Fix crashes due to mishandling custom sections.

[WebKit-https.git] / JSTests / ChangeLog

2018-02-01  Keith Miller  <keith_miller@apple.com>

        Fix crashes due to mishandling custom sections.
        https://bugs.webkit.org/show_bug.cgi?id=182404
        <rdar://problem/36935863>

        Reviewed by Saam Barati.

        * wasm/Builder.js:
        (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
        * wasm/js-api/validate.js:
        (assert.truthy):

2018-01-31  Saam Barati  <sbarati@apple.com>

        JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
        https://bugs.webkit.org/show_bug.cgi?id=182074
        <rdar://problem/36846261>

        Reviewed by Mark Lam.

        * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
        (assert):
        (let.func):
        (let.o.foo):
        (varFunc):

2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, update test262 expects
        https://bugs.webkit.org/show_bug.cgi?id=182232

        * test262.yaml:

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement trimStart and trimEnd
        https://bugs.webkit.org/show_bug.cgi?id=182233

        Reviewed by Mark Lam.

        * stress/trim.js: Added.
        (shouldBe):
        (startTest):
        (endTest):
        (trimTest):

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Relax line terminators in String to make JSON subset of JS
        https://bugs.webkit.org/show_bug.cgi?id=182232

        Reviewed by Keith Miller.

        * ChakraCore/test/es5/Lex_u3.baseline-jsc:
        * stress/relaxed-line-terminators-in-string.js: Added.
        (shouldBe):

2018-01-29  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
        https://bugs.webkit.org/show_bug.cgi?id=182249

        Reviewed by Keith Miller.

        New regression test.

        * stress/compare-clobber-untypeduse.js: Added.

2018-01-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r227725.

        This caused internal failures.

        Reverted changeset:

        "JSC Sampling Profiler: Detect tester and testee when sampling
        in RegExp JIT"
        https://bugs.webkit.org/show_bug.cgi?id=152729
        https://trac.webkit.org/changeset/227725

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
        https://bugs.webkit.org/show_bug.cgi?id=152729

        Reviewed by Saam Barati.

        * stress/sampling-profiler-regexp.js: Added.
        (platformSupportsSamplingProfiler.test):
        (platformSupportsSamplingProfiler.baz):
        (platformSupportsSamplingProfiler):

2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] WeakMap#set should have DFG node
        https://bugs.webkit.org/show_bug.cgi?id=180015

        Reviewed by Saam Barati.

        * stress/weakmap-set-change-get.js: Added.
        (shouldBe):
        (test):
        * stress/weakmap-set-cse.js: Added.
        (shouldBe):
        (test):
        * stress/weakset-add-change-get.js: Added.
        (shouldBe):
        * stress/weakset-add-cse.js: Added.
        (shouldBe):

2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
        https://bugs.webkit.org/show_bug.cgi?id=182213

        Reviewed by Mark Lam.

        * stress/int32-min-to-string.js: Added.
        (shouldBe):
        (test2):
        (test4):
        (test8):
        (test16):
        (test32):
        * stress/zero-to-string.js: Added.
        (shouldBe):
        (test2):
        (test4):
        (test8):
        (test16):
        (test32):

2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add more module scope related tests with code evaluation by string
        https://bugs.webkit.org/show_bug.cgi?id=181983

        Reviewed by Sam Weinig.

        Add more module scope related tests. When the original tests are landed,
        we do not have browser integration. This patch adds more module scope tests
        with dynamically created script evaluation. We add tests with Function
        constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.

        * modules/scopes-eval.js: Added.
        (shouldBe):
        * modules/scopes.js:
        (shouldBe):

2018-01-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.

        * microbenchmarks/array-push-3.js: Removed.
        * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
        * microbenchmarks/double-to-int32.js: Removed.
        * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
        * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
        * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
        * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
        * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
        * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
        * microbenchmarks/ftl-polymorphic-sub.js: Removed.
        * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
        * microbenchmarks/map-constant-key.js: Removed.
        * microbenchmarks/nested-function-parsing.js: Removed.
        * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
        * microbenchmarks/spread-large-array.js: Removed.
        * microbenchmarks/string-add-constant-folding.js: Removed.
        * microbenchmarks/to-lower-case.js: Removed.
        * microbenchmarks/undefined-property-access.js: Removed.
        * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
        * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
        * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
        * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
        * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
        * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
        * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
        * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
        * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
        * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
        * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
        * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
        * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
        * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
        * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
        * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
        * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
        * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.

2018-01-23  Robin Morisset  <rmorisset@apple.com>

        Update the argument count in DFGByteCodeParser::handleRecursiveCall
        https://bugs.webkit.org/show_bug.cgi?id=181739
        <rdar://problem/36627662>

        Reviewed by Saam Barati.

        * stress/recursive-tail-call-with-different-argument-count.js: Added.
        (foo):
        (bar):

2018-01-22  Michael Saboff  <msaboff@apple.com>

        DFG abstract interpreter needs to properly model effects of some Math ops
        https://bugs.webkit.org/show_bug.cgi?id=181886

        Reviewed by Saam Barati.

        New regression test.

        * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
        (test):

2018-01-20  Caio Lima  <ticaiolima@gmail.com>

        [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
        https://bugs.webkit.org/show_bug.cgi?id=181182

        Reviewed by Darin Adler.

        * stress/big-int-prototype-to-string-cast-overflow.js: Added.
        * stress/big-int-prototype-to-string-exception.js: Added.
        * stress/big-int-prototype-to-string-wrong-values.js: Added.
        * stress/number-prototype-to-string-cast-overflow.js: Added.
        * stress/number-prototype-to-string-exception.js: Added.
        * stress/number-prototype-to-string-wrong-values.js: Added.

2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>

        Disable Atomics when SharedArrayBuffer isn’t enabled
        https://bugs.webkit.org/show_bug.cgi?id=181572

        Unreviewed test gardening.

        * test262.yaml: Skip tests that fail after this change.

2018-01-19  Saam Barati  <sbarati@apple.com>

        Kill ArithNegate's ArithProfile assert inside BytecodeParser
        https://bugs.webkit.org/show_bug.cgi?id=181877
        <rdar://problem/36630552>

        Reviewed by Mark Lam.

        * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
        (runNearStackLimit):
        (f1):
        (f2):
        (f3):
        (i.catch):
        (i.try.runNearStackLimit):
        (catch):

2018-01-19  Saam Barati  <sbarati@apple.com>

        Spread's effects are modeled incorrectly both in AI and in Clobberize
        https://bugs.webkit.org/show_bug.cgi?id=181867
        <rdar://problem/36290415>

        Reviewed by Michael Saboff.

        * stress/ai-needs-to-model-spreads-effects.js: Added.
        (try.p.Symbol.iterator):
        (try.go):
        (catch):
        * stress/clobberize-needs-to-model-spread-effects.js: Added.
        (assert):
        (foo):
        (a.Symbol.iterator):

2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, reduce count of iteration to fix timing out debug JSC test
        https://bugs.webkit.org/show_bug.cgi?id=181535

        * stress/inserted-recovery-with-set-last-index.js:

2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
        https://bugs.webkit.org/show_bug.cgi?id=181535

        Reviewed by Saam Barati.

        * stress/inserted-recovery-with-set-last-index.js: Added.
        (shouldBe):
        (foo):
        * stress/materialize-regexp-at-osr-exit.js: Added.
        (shouldBe):
        (test):
        * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
        (shouldBe):
        (test):
        * stress/materialize-regexp-cyclic-regexp.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/materialize-regexp-cyclic.js: Added.
        (shouldBe):
        (test):
        (i.switch):
        * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
        (bar):
        (foo):
        (test):
        * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
        (bar):
        (foo):
        (test):
        * stress/materialize-regexp.js: Added.
        (shouldBe):
        (test):
        * stress/phantom-regexp-regexp-exec.js: Added.
        (shouldBe):
        (test):
        * stress/phantom-regexp-string-match.js: Added.
        (shouldBe):
        (test):
        * stress/regexp-last-index-sinking.js: Added.
        (shouldBe):
        (test):

2018-01-17  Saam Barati  <sbarati@apple.com>

        Disable Atomics when SharedArrayBuffer isn’t enabled
        https://bugs.webkit.org/show_bug.cgi?id=181572
        <rdar://problem/36553206>

        Reviewed by Michael Saboff.

        * stress/isLockFree.js:

2018-01-17  Saam Barati  <sbarati@apple.com>

        DFG::Node::convertToConstant needs to clear the varargs flags
        https://bugs.webkit.org/show_bug.cgi?id=181697
        <rdar://problem/36497332>

        Reviewed by Yusuke Suzuki.

        * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
        (doIndexOf):
        (bar):
        (i.bar):

2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r226937.

        Tests added with this change are failing due to a missing
        exception check.

        Reverted changeset:

        "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
        double to int32_t"
        https://bugs.webkit.org/show_bug.cgi?id=181182
        https://trac.webkit.org/changeset/226937

2018-01-13  Caio Lima  <ticaiolima@gmail.com>

        [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
        https://bugs.webkit.org/show_bug.cgi?id=181182

        Reviewed by Darin Adler.

        * bigIntTests.yaml:
        * stress/big-int-constructor.js:
        * stress/big-int-prototype-to-string-cast-overflow.js: Added.
        (assert):
        (assertThrowRangeError):
        * stress/number-prototype-to-string-cast-overflow.js: Added.
        (assert):
        (assertThrowRangeError):

2018-01-12  Saam Barati  <sbarati@apple.com>

        CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
        https://bugs.webkit.org/show_bug.cgi?id=181177
        <rdar://problem/36205704>

        Reviewed by Yusuke Suzuki.

        * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
        (runNearStackLimit.t):
        (runNearStackLimit):
        (test.f):
        (test):

2018-01-12  Saam Barati  <sbarati@apple.com>

        Each variant of a polymorphic inlined call should be exitOK at the top of the block
        https://bugs.webkit.org/show_bug.cgi?id=181562
        <rdar://problem/36445624>

        Reviewed by Yusuke Suzuki.

        * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
        (f):
        (foo):

2018-01-11  Saam Barati  <sbarati@apple.com>

        When inserting Unreachable in byte code parser we need to flush all the right things
        https://bugs.webkit.org/show_bug.cgi?id=181509
        <rdar://problem/36423110>

        Reviewed by Mark Lam.

        * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.

2018-01-11  Saam Barati  <sbarati@apple.com>

        JITMathIC code in the FTL is wrong when code gets duplicated
        https://bugs.webkit.org/show_bug.cgi?id=181525
        <rdar://problem/36351993>

        Reviewed by Michael Saboff and Keith Miller.

        * stress/allow-math-ic-b3-code-duplication.js: Added.

2018-01-11  Saam Barati  <sbarati@apple.com>

        Our for-in caching is wrong when we add indexed properties on things in the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=181508

        Reviewed by Yusuke Suzuki.

        * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
        (assert):
        (test1.foo):
        (test1):
        (test2.foo):
        (test2):

2018-01-09  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
        https://bugs.webkit.org/show_bug.cgi?id=181388
        <rdar://problem/36349351>

        Reviewed by Saam Barati.

        * stress/regress-181388.js: Added.

2018-01-08  JF Bastien  <jfbastien@apple.com>

        WebAssembly: mask indexed accesses to Table
        https://bugs.webkit.org/show_bug.cgi?id=181412
        <rdar://problem/36363236>

        Reviewed by Saam Barati.

        Update error messages.

        * wasm/js-api/table.js:
        (assert.throws.WebAssembly.Table.prototype.grow):

2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>

        Disable SharedArrayBuffer tests missed in r226386.
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Unreviewed test gardening.

        * test262.yaml:

2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
        https://bugs.webkit.org/show_bug.cgi?id=181321

        Reviewed by Saam Barati.

        * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
        (shouldBe):
        (testFunction):
        * test262.yaml:

2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, attempt to fix test262 after r226386.

        * test262.yaml:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        In addition to these tests, map-set-cse.js and set-add-cse.js work.

        * stress/map-set-change-get.js: Added.
        (shouldBe):
        (test):
        * stress/map-set-create-bucket.js: Added.
        (shouldBe):
        (test):
        * stress/set-add-create-bucket.js: Added.
        (shouldBe):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Disabled SharedArrayBuffer tests.

        * stress/SharedArrayBuffer-opt.js:
        * stress/SharedArrayBuffer.js:
        * stress/array-buffer-byte-length.js:
        * stress/atomics-add-uint32.js:
        * stress/atomics-known-int-use.js:
        * stress/atomics-neg-zero.js:
        * stress/atomics-store-return.js:
        * stress/lars-sab-workers.js:
        * stress/regress-159779-1.js:
        * stress/regress-159779-2.js:
        * stress/regress-170473.js:
        * test262.yaml:

2018-01-03  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
        https://bugs.webkit.org/show_bug.cgi?id=181258

        Reviewed by Antonio Gomes.

        * stress/big-int-constructor-gc.js:
        * stress/big-int-constructor-oom.js:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * stress/inlining-unreachable.js: Added.
        (bar):
        (baz):
        (i.catch):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
        (ctor):
        (theFunc):
        (run):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        * bigIntTests.yaml:
        * stress/big-int-as-key.js: Added.
        * stress/big-int-constructor-gc.js: Added.
        * stress/big-int-constructor-oom.js: Added.
        * stress/big-int-constructor-properties.js: Added.
        * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
        * stress/big-int-constructor-prototype.js: Added.
        * stress/big-int-constructor.js: Added.
        * stress/big-int-function-apply.js:
        * stress/big-int-length.js: Added.
        * stress/big-int-prop-descriptor.js: Added.
        * stress/big-int-proto-constructor.js: Added.
        * stress/big-int-proto-name.js: Added.
        * stress/big-int-prototype-properties.js: Added.
        * stress/big-int-prototype-proto.js: Added.
        * stress/big-int-prototype-value-of.js: Added.
        * stress/big-int-prototype-symbol-to-string-tag.js: Added.
        * stress/big-int-prototype-to-string-apply.js: Added.
        * stress/big-int-to-object.js: Added.
        * stress/big-int-to-string.js: Added.

2017-12-28  Saam Barati  <sbarati@apple.com>

        Assertion used to determine if something is an async generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=181168
        <rdar://problem/35640560>

        Reviewed by Yusuke Suzuki.

        * stress/async-generator-assertion.js: Added.

2017-12-21  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/splay-flash-access tests on memory limited platforms
        https://bugs.webkit.org/show_bug.cgi?id=181086

        Reviewed by Carlos Alberto Lopez Perez.

        These tests use about 185M of memory, and occasionally get OOM-killed
        on memory limited platforms.

        * stress/splay-flash-access-1ms.js:
        * stress/splay-flash-access.js:

2017-12-21  Guillaume Emont  <guijemont@igalia.com>

        Skip slow jsc tests on embedded platforms
        https://bugs.webkit.org/show_bug.cgi?id=180937

        Reviewed by Carlos Alberto Lopez Perez.

        The tests typeProfiler/deltablue-for-of.js and
        typeProfiler/getter-richards.js take a very long time in the
        ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
        thus always timeout. They should be skipped on these platforms.

        * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
        * typeProfiler/getter-richards.js: Skip on arm*/mips.

2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not check isValid() in op_new_regexp
        https://bugs.webkit.org/show_bug.cgi?id=180970

        Reviewed by Saam Barati.

        * stress/regexp-syntax-error-invalid-flags.js: Added.
        (shouldThrow):

2017-12-18  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
        https://bugs.webkit.org/show_bug.cgi?id=180712

        Reviewed by Michael Catanzaro.

        stress/call-apply-exponential-bytecode-size.js crashes if the
        ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
        MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
        should skip the test on other platforms.

        * stress/call-apply-exponential-bytecode-size.js:

2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] NewArrayBuffer should be sinked if it is only used for spreading
        https://bugs.webkit.org/show_bug.cgi?id=179762

        Reviewed by Saam Barati.

        * stress/call-varargs-double-new-array-buffer.js: Added.
        (assert):
        (bar):
        (foo):
        * stress/call-varargs-spread-new-array-buffer.js: Added.
        (assert):
        (bar):
        (foo):
        * stress/call-varargs-spread-new-array-buffer2.js: Added.
        (assert):
        (bar):
        (foo):
        * stress/forward-varargs-double-new-array-buffer.js: Added.
        (assert):
        (test.baz):
        (test.bar):
        (test.foo):
        (test):
        * stress/new-array-buffer-sinking-osrexit.js: Added.
        (target):
        (test):
        * stress/new-array-with-spread-double-new-array-buffer.js: Added.
        (shouldBe):
        (test):
        * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
        (shouldBe):
        (target):
        (test):
        * stress/phantom-new-array-buffer-forward-varargs.js: Added.
        (assert):
        (test1.bar):
        (test1.foo):
        (test1):
        (test2.bar):
        (test2.foo):
        (test3.baz):
        (test3.bar):
        (test3.foo):
        (test4.baz):
        (test4.bar):
        (test4.foo):
        * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
        (assert):
        (test.baz):
        (test.bar):
        (test.foo):
        (test):
        * stress/phantom-new-array-buffer-osr-exit.js: Added.
        (assert):
        (baz):
        (bar):
        (effects):
        (foo):

2017-12-14  Saam Barati  <sbarati@apple.com>

        The CleanUp after LICM is erroneously removing a Check
        https://bugs.webkit.org/show_bug.cgi?id=180852
        <rdar://problem/36063494>

        Reviewed by Filip Pizlo.

        * stress/dont-run-cleanup-after-licm.js: Added.

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        New regression test.

        * stress/regress-180761.js: Added.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        Reviewed by Mark Lam.

        * stress/int16-put-by-val-in-and-out-of-bounds.js:
        (test):

2017-12-13  Saam Barati  <sbarati@apple.com>

        Arrow functions need their own structure because they have different properties than sloppy functions
        https://bugs.webkit.org/show_bug.cgi?id=180779
        <rdar://problem/35814591>

        Reviewed by Mark Lam.

        * stress/arrow-function-needs-its-own-structure.js: Added.
        (assert):
        (readPrototype):
        (noInline.let.f1):
        (noInline):

2017-12-13  Saam Barati  <sbarati@apple.com>

        Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
        https://bugs.webkit.org/show_bug.cgi?id=163579
        <rdar://problem/35455798>

        Reviewed by Mark Lam.

        * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
        (assert):
        (test1):
        (i.test1):
        (i.test1.C):
        (i.test1.async.foo):
        (i.test1.foo):
        (test2):

2017-12-13  Saam Barati  <sbarati@apple.com>

        TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
        https://bugs.webkit.org/show_bug.cgi?id=180734
        <rdar://problem/35640547>

        Reviewed by Yusuke Suzuki.

        * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
        (__isPropertyOfType):
        (__getProperties):
        (__getObjects):
        (__getRandomObject):
        (theClass.):
        (theClass):
        (childClass):
        (counter.catch):

2017-12-12  Saam Barati  <sbarati@apple.com>

        We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
        https://bugs.webkit.org/show_bug.cgi?id=180725
        <rdar://problem/35970511>

        Reviewed by Michael Saboff.

        * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
        (f1):
        (f2):
        (let.o2.valueOf):

2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement optimized WeakMap and WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=179929

        Reviewed by Saam Barati.

        * microbenchmarks/weak-map-key.js:
        * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
        (assert):
        (objectKey):
        (let.start.Date.now):
        * stress/basic-weakmap.js: Added.
        (shouldBe):
        (test):
        * stress/basic-weakset.js: Added.
        (shouldBe):
        (test.set new):
        * stress/weakmap-cse-set-break.js: Added.
        (shouldBe):
        (test):
        * stress/weakmap-cse.js: Added.
        (shouldBe):
        (test):
        * stress/weakmap-gc.js: Added.
        (test):
        * stress/weakset-cse-add-break.js: Added.
        (shouldBe):
        (test.set new):
        * stress/weakset-cse.js: Added.
        (shouldBe):
        (test.set new):
        * stress/weakset-gc.js: Added.
        (test.set add):
        (test.set new):
        (test):

2017-12-12  Saam Barati  <sbarati@apple.com>

        ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
        https://bugs.webkit.org/show_bug.cgi?id=180723
        <rdar://problem/35859726>

        Reviewed by JF Bastien.

        * stress/get-my-argument-by-val-constant-folding.js: Added.
        (test):
        (catch):

2017-12-12  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigInt literals and JSBigInt
        https://bugs.webkit.org/show_bug.cgi?id=179000

        Reviewed by Darin Adler and Yusuke Suzuki.

        * bigIntTests.yaml: Added.
        * stress/big-int-literal-line-terminator.js: Added.
        * stress/big-int-literals.js: Added.
        * stress/big-int-operations-error.js: Added.
        * stress/big-int-type-of.js: Added.
        * stress/big-int-white-space-trailing-leading.js: Added.
        * stress/big-int-function-apply.js: Added.

2017-12-11  Saam Barati  <sbarati@apple.com>

        We need to disableCaching() in ErrorInstance when we materialize properties
        https://bugs.webkit.org/show_bug.cgi?id=180343
        <rdar://problem/35833002>

        Reviewed by Mark Lam.

        * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
        (assert):
        (makeError):
        (storeToStack):
        (storeToStackAlreadyMaterialized):

2017-12-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: don't eagerly checksum
        https://bugs.webkit.org/show_bug.cgi?id=180441
        <rdar://problem/35156628>

        Reviewed by Saam Barati.

        Checksum is now disabled, so tests only have <?> as the module
        name.

        * wasm/function-tests/nameSection.js:
        * wasm/function-tests/stack-overflow.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
        (assertOverflows.assertThrows):
        (assertOverflows):
        * wasm/function-tests/stack-trace.js:

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Proxy all functions, except the $ objects
        https://bugs.webkit.org/show_bug.cgi?id=180375

        Reviewed by Saam Barati.

        It looks like this test may have broken some executions because I
        call some internal objects. Explicitly ignore objects whose name
        starts with "$" because it's a bad idea anyways.

        * stress/proxy-all-the-parameters.js:
        (generateObjects):
        (get throw):

2017-12-04  Saam Barati  <sbarati@apple.com>

        We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
        https://bugs.webkit.org/show_bug.cgi?id=180366
        <rdar://problem/35685877>

        Reviewed by Michael Saboff.

        * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
        (theParent):
        (test1.base.getParentStaticValue):
        (test1.base):
        (test1.__v_24888.prototype.set prop):
        (test1.__v_24888):
        (test2.base.getParentStaticValue):
        (test2.base):
        (test2.__v_24888.prototype.set prop):
        (test2.__v_24888):
        (test2):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        Try proxying all function arguments
        https://bugs.webkit.org/show_bug.cgi?id=180306

        Reviewed by Saam Barati.

        * stress/proxy-all-the-parameters.js: Added.
        (isPropertyOfType):
        (getProperties):
        (generateObjects):
        (getObjects):
        (getFunctions):
        (get throw):
        (let.o.of.getObjects.let.f.of.getFunctions.catch):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: missing exception checks in Math functions that take more than one argument
        https://bugs.webkit.org/show_bug.cgi?id=180297
        <rdar://problem/35745556>

        Reviewed by Mark Lam.

        * stress/math-exceptions.js: Added.
        (get try):
        (catch):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: add test for weird class static getters
        https://bugs.webkit.org/show_bug.cgi?id=180281
        <rdar://problem/35592139>

        Reviewed by Mark Lam.

        I fixed a bug for it in r224927 and didn't add a test. Do so.

        * stress/class-static-get-weird.js: Added.
        (c.prototype.get name):
        (c):
        (c.prototype.get arguments):
        (c.prototype.get caller):
        (c.prototype.get length):

2017-12-01  Saam Barati  <sbarati@apple.com>

        Having a bad time needs to handle ArrayClass indexing type as well
        https://bugs.webkit.org/show_bug.cgi?id=180274
        <rdar://problem/35667869>

        Reviewed by Keith Miller and Mark Lam.

        * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
        (assert):
        * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
        (assert):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: restore cached stack limit after out-call
        https://bugs.webkit.org/show_bug.cgi?id=179106
        <rdar://problem/35337525>

        Reviewed by Saam Barati.

        * wasm/function-tests/double-instance.js: Added.
        (const.imp.boom):
        (const.imp.get callAnother):

2017-11-30  JF Bastien  <jfbastien@apple.com>

        WebAssembly: improve stack trace
        https://bugs.webkit.org/show_bug.cgi?id=179343

        Reviewed by Saam Barati.

        Update the tests to follow the new format. Notably, SHA1 module
        hash is now included in traces, and stubs are properly identified.

        * wasm/assert.js: Add an assertion which matches regular expressions.
        * wasm/function-tests/nameSection.js:
        * wasm/function-tests/stack-overflow.js:
        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
        (assertOverflows.assertThrows.wasm.1):
        (assertOverflows.assertThrows.wasm.0):
        (assertOverflows.assertThrows):
        (assertOverflows):
        * wasm/function-tests/stack-trace.js:
        (import.Builder.from.string_appeared_here.assert): Deleted.
        * wasm/function-tests/trap-after-cross-instance-call.js:
        (wasmFrameCountFromError):
        * wasm/function-tests/trap-load-2.js:
        (wasmFrameCountFromError):
        * wasm/function-tests/trap-load.js:
        (wasmFrameCountFromError):

2017-11-30  Mark Lam  <mark.lam@apple.com>

        jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
        https://bugs.webkit.org/show_bug.cgi?id=180219
        <rdar://problem/35696536>

        Reviewed by Filip Pizlo.

        * stress/regress-180219.js: Added.

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
        https://bugs.webkit.org/show_bug.cgi?id=180190

        Reviewed by Mark Lam.

        * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-double-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
        (shouldBe):
        (test1):
        * stress/operation-in-may-have-negative-int32.js: Added.
        (shouldBe):
        (test2):
        * stress/operation-in-negative-int32-cast.js: Added.
        (shouldBe):
        (test1):

2017-11-28  JF Bastien  <jfbastien@apple.com>

        Strict and sloppy functions shouldn't share structure
        https://bugs.webkit.org/show_bug.cgi?id=180103
        <rdar://problem/35667847>

        Reviewed by Saam Barati.

        * stress/get-by-id-strict-arguments.js: Added. Used to not throw
        because the IC was wrong.
        (foo):
        (bar):
        (baz):
        (catch):
        * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
        in this patch, but may as well test odd strict mode corner cases.
        (bar):
        (baz):
        (catch):
        * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
        (foo):
        (bar):
        (baz):
        (catch):
        * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
        next file, but with invalidation of the FunctionExecutable's
        singletonFunction() to hit SpeculativeJIT::compileNewFunction's
        slower path.
        (foo):
        (bar.const.x):
        (bar.const.y):
        (bar):
        (catch):
        * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
        strict nesting works correctly.
        (foo):
        (bar.baz):
        (bar):
        * stress/strict-function-structure.js: Added. The test used to
        assert in objectProtoFuncHasOwnProperty.
        (foo):
        (bar):
        (baz):
        * stress/strict-nested-function-structure.js: Added. Nesting.
        (foo):
        (bar):
        (baz.boo):
        (baz):

2017-11-29  Robin Morisset  <rmorisset@apple.com>

        The recursive tail call optimisation is wrong on closures
        https://bugs.webkit.org/show_bug.cgi?id=179835

        Reviewed by Saam Barati.

        * stress/closure-recursive-tail-call.js: Added.
        (makeClosure):

2017-11-27  JF Bastien  <jfbastien@apple.com>

        JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=180051
        <rdar://problem/35614371>

        Reviewed by Saam Barati.

        * stress/rest-parameter-negative.js: Added.
        (__f_5484):
        (catch):
        (__f_5485):
        (__v_22598.catch):

2017-11-27  Saam Barati  <sbarati@apple.com>

        Spread can escape when CreateRest does not
        https://bugs.webkit.org/show_bug.cgi?id=180057
        <rdar://problem/35676119>

        Reviewed by JF Bastien.

        * stress/spread-escapes-but-create-rest-does-not.js: Added.
        (assert):
        (getProperties):
        (theFunc):
        (let.obj.valueOf):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add NormalizeMapKey DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=179912

        Reviewed by Saam Barati.

        * stress/map-untyped-normalize-cse.js: Added.
        (shouldBe):
        (test):
        * stress/map-untyped-normalize.js: Added.
        (shouldBe):
        (test):
        * stress/set-untyped-normalize-cse.js: Added.
        (shouldBe):
        (set return.set has.set has):
        * stress/set-untyped-normalize.js: Added.
        (shouldBe):
        (set return.set has):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support DeleteById and DeleteByVal
        https://bugs.webkit.org/show_bug.cgi?id=180022

        Reviewed by Saam Barati.

        * stress/delete-by-id.js: Added.
        (shouldBe):
        (test1):
        (test2):
        * stress/delete-by-val-ftl.js: Added.
        (shouldBe):
        (test1):
        (test2):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduce {Set,Map,WeakMap}Fields
        https://bugs.webkit.org/show_bug.cgi?id=179925

        Reviewed by Saam Barati.

        * stress/map-set-clobber-map-get.js: Added.
        (shouldBe):
        (test):
        * stress/map-set-does-not-clobber-set-has.js: Added.
        (shouldBe):
        * stress/map-set-does-not-clobber-weak-map-get.js: Added.
        (shouldBe):
        (test):
        * stress/set-add-clobber-set-has.js: Added.
        (shouldBe):
        * stress/set-add-does-not-clobber-map-get.js: Added.
        (shouldBe):

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Move unsafe jsc shell test functions to the $vm object.
        https://bugs.webkit.org/show_bug.cgi?id=179980

        Reviewed by Yusuke Suzuki.

        * controlFlowProfiler/driver/driver.js:
        * controlFlowProfiler/execution-count.js:
        * controlFlowProfiler/if-statement.js:
        * controlFlowProfiler/loop-statements.js:
        * controlFlowProfiler/switch-statements.js:
        * controlFlowProfiler/test-jit.js:
        * exceptionFuzz/3d-cube.js:
        * exceptionFuzz/date-format-xparb.js:
        * exceptionFuzz/earley-boyer.js:
        * heapProfiler/basic-edges.js:
        * heapProfiler/property-edge-types.js:
        * microbenchmarks/try-get-by-id-basic.js:
        * microbenchmarks/try-get-by-id-polymorphic.js:
        * modules/namespace-object-try-get.js:
        * stress/argument-count-bytecode.js:
        * stress/argument-intrinsic-basic.js:
        * stress/argument-intrinsic-inlining-use-caller-arg.js:
        * stress/argument-intrinsic-inlining-with-result-escape.js:
        * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
        * stress/argument-intrinsic-inlining-with-vararg.js:
        * stress/argument-intrinsic-nested-inlining.js:
        * stress/argument-intrinsic-not-convert-to-get-argument.js:
        * stress/argument-intrinsic-with-stack-write.js:
        * stress/arity-mismatch-get-argument.js:
        * stress/array-message-passing.js:
        * stress/array-push-with-force-exit.js:
        * stress/check-dom-with-signature.js:
        * stress/check-sub-class.js:
        * stress/compare-eq-incomplete-profile.js:
        * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
        * stress/do-eval-virtual-call-correctly.js:
        * stress/dom-jit-with-poly-proto.js:
        * stress/domjit-exception-ic.js:
        * stress/domjit-exception.js:
        * stress/domjit-getter-complex-with-incorrect-object.js:
        * stress/domjit-getter-complex.js:
        * stress/domjit-getter-poly.js:
        * stress/domjit-getter-proto.js:
        * stress/domjit-getter-super-poly.js:
        * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
        * stress/domjit-getter-type-check.js:
        * stress/domjit-getter.js:
        * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
        * stress/for-in-proxy-target-changed-structure.js:
        * stress/for-in-proxy.js:
        * stress/generational-opaque-roots.js:
        * stress/global-const-redeclaration-setting-2.js:
        * stress/global-const-redeclaration-setting-3.js:
        * stress/global-const-redeclaration-setting-4.js:
        * stress/global-const-redeclaration-setting-5.js:
        * stress/global-const-redeclaration-setting.js:
        * stress/import-basic.js:
        * stress/import-from-eval.js:
        * stress/import-reject-with-exception.js:
        * stress/import-syntax.js:
        * stress/impure-get-own-property-slot-inline-cache.js:
        * stress/is-constructor.js:
        * stress/istypedarrayview-intrinsic.js:
        * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
        * stress/jsc-test-functions-should-be-more-robust.js:
        * stress/object-toString-with-proxy.js:
        * stress/poly-proto-custom-value-and-accessor.js:
        * stress/proxy-inline-cache.js:
        * stress/re-execute-error-module.js:
        * stress/regress-150532.js:
        * stress/regress-156992.js:
        * stress/regress-179619.js:
        * stress/resources/shadow-chicken-support.js:
        * stress/runtime-array.js:
        * stress/sampling-profiler-microtasks.js:
        * stress/shadow-chicken-enabled.js:
        * stress/spread-correct-global-object-on-exception.js:
        * stress/super-get-by-id.js:
        * stress/tailCallForwardArguments.js:
        * stress/to-object-intrinsic-boolean-edge.js:
        * stress/to-object-intrinsic-null-or-undefined-edge.js:
        * stress/to-object-intrinsic-number-edge.js:
        * stress/to-object-intrinsic-object-edge.js:
        * stress/to-object-intrinsic-string-edge.js:
        * stress/to-object-intrinsic-symbol-edge.js:
        * stress/to-object-intrinsic.js:
        * stress/try-catch-custom-getter-as-get-by-id.js:
        * stress/try-get-by-id-poly-proto.js:
        * stress/try-get-by-id-should-spill-registers-dfg.js:
        * stress/try-get-by-id.js:
        * typeProfiler/arrow-functions.js:
        * typeProfiler/basic.js:
        * typeProfiler/captured.js:
        * typeProfiler/classes.js:
        * typeProfiler/dfg-jit-optimizations.js:
        * typeProfiler/dictionary-mode.js:
        * typeProfiler/es6-block-scoping.js:
        * typeProfiler/es6-classes.js:
        * typeProfiler/inheritance.js:
        * typeProfiler/int52-dfg.js:
        * typeProfiler/loop.js:
        * typeProfiler/optional-fields.js:
        * typeProfiler/overflow.js:
        * typeProfiler/return.js:
        * typeProfiler/symbol.js:
        * typeProfiler/weird-prototype-chain.js:

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support MapSet / SetAdd intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=179858

        Reviewed by Saam Barati.

        * microbenchmarks/map-has-and-set.js: Added.
        (test):
        * stress/map-set-check-failure.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/map-set-cse.js: Added.
        (shouldBe):
        (test):
        * stress/set-add-check-failure.js: Added.
        (shouldBe):
        (shouldThrow):
        (set shouldThrow):
        * stress/set-add-cse.js: Added.
        (shouldBe):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Allow poly proto for intrinsic getters
        https://bugs.webkit.org/show_bug.cgi?id=179550

        Reviewed by Saam Barati.

        This change is also tested by existing tests.

            1. stress/intrinsic-getter-with-poly-proto.js
            2. stress/poly-proto-intrinsic-getter-correctness.js

        * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):

2017-11-20  Guillaume Emont  <guijemont@igalia.com>

        Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
        https://bugs.webkit.org/show_bug.cgi?id=179744

        Reviewed by Michael Catanzaro.

        This test uses too much memory for our buildbots on these platforms
        and gets OOM-killed.

        * stress/unshiftCountSlowCase-correct-postCapacity.js:
        Skip if $memoryLimited and linux.

2017-11-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: throw when a promise can't be created
        https://bugs.webkit.org/show_bug.cgi?id=179826
        <rdar://problem/35455813>

        Reviewed by Mark Lam.

        Test WebAssembly.{compile,instantiate} where promise creation
        fails because of a stack overflow.

        * wasm/js-api/promise-stack-overflow.js: Added.
        (const.runNearStackLimit.f.const.t):
        (async.testCompile):
        (async.testInstantiate):

2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, mark regress-178385.js as memory exhausting

        * stress/regress-178385.js:

2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>

        Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.

        Unreviewed test gardening.

        * test262.yaml:

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
        https://bugs.webkit.org/show_bug.cgi?id=179763
        <rdar://problem/35550513>

        Reviewed by Keith Miller.

        Just adding a slightly cleaned-up version of the original fuzzer-found test.

        * stress/tdz-this-in-try-catch.js: Added.
        (__v_6388):
        (__v_6392):

2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support Array::DirectArguments with OutOfBounds
        https://bugs.webkit.org/show_bug.cgi?id=179594

        Reviewed by Saam Barati.

        * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
        (shouldBe):
        (args):
        * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
        (shouldBe):
        (args):

2017-11-14  Saam Barati  <sbarati@apple.com>

        We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=179639
        <rdar://problem/35513018>

        Reviewed by JF Bastien.

        * wasm/function-tests/grow-memory-cause-gc.js: Added.
        (escape):
        (i.func):

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Add more overflow check book-keeping for MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=179634
        <rdar://problem/35492517>

        Reviewed by Saam Barati.

        * stress/regress-179634.js: Added.

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell loadGetterFromGetterSetter() function more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179619
        <rdar://problem/35492518>

        Reviewed by Saam Barati.

        * stress/regress-179619.js: Added.

2017-11-12  Mark Lam  <mark.lam@apple.com>

        We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
        https://bugs.webkit.org/show_bug.cgi?id=179562
        <rdar://problem/35467022>

        Reviewed by Saam Barati.

        * regress-179562.js: Added.

2017-11-08  Saam Barati  <sbarati@apple.com>

        A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
        https://bugs.webkit.org/show_bug.cgi?id=177792

        Reviewed by Yusuke Suzuki.

        * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
        (assert):
        (foo.Foo.prototype.ensureX):
        (foo.Foo):
        (foo):
        (access):

2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>

        Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
        https://bugs.webkit.org/show_bug.cgi?id=178592

        Unreviewed test gardening.

        * test262.yaml:

2017-11-08  Robin Morisset  <rmorisset@apple.com>

        Turn recursive tail calls into loops
        https://bugs.webkit.org/show_bug.cgi?id=176601

        Reviewed by Saam Barati.

        Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.

        Add some simple test that computes factorial in several ways, and other trivial computations.
        They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
        Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
        I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
        (which it doesn't if that tail call is transformed into a loop in the unsound cases).

        * stress/inline-call-to-recursive-tail-call.js: Added.
        (factorial.aux):
        (factorial):
        (factorial2.aux2):
        (factorial2.id):
        (factorial2):
        (factorial3.aux3):
        (factorial3):
        (aux4):
        (factorial4):
        (foo):
        (auxBar):
        (bar):
        (test):

2017-11-07  Mark Lam  <mark.lam@apple.com>

        AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
        https://bugs.webkit.org/show_bug.cgi?id=179355
        <rdar://problem/35263053>

        Reviewed by Saam Barati.

        * stress/regress-179355.js: Added.

2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
        https://bugs.webkit.org/show_bug.cgi?id=144458

        Reviewed by Saam Barati.

        * microbenchmarks/dfg-internal-function-call.js: Added.
        (target):
        * microbenchmarks/dfg-internal-function-construct.js: Added.
        (target):
        * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
        (target):
        * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
        (target):
        * stress/dfg-internal-function-call.js: Added.
        (shouldBe):
        (target):
        * stress/dfg-internal-function-construct.js: Added.
        (shouldBe):
        (target):
        * stress/internal-function-call.js: Added.
        (shouldBe):
        * stress/internal-function-construct.js: Added.
        (shouldBe):

2017-11-05  Per Arne Vollan  <pvollan@apple.com>

        [Win] Skip stress/regress-178385.js.
        https://bugs.webkit.org/show_bug.cgi?id=179298

        Unreviewed test gardening.

        * stress/regress-178385.js:

2017-11-03  Keith Miller  <keith_miller@apple.com>

        Add test for ic with side effects
        https://bugs.webkit.org/show_bug.cgi?id=179268

        Reviewed by Saam Barati.

        * stress/put-inline-cache-side-effects.js: Added.
        (let.i.of.objs.keys):
        (f):

2017-11-03  Mark Lam  <mark.lam@apple.com>

        CachedCall (and its clients) needs overflow checks.
        https://bugs.webkit.org/show_bug.cgi?id=179185

        Reviewed by JF Bastien.

        * stress/regress-179185.js: Added.

2017-11-02  Michael Saboff  <msaboff@apple.com>

        DFG needs to handle code motion of code in for..in loop bodies
        https://bugs.webkit.org/show_bug.cgi?id=179212

        Reviewed by Keith Miller.

        New regression test.

        * stress/for-in-side-effects.js: Added.
        (getPrototypeOf):
        (reset):
        (testWithoutFTL.f):
        (testWithoutFTL):
        (testWithFTL.f):
        (testWithFTL):

2017-11-02  Filip Pizlo  <fpizlo@apple.com>

        AI does not correctly model the clobber case of ArithClz32
        https://bugs.webkit.org/show_bug.cgi?id=179188

        Reviewed by Michael Saboff.

        * stress/arith-clz32-effects.js: Added.
        (foo):
        (valueOf):

2017-11-01  Michael Saboff  <msaboff@apple.com>

        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
        https://bugs.webkit.org/show_bug.cgi?id=179140

        Reviewed by Saam Barati.

        New regression test.

        * stress/regress-179140.js: Added.
        (testWithoutFTL):
        (testWithFTL):

2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @toObject
        https://bugs.webkit.org/show_bug.cgi?id=178726

        Reviewed by Saam Barati.

        * stress/array-copywithin.js:
        (shouldThrow):
        * stress/object-constructor-boolean-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-global.js: Added.
        (shouldBe):
        * stress/object-constructor-null-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-number-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-object-edge.js: Added.
        (shouldBe):
        (test):
        (i.arg):
        * stress/object-constructor-string-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-symbol-edge.js: Added.
        (shouldBe):
        (test):
        * stress/object-constructor-undefined-edge.js: Added.
        (shouldBe):
        (test):
        * stress/symbol-array-from.js: Added.
        (shouldBe):
        * stress/to-object-intrinsic-boolean-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
        (shouldThrow):
        * stress/to-object-intrinsic-number-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic-object-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        (i.arg):
        * stress/to-object-intrinsic-string-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic-symbol-edge.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        * stress/to-object-intrinsic.js: Added.
        (shouldBe):
        (shouldThrow):
        (builtin.createBuiltin):

2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Introduce StringSlice
        https://bugs.webkit.org/show_bug.cgi?id=178934

        Reviewed by Saam Barati.

        * microbenchmarks/string-slice-empty.js: Added.
        (slice):
        * microbenchmarks/string-slice-one-char.js: Added.
        (slice):
        * microbenchmarks/string-slice.js: Added.
        (slice):

2017-10-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
        https://bugs.webkit.org/show_bug.cgi?id=178890

        Reviewed by Keith Miller.

        New regression test.

        * stress/regress-178890.js: Added.

2017-10-26  Mark Lam  <mark.lam@apple.com>

        JSRopeString::RopeBuilder::append() should check for overflows.
        https://bugs.webkit.org/show_bug.cgi?id=178385
        <rdar://problem/35027468>

        Reviewed by Saam Barati.

        * stress/regress-178385.js: Added.

2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r223961.

        The change that required this has been rolled out.

        Reverted changeset:

        "Mark test262.yaml/test262/test/language/statements/try/tco-
        catch.js as passing."
        https://bugs.webkit.org/show_bug.cgi?id=178592
        https://trac.webkit.org/changeset/223961

2017-10-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223691 and r223729.
        https://bugs.webkit.org/show_bug.cgi?id=178834

        Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
        by rniwa on #webkit).

        Reverted changesets:

        "Turn recursive tail calls into loops"
        https://bugs.webkit.org/show_bug.cgi?id=176601
        https://trac.webkit.org/changeset/223691

        "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
        comparison is always false due to limited range of data type
        [-Wtype-limits]"
        https://bugs.webkit.org/show_bug.cgi?id=178543
        https://trac.webkit.org/changeset/223729

2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>

        Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
        https://bugs.webkit.org/show_bug.cgi?id=178592

        Unreviewed test gardening.

        * test262.yaml:

2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support NewStringObject
        https://bugs.webkit.org/show_bug.cgi?id=178737

        Reviewed by Saam Barati.

        * stress/new-string-object.js: Added.
        (shouldBe):
        (test):

2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
        https://bugs.webkit.org/show_bug.cgi?id=178308

        Reviewed by Mark Lam.

        * test262.yaml:

2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use fastJoin in Array#toString
        https://bugs.webkit.org/show_bug.cgi?id=178062

        Reviewed by Darin Adler.

        * microbenchmarks/contiguous-array-to-string.js: Added.
        (target):
        * microbenchmarks/double-array-to-string.js: Added.
        (target):
        * microbenchmarks/int32-array-to-string.js: Added.
        (target):

2017-10-22  Zan Dobersek  <zdobersek@igalia.com>

        stress/check-string-ident.js is improperly skipped
        https://bugs.webkit.org/show_bug.cgi?id=178642

        Reviewed by Saam Barati.

        * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
        since it enforces the run-jsc-stress-tests script to still set up the
        test to run, despite the skip directive that's used before.

2017-10-20  Mark Lam  <mark.lam@apple.com>

        Add a test case for r214334.
        https://bugs.webkit.org/show_bug.cgi?id=169941
        <rdar://problem/31221258>

        Reviewed by JF Bastien.

        * stress/regress-169941.js: Added.

2017-10-19  JF Bastien  <jfbastien@apple.com>

        WebAssembly: no VM / JS version of everything but Instance
        https://bugs.webkit.org/show_bug.cgi?id=177473

        Reviewed by Filip Pizlo, Saam Barati.

        - Exceeding max on memory growth now returns a range error as per
        spec. This is a (very minor) breaking change: it used to throw OOM
        error. Update the corresponding test.

        * wasm/js-api/memory-grow.js:
        (assertEq):
        * wasm/js-api/table.js:
        (assert.throws):

2017-10-19  Mark Lam  <mark.lam@apple.com>

        Stringifier::appendStringifiedValue() is missing an exception check.
        https://bugs.webkit.org/show_bug.cgi?id=178386
        <rdar://problem/35027610>

        Reviewed by Saam Barati.

        * stress/regress-178386.js: Added.

2017-10-19  Michael Saboff  <msaboff@apple.com>

        Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
        https://bugs.webkit.org/show_bug.cgi?id=178521

        Reviewed by JF Bastien.

        * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
        now passes with the current version (5.0) of the Emoji spec.

2017-10-19  Robin Morisset  <rmorisset@apple.com>

        Turn recursive tail calls into loops
        https://bugs.webkit.org/show_bug.cgi?id=176601

        Reviewed by Saam Barati.

        Add some simple test that computes factorial in several ways, and other trivial computations.
        They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
        Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
        I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
        (which it doesn't if that tail call is transformed into a loop in the unsound cases).

        * stress/inline-call-to-recursive-tail-call.js: Added.
        (factorial.aux):
        (factorial):
        (factorial2.aux):
        (factorial2.id):
        (factorial2):
        (factorial3.aux):
        (factorial3):
        (aux):
        (factorial4):
        (test):

2017-10-18  Mark Lam  <mark.lam@apple.com>

        RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
        https://bugs.webkit.org/show_bug.cgi?id=177600
        <rdar://problem/34710985>

        Reviewed by Saam Barati.

        * stress/regress-177600.js: Added.

2017-10-18  Mark Lam  <mark.lam@apple.com>

        The compiler should always register a structure when it adds its transitionWatchPointSet.
        https://bugs.webkit.org/show_bug.cgi?id=178420
        <rdar://problem/34814024>

        Reviewed by Saam Barati and Filip Pizlo.

        * stress/regress-178420.js: Added.
        (new.Array.10000.map):

2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] __proto__ getter should be fast
        https://bugs.webkit.org/show_bug.cgi?id=178067

        Reviewed by Saam Barati.

        * stress/dfg-object-proto-accessor.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-proto-getter.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-reflect-get-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/intrinsic-getter-with-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-filtered.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        (i.Cocoa):
        * stress/object-get-prototype-of-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-proto-getter-filtered.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        (i.Cocoa):
        * stress/object-proto-getter-poly-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-proto-getter-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
        * stress/string-proto.js: Added.
        (shouldBe):
        (target):

2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r223523.

        A test for this change is failing on debug JSC bots.

        Reverted changeset:

        "[JSC] __proto__ getter should be fast"
        https://bugs.webkit.org/show_bug.cgi?id=178067
        https://trac.webkit.org/changeset/223523

2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] __proto__ getter should be fast
        https://bugs.webkit.org/show_bug.cgi?id=178067

        Reviewed by Saam Barati.

        * stress/dfg-object-proto-accessor.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-proto-getter.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-object-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/dfg-reflect-get-prototype-of.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        * stress/object-get-prototype-of-filtered.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        (i.Cocoa):
        * stress/object-get-prototype-of-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-get-prototype-of-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-proto-getter-filtered.js: Added.
        (shouldBe):
        (shouldThrow):
        (target):
        (i.Cocoa):
        * stress/object-proto-getter-poly-mono-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-proto-getter-poly-proto.js: Added.
        (shouldBe):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (target):
        * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
        * stress/string-proto.js: Added.
        (shouldBe):
        (target):

2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        Reland "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        * stress/uint32-comparison-jump.js: Added.
        (shouldBe):
        (above):
        (aboveOrEqual):
        (below):
        (belowOrEqual):
        (notAbove):
        (notAboveOrEqual):
        (notBelow):
        (notBelowOrEqual):
        * stress/uint32-comparison.js: Added.
        (shouldBe):
        (above):
        (aboveOrEqual):
        (below):
        (belowOrEqual):
        (aboveTest):
        (aboveOrEqualTest):
        (belowTest):
        (belowOrEqualTest):

2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
        https://bugs.webkit.org/show_bug.cgi?id=178210

        Reviewed by Saam Barati.

        * wasm/function-tests/trap-from-start-async.js:
        (async.StartTrapsAsync):
        * wasm/function-tests/trap-from-start.js:
        (StartTraps):
        * wasm/js-api/web-assembly-function.js:
        (assert.eq.Object.getPrototypeOf):
        * wasm/js-api/wrapper-function.js:
        (return.new.WebAssembly.Module):
        (assert.throws.makeInstance): Deleted.
        (assert.throws.Bar): Deleted.
        (assert.throws): Deleted.

2017-09-29  Filip Pizlo  <fpizlo@apple.com>

        Enable gigacage on iOS
        https://bugs.webkit.org/show_bug.cgi?id=177586

        Reviewed by JF Bastien.
        
        Add tests for when Gigacage gets runtime disabled.

        * stress/disable-gigacage-arrays.js: Added.
        (foo):
        * stress/disable-gigacage-strings.js: Added.
        (foo):
        * stress/disable-gigacage-typed-arrays.js: Added.
        (foo):

2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        import.meta should not be assignable
        https://bugs.webkit.org/show_bug.cgi?id=178202

        Reviewed by Saam Barati.

        * modules/import-meta-assignment.js: Added.
        (shouldThrow):
        (SyntaxError.import.meta.can.shouldThrow):

2017-10-11  Saam Barati  <sbarati@apple.com>

        Unreviewed. Actually skip certain type profiler tests in debug.

        * typeProfiler.yaml:
        * typeProfiler/deltablue-for-of.js:
        * typeProfiler/getter-richards.js:

2017-10-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223113 and r223121.
        https://bugs.webkit.org/show_bug.cgi?id=178182

        Reintroduced 20% regression on Kraken (Requested by rniwa on
        #webkit).

        Reverted changesets:

        "Enable gigacage on iOS"
        https://bugs.webkit.org/show_bug.cgi?id=177586
        https://trac.webkit.org/changeset/223113

        "Use one virtual allocation for all gigacages and their
        runways"
        https://bugs.webkit.org/show_bug.cgi?id=178050
        https://trac.webkit.org/changeset/223121

2017-10-11  Michael Saboff  <msaboff@apple.com>

        Disable test262 named capture group tests with direct unicode names and with references before definitions
        https://bugs.webkit.org/show_bug.cgi?id=178177

        Reviewed by Keith Miller.

        Bugs to track fixing these test are:
        https://bugs.webkit.org/show_bug.cgi?id=178174 -
            "Add support in named capture group identifiers for direct surrogate pairs"
        https://bugs.webkit.org/show_bug.cgi?id=178175 -
            "Test262 failure with Named Capture Groups - using a reference before the group is defined"

        * test262.yaml:

2017-10-11  Caio Lima  <ticaiolima@gmail.com>

        Object properties are undefined in super.call() but not in this.call()
        https://bugs.webkit.org/show_bug.cgi?id=177230

        Reviewed by Saam Barati.

        * stress/super-call-function-subclass.js: Added.
        (assert):
        (A.prototype.t):
        (A):
        * stress/super-dot-call-and-apply.js: Added.
        (assert):
        (A):
        (A.prototype.call):
        (A.prototype.apply):
        (B.prototype.testSuper):
        (B):
        (const.obj.new.B.string_appeared_here.obj.testSuper.C):
        (D.prototype.testSuper):
        (D):

2017-10-10  Saam Barati  <sbarati@apple.com>

        The prototype cache should be aware of the Executable it generates a Structure for
        https://bugs.webkit.org/show_bug.cgi?id=177907

        Reviewed by Filip Pizlo.

        * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
        (assert):
        (foo.C):
        (foo):
        (bar.C):
        (bar):
        (access):
        (makeLongChain):
        (accessY):

2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        `async` should be able to be used as an imported binding name
        https://bugs.webkit.org/show_bug.cgi?id=176573

        Reviewed by Saam Barati.

        * modules/import-default-async.js: Added.
        * modules/import-named-async-as.js: Added.
        * modules/import-named-async.js: Added.
        * modules/import-named-async/target.js: Added.
        * modules/import-namespace-async.js: Added.
        * test262.yaml:

2017-09-29  Filip Pizlo  <fpizlo@apple.com>

        Enable gigacage on iOS
        https://bugs.webkit.org/show_bug.cgi?id=177586

        Reviewed by JF Bastien.
        
        Add tests for when Gigacage gets runtime disabled.

        * stress/disable-gigacage-arrays.js: Added.
        (foo):
        * stress/disable-gigacage-strings.js: Added.
        (foo):
        * stress/disable-gigacage-typed-arrays.js: Added.
        (foo):

2017-10-09  Michael Saboff  <msaboff@apple.com>

        Implement RegExp Unicode property escapes
        https://bugs.webkit.org/show_bug.cgi?id=172069

        Reviewed by JF Bastien.

        Enabled Unicode Property tests.

        * test262.yaml:

2017-10-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r223015 and r223025.
        https://bugs.webkit.org/show_bug.cgi?id=178093

        Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
        #webkit).

        Reverted changesets:

        "Enable gigacage on iOS"
        https://bugs.webkit.org/show_bug.cgi?id=177586
        http://trac.webkit.org/changeset/223015

        "Unreviewed, disable Gigacage on ARM64 Linux"
        https://bugs.webkit.org/show_bug.cgi?id=177586
        http://trac.webkit.org/changeset/223025

2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>

        Update expectations for test262 tests that pass after r223043.
        https://bugs.webkit.org/show_bug.cgi?id=176685

        Unreviewed test gardening.

        * test262.yaml:

2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r223022.

        This change introduced 18 test262 failures.

        Reverted changeset:

        "`async` should be able to be used as an imported binding
        name"
        https://bugs.webkit.org/show_bug.cgi?id=176573
        http://trac.webkit.org/changeset/223022

2017-10-09  Saam Barati  <sbarati@apple.com>

        3 poly-proto JSC tests timing out on debug after r222827
        https://bugs.webkit.org/show_bug.cgi?id=177880
        <rdar://problem/34817122>

        Unreviewed.

        I'm skipping these type profiler tests on debug since they are long running.

        * typeProfiler/deltablue-for-of.js:
        * typeProfiler/getter-richards.js:

2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>

        Safari 10 /11 problem with if (!await get(something)).
        https://bugs.webkit.org/show_bug.cgi?id=176685

        Reviewed by Saam Barati.

        * stress/async-await-basic.js:
        (awaitEpression.async):
        * stress/async-await-syntax.js:
        (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
        (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):

2017-10-08  Saam Barati  <sbarati@apple.com>

        Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.

        * typeProfiler/deltablue-for-of.js:
        * typeProfiler/getter-richards.js:

2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        `async` should be able to be used as an imported binding name
        https://bugs.webkit.org/show_bug.cgi?id=176573

        Reviewed by Darin Adler.

        * modules/import-default-async.js: Added.
        * modules/import-named-async-as.js: Added.
        * modules/import-named-async.js: Added.
        * modules/import-named-async/target.js: Added.
        * modules/import-namespace-async.js: Added.

2017-09-29  Filip Pizlo  <fpizlo@apple.com>

        Enable gigacage on iOS
        https://bugs.webkit.org/show_bug.cgi?id=177586

        Reviewed by JF Bastien.
        
        Add tests for when Gigacage gets runtime disabled.

        * stress/disable-gigacage-arrays.js: Added.
        (foo):
        * stress/disable-gigacage-strings.js: Added.
        (foo):
        * stress/disable-gigacage-typed-arrays.js: Added.
        (foo):

2017-10-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222791 and r222873.
        https://bugs.webkit.org/show_bug.cgi?id=178031

        Caused crashes with workers/wasm LayoutTests (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "WebAssembly: no VM / JS version of everything but Instance"
        https://bugs.webkit.org/show_bug.cgi?id=177473
        http://trac.webkit.org/changeset/222791

        "WebAssembly: address no VM / JS follow-ups"
        https://bugs.webkit.org/show_bug.cgi?id=177887
        http://trac.webkit.org/changeset/222873

2017-10-05  Saam Barati  <sbarati@apple.com>

        Make sure all prototypes under poly proto get added into the VM's prototype map
        https://bugs.webkit.org/show_bug.cgi?id=177909

        Reviewed by Keith Miller.

        * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
        (assert):
        (foo.C):
        (foo):
        (set x):

2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce import.meta
        https://bugs.webkit.org/show_bug.cgi?id=177703

        Reviewed by Filip Pizlo.

        * modules/import-meta-syntax.js: Added.
        (shouldThrow):
        (shouldNotThrow):
        * modules/import-meta.js: Added.
        * modules/import-meta/cocoa.js: Added.
        * modules/resources/assert.js:
        (export.shouldNotThrow):
        * stress/import-syntax.js:

2017-10-04  Saam Barati  <sbarati@apple.com>

        Make pertinent AccessCases watch the poly proto watchpoint
        https://bugs.webkit.org/show_bug.cgi?id=177765

        Reviewed by Keith Miller.

        * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
        (assert):
        (foo.C):
        (foo):
        (validate):
        * stress/poly-proto-clear-stub.js: Added.
        (assert):
        (foo.C):
        (foo):

2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>

        Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.

        Unreviewed test gardening.

        * test262.yaml:

2017-10-04  Saam Barati  <sbarati@apple.com>

        3 poly-proto JSC tests timing out on debug after r222827
        https://bugs.webkit.org/show_bug.cgi?id=177880

        Rubber stamped by Mark Lam.

        * microbenchmarks/poly-proto-access.js:
        * typeProfiler/deltablue-for-of.js:
        * typeProfiler/getter-richards.js:

2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed, marking tco-catch.js as a failure after test262 update
        https://bugs.webkit.org/show_bug.cgi?id=177859

        * test262.yaml:

2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, marking one async iterator test262 test failed
        https://bugs.webkit.org/show_bug.cgi?id=177859

        * test262.yaml:

2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Test262] Update Test262 to Oct 4 version
        https://bugs.webkit.org/show_bug.cgi?id=177859

        Reviewed by Sam Weinig.

        Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
        we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.

        * test262.yaml:
        * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
        (checkSequence):
        * test262/harness/typeCoercion.js:
        (testCoercibleToIndexZero):
        (testCoercibleToIndexOne):
        (testCoercibleToIndexFromIndex):
        (testNotCoercibleToIndex.testPrimitiveValue):
        (testNotCoercibleToInteger):
        (testCoercibleToBigIntZero.testPrimitiveValue):
        (testCoercibleToBigIntZero):
        (testCoercibleToBigIntOne.testPrimitiveValue):
        (testCoercibleToBigIntOne):
        (testPrimitiveValue):
        (testCoercibleToBigIntFromBigInt):
        (testNotCoercibleToBigInt.testPrimitiveValue):
        (testNotCoercibleToBigInt.testStringValue):
        (testNotCoercibleToBigInt):
        * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
        * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
        * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
        * test262/test/built-ins/Array/proto-from-ctor-realm.js:
        * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
        * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
        * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
        * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
        * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
        * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
        * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
        * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
        * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
        * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
        * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
        * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
        (testCoercibleToBigIntZero):
        (testCoercibleToBigIntOne):
        (testNotCoercibleToBigInt):
        (MyError): Deleted.
        (valueOf): Deleted.
        (toString): Deleted.
        (Symbol.toPrimitive): Deleted.
        * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
        (testCoercibleToIndexZero):
        (testCoercibleToIndexOne):
        (testNotCoercibleToIndex):
        (MyError): Deleted.
        (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
        (assert.sameValue.BigInt.asIntN.toString): Deleted.
        (BigInt.asIntN.Symbol.toPrimitive): Deleted.
        (BigInt.asIntN.valueOf): Deleted.
        (BigInt.asIntN.toString): Deleted.
        * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
        * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
        * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
        (testCoercibleToBigIntZero):
        (testCoercibleToBigIntOne):
        (testNotCoercibleToBigInt):
        * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
        (testCoercibleToIndexZero):
        (testCoercibleToIndexOne):
        (testNotCoercibleToIndex):
        * test262/test/built-ins/BigInt/asUintN/length.js: Added.
        * test262/test/built-ins/BigInt/asUintN/name.js: Added.
        * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
        (bits.valueOf):
        (bigint.valueOf):
        * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
        * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
        * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
        * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
        * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
        * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
        * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
        * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
        * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
        * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
        * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
        * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
        * test262/test/built-ins/Error/proto-from-ctor-realm.js:
        * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
        * test262/test/built-ins/Function/call-bind-this-realm-value.js:
        * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
        * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
        * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
        * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
        * test262/test/built-ins/Function/proto-from-ctor-realm.js:
        * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
        * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
        * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
        * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
        (replacer):
        (BigInt.prototype.toJSON):
        * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
        (replacer):
        * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
        (BigInt.prototype.toJSON):
        * test262/test/built-ins/JSON/stringify/bigint.js:
        * test262/test/built-ins/Map/proto-from-ctor-realm.js:
        * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
        * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
        * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
        * test262/test/built-ins/Number/proto-from-ctor-realm.js:
        * test262/test/built-ins/Object/proto-from-ctor.js:
        * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
        * test262/test/built-ins/Proxy/apply/arguments-realm.js:
        * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/construct/arguments-realm.js:
        * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
        * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/get-fn-realm.js:
        * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
        * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
        * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
        * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
        * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
        (i6.replace):
        (i6b.replace):
        * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
        * test262/test/built-ins/RegExp/dotall/with-dotall.js:
        * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
        * test262/test/built-ins/RegExp/dotall/without-dotall.js:
        * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
        * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
        * test262/test/built-ins/RegExp/u180e.js: Added.
        * test262/test/built-ins/Set/proto-from-ctor-realm.js:
        * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
        * test262/test/built-ins/String/proto-from-ctor-realm.js:
        * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
        * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
        * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
        * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
        * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
        * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
        * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
        * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
        * test262/test/built-ins/String/prototype/endsWith/length.js:
        * test262/test/built-ins/String/prototype/endsWith/name.js:
        * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
        * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
        * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
        * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
        * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
        * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
        * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
        * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
        * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
        * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
        * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
        * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
        * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
        * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
        * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
        * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
        * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
        * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
        * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
        * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
        * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
        * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
        * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
        * test262/test/built-ins/String/prototype/includes/includes.js:
        * test262/test/built-ins/String/prototype/includes/length.js:
        * test262/test/built-ins/String/prototype/includes/name.js:
        * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
        * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
        * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
        * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
        * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
        * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
        * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
        * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
        * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
        * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
        * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
        * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
        * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
        * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
        * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
        * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
        * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
        * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
        * test262/test/built-ins/String/prototype/trim/u180e.js:
        * test262/test/built-ins/Symbol/for/cross-realm.js:
        * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
        * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
        * test262/test/built-ins/Symbol/iterator/cross-realm.js:
        * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
        * test262/test/built-ins/Symbol/match/cross-realm.js:
        * test262/test/built-ins/Symbol/replace/cross-realm.js:
        * test262/test/built-ins/Symbol/search/cross-realm.js:
        * test262/test/built-ins/Symbol/species/cross-realm.js:
        * test262/test/built-ins/Symbol/split/cross-realm.js:
        * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
        * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
        * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
        * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
        * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
        * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
        * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
        * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
        * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
        * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
        * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
        * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
        * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
        * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
        * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
        * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
        * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
        * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
        * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
        * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
        * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
        * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
        * test262/test/language/comments/mongolian-vowel-separator-multi.js:
        * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
        * test262/test/language/comments/mongolian-vowel-separator-single.js:
        * test262/test/language/eval-code/indirect/realm.js:
        * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
        (o.get z):
        (o.get a):
        * test262/test/language/expressions/call/eval-realm-indirect.js:
        * test262/test/language/expressions/generators/eval-body-proto-realm.js:
        * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
        * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
        * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
        * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
        * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
        * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
        * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
        * test262/test/language/expressions/greater-than/bigint-and-number.js:
        * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
        * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
        * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
        * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
        * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
        * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
        * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
        * test262/test/language/expressions/less-than/bigint-and-number.js:
        * test262/test/language/expressions/new/non-ctor-err-realm.js:
        * test262/test/language/expressions/super/realm.js:
        * test262/test/language/expressions/tagged-template/cache-realm.js:
        * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
        * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
        * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
        * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
        * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
        * test262/test/language/literals/string/mongolian-vowel-separator.js:
        * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
        (o.get z):
        (o.get a):
        * test262/test/language/statements/for-of/iterator-next-reference.js:
        (next):
        (iterator.next): Deleted.
        (x.of.iterable.): Deleted.
        (x.of.iterable.get return): Deleted.
        (x.of.iterable.iterator.next): Deleted.
        * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
        * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
        * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
        * test262/test/language/white-space/mongolian-vowel-separator.js:
        * test262/test262-Revision.txt:

2017-10-03  Saam Barati  <sbarati@apple.com>

        Implement polymorphic prototypes
        https://bugs.webkit.org/show_bug.cgi?id=176391

        Reviewed by Filip Pizlo.

        * microbenchmarks/poly-proto-access.js: Added.
        (assert):
        (foo.C):
        (foo.C.prototype.get bar):
        (foo):
        (bar):
        * microbenchmarks/poly-proto-put-transition-speed.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (performSet):
        * microbenchmarks/poly-proto-setter-speed.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo.C.prototype.set p):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (performSet):
        * stress/constructor-with-return.js:
        (i.tests.forEach.Constructor):
        (i.tests.forEach):
        (tests.forEach.Constructor): Deleted.
        (tests.forEach): Deleted.
        * stress/dom-jit-with-poly-proto.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (validate):
        * stress/poly-proto-custom-value-and-accessor.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (items.forEach):
        (set get for):
        * stress/poly-proto-intrinsic-getter-correctness.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (foo):
        * stress/poly-proto-miss.js: Added.
        (makePolyProtoInstanceWithNullPrototype.foo.C):
        (makePolyProtoInstanceWithNullPrototype.foo):
        (makePolyProtoInstanceWithNullPrototype):
        (assert):
        (validate):
        * stress/poly-proto-op-in-caching.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (validate):
        (validate2):
        * stress/poly-proto-put-transition.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (performSet):
        (i.obj.__proto__.set p):
        * stress/poly-proto-set-prototype.js: Added.
        (assert):
        (let.alternateProto.get x):
        (let.alternateProto2.get y):
        (let.alternateProto2.get x):
        (foo.C):
        (foo):
        (validate):
        * stress/poly-proto-setter.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo.C.prototype.set p):
        (makePolyProtoObject.foo.C.prototype.get p):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (performSet):
        * stress/poly-proto-using-inheritance.js: Added.
        (assert):
        (foo.C):
        (foo.C.prototype.get baz):
        (foo):
        (bar.C):
        (bar):
        (validate):
        * stress/primitive-poly-proto.js: Added.
        (makePolyProtoInstance.foo.C):
        (makePolyProtoInstance.foo):
        (makePolyProtoInstance):
        (assert):
        (validate):
        * stress/prototype-is-not-js-object.js: Added.
        (foo.bar):
        (foo):
        (assert):
        (validate):
        * stress/try-get-by-id-poly-proto.js: Added.
        (assert):
        (makePolyProtoObject.foo.C):
        (makePolyProtoObject.foo):
        (makePolyProtoObject):
        (tryGetByIdText):
        (x.__proto__.get bar):
        (validate):
        * typeProfiler/overflow.js:

2017-10-03  JF Bastien  <jfbastien@apple.com>

        WebAssembly: no VM / JS version of everything but Instance
        https://bugs.webkit.org/show_bug.cgi?id=177473

        Reviewed by Filip Pizlo.

        - Exceeding max on memory growth now returns a range error as per
        spec. This is a (very minor) breaking change: it used to throw OOM
        error. Update the corresponding test.

        * wasm/js-api/memory-grow.js:
        (assertEq):
        * wasm/js-api/table.js:
        (assert.throws):

2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>

        Skip JSC test stress/regress-159779-2.js on debug.
        https://bugs.webkit.org/show_bug.cgi?id=177204

        Unreviewed test gardening.

        * stress/regress-159779-2.js:

2017-10-02  Caio Lima  <ticaiolima@gmail.com>

        ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
        https://bugs.webkit.org/show_bug.cgi?id=175642

        Reviewed by Darin Adler.

        * ChakraCore/test/Function/apply3.baseline-jsc:

2017-10-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222564.
        https://bugs.webkit.org/show_bug.cgi?id=177720

        "It regressed JetStream by 2% on iOS caused by a 50%
        regression on the bigfib subtest" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281
        http://trac.webkit.org/changeset/222564

2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Support ArrayPush with multiple args
        https://bugs.webkit.org/show_bug.cgi?id=175823

        Reviewed by Saam Barati.

        * microbenchmarks/array-push-0.js: Added.
        (arrayPush0):
        * microbenchmarks/array-push-1.js: Added.
        (arrayPush1):
        * microbenchmarks/array-push-2.js: Added.
        (arrayPush2):
        * microbenchmarks/array-push-3.js: Added.
        (arrayPush3):
        * stress/array-push-multiple-contiguous.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-double-nan.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-double.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-int32.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-contiguous.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-double.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-int32.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-storage.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-storage.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-with-force-exit.js: Added.
        (target.createBuiltin):

2017-09-29  Saam Barati  <sbarati@apple.com>

        Custom GetterSetterAccessCase does not use the correct slotBase when making call
        https://bugs.webkit.org/show_bug.cgi?id=177639

        Reviewed by Geoffrey Garen.

        * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
        (assert):
        (Class):
        (items.forEach):
        (set get for):

2017-09-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222563, r222565, and r222581.
        https://bugs.webkit.org/show_bug.cgi?id=177675

        "It causes a crash when playing youtube videos" (Requested by
        saamyjoon on #webkit).

        Reverted changesets:

        "[DFG] Support ArrayPush with multiple args"
        https://bugs.webkit.org/show_bug.cgi?id=175823
        http://trac.webkit.org/changeset/222563

        "Unreviewed, build fix after r222563"
        https://bugs.webkit.org/show_bug.cgi?id=175823
        http://trac.webkit.org/changeset/222565

        "Unreviewed, fix x86 breaking due to exhausted registers"
        https://bugs.webkit.org/show_bug.cgi?id=175823
        http://trac.webkit.org/changeset/222581

2017-09-28  Mark Lam  <mark.lam@apple.com>

        test262: Unexpected passes after r222617 and r222618.
        https://bugs.webkit.org/show_bug.cgi?id=177622
        <rdar://problem/34725960>

        Reviewed by Saam Barati.

        Update test262.yaml for tests that are now passing.

        * test262.yaml:

2017-09-27  Michael Saboff  <msaboff@apple.com>

        REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
        https://bugs.webkit.org/show_bug.cgi?id=177570

        Reviewed by Filip Pizlo.

        New regression test.

        * stress/regress-177570.js: Added.

2017-09-28  Michael Saboff  <msaboff@apple.com>

        Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
        https://bugs.webkit.org/show_bug.cgi?id=177423

        Reviewed by Mark Lam.

        Updated regression test.

        * stress/regress-177423.js:
        (catch):

2017-09-27  Mark Lam  <mark.lam@apple.com>

        JSArray::canFastCopy() should fail if the source and destination arrays are the same.
        https://bugs.webkit.org/show_bug.cgi?id=177584
        <rdar://problem/34463903>

        Reviewed by Saam Barati.

        * stress/regress-177584.js: Added.
        (assertEqual):
        (Array.prototype.Symbol.species):

2017-09-27  Saam Barati  <sbarati@apple.com>

        Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
        https://bugs.webkit.org/show_bug.cgi?id=177523

        Reviewed by Mark Lam.

        * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
        (assert):
        (Test):
        (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
        (addMethods):
        (i.Test.prototype.propName):

2017-09-27  Mark Lam  <mark.lam@apple.com>

        Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
        https://bugs.webkit.org/show_bug.cgi?id=177423
        <rdar://problem/34621320>

        Reviewed by Keith Miller.

        * stress/regress-177423.js: Added.

2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        * stress/uint32-comparison-jump.js: Added.
        (shouldBe):
        (above):
        (aboveOrEqual):
        (below):
        (belowOrEqual):
        (notAbove):
        (notAboveOrEqual):
        (notBelow):
        (notBelowOrEqual):
        * stress/uint32-comparison.js: Added.
        (shouldBe):
        (above):
        (aboveOrEqual):
        (below):
        (belowOrEqual):
        (aboveTest):
        (aboveOrEqualTest):
        (belowTest):
        (belowOrEqualTest):

2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Support ArrayPush with multiple args
        https://bugs.webkit.org/show_bug.cgi?id=175823

        Reviewed by Saam Barati.

        * microbenchmarks/array-push-0.js: Added.
        (arrayPush0):
        * microbenchmarks/array-push-1.js: Added.
        (arrayPush1):
        * microbenchmarks/array-push-2.js: Added.
        (arrayPush2):
        * microbenchmarks/array-push-3.js: Added.
        (arrayPush3):
        * stress/array-push-multiple-contiguous.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-double-nan.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-double.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-int32.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-contiguous.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-double.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-int32.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-many-storage.js: Added.
        (shouldBe):
        (test):
        * stress/array-push-multiple-storage.js: Added.
        (shouldBe):
        (test):

2017-09-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222518.
        https://bugs.webkit.org/show_bug.cgi?id=177507

        Break the High Sierra build (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "Add Above/Below comparisons for UInt32 patterns"
        https://bugs.webkit.org/show_bug.cgi?id=177281
        http://trac.webkit.org/changeset/222518

2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add Above/Below comparisons for UInt32 patterns
        https://bugs.webkit.org/show_bug.cgi?id=177281

        Reviewed by Saam Barati.

        * stress/uint32-comparison-jump.js: Added.
        (shouldBe):
        (above):
        (aboveOrEqual):
        (below):
        (belowOrEqual):
        (notAbove):
        (notAboveOrEqual):
        (notBelow):
        (notBelowOrEqual):
        * stress/uint32-comparison.js: Added.
        (shouldBe):
        (above):
        (aboveOrEqual):
        (below):
        (belowOrEqual):
        (aboveTest):
        (aboveOrEqualTest):
        (belowTest):
        (belowOrEqualTest):

2017-09-23  Keith Miller  <keith_miller@apple.com>

        Fix infinite looping test262 test
        https://bugs.webkit.org/show_bug.cgi?id=177412

        Reviewed by Yusuke Suzuki.

        This test was poorly designed since failing it would cause the vm
        to inifinite loop. I've fixed it locally and will fix it on github pending
        the results of next weeks tc39 meeting.

        * test262.yaml:
        * test262/test/language/statements/for-of/iterator-next-reference.js:

2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>

        test262: $.agent became $262.agent in test262 update
        https://bugs.webkit.org/show_bug.cgi?id=177407

        Reviewed by Yusuke Suzuki.

        * test262.yaml:
        ~320 tests pass now that we correctly make $262 available.

2017-09-22  Keith Miller  <keith_miller@apple.com>

        Speculatively change iteration protocall to use the same next function
        https://bugs.webkit.org/show_bug.cgi?id=175653

        Reviewed by Saam Barati.

        Change test to match the new iteration behavior.

        * stress/spread-optimized-properly.js:

2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Profile array vector length for array allocation
        https://bugs.webkit.org/show_bug.cgi?id=177051

        Reviewed by Saam Barati.

        * microbenchmarks/new-array-buffer-vector-profile.js: Added.
        (target):

2017-09-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r222380.
        https://bugs.webkit.org/show_bug.cgi?id=177352

        Octane/box2d shows 8% regression (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[DFG][FTL] Profile array vector length for array allocation"
        https://bugs.webkit.org/show_bug.cgi?id=177051
        http://trac.webkit.org/changeset/222380

2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Profile array vector length for array allocation
        https://bugs.webkit.org/show_bug.cgi?id=177051

        Reviewed by Saam Barati.

        * microbenchmarks/new-array-buffer-vector-profile.js: Added.
        (target):

2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>

        Skip new hanging test262 tests.
        https://bugs.webkit.org/show_bug.cgi?id=177326

        Unreviewed test gardening.

        * test262.yaml:

2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>

        Mark 6 test262 tests as passing.
        https://bugs.webkit.org/show_bug.cgi?id=177307

        Unreviewed test gardening.

        * test262.yaml:

2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed follow-up to r222311.

        * test262/harness/sta.js:
        * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
        * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
        * test262/test/built-ins/Array/from/calling-from-valid-2.js:
        * test262/test/built-ins/Array/from/elements-added-after.js:
        * test262/test/built-ins/Array/from/elements-deleted-after.js:
        * test262/test/built-ins/Array/from/elements-updated-after.js:
        * test262/test/built-ins/Array/from/from-array.js:
        * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
        * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
        * test262/test/built-ins/Array/from/source-array-boundary.js:
        * test262/test/built-ins/Array/from/source-object-constructor.js:
        * test262/test/built-ins/Array/from/source-object-iterator-1.js:
        * test262/test/built-ins/Array/from/source-object-iterator-2.js:
        * test262/test/built-ins/Array/from/source-object-length.js:
        * test262/test/built-ins/Array/from/source-object-missing.js:
        * test262/test/built-ins/Array/from/source-object-without.js:
        * test262/test/built-ins/Array/from/this-null.js:
        * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
        * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
        * test262/test/language/literals/numeric/7.8.3-1gs.js:
        * test262/test/language/literals/numeric/7.8.3-2gs.js:
        * test262/test/language/literals/numeric/7.8.3-3gs.js:
        * test262/test/language/literals/regexp/7.8.5-1gs.js:
        * test262/test/language/literals/string/7.8.4-1gs.js:
        Fix some files that I failed to update when I applied my patch.

2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>

        Update test262 tests
        https://bugs.webkit.org/show_bug.cgi?id=177220

        Reviewed by Saam Barati and Yusuke Suzuki.

        * test262.yaml:
        * test262/test262-Revision.txt:
        New rebaselined expectations for all tests.

        * test262/*:
        Updated.

2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove ToThis more aggressively
        https://bugs.webkit.org/show_bug.cgi?id=177056

        Reviewed by Saam Barati.

        * stress/generator-with-this-strict.js: Added.
        (shouldBe):
        (generator):
        (target):
        * stress/generator-with-this.js: Added.
        (shouldBe):
        (generator):
        (target):

2017-09-17  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=177038
        Add an option to run-jsc-stress-tests to limit tests variations to a basic set

        Reviewed by JF Bastien.

        * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
        as it dies using too much memory.

2017-09-15  Saam Barati  <sbarati@apple.com>

        Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
        https://bugs.webkit.org/show_bug.cgi?id=176981

        Reviewed by Yusuke Suzuki.

        * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
        (assert):
        (verify):
        (func):
        (const.bar.createBuiltin):

2017-09-14  Saam Barati  <sbarati@apple.com>

        It should be valid to exit before each set when doing arity fixup when inlining
        https://bugs.webkit.org/show_bug.cgi?id=176948

        Reviewed by Keith Miller.

        * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
        (baz):
        (bar):
        (foo):

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
        https://bugs.webkit.org/show_bug.cgi?id=176867

        Reviewed by Sam Weinig.

        * microbenchmarks/object-get-own-property-symbols.js: Added.
        (test):

2017-09-13  Mark Lam  <mark.lam@apple.com>

        Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
        https://bugs.webkit.org/show_bug.cgi?id=176888
        <rdar://problem/34381832>

        Not reviewed.

        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:

2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>

        Skip 3 op_mod tests on Debug JSC bots.
        https://bugs.webkit.org/show_bug.cgi?id=176630

        Unreviewed test gardening.

        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix Array allocation in Object.keys
        https://bugs.webkit.org/show_bug.cgi?id=176826

        Reviewed by Saam Barati.

        * stress/object-own-property-keys.js: Added.
        (shouldBe):

2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Optimize WeakMap::get by adding intrinsic and fixup
        https://bugs.webkit.org/show_bug.cgi?id=176010

        Reviewed by Filip Pizlo.

        * microbenchmarks/weak-map-key.js: Added.
        (assert):
        (objectKey):
        (let.start.Date.now):

2017-09-12  Mark Lam  <mark.lam@apple.com>

        REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
        https://bugs.webkit.org/show_bug.cgi?id=176630

        Reviewed by JF Bastien.

        Debug builds are just slow, and these tests do a lot.  They pass when I run them
        locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
        a speculative fix for the bots that are seeing these fail.

        I also undid the skipping of the op_mod tests for debug builds.

        * stress/op_div-ConstVar.js:
        * stress/op_div-VarConst.js:
        * stress/op_div-VarVar.js:
        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:

2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>

        Skip stress/value-to-boolean.js on Debug bots.
        https://bugs.webkit.org/show_bug.cgi?id=176787

        Unreviewed test gardening.

        * stress/value-to-boolean.js:

2017-09-11  Mark Lam  <mark.lam@apple.com>

        Change test expectation for test262/test/language/statements/try/tco-catch.js
        https://bugs.webkit.org/show_bug.cgi?id=176749

        Rubber stamped by Keith Miller.

        It's been failing since at least r221821.  I'm changing the test expectation to
        fail to green the bots while I investigate some more.

        * test262.yaml:

2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221854.

        The test added with this change fails on 32-bit JSC bots.

        Reverted changeset:

        "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
        https://bugs.webkit.org/show_bug.cgi?id=176010
        http://trac.webkit.org/changeset/221854

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Optimize WeakMap::get by adding intrinsic and fixup
        https://bugs.webkit.org/show_bug.cgi?id=176010

        Reviewed by Filip Pizlo.

        * microbenchmarks/weak-map-key.js: Added.
        (assert):
        (objectKey):
        (let.start.Date.now):

2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize Object.keys by using careful array allocation
        https://bugs.webkit.org/show_bug.cgi?id=176654

        Reviewed by Darin Adler.

        * microbenchmarks/object-keys.js: Added.
        (test):

2017-09-09  Filip Pizlo  <fpizlo@apple.com>

        Error should compute .stack and friends lazily
        https://bugs.webkit.org/show_bug.cgi?id=176645

        Reviewed by Saam Barati.

        * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
        * microbenchmarks/new-error.js: Added.
        * microbenchmarks/throw.js: Added.

2017-09-09  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Use JIT probes for DFG OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=175144
        <rdar://problem/33437050>

        Not reviewed.  Original patch reviewed by Saam Barati.

        Disable these tests for debug builds because they run too slow with the new OSR exit.

        * stress/op_mod-ConstVar.js:
        * stress/op_mod-VarConst.js:
        * stress/op_mod-VarVar.js:

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] NewArrayWithSize(size)'s size does not care negative zero
        https://bugs.webkit.org/show_bug.cgi?id=176300

        Reviewed by Saam Barati.

        * stress/new-array-with-size-div.js: Added.
        (shouldBe):
        (test):
        (i.i):

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] PutByVal with Array::Generic is too generic
        https://bugs.webkit.org/show_bug.cgi?id=176345

        Reviewed by Filip Pizlo.

        * stress/object-assign-symbols.js: Added.
        (shouldBe):
        (test):
        * stress/object-assign.js: Added.
        (shouldBe):
        (test):
        (i.shouldBe.JSON.stringify.test):

2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
        https://bugs.webkit.org/show_bug.cgi?id=176590

        Reviewed by Saam Barati.

        * microbenchmarks/object-iterate-symbols.js: Added.
        (test):
        * microbenchmarks/object-iterate.js: Added.
        (test):
        * stress/object-iterate-symbols.js: Added.
        (shouldBe):
        (test):
        * stress/object-iterate.js: Added.
        (shouldBe):
        (test):

2017-09-07  Per Arne Vollan  <pvollan@apple.com>

        [Win32] 10 JSC stress tests are failing.
        https://bugs.webkit.org/show_bug.cgi?id=176538

        Reviewed by Mark Lam.

        Skip tests on Windows to make the bots green.

        * ChakraCore.yaml:
        * stress/date-relaxed.js:

2017-09-06  Mark Lam  <mark.lam@apple.com>

        constructGenericTypedArrayViewWithArguments() is missing an exception check.
        https://bugs.webkit.org/show_bug.cgi?id=176485
        <rdar://problem/33898874>

        Reviewed by Keith Miller.

        * stress/regress-176485.js: Added.

2017-09-05  Saam Barati  <sbarati@apple.com>

        isNotCellSpeculation is wrong with respect to SpecEmpty
        https://bugs.webkit.org/show_bug.cgi?id=176429

        Reviewed by Michael Saboff.

        * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
        (Foo):

2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>

        test262: Completion values for control flow do not match the spec
        https://bugs.webkit.org/show_bug.cgi?id=171265

        Reviewed by Saam Barati.

        * stress/completion-value.js:
        Condensed test for completion values in top level statements.

        * stress/super-get-by-id.js:
        ClassDeclaration when evaled no longer produce values. Convert
        these to ClassExpressions so they produce the class value.
        
        * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
        This is a progression for currect spec behavior.

        * mozilla/mozilla-tests.yaml:
        This test is now outdated, so mark it as failing for that reason.

        * test262.yaml:
        Passing all "cptn" completion value tests.

2017-09-04  Saam Barati  <sbarati@apple.com>

        typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=176317

        Reviewed by Keith Miller.

        * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
        (Foo):

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Efficiently execute number#toString()
        https://bugs.webkit.org/show_bug.cgi?id=170007

        Reviewed by Keith Miller.

        * microbenchmarks/number-to-string-strength-reduction.js: Added.
        (test):
        * microbenchmarks/number-to-string-with-radix-10.js: Added.
        (test):
        * microbenchmarks/number-to-string-with-radix-cse.js: Added.
        (test):
        * microbenchmarks/number-to-string-with-radix.js: Added.
        (test):
        * stress/number-to-string-strength-reduction.js: Added.
        (shouldBe):
        (test):
        * stress/number-to-string-with-radix-10.js: Added.
        (shouldBe):
        (test):
        * stress/number-to-string-with-radix-cse.js: Added.
        (shouldBe):
        (test):
        * stress/number-to-string-with-radix-invalid.js: Added.
        (shouldThrow):
        * stress/number-to-string-with-radix-watchpoint.js: Added.
        (shouldBe):
        (test):
        (i.i.1e3.Number.prototype.toString):
        * stress/number-to-string-with-radix.js: Added.
        (shouldBe):
        (test):

2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Relax arity requirement
        https://bugs.webkit.org/show_bug.cgi?id=175523

        Reviewed by Saam Barati.

        * stress/arity-mismatch-arguments-length.js: Added.
        (shouldBe):
        (test1):
        (test):
        * stress/arity-mismatch-get-argument.js: Added.
        (shouldBe):
        (builtin.createBuiltin):
        (test):
        * stress/arity-mismatch-inlining-extra-slots.js: Added.
        (shouldBe):
        (inlineTarget):
        (test):
        * stress/arity-mismatch-inlining.js: Added.
        (shouldBe):
        (inlineTarget):
        (test):
        * stress/arity-mismatch-rest.js: Added.
        (shouldBe):
        (test2):
        (test1):
        (test):

2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix "name" and "length" of Proxy revoke function
        https://bugs.webkit.org/show_bug.cgi?id=176155

        Reviewed by Mark Lam.

        * test262.yaml:

2017-08-31  Saam Barati  <sbarati@apple.com>

        Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
        https://bugs.webkit.org/show_bug.cgi?id=176206

        Reviewed by Keith Miller.

        * stress/compare-semantic-origin-op-negate-method-of-getting-a-value-profile.js: Added.
        (a):
        (b):
        (foo):

2017-08-31  Ryan Haddad  <ryanhaddad@apple.com>

        Skip two slow JSC tests after r221422.

        Unreviewed test gardening.

        * stress/regexp-prototype-match-on-too-long-rope.js:
        * stress/regexp-prototype-test-on-too-long-rope.js:

2017-08-31  Filip Pizlo  <fpizlo@apple.com>