewed by Michael Saboff.
2566
2567         * stress/decode-uri-icu-count-trail-bytes.js: Added.
2568         (i.j.try.i.toString):
2569         (i.j.catch):
2570
2571 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2572
2573         Don't clear PropertyNameArray in Proxy code
2574         https://bugs.webkit.org/show_bug.cgi?id=197691
2575
2576         Reviewed by Saam Barati.
2577
2578         * stress/proxy-get-own-property-names-should-not-clear-previous-results.js: Added.
2579         (shouldBe):
2580         (opt):
2581
2582 2019-05-22  Ross Kirsling  <ross.kirsling@sony.com>
2583
2584         [ESNext] Implement support for Numeric Separators
2585         https://bugs.webkit.org/show_bug.cgi?id=196351
2586
2587         Reviewed by Keith Miller.
2588
2589         * stress/numeric-literal-separators.js: Added.
2590         Add tests for feature.
2591
2592         * test262/expectations.yaml:
2593         Mark 60 test cases as passing.
2594
2595 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
2596
2597         [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
2598         https://bugs.webkit.org/show_bug.cgi?id=198101
2599
2600         Reviewed by Michael Saboff.
2601
2602         * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
2603         (shouldBe):
2604
2605 2019-05-20  Keith Miller  <keith_miller@apple.com>
2606
2607         Cleanup Yarr regexp code around paren contexts.
2608         https://bugs.webkit.org/show_bug.cgi?id=198063
2609
2610         Reviewed by Yusuke Suzuki.
2611
2612         * stress/regexp-many-named-sequential-capture-groups.js: Added.
2613         (i.s):
2614         * stress/regexp-many-unnamed-sequential-capture-groups.js: Added.
2615
2616 2019-05-17  Justin Michaud  <justin_michaud@apple.com>
2617
2618         [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values.
2619         https://bugs.webkit.org/show_bug.cgi?id=197969
2620
2621         Reviewed by Keith Miller.
2622
2623         Support the anyref type in Builder.js, plus add some extra error logging.
2624         Add new folder for wasm references tests.
2625
2626         * wasm.yaml:
2627         * wasm/Builder.js:
2628         (const._isValidValue):
2629         * wasm/references/anyref_modules.js: Added.
2630         (Call.3.RefIsNull.End.End.WebAssembly.js.ident):
2631         (Call.3.RefIsNull.End.End.WebAssembly.js.make_null):
2632         (Call.3.RefIsNull.End.End.WebAssembly):
2633         (undefined):
2634         * wasm/references/is_null.js: Added.
2635         * wasm/references/is_null_error.js: Added.
2636         * wasm/spec-harness/index.js:
2637         * wasm/wasm.json:
2638
2639 2019-05-16  Ross Kirsling  <ross.kirsling@sony.com>
2640
2641         [JSC] Invalid AssignmentTargetType should be an early error.
2642         https://bugs.webkit.org/show_bug.cgi?id=197603
2643
2644         Reviewed by Keith Miller.
2645
2646         * test262/expectations.yaml:
2647         Update expectations to reflect new SyntaxErrors.
2648         (Ideally, these should all be viewed as passing in the near future.)
2649
2650         * stress/async-await-basic.js:
2651         * stress/big-int-literals.js:
2652         Update tests to reflect new SyntaxErrors.
2653
2654         * ChakraCore.yaml:
2655         * ChakraCore/test/EH/try6.baseline-jsc:
2656         * ChakraCore/test/Error/variousErrors3.baseline-jsc: Added.
2657         Update baselines to reflect new SyntaxErrors.
2658
2659 2019-05-15  Saam Barati  <sbarati@apple.com>
2660
2661         Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
2662         https://bugs.webkit.org/show_bug.cgi?id=197855
2663         <rdar://problem/50236506>
2664
2665         Reviewed by Michael Saboff.
2666
2667         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
2668         (f0):
2669         (bar):
2670         (foo):
2671         * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
2672         (f1):
2673         (f2):
2674         (foo):
2675
2676 2019-05-14  Keith Miller  <keith_miller@apple.com>
2677
2678         Fix issue with byteOffset on ARM64E
2679         https://bugs.webkit.org/show_bug.cgi?id=197884
2680
2681         Reviewed by Saam Barati.
2682
2683         We didn't have any tests that run with non-byte/non-zero offset
2684         typed arrays.
2685
2686         * stress/ftl-gettypedarrayoffset-wasteful.js:
2687
2688 2019-05-14  Yusuke Suzuki  <ysuzuki@apple.com>
2689
2690         [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
2691         https://bugs.webkit.org/show_bug.cgi?id=197833
2692
2693         Reviewed by Darin Adler.
2694
2695         * stress/generator-name.js: Added.
2696         (shouldBe):
2697         (gen):
2698         (catch):
2699
2700 2019-05-13  Tadeu Zagallo  <tzagallo@apple.com>
2701
2702         JSObject::getOwnPropertyDescriptor is missing an exception check
2703         https://bugs.webkit.org/show_bug.cgi?id=197693
2704         <rdar://problem/50441784>
2705
2706         Reviewed by Saam Barati.
2707
2708         * stress/proxy-spread.js: Added.
2709         (foo):
2710
2711 2019-05-10  Saam barati  <sbarati@apple.com>
2712
2713         Call to JSToWasmICCallee::createStructure passes in wrong prototype value
2714         https://bugs.webkit.org/show_bug.cgi?id=197807
2715         <rdar://problem/50530400>
2716
2717         Reviewed by Yusuke Suzuki.
2718
2719         * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
2720         (test.getInstance):
2721         (test):
2722
2723 2019-05-10  Ross Kirsling  <ross.kirsling@sony.com>
2724
2725         [Test262] Unreviewed expectations update following r245188.
2726
2727         * test262/config.yaml:
2728         * test262/expectations.yaml:
2729
2730         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-infinity-throws.js:
2731         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-is-nan-throws.js:
2732         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-undefined-throws.js:
2733         * test262/test/intl402/DateTimeFormat/prototype/formatRange/date-x-greater-than-y-throws.js:
2734         * test262/test/intl402/DateTimeFormat/prototype/formatRange/this-is-not-object-throws.js:
2735         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-infinity-throws.js:
2736         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-is-nan-throws.js:
2737         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-undefined-throws.js:
2738         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/date-x-greater-than-y-throws.js:
2739         * test262/test/intl402/DateTimeFormat/prototype/formatRangeToParts/this-is-not-object-throws.js:
2740         These files have invalid YAML comments. Will also submit corrections back to Test262.
2741
2742 2019-05-10  Keith Miller  <keith_miller@apple.com>
2743
2744         Update test262 tests.
2745
2746         Rubber-stamped by Yusuke Suzuki.
2747
2748         * test262/*: mega-patch too many things to list individually.
2749
2750 2019-05-09  Keith Miller  <keith_miller@apple.com>
2751
2752         Unreviewed, fix test to have a try-catch.
2753
2754         * stress/many-nested-functions-parser-stack-overflow.js:
2755         (catch):
2756
2757 2019-05-09  Keith Miller  <keith_miller@apple.com>
2758
2759         parseStatementListItem needs a stack overflow check
2760         https://bugs.webkit.org/show_bug.cgi?id=197749
2761
2762         Reviewed by Saam Barati.
2763
2764         * stress/many-nested-functions-parser-stack-overflow.js: Added.
2765
2766 2019-05-08  Saam barati  <sbarati@apple.com>
2767
2768         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
2769         https://bugs.webkit.org/show_bug.cgi?id=197715
2770         <rdar://problem/50399252>
2771
2772         Reviewed by Filip Pizlo.
2773
2774         * stress/polymorphic-access-exception-handler-should-not-clobber-used-register.js: Added.
2775         (foo):
2776         (bar):
2777
2778 2019-05-08  Ryan Haddad  <ryanhaddad@apple.com>
2779
2780         Unreviewed, rolling out r245068.
2781
2782         Caused debug layout tests to exit early due to an assertion
2783         failure.
2784
2785         Reverted changeset:
2786
2787         "All prototypes should call didBecomePrototype()"
2788         https://bugs.webkit.org/show_bug.cgi?id=196315
2789         https://trac.webkit.org/changeset/245068
2790
2791 2019-05-08  Yusuke Suzuki  <ysuzuki@apple.com>
2792
2793         Invalid DFG JIT generation in high CPU usage state
2794         https://bugs.webkit.org/show_bug.cgi?id=197453
2795
2796         Reviewed by Saam Barati.
2797
2798         * stress/string-ident-use-clears-abstract-value-if-rope-string-constant-is-held.js: Added.
2799         (trigger):
2800         (main):
2801
2802 2019-05-08  Robin Morisset  <rmorisset@apple.com>
2803
2804         All prototypes should call didBecomePrototype()
2805         https://bugs.webkit.org/show_bug.cgi?id=196315
2806
2807         Reviewed by Saam Barati.
2808
2809         This changelog already landed, but the commit was missing the actual changes.
2810
2811         * stress/function-prototype-indexed-accessor.js: Added.
2812
2813 2019-05-08  Caio Lima  <ticaiolima@gmail.com>
2814
2815         [BigInt] Add ValueMod into DFG
2816         https://bugs.webkit.org/show_bug.cgi?id=186174
2817
2818         Reviewed by Saam Barati.
2819
2820         * microbenchmarks/mod-untyped.js: Added.
2821         * stress/big-int-mod-osr.js: Added.
2822         * stress/value-div-ai-rule.js: Added.
2823         * stress/value-mod-ai-rule.js: Added.
2824
2825 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2826
2827         [JSC] DFG_ASSERT failed in lowInt52
2828         https://bugs.webkit.org/show_bug.cgi?id=197569
2829
2830         Reviewed by Saam Barati.
2831
2832         * stress/getstack-int52.js: Added.
2833         (opt):
2834         (main):
2835
2836 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2837
2838         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
2839         https://bugs.webkit.org/show_bug.cgi?id=197479
2840
2841         Reviewed by Saam Barati.
2842
2843         * stress/do-not-perform-bytecode-peephole-optimization-in-jump-target.js: Added.
2844         (shouldBe):
2845
2846 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
2847
2848         TemplateObject passed to template literal tags are not always identical for the same source location.
2849         https://bugs.webkit.org/show_bug.cgi?id=190756
2850
2851         Reviewed by Saam Barati.
2852
2853         * complex.yaml:
2854         * complex/tagged-template-regeneration-after.js: Added.
2855         (shouldBe):
2856         * complex/tagged-template-regeneration.js: Added.
2857         (call):
2858         (test):
2859         * modules/tagged-template-inside-module.js: Added.
2860         (from.string_appeared_here.call):
2861         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
2862         (call):
2863         (export.otherTaggedTemplates):
2864         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
2865         (shouldBe):
2866         (call):
2867         (poly):
2868         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
2869         (shouldBe):
2870         (call):
2871         * stress/tagged-templates-in-function-in-direct-eval.js: Added.
2872         (shouldBe):
2873         (call):
2874         (test):
2875         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
2876         (shouldBe):
2877         (call):
2878         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
2879         (shouldBe):
2880         (call):
2881         * stress/tagged-templates-in-multiple-functions.js: Added.
2882         (shouldBe):
2883         (call):
2884         (a):
2885         (b):
2886         (c):
2887         * stress/tagged-templates-with-same-start-offset.js: Added.
2888         (shouldBe):
2889
2890 2019-05-07  Robin Morisset  <rmorisset@apple.com>
2891
2892         All prototypes should call didBecomePrototype()
2893         https://bugs.webkit.org/show_bug.cgi?id=196315
2894
2895         Reviewed by Saam Barati.
2896
2897         * stress/function-prototype-indexed-accessor.js: Added.
2898
2899 2019-05-07  Commit Queue  <commit-queue@webkit.org>
2900
2901         Unreviewed, rolling out r244978.
2902         https://bugs.webkit.org/show_bug.cgi?id=197671
2903
2904         TemplateObject map should use start/end offsets (Requested by
2905         yusukesuzuki on #webkit).
2906
2907         Reverted changeset:
2908
2909         "TemplateObject passed to template literal tags are not always
2910         identical for the same source location."
2911         https://bugs.webkit.org/show_bug.cgi?id=190756
2912         https://trac.webkit.org/changeset/244978
2913
2914 2019-05-07  Tadeu Zagallo  <tzagallo@apple.com>
2915
2916         tryCachePutByID should not crash if target offset changes
2917         https://bugs.webkit.org/show_bug.cgi?id=197311
2918         <rdar://problem/48033612>
2919
2920         Reviewed by Filip Pizlo.
2921
2922         Add a series of tests related to tryCachePutByID. Two of these tests used to crash and were fixed
2923         by this patch: `cache-put-by-id-different-attributes.js` and `cache-put-by-id-different-offset.js`
2924
2925         * stress/cache-put-by-id-delete-prototype.js: Added.
2926         (A.prototype.set y):
2927         (A):
2928         (B.prototype.set y):
2929         (B):
2930         (C):
2931         * stress/cache-put-by-id-different-__proto__.js: Added.
2932         (A.prototype.set y):
2933         (A):
2934         (B1):
2935         (B2.prototype.set y):
2936         (B2):
2937         (C):
2938         (D):
2939         * stress/cache-put-by-id-different-attributes.js: Added.
2940         (Foo):
2941         (set x):
2942         * stress/cache-put-by-id-different-offset.js: Added.
2943         (Foo):
2944         (set x):
2945         * stress/cache-put-by-id-insert-prototype.js: Added.
2946         (A.prototype.set y):
2947         (A):
2948         (C):
2949         * stress/cache-put-by-id-poly-proto.js: Added.
2950         (Foo):
2951         (set _):
2952         (createBar.Bar):
2953         (createBar):
2954
2955 2019-05-07  Saam Barati  <sbarati@apple.com>
2956
2957         Don't OSR enter into an FTL CodeBlock that has been jettisoned
2958         https://bugs.webkit.org/show_bug.cgi?id=197531
2959         <rdar://problem/50162379>
2960
2961         Reviewed by Yusuke Suzuki.
2962
2963         * stress/dont-osr-enter-into-jettisoned-ftl-code-block.js: Added.
2964
2965 2019-05-06  Dean Jackson  <dino@apple.com>
2966
2967         Update test262 expectations for Proxy passes
2968         https://bugs.webkit.org/show_bug.cgi?id=197628
2969
2970         Reviewed by Yusuke Suzuki.
2971
2972         There are two consistent passes in Proxy.ownKeys.
2973
2974         * test262/expectations.yaml:
2975
2976 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2977
2978         [JSC] We should check OOM for description string of Symbol
2979         https://bugs.webkit.org/show_bug.cgi?id=197634
2980
2981         Reviewed by Keith Miller.
2982
2983         * stress/check-symbol-description-oom.js: Added.
2984         (shouldThrow):
2985
2986 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2987
2988         Unreviewed, land one more test
2989         https://bugs.webkit.org/show_bug.cgi?id=197587
2990
2991         * stress/setter-frame-flush.js: Added.
2992         (setter):
2993         (foo):
2994         (bar):
2995
2996 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
2997
2998         TemplateObject passed to template literal tags are not always identical for the same source location.
2999         https://bugs.webkit.org/show_bug.cgi?id=190756
3000
3001         Reviewed by Saam Barati.
3002
3003         * complex.yaml:
3004         * complex/tagged-template-regeneration-after.js: Added.
3005         (shouldBe):
3006         * complex/tagged-template-regeneration.js: Added.
3007         (call):
3008         (test):
3009         * modules/tagged-template-inside-module.js: Added.
3010         (from.string_appeared_here.call):
3011         * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
3012         (call):
3013         (export.otherTaggedTemplates):
3014         * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
3015         (shouldBe):
3016         (call):
3017         (poly):
3018         * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
3019         (shouldBe):
3020         (call):
3021         * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
3022         (shouldBe):
3023         (call):
3024         * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
3025         (shouldBe):
3026         (call):
3027         * stress/tagged-templates-in-multiple-functions.js: Added.
3028         (shouldBe):
3029         (call):
3030         (a):
3031         (b):
3032         (c):
3033
3034 2019-05-06  Stephan Szabo  <stephan.szabo@sony.com>
3035
3036         [PlayStation] JSC Stress tests failing due to timezone printing
3037         https://bugs.webkit.org/show_bug.cgi?id=197615
3038
3039         PlayStation's strftime does not give timezone strings, which
3040         results in time strings like "Wed Oct 23 1974 11:45:01 GMT-0700"
3041         rather than "Wed Oct 23 1974 11:45:01 GMT-0700 (Pacific Daylight Time)"
3042         which causes diff failures with the expectations. Add expectations
3043         without the timezone string and use those on playstation.
3044
3045         Reviewed by Ross Kirsling.
3046
3047         * ChakraCore.yaml: Update these tests to use alternate expectation file on PlayStation
3048         * ChakraCore/test/GlobalFunctions/InternalToString.baseline-jsc-playstation: Added.
3049         * ChakraCore/test/Operators/equals.baseline-jsc-playstation: Added.
3050         * ChakraCore/test/fieldopts/objtypespec-newobj.2.baseline-jsc-playstation: Added.
3051
3052 2019-05-06  Yusuke Suzuki  <ysuzuki@apple.com>
3053
3054         [JSC] Add more tests for DFG SetLocal emission for adhoc SetterCall frame
3055         https://bugs.webkit.org/show_bug.cgi?id=197587
3056
3057         Reviewed by Sam Weinig.
3058
3059         This patch adds more tests to r244939. It also inlines setter calls, and eventually sees that no PutStack is emitted because MovHint's KillStack kills it.
3060
3061         * stress/adhoc-setter-frame-should-not-be-killed.js: Added.
3062
3063 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
3064
3065         TypedArrays should not store properties that are canonical numeric indices
3066         https://bugs.webkit.org/show_bug.cgi?id=197228
3067         <rdar://problem/49557381>
3068
3069         Reviewed by Saam Barati.
3070
3071         * stress/array-species-config-array-constructor.js:
3072         (test):
3073         * stress/put-direct-index-broken-2.js:
3074         * stress/typed-array-canonical-numeric-index-string.js: Added.
3075         (makeTest.assert):
3076         (makeTest):
3077         (const.testInvalidIndices.makeTest.set assert):
3078         (const.testInvalidIndices.makeTest):
3079         (const.makeTestValidIndex.configurable.set assert):
3080         (const.makeTestValidIndex.configurable):
3081         * stress/typedarray-access-monomorphic-neutered.js:
3082         (checkNoException):
3083         (testNoException):
3084         (testFTLNoException):
3085         * stress/typedarray-access-neutered.js:
3086         (testNoException):
3087         * stress/typedarray-getownproperty-not-configurable.js:
3088         (foo):
3089         * test262/expectations.yaml:
3090
3091 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3092
3093         [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
3094         https://bugs.webkit.org/show_bug.cgi?id=197584
3095
3096         Reviewed by Saam Barati.
3097
3098         * stress/adhoc-setter-frame-should-emit-setlocal-again.js: Added.
3099         (X):
3100         (foo):
3101
3102 2019-05-03  Michael Saboff  <msaboff@apple.com>
3103
3104         iOS JSC tests frequently exiting with exception after stress/json-stringify-string-builder-overflow.js.no-cjit-validate-phases
3105         https://bugs.webkit.org/show_bug.cgi?id=197586
3106
3107         Reviewed by Keith Miller.
3108
3109         We should only run one config of this test and only when we think we'll have the memory.
3110
3111         * stress/json-stringify-string-builder-overflow.js:
3112
3113 2019-05-03  Yusuke Suzuki  <ysuzuki@apple.com>
3114
3115         [JSC] Generator CodeBlock generation should be idempotent
3116         https://bugs.webkit.org/show_bug.cgi?id=197552
3117
3118         Reviewed by Keith Miller.
3119
3120         Add complex.yaml, which controls how to run JSC shell more.
3121         We split test files into two to run macro task between them which allows debugger to be attached to VM.
3122
3123         * complex.yaml: Added.
3124         * complex/generator-regeneration-after.js: Added.
3125         * complex/generator-regeneration.js: Added.
3126         (gen):
3127
3128 2019-05-02  Michael Saboff  <msaboff@apple.com>
3129
3130         Unreviewed rollout of r244862.
3131
3132         * stress/proxy-getOwnPropertySlots-exceptionChecks.js:
3133
3134 2019-05-01  Saam barati  <sbarati@apple.com>
3135
3136         Baseline JIT should do argument value profiling after checking for stack overflow
3137         https://bugs.webkit.org/show_bug.cgi?id=197052
3138         <rdar://problem/50009602>
3139
3140         Reviewed by Yusuke Suzuki.
3141
3142         * stress/check-stack-overflow-before-value-profiling-arguments.js: Added.
3143
3144 2019-05-01  Yusuke Suzuki  <ysuzuki@apple.com>
3145
3146         [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame
3147         https://bugs.webkit.org/show_bug.cgi?id=197405
3148
3149         Reviewed by Saam Barati.
3150
3151         * stress/getter-setter-inlining-should-emit-movhint.js: Added.
3152         (foo):
3153         (test):
3154         (i.o.get f):
3155         (i.o.set f):
3156
3157 2019-05-01  Michael Saboff  <msaboff@apple.com>
3158
3159         ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter
3160         https://bugs.webkit.org/show_bug.cgi?id=197485
3161
3162         Reviewed by Saam Barati.
3163
3164         New test.
3165
3166         * stress/proxy-getOwnPropertySlots-exceptionChecks.js: Added.
3167         (foo):
3168
3169 2019-05-01  Ross Kirsling  <ross.kirsling@sony.com>
3170
3171         Unreviewed correction to Test262 expectations following r244828.
3172
3173         * test262/expectations.yaml:
3174
3175 2019-05-01  Stephan Szabo  <stephan.szabo@sony.com>
3176
3177         Add memory-limited skipping to some tests generating very large strings
3178         https://bugs.webkit.org/show_bug.cgi?id=197437
3179
3180         Reviewed by Ross Kirsling.
3181
3182         * stress/StringObject-define-length-getter-rope-string-oom.js:
3183         * stress/create-error-out-of-memory-rope-string.js:
3184         * stress/string-16bit-repeat-overflow.js:
3185
3186 2019-04-30  Commit Queue  <commit-queue@webkit.org>
3187
3188         Unreviewed, rolling out r244806.
3189         https://bugs.webkit.org/show_bug.cgi?id=197446
3190
3191         Causing Test262 and JSC test failures on multiple builds
3192         (Requested by ShawnRoberts on #webkit).
3193
3194         Reverted changeset:
3195
3196         "TypeArrays should not store properties that are canonical
3197         numeric indices"
3198         https://bugs.webkit.org/show_bug.cgi?id=197228
3199         https://trac.webkit.org/changeset/244806
3200
3201 2019-04-30  Tadeu Zagallo  <tzagallo@apple.com>
3202
3203         TypeArrays should not store properties that are canonical numeric indices
3204         https://bugs.webkit.org/show_bug.cgi?id=197228
3205         <rdar://problem/49557381>
3206
3207         Reviewed by Darin Adler.
3208
3209         * stress/typed-array-canonical-numeric-index-string.js: Added.
3210         (makeTest.assert):
3211         (makeTest):
3212         (const.testInvalidIndices.makeTest.set assert):
3213         (const.testInvalidIndices.makeTest):
3214         (const.testValidIndices.makeTest.set assert):
3215         (const.testValidIndices.makeTest):
3216
3217 2019-04-29  Yusuke Suzuki  <ysuzuki@apple.com>
3218
3219         normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
3220         https://bugs.webkit.org/show_bug.cgi?id=197362
3221
3222         Reviewed by Saam Barati.
3223
3224         * stress/map-with-nan.js: Added.
3225         (shouldBe):
3226         (div):
3227         (NaN1):
3228         (NaN2):
3229         (NaN3):
3230         (NaN4):
3231         (NaN1NoInline):
3232         (NaN2NoInline):
3233         (NaN3NoInline):
3234         (NaN4NoInline):
3235         (test1):
3236         (test2):
3237         (test3):
3238         (test4):
3239         * stress/set-with-nan.js: Added.
3240         (shouldBe):
3241         (div):
3242         (NaN1):
3243         (NaN2):
3244         (NaN3):
3245         (NaN4):
3246         (NaN1NoInline):
3247         (NaN2NoInline):
3248         (NaN3NoInline):
3249         (NaN4NoInline):
3250         (test2):
3251         (test4):
3252
3253 2019-04-26  Commit Queue  <commit-queue@webkit.org>
3254
3255         Unreviewed, rolling out r244708.
3256         https://bugs.webkit.org/show_bug.cgi?id=197334
3257
3258         "Broke the debug build" (Requested by rmorisset on #webkit).
3259
3260         Reverted changeset:
3261
3262         "All prototypes should call didBecomePrototype()"
3263         https://bugs.webkit.org/show_bug.cgi?id=196315
3264         https://trac.webkit.org/changeset/244708
3265
3266 2019-04-25  Yusuke Suzuki  <ysuzuki@apple.com>
3267
3268         [JSC] linkPolymorphicCall now does GC
3269         https://bugs.webkit.org/show_bug.cgi?id=197306
3270
3271         Reviewed by Saam Barati.
3272
3273         * stress/link-polymorphic-call-can-gc.js: Added.
3274         (module):
3275         (instance):
3276
3277 2019-04-26  Robin Morisset  <rmorisset@apple.com>
3278
3279         All prototypes should call didBecomePrototype()
3280         https://bugs.webkit.org/show_bug.cgi?id=196315
3281
3282         Reviewed by Saam Barati.
3283
3284         * stress/function-prototype-indexed-accessor.js: Added.
3285
3286 2019-04-23  Saam Barati  <sbarati@apple.com>
3287
3288         LICM incorrectly assumes it'll never insert a node which provably OSR exits
3289         https://bugs.webkit.org/show_bug.cgi?id=196721
3290         <rdar://problem/49556479> 
3291
3292         Reviewed by Filip Pizlo.
3293
3294         * stress/licm-should-handle-if-a-hoist-causes-a-provable-osr-exit.js: Added.
3295         (foo):
3296
3297 2019-04-19  Saam Barati  <sbarati@apple.com>
3298
3299         AbstractValue can represent more than int52
3300         https://bugs.webkit.org/show_bug.cgi?id=197118
3301         <rdar://problem/49969960>
3302
3303         Reviewed by Michael Saboff.
3304
3305         * stress/abstract-value-can-include-int52.js: Added.
3306         (foo):
3307         (index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):
3308
3309 2019-04-18  Yusuke Suzuki  <ysuzuki@apple.com>
3310
3311         [WTF] StringBuilder should set correct m_is8Bit flag when merging
3312         https://bugs.webkit.org/show_bug.cgi?id=197053
3313
3314         Reviewed by Saam Barati.
3315
3316         * stress/merge-string-builder-in-dfg.js: Added.
3317         (foo):
3318
3319 2019-04-16  Caitlin Potter  <caitp@igalia.com>
3320
3321         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3322         https://bugs.webkit.org/show_bug.cgi?id=176810
3323
3324         Reviewed by Saam Barati.
3325
3326         Add tests for the DontEnum filtering, and variations of other tests
3327         take the DontEnum-filtering path.
3328
3329         * stress/proxy-own-keys.js:
3330         (i.catch):
3331         (set assert):
3332         (set add):
3333         (let.set new):
3334         (get let):
3335
3336 2019-04-15  Saam barati  <sbarati@apple.com>
3337
3338         Modify how we do SetArgument when we inline varargs calls
3339         https://bugs.webkit.org/show_bug.cgi?id=196712
3340         <rdar://problem/49605012>
3341
3342         Reviewed by Michael Saboff.
3343
3344         * stress/get-stack-wrong-type-when-inline-varargs.js: Added.
3345         (foo):
3346
3347 2019-04-15  Saam barati  <sbarati@apple.com>
3348
3349         SafeToExecute for GetByOffset/GetGetterByOffset/PutByOffset is using the wrong child for the base
3350         https://bugs.webkit.org/show_bug.cgi?id=196945
3351         <rdar://problem/49802750>
3352
3353         Reviewed by Filip Pizlo.
3354
3355         * stress/get-by-offset-should-use-correct-child.js: Added.
3356         (foo.bar):
3357         (foo):
3358
3359 2019-04-15  Robin Morisset  <rmorisset@apple.com>
3360
3361         DFG should be able to constant fold Object.create() with a constant prototype operand
3362         https://bugs.webkit.org/show_bug.cgi?id=196886
3363
3364         Reviewed by Yusuke Suzuki.
3365
3366         Note that this new benchmark does not currently see a speedup with inlining removed.
3367         The reason is that we do not yet have inline caching for Object.create(), we only optimize it when the DFG can see statically the prototype being passed.
3368
3369         * microbenchmarks/object-create-constant-prototype.js: Added.
3370         (test):
3371
3372 2019-04-15  Tadeu Zagallo  <tzagallo@apple.com>
3373
3374         Incremental bytecode cache should not append function updates when loaded from memory
3375         https://bugs.webkit.org/show_bug.cgi?id=196865
3376
3377         Reviewed by Filip Pizlo.
3378
3379         * stress/bytecode-cache-shared-code-block.js: Added.
3380         (b):
3381         (program):
3382
3383 2019-04-13  Tadeu Zagallo  <tzagallo@apple.com>
3384
3385         CodeCache should check that the UnlinkedCodeBlock was successfully created before caching it
3386         https://bugs.webkit.org/show_bug.cgi?id=196880
3387
3388         Reviewed by Yusuke Suzuki.
3389
3390         * stress/bytecode-cache-syntax-error.js: Added.
3391         (catch):
3392
3393 2019-04-12  Saam barati  <sbarati@apple.com>
3394
3395         r244079 logically broke shouldSpeculateInt52
3396         https://bugs.webkit.org/show_bug.cgi?id=196884
3397
3398         Reviewed by Yusuke Suzuki.
3399
3400         * microbenchmarks/int52-rand-function.js: Added.
3401         (Math.random):
3402
3403 2019-04-11  Yusuke Suzuki  <ysuzuki@apple.com>
3404
3405         [JSC] op_has_indexed_property should not assume subscript part is Uint32
3406         https://bugs.webkit.org/show_bug.cgi?id=196850
3407
3408         Reviewed by Saam Barati.
3409
3410         * stress/has-indexed-property-should-accept-non-int32.js: Added.
3411         (foo):
3412
3413 2019-04-11  Saam barati  <sbarati@apple.com>
3414
3415         Remove invalid assertion in operationInstanceOfCustom
3416         https://bugs.webkit.org/show_bug.cgi?id=196842
3417         <rdar://problem/49725493>
3418
3419         Reviewed by Michael Saboff.
3420
3421         * stress/operationInstanceOfCustom-bad-assertion.js: Added.
3422
3423 2019-04-10  Saam Barati  <sbarati@apple.com>
3424
3425         AbstractValue::validateOSREntryValue is wrong for Int52 constants
3426         https://bugs.webkit.org/show_bug.cgi?id=196801
3427         <rdar://problem/49771122>
3428
3429         Reviewed by Yusuke Suzuki.
3430
3431         * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
3432
3433 2019-04-10  Robin Morisset  <rmorisset@apple.com>
3434
3435         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
3436         https://bugs.webkit.org/show_bug.cgi?id=196746
3437
3438         Reviewed by Yusuke Suzuki.
3439
3440         * stress/cyclic-define-properties.js: Added.
3441         (foo):
3442
3443 2019-04-09  Saam barati  <sbarati@apple.com>
3444
3445         Clean up Int52 code and some bugs in it
3446         https://bugs.webkit.org/show_bug.cgi?id=196639
3447         <rdar://problem/49515757>
3448
3449         Reviewed by Yusuke Suzuki.
3450
3451         * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
3452
3453 2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
3454
3455         ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
3456         https://bugs.webkit.org/show_bug.cgi?id=196708
3457         <rdar://problem/49556803>
3458
3459         Reviewed by Yusuke Suzuki.
3460
3461         * stress/proxy-getter-stack-overflow.js: Added.
3462         (const.handler.get target):
3463         (const.handler.has):
3464         (try.with):
3465         (catch):
3466
3467 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3468
3469         [JSC] DFG should respect node's strict flag
3470         https://bugs.webkit.org/show_bug.cgi?id=196617
3471
3472         Reviewed by Saam Barati.
3473
3474         * stress/put-by-val-direct-should-respect-strict-mode-of-inlining-codeblock.js: Added.
3475         (shouldEqual):
3476         (makeUnwriteableUnconfigurableObject):
3477         (runTest):
3478         * stress/put-dynamic-var-strict-and-sloppy.js: Added.
3479         (shouldBe):
3480         (shouldThrow):
3481         (with.result):
3482         (with.putValueStrict):
3483         (with.putValueSloppy):
3484
3485 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3486
3487         [JSC] isRope jump in StringSlice should not jump over register allocations
3488         https://bugs.webkit.org/show_bug.cgi?id=196716
3489
3490         Reviewed by Saam Barati.
3491
3492         * stress/is-rope-check-in-string-slice-should-not-jump-over-register-allocations.js: Added.
3493         (foo.bar):
3494         (foo):
3495
3496 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3497
3498         [JSC] to_index_string should not assume incoming value is Uint32
3499         https://bugs.webkit.org/show_bug.cgi?id=196713
3500
3501         Reviewed by Saam Barati.
3502
3503         * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
3504         (foo):
3505
3506 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3507
3508         [JSC] Add more tests for r243966
3509         https://bugs.webkit.org/show_bug.cgi?id=196711
3510
3511         Reviewed by Saam Barati.
3512
3513         Adding one more test for r243966 fix. The added test will not crash after r243966.
3514
3515         * stress/stress-cleared-calllinkinfo.js: Added.
3516         (runNearStackLimit.t):
3517         (runNearStackLimit):
3518         (repeat):
3519         (cls):
3520         (let.item.of.array.runNearStackLimit):
3521
3522 2019-04-08  Saam Barati  <sbarati@apple.com>
3523
3524         WebAssembly.RuntimeError missing exception check
3525         https://bugs.webkit.org/show_bug.cgi?id=196700
3526         <rdar://problem/49693932>
3527
3528         Reviewed by Yusuke Suzuki.
3529
3530         * wasm/js-api/runtime-error-should-exception-check.js: Added.
3531
3532 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
3533
3534         Unreviewed, rolling in r243948 with test fix
3535         https://bugs.webkit.org/show_bug.cgi?id=196486
3536
3537         * stress/arrow-function-and-use-strict-directive.js: Added.
3538         * stress/arrow-function-syntax.js: Added.
3539         (checkSyntax):
3540         (checkSyntaxError):
3541
3542 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3543
3544         Unreviewed, rolling out r243948.
3545
3546         Caused inspector/runtime/parse.html to fail
3547
3548         Reverted changeset:
3549
3550         "SIGSEGV in JSC::BytecodeGenerator::addStringConstant"
3551         https://bugs.webkit.org/show_bug.cgi?id=196486
3552         https://trac.webkit.org/changeset/243948
3553
3554 2019-04-08  Ryan Haddad  <ryanhaddad@apple.com>
3555
3556         Unreviewed, rolling out r243943.
3557
3558         Caused test262 failures.
3559
3560         Reverted changeset:
3561
3562         "[JSC] Filter DontEnum properties in
3563         ProxyObject::getOwnPropertyNames()"
3564         https://bugs.webkit.org/show_bug.cgi?id=176810
3565         https://trac.webkit.org/changeset/243943
3566
3567 2019-04-07  Michael Saboff  <msaboff@apple.com>
3568
3569         REGRESSION (r243642): Crash in reddit.com page
3570         https://bugs.webkit.org/show_bug.cgi?id=196684
3571
3572         Reviewed by Geoffrey Garen.
3573
3574         New regression test.
3575
3576         * stress/regexp-nongreedy-charclass-backtracks.js: Added.
3577
3578 2019-04-07  Yusuke Suzuki  <ysuzuki@apple.com>
3579
3580         [JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
3581         https://bugs.webkit.org/show_bug.cgi?id=196683
3582
3583         Reviewed by Saam Barati.
3584
3585         * stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
3586         (foo):
3587
3588 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3589
3590         [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
3591         https://bugs.webkit.org/show_bug.cgi?id=196582
3592
3593         Reviewed by Saam Barati.
3594
3595         * stress/add-overflow-check-with-three-same-registers.js: Added.
3596         (foo):
3597         (Number.prototype.valueOf):
3598         (runWithNumber):
3599
3600 2019-04-05  Ryan Haddad  <ryanhaddad@apple.com>
3601
3602         Unreviewed, rolling out r243665.
3603
3604         Caused iOS JSC tests to exit with an exception.
3605
3606         Reverted changeset:
3607
3608         "Assertion failed in JSC::createError"
3609         https://bugs.webkit.org/show_bug.cgi?id=196305
3610         https://trac.webkit.org/changeset/243665
3611
3612 2019-04-05  Yusuke Suzuki  <ysuzuki@apple.com>
3613
3614         SIGSEGV in JSC::BytecodeGenerator::addStringConstant
3615         https://bugs.webkit.org/show_bug.cgi?id=196486
3616
3617         Reviewed by Saam Barati.
3618
3619         * stress/arrow-function-and-use-strict-directive.js: Added.
3620         * stress/arrow-function-syntax.js: Added. Checking EOF token handling.
3621         (checkSyntax):
3622         (checkSyntaxError): Currently not using it. But it is useful for testing more things related to arrow function syntax.
3623
3624 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3625
3626         [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames()
3627         https://bugs.webkit.org/show_bug.cgi?id=176810
3628
3629         Reviewed by Saam Barati.
3630
3631         Add tests for the DontEnum filtering, and variations of other tests
3632         take the DontEnum-filtering path.
3633
3634         * stress/proxy-own-keys.js:
3635         (i.catch):
3636         (set assert):
3637         (set add):
3638         (let.set new):
3639         (get let):
3640
3641 2019-04-05  Caitlin Potter  <caitp@igalia.com>
3642
3643         [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys
3644         https://bugs.webkit.org/show_bug.cgi?id=185211
3645
3646         Reviewed by Saam Barati.
3647
3648         This is for the normative spec change in https://github.com/tc39/ecma262/pull/833
3649
3650         This changes several assertions to expect a TypeError to be thrown (in some cases,
3651         changing the expected message).
3652
3653         * es6/Proxy_ownKeys_duplicates.js:
3654         (handler):
3655         (shouldThrow):
3656         (test):
3657         * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3658         (shouldThrow):
3659         * stress/proxy-own-keys.js:
3660         (i.catch):
3661         (assert):
3662
3663 2019-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
3664
3665         [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
3666         https://bugs.webkit.org/show_bug.cgi?id=196631
3667
3668         Reviewed by Saam Barati.
3669
3670         * stress/make-bound-function-should-not-assume-int32-length.js: Added.
3671         (assert):
3672         (test):
3673         (foo):
3674
3675 2019-04-04  Saam Barati  <sbarati@apple.com>
3676
3677         Unreviewed. Make the test from r243906 catch the thrown exceptions.
3678
3679         * stress/inferred-types-regex-matches-array.js:
3680
3681 2019-04-04  Saam Barati  <sbarati@apple.com>
3682
3683         createRegExpMatchesArray does not respect inferred types
3684         https://bugs.webkit.org/show_bug.cgi?id=193287
3685
3686         Reviewed by Yusuke Suzuki.
3687
3688         This checks in the test case for 193287. This issue was discovered by
3689         Samuel Groß of Google Project Zero.
3690
3691         * stress/inferred-types-regex-matches-array.js: Added.
3692
3693 2019-04-04  Saam barati  <sbarati@apple.com>
3694
3695         Teach Call ICs how to call Wasm
3696         https://bugs.webkit.org/show_bug.cgi?id=196387
3697
3698         Reviewed by Filip Pizlo.
3699
3700         * wasm/function-tests/stack-trace.js:
3701
3702 2019-04-04  Caio Lima  <ticaiolima@gmail.com>
3703
3704         [JSC] We should consider moving UnlinkedFunctionExecutable::m_parentScopeTDZVariables to RareData
3705         https://bugs.webkit.org/show_bug.cgi?id=194944
3706
3707         Reviewed by Keith Miller.
3708
3709         * stress/verify-bytecode-generator-cached-variables-under-tdz.js: Added.
3710
3711 2019-04-04  Tadeu Zagallo  <tzagallo@apple.com>
3712
3713         Cache bytecode for jsc.cpp helpers and fix CachedStringImpl