oven-sh
diff --git a/‎JSTests/stress/array-fast-fill-beyond-length.js
+13 b/‎JSTests/stress/array-fast-fill-beyond-length.js
+13
diff --git a/‎JSTests/stress/reduce-assertNoException.js
+42 b/‎JSTests/stress/reduce-assertNoException.js
+42
diff --git a/‎JSTests/stress/to-this-flags.js
+5 b/‎JSTests/stress/to-this-flags.js
+5
diff --git a/‎JSTests/wasm/stress/catch-function-signature.js
+18 b/‎JSTests/wasm/stress/catch-function-signature.js
+18
diff --git a/‎LayoutTests/imported/w3c/web-platform-tests/css/css-writing-modes/reference/sideways-lr-main-axis-ref.html
+61 b/‎LayoutTests/imported/w3c/web-platform-tests/css/css-writing-modes/reference/sideways-lr-main-axis-ref.html
+61
diff --git a/‎LayoutTests/imported/w3c/web-platform-tests/css/css-writing-modes/sideways-lr-main-axis-expected.html
+61 b/‎LayoutTests/imported/w3c/web-platform-tests/css/css-writing-modes/sideways-lr-main-axis-expected.html
+61
diff --git a/‎LayoutTests/imported/w3c/web-platform-tests/css/css-writing-modes/sideways-lr-main-axis.html
+57 b/‎LayoutTests/imported/w3c/web-platform-tests/css/css-writing-modes/sideways-lr-main-axis.html
+57
diff --git a/‎Source/JavaScriptCore/runtime/InternalFunction.cpp
+1-1 b/‎Source/JavaScriptCore/runtime/InternalFunction.cpp
+1-1
diff --git a/‎Source/JavaScriptCore/runtime/JSArray.cpp
+4 b/‎Source/JavaScriptCore/runtime/JSArray.cpp
+4
diff --git a/‎Source/JavaScriptCore/runtime/RegExpPrototype.cpp
+10-6 b/‎Source/JavaScriptCore/runtime/RegExpPrototype.cpp
+10-6
@@ -0,0 +1,13 @@
+const v0 = [];
+for (let i2 = 0; i2 < 1000000; i2++) {
+    v0[i2] = [];
+}
+const v10 = new Object(Object, v0);
+function f11() {
+    v0.length = 0;
+    return 0;
+}
+const o14 = {
+    "valueOf": f11,
+};
+v0.fill(v10, o14);
@@ -0,0 +1,42 @@
+//@ runDefault("--watchdog=500", "--watchdog-exception-ok")
+function placeholder() {}
+function main() {
+  const z48431 = [0.4, 1145324612];
+  for (let v4 = 0; v4 < 100; v4++) {
+    const v6 = Array(46139);
+    let v7 = undefined;
+    const v9 = class V9 extends Int16Array {
+      constructor(v11, v12, v13) {
+        super();
+      }
+      split() {
+        return 'Test262Error: ' + this.message;
+      }
+    };
+    const v16 = new v9();
+    function v18(v19, v20, v21, v22) {
+      v7 = forceGCSlowPaths;
+    }
+  }
+  const z570009 = [0.4, 1145324612];
+  const z676068 = [0.4, 1145324612];
+  const v23 = 0;
+  const v24 = 100;
+  const z106237 = [0.4, 1145324612];
+  const z788844 = [0.4, 1145324612];
+  const z115753 = [0.4, 1145324612];
+  const z913254 = [0.4, 1145324612];
+  const z438038 = [0.4, 1145324612];
+  const v25 = 1;
+  for (let v29 = 0; v29 < 1099511627776n; v29++) {
+    async function* v30(v31, v32, v33, a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10) {}
+    const v34 = v30();
+  }
+  const z637976 = [0.4, 1145324612];
+  gc();
+  const z112286 = [0.4, 134217728n];
+  const z709419 = [0.4, 1145324612];
+}
+noDFG(main);
+noFTL(main);
+main();
@@ -0,0 +1,5 @@
+try {
+    const x = Object.getOwnPropertyDescriptor(RegExp.prototype, "flags").get;
+    x();
+    const sticky = 0;
+} catch { }
@@ -0,0 +1,18 @@
+try {
+    let v17 = 96;
+    let v28 = -4294967295;
+    const v29 = ++v28;
+    const v30 = -v17;
+    const v32 = v29 && --v17;
+    +v28;
+    v32 ^ v32;
+    Math.asinh(v30);
+    const o87 = {
+        "maxByteLength": 2,
+    };
+    const v89 = new SharedArrayBuffer(0, o87);
+    new Uint8Array(v89);
+    const v94 = new Uint8Array([0,97,115,109,1,0,0,0,1,9,2,v17,1,127,0,96,1,127,0,2,8,1,1,109,1,116,4,0,0,3,2,1,1,7,9,1,5,116,104,114,111,119,0,0,10,8,1,6,0,32,0,8,0,11,0,15,4,110,97,109,101,1,8,1,0,5,116,104,114,111,119]);
+    const t20 = WebAssembly.Module;
+    new t20(v94);
+} catch { }
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<title>Reference: sideways-lr flexbox main axis progresses in correct direction</title>
+<style>
+    .container {
+        font-size: 0
+    }
+    .item {
+        width: 20px;
+        height: 20px;
+    }
+
+    .item:nth-child(1) { background-color: lime; }
+    .item:nth-child(2) { background-color: limegreen; }
+    .item:nth-child(3) { background-color: green; }
+
+    .container.reverse .item:nth-child(1) { background-color: green; }
+    .container.reverse .item:nth-child(2) { background-color: limegreen; }
+    .container.reverse .item:nth-child(3) { background-color: lime; }
+
+    .container.row .item { display: inline-block; }
+</style>
+<div class="container reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<title>Reference: sideways-lr flexbox main axis progresses in correct direction</title>
+<style>
+    .container {
+        font-size: 0
+    }
+    .item {
+        width: 20px;
+        height: 20px;
+    }
+
+    .item:nth-child(1) { background-color: lime; }
+    .item:nth-child(2) { background-color: limegreen; }
+    .item:nth-child(3) { background-color: green; }
+
+    .container.reverse .item:nth-child(1) { background-color: green; }
+    .container.reverse .item:nth-child(2) { background-color: limegreen; }
+    .container.reverse .item:nth-child(3) { background-color: lime; }
+
+    .container.row .item { display: inline-block; }
+</style>
+<div class="container reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container row reverse">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<title>sideways-lr flexbox main axis progresses in correct direction</title>
+<link rel="author" title="Tim Nguyen" href="https://github.com/nt1m">
+<link rel="help" href="https://drafts.csswg.org/css-flexbox-1/#box-model">
+<link rel="match" href="reference/sideways-lr-main-axis-ref.html">
+<style>
+    .container {
+        display: flex;
+    }
+    .item {
+        width: 20px;
+        height: 20px;
+    }
+    .item:nth-child(1) { background-color: lime; }
+    .item:nth-child(2) { background-color: limegreen; }
+    .item:nth-child(3) { background-color: green; }
+</style>
+<div class="container" style="writing-mode: sideways-lr; flex-direction: row;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container" style="writing-mode: sideways-lr; direction: rtl; flex-direction: row;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container" style="writing-mode: sideways-lr; flex-direction: row-reverse;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container" style="writing-mode: sideways-lr; direction: rtl; flex-direction: row-reverse;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container" style="writing-mode: sideways-lr; flex-direction: column;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container" style="writing-mode: sideways-lr; direction: rtl; flex-direction: column;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container" style="writing-mode: sideways-lr; flex-direction: column-reverse;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
+<div class="container" style="writing-mode: sideways-lr; direction: rtl; flex-direction: column-reverse;">
+    <div class="item"></div>
+    <div class="item"></div>
+    <div class="item"></div>
+</div>
@@ -166,7 +166,7 @@ Structure* InternalFunction::createSubclassStructure(JSGlobalObject* globalObjec
 
     // .prototype can't be a getter if we canUseAllocationProfiles().
     JSValue prototypeValue = targetFunction->get(globalObject, vm.propertyNames->prototype);
-    scope.assertNoException();
+    RETURN_IF_EXCEPTION(scope, nullptr);
 
     if (JSObject* prototype = jsDynamicCast<JSObject*>(prototypeValue))
         return rareData->createInternalFunctionAllocationStructureFromBase(vm, baseGlobalObject, prototype, baseClass);
 
@@ -496,6 +496,10 @@ bool JSArray::fastFill(VM& vm, unsigned startIndex, unsigned endIndex, JSValue v
 
     ASSERT(nextType == indexingType());
 
+    // There is a chance that endIndex is beyond the length. If it is, let's just fail.
+    if (endIndex > this->butterfly()->publicLength())
+        return false;
+
     if (nextType == ArrayWithDouble) {
         auto* data = butterfly()->contiguousDouble().data();
         double pattern = value.asNumber();
 
@@ -199,7 +199,9 @@ JSC_DEFINE_HOST_FUNCTION(regExpProtoFuncToString, (JSGlobalObject* globalObject,
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     JSValue thisValue = callFrame->thisValue().toThis(globalObject, ECMAMode::strict());
-    if (!thisValue.isObject())
+    RETURN_IF_EXCEPTION(scope, { });
+
+    if (UNLIKELY(!thisValue.isObject()))
         return throwVMTypeError(globalObject, scope);
 
     JSObject* thisObject = asObject(thisValue);
@@ -211,14 +213,14 @@ JSC_DEFINE_HOST_FUNCTION(regExpProtoFuncToString, (JSGlobalObject* globalObject,
         return JSValue::encode(earlyReturnValue);
 
     JSValue sourceValue = thisObject->get(globalObject, vm.propertyNames->source);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    RETURN_IF_EXCEPTION(scope, { });
     String source = sourceValue.toWTFString(globalObject);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     JSValue flagsValue = thisObject->get(globalObject, vm.propertyNames->flags);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    RETURN_IF_EXCEPTION(scope, { });
     String flags = flagsValue.toWTFString(globalObject);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, '/', source, '/', flags)));
 }
@@ -356,7 +358,9 @@ JSC_DEFINE_HOST_FUNCTION(regExpProtoGetterFlags, (JSGlobalObject* globalObject,
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    JSValue thisValue = callFrame->thisValue();
+    JSValue thisValue = callFrame->thisValue().toThis(globalObject, ECMAMode::strict());
+    RETURN_IF_EXCEPTION(scope, { });
+
     if (UNLIKELY(!thisValue.isObject()))
         return throwVMTypeError(globalObject, scope, "The RegExp.prototype.flags getter can only be called on an object"_s);