isCacheableArrayLength should return true for undecided arrays

[WebKit-https.git] / JSTests / ChangeLog

2018-05-04  Keith Miller  <keith_miller@apple.com>

        isCacheableArrayLength should return true for undecided arrays
        https://bugs.webkit.org/show_bug.cgi?id=185309

        Reviewed by Michael Saboff.

        * stress/get-array-length-undecided.js: Added.
        (test):

2018-05-04  Dominik Infuehr  <dinfuehr@igalia.com>

        Disable tests on systems with limited memory
        https://bugs.webkit.org/show_bug.cgi?id=185296

        Reviewed by Saam Barati.

        Test doesn't work with a limited amount of memory. I tried to reduce memory usage
        but then it was hard to reproduce the failure the test was originally made to test.

        * stress/array-reverse-doesnt-clobber.js:

2018-05-03  Saam Barati  <sbarati@apple.com>

        Don't prevent CreateThis being folded to NewObject when the structure is poly proto
        https://bugs.webkit.org/show_bug.cgi?id=185177

        Reviewed by Filip Pizlo.

        * microbenchmarks/construct-poly-proto-object.js: Added.
        (foo.A):
        (foo):
        * stress/allocation-sinking-new-object-with-poly-proto.js: Added.
        (foo.A):
        (foo):
        (makePolyProto):
        (bar):
        (baz):

2018-05-03  Michael Saboff  <msaboff@apple.com>

        OSR entry pruning of Program Bytecodes doesn't take into account try/catch
        https://bugs.webkit.org/show_bug.cgi?id=185281

        Reviewed by Saam Barati.

        New regression test.

        * stress/baseline-osrentry-catch-is-reachable.js: Added.
        (i.j.catch):

2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231197.

        The test added with this change crashes on the 32-bit JSC bot.

        Reverted changeset:

        "Correctly detect string overflow when using the 'Function'
        constructor"
        https://bugs.webkit.org/show_bug.cgi?id=184883
        https://trac.webkit.org/changeset/231197

2018-05-02  Filip Pizlo  <fpizlo@apple.com>

        JSC should know how to cache custom getter accesses on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=185213

        Reviewed by Keith Miller.

        * microbenchmarks/get-custom-getter.js: Added.
        (test):

2018-05-02  Robin Morisset  <rmorisset@apple.com>

        emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
        https://bugs.webkit.org/show_bug.cgi?id=183172

        Reviewed by Filip Pizlo.

        * stress/length-of-new-array-with-spread.js: Added.
        (foo):
        (bar):
        (baz):

2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add SameValue DFG node
        https://bugs.webkit.org/show_bug.cgi?id=185065

        Reviewed by Saam Barati.

        * microbenchmarks/object-is.js: Added.
        (incognito):
        (sameValue):
        (test1):
        (test2):
        (test3):
        (test4):
        (test5):
        (test6):
        * stress/object-is.js: Added.
        (shouldBe):
        (is1):
        (is2):
        (is3):
        (is4):
        (is5):
        (is6):
        (is7):
        (is8):
        (is9):
        (is10):
        (is11):
        (is12):
        (is13):
        (is14):
        (is15):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        Correctly detect string overflow when using the 'Function' constructor
        https://bugs.webkit.org/show_bug.cgi?id=184883
        <rdar://problem/36320331>

        Reviewed by Filip Pizlo.

        I put this regression test in the 'slowMicrobenchmarks' directory because it takes nearly 30s to run, and I am not sure where else to put it.

        * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
        (catch):

2018-05-01  Robin Morisset  <rmorisset@apple.com>

        IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
        https://bugs.webkit.org/show_bug.cgi?id=185162

        Reviewed by Filip Pizlo.

        * stress/incomplete-unicode-locale.js: Added.
        (catch):

2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>

        Add SetCallee as DFG-Operation
        https://bugs.webkit.org/show_bug.cgi?id=184582

        Reviewed by Filip Pizlo.

        Added test that runs into infinite loop without updating the callee and
        therefore emitting SetCallee in DFG for recursive tail calls.

        * stress/closure-recursive-tail-call-infinite-loop.js: Added.
        (Foo):
        (second):
        (first):
        (return.closure):
        (createClosure):

2018-04-30  Saam Barati  <sbarati@apple.com>

        ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=185149
        <rdar://problem/39455917>

        Reviewed by Filip Pizlo.

        * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.
        
        I found this bug by accident when I was writing this test for something else.
        
        This change also speeds up other benchmarks of this case that we already had. They are all called
        the licm-dragons tests.

        * microbenchmarks/licm-dragons-two-structures.js: Added.
        (foo):

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        * stress/regexp-exec-test-effectful-last-index.js: Added.
        (assert):
        (foo):
        (i.regexLastIndex.toString):
        (bar):

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
        * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
        * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
        * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
        (testSyntaxError.String.raw.v):
        (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
        (testSyntaxError.String.raw.a):

2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        * bigIntTests.yaml:
        * stress/big-int-mul-jit.js: Added.
        * stress/big-int-mul-to-primitive-precedence.js: Added.
        * stress/big-int-mul-to-primitive.js: Added.
        * stress/big-int-mul-type-error.js: Added.
        * stress/big-int-mul-wrapped-value.js: Added.
        * stress/big-int-multiplication.js: Added.
        * stress/big-int-multiply-memory-stress.js: Added.

2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131

2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        * bigIntTests.yaml:
        * stress/big-int-mul-jit.js: Added.
        * stress/big-int-mul-to-primitive-precedence.js: Added.
        * stress/big-int-mul-to-primitive.js: Added.
        * stress/big-int-mul-type-error.js: Added.
        * stress/big-int-mul-wrapped-value.js: Added.
        * stress/big-int-multiplication.js: Added.
        * stress/big-int-multiply-memory-stress.js: Added.

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        Reverted changeset:

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086

2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.

        * test262.yaml: Mark tests as passing.

2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        * bigIntTests.yaml:
        * stress/big-int-mul-jit.js: Added.
        * stress/big-int-mul-to-primitive-precedence.js: Added.
        * stress/big-int-mul-to-primitive.js: Added.
        * stress/big-int-mul-type-error.js: Added.
        * stress/big-int-mul-wrapped-value.js: Added.
        * stress/big-int-multiplication.js: Added.
        * stress/big-int-multiply-memory-stress.js: Added.

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
        so I decided to add it to the stress tests nonetheless.

        * stress/create-rest-while-having-a-bad-time.js: Added.
        (f):
        (g):
        (h):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * stress/function-toString-arrow.js: Added.
        (async):

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        * stress/fromCharCode-exception-check.js: Added.
        (get catch):

2018-04-24  Mark Lam  <mark.lam@apple.com>

        Gardening: test fix after r230863.
        https://bugs.webkit.org/show_bug.cgi?id=184846
        <rdar://problem/39390672>

        Not reviewed.

        * stress/json-stringified-overflow-2.js:
        (catch):
        * stress/json-stringified-overflow.js:
        (catch):

2018-04-20  JF Bastien  <jfbastien@apple.com>

        Handle more JSON stringify OOM
        https://bugs.webkit.org/show_bug.cgi?id=184846
        <rdar://problem/39390672>

        Reviewed by Mark Lam.

        * stress/json-stringified-overflow-2.js: Added. Same as the one
        below, but with a bigger input which will trigger a different code
        path.
        (catch):
        * stress/json-stringified-overflow.js: Modify the test to only
        catch OOM on stringification. not on string creation.

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import tables in wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184738

        Reviewed by JF Bastien.

        * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
        * wasm/modules/wasm-imports-wasm-exports.js:
        * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
        * wasm/modules/wasm-imports-wasm-exports/imports.wat:
        * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
        * wasm/modules/wasm-imports-wasm-exports/sum.wat:

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Import globals from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184736

        Reviewed by JF Bastien.

        * wasm.yaml:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
        * wasm/modules/wasm-imports-wasm-exports.js:
        * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
        * wasm/modules/wasm-imports-wasm-exports/imports.wat:
        * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
        * wasm/modules/wasm-imports-wasm-exports/sum.wat:

2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reland r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184600

        * wasm.yaml:
        * wasm/modules/constant.wasm: Added.
        * wasm/modules/constant.wat: Added.
        * wasm/modules/default-import-star-error.js: Added.
        (then):
        * wasm/modules/default-import-star-error/entry.wasm: Added.
        * wasm/modules/default-import-star-error/entry.wat: Added.
        * wasm/modules/default-import-star-error/t0.js: Added.
        * wasm/modules/default-import-star-error/t1.js: Added.
        * wasm/modules/default-import-star-error/t2.js: Added.
        (export.default.Cocoa):
        * wasm/modules/js-wasm-cycle.js: Added.
        * wasm/modules/js-wasm-cycle/entry.js: Added.
        (from.string_appeared_here.export.return42):
        * wasm/modules/js-wasm-cycle/sum.wasm: Added.
        * wasm/modules/js-wasm-cycle/sum.wat: Added.
        * wasm/modules/js-wasm-function-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-function.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-global-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-global.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-memory-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-memory.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-start.js: Added.
        (then):
        * wasm/modules/js-wasm-table-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-table.js: Added.
        (assert.throws):
        * wasm/modules/memory.wasm: Added.
        * wasm/modules/memory.wat: Added.
        * wasm/modules/run-from-wasm.wasm: Added.
        * wasm/modules/run-from-wasm.wat: Added.
        * wasm/modules/run-from-wasm/check.js: Added.
        (export.check):
        * wasm/modules/start.wasm: Added.
        * wasm/modules/start.wat: Added.
        * wasm/modules/sum.wasm: Added.
        * wasm/modules/sum.wat: Added.
        * wasm/modules/table.wasm: Added.
        * wasm/modules/table.wat: Added.
        * wasm/modules/wasm-imports-js-exports.js: Added.
        * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
        * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
        * wasm/modules/wasm-imports-js-exports/sum.js: Added.
        (export.sum):
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
        * wasm/modules/wasm-imports-wasm-exports.js: Added.
        * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
        * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
        * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
        * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
        * wasm/modules/wasm-js-cycle.js: Added.
        * wasm/modules/wasm-js-cycle/entry.wasm: Added.
        * wasm/modules/wasm-js-cycle/entry.wat: Added.
        * wasm/modules/wasm-js-cycle/sum.js: Added.
        (from.string_appeared_here.export.sum):
        * wasm/modules/wasm-wasm-cycle.js: Added.
        * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
        * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
        * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
        * wasm/modules/wasm-wasm-cycle/sum.wat: Added.

2018-04-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r230697, r230720, and r230724.
        https://bugs.webkit.org/show_bug.cgi?id=184717

        These caused multiple failures on the Test262 testers.
        (Requested by mlewis13 on #webkit).

        Reverted changesets:

        "[WebAssembly][Modules] Prototype wasm import"
        https://bugs.webkit.org/show_bug.cgi?id=184600
        https://trac.webkit.org/changeset/230697

        "[WebAssembly][Modules] Implement function import from wasm
        modules"
        https://bugs.webkit.org/show_bug.cgi?id=184689
        https://trac.webkit.org/changeset/230720

        "[JSC] Rename runWebAssembly to runWebAssemblySuite"
        https://bugs.webkit.org/show_bug.cgi?id=184703
        https://trac.webkit.org/changeset/230724

2018-04-17  JF Bastien  <jfbastien@apple.com>

        A put is not an ExistingProperty put when we transition a structure because of an attributes change
        https://bugs.webkit.org/show_bug.cgi?id=184706
        <rdar://problem/38871451>

        Reviewed by Saam Barati.

        * stress/put-by-id-direct-strict-transition.js: Added.
        (const.foo):
        (j.const.obj.set hello):
        * stress/put-by-id-direct-transition.js: Added.
        (const.foo):
        (j.const.obj.set hello):
        * stress/put-getter-setter-by-id-strict-transition.js: Added.
        (const.foo):
        (j.const.obj.set hello):
        * stress/put-getter-setter-by-id-transition.js: Added.
        (const.foo):
        (j.const.obj.set hello):

2018-04-16  Filip Pizlo  <fpizlo@apple.com>

        PutStackSinkingPhase should know that KillStack means ConflictingFlush
        https://bugs.webkit.org/show_bug.cgi?id=184672

        Reviewed by Michael Saboff.

        * stress/sink-put-stack-over-kill-stack.js: Added.
        (avocado_1):
        (apricot_0):
        (__c_0):
        (banana_2):

2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Rename runWebAssembly to runWebAssemblySuite
        https://bugs.webkit.org/show_bug.cgi?id=184703

        Reviewed by JF Bastien.

        And add runWebAssembly as a command to simplely run wasm modules.

        * wasm.yaml:

2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Implement function import from wasm modules
        https://bugs.webkit.org/show_bug.cgi?id=184689

        Reviewed by JF Bastien.

        * wasm.yaml:
        * wasm/modules/js-wasm-cycle.js: Added.
        * wasm/modules/js-wasm-cycle/entry.js: Added.
        (from.string_appeared_here.export.return42):
        * wasm/modules/js-wasm-cycle/sum.wasm: Added.
        * wasm/modules/js-wasm-cycle/sum.wat: Added.
        * wasm/modules/run-from-wasm.wasm: Added.
        * wasm/modules/run-from-wasm.wat: Added.
        * wasm/modules/run-from-wasm/check.js: Added.
        (export.check):
        * wasm/modules/wasm-imports-js-exports.js: Added.
        * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
        * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
        * wasm/modules/wasm-imports-js-exports/sum.js: Added.
        (export.sum):
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
        * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
        * wasm/modules/wasm-imports-wasm-exports.js: Added.
        * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
        * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
        * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
        * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
        * wasm/modules/wasm-js-cycle.js: Added.
        * wasm/modules/wasm-js-cycle/entry.wasm: Added.
        * wasm/modules/wasm-js-cycle/entry.wat: Added.
        * wasm/modules/wasm-js-cycle/sum.js: Added.
        (from.string_appeared_here.export.sum):
        * wasm/modules/wasm-wasm-cycle.js: Added.
        * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
        * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
        * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
        * wasm/modules/wasm-wasm-cycle/sum.wat: Added.

2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebAssembly][Modules] Prototype wasm import
        https://bugs.webkit.org/show_bug.cgi?id=184600

        Reviewed by JF Bastien.

        Add wasm and wat files since module loader want to load wasm files from FS.
        Currently, importing the other modules from wasm is not supported.

        * wasm.yaml:
        * wasm/modules/constant.wasm: Added.
        * wasm/modules/constant.wat: Added.
        * wasm/modules/js-wasm-function-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-function.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-global-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-global.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-memory-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-memory.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-start.js: Added.
        (then):
        * wasm/modules/js-wasm-table-namespace.js: Added.
        (assert.throws):
        * wasm/modules/js-wasm-table.js: Added.
        (assert.throws):
        * wasm/modules/memory.wasm: Added.
        * wasm/modules/memory.wat: Added.
        * wasm/modules/start.wasm: Added.
        * wasm/modules/start.wat: Added.
        * wasm/modules/sum.wasm: Added.
        * wasm/modules/sum.wat: Added.
        * wasm/modules/table.wasm: Added.
        * wasm/modules/table.wat: Added.

2018-04-14  Filip Pizlo  <fpizlo@apple.com>

        Function.prototype.caller shouldn't return generator bodies
        https://bugs.webkit.org/show_bug.cgi?id=184630

        Reviewed by Yusuke Suzuki.

        * stress/function-caller-async-arrow-function-body.js: Added.
        * stress/function-caller-async-function-body.js: Added.
        * stress/function-caller-async-generator-body.js: Added.
        * stress/function-caller-generator-body.js: Added.
        * stress/function-caller-generator-method-body.js: Added.

2018-04-12  Tomas Popela  <tpopela@redhat.com>

        Unreviewed, skip JIT tests if it isn't enabled

        See https://bugs.webkit.org/show_bug.cgi?id=182730.

        * stress/big-int-spec-to-primitive.js:
        * stress/big-int-spec-to-this.js:

2018-04-10  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Add support for BigInt in SpeculatedType
        https://bugs.webkit.org/show_bug.cgi?id=182470

        Reviewed by Saam Barati.

        * stress/big-int-spec-to-primitive.js: Added.
        * stress/big-int-spec-to-this.js: Added.
        * stress/big-int-strict-equals-jit.js: Added.
        * stress/big-int-strict-spec-to-this.js: Added.
        * stress/big-int-type-of-proven-type.js: Added.

2018-04-10  Filip Pizlo  <fpizlo@apple.com>

        DFG AI and clobberize should agree with each other
        https://bugs.webkit.org/show_bug.cgi?id=184440

        Reviewed by Saam Barati.
        
        Add tests for all of the bugs I fixed.

        * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
        (foo):
        * stress/new-typed-array-cse-effects.js: Added.
        (foo):
        * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
        (foo.theO):
        (foo):
        * stress/string-from-char-code-change-structure-not-dead.js: Added.
        (foo):
        (i.valueOf):
        (weirdValue.valueOf):
        * stress/string-from-char-code-change-structure.js: Added.
        (foo):
        (i.valueOf):
        (weirdValue.valueOf):

2018-04-09  Leo Balter  <leonardo.balter@gmail.com>

        Fix errant Test262 files CRLF to LF for consistency with the original source
        https://bugs.webkit.org/show_bug.cgi?id=184425

        Reviewed by Yusuke Suzuki.

        * test262/test/built-ins/Math/acosh/nan-returns.js:
        * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
        * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
        * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
        * test262/test/built-ins/Math/cbrt/prop-desc.js:
        * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
        * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
        * test262/test/built-ins/Math/log10/Log10-specialVals.js:
        * test262/test/built-ins/Math/log2/log2-basicTests.js:
        * test262/test/built-ins/Math/sign/sign-specialVals.js:
        * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
        * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
        * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
        * test262/test/built-ins/Math/trunc/trunc-specialVals.js:

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, remove incorrect entry in test262.yaml
        https://bugs.webkit.org/show_bug.cgi?id=184266

        * test262.yaml:

2018-04-08  Valerie Young  <valerie@bocoup.com>

        [JSC] Update Test262 to April 6 version
        https://bugs.webkit.org/show_bug.cgi?id=184266

        Rubber stamped by Yusuke Suzuki.

2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce op_get_by_id_direct
        https://bugs.webkit.org/show_bug.cgi?id=183970

        Reviewed by Filip Pizlo.

        * stress/generator-prototype-copy.js: Added.
        (gen):
        (catch):
        Adopted JF's tests.

        * stress/generator-type-check.js: Added.
        (shouldThrow):
        (foo2):
        (i.shouldThrow):
        * stress/get-by-id-direct-getter.js: Added.
        (shouldBe):
        (shouldThrow):
        (obj.get hello):
        (builtin.createBuiltin):
        (obj2.get length):
        * stress/get-by-id-direct.js: Added.
        (shouldBe):
        (shouldThrow):
        (builtin.createBuiltin):
        * test262.yaml:
        We fixed long-standing spec compatibility issue.
        As a result, this patch makes several test262 tests passed!


2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, annotate test with @skip if $memoryLimited
        https://bugs.webkit.org/show_bug.cgi?id=183894

        * stress/json-stringified-overflow.js:

2018-04-06  Alexey Proskuryakov  <ap@apple.com>

        Add svn:eol-style to line-terminator-normalisation-CR.js
        https://bugs.webkit.org/show_bug.cgi?id=184341

        * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.

2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed, remove errant LF from existing test262 test for CR line endings.

        * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:

2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed, rolling out r230320.

        Revert fix, as the root cause lies elsewhere.

        Reverted changeset:

        "[test262] Mark line-terminator-normalisation-CR.js as a
        binary file."
        https://bugs.webkit.org/show_bug.cgi?id=184341
        https://trac.webkit.org/changeset/230320

2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>

        [test262] Mark line-terminator-normalisation-CR.js as a binary file.
        https://bugs.webkit.org/show_bug.cgi?id=184341

        Reviewed by Yusuke Suzuki.

        This test is all about CR line endings, but `svn-apply` can't deal with them.
        Treating the file as binary ensures that its contents never are never shown in a diff.

        * .gitattributes: Added.

2018-04-05  Robin Morisset  <rmorisset@apple.com>

        Fix testcase (missing try/catch).
        https://bugs.webkit.org/show_bug.cgi?id=183657

        Unreviewed.

        * stress/large-unshift-splice.js

2018-04-04  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
        https://bugs.webkit.org/show_bug.cgi?id=184319

        Reviewed by Saam Barati.

        * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
        (foo):
        (bar):
        * stress/array-push-nan-to-double-array.js: Added.
        (foo):
        (bar):

2018-04-03  Mark Lam  <mark.lam@apple.com>

        Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
        https://bugs.webkit.org/show_bug.cgi?id=184284

        Reviewed by Saam Barati.

        * stress/js-fixed-array-out-of-memory.js:

2018-03-31  Filip Pizlo  <fpizlo@apple.com>

        JSC crash in JIT code with for-of loop and Array/Set iterators
        https://bugs.webkit.org/show_bug.cgi?id=183174

        Reviewed by Saam Barati.

        * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
        (foo):
        * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
        (f):

2018-03-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: support DataView compilation
        https://bugs.webkit.org/show_bug.cgi?id=183342

        Reviewed by Mark Lam.

        Test WebAssembly compilation using a DataView with offset.

        * wasm/regress/183342.js: Added.
        (attempt.catch):

2018-03-30  Filip Pizlo  <fpizlo@apple.com>

        Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
        https://bugs.webkit.org/show_bug.cgi?id=184189

        Reviewed by JF Bastien.

        * stress/load-hole-from-scope-into-live-var.js: Added.
        (result.eval.try.switch):
        (catch):

2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r230102.

        Caused assertion failures on JSC bots.

        Reverted changeset:

        "A stack overflow in the parsing of a builtin (called by
        createExecutable) cause a crash instead of a catchable js
        exception"
        https://bugs.webkit.org/show_bug.cgi?id=184074
        https://trac.webkit.org/changeset/230102

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=183812

        Reviewed by Keith Miller.

        * stress/inlining-unreachable-non-tail.js: Added.
        (foo.):
        (foo):

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
        https://bugs.webkit.org/show_bug.cgi?id=184074
        <rdar://problem/37165897>

        Reviewed by Keith Miller.

        * stress/stack-overflow-while-parsing-builtin.js: Added.
        (f):

2018-03-30  Robin Morisset  <rmorisset@apple.com>

        Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
        https://bugs.webkit.org/show_bug.cgi?id=183657

        Reviewed by Keith Miller.

        * stress/large-unshift-splice.js: Added.
        (make_contig_arr):

2018-03-28  Robin Morisset  <rmorisset@apple.com>

        appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
        https://bugs.webkit.org/show_bug.cgi?id=183894

        Reviewed by Saam Barati.

        * stress/json-stringified-overflow.js: Added.
        (catch):

2018-03-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should know that CreateThis can be effectful
        https://bugs.webkit.org/show_bug.cgi?id=184013

        Reviewed by Saam Barati.

        * stress/create-this-property-change.js: Added.
        (Foo):
        (RealBar):
        (get if):
        * stress/create-this-structure-change-without-cse.js: Added.
        (Foo):
        (RealBar):
        (get if):
        * stress/create-this-structure-change.js: Added.
        (Foo):
        (RealBar):
        (get if):

2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduces fused compare and jump
        https://bugs.webkit.org/show_bug.cgi?id=177100

        Reviewed by Mark Lam.

        * stress/fused-jeq-slow.js: Added.
        (shouldBe):
        (testJEQ):
        (testJNEQB):
        (testJEQB):
        (testJNEQF):
        (testJEQF):
        * stress/fused-jeq.js: Added.
        (shouldBe):
        (testJEQ):
        (testJNEQB):
        (testJEQB):
        (testJNEQF):
        (testJEQF):
        * stress/fused-jstricteq-slow.js: Added.
        (shouldBe):
        (testJSTRICTEQ):
        (testJNSTRICTEQB):
        (testJSTRICTEQB):
        (testJNSTRICTEQF):
        (testJSTRICTEQF):
        * stress/fused-jstricteq.js: Added.
        (shouldBe):
        (testJSTRICTEQ):
        (testJNSTRICTEQB):
        (testJSTRICTEQB):
        (testJNSTRICTEQF):
        (testJSTRICTEQF):

2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
        https://bugs.webkit.org/show_bug.cgi?id=183559

        Reviewed by Mark Lam.

        * stress/double-to-string-in-loop-removed.js: Added.
        (test):
        * stress/int32-to-string-in-loop-removed.js: Added.
        (test):
        * stress/int52-to-string-in-loop-removed.js: Added.
        (test):

2018-03-22  Michael Saboff  <msaboff@apple.com>

        Race Condition in arrayProtoFuncReverse() causes wrong results or crash
        https://bugs.webkit.org/show_bug.cgi?id=183901

        Reviewed by Keith Miller.

        New test.

        * stress/array-reverse-doesnt-clobber.js: Added.
        (testArrayReverse):
        (createArrayOfArrays):
        (createArrayStorage):

2018-03-21  Filip Pizlo  <fpizlo@apple.com>

        ScopedArguments should do poisoning and index masking
        https://bugs.webkit.org/show_bug.cgi?id=183863

        Reviewed by Mark Lam.
        
        Adds another stress test of scoped arguments.

        * stress/scoped-arguments-test.js: Added.
        (foo):

2018-03-20  Saam Barati  <sbarati@apple.com>

        We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=183795
        <rdar://problem/38298694>

        Reviewed by JF Bastien.

        * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
        (foo):
        (bar):

2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Add vectorLengthHint for NewArray
        https://bugs.webkit.org/show_bug.cgi?id=183694

        Reviewed by Saam Barati.

        * stress/vector-length-hint-array-constructor.js: Added.
        (shouldBe):
        (test):
        * stress/vector-length-hint-new-array.js: Added.
        (shouldBe):
        (test):

2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Make ArraySlice(0) code tight
        https://bugs.webkit.org/show_bug.cgi?id=183590

        Reviewed by Saam Barati.

        * stress/array-slice-with-zero.js: Added.
        (shouldBe):
        (test):
        (test2):
        * stress/array-slice-zero-args.js: Added.
        (shouldBe):
        (test):

2018-03-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] fix order of evaluation for ClassDefinitionEvaluation
        https://bugs.webkit.org/show_bug.cgi?id=183523

        Reviewed by Keith Miller.

        Computed property names need to be evaluated in source order during class
        definition evaluation, as it's observable (and specified to work this way).

        This change improves compatibility with Chromium.

        * stress/class_elements.js: Added.
        (test):
        (test.C.prototype.effect):
        (test.C.effect):
        (test.C.prototype.get effect):
        (test.C.prototype.set effect):
        (test.C):

2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
        https://bugs.webkit.org/show_bug.cgi?id=183310

        Reviewed by Filip Pizlo.

        * stress/ai-create-this-to-new-object-fire.js: Added.
        (assert):
        (test):
        (func):
        (check):
        (test.body.A):
        (test.body.B):
        (test.body):
        * stress/ai-create-this-to-new-object.js: Added.
        (assert):
        (test):
        (func):
        (check):
        (test.body.A):
        (test.body.B):
        (test.body):

2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
        https://bugs.webkit.org/show_bug.cgi?id=181848

        Reviewed by Sam Weinig.

        * microbenchmarks/regexp-u-global-es5.js: Added.
        (fn):
        * microbenchmarks/regexp-u-global-es6.js: Added.
        (fn):
        * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
        (shouldBe):
        (test):

2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>

        Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
        https://bugs.webkit.org/show_bug.cgi?id=183334

        Reviewed by Žan Doberšek.

        * stress/var-injection-cache-invalidation.js:

2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Disable tests that run out of memory
        https://bugs.webkit.org/show_bug.cgi?id=182699

        Reviewed by Žan Doberšek.

        Skip tests that run of of memory. Do not run
        modules/module-jit-reachability.js without LLInt to prevent
        running out of executable memory.

        * modules.yaml:
        * modules/module-jit-reachability.js:
        * stress/has-own-property-name-cache-string-keys.js:
        * stress/has-own-property-name-cache-symbol-keys.js:

2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
        https://bugs.webkit.org/show_bug.cgi?id=183173

        Reviewed by Saam Barati.

        * stress/async-arrow-function-in-class-heritage.js: Added.
        (testSyntax):
        (testSyntaxError):
        (SyntaxError):

2018-03-01  Saam Barati  <sbarati@apple.com>

        We need to clear cached structures when having a bad time
        https://bugs.webkit.org/show_bug.cgi?id=183256
        <rdar://problem/36245022>

        Reviewed by Mark Lam.

        * stress/having-a-bad-time-with-derived-arrays.js: Added.
        (assert):
        (defineSetter):
        (iterate):
        (doSlice):

2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC crash with `import("")`
        https://bugs.webkit.org/show_bug.cgi?id=183175

        Reviewed by Saam Barati.

        * stress/import-with-empty-string.js: Added.

2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, skip FTL tests if FTL is disabled
        https://bugs.webkit.org/show_bug.cgi?id=183071

        * stress/has-indexed-property-array-storage-ftl.js:
        * stress/has-indexed-property-slow-put-array-storage-ftl.js:

2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
        https://bugs.webkit.org/show_bug.cgi?id=182965

        Reviewed by Saam Barati.

        * stress/put-by-val-array-storage.js: Added.
        (shouldBe):
        (testArrayStorageInBounds):
        * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
        (shouldBe):
        (testInt32.createBuiltin):
        (set for):
        * stress/put-by-val-slow-put-array-storage.js: Added.
        (shouldBe):
        (testArrayStorageInBounds):

2018-02-26  Saam Barati  <sbarati@apple.com>

        validateStackAccess should not validate if the offset is within the stack bounds
        https://bugs.webkit.org/show_bug.cgi?id=183067
        <rdar://problem/37749988>

        Reviewed by Mark Lam.

        * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
        (assert):
        (test.a):
        (test.b):
        (test):

2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, skip FTL tests if FTL is disabled
        https://bugs.webkit.org/show_bug.cgi?id=183071

        * stress/has-indexed-property-array-storage-ftl.js:
        * stress/has-indexed-property-slow-put-array-storage-ftl.js:

2018-02-23  Saam Barati  <sbarati@apple.com>

        Make Number.isInteger an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=183088

        Reviewed by JF Bastien.

        * stress/number-is-integer-intrinsic.js: Added.

2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>

        WebAssembly: cache memory address / size on instance
        https://bugs.webkit.org/show_bug.cgi?id=177305

        Reviewed by JF Bastien.

        * wasm/function-tests/memory-reuse.js: Added.
        (createWasmInstance):
        (doCheckTrap):
        (doMemoryGrow):
        (doCheck):
        (checkWasmInstancesWithSharedMemory):

2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement $vm.ftlTrue function for FTL testing
        https://bugs.webkit.org/show_bug.cgi?id=183071

        Reviewed by Mark Lam.

        * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
        (foo):
        * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
        (foo):
        * stress/dead-fiat-value-to-int52.js:
        (foo):
        * stress/dead-osr-entry-value.js:
        (foo):
        * stress/fiat-value-to-int52-then-exit-not-double.js:
        (foo):
        * stress/fiat-value-to-int52-then-exit-not-int52.js:
        (foo):
        * stress/fiat-value-to-int52-then-fail-to-fold.js:
        (foo):
        * stress/fiat-value-to-int52-then-fold.js:
        (foo):
        * stress/fiat-value-to-int52.js:
        (foo):
        * stress/fold-based-on-int32-proof-mul-branch.js:
        (foo):
        * stress/fold-profiled-call-to-call.js:
        (foo):
        * stress/fold-to-double-constant-then-exit.js:
        (foo):
        * stress/fold-to-int52-constant-then-exit.js:
        (foo):
        * stress/fold-to-primitive-in-cfa.js:
        (foo):
        * stress/fold-to-primitive-to-identity-in-cfa.js:
        (foo):
        * stress/has-indexed-property-array-storage-ftl.js: Added.
        (shouldBe):
        (test1):
        (test2):
        * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
        (shouldBe):
        (test1):
        (test2):
        * stress/int52-ai-add-then-filter-int32.js:
        (foo):
        * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
        (foo):
        * stress/int52-ai-mul-then-filter-int32.js:
        (foo):
        * stress/int52-ai-neg-then-filter-int32.js:
        (foo):
        * stress/int52-ai-sub-then-filter-int32.js:
        (foo):
        * stress/licm-pre-header-cannot-exit-nested.js:
        (foo):
        * stress/licm-pre-header-cannot-exit.js:
        (foo):
        * stress/sparse-array-entry-update-144067.js:
        (useMemoryToTriggerGCs):
        * stress/test-spec-misc.js:
        (foo):
        * stress/tricky-array-bounds-checks.js:
        (foo):

2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182792

        Reviewed by Mark Lam.

        * stress/has-indexed-property-array-storage.js: Added.
        (shouldBe):
        (test1):
        (test2):
        * stress/has-indexed-property-slow-put-array-storage.js: Added.
        (shouldBe):
        (test1):
        (test2):

2018-02-20  Saam Barati  <sbarati@apple.com>

        DFG::VarargsForwardingPhase should eliminate getting argument length
        https://bugs.webkit.org/show_bug.cgi?id=182959

        Reviewed by Keith Miller.

        * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.

2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support ArrayPush for ArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182782

        Reviewed by Saam Barati.

        Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.

        * stress/array-push-array-storage-beyond-int32.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-array-storage.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-storage-continuous.js: Added.
        (shouldBe):
        (test):

2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support ArrayPop for ArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182783

        Reviewed by Saam Barati.

        * stress/array-pop-array-storage.js: Added.
        (shouldBe):
        (test):

2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=182731

        Reviewed by Saam Barati.

        * stress/arrayify-array-storage-array.js: Added.
        (shouldBe):
        (testArrayStorage):
        * stress/arrayify-array-storage-non-array.js: Added.
        (shouldBe):
        (testArrayStorage):
        * stress/arrayify-array-storage.js: Added.
        (shouldBe):
        (testArrayStorage):
        * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
        (shouldBe):
        (testArrayStorage):
        * stress/arrayify-slow-put-array-storage.js: Added.
        (shouldBe):
        (testArrayStorage):

2018-02-19  Saam Barati  <sbarati@apple.com>

        Don't use JSFunction's allocation profile when getting the prototype can be effectful
        https://bugs.webkit.org/show_bug.cgi?id=182942
        <rdar://problem/37584764>

        Reviewed by Mark Lam.

        * stress/get-prototype-create-this-effectful.js: Added.

2018-02-16  Saam Barati  <sbarati@apple.com>

        Fix bugs from r228411
        https://bugs.webkit.org/show_bug.cgi?id=182851
        <rdar://problem/37577732>

        Reviewed by JF Bastien.

        * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.

2018-02-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r228366 since it did not progress anything.

        * stress/gc-error-stack.js: Removed.
        * stress/no-gc-error-stack.js: Removed.

2018-02-15  Tomas Popela  <tpopela@redhat.com>

        Many stress tests fail with JIT disabled
        https://bugs.webkit.org/show_bug.cgi?id=182730

        Reviewed by Saam Barati.

        These tests are broken by design if the JIT is disabled - they test
        the return value of numberOfDFGCompiles(), which is always set to
        1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.

        * stress/arith-abs-on-various-types.js:
        * stress/arith-abs-to-arith-negate-range-optimizaton.js:
        * stress/arith-acos-on-various-types.js:
        * stress/arith-acosh-on-various-types.js:
        * stress/arith-asin-on-various-types.js:
        * stress/arith-asinh-on-various-types.js:
        * stress/arith-atan-on-various-types.js:
        * stress/arith-atanh-on-various-types.js:
        * stress/arith-cbrt-on-various-types.js:
        * stress/arith-ceil-on-various-types.js:
        * stress/arith-clz32-on-various-types.js:
        * stress/arith-cos-on-various-types.js:
        * stress/arith-cosh-on-various-types.js:
        * stress/arith-expm1-on-various-types.js:
        * stress/arith-floor-on-various-types.js:
        * stress/arith-fround-on-various-types.js:
        * stress/arith-log-on-various-types.js:
        * stress/arith-log10-on-various-types.js:
        * stress/arith-log2-on-various-types.js:
        * stress/arith-negate-on-various-types.js:
        * stress/arith-round-on-various-types.js:
        * stress/arith-sin-on-various-types.js:
        * stress/arith-sinh-on-various-types.js:
        * stress/arith-sqrt-on-various-types.js:
        * stress/arith-tan-on-various-types.js:
        * stress/arith-tanh-on-various-types.js:
        * stress/arith-trunc-on-various-types.js:
        * stress/compare-strict-eq-on-various-types.js:

2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>

        Skip stress/new-largeish-contiguous-array-with-size.js on arm.

        Unreviewed test gardening.

        * stress/new-largeish-contiguous-array-with-size.js:

2018-02-14  Saam Barati  <sbarati@apple.com>

        Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
        https://bugs.webkit.org/show_bug.cgi?id=182801

        Reviewed by Keith Miller.

        * stress/watchdog-dont-malloc-when-in-c-code.js: Added.

2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>

        Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
        https://bugs.webkit.org/show_bug.cgi?id=182526

        Unreviewed test gardening.

        * stress/activation-sink-default-value-tdz-error.js:

2018-02-13  Saam Barati  <sbarati@apple.com>

        putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
        https://bugs.webkit.org/show_bug.cgi?id=182755
        <rdar://problem/37080864>

        Reviewed by Keith Miller.

        * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
        (test1.o.get 10005):
        (test1):
        (test2.o.get 1000):
        (test2):

2018-02-13  Caitlin Potter  <caitp@igalia.com>

        [JSC] cache TaggedTemplate arrays by callsite rather than by contents
        https://bugs.webkit.org/show_bug.cgi?id=182717

        Reviewed by Yusuke Suzuki.

        https://github.com/tc39/ecma262/pull/890 imposes a change to template
        literals, to allow template callsite arrays to be collected when the
        code containing the tagged template call is collected. This spec change
        has received concensus and been ratified.

        This change eliminates the eternal map associating template contents
        with arrays.

        * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
        * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
        * stress/tagged-templates-identity.js:
        * stress/template-string-tags-eval.js:
        * test262.yaml:

2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        Support GetArrayLength on ArrayStorage in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=182625

        Reviewed by Saam Barati.

        * stress/array-storage-length.js: Added.
        (shouldBe):
        (testInBound):
        (testUncountable):
        (testSlowPutInBound):
        (testSlowPutUncountable):
        * stress/undecided-length.js: Added.
        (shouldBe):
        (test2):

2018-02-12  Saam Barati  <sbarati@apple.com>

        DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=182706
        <rdar://problem/36833681>

        Reviewed by Filip Pizlo.

        * stress/get-array-length-phantom-new-array-buffer.js: Added.
        (effects):
        (foo):

2018-02-09  Filip Pizlo  <fpizlo@apple.com>

        Don't waste memory for error.stack
        https://bugs.webkit.org/show_bug.cgi?id=182656

        Reviewed by Saam Barati.
        
        Tests the policy.

        * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
        * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.

2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Update Test262 to Feb 9 version
        https://bugs.webkit.org/show_bug.cgi?id=182468

        Reviewed by Saam Barati.

2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix invalid line terminator in old test262 file part 2
        https://bugs.webkit.org/show_bug.cgi?id=182468

        * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:

2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix invalid line terminator in old test262 file
        https://bugs.webkit.org/show_bug.cgi?id=182468

        * test262/test/language/literals/regexp/7.8.5-1.js:

2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
        https://bugs.webkit.org/show_bug.cgi?id=182440

        Reviewed by Darin Adler.

        * stress/array-flatmap.js: Added.
        (shouldBe):
        (shouldBeArray):
        (shouldThrow):
        (var):
        * stress/array-flatten.js: Added.
        (shouldBe):
        (shouldBeArray):
        * test262.yaml:
        * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
        (3.flatMap):
        Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.

2018-02-06  Keith Miller  <keith_miller@apple.com>

        put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
        https://bugs.webkit.org/show_bug.cgi?id=182549
        <rdar://problem/36189995>

        Reviewed by Saam Barati.

        * stress/var-injection-cache-invalidation.js: Added.
        (allocateLotsOfThings):
        (test):

2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, follow up for test262 update
        https://bugs.webkit.org/show_bug.cgi?id=182288

        * test262.yaml:

2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>

        Update test262 to Jan 30 version
        https://bugs.webkit.org/show_bug.cgi?id=182288

        Unreviewed test gardening.

        * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js

2018-02-02  Saam Barati  <sbarati@apple.com>

        When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
        https://bugs.webkit.org/show_bug.cgi?id=182368
        <rdar://problem/36932466>

        Reviewed by Mark Lam.

        * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
        (runNearStackLimit.t):
        (runNearStackLimit):
        (try.runNearStackLimit):
        (catch):

2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Update test262 to Jan 30 version
        https://bugs.webkit.org/show_bug.cgi?id=182288

        Rubber stamped by Saam Barati.

        This patch updates test262 to the latest one, Jan 30 version.
        Since added and changed files are too many, we cannot create ChangeLog.
        The following files are changed.

        Several files are intentionally omitted due to merge failures. We should investigate how to merge files
        including some special line terminators (like u2028, u2029).

        * test262.yaml:
        * test262/test262-Revision.txt:
        * test262/*:

2018-02-02  Guillaume Emont  <guijemont@igalia.com>

        JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
        https://bugs.webkit.org/show_bug.cgi?id=182411

        Reviewed by Carlos Alberto Lopez Perez.

        This is skipped only on arm memory limited platforms. Until recently
        it was not a problem on MIPS as the butterfly was not initialized. But
        since r227435, the butterfly is initialized in that test and therefore
        memory is allocated, and the test typically takes around 512M, which
        means it generally gets OOM-killed on the MIPS buildbot.

        * mozilla/mozilla-tests.yaml:

2018-02-01  Mark Lam  <mark.lam@apple.com>

        Fix broken bounds check in FTL's compileGetMyArgumentByVal().
        https://bugs.webkit.org/show_bug.cgi?id=182419
        <rdar://problem/37044945>

        Reviewed by Saam Barati.

        * stress/regress-182419.js: Added.

2018-02-01  Keith Miller  <keith_miller@apple.com>

        Fix crashes due to mishandling custom sections.
        https://bugs.webkit.org/show_bug.cgi?id=182404
        <rdar://problem/36935863>

        Reviewed by Saam Barati.

        * wasm/Builder.js:
        (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
        * wasm/js-api/validate.js:
        (assert.truthy):

2018-01-31  Saam Barati  <sbarati@apple.com>

        JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
        https://bugs.webkit.org/show_bug.cgi?id=182074
        <rdar://problem/36846261>

        Reviewed by Mark Lam.

        * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
        (assert):
        (let.func):
        (let.o.foo):
        (varFunc):

2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, update test262 expects
        https://bugs.webkit.org/show_bug.cgi?id=182232

        * test262.yaml:

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement trimStart and trimEnd
        https://bugs.webkit.org/show_bug.cgi?id=182233

        Reviewed by Mark Lam.

        * stress/trim.js: Added.
        (shouldBe):
        (startTest):
        (endTest):
        (trimTest):

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Relax line terminators in String to make JSON subset of JS
        https://bugs.webkit.org/show_bug.cgi?id=182232

        Reviewed by Keith Miller.

        * ChakraCore/test/es5/Lex_u3.baseline-jsc:
        * stress/relaxed-line-terminators-in-string.js: Added.
        (shouldBe):

2018-01-29  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
        https://bugs.webkit.org/show_bug.cgi?id=182249

        Reviewed by Keith Miller.

        New regression test.

        * stress/compare-clobber-untypeduse.js: Added.

2018-01-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r227725.

        This caused internal failures.

        Reverted changeset:

        "JSC Sampling Profiler: Detect tester and testee when sampling
        in RegExp JIT"
        https://bugs.webkit.org/show_bug.cgi?id=152729
        https://trac.webkit.org/changeset/227725

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
        https://bugs.webkit.org/show_bug.cgi?id=152729

        Reviewed by Saam Barati.

        * stress/sampling-profiler-regexp.js: Added.
        (platformSupportsSamplingProfiler.test):
        (platformSupportsSamplingProfiler.baz):
        (platformSupportsSamplingProfiler):

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] WeakMap#set should have DFG node
        https://bugs.webkit.org/show_bug.cgi?id=180015

        Reviewed by Saam Barati.

        * stress/weakmap-set-change-get.js: Added.
        (shouldBe):
        (test):
        * stress/weakmap-set-cse.js: Added.
        (shouldBe):
        (test):
        * stress/weakset-add-change-get.js: Added.
        (shouldBe):
        * stress/weakset-add-cse.js: Added.
        (shouldBe):

2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
        https://bugs.webkit.org/show_bug.cgi?id=182213

        Reviewed by Mark Lam.

        * stress/int32-min-to-string.js: Added.
        (shouldBe):
        (test2):
        (test4):
        (test8):
        (test16):
        (test32):
        * stress/zero-to-string.js: Added.
        (shouldBe):
        (test2):
        (test4):
        (test8):
        (test16):
        (test32):

2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add more module scope related tests with code evaluation by string
        https://bugs.webkit.org/show_bug.cgi?id=181983

        Reviewed by Sam Weinig.

        Add more module scope related tests. When the original tests are landed,
        we do not have browser integration. This patch adds more module scope tests
        with dynamically created script evaluation. We add tests with Function
        constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.

        * modules/scopes-eval.js: Added.
        (shouldBe):
        * modules/scopes.js:
        (shouldBe):

2018-01-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.

        * microbenchmarks/array-push-3.js: Removed.
        * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
        * microbenchmarks/double-to-int32.js: Removed.
        * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
        * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
        * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
        * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
        * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
        * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
        * microbenchmarks/ftl-polymorphic-sub.js: Removed.
        * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
        * microbenchmarks/map-constant-key.js: Removed.
        * microbenchmarks/nested-function-parsing.js: Removed.
        * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
        * microbenchmarks/spread-large-array.js: Removed.
        * microbenchmarks/string-add-constant-folding.js: Removed.
        * microbenchmarks/to-lower-case.js: Removed.
        * microbenchmarks/undefined-property-access.js: Removed.
        * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
        * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
        * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
        * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
        * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
        * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
        * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
        * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
        * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
        * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
        * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
        * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
        * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
        * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
        * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
        * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
        * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
        * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.

2018-01-23  Robin Morisset  <rmorisset@apple.com>

        Update the argument count in DFGByteCodeParser::handleRecursiveCall
        https://bugs.webkit.org/show_bug.cgi?id=181739
        <rdar://problem/36627662>

        Reviewed by Saam Barati.

        * stress/recursive-tail-call-with-different-argument-count.js: Added.
        (foo):
        (bar):

2018-01-22  Michael Saboff  <msaboff@apple.com>

        DFG abstract interpreter needs to properly model effects of some Math ops
        https://bugs.webkit.org/show_bug.cgi?id=181886

        Reviewed by Saam Barati.

        New regression test.

        * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
        (test):

2018-01-20  Caio Lima  <ticaiolima@gmail.com>

        [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
        https://bugs.webkit.org/show_bug.cgi?id=181182

        Reviewed by Darin Adler.

        * stress/big-int-prototype-to-string-cast-overflow.js: Added.
        * stress/big-int-prototype-to-string-exception.js: Added.
        * stress/big-int-prototype-to-string-wrong-values.js: Added.
        * stress/number-prototype-to-string-cast-overflow.js: Added.
        * stress/number-prototype-to-string-exception.js: Added.
        * stress/number-prototype-to-string-wrong-values.js: Added.

2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>

        Disable Atomics when SharedArrayBuffer isn’t enabled
        https://bugs.webkit.org/show_bug.cgi?id=181572

        Unreviewed test gardening.

        * test262.yaml: Skip tests that fail after this change.

2018-01-19  Saam Barati  <sbarati@apple.com>

        Kill ArithNegate's ArithProfile assert inside BytecodeParser
        https://bugs.webkit.org/show_bug.cgi?id=181877
        <rdar://problem/36630552>

        Reviewed by Mark Lam.

        * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
        (runNearStackLimit):
        (f1):
        (f2):
        (f3):
        (i.catch):
        (i.try.runNearStackLimit):
        (catch):

2018-01-19  Saam Barati  <sbarati@apple.com>

        Spread's effects are modeled incorrectly both in AI and in Clobberize
        https://bugs.webkit.org/show_bug.cgi?id=181867
        <rdar://problem/36290415>

        Reviewed by Michael Saboff.

        * stress/ai-needs-to-model-spreads-effects.js: Added.
        (try.p.Symbol.iterator):
        (try.go):
        (catch):
        * stress/clobberize-needs-to-model-spread-effects.js: Added.
        (assert):
        (foo):
        (a.Symbol.iterator):

2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reduce count of iteration to fix timing out debug JSC test
        https://bugs.webkit.org/show_bug.cgi?id=181535

        * stress/inserted-recovery-with-set-last-index.js:

2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
        https://bugs.webkit.org/show_bug.cgi?id=181535

        Reviewed by Saam Barati.

        * stress/inserted-recovery-with-set-last-index.js: Added.
        (shouldBe):
        (foo):
        * stress/materialize-regexp-at-osr-exit.js: Added.
        (shouldBe):
        (test):
        * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
        (shouldBe):
        (test):
        * stress/materialize-regexp-cyclic-regexp.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/materialize-regexp-cyclic.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
        (bar):
        (foo):
        (test):
        * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
        (bar):
        (foo):
        (test):
        * stress/materialize-regexp.js: Added.
        (shouldBe):
        (test):
        * stress/phantom-regexp-regexp-exec.js: Added.
        (shouldBe):
        (test):
        * stress/phantom-regexp-string-match.js: Added.
        (shouldBe):
        (test):
        * stress/regexp-last-index-sinking.js: Added.
        (shouldBe):
        (test):

2018-01-17  Saam Barati  <sbarati@apple.com>

        Disable Atomics when SharedArrayBuffer isn’t enabled
        https://bugs.webkit.org/show_bug.cgi?id=181572
        <rdar://problem/36553206>

        Reviewed by Michael Saboff.

        * stress/isLockFree.js:

2018-01-17  Saam Barati  <sbarati@apple.com>

        DFG::Node::convertToConstant needs to clear the varargs flags
        https://bugs.webkit.org/show_bug.cgi?id=181697
        <rdar://problem/36497332>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
        (doIndexOf):
        (bar):
        (i.bar):

2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r226937.

        Tests added with this change are failing due to a missing
        exception check.

        Reverted changeset:

        "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
        double to int32_t"
        https://bugs.webkit.org/show_bug.cgi?id=181182
        https://trac.webkit.org/changeset/226937

2018-01-13  Caio Lima  <ticaiolima@gmail.com>

        [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
        https://bugs.webkit.org/show_bug.cgi?id=181182

        Reviewed by Darin Adler.

        * bigIntTests.yaml:
        * stress/big-int-constructor.js:
        * stress/big-int-prototype-to-string-cast-overflow.js: Added.
        (assert):
        (assertThrowRangeError):
        * stress/number-prototype-to-string-cast-overflow.js: Added.
        (assert):
        (assertThrowRangeError):

2018-01-12  Saam Barati  <sbarati@apple.com>

        CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
        https://bugs.webkit.org/show_bug.cgi?id=181177
        <rdar://problem/36205704>

        Reviewed by Yusuke Suzuki.

        * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
        (runNearStackLimit.t):
        (runNearStackLimit):
        (test.f):
        (test):

2018-01-12  Saam Barati  <sbarati@apple.com>

        Each variant of a polymorphic inlined call should be exitOK at the top of the block
        https://bugs.webkit.org/show_bug.cgi?id=181562
        <rdar://problem/36445624>

        Reviewed by Yusuke Suzuki.

        * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
        (f):
        (foo):

2018-01-11  Saam Barati  <sbarati@apple.com>

        When inserting Unreachable in byte code parser we need to flush all the right things
        https://bugs.webkit.org/show_bug.cgi?id=181509
        <rdar://problem/36423110>

        Reviewed by Mark Lam.

        * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.

2018-01-11  Saam Barati  <sbarati@apple.com>

        JITMathIC code in the FTL is wrong when code gets duplicated
        https://bugs.webkit.org/show_bug.cgi?id=181525
        <rdar://problem/36351993>

        Reviewed by Michael Saboff and Keith Miller.

        * stress/allow-math-ic-b3-code-duplication.js: Added.

2018-01-11  Saam Barati  <sbarati@apple.com>

        Our for-in caching is wrong when we add indexed properties on things in the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=181508

        Reviewed by Yusuke Suzuki.

        * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
        (assert):
        (test1.foo):
        (test1):
        (test2.foo):
        (test2):

2018-01-09  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
        https://bugs.webkit.org/show_bug.cgi?id=181388
        <rdar://problem/36349351>

        Reviewed by Saam Barati.

        * stress/regress-181388.js: Added.

2018-01-08  JF Bastien  <jfbastien@apple.com>

        WebAssembly: mask indexed accesses to Table
        https://bugs.webkit.org/show_bug.cgi?id=181412
        <rdar://problem/36363236>

        Reviewed by Saam Barati.

        Update error messages.

        * wasm/js-api/table.js:
        (assert.throws.WebAssembly.Table.prototype.grow):

2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>

        Disable SharedArrayBuffer tests missed in r226386.
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Unreviewed test gardening.

        * test262.yaml:

2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
        https://bugs.webkit.org/show_bug.cgi?id=181321

        Reviewed by Saam Barati.

        * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
        (shouldBe):
        (testFunction):
        * test262.yaml:

2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, attempt to fix test262 after r226386.

        * test262.yaml:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        In addition to these tests, map-set-cse.js and set-add-cse.js work.

        * stress/map-set-change-get.js: Added.
        (shouldBe):
        (test):
        * stress/map-set-create-bucket.js: Added.
        (shouldBe):
        (test):
        * stress/set-add-create-bucket.js: Added.
        (shouldBe):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Disabled SharedArrayBuffer tests.

        * stress/SharedArrayBuffer-opt.js:
        * stress/SharedArrayBuffer.js:
        * stress/array-buffer-byte-length.js:
        * stress/atomics-add-uint32.js:
        * stress/atomics-known-int-use.js:
        * stress/atomics-neg-zero.js:
        * stress/atomics-store-return.js:
        * stress/lars-sab-workers.js:
        * stress/regress-159779-1.js:
        * stress/regress-159779-2.js:
        * stress/regress-170473.js:
        * test262.yaml:

2018-01-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
        https://bugs.webkit.org/show_bug.cgi?id=181258

        Reviewed by Antonio Gomes.

        * stress/big-int-constructor-gc.js:
        * stress/big-int-constructor-oom.js:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * stress/inlining-unreachable.js: Added.
        (bar):
        (baz):
        (i.catch):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
        (ctor):
        (theFunc):
        (run):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        * bigIntTests.yaml:
        * stress/big-int-as-key.js: Added.
        * stress/big-int-constructor-gc.js: Added.
        * stress/big-int-constructor-oom.js: Added.
        * stress/big-int-constructor-properties.js: Added.
        * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
        * stress/big-int-constructor-prototype.js: Added.
        * stress/big-int-constructor.js: Added.
        * stress/big-int-function-apply.js:
        * stress/big-int-length.js: Added.
        * stress/big-int-prop-descriptor.js: Added.
        * stress/big-int-proto-constructor.js: Added.
        * stress/big-int-proto-name.js: Added.
        * stress/big-int-prototype-properties.js: Added.
        * stress/big-int-prototype-proto.js: Added.
        * stress/big-int-prototype-value-of.js: Added.
        * stress/big-int-prototype-symbol-to-string-tag.js: Added.
        * stress/big-int-prototype-to-string-apply.js: Added.
        * stress/big-int-to-object.js: Added.
        * stress/big-int-to-string.js: Added.

2017-12-28  Saam Barati  <sbarati@apple.com>

        Assertion used to determine if something is an async generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=181168
        <rdar://problem/35640560>

        Reviewed by Yusuke Suzuki.

        * stress/async-generator-assertion.js: Added.

2017-12-21  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/splay-flash-access tests on memory limited platforms
        https://bugs.webkit.org/show_bug.cgi?id=181086

        Reviewed by Carlos Alberto Lopez Perez.

        These tests use about 185M of memory, and occasionally get OOM-killed
        on memory limited platforms.

        * stress/splay-flash-access-1ms.js:
        * stress/splay-flash-access.js:

2017-12-21  Guillaume Emont  <guijemont@igalia.com>

        Skip slow jsc tests on embedded platforms
        https://bugs.webkit.org/show_bug.cgi?id=180937

        Reviewed by Carlos Alberto Lopez Perez.

        The tests typeProfiler/deltablue-for-of.js and
        typeProfiler/getter-richards.js take a very long time in the
        ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
        thus always timeout. They should be skipped on these platforms.

        * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
        * typeProfiler/getter-richards.js: Skip on arm*/mips.

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not check isValid() in op_new_regexp
        https://bugs.webkit.org/show_bug.cgi?id=180970

        Reviewed by Saam Barati.

        * stress/regexp-syntax-error-invalid-flags.js: Added.
        (shouldThrow):

2017-12-18  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
        https://bugs.webkit.org/show_bug.cgi?id=180712

        Reviewed by Michael Catanzaro.

        stress/call-apply-exponential-bytecode-size.js crashes if the
        ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
        MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
        should skip the test on other platforms.

        * stress/call-apply-exponential-bytecode-size.js:

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] NewArrayBuffer should be sinked if it is only used for spreading
        https://bugs.webkit.org/show_bug.cgi?id=179762

        Reviewed by Saam Barati.

        * stress/call-varargs-double-new-array-buffer.js: Added.
        (assert):
        (bar):
        (foo):
        * stress/call-varargs-spread-new-array-buffer.js: Added.
        (assert):
        (bar):
        (foo):
        * stress/call-varargs-spread-new-array-buffer2.js: Added.
        (assert):
        (bar):
        (foo):
        * stress/forward-varargs-double-new-array-buffer.js: Added.
        (assert):
        (test.baz):
        (test.bar):
        (test.foo):
        (test):
        * stress/new-array-buffer-sinking-osrexit.js: Added.
        (target):
        (test):
        * stress/new-array-with-spread-double-new-array-buffer.js: Added.
        (shouldBe):
        (test):
        * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
        (shouldBe):
        (target):
        (test):
        * stress/phantom-new-array-buffer-forward-varargs.js: Added.
        (assert):
        (test1.bar):
        (test1.foo):
        (test1):
        (test2.bar):
        (test2.foo):
        (test3.baz):
        (test3.bar):
        (test3.foo):
        (test4.baz):
        (test4.bar):
        (test4.foo):
        * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
        (assert):
        (test.baz):
        (test.bar):
        (test.foo):
        (test):
        * stress/phantom-new-array-buffer-osr-exit.js: Added.
        (assert):
        (baz):
        (bar):
        (effects):
        (foo):

2017-12-14  Saam Barati  <sbarati@apple.com>

        The CleanUp after LICM is erroneously removing a Check
        https://bugs.webkit.org/show_bug.cgi?id=180852
        <rdar://problem/36063494>

        Reviewed by Filip Pizlo.

        * stress/dont-run-cleanup-after-licm.js: Added.

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        New regression test.

        * stress/regress-180761.js: Added.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        Reviewed by Mark Lam.

        * stress/int16-put-by-val-in-and-out-of-bounds.js:
        (test):

2017-12-13  Saam Barati  <sbarati@apple.com>

        Arrow functions need their own structure because they have different properties than sloppy functions
        https://bugs.webkit.org/show_bug.cgi?id=180779
        <rdar://problem/35814591>

        Reviewed by Mark Lam.

        * stress/arrow-function-needs-its-own-structure.js: Added.
        (assert):
        (readPrototype):
        (noInline.let.f1):
        (noInline):

2017-12-13  Saam Barati  <sbarati@apple.com>

        Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
        https://bugs.webkit.org/show_bug.cgi?id=163579
        <rdar://problem/35455798>

        Reviewed by Mark Lam.

        * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
        (assert):
        (test1):
        (i.test1):
        (i.test1.C):
        (i.test1.async.foo):
        (i.test1.foo):
        (test2):

2017-12-13  Saam Barati  <sbarati@apple.com>

        TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
        https://bugs.webkit.org/show_bug.cgi?id=180734
        <rdar://problem/35640547>

        Reviewed by Yusuke Suzuki.

        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
        (__isPropertyOfType):
        (__getProperties):
        (__getObjects):
        (__getRandomObject):
        (theClass.):
        (theClass):
        (childClass):
        (counter.catch):

2017-12-12  Saam Barati  <sbarati@apple.com>

        We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
        https://bugs.webkit.org/show_bug.cgi?id=180725
        <rdar://problem/35970511>

        Reviewed by Michael Saboff.

        * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
        (f1):
        (f2):
        (let.o2.valueOf):

2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement optimized WeakMap and WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=179929

        Reviewed by Saam Barati.

        * microbenchmarks/weak-map-key.js:
        * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
        (assert):
        (objectKey):
        (let.start.Date.now):
        * stress/basic-weakmap.js: Added.
        (shouldBe):
        (test):
        * stress/basic-weakset.js: Added.
        (shouldBe):
        (test.set new):
        * stress/weakmap-cse-set-break.js: Added.
        (shouldBe):
        (test):
        * stress/weakmap-cse.js: Added.
        (shouldBe):
        (test):
        * stress/weakmap-gc.js: Added.
        (test):
        * stress/weakset-cse-add-break.js: Added.
        (shouldBe):
        (test.set new):
        * stress/weakset-cse.js: Added.
        (shouldBe):
        (test.set new):
        * stress/weakset-gc.js: Added.
        (test.set add):
        (test.set new):
        (test):

2017-12-12  Saam Barati  <sbarati@apple.com>

        ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
        https://bugs.webkit.org/show_bug.cgi?id=180723
        <rdar://problem/35859726>

        Reviewed by JF Bastien.

        * stress/get-my-argument-by-val-constant-folding.js: Added.
        (test):
        (catch):

2017-12-12  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigInt literals and JSBigInt
        https://bugs.webkit.org/show_bug.cgi?id=179000

        Reviewed by Darin Adler and Yusuke Suzuki.

        * bigIntTests.yaml: Added.
        * stress/big-int-literal-line-terminator.js: Added.
        * stress/big-int-literals.js: Added.
        * stress/big-int-operations-error.js: Added.
        * stress/big-int-type-of.js: Added.
        * stress/big-int-white-space-trailing-leading.js: Added.
        * stress/big-int-function-apply.js: Added.

2017-12-11  Saam Barati  <sbarati@apple.com>

        We need to disableCaching() in ErrorInstance when we materialize properties
        https://bugs.webkit.org/show_bug.cgi?id=180343
        <rdar://problem/35833002>

        Reviewed by Mark Lam.

        * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
        (assert):
        (makeError):
        (storeToStack):
        (storeToStackAlreadyMaterialized):

2017-12-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: don't eagerly checksum
        https://bugs.webkit.org/show_bug.cgi?id=180441
        <rdar://problem/35156628>

        Reviewed by Saam Barati.

        Checksum is now disabled, so tests only have <?> as the module
        name.

        * wasm/function-tests/nameSection.js:
        * wasm/function-tests/stack-overflow.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
        (assertOverflows.assertThrows):
        (assertOverflows):
        * wasm/function-tests/stack-trace.js:

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Proxy all functions, except the $ objects
        https://bugs.webkit.org/show_bug.cgi?id=180375

        Reviewed by Saam Barati.

        It looks like this test may have broken some executions because I
        call some internal objects. Explicitly ignore objects whose name
        starts with "$" because it's a bad idea anyways.

        * stress/proxy-all-the-parameters.js:
        (generateObjects):
        (get throw):

2017-12-04  Saam Barati  <sbarati@apple.com>

        We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
        https://bugs.webkit.org/show_bug.cgi?id=180366
        <rdar://problem/35685877>

        Reviewed by Michael Saboff.

        * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
        (theParent):
        (test1.base.getParentStaticValue):
        (test1.base):
        (test1.__v_24888.prototype.set prop):
        (test1.__v_24888):
        (test2.base.getParentStaticValue):
        (test2.base):
        (test2.__v_24888.prototype.set prop):
        (test2.__v_24888):
        (test2):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        Try proxying all function arguments
        https://bugs.webkit.org/show_bug.cgi?id=180306

        Reviewed by Saam Barati.

        * stress/proxy-all-the-parameters.js: Added.
        (isPropertyOfType):
        (getProperties):
        (generateObjects):
        (getObjects):
        (getFunctions):
        (get throw):
        (let.o.of.getObjects.let.f.of.getFunctions.catch):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: missing exception checks in Math functions that take more than one argument
        https://bugs.webkit.org/show_bug.cgi?id=180297
        <rdar://problem/35745556>

        Reviewed by Mark Lam.

        * stress/math-exceptions.js: Added.
        (get try):
        (catch):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: add test for weird class static getters
        https://bugs.webkit.org/show_bug.cgi?id=180281
        <rdar://problem/35592139>

        Reviewed by Mark Lam.

        I fixed a bug for it in r224927 and didn't add a test. Do so.

        * stress/class-static-get-weird.js: Added.
        (c.prototype.get name):
        (c):
        (c.prototype.get arguments):
        (c.prototype.get caller):
        (c.prototype.get length):

2017-12-01  Saam Barati  <sbarati@apple.com>

        Having a bad time needs to handle ArrayClass indexing type as well
        https://bugs.webkit.org/show_bug.cgi?id=180274
        <rdar://problem/35667869>

        Reviewed by Keith Miller and Mark Lam.

        * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
        (assert):
        * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
        (assert):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: restore cached stack limit after out-call
        https://bugs.webkit.org/show_bug.cgi?id=179106
        <rdar://problem/35337525>

        Reviewed by Saam Barati.

        * wasm/function-tests/double-instance.js: Added.
        (const.imp.boom):
        (const.imp.get callAnother):

2017-11-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: improve stack trace
        https://bugs.webkit.org/show_bug.cgi?id=179343

        Reviewed by Saam Barati.

        Update the tests to follow the new format. Notably, SHA1 module
        hash is now included in traces, and stubs are properly identified.

        * wasm/assert.js: Add an assertion which matches regular expressions.
        * wasm/function-tests/nameSection.js:
        * wasm/function-tests/stack-overflow.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
        (assertOverflows.assertThrows.wasm.1):
        (assertOverflows.assertThrows.wasm.0):
        (assertOverflows.assertThrows):
        (assertOverflows):
        * wasm/function-tests/stack-trace.js:
        (import.Builder.from.string_appeared_here.assert): Deleted.
        * wasm/function-tests/trap-after-cross-instance-call.js:
        (wasmFrameCountFromError):
        * wasm/function-tests/trap-load-2.js:
        (wasmFrameCountFromError):
        * wasm/function-tests/trap-load.js:
        (wasmFrameCountFromError):

2017-11-30  Mark Lam  <mark.lam@apple.com>

        jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
        https://bugs.webkit.org/show_bug.cgi?id=180219
        <rdar://problem/35696536>

        Reviewed by Filip Pizlo.

        * stress/regress-180219.js: Added.

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
        https://bugs.webkit.org/show_bug.cgi?id=180190

        Reviewed by Mark Lam.

        * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-double-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32.js: Added.
        (shouldBe):
        (test2):
        * stress/operation-in-negative-int32-cast.js: Added.
        (shouldBe):
        (test1):

2017-11-28  JF Bastien  <jfbastien@apple.com>

        Strict and sloppy functions shouldn't share structure
        https://bugs.webkit.org/show_bug.cgi?id=180103
        <rdar://problem/35667847>

        Reviewed by Saam Barati.

        * stress/get-by-id-strict-arguments.js: Added. Used to not throw
        because the IC was wrong.
        (foo):
        (bar):
        (baz):
        (catch):
        * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
        in this patch, but may as well test odd strict mode corner cases.
        (bar):
        (baz):
        (catch):
        * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
        (foo):
        (bar):
        (baz):
        (catch):
        * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
        next file, but with invalidation of the FunctionExecutable's
        singletonFunction() to hit SpeculativeJIT::compileNewFunction's
        slower path.
        (foo):
        (bar.const.x):
        (bar.const.y):
        (bar):
        (catch):
        * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
        strict nesting works correctly.
        (foo):
        (bar.baz):
        (bar):
        * stress/strict-function-structure.js: Added. The test used to
        assert in objectProtoFuncHasOwnProperty.
        (foo):
        (bar):
        (baz):
        * stress/strict-nested-function-structure.js: Added. Nesting.
        (foo):
        (bar):
        (baz.boo):
        (baz):

2017-11-29  Robin Morisset  <rmorisset@apple.com>

        The recursive tail call optimisation is wrong on closures
        https://bugs.webkit.org/show_bug.cgi?id=179835

        Reviewed by Saam Barati.

        * stress/closure-recursive-tail-call.js: Added.
        (makeClosure):

2017-11-27  JF Bastien  <jfbastien@apple.com>

        JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=180051
        <rdar://problem/35614371>

        Reviewed by Saam Barati.

        * stress/rest-parameter-negative.js: Added.
        (__f_5484):
        (catch):
        (__f_5485):
        (__v_22598.catch):

2017-11-27  Saam Barati  <sbarati@apple.com>

        Spread can escape when CreateRest does not
        https://bugs.webkit.org/show_bug.cgi?id=180057
        <rdar://problem/35676119>

        Reviewed by JF Bastien.

        * stress/spread-escapes-but-create-rest-does-not.js: Added.
        (assert):
        (getProperties):
        (theFunc):
        (let.obj.valueOf):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add NormalizeMapKey DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=179912

        Reviewed by Saam Barati.

        * stress/map-untyped-normalize-cse.js: Added.
        (shouldBe):
        (test):
        * stress/map-untyped-normalize.js: Added.
        (shouldBe):
        (test):
        * stress/set-untyped-normalize-cse.js: Added.
        (shouldBe):
        (set return.set has.set has):
        * stress/set-untyped-normalize.js: Added.
        (shouldBe):
        (set return.set has):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support DeleteById and DeleteByVal
        https://bugs.webkit.org/show_bug.cgi?id=180022

        Reviewed by Saam Barati.

        * stress/delete-by-id.js: Added.
        (shouldBe):
        (test1):
        (test2):
        * stress/delete-by-val-ftl.js: Added.
        (shouldBe):
        (test1):
        (test2):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduce {Set,Map,WeakMap}Fields
        https://bugs.webkit.org/show_bug.cgi?id=179925

        Reviewed by Saam Barati.

        * stress/map-set-clobber-map-get.js: Added.
        (shouldBe):
        (test):
        * stress/map-set-does-not-clobber-set-has.js: Added.
        (shouldBe):
        * stress/map-set-does-not-clobber-weak-map-get.js: Added.
        (shouldBe):
        (test):
        * stress/set-add-clobber-set-has.js: Added.
        (shouldBe):
        * stress/set-add-does-not-clobber-map-get.js: Added.
        (shouldBe):

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Move unsafe jsc shell test functions to the $vm object.
        https://bugs.webkit.org/show_bug.cgi?id=179980

        Reviewed by Yusuke Suzuki.

        * controlFlowProfiler/driver/driver.js:
        * controlFlowProfiler/execution-count.js:
        * controlFlowProfiler/if-statement.js:
        * controlFlowProfiler/loop-statements.js:
        * controlFlowProfiler/switch-statements.js:
        * controlFlowProfiler/test-jit.js:
        * exceptionFuzz/3d-cube.js:
        * exceptionFuzz/date-format-xparb.js:
        * exceptionFuzz/earley-boyer.js:
        * heapProfiler/basic-edges.js:
        * heapProfiler/property-edge-types.js:
        * microbenchmarks/try-get-by-id-basic.js:
        * microbenchmarks/try-get-by-id-polymorphic.js:
        * modules/namespace-object-try-get.js:
        * stress/argument-count-bytecode.js:
        * stress/argument-intrinsic-basic.js:
        * stress/argument-intrinsic-inlining-use-caller-arg.js:
        * stress/argument-intrinsic-inlining-with-result-escape.js:
        * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
        * stress/argument-intrinsic-inlining-with-vararg.js:
        * stress/argument-intrinsic-nested-inlining.js:
        * stress/argument-intrinsic-not-convert-to-get-argument.js:
        * stress/argument-intrinsic-with-stack-write.js:
        * stress/arity-mismatch-get-argument.js:
        * stress/array-message-passing.js:
        * stress/array-push-with-force-exit.js:
        * stress/check-dom-with-signature.js:
        * stress/check-sub-class.js:
        * stress/compare-eq-incomplete-profile.js:
        * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
        * stress/do-eval-virtual-call-correctly.js:
        * stress/dom-jit-with-poly-proto.js:
        * stress/domjit-exception-ic.js:
        * stress/domjit-exception.js:
        * stress/domjit-getter-complex-with-incorrect-object.js:
        * stress/domjit-getter-complex.js:
        * stress/domjit-getter-poly.js:
        * stress/domjit-getter-proto.js:
        * stress/domjit-getter-super-poly.js:
        * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
        * stress/domjit-getter-type-check.js:
        * stress/domjit-getter.js:
        * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
        * stress/for-in-proxy-target-changed-structure.js:
        * stress/for-in-proxy.js:
        * stress/generational-opaque-roots.js:
        * stress/global-const-redeclaration-setting-2.js:
        * stress/global-const-redeclaration-setting-3.js:
        * stress/global-const-redeclaration-setting-4.js:
        * stress/global-const-redeclaration-setting-5.js:
        * stress/global-const-redeclaration-setting.js:
        * stress/import-basic.js:
        * stress/import-from-eval.js:
        * stress/import-reject-with-exception.js:
        * stress/import-syntax.js:
        * stress/impure-get-own-property-slot-inline-cache.js:
        * stress/is-constructor.js:
        * stress/istypedarrayview-intrinsic.js:
        * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
        * stress/jsc-test-functions-should-be-more-robust.js:
        * stress/object-toString-with-proxy.js:
        * stress/poly-proto-custom-value-and-accessor.js:
        * stress/proxy-inline-cache.js:
        * stress/re-execute-error-module.js:
        * stress/regress-150532.js:
        * stress/regress-156992.js:
        * stress/regress-179619.js:
        * stress/resources/shadow-chicken-support.js:
        * stress/runtime-array.js:
        * stress/sampling-profiler-microtasks.js:
        * stress/shadow-chicken-enabled.js:
        * stress/spread-correct-global-object-on-exception.js:
        * stress/super-get-by-id.js:
        * stress/tailCallForwardArguments.js:
        * stress/to-object-intrinsic-boolean-edge.js:
        * stress/to-object-intrinsic-null-or-undefined-edge.js:
        * stress/to-object-intrinsic-number-edge.js:
        * stress/to-object-intrinsic-object-edge.js:
        * stress/to-object-intrinsic-string-edge.js:
        * stress/to-object-intrinsic-symbol-edge.js:
        * stress/to-object-intrinsic.js:
        * stress/try-catch-custom-getter-as-get-by-id.js:
        * stress/try-get-by-id-poly-proto.js:
        * stress/try-get-by-id-should-spill-registers-dfg.js:
        * stress/try-get-by-id.js:
        * typeProfiler/arrow-functions.js:
        * typeProfiler/basic.js:
        * typeProfiler/captured.js:
        * typeProfiler/classes.js:
        * typeProfiler/dfg-jit-optimizations.js:
        * typeProfiler/dictionary-mode.js:
        * typeProfiler/es6-block-scoping.js:
        * typeProfiler/es6-classes.js:
        * typeProfiler/inheritance.js:
        * typeProfiler/int52-dfg.js:
        * typeProfiler/loop.js:
        * typeProfiler/optional-fields.js:
        * typeProfiler/overflow.js:
        * typeProfiler/return.js:
        * typeProfiler/symbol.js:
        * typeProfiler/weird-prototype-chain.js:

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support MapSet / SetAdd intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=179858

        Reviewed by Saam Barati.

        * microbenchmarks/map-has-and-set.js: Added.
        (test):
        * stress/map-set-check-failure.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/map-set-cse.js: Added.
        (shouldBe):
        (test):
        * stress/set-add-check-failure.js: Added.
        (shouldBe):
        (shouldThrow):
        (set shouldThrow):
        * stress/set-add-cse.js: Added.
        (shouldBe):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Allow poly proto for intrinsic getters
        https://bugs.webkit.org/show_bug.cgi?id=179550

        Reviewed by Saam Barati.

        This change is also tested by existing tests.

            1. stress/intrinsic-getter-with-poly-proto.js
            2. stress/poly-proto-intrinsic-getter-correctness.js

        * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):

2017-11-20  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
        https://bugs.webkit.org/show_bug.cgi?id=179744

        Reviewed by Michael Catanzaro.

        This test uses too much memory for our buildbots on these platforms
        and gets OOM-killed.

        * stress/unshiftCountSlowCase-correct-postCapacity.js:
        Skip if $memoryLimited and linux.

2017-11-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: throw when a promise can't be created
        https://bugs.webkit.org/show_bug.cgi?id=179826
        <rdar://problem/35455813>

        Reviewed by Mark Lam.

        Test WebAssembly.{compile,instantiate} where promise creation
        fails because of a stack overflow.

        * wasm/js-api/promise-stack-overflow.js: Added.
        (const.runNearStackLimit.f.const.t):
        (async.testCompile):
        (async.testInstantiate):

2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, mark regress-178385.js as memory exhausting

        * stress/regress-178385.js:

2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>

        Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.

        Unreviewed test gardening.

        * test262.yaml:

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
        https://bugs.webkit.org/show_bug.cgi?id=179763
        <rdar://problem/35550513>

        Reviewed by Keith Miller.

        Just adding a slightly cleaned-up version of the original fuzzer-found test.

        * stress/tdz-this-in-try-catch.js: Added.
        (__v_6388):
        (__v_6392):

2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support Array::DirectArguments with OutOfBounds
        https://bugs.webkit.org/show_bug.cgi?id=179594

        Reviewed by Saam Barati.

        * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
        (shouldBe):
        (args):
        * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
        (shouldBe):
        (args):

2017-11-14  Saam Barati  <sbarati@apple.com>

        We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=179639
        <rdar://problem/35513018>

        Reviewed by JF Bastien.

        * wasm/function-tests/grow-memory-cause-gc.js: Added.
        (escape):
        (i.func):

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Add more overflow check book-keeping for MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=179634
        <rdar://problem/35492517>

        Reviewed by Saam Barati.

        * stress/regress-179634.js: Added.

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell loadGetterFromGetterSetter() function more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179619
        <rdar://problem/35492518>

        Reviewed by Saam Barati.

        * stress/regress-179619.js: Added.

2017-11-12  Mark Lam  <mark.lam@apple.com>

        We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
        https://bugs.webkit.org/show_bug.cgi?id=179562
        <rdar://problem/35467022>

        Reviewed by Saam Barati.

        * regress-179562.js: Added.

2017-11-08  Saam Barati  <sbarati@apple.com>

        A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
        https://bugs.webkit.org/show_bug.cgi?id=177792

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
        (assert):
        (foo.Foo.prototype.ensureX):
        (foo.Foo):
        (foo):
        (access):

2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>

        Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
        https://bugs.webkit.org/show_bug.cgi?id=178592

        Unreviewed test gardening.

        * test262.yaml:

2017-11-08  Robin Morisset  <rmorisset@apple.com>

        Turn recursive tail calls into loops
        https://bugs.webkit.org/show_bug.cgi?id=176601

        Reviewed by Saam Barati.

        Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.

        Add some simple test that computes factorial in several ways, and other trivial computations.
        They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
        Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
        I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
        (which it doesn't if that tail call is transformed into a loop in the unsound cases).

        * stress/inline-call-to-recursive-tail-call.js: Added.
        (factorial.aux):
        (factorial):
        (factorial2.aux2):
        (factorial2.id):
        (factorial2):
        (factorial3.aux3):
        (factorial3):
        (aux4):
        (factorial4):
        (foo):
        (auxBar):
        (bar):
        (test):

2017-11-07  Mark Lam  <mark.lam@apple.com>

        AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
        https://bugs.webkit.org/show_bug.cgi?id=179355
        <rdar://problem/35263053>

        Reviewed by Saam Barati.

        * stress/regress-179355.js: Added.

2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
        https://bugs.webkit.org/show_bug.cgi?id=144458

        Reviewed by Saam Barati.

        * microbenchmarks/dfg-internal-function-call.js: Added.
        (target):
        * microbenchmarks/dfg-internal-function-construct.js: Added.
        (target):
        * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
        (target):
        * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
        (target):
        * stress/dfg-internal-function-call.js: Added.
        (shouldBe):
        (target):
        * stress/dfg-internal-function-construct.js: Added.
        (shouldBe):
        (target):
        * stress/internal-function-call.js: Added.
        (shouldBe):
        * stress/internal-function-construct.js: Added.
        (shouldBe):

2017-11-05  Per Arne Vollan  <pvollan@apple.com>

        [Win] Skip stress/regress-178385.js.
        https://bugs.webkit.org/show_bug.cgi?id=179298

        Unreviewed test gardening.

        * stress/regress-178385.js:

2017-11-03  Keith Miller  <keith_miller@apple.com>

        Add test for ic with side effects
        https://bugs.webkit.org/show_bug.cgi?id=179268

        Reviewed by Saam Barati.

        * stress/put-inline-cache-side-effects.js: Added.
        (let.i.of.objs.keys):
        (f):

2017-11-03  Mark Lam  <mark.lam@apple.com>

        CachedCall (and its clients) needs overflow checks.
        https://bugs.webkit.org/show_bug.cgi?id=179185

        Reviewed by JF Bastien.

        * stress/regress-179185.js: Added.

2017-11-02  Michael Saboff  <msaboff@apple.com>

        DFG needs to handle code motion of code in for..in loop bodies
        https://bugs.webkit.org/show_bug.cgi?id=179212

        Reviewed by Keith Miller.

        New regression test.

        * stress/for-in-side-effects.js: Added.
        (getPrototypeOf):
        (reset):
        (testWithoutFTL.f):
        (testWithoutFTL):
        (testWithFTL.f):
        (testWithFTL):

2017-11-02  Filip Pizlo  <fpizlo@apple.com>

        AI does not correctly model the clobber case of ArithClz32
        https://bugs.webkit.org/show_bug.cgi?id=179188

        Reviewed by Michael Saboff.

        * stress/arith-clz32-effects.js: Added.
        (foo):
        (valueOf):

2017-11-01  Michael Saboff  <msaboff@apple.com>

        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
        https://bugs.webkit.org/show_bug.cgi?id=179140

        Reviewed by Saam Barati.

        New regression test.

        * stress/regress-179140.js: Added.
        (testWithoutFTL):
        (testWithFTL):

2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @toObject
        https://bugs.webkit.org/show_bug.cgi?id=178726

        Reviewed by Saam Barati.

        * stress/array-copywithin.js:
        (shouldThrow):
        * stress/object-constructor-boolean-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-global.js: Added.
        (shouldBe):
        * stress/object-constructor-null-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-number-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-object-edge.js: Added.
        (shouldBe):
        (test):
        (i.arg):
        * stress/object-constructor-string-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-symbol-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-undefined-edge.js: Added.
        (shouldBe):
        (test):
        * stress/symbol-array-from.js: Added.
        (shouldBe):
        * stress/to-object-intrinsic-boolean-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
        (shouldThrow):
        * stress/to-object-intrinsic-number-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic-object-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        (i.arg):
        * stress/to-object-intrinsic-string-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic-symbol-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic.js: Added.
        (shouldBe):
        (shouldThrow):
        (builtin.createBuiltin):

2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Introduce StringSlice
        https://bugs.webkit.org/show_bug.cgi?id=178934

        Reviewed by Saam Barati.

        * microbenchmarks/string-slice-empty.js: Added.
        (slice):
        * microbenchmarks/string-slice-one-char.js: Added.
        (slice):
        * microbenchmarks/string-slice.js: Added.
        (slice):

2017-10-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
        https://bugs.webkit.org/show_bug.cgi?id=178890

        Reviewed by Keith Miller.

        New regression test.

        * stress/regress-178890.js: Added.

2017-10-26  Mark Lam  <mark.lam@apple.com>

        JSRopeString::RopeBuilder::append() should check for overflows.
        https://bugs.webkit.org/show_bug.cgi?id=178385
        <rdar://problem/35027468>

        Reviewed by Saam Barati.

        * stress/regress-178385.js: Added.

2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r223961.

        The change that required this has been rolled out.

        Reverted changeset:

        "Mark test262.yaml/test262/test/language/statements/try/tco-
        catch.js as passing."
        https://bugs.webkit.org/show_bug.cgi?id=178592
        https://trac.webkit.org/changeset/223961

2017-10-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223691 and r223729.
        https://bugs.webkit.org/show_bug.cgi?id=178834

        Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
        by rniwa on #webkit).

        Reverted changesets:

        "Turn recursive tail calls into loops"
        https://bugs.webkit.org/show_bug.cgi?id=176601
        https://trac.webkit.org/changeset/223691

        "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
        comparison is always false due to limited range of data type
        [-Wtype-limits]"
        https://bugs.webkit.org/show_bug.cgi?id=178543
        https://trac.webkit.org/changeset/223729

2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>

        Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
        https://bugs.webkit.org/show_bug.cgi?id=178592

        Unreviewed test gardening.

        * test262.yaml:

2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support NewStringObject
        https://bugs.webkit.org/show_bug.cgi?id=178737

        Reviewed by Saam Barati.

        * stress/new-string-object.js: Added.
        (shouldBe):
        (test):

2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
        https://bugs.webkit.org/show_bug.cgi?id=178308

        Reviewed by Mark Lam.

        * test262.yaml:

2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use fastJoin in Array#toString
        https://bugs.webkit.org/show_bug.cgi?id=178062

        Reviewed by Darin Adler.

        * microbenchmarks/contiguous-array-to-string.js: Added.
        (target):
        * microbenchmarks/double-array-to-string.js: Added.
        (target):
        * microbenchmarks/int32-array-to-string.js: Added.
        (target):

2017-10-22  Zan Dobersek  <zdobersek@igalia.com>

        stress/check-string-ident.js is improperly skipped
        https://bugs.webkit.org/show_bug.cgi?id=178642

        Reviewed by Saam Barati.

        * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
        since it enforces the run-jsc-stress-tests script to still set up the
        test to run, despite the skip directive that's used before.

2017-10-20  Mark Lam  <mark.lam@apple.com>

        Add a test case for r214334.
        https://bugs.webkit.org/show_bug.cgi?id=169941
        <rdar://problem/31221258>

        Reviewed by JF Bastien.

        * stress/regress-169941.js: Added.

2017-10-19  JF Bastien  <jfbastien@apple.com>

        WebAssembly: no VM / JS version of everything but Instance
        https://bugs.webkit.org/show_bug.cgi?id=177473

        Reviewed by Filip Pizlo, Saam Barati.

        - Exceeding max on memory growth now returns a range error as per
        spec. This is a (very minor) breaking change: it used to throw OOM
        error. Update the corresponding test.

        * wasm/js-api/memory-grow.js:
        (assertEq):
        * wasm/js-api/table.js:
        (assert.throws):

2017-10-19  Mark Lam  <mark.lam@apple.com>

        Stringifier::appendStringifiedValue() is missing an exception check.
        https://bugs.webkit.org/show_bug.cgi?id=178386
        <rdar://problem/35027610>

        Reviewed by Saam Barati.

        * stress/regress-178386.js: Added.

2017-10-19  Michael Saboff  <msaboff@apple.com>

        Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
        https://bugs.webkit.org/show_bug.cgi?id=178521

        Reviewed by JF Bastien.

        * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
        now passes with the current version (5.0) of the Emoji spec.

2017-10-19  Robin Morisset  <rmorisset@apple.com>

        Turn recursive tail calls into loops
        https://bugs.webkit.org/show_bug.cgi?id=176601

        Reviewed by Saam Barati.

        Add some simple test that computes factorial in several ways, and other trivial computations.
        They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
        Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
        I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
        (which it doesn't if that tail call is transformed into a loop in the unsound cases).

        * stress/inline-call-to-recursive-tail-call.js: Added.
        (factorial.aux):
        (factorial):
        (factorial2.aux):
        (factorial2.id):
        (factorial2):
        (factorial3.aux):
        (factorial3):
        (aux):
        (factorial4):
        (test):

2017-10-18  Mark Lam  <mark.lam@apple.com>

        RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
        https://bugs.webkit.org/show_bug.cgi?id=177600
        <rdar://problem/34710985>

        Reviewed by Saam Barati.

        * stress/regress-177600.js: Added.

2017-10-18  Mark Lam  <mark.lam@apple.com>

        The compiler should always register a structure when it adds its transitionWatchPointSet.
        https://bugs.webkit.org/show_bug.cgi?id=178420
        <rdar://problem/34814024>

        Reviewed by Saam Barati and Filip Pizlo.

        * stress/regress-178420.js: Added.
        (new.Array.10000.map):

2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] __proto__ getter should be fast
        https://bugs.webkit.org/show_bug.cgi?id=178067

        Reviewed by Saam Barati.

        * stress/dfg-object-proto-accessor.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-proto-getter.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-reflect-get-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/intrinsic-getter-with-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-filtered.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        (i.Cocoa):
        * stress/object-get-prototype-of-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-proto-getter-filtered.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        (i.Cocoa):
        * stress/object-proto-getter-poly-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-proto-getter-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
        * stress/string-proto.js: Added.
        (shouldBe):
        (target):

2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r223523.

        A test for this change is failing on debug JSC bots.

        Reverted changeset:

        "[JSC] __proto__ getter should be fast"
        https://bugs.webkit.org/show_bug.cgi?id=178067
        https://trac.webkit.org/changeset/223523

2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] __proto__ getter should be fast
        https://bugs.webkit.org/show_bug.cgi?id=178067

        Reviewed by Saam Barati.

        * stress/dfg-object-proto-accessor.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-proto-getter.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-reflect-get-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/object-get-prototype-of-filtered.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        (i.Cocoa):
        * stress/object-get-prototype-of-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-proto.js: Added.