c02f9330ec7bd4b0470ad85f62ff39b472d267b8
[WebKit-https.git] / JSTests / ChangeLog
1 2018-02-02  Saam Barati  <sbarati@apple.com>
2
3         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
4         https://bugs.webkit.org/show_bug.cgi?id=182368
5         <rdar://problem/36932466>
6
7         Reviewed by Mark Lam.
8
9         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
10         (runNearStackLimit.t):
11         (runNearStackLimit):
12         (try.runNearStackLimit):
13         (catch):
14
15 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
16
17         Update test262 to Jan 30 version
18         https://bugs.webkit.org/show_bug.cgi?id=182288
19
20         Rubber stamped by Saam Barati.
21
22         This patch updates test262 to the latest one, Jan 30 version.
23         Since added and changed files are too many, we cannot create ChangeLog.
24         The following files are changed.
25
26         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
27         including some special line terminators (like u2028, u2029).
28
29         * test262.yaml:
30         * test262/test262-Revision.txt:
31         * test262/*:
32
33 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
34
35         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
36         https://bugs.webkit.org/show_bug.cgi?id=182411
37
38         Reviewed by Carlos Alberto Lopez Perez.
39
40         This is skipped only on arm memory limited platforms. Until recently
41         it was not a problem on MIPS as the butterfly was not initialized. But
42         since r227435, the butterfly is initialized in that test and therefore
43         memory is allocated, and the test typically takes around 512M, which
44         means it generally gets OOM-killed on the MIPS buildbot.
45
46         * mozilla/mozilla-tests.yaml:
47
48 2018-02-01  Mark Lam  <mark.lam@apple.com>
49
50         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
51         https://bugs.webkit.org/show_bug.cgi?id=182419
52         <rdar://problem/37044945>
53
54         Reviewed by Saam Barati.
55
56         * stress/regress-182419.js: Added.
57
58 2018-02-01  Keith Miller  <keith_miller@apple.com>
59
60         Fix crashes due to mishandling custom sections.
61         https://bugs.webkit.org/show_bug.cgi?id=182404
62         <rdar://problem/36935863>
63
64         Reviewed by Saam Barati.
65
66         * wasm/Builder.js:
67         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
68         * wasm/js-api/validate.js:
69         (assert.truthy):
70
71 2018-01-31  Saam Barati  <sbarati@apple.com>
72
73         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
74         https://bugs.webkit.org/show_bug.cgi?id=182074
75         <rdar://problem/36846261>
76
77         Reviewed by Mark Lam.
78
79         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
80         (assert):
81         (let.func):
82         (let.o.foo):
83         (varFunc):
84
85 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
86
87         Unreviewed, update test262 expects
88         https://bugs.webkit.org/show_bug.cgi?id=182232
89
90         * test262.yaml:
91
92 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
93
94         [JSC] Implement trimStart and trimEnd
95         https://bugs.webkit.org/show_bug.cgi?id=182233
96
97         Reviewed by Mark Lam.
98
99         * stress/trim.js: Added.
100         (shouldBe):
101         (startTest):
102         (endTest):
103         (trimTest):
104
105 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
106
107         [JSC] Relax line terminators in String to make JSON subset of JS
108         https://bugs.webkit.org/show_bug.cgi?id=182232
109
110         Reviewed by Keith Miller.
111
112         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
113         * stress/relaxed-line-terminators-in-string.js: Added.
114         (shouldBe):
115
116 2018-01-29  Michael Saboff  <msaboff@apple.com>
117
118         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
119         https://bugs.webkit.org/show_bug.cgi?id=182249
120
121         Reviewed by Keith Miller.
122
123         New regression test.
124
125         * stress/compare-clobber-untypeduse.js: Added.
126
127 2018-01-29  Matt Lewis  <jlewis3@apple.com>
128
129         Unreviewed, rolling out r227725.
130
131         This caused internal failures.
132
133         Reverted changeset:
134
135         "JSC Sampling Profiler: Detect tester and testee when sampling
136         in RegExp JIT"
137         https://bugs.webkit.org/show_bug.cgi?id=152729
138         https://trac.webkit.org/changeset/227725
139
140 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
141
142         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
143         https://bugs.webkit.org/show_bug.cgi?id=152729
144
145         Reviewed by Saam Barati.
146
147         * stress/sampling-profiler-regexp.js: Added.
148         (platformSupportsSamplingProfiler.test):
149         (platformSupportsSamplingProfiler.baz):
150         (platformSupportsSamplingProfiler):
151
152 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
153
154         [DFG][FTL] WeakMap#set should have DFG node
155         https://bugs.webkit.org/show_bug.cgi?id=180015
156
157         Reviewed by Saam Barati.
158
159         * stress/weakmap-set-change-get.js: Added.
160         (shouldBe):
161         (test):
162         * stress/weakmap-set-cse.js: Added.
163         (shouldBe):
164         (test):
165         * stress/weakset-add-change-get.js: Added.
166         (shouldBe):
167         * stress/weakset-add-cse.js: Added.
168         (shouldBe):
169
170 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
171
172         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
173         https://bugs.webkit.org/show_bug.cgi?id=182213
174
175         Reviewed by Mark Lam.
176
177         * stress/int32-min-to-string.js: Added.
178         (shouldBe):
179         (test2):
180         (test4):
181         (test8):
182         (test16):
183         (test32):
184         * stress/zero-to-string.js: Added.
185         (shouldBe):
186         (test2):
187         (test4):
188         (test8):
189         (test16):
190         (test32):
191
192 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
193
194         Add more module scope related tests with code evaluation by string
195         https://bugs.webkit.org/show_bug.cgi?id=181983
196
197         Reviewed by Sam Weinig.
198
199         Add more module scope related tests. When the original tests are landed,
200         we do not have browser integration. This patch adds more module scope tests
201         with dynamically created script evaluation. We add tests with Function
202         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
203
204         * modules/scopes-eval.js: Added.
205         (shouldBe):
206         * modules/scopes.js:
207         (shouldBe):
208
209 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
210
211         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
212
213         * microbenchmarks/array-push-3.js: Removed.
214         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
215         * microbenchmarks/double-to-int32.js: Removed.
216         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
217         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
218         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
219         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
220         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
221         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
222         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
223         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
224         * microbenchmarks/map-constant-key.js: Removed.
225         * microbenchmarks/nested-function-parsing.js: Removed.
226         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
227         * microbenchmarks/spread-large-array.js: Removed.
228         * microbenchmarks/string-add-constant-folding.js: Removed.
229         * microbenchmarks/to-lower-case.js: Removed.
230         * microbenchmarks/undefined-property-access.js: Removed.
231         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
232         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
233         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
234         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
235         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
236         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
237         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
238         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
239         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
240         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
241         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
242         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
243         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
244         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
245         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
246         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
247         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
248         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
249
250 2018-01-23  Robin Morisset  <rmorisset@apple.com>
251
252         Update the argument count in DFGByteCodeParser::handleRecursiveCall
253         https://bugs.webkit.org/show_bug.cgi?id=181739
254         <rdar://problem/36627662>
255
256         Reviewed by Saam Barati.
257
258         * stress/recursive-tail-call-with-different-argument-count.js: Added.
259         (foo):
260         (bar):
261
262 2018-01-22  Michael Saboff  <msaboff@apple.com>
263
264         DFG abstract interpreter needs to properly model effects of some Math ops
265         https://bugs.webkit.org/show_bug.cgi?id=181886
266
267         Reviewed by Saam Barati.
268
269         New regression test.
270
271         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
272         (test):
273
274 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
275
276         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
277         https://bugs.webkit.org/show_bug.cgi?id=181182
278
279         Reviewed by Darin Adler.
280
281         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
282         * stress/big-int-prototype-to-string-exception.js: Added.
283         * stress/big-int-prototype-to-string-wrong-values.js: Added.
284         * stress/number-prototype-to-string-cast-overflow.js: Added.
285         * stress/number-prototype-to-string-exception.js: Added.
286         * stress/number-prototype-to-string-wrong-values.js: Added.
287
288 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
289
290         Disable Atomics when SharedArrayBuffer isn’t enabled
291         https://bugs.webkit.org/show_bug.cgi?id=181572
292
293         Unreviewed test gardening.
294
295         * test262.yaml: Skip tests that fail after this change.
296
297 2018-01-19  Saam Barati  <sbarati@apple.com>
298
299         Kill ArithNegate's ArithProfile assert inside BytecodeParser
300         https://bugs.webkit.org/show_bug.cgi?id=181877
301         <rdar://problem/36630552>
302
303         Reviewed by Mark Lam.
304
305         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
306         (runNearStackLimit):
307         (f1):
308         (f2):
309         (f3):
310         (i.catch):
311         (i.try.runNearStackLimit):
312         (catch):
313
314 2018-01-19  Saam Barati  <sbarati@apple.com>
315
316         Spread's effects are modeled incorrectly both in AI and in Clobberize
317         https://bugs.webkit.org/show_bug.cgi?id=181867
318         <rdar://problem/36290415>
319
320         Reviewed by Michael Saboff.
321
322         * stress/ai-needs-to-model-spreads-effects.js: Added.
323         (try.p.Symbol.iterator):
324         (try.go):
325         (catch):
326         * stress/clobberize-needs-to-model-spread-effects.js: Added.
327         (assert):
328         (foo):
329         (a.Symbol.iterator):
330
331 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
332
333         Unreviewed, reduce count of iteration to fix timing out debug JSC test
334         https://bugs.webkit.org/show_bug.cgi?id=181535
335
336         * stress/inserted-recovery-with-set-last-index.js:
337
338 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
339
340         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
341         https://bugs.webkit.org/show_bug.cgi?id=181535
342
343         Reviewed by Saam Barati.
344
345         * stress/inserted-recovery-with-set-last-index.js: Added.
346         (shouldBe):
347         (foo):
348         * stress/materialize-regexp-at-osr-exit.js: Added.
349         (shouldBe):
350         (test):
351         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
352         (shouldBe):
353         (test):
354         * stress/materialize-regexp-cyclic-regexp.js: Added.
355         (shouldBe):
356         (test):
357         (i.switch):
358         * stress/materialize-regexp-cyclic.js: Added.
359         (shouldBe):
360         (test):
361         (i.switch):
362         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
363         (bar):
364         (foo):
365         (test):
366         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
367         (bar):
368         (foo):
369         (test):
370         * stress/materialize-regexp.js: Added.
371         (shouldBe):
372         (test):
373         * stress/phantom-regexp-regexp-exec.js: Added.
374         (shouldBe):
375         (test):
376         * stress/phantom-regexp-string-match.js: Added.
377         (shouldBe):
378         (test):
379         * stress/regexp-last-index-sinking.js: Added.
380         (shouldBe):
381         (test):
382
383 2018-01-17  Saam Barati  <sbarati@apple.com>
384
385         Disable Atomics when SharedArrayBuffer isn’t enabled
386         https://bugs.webkit.org/show_bug.cgi?id=181572
387         <rdar://problem/36553206>
388
389         Reviewed by Michael Saboff.
390
391         * stress/isLockFree.js:
392
393 2018-01-17  Saam Barati  <sbarati@apple.com>
394
395         DFG::Node::convertToConstant needs to clear the varargs flags
396         https://bugs.webkit.org/show_bug.cgi?id=181697
397         <rdar://problem/36497332>
398
399         Reviewed by Yusuke Suzuki.
400
401         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
402         (doIndexOf):
403         (bar):
404         (i.bar):
405
406 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
407
408         Unreviewed, rolling out r226937.
409
410         Tests added with this change are failing due to a missing
411         exception check.
412
413         Reverted changeset:
414
415         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
416         double to int32_t"
417         https://bugs.webkit.org/show_bug.cgi?id=181182
418         https://trac.webkit.org/changeset/226937
419
420 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
421
422         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
423         https://bugs.webkit.org/show_bug.cgi?id=181182
424
425         Reviewed by Darin Adler.
426
427         * bigIntTests.yaml:
428         * stress/big-int-constructor.js:
429         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
430         (assert):
431         (assertThrowRangeError):
432         * stress/number-prototype-to-string-cast-overflow.js: Added.
433         (assert):
434         (assertThrowRangeError):
435
436 2018-01-12  Saam Barati  <sbarati@apple.com>
437
438         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
439         https://bugs.webkit.org/show_bug.cgi?id=181177
440         <rdar://problem/36205704>
441
442         Reviewed by Yusuke Suzuki.
443
444         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
445         (runNearStackLimit.t):
446         (runNearStackLimit):
447         (test.f):
448         (test):
449
450 2018-01-12  Saam Barati  <sbarati@apple.com>
451
452         Each variant of a polymorphic inlined call should be exitOK at the top of the block
453         https://bugs.webkit.org/show_bug.cgi?id=181562
454         <rdar://problem/36445624>
455
456         Reviewed by Yusuke Suzuki.
457
458         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
459         (f):
460         (foo):
461
462 2018-01-11  Saam Barati  <sbarati@apple.com>
463
464         When inserting Unreachable in byte code parser we need to flush all the right things
465         https://bugs.webkit.org/show_bug.cgi?id=181509
466         <rdar://problem/36423110>
467
468         Reviewed by Mark Lam.
469
470         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
471
472 2018-01-11  Saam Barati  <sbarati@apple.com>
473
474         JITMathIC code in the FTL is wrong when code gets duplicated
475         https://bugs.webkit.org/show_bug.cgi?id=181525
476         <rdar://problem/36351993>
477
478         Reviewed by Michael Saboff and Keith Miller.
479
480         * stress/allow-math-ic-b3-code-duplication.js: Added.
481
482 2018-01-11  Saam Barati  <sbarati@apple.com>
483
484         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
485         https://bugs.webkit.org/show_bug.cgi?id=181508
486
487         Reviewed by Yusuke Suzuki.
488
489         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
490         (assert):
491         (test1.foo):
492         (test1):
493         (test2.foo):
494         (test2):
495
496 2018-01-09  Mark Lam  <mark.lam@apple.com>
497
498         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
499         https://bugs.webkit.org/show_bug.cgi?id=181388
500         <rdar://problem/36349351>
501
502         Reviewed by Saam Barati.
503
504         * stress/regress-181388.js: Added.
505
506 2018-01-08  JF Bastien  <jfbastien@apple.com>
507
508         WebAssembly: mask indexed accesses to Table
509         https://bugs.webkit.org/show_bug.cgi?id=181412
510         <rdar://problem/36363236>
511
512         Reviewed by Saam Barati.
513
514         Update error messages.
515
516         * wasm/js-api/table.js:
517         (assert.throws.WebAssembly.Table.prototype.grow):
518
519 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
520
521         Disable SharedArrayBuffer tests missed in r226386.
522         https://bugs.webkit.org/show_bug.cgi?id=181266
523
524         Unreviewed test gardening.
525
526         * test262.yaml:
527
528 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
529
530         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
531         https://bugs.webkit.org/show_bug.cgi?id=181321
532
533         Reviewed by Saam Barati.
534
535         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
536         (shouldBe):
537         (testFunction):
538         * test262.yaml:
539
540 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
541
542         Unreviewed, attempt to fix test262 after r226386.
543
544         * test262.yaml:
545
546 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
547
548         [DFG] Define defs for MapSet/SetAdd to participate in CSE
549         https://bugs.webkit.org/show_bug.cgi?id=179911
550
551         Reviewed by Saam Barati.
552
553         In addition to these tests, map-set-cse.js and set-add-cse.js work.
554
555         * stress/map-set-change-get.js: Added.
556         (shouldBe):
557         (test):
558         * stress/map-set-create-bucket.js: Added.
559         (shouldBe):
560         (test):
561         * stress/set-add-create-bucket.js: Added.
562         (shouldBe):
563
564 2018-01-03  Michael Saboff  <msaboff@apple.com>
565
566         Disable SharedArrayBuffers from Web API
567         https://bugs.webkit.org/show_bug.cgi?id=181266
568
569         Reviewed by Saam Barati.
570
571         Disabled SharedArrayBuffer tests.
572
573         * stress/SharedArrayBuffer-opt.js:
574         * stress/SharedArrayBuffer.js:
575         * stress/array-buffer-byte-length.js:
576         * stress/atomics-add-uint32.js:
577         * stress/atomics-known-int-use.js:
578         * stress/atomics-neg-zero.js:
579         * stress/atomics-store-return.js:
580         * stress/lars-sab-workers.js:
581         * stress/regress-159779-1.js:
582         * stress/regress-159779-2.js:
583         * stress/regress-170473.js:
584         * test262.yaml:
585
586 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
587
588         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
589         https://bugs.webkit.org/show_bug.cgi?id=181258
590
591         Reviewed by Antonio Gomes.
592
593         * stress/big-int-constructor-gc.js:
594         * stress/big-int-constructor-oom.js:
595
596 2018-01-03  Robin Morisset  <rmorisset@apple.com>
597
598         Inlining of a function that ends in op_unreachable crashes
599         https://bugs.webkit.org/show_bug.cgi?id=181027
600
601         Reviewed by Filip Pizlo.
602
603         * stress/inlining-unreachable.js: Added.
604         (bar):
605         (baz):
606         (i.catch):
607
608 2018-01-02  Saam Barati  <sbarati@apple.com>
609
610         Incorrect assertion inside AccessCase
611         https://bugs.webkit.org/show_bug.cgi?id=181200
612         <rdar://problem/35494754>
613
614         Reviewed by Yusuke Suzuki.
615
616         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
617         (ctor):
618         (theFunc):
619         (run):
620
621 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
622
623         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
624         https://bugs.webkit.org/show_bug.cgi?id=175359
625
626         Reviewed by Yusuke Suzuki.
627
628         * bigIntTests.yaml:
629         * stress/big-int-as-key.js: Added.
630         * stress/big-int-constructor-gc.js: Added.
631         * stress/big-int-constructor-oom.js: Added.
632         * stress/big-int-constructor-properties.js: Added.
633         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
634         * stress/big-int-constructor-prototype.js: Added.
635         * stress/big-int-constructor.js: Added.
636         * stress/big-int-function-apply.js:
637         * stress/big-int-length.js: Added.
638         * stress/big-int-prop-descriptor.js: Added.
639         * stress/big-int-proto-constructor.js: Added.
640         * stress/big-int-proto-name.js: Added.
641         * stress/big-int-prototype-properties.js: Added.
642         * stress/big-int-prototype-proto.js: Added.
643         * stress/big-int-prototype-value-of.js: Added.
644         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
645         * stress/big-int-prototype-to-string-apply.js: Added.
646         * stress/big-int-to-object.js: Added.
647         * stress/big-int-to-string.js: Added.
648
649 2017-12-28  Saam Barati  <sbarati@apple.com>
650
651         Assertion used to determine if something is an async generator is wrong
652         https://bugs.webkit.org/show_bug.cgi?id=181168
653         <rdar://problem/35640560>
654
655         Reviewed by Yusuke Suzuki.
656
657         * stress/async-generator-assertion.js: Added.
658
659 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
660
661         Skip stress/splay-flash-access tests on memory limited platforms
662         https://bugs.webkit.org/show_bug.cgi?id=181086
663
664         Reviewed by Carlos Alberto Lopez Perez.
665
666         These tests use about 185M of memory, and occasionally get OOM-killed
667         on memory limited platforms.
668
669         * stress/splay-flash-access-1ms.js:
670         * stress/splay-flash-access.js:
671
672 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
673
674         Skip slow jsc tests on embedded platforms
675         https://bugs.webkit.org/show_bug.cgi?id=180937
676
677         Reviewed by Carlos Alberto Lopez Perez.
678
679         The tests typeProfiler/deltablue-for-of.js and
680         typeProfiler/getter-richards.js take a very long time in the
681         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
682         thus always timeout. They should be skipped on these platforms.
683
684         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
685         * typeProfiler/getter-richards.js: Skip on arm*/mips.
686
687 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
688
689         [JSC] Do not check isValid() in op_new_regexp
690         https://bugs.webkit.org/show_bug.cgi?id=180970
691
692         Reviewed by Saam Barati.
693
694         * stress/regexp-syntax-error-invalid-flags.js: Added.
695         (shouldThrow):
696
697 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
698
699         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
700         https://bugs.webkit.org/show_bug.cgi?id=180712
701
702         Reviewed by Michael Catanzaro.
703
704         stress/call-apply-exponential-bytecode-size.js crashes if the
705         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
706         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
707         should skip the test on other platforms.
708
709         * stress/call-apply-exponential-bytecode-size.js:
710
711 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
712
713         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
714         https://bugs.webkit.org/show_bug.cgi?id=179762
715
716         Reviewed by Saam Barati.
717
718         * stress/call-varargs-double-new-array-buffer.js: Added.
719         (assert):
720         (bar):
721         (foo):
722         * stress/call-varargs-spread-new-array-buffer.js: Added.
723         (assert):
724         (bar):
725         (foo):
726         * stress/call-varargs-spread-new-array-buffer2.js: Added.
727         (assert):
728         (bar):
729         (foo):
730         * stress/forward-varargs-double-new-array-buffer.js: Added.
731         (assert):
732         (test.baz):
733         (test.bar):
734         (test.foo):
735         (test):
736         * stress/new-array-buffer-sinking-osrexit.js: Added.
737         (target):
738         (test):
739         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
740         (shouldBe):
741         (test):
742         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
743         (shouldBe):
744         (target):
745         (test):
746         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
747         (assert):
748         (test1.bar):
749         (test1.foo):
750         (test1):
751         (test2.bar):
752         (test2.foo):
753         (test3.baz):
754         (test3.bar):
755         (test3.foo):
756         (test4.baz):
757         (test4.bar):
758         (test4.foo):
759         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
760         (assert):
761         (test.baz):
762         (test.bar):
763         (test.foo):
764         (test):
765         * stress/phantom-new-array-buffer-osr-exit.js: Added.
766         (assert):
767         (baz):
768         (bar):
769         (effects):
770         (foo):
771
772 2017-12-14  Saam Barati  <sbarati@apple.com>
773
774         The CleanUp after LICM is erroneously removing a Check
775         https://bugs.webkit.org/show_bug.cgi?id=180852
776         <rdar://problem/36063494>
777
778         Reviewed by Filip Pizlo.
779
780         * stress/dont-run-cleanup-after-licm.js: Added.
781
782 2017-12-14  Michael Saboff  <msaboff@apple.com>
783
784         REGRESSION (r225695): Repro crash on yahoo login page
785         https://bugs.webkit.org/show_bug.cgi?id=180761
786
787         Reviewed by JF Bastien.
788
789         New regression test.
790
791         * stress/regress-180761.js: Added.
792
793 2017-12-13  Keith Miller  <keith_miller@apple.com>
794
795         JSObjects should have a mask for loading indexed properties
796         https://bugs.webkit.org/show_bug.cgi?id=180768
797
798         Reviewed by Mark Lam.
799
800         * stress/int16-put-by-val-in-and-out-of-bounds.js:
801         (test):
802
803 2017-12-13  Saam Barati  <sbarati@apple.com>
804
805         Arrow functions need their own structure because they have different properties than sloppy functions
806         https://bugs.webkit.org/show_bug.cgi?id=180779
807         <rdar://problem/35814591>
808
809         Reviewed by Mark Lam.
810
811         * stress/arrow-function-needs-its-own-structure.js: Added.
812         (assert):
813         (readPrototype):
814         (noInline.let.f1):
815         (noInline):
816
817 2017-12-13  Saam Barati  <sbarati@apple.com>
818
819         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
820         https://bugs.webkit.org/show_bug.cgi?id=163579
821         <rdar://problem/35455798>
822
823         Reviewed by Mark Lam.
824
825         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
826         (assert):
827         (test1):
828         (i.test1):
829         (i.test1.C):
830         (i.test1.async.foo):
831         (i.test1.foo):
832         (test2):
833
834 2017-12-13  Saam Barati  <sbarati@apple.com>
835
836         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
837         https://bugs.webkit.org/show_bug.cgi?id=180734
838         <rdar://problem/35640547>
839
840         Reviewed by Yusuke Suzuki.
841
842         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
843         (__isPropertyOfType):
844         (__getProperties):
845         (__getObjects):
846         (__getRandomObject):
847         (theClass.):
848         (theClass):
849         (childClass):
850         (counter.catch):
851
852 2017-12-12  Saam Barati  <sbarati@apple.com>
853
854         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
855         https://bugs.webkit.org/show_bug.cgi?id=180725
856         <rdar://problem/35970511>
857
858         Reviewed by Michael Saboff.
859
860         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
861         (f1):
862         (f2):
863         (let.o2.valueOf):
864
865 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
866
867         [JSC] Implement optimized WeakMap and WeakSet
868         https://bugs.webkit.org/show_bug.cgi?id=179929
869
870         Reviewed by Saam Barati.
871
872         * microbenchmarks/weak-map-key.js:
873         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
874         (assert):
875         (objectKey):
876         (let.start.Date.now):
877         * stress/basic-weakmap.js: Added.
878         (shouldBe):
879         (test):
880         * stress/basic-weakset.js: Added.
881         (shouldBe):
882         (test.set new):
883         * stress/weakmap-cse-set-break.js: Added.
884         (shouldBe):
885         (test):
886         * stress/weakmap-cse.js: Added.
887         (shouldBe):
888         (test):
889         * stress/weakmap-gc.js: Added.
890         (test):
891         * stress/weakset-cse-add-break.js: Added.
892         (shouldBe):
893         (test.set new):
894         * stress/weakset-cse.js: Added.
895         (shouldBe):
896         (test.set new):
897         * stress/weakset-gc.js: Added.
898         (test.set add):
899         (test.set new):
900         (test):
901
902 2017-12-12  Saam Barati  <sbarati@apple.com>
903
904         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
905         https://bugs.webkit.org/show_bug.cgi?id=180723
906         <rdar://problem/35859726>
907
908         Reviewed by JF Bastien.
909
910         * stress/get-my-argument-by-val-constant-folding.js: Added.
911         (test):
912         (catch):
913
914 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
915
916         [ESNext][BigInt] Implement BigInt literals and JSBigInt
917         https://bugs.webkit.org/show_bug.cgi?id=179000
918
919         Reviewed by Darin Adler and Yusuke Suzuki.
920
921         * bigIntTests.yaml: Added.
922         * stress/big-int-literal-line-terminator.js: Added.
923         * stress/big-int-literals.js: Added.
924         * stress/big-int-operations-error.js: Added.
925         * stress/big-int-type-of.js: Added.
926         * stress/big-int-white-space-trailing-leading.js: Added.
927         * stress/big-int-function-apply.js: Added.
928
929 2017-12-11  Saam Barati  <sbarati@apple.com>
930
931         We need to disableCaching() in ErrorInstance when we materialize properties
932         https://bugs.webkit.org/show_bug.cgi?id=180343
933         <rdar://problem/35833002>
934
935         Reviewed by Mark Lam.
936
937         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
938         (assert):
939         (makeError):
940         (storeToStack):
941         (storeToStackAlreadyMaterialized):
942
943 2017-12-05  JF Bastien  <jfbastien@apple.com>
944
945         WebAssembly: don't eagerly checksum
946         https://bugs.webkit.org/show_bug.cgi?id=180441
947         <rdar://problem/35156628>
948
949         Reviewed by Saam Barati.
950
951         Checksum is now disabled, so tests only have <?> as the module
952         name.
953
954         * wasm/function-tests/nameSection.js:
955         * wasm/function-tests/stack-overflow.js:
956         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
957         (assertOverflows.assertThrows):
958         (assertOverflows):
959         * wasm/function-tests/stack-trace.js:
960
961 2017-12-04  JF Bastien  <jfbastien@apple.com>
962
963         Proxy all functions, except the $ objects
964         https://bugs.webkit.org/show_bug.cgi?id=180375
965
966         Reviewed by Saam Barati.
967
968         It looks like this test may have broken some executions because I
969         call some internal objects. Explicitly ignore objects whose name
970         starts with "$" because it's a bad idea anyways.
971
972         * stress/proxy-all-the-parameters.js:
973         (generateObjects):
974         (get throw):
975
976 2017-12-04  Saam Barati  <sbarati@apple.com>
977
978         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
979         https://bugs.webkit.org/show_bug.cgi?id=180366
980         <rdar://problem/35685877>
981
982         Reviewed by Michael Saboff.
983
984         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
985         (theParent):
986         (test1.base.getParentStaticValue):
987         (test1.base):
988         (test1.__v_24888.prototype.set prop):
989         (test1.__v_24888):
990         (test2.base.getParentStaticValue):
991         (test2.base):
992         (test2.__v_24888.prototype.set prop):
993         (test2.__v_24888):
994         (test2):
995
996 2017-12-01  JF Bastien  <jfbastien@apple.com>
997
998         Try proxying all function arguments
999         https://bugs.webkit.org/show_bug.cgi?id=180306
1000
1001         Reviewed by Saam Barati.
1002
1003         * stress/proxy-all-the-parameters.js: Added.
1004         (isPropertyOfType):
1005         (getProperties):
1006         (generateObjects):
1007         (getObjects):
1008         (getFunctions):
1009         (get throw):
1010         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1011
1012 2017-12-01  JF Bastien  <jfbastien@apple.com>
1013
1014         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1015         https://bugs.webkit.org/show_bug.cgi?id=180297
1016         <rdar://problem/35745556>
1017
1018         Reviewed by Mark Lam.
1019
1020         * stress/math-exceptions.js: Added.
1021         (get try):
1022         (catch):
1023
1024 2017-12-01  JF Bastien  <jfbastien@apple.com>
1025
1026         JavaScriptCore: add test for weird class static getters
1027         https://bugs.webkit.org/show_bug.cgi?id=180281
1028         <rdar://problem/35592139>
1029
1030         Reviewed by Mark Lam.
1031
1032         I fixed a bug for it in r224927 and didn't add a test. Do so.
1033
1034         * stress/class-static-get-weird.js: Added.
1035         (c.prototype.get name):
1036         (c):
1037         (c.prototype.get arguments):
1038         (c.prototype.get caller):
1039         (c.prototype.get length):
1040
1041 2017-12-01  Saam Barati  <sbarati@apple.com>
1042
1043         Having a bad time needs to handle ArrayClass indexing type as well
1044         https://bugs.webkit.org/show_bug.cgi?id=180274
1045         <rdar://problem/35667869>
1046
1047         Reviewed by Keith Miller and Mark Lam.
1048
1049         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1050         (assert):
1051         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1052         (assert):
1053
1054 2017-12-01  JF Bastien  <jfbastien@apple.com>
1055
1056         WebAssembly: restore cached stack limit after out-call
1057         https://bugs.webkit.org/show_bug.cgi?id=179106
1058         <rdar://problem/35337525>
1059
1060         Reviewed by Saam Barati.
1061
1062         * wasm/function-tests/double-instance.js: Added.
1063         (const.imp.boom):
1064         (const.imp.get callAnother):
1065
1066 2017-11-30  JF Bastien  <jfbastien@apple.com>
1067
1068         WebAssembly: improve stack trace
1069         https://bugs.webkit.org/show_bug.cgi?id=179343
1070
1071         Reviewed by Saam Barati.
1072
1073         Update the tests to follow the new format. Notably, SHA1 module
1074         hash is now included in traces, and stubs are properly identified.
1075
1076         * wasm/assert.js: Add an assertion which matches regular expressions.
1077         * wasm/function-tests/nameSection.js:
1078         * wasm/function-tests/stack-overflow.js:
1079         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1080         (assertOverflows.assertThrows.wasm.1):
1081         (assertOverflows.assertThrows.wasm.0):
1082         (assertOverflows.assertThrows):
1083         (assertOverflows):
1084         * wasm/function-tests/stack-trace.js:
1085         (import.Builder.from.string_appeared_here.assert): Deleted.
1086         * wasm/function-tests/trap-after-cross-instance-call.js:
1087         (wasmFrameCountFromError):
1088         * wasm/function-tests/trap-load-2.js:
1089         (wasmFrameCountFromError):
1090         * wasm/function-tests/trap-load.js:
1091         (wasmFrameCountFromError):
1092
1093 2017-11-30  Mark Lam  <mark.lam@apple.com>
1094
1095         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1096         https://bugs.webkit.org/show_bug.cgi?id=180219
1097         <rdar://problem/35696536>
1098
1099         Reviewed by Filip Pizlo.
1100
1101         * stress/regress-180219.js: Added.
1102
1103 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1104
1105         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1106         https://bugs.webkit.org/show_bug.cgi?id=180190
1107
1108         Reviewed by Mark Lam.
1109
1110         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1111         (shouldBe):
1112         (test1):
1113         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1114         (shouldBe):
1115         (test1):
1116         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1117         (shouldBe):
1118         (test1):
1119         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1120         (shouldBe):
1121         (test1):
1122         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1123         (shouldBe):
1124         (test1):
1125         * stress/operation-in-may-have-negative-int32.js: Added.
1126         (shouldBe):
1127         (test2):
1128         * stress/operation-in-negative-int32-cast.js: Added.
1129         (shouldBe):
1130         (test1):
1131
1132 2017-11-28  JF Bastien  <jfbastien@apple.com>
1133
1134         Strict and sloppy functions shouldn't share structure
1135         https://bugs.webkit.org/show_bug.cgi?id=180103
1136         <rdar://problem/35667847>
1137
1138         Reviewed by Saam Barati.
1139
1140         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1141         because the IC was wrong.
1142         (foo):
1143         (bar):
1144         (baz):
1145         (catch):
1146         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1147         in this patch, but may as well test odd strict mode corner cases.
1148         (bar):
1149         (baz):
1150         (catch):
1151         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1152         (foo):
1153         (bar):
1154         (baz):
1155         (catch):
1156         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1157         next file, but with invalidation of the FunctionExecutable's
1158         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1159         slower path.
1160         (foo):
1161         (bar.const.x):
1162         (bar.const.y):
1163         (bar):
1164         (catch):
1165         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1166         strict nesting works correctly.
1167         (foo):
1168         (bar.baz):
1169         (bar):
1170         * stress/strict-function-structure.js: Added. The test used to
1171         assert in objectProtoFuncHasOwnProperty.
1172         (foo):
1173         (bar):
1174         (baz):
1175         * stress/strict-nested-function-structure.js: Added. Nesting.
1176         (foo):
1177         (bar):
1178         (baz.boo):
1179         (baz):
1180
1181 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1182
1183         The recursive tail call optimisation is wrong on closures
1184         https://bugs.webkit.org/show_bug.cgi?id=179835
1185
1186         Reviewed by Saam Barati.
1187
1188         * stress/closure-recursive-tail-call.js: Added.
1189         (makeClosure):
1190
1191 2017-11-27  JF Bastien  <jfbastien@apple.com>
1192
1193         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1194         https://bugs.webkit.org/show_bug.cgi?id=180051
1195         <rdar://problem/35614371>
1196
1197         Reviewed by Saam Barati.
1198
1199         * stress/rest-parameter-negative.js: Added.
1200         (__f_5484):
1201         (catch):
1202         (__f_5485):
1203         (__v_22598.catch):
1204
1205 2017-11-27  Saam Barati  <sbarati@apple.com>
1206
1207         Spread can escape when CreateRest does not
1208         https://bugs.webkit.org/show_bug.cgi?id=180057
1209         <rdar://problem/35676119>
1210
1211         Reviewed by JF Bastien.
1212
1213         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1214         (assert):
1215         (getProperties):
1216         (theFunc):
1217         (let.obj.valueOf):
1218
1219 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1220
1221         [DFG] Add NormalizeMapKey DFG IR
1222         https://bugs.webkit.org/show_bug.cgi?id=179912
1223
1224         Reviewed by Saam Barati.
1225
1226         * stress/map-untyped-normalize-cse.js: Added.
1227         (shouldBe):
1228         (test):
1229         * stress/map-untyped-normalize.js: Added.
1230         (shouldBe):
1231         (test):
1232         * stress/set-untyped-normalize-cse.js: Added.
1233         (shouldBe):
1234         (set return.set has.set has):
1235         * stress/set-untyped-normalize.js: Added.
1236         (shouldBe):
1237         (set return.set has):
1238
1239 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1240
1241         [FTL] Support DeleteById and DeleteByVal
1242         https://bugs.webkit.org/show_bug.cgi?id=180022
1243
1244         Reviewed by Saam Barati.
1245
1246         * stress/delete-by-id.js: Added.
1247         (shouldBe):
1248         (test1):
1249         (test2):
1250         * stress/delete-by-val-ftl.js: Added.
1251         (shouldBe):
1252         (test1):
1253         (test2):
1254
1255 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1256
1257         [DFG] Introduce {Set,Map,WeakMap}Fields
1258         https://bugs.webkit.org/show_bug.cgi?id=179925
1259
1260         Reviewed by Saam Barati.
1261
1262         * stress/map-set-clobber-map-get.js: Added.
1263         (shouldBe):
1264         (test):
1265         * stress/map-set-does-not-clobber-set-has.js: Added.
1266         (shouldBe):
1267         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1268         (shouldBe):
1269         (test):
1270         * stress/set-add-clobber-set-has.js: Added.
1271         (shouldBe):
1272         * stress/set-add-does-not-clobber-map-get.js: Added.
1273         (shouldBe):
1274
1275 2017-11-24  Mark Lam  <mark.lam@apple.com>
1276
1277         Move unsafe jsc shell test functions to the $vm object.
1278         https://bugs.webkit.org/show_bug.cgi?id=179980
1279
1280         Reviewed by Yusuke Suzuki.
1281
1282         * controlFlowProfiler/driver/driver.js:
1283         * controlFlowProfiler/execution-count.js:
1284         * controlFlowProfiler/if-statement.js:
1285         * controlFlowProfiler/loop-statements.js:
1286         * controlFlowProfiler/switch-statements.js:
1287         * controlFlowProfiler/test-jit.js:
1288         * exceptionFuzz/3d-cube.js:
1289         * exceptionFuzz/date-format-xparb.js:
1290         * exceptionFuzz/earley-boyer.js:
1291         * heapProfiler/basic-edges.js:
1292         * heapProfiler/property-edge-types.js:
1293         * microbenchmarks/try-get-by-id-basic.js:
1294         * microbenchmarks/try-get-by-id-polymorphic.js:
1295         * modules/namespace-object-try-get.js:
1296         * stress/argument-count-bytecode.js:
1297         * stress/argument-intrinsic-basic.js:
1298         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1299         * stress/argument-intrinsic-inlining-with-result-escape.js:
1300         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1301         * stress/argument-intrinsic-inlining-with-vararg.js:
1302         * stress/argument-intrinsic-nested-inlining.js:
1303         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1304         * stress/argument-intrinsic-with-stack-write.js:
1305         * stress/arity-mismatch-get-argument.js:
1306         * stress/array-message-passing.js:
1307         * stress/array-push-with-force-exit.js:
1308         * stress/check-dom-with-signature.js:
1309         * stress/check-sub-class.js:
1310         * stress/compare-eq-incomplete-profile.js:
1311         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1312         * stress/do-eval-virtual-call-correctly.js:
1313         * stress/dom-jit-with-poly-proto.js:
1314         * stress/domjit-exception-ic.js:
1315         * stress/domjit-exception.js:
1316         * stress/domjit-getter-complex-with-incorrect-object.js:
1317         * stress/domjit-getter-complex.js:
1318         * stress/domjit-getter-poly.js:
1319         * stress/domjit-getter-proto.js:
1320         * stress/domjit-getter-super-poly.js:
1321         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1322         * stress/domjit-getter-type-check.js:
1323         * stress/domjit-getter.js:
1324         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1325         * stress/for-in-proxy-target-changed-structure.js:
1326         * stress/for-in-proxy.js:
1327         * stress/generational-opaque-roots.js:
1328         * stress/global-const-redeclaration-setting-2.js:
1329         * stress/global-const-redeclaration-setting-3.js:
1330         * stress/global-const-redeclaration-setting-4.js:
1331         * stress/global-const-redeclaration-setting-5.js:
1332         * stress/global-const-redeclaration-setting.js:
1333         * stress/import-basic.js:
1334         * stress/import-from-eval.js:
1335         * stress/import-reject-with-exception.js:
1336         * stress/import-syntax.js:
1337         * stress/impure-get-own-property-slot-inline-cache.js:
1338         * stress/is-constructor.js:
1339         * stress/istypedarrayview-intrinsic.js:
1340         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1341         * stress/jsc-test-functions-should-be-more-robust.js:
1342         * stress/object-toString-with-proxy.js:
1343         * stress/poly-proto-custom-value-and-accessor.js:
1344         * stress/proxy-inline-cache.js:
1345         * stress/re-execute-error-module.js:
1346         * stress/regress-150532.js:
1347         * stress/regress-156992.js:
1348         * stress/regress-179619.js:
1349         * stress/resources/shadow-chicken-support.js:
1350         * stress/runtime-array.js:
1351         * stress/sampling-profiler-microtasks.js:
1352         * stress/shadow-chicken-enabled.js:
1353         * stress/spread-correct-global-object-on-exception.js:
1354         * stress/super-get-by-id.js:
1355         * stress/tailCallForwardArguments.js:
1356         * stress/to-object-intrinsic-boolean-edge.js:
1357         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1358         * stress/to-object-intrinsic-number-edge.js:
1359         * stress/to-object-intrinsic-object-edge.js:
1360         * stress/to-object-intrinsic-string-edge.js:
1361         * stress/to-object-intrinsic-symbol-edge.js:
1362         * stress/to-object-intrinsic.js:
1363         * stress/try-catch-custom-getter-as-get-by-id.js:
1364         * stress/try-get-by-id-poly-proto.js:
1365         * stress/try-get-by-id-should-spill-registers-dfg.js:
1366         * stress/try-get-by-id.js:
1367         * typeProfiler/arrow-functions.js:
1368         * typeProfiler/basic.js:
1369         * typeProfiler/captured.js:
1370         * typeProfiler/classes.js:
1371         * typeProfiler/dfg-jit-optimizations.js:
1372         * typeProfiler/dictionary-mode.js:
1373         * typeProfiler/es6-block-scoping.js:
1374         * typeProfiler/es6-classes.js:
1375         * typeProfiler/inheritance.js:
1376         * typeProfiler/int52-dfg.js:
1377         * typeProfiler/loop.js:
1378         * typeProfiler/optional-fields.js:
1379         * typeProfiler/overflow.js:
1380         * typeProfiler/return.js:
1381         * typeProfiler/symbol.js:
1382         * typeProfiler/weird-prototype-chain.js:
1383
1384 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1385
1386         [DFG][FTL] Support MapSet / SetAdd intrinsics
1387         https://bugs.webkit.org/show_bug.cgi?id=179858
1388
1389         Reviewed by Saam Barati.
1390
1391         * microbenchmarks/map-has-and-set.js: Added.
1392         (test):
1393         * stress/map-set-check-failure.js: Added.
1394         (shouldBe):
1395         (shouldThrow):
1396         (target):
1397         * stress/map-set-cse.js: Added.
1398         (shouldBe):
1399         (test):
1400         * stress/set-add-check-failure.js: Added.
1401         (shouldBe):
1402         (shouldThrow):
1403         (set shouldThrow):
1404         * stress/set-add-cse.js: Added.
1405         (shouldBe):
1406
1407 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1408
1409         [JSC] Allow poly proto for intrinsic getters
1410         https://bugs.webkit.org/show_bug.cgi?id=179550
1411
1412         Reviewed by Saam Barati.
1413
1414         This change is also tested by existing tests.
1415
1416             1. stress/intrinsic-getter-with-poly-proto.js
1417             2. stress/poly-proto-intrinsic-getter-correctness.js
1418
1419         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1420         (shouldBe):
1421         (makePolyProtoObject.foo.C):
1422         (makePolyProtoObject.foo):
1423         (makePolyProtoObject):
1424         (target):
1425         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1426         (shouldBe):
1427         (makePolyProtoObject.foo.C):
1428         (makePolyProtoObject.foo):
1429         (makePolyProtoObject):
1430         (target):
1431
1432 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1433
1434         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1435         https://bugs.webkit.org/show_bug.cgi?id=179744
1436
1437         Reviewed by Michael Catanzaro.
1438
1439         This test uses too much memory for our buildbots on these platforms
1440         and gets OOM-killed.
1441
1442         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1443         Skip if $memoryLimited and linux.
1444
1445 2017-11-17  JF Bastien  <jfbastien@apple.com>
1446
1447         WebAssembly JS API: throw when a promise can't be created
1448         https://bugs.webkit.org/show_bug.cgi?id=179826
1449         <rdar://problem/35455813>
1450
1451         Reviewed by Mark Lam.
1452
1453         Test WebAssembly.{compile,instantiate} where promise creation
1454         fails because of a stack overflow.
1455
1456         * wasm/js-api/promise-stack-overflow.js: Added.
1457         (const.runNearStackLimit.f.const.t):
1458         (async.testCompile):
1459         (async.testInstantiate):
1460
1461 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1462
1463         Unreviewed, mark regress-178385.js as memory exhausting
1464
1465         * stress/regress-178385.js:
1466
1467 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1468
1469         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1470
1471         Unreviewed test gardening.
1472
1473         * test262.yaml:
1474
1475 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1476
1477         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1478         https://bugs.webkit.org/show_bug.cgi?id=179763
1479         <rdar://problem/35550513>
1480
1481         Reviewed by Keith Miller.
1482
1483         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1484
1485         * stress/tdz-this-in-try-catch.js: Added.
1486         (__v_6388):
1487         (__v_6392):
1488
1489 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1490
1491         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1492         https://bugs.webkit.org/show_bug.cgi?id=179594
1493
1494         Reviewed by Saam Barati.
1495
1496         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1497         (shouldBe):
1498         (args):
1499         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1500         (shouldBe):
1501         (args):
1502
1503 2017-11-14  Saam Barati  <sbarati@apple.com>
1504
1505         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1506         https://bugs.webkit.org/show_bug.cgi?id=179639
1507         <rdar://problem/35513018>
1508
1509         Reviewed by JF Bastien.
1510
1511         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1512         (escape):
1513         (i.func):
1514
1515 2017-11-13  Mark Lam  <mark.lam@apple.com>
1516
1517         Add more overflow check book-keeping for MarkedArgumentBuffer.
1518         https://bugs.webkit.org/show_bug.cgi?id=179634
1519         <rdar://problem/35492517>
1520
1521         Reviewed by Saam Barati.
1522
1523         * stress/regress-179634.js: Added.
1524
1525 2017-11-13  Mark Lam  <mark.lam@apple.com>
1526
1527         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1528         https://bugs.webkit.org/show_bug.cgi?id=179619
1529         <rdar://problem/35492518>
1530
1531         Reviewed by Saam Barati.
1532
1533         * stress/regress-179619.js: Added.
1534
1535 2017-11-12  Mark Lam  <mark.lam@apple.com>
1536
1537         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1538         https://bugs.webkit.org/show_bug.cgi?id=179562
1539         <rdar://problem/35467022>
1540
1541         Reviewed by Saam Barati.
1542
1543         * regress-179562.js: Added.
1544
1545 2017-11-08  Saam Barati  <sbarati@apple.com>
1546
1547         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1548         https://bugs.webkit.org/show_bug.cgi?id=177792
1549
1550         Reviewed by Yusuke Suzuki.
1551
1552         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1553         (assert):
1554         (foo.Foo.prototype.ensureX):
1555         (foo.Foo):
1556         (foo):
1557         (access):
1558
1559 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1560
1561         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1562         https://bugs.webkit.org/show_bug.cgi?id=178592
1563
1564         Unreviewed test gardening.
1565
1566         * test262.yaml:
1567
1568 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1569
1570         Turn recursive tail calls into loops
1571         https://bugs.webkit.org/show_bug.cgi?id=176601
1572
1573         Reviewed by Saam Barati.
1574
1575         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1576
1577         Add some simple test that computes factorial in several ways, and other trivial computations.
1578         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1579         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1580         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1581         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1582
1583         * stress/inline-call-to-recursive-tail-call.js: Added.
1584         (factorial.aux):
1585         (factorial):
1586         (factorial2.aux2):
1587         (factorial2.id):
1588         (factorial2):
1589         (factorial3.aux3):
1590         (factorial3):
1591         (aux4):
1592         (factorial4):
1593         (foo):
1594         (auxBar):
1595         (bar):
1596         (test):
1597
1598 2017-11-07  Mark Lam  <mark.lam@apple.com>
1599
1600         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1601         https://bugs.webkit.org/show_bug.cgi?id=179355
1602         <rdar://problem/35263053>
1603
1604         Reviewed by Saam Barati.
1605
1606         * stress/regress-179355.js: Added.
1607
1608 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1609
1610         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1611         https://bugs.webkit.org/show_bug.cgi?id=144458
1612
1613         Reviewed by Saam Barati.
1614
1615         * microbenchmarks/dfg-internal-function-call.js: Added.
1616         (target):
1617         * microbenchmarks/dfg-internal-function-construct.js: Added.
1618         (target):
1619         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
1620         (target):
1621         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
1622         (target):
1623         * stress/dfg-internal-function-call.js: Added.
1624         (shouldBe):
1625         (target):
1626         * stress/dfg-internal-function-construct.js: Added.
1627         (shouldBe):
1628         (target):
1629         * stress/internal-function-call.js: Added.
1630         (shouldBe):
1631         * stress/internal-function-construct.js: Added.
1632         (shouldBe):
1633
1634 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
1635
1636         [Win] Skip stress/regress-178385.js.
1637         https://bugs.webkit.org/show_bug.cgi?id=179298
1638
1639         Unreviewed test gardening.
1640
1641         * stress/regress-178385.js:
1642
1643 2017-11-03  Keith Miller  <keith_miller@apple.com>
1644
1645         Add test for ic with side effects
1646         https://bugs.webkit.org/show_bug.cgi?id=179268
1647
1648         Reviewed by Saam Barati.
1649
1650         * stress/put-inline-cache-side-effects.js: Added.
1651         (let.i.of.objs.keys):
1652         (f):
1653
1654 2017-11-03  Mark Lam  <mark.lam@apple.com>
1655
1656         CachedCall (and its clients) needs overflow checks.
1657         https://bugs.webkit.org/show_bug.cgi?id=179185
1658
1659         Reviewed by JF Bastien.
1660
1661         * stress/regress-179185.js: Added.
1662
1663 2017-11-02  Michael Saboff  <msaboff@apple.com>
1664
1665         DFG needs to handle code motion of code in for..in loop bodies
1666         https://bugs.webkit.org/show_bug.cgi?id=179212
1667
1668         Reviewed by Keith Miller.
1669
1670         New regression test.
1671
1672         * stress/for-in-side-effects.js: Added.
1673         (getPrototypeOf):
1674         (reset):
1675         (testWithoutFTL.f):
1676         (testWithoutFTL):
1677         (testWithFTL.f):
1678         (testWithFTL):
1679
1680 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1681
1682         AI does not correctly model the clobber case of ArithClz32
1683         https://bugs.webkit.org/show_bug.cgi?id=179188
1684
1685         Reviewed by Michael Saboff.
1686
1687         * stress/arith-clz32-effects.js: Added.
1688         (foo):
1689         (valueOf):
1690
1691 2017-11-01  Michael Saboff  <msaboff@apple.com>
1692
1693         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1694         https://bugs.webkit.org/show_bug.cgi?id=179140
1695
1696         Reviewed by Saam Barati.
1697
1698         New regression test.
1699
1700         * stress/regress-179140.js: Added.
1701         (testWithoutFTL):
1702         (testWithFTL):
1703
1704 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1705
1706         [JSC] Introduce @toObject
1707         https://bugs.webkit.org/show_bug.cgi?id=178726
1708
1709         Reviewed by Saam Barati.
1710
1711         * stress/array-copywithin.js:
1712         (shouldThrow):
1713         * stress/object-constructor-boolean-edge.js: Added.
1714         (shouldBe):
1715         (test):
1716         * stress/object-constructor-global.js: Added.
1717         (shouldBe):
1718         * stress/object-constructor-null-edge.js: Added.
1719         (shouldBe):
1720         (test):
1721         * stress/object-constructor-number-edge.js: Added.
1722         (shouldBe):
1723         (test):
1724         * stress/object-constructor-object-edge.js: Added.
1725         (shouldBe):
1726         (test):
1727         (i.arg):
1728         * stress/object-constructor-string-edge.js: Added.
1729         (shouldBe):
1730         (test):
1731         * stress/object-constructor-symbol-edge.js: Added.
1732         (shouldBe):
1733         (test):
1734         * stress/object-constructor-undefined-edge.js: Added.
1735         (shouldBe):
1736         (test):
1737         * stress/symbol-array-from.js: Added.
1738         (shouldBe):
1739         * stress/to-object-intrinsic-boolean-edge.js: Added.
1740         (shouldBe):
1741         (builtin.createBuiltin):
1742         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
1743         (shouldThrow):
1744         * stress/to-object-intrinsic-number-edge.js: Added.
1745         (shouldBe):
1746         (builtin.createBuiltin):
1747         * stress/to-object-intrinsic-object-edge.js: Added.
1748         (shouldBe):
1749         (builtin.createBuiltin):
1750         (i.arg):
1751         * stress/to-object-intrinsic-string-edge.js: Added.
1752         (shouldBe):
1753         (builtin.createBuiltin):
1754         * stress/to-object-intrinsic-symbol-edge.js: Added.
1755         (shouldBe):
1756         (builtin.createBuiltin):
1757         * stress/to-object-intrinsic.js: Added.
1758         (shouldBe):
1759         (shouldThrow):
1760         (builtin.createBuiltin):
1761
1762 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1763
1764         [DFG][FTL] Introduce StringSlice
1765         https://bugs.webkit.org/show_bug.cgi?id=178934
1766
1767         Reviewed by Saam Barati.
1768
1769         * microbenchmarks/string-slice-empty.js: Added.
1770         (slice):
1771         * microbenchmarks/string-slice-one-char.js: Added.
1772         (slice):
1773         * microbenchmarks/string-slice.js: Added.
1774         (slice):
1775
1776 2017-10-26  Michael Saboff  <msaboff@apple.com>
1777
1778         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1779         https://bugs.webkit.org/show_bug.cgi?id=178890
1780
1781         Reviewed by Keith Miller.
1782
1783         New regression test.
1784
1785         * stress/regress-178890.js: Added.
1786
1787 2017-10-26  Mark Lam  <mark.lam@apple.com>
1788
1789         JSRopeString::RopeBuilder::append() should check for overflows.
1790         https://bugs.webkit.org/show_bug.cgi?id=178385
1791         <rdar://problem/35027468>
1792
1793         Reviewed by Saam Barati.
1794
1795         * stress/regress-178385.js: Added.
1796
1797 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
1798
1799         Unreviewed, rolling out r223961.
1800
1801         The change that required this has been rolled out.
1802
1803         Reverted changeset:
1804
1805         "Mark test262.yaml/test262/test/language/statements/try/tco-
1806         catch.js as passing."
1807         https://bugs.webkit.org/show_bug.cgi?id=178592
1808         https://trac.webkit.org/changeset/223961
1809
1810 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1811
1812         Unreviewed, rolling out r223691 and r223729.
1813         https://bugs.webkit.org/show_bug.cgi?id=178834
1814
1815         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1816         by rniwa on #webkit).
1817
1818         Reverted changesets:
1819
1820         "Turn recursive tail calls into loops"
1821         https://bugs.webkit.org/show_bug.cgi?id=176601
1822         https://trac.webkit.org/changeset/223691
1823
1824         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1825         comparison is always false due to limited range of data type
1826         [-Wtype-limits]"
1827         https://bugs.webkit.org/show_bug.cgi?id=178543
1828         https://trac.webkit.org/changeset/223729
1829
1830 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
1831
1832         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1833         https://bugs.webkit.org/show_bug.cgi?id=178592
1834
1835         Unreviewed test gardening.
1836
1837         * test262.yaml:
1838
1839 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1840
1841         [FTL] Support NewStringObject
1842         https://bugs.webkit.org/show_bug.cgi?id=178737
1843
1844         Reviewed by Saam Barati.
1845
1846         * stress/new-string-object.js: Added.
1847         (shouldBe):
1848         (test):
1849
1850 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1851
1852         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
1853         https://bugs.webkit.org/show_bug.cgi?id=178308
1854
1855         Reviewed by Mark Lam.
1856
1857         * test262.yaml:
1858
1859 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1860
1861         [JSC] Use fastJoin in Array#toString
1862         https://bugs.webkit.org/show_bug.cgi?id=178062
1863
1864         Reviewed by Darin Adler.
1865
1866         * microbenchmarks/contiguous-array-to-string.js: Added.
1867         (target):
1868         * microbenchmarks/double-array-to-string.js: Added.
1869         (target):
1870         * microbenchmarks/int32-array-to-string.js: Added.
1871         (target):
1872
1873 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
1874
1875         stress/check-string-ident.js is improperly skipped
1876         https://bugs.webkit.org/show_bug.cgi?id=178642
1877
1878         Reviewed by Saam Barati.
1879
1880         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
1881         since it enforces the run-jsc-stress-tests script to still set up the
1882         test to run, despite the skip directive that's used before.
1883
1884 2017-10-20  Mark Lam  <mark.lam@apple.com>
1885
1886         Add a test case for r214334.
1887         https://bugs.webkit.org/show_bug.cgi?id=169941
1888         <rdar://problem/31221258>
1889
1890         Reviewed by JF Bastien.
1891
1892         * stress/regress-169941.js: Added.
1893
1894 2017-10-19  JF Bastien  <jfbastien@apple.com>
1895
1896         WebAssembly: no VM / JS version of everything but Instance
1897         https://bugs.webkit.org/show_bug.cgi?id=177473
1898
1899         Reviewed by Filip Pizlo, Saam Barati.
1900
1901         - Exceeding max on memory growth now returns a range error as per
1902         spec. This is a (very minor) breaking change: it used to throw OOM
1903         error. Update the corresponding test.
1904
1905         * wasm/js-api/memory-grow.js:
1906         (assertEq):
1907         * wasm/js-api/table.js:
1908         (assert.throws):
1909
1910 2017-10-19  Mark Lam  <mark.lam@apple.com>
1911
1912         Stringifier::appendStringifiedValue() is missing an exception check.
1913         https://bugs.webkit.org/show_bug.cgi?id=178386
1914         <rdar://problem/35027610>
1915
1916         Reviewed by Saam Barati.
1917
1918         * stress/regress-178386.js: Added.
1919
1920 2017-10-19  Michael Saboff  <msaboff@apple.com>
1921
1922         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
1923         https://bugs.webkit.org/show_bug.cgi?id=178521
1924
1925         Reviewed by JF Bastien.
1926
1927         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
1928         now passes with the current version (5.0) of the Emoji spec.
1929
1930 2017-10-19  Robin Morisset  <rmorisset@apple.com>
1931
1932         Turn recursive tail calls into loops
1933         https://bugs.webkit.org/show_bug.cgi?id=176601
1934
1935         Reviewed by Saam Barati.
1936
1937         Add some simple test that computes factorial in several ways, and other trivial computations.
1938         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1939         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1940         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1941         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1942
1943         * stress/inline-call-to-recursive-tail-call.js: Added.
1944         (factorial.aux):
1945         (factorial):
1946         (factorial2.aux):
1947         (factorial2.id):
1948         (factorial2):
1949         (factorial3.aux):
1950         (factorial3):
1951         (aux):
1952         (factorial4):
1953         (test):
1954
1955 2017-10-18  Mark Lam  <mark.lam@apple.com>
1956
1957         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
1958         https://bugs.webkit.org/show_bug.cgi?id=177600
1959         <rdar://problem/34710985>
1960
1961         Reviewed by Saam Barati.
1962
1963         * stress/regress-177600.js: Added.
1964
1965 2017-10-18  Mark Lam  <mark.lam@apple.com>
1966
1967         The compiler should always register a structure when it adds its transitionWatchPointSet.
1968         https://bugs.webkit.org/show_bug.cgi?id=178420
1969         <rdar://problem/34814024>
1970
1971         Reviewed by Saam Barati and Filip Pizlo.
1972
1973         * stress/regress-178420.js: Added.
1974         (new.Array.10000.map):
1975
1976 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1977
1978         [JSC] __proto__ getter should be fast
1979         https://bugs.webkit.org/show_bug.cgi?id=178067
1980
1981         Reviewed by Saam Barati.
1982
1983         * stress/dfg-object-proto-accessor.js: Added.
1984         (shouldBe):
1985         (shouldThrow):
1986         (target):
1987         * stress/dfg-object-proto-getter.js: Added.
1988         (shouldBe):
1989         (shouldThrow):
1990         (target):
1991         * stress/dfg-object-prototype-of.js: Added.
1992         (shouldBe):
1993         (shouldThrow):
1994         (target):
1995         * stress/dfg-reflect-get-prototype-of.js: Added.
1996         (shouldBe):
1997         (shouldThrow):
1998         (target):
1999         * stress/intrinsic-getter-with-poly-proto.js: Added.
2000         (shouldBe):
2001         (makePolyProtoObject.foo.C):
2002         (makePolyProtoObject.foo):
2003         (makePolyProtoObject):
2004         (target):
2005         * stress/object-get-prototype-of-filtered.js: Added.
2006         (shouldBe):
2007         (shouldThrow):
2008         (target):
2009         (i.Cocoa):
2010         * stress/object-get-prototype-of-mono-proto.js: Added.
2011         (shouldBe):
2012         (makePolyProtoObject.foo.C):
2013         (makePolyProtoObject.foo):
2014         (makePolyProtoObject):
2015         (target):
2016         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2017         (shouldBe):
2018         (makePolyProtoObject.foo.C):
2019         (makePolyProtoObject.foo):
2020         (makePolyProtoObject):
2021         (target):
2022         * stress/object-get-prototype-of-poly-proto.js: Added.
2023         (shouldBe):
2024         (makePolyProtoObject.foo.C):
2025         (makePolyProtoObject.foo):
2026         (makePolyProtoObject):
2027         (target):
2028         * stress/object-proto-getter-filtered.js: Added.
2029         (shouldBe):
2030         (shouldThrow):
2031         (target):
2032         (i.Cocoa):
2033         * stress/object-proto-getter-poly-mono-proto.js: Added.
2034         (shouldBe):
2035         (makePolyProtoObject.foo.C):
2036         (makePolyProtoObject.foo):
2037         (makePolyProtoObject):
2038         (target):
2039         * stress/object-proto-getter-poly-proto.js: Added.
2040         (shouldBe):
2041         (makePolyProtoObject.foo.C):
2042         (makePolyProtoObject.foo):
2043         (makePolyProtoObject):
2044         (target):
2045         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2046         * stress/string-proto.js: Added.
2047         (shouldBe):
2048         (target):
2049
2050 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2051
2052         Unreviewed, rolling out r223523.
2053
2054         A test for this change is failing on debug JSC bots.
2055
2056         Reverted changeset:
2057
2058         "[JSC] __proto__ getter should be fast"
2059         https://bugs.webkit.org/show_bug.cgi?id=178067
2060         https://trac.webkit.org/changeset/223523
2061
2062 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2063
2064         [JSC] __proto__ getter should be fast
2065         https://bugs.webkit.org/show_bug.cgi?id=178067
2066
2067         Reviewed by Saam Barati.
2068
2069         * stress/dfg-object-proto-accessor.js: Added.
2070         (shouldBe):
2071         (shouldThrow):
2072         (target):
2073         * stress/dfg-object-proto-getter.js: Added.
2074         (shouldBe):
2075         (shouldThrow):
2076         (target):
2077         * stress/dfg-object-prototype-of.js: Added.
2078         (shouldBe):
2079         (shouldThrow):
2080         (target):
2081         * stress/dfg-reflect-get-prototype-of.js: Added.
2082         (shouldBe):
2083         (shouldThrow):
2084         (target):
2085         * stress/object-get-prototype-of-filtered.js: Added.
2086         (shouldBe):
2087         (shouldThrow):
2088         (target):
2089         (i.Cocoa):
2090         * stress/object-get-prototype-of-mono-proto.js: Added.
2091         (shouldBe):
2092         (makePolyProtoObject.foo.C):
2093         (makePolyProtoObject.foo):
2094         (makePolyProtoObject):
2095         (target):
2096         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2097         (shouldBe):
2098         (makePolyProtoObject.foo.C):
2099         (makePolyProtoObject.foo):
2100         (makePolyProtoObject):
2101         (target):
2102         * stress/object-get-prototype-of-poly-proto.js: Added.
2103         (shouldBe):
2104         (makePolyProtoObject.foo.C):
2105         (makePolyProtoObject.foo):
2106         (makePolyProtoObject):
2107         (target):
2108         * stress/object-proto-getter-filtered.js: Added.
2109         (shouldBe):
2110         (shouldThrow):
2111         (target):
2112         (i.Cocoa):
2113         * stress/object-proto-getter-poly-mono-proto.js: Added.
2114         (shouldBe):
2115         (makePolyProtoObject.foo.C):
2116         (makePolyProtoObject.foo):
2117         (makePolyProtoObject):
2118         (target):
2119         * stress/object-proto-getter-poly-proto.js: Added.
2120         (shouldBe):
2121         (makePolyProtoObject.foo.C):
2122         (makePolyProtoObject.foo):
2123         (makePolyProtoObject):
2124         (target):
2125         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2126         * stress/string-proto.js: Added.
2127         (shouldBe):
2128         (target):
2129
2130 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2131
2132         Reland "Add Above/Below comparisons for UInt32 patterns"
2133         https://bugs.webkit.org/show_bug.cgi?id=177281
2134
2135         Reviewed by Saam Barati.
2136
2137         * stress/uint32-comparison-jump.js: Added.
2138         (shouldBe):
2139         (above):
2140         (aboveOrEqual):
2141         (below):
2142         (belowOrEqual):
2143         (notAbove):
2144         (notAboveOrEqual):
2145         (notBelow):
2146         (notBelowOrEqual):
2147         * stress/uint32-comparison.js: Added.
2148         (shouldBe):
2149         (above):
2150         (aboveOrEqual):
2151         (below):
2152         (belowOrEqual):
2153         (aboveTest):
2154         (aboveOrEqualTest):
2155         (belowTest):
2156         (belowOrEqualTest):
2157
2158 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2159
2160         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2161         https://bugs.webkit.org/show_bug.cgi?id=178210
2162
2163         Reviewed by Saam Barati.
2164
2165         * wasm/function-tests/trap-from-start-async.js:
2166         (async.StartTrapsAsync):
2167         * wasm/function-tests/trap-from-start.js:
2168         (StartTraps):
2169         * wasm/js-api/web-assembly-function.js:
2170         (assert.eq.Object.getPrototypeOf):
2171         * wasm/js-api/wrapper-function.js:
2172         (return.new.WebAssembly.Module):
2173         (assert.throws.makeInstance): Deleted.
2174         (assert.throws.Bar): Deleted.
2175         (assert.throws): Deleted.
2176
2177 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2178
2179         Enable gigacage on iOS
2180         https://bugs.webkit.org/show_bug.cgi?id=177586
2181
2182         Reviewed by JF Bastien.
2183         
2184         Add tests for when Gigacage gets runtime disabled.
2185
2186         * stress/disable-gigacage-arrays.js: Added.
2187         (foo):
2188         * stress/disable-gigacage-strings.js: Added.
2189         (foo):
2190         * stress/disable-gigacage-typed-arrays.js: Added.
2191         (foo):
2192
2193 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2194
2195         import.meta should not be assignable
2196         https://bugs.webkit.org/show_bug.cgi?id=178202
2197
2198         Reviewed by Saam Barati.
2199
2200         * modules/import-meta-assignment.js: Added.
2201         (shouldThrow):
2202         (SyntaxError.import.meta.can.shouldThrow):
2203
2204 2017-10-11  Saam Barati  <sbarati@apple.com>
2205
2206         Unreviewed. Actually skip certain type profiler tests in debug.
2207
2208         * typeProfiler.yaml:
2209         * typeProfiler/deltablue-for-of.js:
2210         * typeProfiler/getter-richards.js:
2211
2212 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2213
2214         Unreviewed, rolling out r223113 and r223121.
2215         https://bugs.webkit.org/show_bug.cgi?id=178182
2216
2217         Reintroduced 20% regression on Kraken (Requested by rniwa on
2218         #webkit).
2219
2220         Reverted changesets:
2221
2222         "Enable gigacage on iOS"
2223         https://bugs.webkit.org/show_bug.cgi?id=177586
2224         https://trac.webkit.org/changeset/223113
2225
2226         "Use one virtual allocation for all gigacages and their
2227         runways"
2228         https://bugs.webkit.org/show_bug.cgi?id=178050
2229         https://trac.webkit.org/changeset/223121
2230
2231 2017-10-11  Michael Saboff  <msaboff@apple.com>
2232
2233         Disable test262 named capture group tests with direct unicode names and with references before definitions
2234         https://bugs.webkit.org/show_bug.cgi?id=178177
2235
2236         Reviewed by Keith Miller.
2237
2238         Bugs to track fixing these test are:
2239         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2240             "Add support in named capture group identifiers for direct surrogate pairs"
2241         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2242             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2243
2244         * test262.yaml:
2245
2246 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2247
2248         Object properties are undefined in super.call() but not in this.call()
2249         https://bugs.webkit.org/show_bug.cgi?id=177230
2250
2251         Reviewed by Saam Barati.
2252
2253         * stress/super-call-function-subclass.js: Added.
2254         (assert):
2255         (A.prototype.t):
2256         (A):
2257         * stress/super-dot-call-and-apply.js: Added.
2258         (assert):
2259         (A):
2260         (A.prototype.call):
2261         (A.prototype.apply):
2262         (B.prototype.testSuper):
2263         (B):
2264         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2265         (D.prototype.testSuper):
2266         (D):
2267
2268 2017-10-10  Saam Barati  <sbarati@apple.com>
2269
2270         The prototype cache should be aware of the Executable it generates a Structure for
2271         https://bugs.webkit.org/show_bug.cgi?id=177907
2272
2273         Reviewed by Filip Pizlo.
2274
2275         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2276         (assert):
2277         (foo.C):
2278         (foo):
2279         (bar.C):
2280         (bar):
2281         (access):
2282         (makeLongChain):
2283         (accessY):
2284
2285 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2286
2287         `async` should be able to be used as an imported binding name
2288         https://bugs.webkit.org/show_bug.cgi?id=176573
2289
2290         Reviewed by Saam Barati.
2291
2292         * modules/import-default-async.js: Added.
2293         * modules/import-named-async-as.js: Added.
2294         * modules/import-named-async.js: Added.
2295         * modules/import-named-async/target.js: Added.
2296         * modules/import-namespace-async.js: Added.
2297         * test262.yaml:
2298
2299 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2300
2301         Enable gigacage on iOS
2302         https://bugs.webkit.org/show_bug.cgi?id=177586
2303
2304         Reviewed by JF Bastien.
2305         
2306         Add tests for when Gigacage gets runtime disabled.
2307
2308         * stress/disable-gigacage-arrays.js: Added.
2309         (foo):
2310         * stress/disable-gigacage-strings.js: Added.
2311         (foo):
2312         * stress/disable-gigacage-typed-arrays.js: Added.
2313         (foo):
2314
2315 2017-10-09  Michael Saboff  <msaboff@apple.com>
2316
2317         Implement RegExp Unicode property escapes
2318         https://bugs.webkit.org/show_bug.cgi?id=172069
2319
2320         Reviewed by JF Bastien.
2321
2322         Enabled Unicode Property tests.
2323
2324         * test262.yaml:
2325
2326 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2327
2328         Unreviewed, rolling out r223015 and r223025.
2329         https://bugs.webkit.org/show_bug.cgi?id=178093
2330
2331         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2332         #webkit).
2333
2334         Reverted changesets:
2335
2336         "Enable gigacage on iOS"
2337         https://bugs.webkit.org/show_bug.cgi?id=177586
2338         http://trac.webkit.org/changeset/223015
2339
2340         "Unreviewed, disable Gigacage on ARM64 Linux"
2341         https://bugs.webkit.org/show_bug.cgi?id=177586
2342         http://trac.webkit.org/changeset/223025
2343
2344 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2345
2346         Update expectations for test262 tests that pass after r223043.
2347         https://bugs.webkit.org/show_bug.cgi?id=176685
2348
2349         Unreviewed test gardening.
2350
2351         * test262.yaml:
2352
2353 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2354
2355         Unreviewed, rolling out r223022.
2356
2357         This change introduced 18 test262 failures.
2358
2359         Reverted changeset:
2360
2361         "`async` should be able to be used as an imported binding
2362         name"
2363         https://bugs.webkit.org/show_bug.cgi?id=176573
2364         http://trac.webkit.org/changeset/223022
2365
2366 2017-10-09  Saam Barati  <sbarati@apple.com>
2367
2368         3 poly-proto JSC tests timing out on debug after r222827
2369         https://bugs.webkit.org/show_bug.cgi?id=177880
2370         <rdar://problem/34817122>
2371
2372         Unreviewed.
2373
2374         I'm skipping these type profiler tests on debug since they are long running.
2375
2376         * typeProfiler/deltablue-for-of.js:
2377         * typeProfiler/getter-richards.js:
2378
2379 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2380
2381         Safari 10 /11 problem with if (!await get(something)).
2382         https://bugs.webkit.org/show_bug.cgi?id=176685
2383
2384         Reviewed by Saam Barati.
2385
2386         * stress/async-await-basic.js:
2387         (awaitEpression.async):
2388         * stress/async-await-syntax.js:
2389         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2390         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2391
2392 2017-10-08  Saam Barati  <sbarati@apple.com>
2393
2394         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2395
2396         * typeProfiler/deltablue-for-of.js:
2397         * typeProfiler/getter-richards.js:
2398
2399 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2400
2401         `async` should be able to be used as an imported binding name
2402         https://bugs.webkit.org/show_bug.cgi?id=176573
2403
2404         Reviewed by Darin Adler.
2405
2406         * modules/import-default-async.js: Added.
2407         * modules/import-named-async-as.js: Added.
2408         * modules/import-named-async.js: Added.
2409         * modules/import-named-async/target.js: Added.
2410         * modules/import-namespace-async.js: Added.
2411
2412 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2413
2414         Enable gigacage on iOS
2415         https://bugs.webkit.org/show_bug.cgi?id=177586
2416
2417         Reviewed by JF Bastien.
2418         
2419         Add tests for when Gigacage gets runtime disabled.
2420
2421         * stress/disable-gigacage-arrays.js: Added.
2422         (foo):
2423         * stress/disable-gigacage-strings.js: Added.
2424         (foo):
2425         * stress/disable-gigacage-typed-arrays.js: Added.
2426         (foo):
2427
2428 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2429
2430         Unreviewed, rolling out r222791 and r222873.
2431         https://bugs.webkit.org/show_bug.cgi?id=178031
2432
2433         Caused crashes with workers/wasm LayoutTests (Requested by
2434         ryanhaddad on #webkit).
2435
2436         Reverted changesets:
2437
2438         "WebAssembly: no VM / JS version of everything but Instance"
2439         https://bugs.webkit.org/show_bug.cgi?id=177473
2440         http://trac.webkit.org/changeset/222791
2441
2442         "WebAssembly: address no VM / JS follow-ups"
2443         https://bugs.webkit.org/show_bug.cgi?id=177887
2444         http://trac.webkit.org/changeset/222873
2445
2446 2017-10-05  Saam Barati  <sbarati@apple.com>
2447
2448         Make sure all prototypes under poly proto get added into the VM's prototype map
2449         https://bugs.webkit.org/show_bug.cgi?id=177909
2450
2451         Reviewed by Keith Miller.
2452
2453         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2454         (assert):
2455         (foo.C):
2456         (foo):
2457         (set x):
2458
2459 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2460
2461         [JSC] Introduce import.meta
2462         https://bugs.webkit.org/show_bug.cgi?id=177703
2463
2464         Reviewed by Filip Pizlo.
2465
2466         * modules/import-meta-syntax.js: Added.
2467         (shouldThrow):
2468         (shouldNotThrow):
2469         * modules/import-meta.js: Added.
2470         * modules/import-meta/cocoa.js: Added.
2471         * modules/resources/assert.js:
2472         (export.shouldNotThrow):
2473         * stress/import-syntax.js:
2474
2475 2017-10-04  Saam Barati  <sbarati@apple.com>
2476
2477         Make pertinent AccessCases watch the poly proto watchpoint
2478         https://bugs.webkit.org/show_bug.cgi?id=177765
2479
2480         Reviewed by Keith Miller.
2481
2482         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2483         (assert):
2484         (foo.C):
2485         (foo):
2486         (validate):
2487         * stress/poly-proto-clear-stub.js: Added.
2488         (assert):
2489         (foo.C):
2490         (foo):
2491
2492 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2493
2494         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2495
2496         Unreviewed test gardening.
2497
2498         * test262.yaml:
2499
2500 2017-10-04  Saam Barati  <sbarati@apple.com>
2501
2502         3 poly-proto JSC tests timing out on debug after r222827
2503         https://bugs.webkit.org/show_bug.cgi?id=177880
2504
2505         Rubber stamped by Mark Lam.
2506
2507         * microbenchmarks/poly-proto-access.js:
2508         * typeProfiler/deltablue-for-of.js:
2509         * typeProfiler/getter-richards.js:
2510
2511 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2512
2513         Unreviewed, marking tco-catch.js as a failure after test262 update
2514         https://bugs.webkit.org/show_bug.cgi?id=177859
2515
2516         * test262.yaml:
2517
2518 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2519
2520         Unreviewed, marking one async iterator test262 test failed
2521         https://bugs.webkit.org/show_bug.cgi?id=177859
2522
2523         * test262.yaml:
2524
2525 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2526
2527         [Test262] Update Test262 to Oct 4 version
2528         https://bugs.webkit.org/show_bug.cgi?id=177859
2529
2530         Reviewed by Sam Weinig.
2531
2532         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2533         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
2534
2535         * test262.yaml:
2536         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2537         (checkSequence):
2538         * test262/harness/typeCoercion.js:
2539         (testCoercibleToIndexZero):
2540         (testCoercibleToIndexOne):
2541         (testCoercibleToIndexFromIndex):
2542         (testNotCoercibleToIndex.testPrimitiveValue):
2543         (testNotCoercibleToInteger):
2544         (testCoercibleToBigIntZero.testPrimitiveValue):
2545         (testCoercibleToBigIntZero):
2546         (testCoercibleToBigIntOne.testPrimitiveValue):
2547         (testCoercibleToBigIntOne):
2548         (testPrimitiveValue):
2549         (testCoercibleToBigIntFromBigInt):
2550         (testNotCoercibleToBigInt.testPrimitiveValue):
2551         (testNotCoercibleToBigInt.testStringValue):
2552         (testNotCoercibleToBigInt):
2553         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2554         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2555         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2556         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2557         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2558         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2559         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2560         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2561         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2562         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2563         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2564         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2565         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2566         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2567         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2568         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2569         (testCoercibleToBigIntZero):
2570         (testCoercibleToBigIntOne):
2571         (testNotCoercibleToBigInt):
2572         (MyError): Deleted.
2573         (valueOf): Deleted.
2574         (toString): Deleted.
2575         (Symbol.toPrimitive): Deleted.
2576         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2577         (testCoercibleToIndexZero):
2578         (testCoercibleToIndexOne):
2579         (testNotCoercibleToIndex):
2580         (MyError): Deleted.
2581         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2582         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2583         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
2584         (BigInt.asIntN.valueOf): Deleted.
2585         (BigInt.asIntN.toString): Deleted.
2586         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
2587         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
2588         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
2589         (testCoercibleToBigIntZero):
2590         (testCoercibleToBigIntOne):
2591         (testNotCoercibleToBigInt):
2592         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
2593         (testCoercibleToIndexZero):
2594         (testCoercibleToIndexOne):
2595         (testNotCoercibleToIndex):
2596         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
2597         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
2598         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
2599         (bits.valueOf):
2600         (bigint.valueOf):
2601         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
2602         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
2603         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
2604         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
2605         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
2606         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
2607         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
2608         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
2609         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
2610         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
2611         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
2612         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
2613         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
2614         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
2615         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
2616         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
2617         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
2618         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
2619         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
2620         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
2621         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
2622         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
2623         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
2624         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
2625         (replacer):
2626         (BigInt.prototype.toJSON):
2627         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
2628         (replacer):
2629         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
2630         (BigInt.prototype.toJSON):
2631         * test262/test/built-ins/JSON/stringify/bigint.js:
2632         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
2633         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
2634         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
2635         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
2636         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
2637         * test262/test/built-ins/Object/proto-from-ctor.js:
2638         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
2639         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
2640         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
2641         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
2642         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
2643         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
2644         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
2645         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
2646         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
2647         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
2648         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
2649         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
2650         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
2651         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
2652         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
2653         * test262/test/built-ins/Proxy/get-fn-realm.js:
2654         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
2655         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
2656         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
2657         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
2658         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
2659         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
2660         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
2661         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
2662         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
2663         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
2664         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
2665         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
2666         (i6.replace):
2667         (i6b.replace):
2668         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
2669         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
2670         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
2671         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
2672         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
2673         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
2674         * test262/test/built-ins/RegExp/u180e.js: Added.
2675         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
2676         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
2677         * test262/test/built-ins/String/proto-from-ctor-realm.js:
2678         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
2679         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
2680         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
2681         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
2682         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
2683         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
2684         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
2685         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
2686         * test262/test/built-ins/String/prototype/endsWith/length.js:
2687         * test262/test/built-ins/String/prototype/endsWith/name.js:
2688         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
2689         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
2690         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
2691         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
2692         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
2693         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
2694         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
2695         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
2696         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
2697         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
2698         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
2699         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
2700         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
2701         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
2702         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
2703         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
2704         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
2705         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
2706         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
2707         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
2708         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
2709         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
2710         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
2711         * test262/test/built-ins/String/prototype/includes/includes.js:
2712         * test262/test/built-ins/String/prototype/includes/length.js:
2713         * test262/test/built-ins/String/prototype/includes/name.js:
2714         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
2715         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
2716         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
2717         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
2718         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
2719         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
2720         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
2721         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
2722         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
2723         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
2724         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
2725         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
2726         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
2727         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
2728         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
2729         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
2730         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
2731         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
2732         * test262/test/built-ins/String/prototype/trim/u180e.js:
2733         * test262/test/built-ins/Symbol/for/cross-realm.js:
2734         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
2735         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
2736         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
2737         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
2738         * test262/test/built-ins/Symbol/match/cross-realm.js:
2739         * test262/test/built-ins/Symbol/replace/cross-realm.js:
2740         * test262/test/built-ins/Symbol/search/cross-realm.js:
2741         * test262/test/built-ins/Symbol/species/cross-realm.js:
2742         * test262/test/built-ins/Symbol/split/cross-realm.js:
2743         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
2744         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
2745         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
2746         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
2747         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
2748         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
2749         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
2750         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
2751         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
2752         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
2753         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
2754         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
2755         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
2756         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
2757         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
2758         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
2759         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
2760         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
2761         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
2762         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
2763         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
2764         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
2765         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
2766         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
2767         * test262/test/language/comments/mongolian-vowel-separator-single.js:
2768         * test262/test/language/eval-code/indirect/realm.js:
2769         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
2770         (o.get z):
2771         (o.get a):
2772         * test262/test/language/expressions/call/eval-realm-indirect.js:
2773         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
2774         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
2775         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
2776         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
2777         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
2778         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
2779         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
2780         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
2781         * test262/test/language/expressions/greater-than/bigint-and-number.js:
2782         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
2783         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
2784         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
2785         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
2786         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
2787         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
2788         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
2789         * test262/test/language/expressions/less-than/bigint-and-number.js:
2790         * test262/test/language/expressions/new/non-ctor-err-realm.js:
2791         * test262/test/language/expressions/super/realm.js:
2792         * test262/test/language/expressions/tagged-template/cache-realm.js:
2793         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
2794         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
2795         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
2796         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
2797         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
2798         * test262/test/language/literals/string/mongolian-vowel-separator.js:
2799         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
2800         (o.get z):
2801         (o.get a):
2802         * test262/test/language/statements/for-of/iterator-next-reference.js:
2803         (next):
2804         (iterator.next): Deleted.
2805         (x.of.iterable.): Deleted.
2806         (x.of.iterable.get return): Deleted.
2807         (x.of.iterable.iterator.next): Deleted.
2808         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
2809         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
2810         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
2811         * test262/test/language/white-space/mongolian-vowel-separator.js:
2812         * test262/test262-Revision.txt:
2813
2814 2017-10-03  Saam Barati  <sbarati@apple.com>
2815
2816         Implement polymorphic prototypes
2817         https://bugs.webkit.org/show_bug.cgi?id=176391
2818
2819         Reviewed by Filip Pizlo.
2820
2821         * microbenchmarks/poly-proto-access.js: Added.
2822         (assert):
2823         (foo.C):
2824         (foo.C.prototype.get bar):
2825         (foo):
2826         (bar):
2827         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
2828         (assert):
2829         (makePolyProtoObject.foo.C):
2830         (makePolyProtoObject.foo):
2831         (makePolyProtoObject):
2832         (performSet):
2833         * microbenchmarks/poly-proto-setter-speed.js: Added.
2834         (assert):
2835         (makePolyProtoObject.foo.C):
2836         (makePolyProtoObject.foo.C.prototype.set p):
2837         (makePolyProtoObject.foo):
2838         (makePolyProtoObject):
2839         (performSet):
2840         * stress/constructor-with-return.js:
2841         (i.tests.forEach.Constructor):
2842         (i.tests.forEach):
2843         (tests.forEach.Constructor): Deleted.
2844         (tests.forEach): Deleted.
2845         * stress/dom-jit-with-poly-proto.js: Added.
2846         (assert):
2847         (makePolyProtoObject.foo.C):
2848         (makePolyProtoObject.foo):
2849         (makePolyProtoObject):
2850         (validate):
2851         * stress/poly-proto-custom-value-and-accessor.js: Added.
2852         (assert):
2853         (makePolyProtoObject.foo.C):
2854         (makePolyProtoObject.foo):
2855         (makePolyProtoObject):
2856         (items.forEach):
2857         (set get for):
2858         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
2859         (assert):
2860         (makePolyProtoObject.foo.C):
2861         (makePolyProtoObject.foo):
2862         (makePolyProtoObject):
2863         (foo):
2864         * stress/poly-proto-miss.js: Added.
2865         (makePolyProtoInstanceWithNullPrototype.foo.C):
2866         (makePolyProtoInstanceWithNullPrototype.foo):
2867         (makePolyProtoInstanceWithNullPrototype):
2868         (assert):
2869         (validate):
2870         * stress/poly-proto-op-in-caching.js: Added.
2871         (assert):
2872         (makePolyProtoObject.foo.C):
2873         (makePolyProtoObject.foo):
2874         (makePolyProtoObject):
2875         (validate):
2876         (validate2):
2877         * stress/poly-proto-put-transition.js: Added.
2878         (assert):
2879         (makePolyProtoObject.foo.C):
2880         (makePolyProtoObject.foo):
2881         (makePolyProtoObject):
2882         (performSet):
2883         (i.obj.__proto__.set p):
2884         * stress/poly-proto-set-prototype.js: Added.
2885         (assert):
2886         (let.alternateProto.get x):
2887         (let.alternateProto2.get y):
2888         (let.alternateProto2.get x):
2889         (foo.C):
2890         (foo):
2891         (validate):
2892         * stress/poly-proto-setter.js: Added.
2893         (assert):
2894         (makePolyProtoObject.foo.C):
2895         (makePolyProtoObject.foo.C.prototype.set p):
2896         (makePolyProtoObject.foo.C.prototype.get p):
2897         (makePolyProtoObject.foo):
2898         (makePolyProtoObject):
2899         (performSet):
2900         * stress/poly-proto-using-inheritance.js: Added.
2901         (assert):
2902         (foo.C):
2903         (foo.C.prototype.get baz):
2904         (foo):
2905         (bar.C):
2906         (bar):
2907         (validate):
2908         * stress/primitive-poly-proto.js: Added.
2909         (makePolyProtoInstance.foo.C):
2910         (makePolyProtoInstance.foo):
2911         (makePolyProtoInstance):
2912         (assert):
2913         (validate):
2914         * stress/prototype-is-not-js-object.js: Added.
2915         (foo.bar):
2916         (foo):
2917         (assert):
2918         (validate):
2919         * stress/try-get-by-id-poly-proto.js: Added.
2920         (assert):
2921         (makePolyProtoObject.foo.C):
2922         (makePolyProtoObject.foo):
2923         (makePolyProtoObject):
2924         (tryGetByIdText):
2925         (x.__proto__.get bar):
2926         (validate):
2927         * typeProfiler/overflow.js:
2928
2929 2017-10-03  JF Bastien  <jfbastien@apple.com>
2930
2931         WebAssembly: no VM / JS version of everything but Instance
2932         https://bugs.webkit.org/show_bug.cgi?id=177473
2933
2934         Reviewed by Filip Pizlo.
2935
2936         - Exceeding max on memory growth now returns a range error as per
2937         spec. This is a (very minor) breaking change: it used to throw OOM
2938         error. Update the corresponding test.
2939
2940         * wasm/js-api/memory-grow.js:
2941         (assertEq):
2942         * wasm/js-api/table.js:
2943         (assert.throws):
2944
2945 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
2946
2947         Skip JSC test stress/regress-159779-2.js on debug.
2948         https://bugs.webkit.org/show_bug.cgi?id=177204
2949
2950         Unreviewed test gardening.
2951
2952         * stress/regress-159779-2.js:
2953
2954 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
2955
2956         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
2957         https://bugs.webkit.org/show_bug.cgi?id=175642
2958
2959         Reviewed by Darin Adler.
2960
2961         * ChakraCore/test/Function/apply3.baseline-jsc:
2962
2963 2017-10-01  Commit Queue  <commit-queue@webkit.org>
2964
2965         Unreviewed, rolling out r222564.
2966         https://bugs.webkit.org/show_bug.cgi?id=177720
2967
2968         "It regressed JetStream by 2% on iOS caused by a 50%
2969         regression on the bigfib subtest" (Requested by saamyjoon on
2970         #webkit).
2971
2972         Reverted changeset:
2973
2974         "Add Above/Below comparisons for UInt32 patterns"
2975         https://bugs.webkit.org/show_bug.cgi?id=177281
2976         http://trac.webkit.org/changeset/222564
2977
2978 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2979
2980         [DFG] Support ArrayPush with multiple args
2981         https://bugs.webkit.org/show_bug.cgi?id=175823
2982
2983         Reviewed by Saam Barati.
2984
2985         * microbenchmarks/array-push-0.js: Added.
2986         (arrayPush0):
2987         * microbenchmarks/array-push-1.js: Added.
2988         (arrayPush1):
2989         * microbenchmarks/array-push-2.js: Added.
2990         (arrayPush2):
2991         * microbenchmarks/array-push-3.js: Added.
2992         (arrayPush3):
2993         * stress/array-push-multiple-contiguous.js: Added.
2994         (shouldBe):
2995         (test):
2996         * stress/array-push-multiple-double-nan.js: Added.
2997         (shouldBe):
2998         (test):
2999         * stress/array-push-multiple-double.js: Added.
3000         (shouldBe):
3001         (test):
3002         * stress/array-push-multiple-int32.js: Added.
3003         (shouldBe):
3004         (test):
3005         * stress/array-push-multiple-many-contiguous.js: Added.
3006         (shouldBe):
3007         (test):
3008         * stress/array-push-multiple-many-double.js: Added.
3009         (shouldBe):
3010         (test):
3011         * stress/array-push-multiple-many-int32.js: Added.
3012         (shouldBe):
3013         (test):
3014         * stress/array-push-multiple-many-storage.js: Added.
3015         (shouldBe):
3016         (test):
3017         * stress/array-push-multiple-storage.js: Added.
3018         (shouldBe):
3019         (test):
3020         * stress/array-push-with-force-exit.js: Added.
3021         (target.createBuiltin):
3022
3023 2017-09-29  Saam Barati  <sbarati@apple.com>
3024
3025         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3026         https://bugs.webkit.org/show_bug.cgi?id=177639
3027
3028         Reviewed by Geoffrey Garen.
3029
3030         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3031         (assert):
3032         (Class):
3033         (items.forEach):
3034         (set get for):
3035
3036 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3037
3038         Unreviewed, rolling out r222563, r222565, and r222581.
3039         https://bugs.webkit.org/show_bug.cgi?id=177675
3040
3041         "It causes a crash when playing youtube videos" (Requested by
3042         saamyjoon on #webkit).
3043
3044         Reverted changesets:
3045
3046         "[DFG] Support ArrayPush with multiple args"
3047         https://bugs.webkit.org/show_bug.cgi?id=175823
3048         http://trac.webkit.org/changeset/222563
3049
3050         "Unreviewed, build fix after r222563"
3051         https://bugs.webkit.org/show_bug.cgi?id=175823
3052         http://trac.webkit.org/changeset/222565
3053
3054         "Unreviewed, fix x86 breaking due to exhausted registers"
3055         https://bugs.webkit.org/show_bug.cgi?id=175823
3056         http://trac.webkit.org/changeset/222581
3057
3058 2017-09-28  Mark Lam  <mark.lam@apple.com>
3059
3060         test262: Unexpected passes after r222617 and r222618.
3061         https://bugs.webkit.org/show_bug.cgi?id=177622
3062         <rdar://problem/34725960>
3063
3064         Reviewed by Saam Barati.
3065
3066         Update test262.yaml for tests that are now passing.
3067
3068         * test262.yaml:
3069
3070 2017-09-27  Michael Saboff  <msaboff@apple.com>
3071
3072         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3073         https://bugs.webkit.org/show_bug.cgi?id=177570
3074
3075         Reviewed by Filip Pizlo.
3076
3077         New regression test.
3078
3079         * stress/regress-177570.js: Added.
3080
3081 2017-09-28  Michael Saboff  <msaboff@apple.com>
3082
3083         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3084         https://bugs.webkit.org/show_bug.cgi?id=177423
3085
3086         Reviewed by Mark Lam.
3087
3088         Updated regression test.
3089
3090         * stress/regress-177423.js:
3091         (catch):
3092
3093 2017-09-27  Mark Lam  <mark.lam@apple.com>
3094
3095         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3096         https://bugs.webkit.org/show_bug.cgi?id=177584
3097         <rdar://problem/34463903>
3098
3099         Reviewed by Saam Barati.
3100
3101         * stress/regress-177584.js: Added.
3102         (assertEqual):
3103         (Array.prototype.Symbol.species):
3104
3105 2017-09-27  Saam Barati  <sbarati@apple.com>
3106
3107         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3108         https://bugs.webkit.org/show_bug.cgi?id=177523
3109
3110         Reviewed by Mark Lam.
3111
3112         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3113         (assert):
3114         (Test):
3115         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3116         (addMethods):
3117         (i.Test.prototype.propName):
3118
3119 2017-09-27  Mark Lam  <mark.lam@apple.com>
3120
3121         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3122         https://bugs.webkit.org/show_bug.cgi?id=177423
3123         <rdar://problem/34621320>
3124
3125         Reviewed by Keith Miller.
3126
3127         * stress/regress-177423.js: Added.
3128
3129 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3130
3131         Add Above/Below comparisons for UInt32 patterns
3132         https://bugs.webkit.org/show_bug.cgi?id=177281
3133
3134         Reviewed by Saam Barati.
3135
3136         * stress/uint32-comparison-jump.js: Added.
3137         (shouldBe):
3138         (above):
3139         (aboveOrEqual):
3140         (below):
3141         (belowOrEqual):
3142         (notAbove):
3143         (notAboveOrEqual):
3144         (notBelow):
3145         (notBelowOrEqual):
3146         * stress/uint32-comparison.js: Added.
3147         (shouldBe):
3148         (above):
3149         (aboveOrEqual):
3150         (below):
3151         (belowOrEqual):
3152         (aboveTest):
3153         (aboveOrEqualTest):
3154         (belowTest):
3155         (belowOrEqualTest):
3156
3157 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3158
3159         [DFG] Support ArrayPush with multiple args
3160         https://bugs.webkit.org/show_bug.cgi?id=175823
3161
3162         Reviewed by Saam Barati.
3163
3164         * microbenchmarks/array-push-0.js: Added.
3165         (arrayPush0):
3166         * microbenchmarks/array-push-1.js: Added.
3167         (arrayPush1):
3168         * microbenchmarks/array-push-2.js: Added.
3169         (arrayPush2):
3170         * microbenchmarks/array-push-3.js: Added.
3171         (arrayPush3):
3172         * stress/array-push-multiple-contiguous.js: Added.
3173         (shouldBe):
3174         (test):
3175         * stress/array-push-multiple-double-nan.js: Added.
3176         (shouldBe):
3177         (test):
3178         * stress/array-push-multiple-double.js: Added.
3179         (shouldBe):
3180         (test):
3181         * stress/array-push-multiple-int32.js: Added.
3182         (shouldBe):
3183         (test):
3184         * stress/array-push-multiple-many-contiguous.js: Added.
3185         (shouldBe):
3186         (test):
3187         * stress/array-push-multiple-many-double.js: Added.
3188         (shouldBe):
3189         (test):
3190         * stress/array-push-multiple-many-int32.js: Added.
3191         (shouldBe):
3192         (test):
3193         * stress/array-push-multiple-many-storage.js: Added.
3194         (shouldBe):
3195         (test):
3196         * stress/array-push-multiple-storage.js: Added.
3197         (shouldBe):
3198         (test):
3199
3200 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3201
3202         Unreviewed, rolling out r222518.
3203         https://bugs.webkit.org/show_bug.cgi?id=177507
3204
3205         Break the High Sierra build (Requested by yusukesuzuki on
3206         #webkit).
3207
3208         Reverted changeset:
3209
3210         "Add Above/Below comparisons for UInt32 patterns"
3211         https://bugs.webkit.org/show_bug.cgi?id=177281
3212         http://trac.webkit.org/changeset/222518
3213
3214 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3215
3216         Add Above/Below comparisons for UInt32 patterns
3217         https://bugs.webkit.org/show_bug.cgi?id=177281
3218
3219         Reviewed by Saam Barati.
3220
3221         * stress/uint32-comparison-jump.js: Added.
3222         (shouldBe):
3223         (above):
3224         (aboveOrEqual):
3225         (below):
3226         (belowOrEqual):
3227         (notAbove):
3228         (notAboveOrEqual):
3229         (notBelow):
3230         (notBelowOrEqual):
3231         * stress/uint32-comparison.js: Added.
3232         (shouldBe):
3233         (above):
3234         (aboveOrEqual):
3235         (below):
3236         (belowOrEqual):
3237         (aboveTest):
3238         (aboveOrEqualTest):
3239         (belowTest):
3240         (belowOrEqualTest):
3241
3242 2017-09-23  Keith Miller  <keith_miller@apple.com>
3243
3244         Fix infinite looping test262 test
3245         https://bugs.webkit.org/show_bug.cgi?id=177412
3246
3247         Reviewed by Yusuke Suzuki.
3248
3249         This test was poorly designed since failing it would cause the vm
3250         to inifinite loop. I've fixed it locally and will fix it on github pending
3251         the results of next weeks tc39 meeting.
3252
3253         * test262.yaml:
3254         * test262/test/language/statements/for-of/iterator-next-reference.js:
3255
3256 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3257
3258         test262: $.agent became $262.agent in test262 update
3259         https://bugs.webkit.org/show_bug.cgi?id=177407
3260
3261         Reviewed by Yusuke Suzuki.
3262
3263         * test262.yaml:
3264         ~320 tests pass now that we correctly make $262 available.
3265
3266 2017-09-22  Keith Miller  <keith_miller@apple.com>
3267
3268         Speculatively change iteration protocall to use the same next function
3269         https://bugs.webkit.org/show_bug.cgi?id=175653
3270
3271         Reviewed by Saam Barati.
3272
3273         Change test to match the new iteration behavior.
3274
3275         * stress/spread-optimized-properly.js:
3276
3277 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3278
3279         [DFG][FTL] Profile array vector length for array allocation
3280         https://bugs.webkit.org/show_bug.cgi?id=177051
3281
3282         Reviewed by Saam Barati.
3283
3284         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3285         (target):
3286
3287 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3288
3289         Unreviewed, rolling out r222380.
3290         https://bugs.webkit.org/show_bug.cgi?id=177352
3291
3292         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3293         #webkit).
3294
3295         Reverted changeset:
3296
3297         "[DFG][FTL] Profile array vector length for array allocation"
3298         https://bugs.webkit.org/show_bug.cgi?id=177051
3299         http://trac.webkit.org/changeset/222380
3300
3301 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3302
3303         [DFG][FTL] Profile array vector length for array allocation
3304         https://bugs.webkit.org/show_bug.cgi?id=177051
3305
3306         Reviewed by Saam Barati.
3307
3308         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3309         (target):
3310
3311 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
3312
3313         Skip new hanging test262 tests.
3314         https://bugs.webkit.org/show_bug.cgi?id=177326
3315
3316         Unreviewed test gardening.
3317
3318         * test262.yaml:
3319
3320 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
3321
3322         Mark 6 test262 tests as passing.
3323         https://bugs.webkit.org/show_bug.cgi?id=177307
3324
3325         Unreviewed test gardening.
3326
3327         * test262.yaml:
3328
3329 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3330
3331         Unreviewed follow-up to r222311.
3332
3333         * test262/harness/sta.js:
3334         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
3335         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
3336         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3337         * test262/test/built-ins/Array/from/elements-added-after.js:
3338         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3339         * test262/test/built-ins/Array/from/elements-updated-after.js:
3340         * test262/test/built-ins/Array/from/from-array.js:
3341         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3342         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3343         * test262/test/built-ins/Array/from/source-array-boundary.js:
3344         * test262/test/built-ins/Array/from/source-object-constructor.js:
3345         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3346         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3347         * test262/test/built-ins/Array/from/source-object-length.js:
3348         * test262/test/built-ins/Array/from/source-object-missing.js:
3349         * test262/test/built-ins/Array/from/source-object-without.js:
3350         * test262/test/built-ins/Array/from/this-null.js:
3351         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3352         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3353         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3354         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3355         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3356         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3357         * test262/test/language/literals/string/7.8.4-1gs.js:
3358         Fix some files that I failed to update when I applied my patch.
3359
3360 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3361
3362         Update test262 tests
3363         https://bugs.webkit.org/show_bug.cgi?id=177220
3364
3365         Reviewed by Saam Barati and Yusuke Suzuki.
3366
3367         * test262.yaml:
3368         * test262/test262-Revision.txt:
3369         New rebaselined expectations for all tests.
3370
3371         * test262/*:
3372         Updated.
3373
3374 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3375
3376         [DFG] Remove ToThis more aggressively
3377         https://bugs.webkit.org/show_bug.cgi?id=177056
3378
3379         Reviewed by Saam Barati.
3380
3381         * stress/generator-with-this-strict.js: Added.
3382         (shouldBe):
3383         (generator):
3384         (target):
3385         * stress/generator-with-this.js: Added.
3386         (shouldBe):
3387         (generator):
3388         (target):
3389
3390 2017-09-17  Michael Saboff  <msaboff@apple.com>
3391
3392         https://bugs.webkit.org/show_bug.cgi?id=177038
3393         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3394
3395         Reviewed by JF Bastien.
3396
3397         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3398         as it dies using too much memory.
3399
3400 2017-09-15  Saam Barati  <sbarati@apple.com>
3401
3402         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3403         https://bugs.webkit.org/show_bug.cgi?id=176981
3404
3405         Reviewed by Yusuke Suzuki.
3406
3407         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3408         (assert):
3409         (verify):
3410         (func):
3411         (const.bar.createBuiltin):
3412
3413 2017-09-14  Saam Barati  <sbarati@apple.com>
3414
3415         It should be valid to exit before each set when doing arity fixup when inlining
3416         https://bugs.webkit.org/show_bug.cgi?id=176948
3417
3418         Reviewed by Keith Miller.
3419
3420         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3421         (baz):
3422         (bar):
3423         (foo):
3424
3425 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3426
3427         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3428         https://bugs.webkit.org/show_bug.cgi?id=176867
3429
3430         Reviewed by Sam Weinig.
3431
3432         * microbenchmarks/object-get-own-property-symbols.js: Added.
3433         (test):
3434
3435 2017-09-13  Mark Lam  <mark.lam@apple.com>
3436
3437         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3438         https://bugs.webkit.org/show_bug.cgi?id=176888
3439         <rdar://problem/34381832>
3440
3441         Not reviewed.
3442
3443         * stress/op_mod-ConstVar.js:
3444         * stress/op_mod-VarConst.js:
3445         * stress/op_mod-VarVar.js:
3446
3447 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3448
3449         Skip 3 op_mod tests on Debug JSC bots.
3450         https://bugs.webkit.org/show_bug.cgi?id=176630
3451
3452         Unreviewed test gardening.
3453
3454         * stress/op_mod-ConstVar.js:
3455         * stress/op_mod-VarConst.js:
3456         * stress/op_mod-VarVar.js:
3457
3458 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3459
3460         [JSC] Fix Array allocation in Object.keys
3461         https://bugs.webkit.org/show_bug.cgi?id=176826
3462
3463         Reviewed by Saam Barati.
3464
3465         * stress/object-own-property-keys.js: Added.
3466         (shouldBe):
3467
3468 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3469
3470         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3471         https://bugs.webkit.org/show_bug.cgi?id=176010
3472
3473         Reviewed by Filip Pizlo.
3474
3475         * microbenchmarks/weak-map-key.js: Added.
3476         (assert):
3477         (objectKey):
3478         (let.start.Date.now):
3479
3480 2017-09-12  Mark Lam  <mark.lam@apple.com>
3481
3482         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3483         https://bugs.webkit.org/show_bug.cgi?id=176630
3484
3485         Reviewed by JF Bastien.
3486
3487         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3488         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3489         a speculative fix for the bots that are seeing these fail.
3490
3491         I also undid the skipping of the op_mod tests for debug builds.
3492
3493         * stress/op_div-ConstVar.js:
3494         * stress/op_div-VarConst.js:
3495         * stress/op_div-VarVar.js:
3496         * stress/op_mod-ConstVar.js:
3497         * stress/op_mod-VarConst.js:
3498         * stress/op_mod-VarVar.js:
3499
3500 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3501
3502         Skip stress/value-to-boolean.js on Debug bots.
3503         https://bugs.webkit.org/show_bug.cgi?id=176787
3504
3505         Unreviewed test gardening.
3506
3507         * stress/value-to-boolean.js:
3508
3509 2017-09-11  Mark Lam  <mark.lam@apple.com>
3510
3511         Change test expectation for test262/test/language/statements/try/tco-catch.js
3512         https://bugs.webkit.org/show_bug.cgi?id=176749
3513
3514         Rubber stamped by Keith Miller.
3515
3516         It's been failing since at least r221821.  I'm changing the test expectation to
3517         fail to green the bots while I investigate some more.
3518
3519         * test262.yaml:
3520
3521 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3522
3523         Unreviewed, rolling out r221854.
3524
3525         The test added with this change fails on 32-bit JSC bots.
3526
3527         Reverted changeset:
3528
3529         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3530         https://bugs.webkit.org/show_bug.cgi?id=176010
3531         http://trac.webkit.org/changeset/221854
3532
3533 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3534
3535         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3536         https://bugs.webkit.org/show_bug.cgi?id=176010
3537
3538         Reviewed by Filip Pizlo.
3539
3540         * microbenchmarks/weak-map-key.js: Added.
3541         (assert):
3542         (objectKey):
3543         (let.start.Date.now):
3544
3545 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3546
3547         [JSC] Optimize Object.keys by using careful array allocation
3548         https://bugs.webkit.org/show_bug.cgi?id=176654
3549
3550         Reviewed by Darin Adler.
3551
3552         * microbenchmarks/object-keys.js: Added.
3553         (test):
3554
3555 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
3556
3557         Error should compute .stack and friends lazily
3558         https://bugs.webkit.org/show_bug.cgi?id=176645
3559
3560         Reviewed by Saam Barati.
3561
3562         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
3563         * microbenchmarks/new-error.js: Added.
3564         * microbenchmarks/throw.js: Added.
3565
3566 2017-09-09  Mark Lam  <mark.lam@apple.com>
3567
3568         [Re-landing] Use JIT probes for DFG OSR exit.
3569         https://bugs.webkit.org/show_bug.cgi?id=175144
3570         <rdar://problem/33437050>
3571
3572         Not reviewed.  Original patch reviewed by Saam Barati.
3573
3574         Disable these tests for debug builds because they run too slow with the new OSR exit.
3575
3576         * stress/op_mod-ConstVar.js:
3577         * stress/op_mod-VarConst.js:
3578         * stress/op_mod-VarVar.js:
3579
3580 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3581
3582         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3583         https://bugs.webkit.org/show_bug.cgi?id=176300
3584
3585         Reviewed by Saam Barati.
3586
3587         * stress/new-array-with-size-div.js: Added.
3588         (shouldBe):
3589         (test):
3590         (i.i):
3591
3592 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3593
3594         [DFG] PutByVal with Array::Generic is too generic
3595         https://bugs.webkit.org/show_bug.cgi?id=176345
3596
3597         Reviewed by Filip Pizlo.
3598
3599         * stress/object-assign-symbols.js: Added.
3600         (shouldBe):
3601         (test):
3602         * stress/object-assign.js: Added.
3603         (shouldBe):
3604         (test):
3605         (i.shouldBe.JSON.stringify.test):
3606
3607 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3608
3609         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
3610         https://bugs.webkit.org/show_bug.cgi?id=176590
3611
3612         Reviewed by Saam Barati.
3613
3614         * microbenchmarks/object-iterate-symbols.js: Added.
3615         (test):
3616         * microbenchmarks/object-iterate.js: Added.
3617         (test):
3618         * stress/object-iterate-symbols.js: Added.
3619         (shouldBe):
3620         (test):
3621         * stress/object-iterate.js: Added.
3622         (shouldBe):
3623         (test):
3624
3625 2017-09-07  Per Arne Vollan  <pvollan@apple.com>
3626
3627         [Win32] 10 JSC stress tests are failing.
3628         https://bugs.webkit.org/show_bug.cgi?id=176538
3629
3630         Reviewed by Mark Lam.
3631
3632         Skip tests on Windows to make the bots green.
3633
3634         * ChakraCore.yaml:
3635         * stress/date-relaxed.js:
3636
3637 2017-09-06  Mark Lam  <mark.lam@apple.com>
3638
3639         constructGenericTypedArrayViewWithArguments() is missing an exception check.
3640         https://bugs.webkit.org/show_bug.cgi?id=176485
3641         <rdar://problem/33898874>
3642
3643         Reviewed by Keith Miller.
3644
3645         * stress/regress-176485.js: Added.
3646
3647 2017-09-05  Saam Barati  <sbarati@apple.com>
3648
3649         isNotCellSpeculation is wrong with respect to SpecEmpty
3650         https://bugs.webkit.org/show_bug.cgi?id=176429
3651
3652         Reviewed by Michael Saboff.
3653
3654         * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
3655         (Foo):
3656
3657 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3658
3659         test262: Completion values for control flow do not match the spec
3660         https://bugs.webkit.org/show_bug.cgi?id=171265
3661
3662         Reviewed by Saam Barati.
3663
3664         * stress/completion-value.js:
3665         Condensed test for completion values in top level statements.
3666
3667         * stress/super-get-by-id.js:
3668         ClassDeclaration when evaled no longer produce values. Convert
3669         these to ClassExpressions so they produce the class value.
3670         
3671         * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
3672         This is a progression for currect spec behavior.
3673
3674         * mozilla/mozilla-tests.yaml:
3675         This test is now outdated, so mark it as failing for that reason.
3676
3677         * test262.yaml:
3678         Passing all "cptn" completion value tests.
3679
3680 2017-09-04  Saam Barati  <sbarati@apple.com>
3681
3682         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
3683         https://bugs.webkit.org/show_bug.cgi?id=176317
3684
3685         Reviewed by Keith Miller.
3686
3687         * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
3688         (Foo):
3689
3690 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3691
3692         [DFG][FTL] Efficiently execute number#toString()
3693         https://bugs.webkit.org/show_bug.cgi?id=170007
3694
3695         Reviewed by Keith Miller.
3696
3697         * microbenchmarks/number-to-string-strength-reduction.js: Added.
3698         (test):
3699         * microbenchmarks/number-to-string-with-radix-10.js: Added.
3700         (test):
3701         * microbenchmarks/number-to-string-with-radix-cse.js: Added.
3702         (test):
3703         * microbenchmarks/number-to-string-with-radix.js: Added.
3704         (test):
3705         * stress/number-to-string-strength-reduction.js: Added.
3706         (shouldBe):
3707         (test):
3708         * stress/number-to-string-with-radix-10.js: Added.
3709         (shouldBe):
3710         (test):
3711         * stress/number-to-string-with-radix-cse.js: Added.
3712         (shouldBe):
3713         (test):
3714         * stress/number-to-string-with-radix-invalid.js: Added.
3715         (shouldThrow):
3716         * stress/number-to-string-with-radix-watchpoint.js: Added.
3717         (shouldBe):
3718         (test):
3719         (i.i.1e3.Number.prototype.toString):
3720         * stress/number-to-string-with-radix.js: Added.
3721         (shouldBe):
3722         (test):
3723
3724 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3725
3726         [DFG] Relax arity requirement
3727         https://bugs.webkit.org/show_bug.cgi?id=175523
3728
3729         Reviewed by Saam Barati.
3730
3731         * stress/arity-mismatch-arguments-length.js: Added.
3732         (shouldBe):
3733         (test1):
3734         (test):
3735         * stress/arity-mismatch-get-argument.js: Added.
3736         (shouldBe):
3737         (builtin.createBuiltin):
3738         (test):
3739         * stress/arity-mismatch-inlining-extra-slots.js: Added.
3740         (shouldBe):
3741         (inlineTarget):
3742         (test):
3743         * stress/arity-mismatch-inlining.js: Added.
3744         (shouldBe):
3745         (inlineTarget):
3746         (test):
3747         * stress/arity-mismatch-rest.js: Added.
3748         (shouldBe):
3749         (test2):
3750         (test1):
3751         (test):
3752
3753 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3754
3755         [JSC] Fix "name" and "length" of Proxy revoke function
3756         https://bugs.webkit.org/show_bug.cgi?id=176155
3757
3758         Reviewed by Mark Lam.
3759
3760         * test262.yaml:
3761
3762 2017-08-31  Saam Barati  <sbarati@apple.com>
3763
3764         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
3765         https://bugs.webkit.org/show_bug.cgi?id=176206
3766
3767         Reviewed by Keith Miller.
3768
3769         * stress/compare-semantic-origin-op-negate-method-of-getting-a-value-profile.js: Added.
3770         (a):
3771         (b):
3772         (foo):
3773
3774 2017-08-31  Ryan Haddad  <ryanhaddad@apple.com>
3775
3776         Skip two slow JSC tests after r221422.
3777
3778         Unreviewed test gardening.
3779
3780         * stress/regexp-prototype-match-on-too-long-rope.js:
3781         * stress/regexp-prototype-test-on-too-long-rope.js:
3782
3783 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
3784
3785         Unreviewed, skipping slow tests.
3786         
3787         These tests are now timing out. They would have always been slow. The timeouts are probably because OOMs
3788         work differently now.
3789
3790         * stress/regexp-prototype-exec-on-too-long-rope.js:
3791         * stress/string-prototype-charCodeAt-on-too-long-rope.js:
3792
3793 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3794
3795         [JSC] Use reifying system for "name" property of builtin JSFunction
3796         https://bugs.webkit.org/show_bug.cgi?id=175260
3797
3798         Reviewed by Saam Barati.
3799
3800         * stress/accessors-get-set-prefix.js:
3801         * stress/builtin-function-name.js: Added.
3802         (shouldBe):
3803         (shouldThrow):
3804         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
3805         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
3806         * stress/private-name-as-anonymous-builtin.js: Added.
3807         (shouldBe):
3808         (NotPromise):
3809
3810 2017-08-30  Saam Barati  <sbarati@apple.com>
3811
3812         Unreviewed. Make test stop printing.
3813
3814         * microbenchmarks/fake-iterators-that-throw-when-finished.js:
3815
3816 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
3817
3818         Unreviewed, rolling out r221327.
3819
3820         This change caused test262 failures.
3821
3822         Reverted changeset:
3823
3824         "[JSC] Use reifying system for "name" property of builtin
3825         JSFunction"
3826         https://bugs.webkit.org/show_bug.cgi?id=175260
3827         http://trac.webkit.org/changeset/221327
3828
3829 2017-08-30  Saam Barati  <sbarati@apple.com>
3830
3831         semicolon is being interpreted as an = in the LiteralParser
3832         https://bugs.webkit.org/show_bug.cgi?id=176114
3833
3834         Reviewed by Oliver Hunt.
3835
3836         * stress/jsonp-literal-parser-semicolon-is-not-assignment.js: Added.
3837         * stress/resources/literal-parser-test-case.js: Added.
3838
3839 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3840
3841         [ESNext] Async iteration - Implement async iteration statement: for-await-of
3842         https://bugs.webkit.org/show_bug.cgi?id=166698
3843
3844         Reviewed by Yusuke Suzuki.
3845
3846         * stress/async-iteration-for-await-of-syntax.js: Added.
3847         (assert):
3848         (checkSyntax):
3849         (checkSyntaxError):
3850         (checkSimpleAsyncGeneratorSloppyMode):
3851         (checkSimpleAsyncGeneratorStrictMode):
3852         (checkNestedAsyncGenerators):
3853         (checkSimpleAsyncGeneratorSyntaxErrorInStrictMode):
3854         * stress/async-iteration-for-await-of.js: Added.
3855         (assert):
3856         (async.foo):
3857         (async.boo):
3858         (const.boo.async):
3859
3860 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3861
3862         [JSC] Use reifying system for "name" property of builtin JSFunction
3863         https://bugs.webkit.org/show_bug.cgi?id=175260
3864
3865         Reviewed by Saam Barati.
3866
3867         * stress/accessors-get-set-prefix.js:
3868         * stress/builtin-function-name.js: Added.
3869         (shouldBe):
3870         (shouldThrow):
3871         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
3872         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
3873
3874 2017-08-25  Saam Barati  <sbarati@apple.com>
3875
3876         Support compiling catch in the DFG
3877         https://bugs.webkit.org/show_bug.cgi?id=174590
3878         <rdar://problem/34047845>
3879
3880         Reviewed by Filip Pizlo.
3881
3882         * microbenchmarks/delta-blue-try-catch.js: Added.
3883         (exception):
3884         (value):
3885         (OrderedCollection):
3886         (OrderedCollection.prototype.add):
3887         (OrderedCollection.prototype.at):
3888         (OrderedCollection.prototype.size):
3889         (OrderedCollection.prototype.removeFirst):
3890         (OrderedCollection.prototype.remove):
3891         (Strength):
3892         (Strength.stronger):
3893         (Strength.weaker):
3894         (Strength.weakestOf):
3895         (Strength.strongest):
3896         (Strength.prototype.nextWeaker):
3897         (Constraint):
3898         (Constraint.prototype.addConstraint):
3899         (Constraint.prototype.satisfy):
3900         (Constraint.prototype.destroyConstraint):
3901         (Constraint.prototype.isInput):
3902         (UnaryConstraint):
3903         (UnaryConstraint.prototype.addToGraph):
3904         (UnaryConstraint.prototype.chooseMethod):
3905         (UnaryConstraint.prototype.isSatisfied):
3906         (UnaryConstraint.prototype.markInputs):
3907         (UnaryConstraint.prototype.output):
3908         (UnaryConstraint.prototype.recalculate):
3909         (UnaryConstraint.prototype.markUnsatisfied):
3910         (UnaryConstraint.prototype.inputsKnown):
3911         (UnaryConstraint.prototype.removeFromGraph):
3912         (StayConstraint):
3913         (StayConstraint.prototype.execute):
3914         (EditConstraint.prototype.isInput):
3915         (EditConstraint.prototype.execute):
3916         (BinaryConstraint):
3917         (BinaryConstraint.prototype.chooseMethod):
3918         (BinaryConstraint.prototype.addToGraph):
3919         (BinaryConstraint.prototype.isSatisfied):
3920         (BinaryConstraint.prototype.markInputs):
3921         (BinaryConstraint.prototype.input):
3922         (BinaryConstraint.prototype.output):
3923         (BinaryConstraint.prototype.recalculate):
3924         (BinaryConstraint.prototype.markUnsatisfied):
3925         (BinaryConstraint.prototype.inputsKnown):
3926         (BinaryConstraint.prototype.removeFromGraph):
3927         (ScaleConstraint):
3928         (ScaleConstraint.prototype.addToGraph):
3929         (ScaleConstraint.prototype.removeFromGraph):
3930         (ScaleConstraint.prototype.markInputs):
3931         (ScaleConstraint.prototype.execute):
3932         (ScaleConstraint.prototype.recalculate):
3933         (EqualityConstraint):
3934         (EqualityConstraint.prototype.execute):
3935         (Variable):
3936         (Variable.prototype.addConstraint):
3937         (Variable.prototype.removeConstraint):
3938         (Planner):
3939         (Planner.prototype.incrementalAdd):
3940         (Planner.prototype.incrementalRemove):
3941         (Planner.prototype.newMark):
3942         (Planner.prototype.makePlan):
3943         (Planner.prototype.extractPlanFromConstraints):
3944         (Planner.prototype.addPropagate):
3945         (Planner.prototype.removePropagateFrom):
3946         (Planner.prototype.addConstraintsConsumingTo):
3947         (Plan):
3948         (Plan.prototype.addConstraint):
3949         (Plan.prototype.size):
3950         (Plan.prototype.constraintAt):
3951         (Plan.prototype.execute):
3952         (chainTest):
3953         (projectionTest):
3954         (change):
3955         (deltaBlue):
3956         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Added.
3957         (assert):
3958         (Numbers):
3959         (Numbers.prototype.next):
3960         (return.Transpose):
3961         (return.Transpose.prototype.next):
3962         (transpose):
3963         (verifyEven):
3964         (verifyString):
3965         (foo):
3966         (runIterators):
3967         * microbenchmarks/try-catch-word-count.js: Added.
3968         (let.assert):
3969         (EOF):
3970         (let.texts):
3971         (let.o.apply):
3972         (foo):
3973         (bar):
3974         (f):
3975         (run):
3976         (test1):
3977         (test2):
3978         (test3):
3979         (fn):
3980         (A):
3981         (B):
3982         (A.prototype.getValue):
3983         (B.prototype.getParentValue):
3984         (strlen):
3985         (sum.0):
3986         (test):
3987         (result.test.o):
3988         (set add.set add):
3989         (set forEach):
3990         (stringHash):
3991         (set if):
3992         (testFunction):
3993         (set delete.set has.set add):
3994         * stress/catch-set-argument-speculation-failure.js: Added.
3995         (o):
3996         (e):
3997         (e2):
3998         (escape):
3999         (baz):
4000         (noInline.run):
4001         (noInline):
4002         * stress/osr-enter-to-catch-with-set-local-type-check-failure.js: Added.
4003         (foo):
4004         (e):
4005         (baz):
4006         (bar):
4007
4008 2017-08-24  Commit Queue  <commit-queue@webkit.org>
4009
4010         Unreviewed, rolling out r221119, r221124, and r221143.
4011         https://bugs.webkit.org/show_bug.cgi?id=175973
4012
4013         "I think it regressed JSBench by 20%" (Requested by saamyjoon
4014         on #webkit).
4015
4016         Reverted changesets:
4017
4018         "Support compiling catch in the DFG"
4019         https://bugs.webkit.org/show_bug.cgi?id=174590
4020         http://trac.webkit.org/changeset/221119
4021
4022         "Unreviewed, build fix in GTK port"
4023         https://bugs.webkit.org/show_bug.cgi?id=174590
4024         http://trac.webkit.org/changeset/221124
4025
4026         "DFG::JITCode::osrEntry should get sorted since we perform a
4027         binary search on it"
4028         https://bugs.webkit.org/show_bug.cgi?id=175893
4029         http://trac.webkit.org/changeset/221143
4030
4031 2017-08-24  Michael Saboff  <msaboff@apple.com>
4032
4033         Add support for RegExp "dotAll" flag
4034         https://bugs.webkit.org/show_bug.cgi?id=175924
4035
4036         Reviewed by Keith Miller.
4037
4038         Updated tests for new dotAll ('s' flag) changes.
4039
4040         * es6/Proxy_internal_get_calls_RegExp.prototype.flags.js:
4041         * stress/static-getter-in-names.js:
4042
4043 2017-08-24  Mark Lam  <mark.lam@apple.com>
4044
4045         Land regression test for https://bugs.webkit.org/show_bug.cgi?id=164081.
4046         https://bugs.webkit.org/show_bug.cgi?id=175940
4047         <rdar://problem/29003921>
4048
4049         Reviewed by Saam Barati.
4050
4051         * stress/regress-164081.js: Added.
4052         (shouldEqual):
4053         (testcase):
4054
4055 2017-08-24  Ryan Haddad  <ryanhaddad@apple.com>
4056
4057         Skip flaky JSC test stress/test-finally.js.
4058         https://bugs.webkit.org/show_bug.cgi?id=160283
4059
4060         Unreviewed test gardening.
4061
4062         * stress/test-finally.js:
4063
4064 2017-08-23  Saam Barati  <sbarati@apple.com>
4065
4066         Support compiling catch in the DFG
4067         https://bugs.webkit.org/show_bug.cgi?id=174590
4068
4069         Reviewed by Filip Pizlo.
4070
4071         * microbenchmarks/delta-blue-try-catch.js: Added.
4072         (exception):
4073         (value):
4074         (OrderedCollection):
4075         (OrderedCollection.prototype.add):
4076         (OrderedCollection.prototype.at):
4077         (OrderedCollection.prototype.size):
4078         (OrderedCollection.prototype.removeFirst):
4079         (OrderedCollection.prototype.remove):
4080         (Strength):
4081         (Strength.stronger):
4082         (Strength.weaker):
4083         (Strength.weakestOf):
4084         (Strength.strongest):
4085         (Strength.prototype.nextWeaker):
4086         (Constraint):
4087         (Constraint.prototype.addConstraint):
4088         (Constraint.prototype.satisfy):
4089         (Constraint.prototype.destroyConstraint):
4090         (Constraint.prototype.isInput):
4091         (UnaryConstraint):
4092         (UnaryConstraint.prototype.addToGraph):
4093         (UnaryConstraint.prototype.chooseMethod):
4094         (UnaryConstraint.prototype.isSatisfied):
4095         (UnaryConstraint.prototype.markInputs):
4096         (UnaryConstraint.prototype.output):
4097         (UnaryConstraint.prototype.recalculate):
4098         (UnaryConstraint.prototype.markUnsatisfied):
4099         (UnaryConstraint.prototype.inputsKnown):
4100         (UnaryConstraint.prototype.removeFromGraph):
4101         (StayConstraint):
4102         (StayConstraint.prototype.execute):
4103         (EditConstraint.prototype.isInput):
4104         (EditConstraint.prototype.execute):
4105         (BinaryConstraint):
4106         (BinaryConstraint.prototype.chooseMethod):
4107         (BinaryConstraint.prototype.addToGraph):
4108         (BinaryConstraint.prototype.isSatisfied):
4109         (BinaryConstraint.prototype.markInputs):
4110         (BinaryConstraint.prototype.input):
4111         (BinaryConstraint.prototype.output):
4112         (BinaryConstraint.prototype.recalculate):
4113         (BinaryConstraint.prototype.markUnsatisfied):
4114         (BinaryConstraint.prototype.inputsKnown):
4115         (BinaryConstraint.prototype.removeFromGraph):
4116         (ScaleConstraint):
4117         (ScaleConstraint.prototype.addToGraph):
4118         (ScaleConstraint.prototype.removeFromGraph):
4119         (ScaleConstraint.prototype.markInputs):
4120         (ScaleConstraint.prototype.execute):
4121         (ScaleConstraint.prototype.recalculate):
4122         (EqualityConstraint):
4123         (EqualityConstraint.prototype.execute):
4124         (Variable):
4125         (Variable.prototype.addConstraint):
4126         (Variable.prototype.removeConstraint):
4127         (Planner):
4128         (Planner.prototype.incrementalAdd):
4129         (Planner.prototype.incrementalRemove):
4130         (Planner.prototype.newMark):
4131         (Planner.prototype.makePlan):
4132         (Planner.prototype.extractPlanFromConstraints):
4133         (Planner.prototype.addPropagate):
4134         (Planner.prototype.removePropagateFrom):
4135         (Planner.prototype.addConstraintsConsumingTo):
4136         (Plan):
4137         (Plan.prototype.addConstraint):
4138         (Plan.prototype.size):
4139         (Plan.prototype.constraintAt):
4140         (Plan.prototype.execute):
4141         (chainTest):
4142         (projectionTest):
4143         (change):
4144         (deltaBlue):
4145         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Added.
4146         (assert):
4147         (Numbers):
4148         (Numbers.prototype.next):
4149         (return.Transpose):
4150         (return.Transpose.prototype.next):
4151         (transpose):
4152         (verifyEven):
4153         (verifyString):
4154         (foo):
4155         (runIterators):
4156         * microbenchmarks/try-catch-word-count.js: Added.
4157         (let.assert):
4158         (EOF):
4159         (let.texts):
4160         (let.o.apply):
4161         (foo):
4162         (bar):
4163         (f):
4164         (run):
4165         (test1):
4166         (test2):
4167         (test3):
4168         (fn):
4169         (A):
4170         (B):
4171         (A.prototype.getValue):
4172         (B.prototype.getParentValue):
4173         (strlen):
4174         (sum.0):
4175         (test):
4176         (result.test.o):
4177         (set add.set add):
4178         (set forEach):
4179         (stringHash):
4180         (set if):
4181         (testFunction):
4182         (set delete.set has.set add):
4183         * stress/catch-set-argument-speculation-failure.js: Added.
4184         (o):
4185         (e):
4186         (e2):
4187         (escape):
4188         (baz):
4189         (noInline.run):
4190         (noInline):
4191         * stress/osr-enter-to-catch-with-set-local-type-check-failure.js: Added.
4192         (foo):
4193         (e):
4194         (baz):
4195         (bar):
4196
4197 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
4198
4199         [JSC] Optimize Map iteration with intrinsic
4200         https://bugs.webkit.org/show_bug.cgi?id=174355
4201
4202         Reviewed by Saam Barati.
4203
4204         * stress/map-iterator-result-should-have-expected-shape.js: Added.
4205         (shouldBe):
4206         (throw.new.Error):
4207         * stress/set-iterator-result-should-have-expected-shape.js: Added.
4208         (shouldBe):
4209         (throw.new.Error.let.iterator.set Symbol):
4210         (throw.new.Error.set add):
4211         (let.iterator.set Symbol):
4212
4213 2017-08-23  Robin Morisset  <rmorisset@apple.com>
4214
4215         Add a micro-benchmark for checking that accessing a variable within a 'with'
4216         block does not automatically prevent type prediction.
4217         https://bugs.webkit.org/show_bug.cgi?id=175738
4218
4219         Reviewed by Saam Barati.
4220
4221         * stress/with_and_arith.js: Added.
4222         (with):
4223
4224 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
4225
4226         [ESNext] Async iteration - Implement Async Generator - runtime
4227         https://bugs.webkit.org/show_bug.cgi?id=175240
4228
4229         Reviewed by Yusuke Suzuki.
4230
4231         * stress/async-iteration-async-from-sync.js: Added.
4232         (assert):
4233         (const.Logger):
4234         (this.fullfilled):
4235         (this.fullfilledDone):
4236         (this.rejected):
4237         (this.catched):
4238         (this.isFinal):
4239         (_assertLogger):
4240         (const.assertLogger):
4241         (const.getPromise.promiseHolder.return.new.Promise):
4242         (foo):
4243         (async.boo):
4244         (bar):
4245         (async.baz):
4246         (async.goo):
4247         * stress/async-iteration-basic.js: Added.
4248         (assert):
4249         (const.Logger):
4250         (this.fullfilled):
4251         (this.fullfilledDone):
4252         (this.rejected):
4253         (this.catched):
4254         (this.isFinal):
4255         (_assertLogger):
4256         (const.assertLogger):
4257         (const.getPromise.promiseHolder.return.new.Promise):
4258         (async.generator):
4259         (iterator.next.then):
4260         (async.baz):
4261         (async.boo):
4262         (async.foo):
4263         (async.goo):
4264         (A.prototype.async.foo):
4265         (A.prototype.async.boo):
4266         (A):
4267         (asyncGenExp.async):
4268         (async.joo):
4269         (j.next.then):
4270         (then):
4271         (async.koo):
4272         (async.loo):
4273         (async.moo):
4274         (async.noo):
4275         (async.ooo):
4276         (async.roo):
4277         (async.poo):
4278         (async.soo):
4279         (async.too):
4280         * stress/async-iteration-evaluation.js: Added.
4281         (assert):
4282         (async.foo):
4283         (catch):
4284         * stress/async-iteration-syntax.js:
4285         * stress/async-iteration-yield-promise.js: Added.
4286         (assert):
4287         (const.Logger):
4288         (this.fullfilled):
4289         (this.fullfilledDone):
4290         (this.rejected):
4291         (this.catched):
4292         (this.isFinal):
4293         (_assertLogger):
4294         (const.assertLogger):
4295         (const.getPromise.promiseHolder.return.new.Promise):
4296         (async.foo):
4297         (async.boo):
4298         (async.bar):
4299         * stress/async-iteration-yield-star-interface.js: Added.
4300         (assert):
4301         (const.getPromise.promiseHolder.return.new.Promise):
4302         (const.Logger):
4303         (this.fullfilled):
4304         (this.fullfilledDone):
4305         (this.rejected):
4306         (this.catched):
4307         (this.custom):
4308         (this.isFinal):
4309         (_assertLogger):
4310         (const.assertLogger):
4311         (let.asyncIter.Symbol.asyncIterator):
4312         (let.asyncIter.next):
4313         (let.asyncIter.throw):
4314         (let.asyncIter.return):
4315         (async.foo):
4316         (asyncIter.Symbol.asyncIterator):
4317         (asyncIter.next):
4318         (async.boo):
4319         (asyncIter.return):
4320         (async.bar):
4321         (async.baz):
4322         (async.foobar):
4323         * stress/async-iteration-yield-star.js: Added.
4324         (assert):
4325         (const.Logger):
4326         (this.fullfilled):
4327         (this.fullfilledDone):
4328         (this.rejected):
4329         (this.catched):
4330         (this.custom):
4331         (this.isFinal):
4332         (_assertLogger):
4333         (const.assertLogger):
4334         (const.getPromise.promiseHolder.return.new.Promise):
4335         (async.foo):
4336         (async.boo):
4337         (async.bar):
4338         (async.baz):
4339         (async.joo):
4340         (async.goo):
4341         (async.koo):
4342         (async.loo):
4343         (let.asyncIter.Symbol.asyncIterator):
4344         (let.asyncIter.next):
4345         (let.asyncIter.throw):
4346         (let.asyncIter.return):
4347         (async.moo):
4348         (async.noo):
4349         * test262.yaml:
4350
4351 2017-08-23  JF Bastien  <jfbastien@apple.com>
4352
4353         Fix printing in test
4354
4355         Unreviewed: fixing verbosity, shouldn't have been there.
4356
4357         * wasm/regress/175693.js:
4358         (else.else):
4359         (catch):
4360
4361 2017-08-18  Ryan Haddad  <ryanhaddad@apple.com>
4362
4363         Skip flaky JSC test microbenchmarks/generator-with-several-types.js.
4364         https://bugs.webkit.org/show_bug.cgi?id=172543
4365
4366         Unreviewed test gardening.
4367
4368         * microbenchmarks/generator-with-several-types.js:
4369
4370 2017-08-17  JF Bastien  <jfbastien@apple.com>
4371
4372         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
4373         https://bugs.webkit.org/show_bug.cgi?id=175693
4374         <rdar://problem/33952443>
4375
4376         Reviewed by Saam Barati.
4377
4378         Add a regression directory for WebAssembly tests.
4379
4380         * wasm.yaml:
4381         * wasm/regress/175693.js: Added.
4382         (else.else):
4383         (instance.new.WebAssembly.Instance.new.WebAssembly.Module):
4384         (catch):
4385         * wasm/regress/175693.wasm: Added.
4386
4387 2017-08-15  Robin Morisset  <rmorisset@apple.com>
4388
4389         Support the 'with' keyword in FTL.
4390         https://bugs.webkit.org/show_bug.cgi?id=175585
4391
4392         Reviewed by Saam Barati.
4393
4394         Also improve the JSTest/stress/with.js file to test
4395         what happens when non-objects are passed to with.
4396
4397         * stress/with.js:
4398         (foo):
4399         (i.catch):
4400         (i.with): Deleted.
4401
4402 2017-08-14  Keith Miller  <keith_miller@apple.com>
4403
4404         Add testing tool to lie to the DFG about profiles
4405         https://bugs.webkit.org/show_bug.cgi?id=175487
4406
4407         Reviewed by Saam Barati.
4408
4409         * stress/compare-eq-incomplete-profile.js: Added.
4410         (const.test.createBuiltin):
4411
4412 2017-08-14  Robin Morisset  <rmorisset@apple.com>
4413
4414         Support the with keyword in DFG
4415         https://bugs.webkit.org/show_bug.cgi?id=175470
4416
4417         Reviewed by Saam Barati.
4418
4419         Added a new stress-test for the 'with' keyword, that caught a bug in a
4420         previous version of this code.
4421
4422         * stress/with.js: Added.
4423         (i.with):
4424
4425 2017-08-14  Ryan Haddad  <ryanhaddad@apple.com>
4426
4427         Skip flaky JSC test test/fieldopts/objtypespec-newobj-invalidation.1.js
4428         https://bugs.webkit.org/show_bug.cgi?id=175544
4429
4430         Unreviewed test gardening.
4431
4432         * ChakraCore.ya