for-in loops should preserve and restore the TDZ stack for each of its internal loops.
[WebKit-https.git] / JSTests / ChangeLog
1 2018-05-25  Mark Lam  <mark.lam@apple.com>
2
3         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
4         https://bugs.webkit.org/show_bug.cgi?id=185995
5         <rdar://problem/40173142>
6
7         Reviewed by Saam Barati.
8
9         * stress/regress-185995.js: Added.
10
11 2018-05-23  Keith Miller  <keith_miller@apple.com>
12
13         Define length on CoW array should properly convert to writable
14         https://bugs.webkit.org/show_bug.cgi?id=185927
15
16         Reviewed by Yusuke Suzuki.
17
18         * stress/cow-define-length-as-value.js: Added.
19         (test):
20
21 2018-05-23  Michael Saboff  <msaboff@apple.com>
22
23         Date.parse() doesn't properly handle input outside of ES Spec limits
24         https://bugs.webkit.org/show_bug.cgi?id=185868
25
26         Reviewed by Mark Lam.
27
28         New test.
29
30         * stress/date-parse-ranges.js: Added.
31         (shouldBe):
32         (throw.new.Error):
33         (shouldBeNaN):
34
35 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
36
37         Conversion misspelled "Convertion" in error message string
38         https://bugs.webkit.org/show_bug.cgi?id=185436
39
40         Reviewed by Saam Barati, Michael Saboff.
41
42         * bigIntTests.yaml:
43
44 2018-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
45
46         Unreviewed, skip test if memoryLimited is specified
47         https://bugs.webkit.org/show_bug.cgi?id=185888
48
49         * stress/regress-185888.js:
50
51 2018-05-22  Mark Lam  <mark.lam@apple.com>
52
53         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
54         https://bugs.webkit.org/show_bug.cgi?id=185896
55         <rdar://problem/40471403>
56
57         Reviewed by Saam Barati.
58
59         * stress/regress-185896.js: Added.
60
61 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
62
63         [JSC] Fix CachedCall's argument count if RegExp has named captures
64         https://bugs.webkit.org/show_bug.cgi?id=185587
65
66         Reviewed by Mark Lam.
67
68         * test262/expectations.yaml:
69
70 2018-05-22  Mark Lam  <mark.lam@apple.com>
71
72         StringImpl utf8 conversion should not fail silently.
73         https://bugs.webkit.org/show_bug.cgi?id=185888
74         <rdar://problem/40464506>
75
76         Reviewed by Filip Pizlo.
77
78         * stress/regress-185888.js: Added.
79
80 2018-05-22  Keith Miller  <keith_miller@apple.com>
81
82         We should have a CoW storage for NewArrayBuffer arrays.
83         https://bugs.webkit.org/show_bug.cgi?id=185003
84
85         Reviewed by Filip Pizlo.
86
87         * stress/cow-convert-contiguous-to-array-storage.js: Added.
88         (createBuffer):
89         (shouldBe):
90         (test):
91         * stress/cow-convert-double-to-array-storage.js: Added.
92         (createBuffer):
93         (shouldBe):
94         (test):
95         * stress/cow-convert-double-to-contiguous.js: Added.
96         (createBuffer):
97         (shouldBe):
98         (test):
99         * stress/cow-convert-int32-to-array-storage.js: Added.
100         (createBuffer):
101         (shouldBe):
102         (test):
103         * stress/cow-convert-int32-to-contiguous.js: Added.
104         (createBuffer):
105         (shouldBe):
106         (test):
107         * stress/cow-convert-int32-to-double.js: Added.
108         (createBuffer):
109         (shouldBe):
110         (test):
111         * stress/put-on-cow-prototype.js: Added.
112         (putByVal):
113         (putById):
114
115 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
116
117         Unreviewed, reland InById cache
118         https://bugs.webkit.org/show_bug.cgi?id=185682
119
120         * stress/in-by-id-accessors.js: Added.
121         (shouldBe):
122         (test):
123         (protoGetter.__proto__.get hello):
124         (protoSetter.__proto__.set hello):
125         (i.shouldBe.test.get hello):
126         (i.shouldBe.test.set hello):
127         * stress/in-by-id-ai.js: Added.
128         (shouldBe):
129         (test):
130         * stress/in-by-id-custom-accessors.js: Added.
131         (shouldBe):
132         (test1):
133         (test2):
134         * stress/in-by-id-custom-values.js: Added.
135         (shouldBe):
136         (test):
137         * stress/in-by-id-operation.js: Added.
138         (shouldBe):
139         (test):
140         (selfCache):
141         * stress/in-by-id-proxy.js: Added.
142         (shouldBe):
143         (test):
144         (handler.has):
145
146 2018-05-21  Commit Queue  <commit-queue@webkit.org>
147
148         Unreviewed, rolling out r231998 and r232017.
149         https://bugs.webkit.org/show_bug.cgi?id=185842
150
151         causes crashes on 32 JSC bot (Requested by realdawei on
152         #webkit).
153
154         Reverted changesets:
155
156         "[JSC] JSC should have consistent InById IC"
157         https://bugs.webkit.org/show_bug.cgi?id=185682
158         https://trac.webkit.org/changeset/231998
159
160         "Unreviewed, fix 32bit and scope release"
161         https://bugs.webkit.org/show_bug.cgi?id=185682
162         https://trac.webkit.org/changeset/232017
163
164 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
165
166         [JSC] JSC should have consistent InById IC
167         https://bugs.webkit.org/show_bug.cgi?id=185682
168
169         Reviewed by Filip Pizlo.
170
171         * stress/in-by-id-accessors.js: Added.
172         (shouldBe):
173         (test):
174         (protoGetter.__proto__.get hello):
175         (protoSetter.__proto__.set hello):
176         (i.shouldBe.test.get hello):
177         (i.shouldBe.test.set hello):
178         * stress/in-by-id-ai.js: Added.
179         (shouldBe):
180         (test):
181         * stress/in-by-id-custom-accessors.js: Added.
182         (shouldBe):
183         (test1):
184         (test2):
185         * stress/in-by-id-custom-values.js: Added.
186         (shouldBe):
187         (test):
188         * stress/in-by-id-operation.js: Added.
189         (shouldBe):
190         (test):
191         (selfCache):
192         * stress/in-by-id-proxy.js: Added.
193         (shouldBe):
194         (test):
195         (handler.has):
196
197 2018-05-18  Keith Miller  <keith_miller@apple.com>
198
199         op_in should mark if it sees out of bounds accesses
200         https://bugs.webkit.org/show_bug.cgi?id=185792
201
202         Reviewed by Filip Pizlo.
203
204         * stress/has-indexed-property-array-storage-ftl.js:
205         (test2):
206         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
207         (test2):
208
209 2018-05-18  Mark Lam  <mark.lam@apple.com>
210
211         Add missing exception check.
212         https://bugs.webkit.org/show_bug.cgi?id=185786
213         <rdar://problem/35686560>
214
215         Reviewed by Michael Saboff.
216
217         * stress/regress-185786.js: Added.
218
219 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
220
221         JSC should have InstanceOf inline caching
222         https://bugs.webkit.org/show_bug.cgi?id=185652
223
224         Reviewed by Saam Barati.
225
226         * microbenchmarks/instanceof-always-hit-one.js: Added.
227         * microbenchmarks/instanceof-always-hit-two.js: Added.
228         * microbenchmarks/instanceof-dynamic.js: Added.
229         * microbenchmarks/instanceof-sometimes-hit.js: Added.
230         * stress/instanceof-dynamic-proxy-check-structure.js: Added.
231         * stress/instanceof-dynamic-proxy-loop.js: Added.
232         * stress/instanceof-dynamic-proxy.js: Added.
233         * stress/instanceof-hit-one-object-then-another.js: Added.
234         * stress/instanceof-hit-two-objects-then-another.js: Added.
235         * stress/instanceof-prototype-change.js: Added.
236         * stress/instanceof-prototype-change-to-hit.js: Added.
237         * stress/instanceof-prototype-change-to-null.js: Added.
238         * stress/instanceof-prototype-change-watchpointable.js: Added.
239
240 2018-05-17  Michael Saboff  <msaboff@apple.com>
241
242         We don't throw SyntaxErrors for runtime generated regular expressions with errors
243         https://bugs.webkit.org/show_bug.cgi?id=185755
244
245         Reviewed by Keith Miller.
246
247         New regression test.
248
249         * stress/regexp-with-runtime-syntax-errors.js: Added.
250         (testThrowsSyntaxtError):
251         (fromExecWithBadUnicodeEscape):
252         (fromTestWithBadUnicodeProperty):
253         (fromSplitWithBadUnicodeIdentity):
254         (fromMatchWithBadUnicodeBackReference):
255         (fromReplaceWithBadUnicodeEscape):
256         (fromSearchWithBadUnicodeEscape):
257
258 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
259
260         [ESNext][BigInt] Implement support for "/" operation
261         https://bugs.webkit.org/show_bug.cgi?id=183996
262
263         Reviewed by Yusuke Suzuki.
264
265         * bigIntTests.yaml:
266         * stress/big-int-div-jit.js: Added.
267         * stress/big-int-div-memory-stress.js: Added.
268         * stress/big-int-div-to-primitive-precedence.js: Added.
269         * stress/big-int-div-to-primitive.js: Added.
270         * stress/big-int-div-type-error.js: Added.
271         * stress/big-int-div-wrapped-value.js: Added.
272         * stress/big-int-division.js: Added.
273
274 2018-05-16  Saam Barati  <sbarati@apple.com>
275
276         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
277         https://bugs.webkit.org/show_bug.cgi?id=185670
278
279         Reviewed by Yusuke Suzuki.
280
281         * microbenchmarks/constant-fold-check-type-info-flags.js: Added.
282         * stress/dont-constant-fold-check-type-info-on-bound-function.js: Added.
283
284 2018-05-16  Commit Queue  <commit-queue@webkit.org>
285
286         Unreviewed, rolling out r231845.
287         https://bugs.webkit.org/show_bug.cgi?id=185702
288
289         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
290         caiolima on #webkit).
291
292         Reverted changeset:
293
294         "[ESNext][BigInt] Implement support for "/" operation"
295         https://bugs.webkit.org/show_bug.cgi?id=183996
296         https://trac.webkit.org/changeset/231845
297
298 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
299
300         DFG models InstanceOf incorrectly
301         https://bugs.webkit.org/show_bug.cgi?id=185694
302
303         Reviewed by Keith Miller.
304
305         * stress/instanceof-proxy-check-structure.js: Added.
306         (Foo):
307         (Bar):
308         (doBadThings):
309         (getPrototypeOf):
310         (foo):
311         (i.new.Bar):
312         (new.Bar):
313         * stress/instanceof-proxy-loop.js: Added.
314         (Foo):
315         (Bar):
316         (doBadThings):
317         (getPrototypeOf):
318         (foo):
319         * stress/instanceof-proxy.js: Added.
320         (Foo):
321         (Bar):
322         (doBadThings):
323         (getPrototypeOf):
324         (foo):
325
326 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
327
328         [ESNext][BigInt] Implement support for "/" operation
329         https://bugs.webkit.org/show_bug.cgi?id=183996
330
331         Reviewed by Yusuke Suzuki.
332
333         * bigIntTests.yaml:
334         * stress/big-int-div-jit.js: Added.
335         * stress/big-int-div-memory-stress.js: Added.
336         * stress/big-int-div-to-primitive-precedence.js: Added.
337         * stress/big-int-div-to-primitive.js: Added.
338         * stress/big-int-div-type-error.js: Added.
339         * stress/big-int-div-wrapped-value.js: Added.
340         * stress/big-int-division.js: Added.
341
342 2018-05-14  Leo Balter  <leonardo.balter@gmail.com>
343
344         Fix a legacy CRLF eol from Test262
345         https://bugs.webkit.org/show_bug.cgi?id=185565
346
347         Reviewed by Yusuke Suzuki.
348
349         * test262/config.yaml:
350         * test262/test/built-ins/Math/cbrt/prop-desc.js:
351
352 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
353
354         [JSC] timeClip(-0) should produce +0
355         https://bugs.webkit.org/show_bug.cgi?id=185589
356
357         Reviewed by Saam Barati.
358
359         Fix several test262 failures.
360
361         * stress/date-negative-zero.js: Added.
362         (shouldBe):
363         * test262/expectations.yaml:
364
365 2018-05-13  Caio Lima  <ticaiolima@gmail.com>
366
367         [BigInt] stress/big-int-spec-to-primitive.js test is failing
368         https://bugs.webkit.org/show_bug.cgi?id=185582
369
370         Reviewed by Yusuke Suzuki.
371
372         This patch is removing the use of ```numberOfDFGCompiles``` from 
373         stress/big-int-spec-to-primitive.js because it makes this est fail
374         sometimes.
375
376         * stress/big-int-spec-to-primitive.js:
377
378 2018-05-13  Andy VanWagoner  <andy@vanwagoner.family>
379
380         [INTL] Improve spec & test262 compliance for Intl APIs
381         https://bugs.webkit.org/show_bug.cgi?id=185578
382
383         Reviewed by Yusuke Suzuki.
384
385         Remove intl402 failures that have been fixed.
386
387         * test262/expectations.yaml:
388         * stress/regress-178385.js: toStringTag is configurable, but not writable.
389
390 2018-05-11  Caio Lima  <ticaiolima@gmail.com>
391
392         [ESNext][BigInt] Implement support for "*" operation
393         https://bugs.webkit.org/show_bug.cgi?id=183721
394
395         Reviewed by Yusuke Suzuki.
396
397         * bigIntTests.yaml:
398         * stress/big-int-mul-jit.js: Added.
399         * stress/big-int-mul-to-primitive-precedence.js: Added.
400         * stress/big-int-mul-to-primitive.js: Added.
401         * stress/big-int-mul-type-error.js: Added.
402         * stress/big-int-mul-wrapped-value.js: Added.
403         * stress/big-int-multiplication.js: Added.
404         * stress/big-int-multiply-memory-stress.js: Added.
405
406 2018-05-11  Michael Saboff  <msaboff@apple.com>
407
408         [DFG] Compiler uses incorrect output register for NumberIsInteger operation
409         https://bugs.webkit.org/show_bug.cgi?id=185328
410
411         Reviewed by Keith Miller.
412
413         New regression test.
414
415         * stress/isInteger-doesnt-overwrite-argument.js: Added.
416         (testIsInteger):
417
418 2018-05-09  Yusuke Suzuki  <utatane.tea@gmail.com>
419
420         [JSC] Object.assign for final objects should be faster
421         https://bugs.webkit.org/show_bug.cgi?id=185348
422
423         Reviewed by Saam Barati.
424
425         * stress/object-assign-fast-path.js: Added.
426         (shouldBe):
427         (checkProperty):
428
429 2018-05-10  Leo Balter  <leonardo.balter@gmail.com>
430
431         Update Test262 tests through the new import script - 20180509
432         https://bugs.webkit.org/show_bug.cgi?id=185482
433
434         Reviewed by Michael Saboff.
435
436         Also update the test262/expecatations.yaml with the recent imported files.
437
438         * test262/expectations.yaml:
439         * test262/harness/compareIterator.js: Added.
440         (assert.compareIterator):
441         * test262/harness/nativeFunctionMatcher.js:
442         (const.assertToStringOrNativeFunction):
443         (const.assertNativeFunction):
444         * test262/harness/regExpUtils.js:
445         * test262/harness/testIntl.js:
446         (getInvalidLanguageTags):
447         * test262/harness/testTypedArray.js:
448         * test262/harness/wellKnownIntrinsicObjects.js: Added.
449         (WellKnownIntrinsicObjects.forEach.wkio.catch):
450         * test262/latest-changes-summary.txt: Added.
451         * test262/test/annexB/language/eval-code/direct/block-decl-nostrict.js: Copied from JSTests/test262/test/language/eval-code/direct/block-decl-strict-caller.js.
452         (catch):
453         * test262/test/annexB/language/eval-code/direct/switch-case-decl-nostrict.js: Copied from JSTests/test262/test/language/eval-code/direct/switch-case-decl-strict-source.js.
454         (catch):
455         * test262/test/annexB/language/eval-code/direct/switch-dflt-decl-nostrict.js: Copied from JSTests/test262/test/language/eval-code/direct/switch-dflt-decl-strict-caller.js.
456         (catch):
457         * test262/test/annexB/language/function-code/block-decl-nested-blocks-with-fun-decl.js: Added.
458         (g.f):
459         (g):
460         * test262/test/annexB/language/function-code/block-decl-nostrict.js: Copied from JSTests/test262/test/language/function-code/block-decl-strict.js.
461         (catch):
462         (f):
463         * test262/test/annexB/language/function-code/switch-case-decl-nostrict.js: Copied from JSTests/test262/test/language/function-code/switch-case-decl-strict.js.
464         (catch):
465         (switch.case.1):
466         (switch):
467         * test262/test/annexB/language/function-code/switch-dflt-decl-nostrict.js: Copied from JSTests/test262/test/language/function-code/switch-dflt-decl-strict.js.
468         (catch):
469         (switch.default):
470         (switch):
471         * test262/test/built-ins/Array/prototype/filter/target-array-with-non-writable-property.js: Added.
472         (a.Symbol.species):
473         (r.a.filter):
474         * test262/test/built-ins/Array/prototype/indexOf/calls-only-has-on-prototype-after-length-zeroed.js: Added.
475         (allowProxyTraps.has):
476         (fromIndex.valueOf):
477         * test262/test/built-ins/Array/prototype/lastIndexOf/calls-only-has-on-prototype-after-length-zeroed.js: Added.
478         (allowProxyTraps.has):
479         (fromIndex.valueOf):
480         * test262/test/built-ins/Array/prototype/map/target-array-with-non-writable-property.js: Added.
481         (a.Symbol.species):
482         (r.a.map):
483         * test262/test/built-ins/Array/prototype/slice/target-array-with-non-writable-property.js: Added.
484         (a.Symbol.species):
485         * test262/test/built-ins/Array/prototype/splice/property-traps-order-with-species.js: Added.
486         (a.Symbol.species):
487         * test262/test/built-ins/Array/prototype/splice/target-array-with-non-writable-property.js: Added.
488         (a.Symbol.species):
489         * test262/test/built-ins/Atomics/Symbol.toStringTag.js:
490         * test262/test/built-ins/Atomics/add/bad-range.js:
491         (testWithTypedArrayConstructors):
492         * test262/test/built-ins/Atomics/add/good-views.js:
493         (testWithTypedArrayConstructors):
494         * test262/test/built-ins/Atomics/add/non-views.js:
495         * test262/test/built-ins/Atomics/add/nonshared-int-views.js:
496         (testWithTypedArrayConstructors):
497         * test262/test/built-ins/Atomics/add/shared-nonint-views.js:
498         (testWithTypedArrayConstructors):
499         * test262/test/built-ins/Atomics/and/bad-range.js:
500         (testWithTypedArrayConstructors):
501         * test262/test/built-ins/Atomics/and/good-views.js:
502         (testWithTypedArrayConstructors):
503         * test262/test/built-ins/Atomics/and/non-views.js:
504         * test262/test/built-ins/Atomics/and/nonshared-int-views.js:
505         (testWithTypedArrayConstructors):
506         * test262/test/built-ins/Atomics/and/shared-nonint-views.js:
507         (testWithTypedArrayConstructors):
508         * test262/test/built-ins/Atomics/compareExchange/bad-range.js:
509         (testWithTypedArrayConstructors):
510         * test262/test/built-ins/Atomics/compareExchange/good-views.js:
511         (testWithTypedArrayConstructors):
512         (view): Deleted.
513         * test262/test/built-ins/Atomics/compareExchange/non-views.js:
514         * test262/test/built-ins/Atomics/compareExchange/nonshared-int-views.js:
515         (testWithTypedArrayConstructors):
516         * test262/test/built-ins/Atomics/compareExchange/shared-nonint-views.js:
517         (testWithTypedArrayConstructors):
518         * test262/test/built-ins/Atomics/exchange/bad-range.js:
519         (testWithTypedArrayConstructors):
520         * test262/test/built-ins/Atomics/exchange/good-views.js:
521         (testWithTypedArrayConstructors):
522         * test262/test/built-ins/Atomics/exchange/non-views.js:
523         * test262/test/built-ins/Atomics/exchange/nonshared-int-views.js:
524         (testWithTypedArrayConstructors):
525         * test262/test/built-ins/Atomics/exchange/shared-nonint-views.js:
526         (testWithTypedArrayConstructors):
527         * test262/test/built-ins/Atomics/isLockFree/corner-cases.js:
528         (hide):
529         * test262/test/built-ins/Atomics/isLockFree/value.js:
530         (testIsLockFree): Deleted.
531         * test262/test/built-ins/Atomics/load/bad-range.js:
532         (testWithTypedArrayConstructors):
533         * test262/test/built-ins/Atomics/load/good-views.js:
534         (testWithTypedArrayConstructors):
535         * test262/test/built-ins/Atomics/load/non-views.js:
536         * test262/test/built-ins/Atomics/load/nonshared-int-views.js:
537         (testWithTypedArrayConstructors):
538         * test262/test/built-ins/Atomics/load/shared-nonint-views.js:
539         (testWithTypedArrayConstructors):
540         * test262/test/built-ins/Atomics/or/bad-range.js:
541         (testWithTypedArrayConstructors):
542         * test262/test/built-ins/Atomics/or/good-views.js:
543         (testWithTypedArrayConstructors):
544         * test262/test/built-ins/Atomics/or/non-views.js:
545         * test262/test/built-ins/Atomics/or/nonshared-int-views.js:
546         (testWithTypedArrayConstructors):
547         * test262/test/built-ins/Atomics/or/shared-nonint-views.js:
548         (testWithTypedArrayConstructors):
549         * test262/test/built-ins/Atomics/prop-desc.js:
550         * test262/test/built-ins/Atomics/proto.js:
551         * test262/test/built-ins/Atomics/store/bad-range.js:
552         (testWithTypedArrayConstructors):
553         * test262/test/built-ins/Atomics/store/good-views.js:
554         (testWithTypedArrayConstructors):
555         (ToInteger):
556         * test262/test/built-ins/Atomics/store/non-views.js:
557         * test262/test/built-ins/Atomics/store/nonshared-int-views.js:
558         (testWithTypedArrayConstructors):
559         * test262/test/built-ins/Atomics/store/shared-nonint-views.js:
560         (testWithTypedArrayConstructors):
561         * test262/test/built-ins/Atomics/sub/bad-range.js:
562         (testWithTypedArrayConstructors):
563         * test262/test/built-ins/Atomics/sub/good-views.js:
564         (testWithTypedArrayConstructors):
565         * test262/test/built-ins/Atomics/sub/non-views.js:
566         * test262/test/built-ins/Atomics/sub/nonshared-int-views.js:
567         (testWithTypedArrayConstructors):
568         * test262/test/built-ins/Atomics/sub/shared-nonint-views.js:
569         (testWithTypedArrayConstructors):
570         * test262/test/built-ins/Atomics/wait/bad-range.js: Copied from JSTests/test262/test/built-ins/Atomics/wake/bad-range.js.
571         (testWithTypedArrayConstructors):
572         * test262/test/built-ins/Atomics/wait/cannot-suspend-throws.js:
573         * test262/test/built-ins/Atomics/wait/did-timeout.js:
574         (getReport):
575         * test262/test/built-ins/Atomics/wait/false-for-timeout-agent.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/false-for-timeout.js.
576         (getReport):
577         (262.agent.start.valueOf.valueOf):
578         (toPrimitive.Symbol.toPrimitive):
579         (262.agent.receiveBroadcast):
580         * test262/test/built-ins/Atomics/wait/false-for-timeout.js:
581         (valueOf.valueOf):
582         (toPrimitive.Symbol.toPrimitive):
583         (getReport): Deleted.
584         (262.agent.start.262.agent.receiveBroadcast): Deleted.
585         * test262/test/built-ins/Atomics/wait/good-views.js:
586         (r.getReport):
587         (getReport):
588         * test262/test/built-ins/Atomics/wait/nan-for-timeout.js:
589         (getReport):
590         * test262/test/built-ins/Atomics/wait/negative-index-throws.js:
591         * test262/test/built-ins/Atomics/wait/negative-timeout-agent.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/negative-timeout.js.
592         (getReport):
593         (262.agent.start.262.agent.receiveBroadcast):
594         * test262/test/built-ins/Atomics/wait/negative-timeout.js:
595         (262.agent.start.262.agent.receiveBroadcast): Deleted.
596         (getReport): Deleted.
597         * test262/test/built-ins/Atomics/wait/no-spurious-wakeup.js:
598         (getReport):
599         * test262/test/built-ins/Atomics/wait/non-int32-typedarray-throws.js:
600         * test262/test/built-ins/Atomics/wait/non-shared-bufferdata-throws.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/nonshared-bufferdata-throws.js.
601         * test262/test/built-ins/Atomics/wait/not-a-typedarray-throws.js:
602         * test262/test/built-ins/Atomics/wait/not-an-object-throws.js:
603         * test262/test/built-ins/Atomics/wait/null-bufferdata-throws.js:
604         * test262/test/built-ins/Atomics/wait/null-for-timeout-agent.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/false-for-timeout.js.
605         (getReport):
606         (262.agent.start.valueOf.valueOf):
607         (toPrimitive.Symbol.toPrimitive):
608         (262.agent.receiveBroadcast):
609         * test262/test/built-ins/Atomics/wait/null-for-timeout.js:
610         (valueOf.valueOf):
611         (toPrimitive.Symbol.toPrimitive):
612         (getReport): Deleted.
613         (262.agent.start.262.agent.receiveBroadcast): Deleted.
614         * test262/test/built-ins/Atomics/wait/object-for-timeout-agent.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/false-for-timeout.js.
615         (getReport):
616         (262.agent.start.valueOf.valueOf):
617         (toString.toString):
618         (toPrimitive.Symbol.toPrimitive):
619         (262.agent.receiveBroadcast):
620         * test262/test/built-ins/Atomics/wait/object-for-timeout.js:
621         (valueOf.valueOf):
622         (toString.toString):
623         (toPrimitive.Symbol.toPrimitive):
624         (getReport): Deleted.
625         (262.agent.start.262.agent.receiveBroadcast): Deleted.
626         * test262/test/built-ins/Atomics/wait/out-of-range-index-throws.js:
627         * test262/test/built-ins/Atomics/wait/poisoned-object-for-timeout-throws-agent.js: Added.
628         (getReport):
629         (262.agent.start.poisonedValueOf.valueOf):
630         (poisonedToPrimitive.Symbol.toPrimitive):
631         (262.agent.receiveBroadcast):
632         * test262/test/built-ins/Atomics/wait/poisoned-object-for-timeout-throws.js:
633         (poisonedValueOf.valueOf):
634         (poisonedToPrimitive.Symbol.toPrimitive):
635         (getReport): Deleted.
636         (262.agent.start.262.agent.receiveBroadcast): Deleted.
637         * test262/test/built-ins/Atomics/wait/symbol-for-index-throws-agent.js: Added.
638         (getReport):
639         (262.agent.start.poisonedValueOf.valueOf):
640         (poisonedToPrimitive.Symbol.toPrimitive):
641         (262.agent.receiveBroadcast):
642         * test262/test/built-ins/Atomics/wait/symbol-for-index-throws.js:
643         (poisonedToPrimitive.Symbol.toPrimitive):
644         (poisoned.valueOf): Deleted.
645         (poisonedWithString.get valueOf): Deleted.
646         (poisonedToPrimitive.get Symbol): Deleted.
647         * test262/test/built-ins/Atomics/wait/symbol-for-timeout-throws-agent.js: Added.
648         (getReport):
649         (262.agent.start.262.agent.receiveBroadcast):
650         * test262/test/built-ins/Atomics/wait/symbol-for-timeout-throws.js:
651         (poisonedValueOf.valueOf):
652         (poisonedToPrimitive.Symbol.toPrimitive):
653         (getReport): Deleted.
654         (262.agent.start.262.agent.receiveBroadcast): Deleted.
655         * test262/test/built-ins/Atomics/wait/symbol-for-value-throws-agent.js: Added.
656         (getReport):
657         (262.agent.start.poisonedValueOf.valueOf):
658         (poisonedToPrimitive.Symbol.toPrimitive):
659         (262.agent.receiveBroadcast):
660         * test262/test/built-ins/Atomics/wait/symbol-for-value-throws.js: Added.
661         (poisonedValueOf.valueOf):
662         (poisonedToPrimitive.Symbol.toPrimitive):
663         * test262/test/built-ins/Atomics/wait/true-for-timeout-agent.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/null-for-timeout.js.
664         (getReport):
665         (262.agent.start.valueOf.valueOf):
666         (toPrimitive.Symbol.toPrimitive):
667         (262.agent.receiveBroadcast):
668         * test262/test/built-ins/Atomics/wait/true-for-timeout.js:
669         (valueOf.valueOf):
670         (toPrimitive.Symbol.toPrimitive):
671         (getReport): Deleted.
672         (262.agent.start.262.agent.receiveBroadcast): Deleted.
673         * test262/test/built-ins/Atomics/wait/undefined-for-timeout.js:
674         (getReport):
675         * test262/test/built-ins/Atomics/wait/undefined-index-defaults-to-zero.js:
676         (262.agent.start.262.agent.receiveBroadcast):
677         (getReport):
678         * test262/test/built-ins/Atomics/wait/value-not-equal.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/wait-index-value-not-equal.js.
679         (getReport):
680         (262.agent.start.262.agent.receiveBroadcast):
681         * test262/test/built-ins/Atomics/wait/wait-index-value-not-equal.js:
682         (262.agent.start.262.agent.receiveBroadcast):
683         * test262/test/built-ins/Atomics/wait/waiterlist-block-indexedposition-wake.js: Added.
684         (getReport):
685         (262.agent.start.262.agent.receiveBroadcast):
686         * test262/test/built-ins/Atomics/wait/waiterlist-order-of-operations-is-fifo.js: Added.
687         (getReport):
688         (262.agent.start.262.agent.receiveBroadcast):
689         * test262/test/built-ins/Atomics/wait/was-woken-before-timeout.js:
690         (getReport):
691         (262.agent.start.262.agent.receiveBroadcast):
692         * test262/test/built-ins/Atomics/wait/was-woken.js:
693         (getReport):
694         (262.agent.start.262.agent.receiveBroadcast):
695         * test262/test/built-ins/Atomics/wake/bad-range.js:
696         (testWithTypedArrayConstructors):
697         * test262/test/built-ins/Atomics/wake/count-boundary-cases.js: Renamed from JSTests/test262/test/built-ins/Atomics/wake/counts.js.
698         * test262/test/built-ins/Atomics/wake/count-defaults-to-infinity-missing.js: Added.
699         (getReport):
700         (262.agent.start.262.agent.receiveBroadcast):
701         * test262/test/built-ins/Atomics/wake/count-defaults-to-infinity-undefined.js: Added.
702         (getReport):
703         (262.agent.start.262.agent.receiveBroadcast):
704         * test262/test/built-ins/Atomics/wake/count-from-nans.js: Added.
705         * test262/test/built-ins/Atomics/wake/count-symbol-throws.js: Added.
706         * test262/test/built-ins/Atomics/wake/count-tointeger-throws-then-wake-throws.js: Added.
707         (poisoned.valueOf):
708         * test262/test/built-ins/Atomics/wake/good-views.js:
709         * test262/test/built-ins/Atomics/wake/negative-count.js: Renamed from JSTests/test262/test/built-ins/Atomics/wake/wake-negative.js.
710         * test262/test/built-ins/Atomics/wake/negative-index-throws.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/negative-index-throws.js.
711         (poisoned.valueOf):
712         * test262/test/built-ins/Atomics/wake/non-int32-typedarray-throws.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/non-int32-typedarray-throws.js.
713         (poisoned.valueOf):
714         * test262/test/built-ins/Atomics/wake/non-shared-bufferdata-throws.js: Renamed from JSTests/test262/test/built-ins/Atomics/wait/nonshared-bufferdata-throws.js.
715         (poisoned.valueOf):
716         * test262/test/built-ins/Atomics/wake/non-views.js:
717         * test262/test/built-ins/Atomics/wake/nonshared-int-views.js:
718         (testWithTypedArrayConstructors):
719         * test262/test/built-ins/Atomics/wake/not-a-typedarray-throws.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/not-a-typedarray-throws.js.
720         (poisoned.valueOf):
721         * test262/test/built-ins/Atomics/wake/not-an-object-throws.js: Added.
722         (poisoned.valueOf):
723         * test262/test/built-ins/Atomics/wake/null-bufferdata-throws.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/null-bufferdata-throws.js.
724         (poisoned.valueOf):
725         * test262/test/built-ins/Atomics/wake/out-of-range-index-throws.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/out-of-range-index-throws.js.
726         (poisoned.valueOf):
727         * test262/test/built-ins/Atomics/wake/shared-nonint-views.js:
728         (testWithTypedArrayConstructors):
729         * test262/test/built-ins/Atomics/wake/symbol-for-index-throws.js: Added.
730         (poisonedValueOf.valueOf):
731         (poisonedToPrimitive.Symbol.toPrimitive):
732         * test262/test/built-ins/Atomics/wake/undefined-index-defaults-to-zero.js: Copied from JSTests/test262/test/built-ins/Atomics/wait/undefined-index-defaults-to-zero.js.
733         (262.agent.start.262.agent.receiveBroadcast):
734         (getReport):
735         * test262/test/built-ins/Atomics/wake/wake-all-on-loc.js:
736         (262.agent.start.262.agent.receiveBroadcast):
737         (getReport):
738         (waitUntil):
739         * test262/test/built-ins/Atomics/wake/wake-all.js:
740         (262.agent.start.262.agent.receiveBroadcast):
741         (getReport):
742         (waitUntil):
743         * test262/test/built-ins/Atomics/wake/wake-in-order.js:
744         (getReport):
745         (waitUntil):
746         * test262/test/built-ins/Atomics/wake/wake-nan.js:
747         (getReport):
748         * test262/test/built-ins/Atomics/wake/wake-one.js:
749         (getReport):
750         (waitUntil):
751         * test262/test/built-ins/Atomics/wake/wake-rewake-noop.js: Added.
752         (getReport):
753         (waitUntil):
754         (262.agent.start.262.agent.receiveBroadcast):
755         * test262/test/built-ins/Atomics/wake/wake-two.js:
756         (getReport):
757         * test262/test/built-ins/Atomics/wake/wake-with-no-agents-waiting.js: Added.
758         (262.agent.start.262.agent.receiveBroadcast):
759         (waitUntil):
760         * test262/test/built-ins/Atomics/wake/wake-with-no-matching-agents-waiting.js: Added.
761         (262.agent.start.262.agent.receiveBroadcast):
762         (waitUntil):
763         * test262/test/built-ins/Atomics/wake/wake-zero.js:
764         (i.262.agent.start.262.agent.receiveBroadcast):
765         (getReport):
766         (waitUntil):
767         * test262/test/built-ins/Atomics/xor/bad-range.js:
768         (testWithTypedArrayConstructors):
769         * test262/test/built-ins/Atomics/xor/good-views.js:
770         (testWithTypedArrayConstructors):
771         * test262/test/built-ins/Atomics/xor/non-views.js:
772         * test262/test/built-ins/Atomics/xor/nonshared-int-views.js:
773         (testWithTypedArrayConstructors):
774         * test262/test/built-ins/Atomics/xor/shared-nonint-views.js:
775         (testWithTypedArrayConstructors):
776         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint-errors.js:
777         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint-toprimitive.js:
778         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint-wrapped-values.js:
779         * test262/test/built-ins/BigInt/asIntN/bits-toindex-errors.js:
780         * test262/test/built-ins/BigInt/asIntN/bits-toindex-toprimitive.js:
781         * test262/test/built-ins/BigInt/asIntN/bits-toindex-wrapped-values.js:
782         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint-errors.js:
783         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint-toprimitive.js:
784         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint-wrapped-values.js:
785         * test262/test/built-ins/BigInt/asUintN/bits-toindex-errors.js:
786         * test262/test/built-ins/BigInt/asUintN/bits-toindex-toprimitive.js:
787         * test262/test/built-ins/BigInt/asUintN/bits-toindex-wrapped-values.js:
788         * test262/test/built-ins/BigInt/constructor-empty-string.js:
789         * test262/test/built-ins/BigInt/constructor-from-binary-string.js:
790         * test262/test/built-ins/BigInt/constructor-from-decimal-string.js:
791         * test262/test/built-ins/BigInt/constructor-from-hex-string.js:
792         * test262/test/built-ins/BigInt/constructor-from-octal-string.js:
793         * test262/test/built-ins/BigInt/constructor-from-string-syntax-errors.js:
794         * test262/test/built-ins/BigInt/constructor-integer.js: Added.
795         * test262/test/built-ins/BigInt/constructor-trailing-leading-spaces.js:
796         * test262/test/built-ins/BigInt/issafeinteger-true.js: Removed.
797         * test262/test/built-ins/BigInt/out-of-bounds-integer-rangeerror.js: Removed.
798         * test262/test/built-ins/BigInt/prototype/Symbol.toStringTag.js:
799         * test262/test/built-ins/BigInt/prototype/toString/default-radix.js: Added.
800         * test262/test/built-ins/BigInt/prototype/toString/thisbigintvalue-not-valid-throws.js:
801         * test262/test/built-ins/BigInt/prototype/valueOf/cross-realm.js: Added.
802         * test262/test/built-ins/BigInt/tostring-throws.js: Copied from JSTests/test262/test/built-ins/BigInt/value-of-throws.js.
803         * test262/test/built-ins/BigInt/valueof-throws.js: Renamed from JSTests/test262/test/built-ins/BigInt/value-of-throws.js.
804         (BigInt.valueOf):
805         * test262/test/built-ins/DataView/prototype/setBigInt64/set-values-return-undefined.js:
806         (values.forEach):
807         * test262/test/built-ins/Function/prototype/bind/length-exceeds-int32.js: Added.
808         (f):
809         * test262/test/built-ins/Function/prototype/toString/anonymous-intrinsics.js: Removed.
810         * test262/test/built-ins/Function/prototype/toString/bound-function.js:
811         (assertNativeFunction):
812         (let.f): Deleted.
813         * test262/test/built-ins/Function/prototype/toString/built-in-function-object.js: Added.
814         * test262/test/built-ins/Function/prototype/toString/intrinsics.js: Removed.
815         * test262/test/built-ins/Function/prototype/toString/proxy-arrow-function.js: Added.
816         (assertNativeFunction.new.Proxy):
817         * test262/test/built-ins/Function/prototype/toString/proxy-async-function.js: Added.
818         (assertNativeFunction.new.Proxy.async):
819         * test262/test/built-ins/Function/prototype/toString/proxy-async-generator-function.js: Added.
820         (assertNativeFunction.new.Proxy.async):
821         * test262/test/built-ins/Function/prototype/toString/proxy-async-generator-method-definition.js: Added.
822         (assertNativeFunction.new.Proxy.async.method):
823         (apply):
824         * test262/test/built-ins/Function/prototype/toString/proxy-async-method-definition.js: Added.
825         (assertNativeFunction.new.Proxy.async.method):
826         (apply):
827         * test262/test/built-ins/Function/prototype/toString/proxy-bound-function.js: Added.
828         (assertNativeFunction.new.Proxy):
829         (bind):
830         * test262/test/built-ins/Function/prototype/toString/proxy-class.js: Added.
831         (assertNativeFunction):
832         * test262/test/built-ins/Function/prototype/toString/proxy-function-expression.js: Added.
833         (assertNativeFunction.new.Proxy):
834         * test262/test/built-ins/Function/prototype/toString/proxy-generator-function.js: Added.
835         (assertNativeFunction.new.Proxy):
836         * test262/test/built-ins/Function/prototype/toString/proxy-method-definition.js: Added.
837         (assertNativeFunction.new.Proxy.method):
838         (apply):
839         * test262/test/built-ins/Function/prototype/toString/proxy-non-callable-throws.js: Added.
840         * test262/test/built-ins/Function/prototype/toString/proxy.js: Removed.
841         * test262/test/built-ins/Function/prototype/toString/well-known-intrinsic-object-functions.js: Added.
842         (WellKnownIntrinsicObjects.forEach):
843         * test262/test/built-ins/JSON/prop-desc.js: Added.
844         * test262/test/built-ins/Math/acosh/nan-returns.js:
845         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
846         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
847         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
848         * test262/test/built-ins/Math/cbrt/prop-desc.js:
849         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
850         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
851         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
852         * test262/test/built-ins/Math/log2/log2-basicTests.js:
853         * test262/test/built-ins/Math/prop-desc.js:
854         * test262/test/built-ins/Math/sign/sign-specialVals.js:
855         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
856         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
857         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
858         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
859         * test262/test/built-ins/Object/assign/strings-and-symbol-order.js: Added.
860         * test262/test/built-ins/Object/keys/property-traps-order-with-proxied-array.js: Added.
861         (get t):
862         * test262/test/built-ins/Reflect/Reflect.js: Removed.
863         * test262/test/built-ins/Reflect/prop-desc.js: Added.
864         * test262/test/built-ins/Reflect/properties.js: Removed.
865         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/internal-regexp-lastindex-not-zero.js: Added.
866         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/isregexp-internal-regexp-is-false.js: Added.
867         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/isregexp-internal-regexp-throws.js: Added.
868         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/isregexp-this-throws.js: Added.
869         (obj.get Symbol):
870         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/length.js: Added.
871         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/name.js: Added.
872         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/prop-desc.js: Added.
873         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/regexpcreate-this-throws.js: Added.
874         (obj.toString):
875         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor-get-constructor-throws.js: Added.
876         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor-get-species-throws.js: Added.
877         (regexp.get Symbol):
878         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor-is-not-object-throws.js: Added.
879         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor-is-undefined.js: Added.
880         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor-species-is-not-constructor.js: Added.
881         (callMatchAll):
882         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor-species-is-null-or-undefined.js: Added.
883         (TestWithConstructor):
884         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor-species-throws.js: Added.
885         (regexp.Symbol.species):
886         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-constructor.js: Added.
887         (regexp.Symbol.species):
888         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-regexp-get-global-throws.js: Added.
889         (regexp.Symbol.species):
890         (get assert):
891         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/species-regexp-get-unicode-throws.js: Added.
892         (regexp.Symbol.species):
893         (get assert):
894         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/string-tostring-throws.js: Added.
895         (obj.valueOf):
896         (obj.toString):
897         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/string-tostring.js: Added.
898         (obj.toString):
899         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/this-get-flags-throws.js: Added.
900         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/this-get-flags.js: Added.
901         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/this-lastindex-cached.js: Added.
902         (regexp.lastIndex.valueOf):
903         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/this-not-object-throws.js: Added.
904         (callMatchAll):
905         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/this-tolength-lastindex-throws.js: Added.
906         (regexp.lastIndex.valueOf):
907         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/this-tostring-flags-throws.js: Added.
908         (value.valueOf):
909         (value.toString):
910         * test262/test/built-ins/RegExp/prototype/Symbol.matchAll/this-tostring-flags.js: Added.
911         (value.toString):
912         * test262/test/built-ins/RegExpStringIteratorPrototype/Symbol.toStringTag.js: Added.
913         * test262/test/built-ins/RegExpStringIteratorPrototype/ancestry.js: Added.
914         * test262/test/built-ins/RegExpStringIteratorPrototype/next/custom-regexpexec-call-throws.js: Added.
915         (RegExp.prototype.exec):
916         * test262/test/built-ins/RegExpStringIteratorPrototype/next/custom-regexpexec-get-throws.js: Added.
917         * test262/test/built-ins/RegExpStringIteratorPrototype/next/custom-regexpexec-match-get-0-throws.js: Added.
918         (return.get string_appeared_here):
919         (RegExp.prototype.exec):
920         * test262/test/built-ins/RegExpStringIteratorPrototype/next/custom-regexpexec-match-get-0-tostring-throws.js: Added.
921         (return.toString):
922         (RegExp.prototype.exec):
923         * test262/test/built-ins/RegExpStringIteratorPrototype/next/custom-regexpexec-match-get-0-tostring.js: Added.
924         (execResult.get string_appeared_here):
925         (RegExp.prototype.exec):
926         * test262/test/built-ins/RegExpStringIteratorPrototype/next/custom-regexpexec-not-callable.js: Added.
927         (TestWithRegExpExec):
928         * test262/test/built-ins/RegExpStringIteratorPrototype/next/custom-regexpexec.js: Added.
929         (callNextWithExecReturnValue.RegExp.prototype.exec):
930         (callNextWithExecReturnValue):
931         * test262/test/built-ins/RegExpStringIteratorPrototype/next/length.js: Added.
932         * test262/test/built-ins/RegExpStringIteratorPrototype/next/name.js: Added.
933         * test262/test/built-ins/RegExpStringIteratorPrototype/next/next-iteration-global.js: Added.
934         * test262/test/built-ins/RegExpStringIteratorPrototype/next/next-iteration.js: Added.
935         * test262/test/built-ins/RegExpStringIteratorPrototype/next/next-missing-internal-slots.js: Added.
936         * test262/test/built-ins/RegExpStringIteratorPrototype/next/prop-desc.js: Added.
937         * test262/test/built-ins/RegExpStringIteratorPrototype/next/regexp-tolength-lastindex-throws.js: Added.
938         (RegExp.prototype.exec):
939         * test262/test/built-ins/RegExpStringIteratorPrototype/next/this-is-not-object-throws.js: Added.
940         (callNext):
941         * test262/test/built-ins/String/prototype/matchAll/length.js: Added.
942         * test262/test/built-ins/String/prototype/matchAll/name.js: Added.
943         * test262/test/built-ins/String/prototype/matchAll/prop-desc.js: Added.
944         * test262/test/built-ins/String/prototype/matchAll/regexp-get-matchAll-throws.js: Added.
945         * test262/test/built-ins/String/prototype/matchAll/regexp-is-null.js: Added.
946         * test262/test/built-ins/String/prototype/matchAll/regexp-is-undefined.js: Added.
947         * test262/test/built-ins/String/prototype/matchAll/regexp-matchAll-invocation.js: Added.
948         (obj.Symbol.matchAll):
949         * test262/test/built-ins/String/prototype/matchAll/regexp-matchAll-throws.js: Added.
950         (regexp.Symbol.matchAll):
951         * test262/test/built-ins/String/prototype/matchAll/regexp-prototype-get-matchAll-throws.js: Added.
952         * test262/test/built-ins/String/prototype/matchAll/regexp-prototype-has-no-matchAll.js: Added.
953         * test262/test/built-ins/String/prototype/matchAll/regexp-prototype-matchAll-invocation.js: Added.
954         (RegExp.prototype.Symbol.matchAll):
955         * test262/test/built-ins/String/prototype/matchAll/regexp-prototype-matchAll-throws.js: Added.
956         (RegExp.prototype.Symbol.matchAll):
957         * test262/test/built-ins/String/prototype/matchAll/this-val-non-obj-coercible.js: Added.
958         * test262/test/built-ins/Symbol/matchAll/cross-realm.js: Added.
959         * test262/test/built-ins/Symbol/matchAll/prop-desc.js: Added.
960         * test262/test/harness/testTypedArray.js:
961         * test262/test/intl402/Array/prototype/toLocaleString/calls-toLocaleString-number-elements.js: Added.
962         * test262/test/intl402/Intl/getCanonicalLocales/invalid-tags.js:
963         * test262/test/intl402/Locale/constructor-newtarget-undefined.js: Added.
964         * test262/test/intl402/Locale/constructor-options-calendar-invalid.js: Added.
965         (const.invalidCalendarOption.of.invalidCalendarOptions.new.Intl.Locale):
966         * test262/test/intl402/Locale/constructor-options-calendar-valid.js: Added.
967         * test262/test/intl402/Locale/constructor-options-language-invalid.js: Added.
968         (const.invalidLanguageOption.of.invalidLanguageOptions.new.Intl.Locale):
969         * test262/test/intl402/Locale/constructor-options-language-valid.js: Added.
970         (toString):
971         * test262/test/intl402/Locale/constructor-options-region-invalid.js: Added.
972         (const.invalidRegionOption.of.invalidRegionOptions.new.Intl.Locale):
973         * test262/test/intl402/Locale/constructor-options-region-valid.js: Added.
974         * test262/test/intl402/Locale/constructor-options-script-invalid.js: Added.
975         (const.invalidScriptOption.of.invalidScriptOptions.new.Intl.Locale):
976         * test262/test/intl402/Locale/constructor-options-script-valid.js: Added.
977         (toString):
978         * test262/test/intl402/Locale/function-prototype.js: Added.
979         * test262/test/intl402/Locale/instance-extensibility.js: Added.
980         * test262/test/intl402/Locale/instance.js: Added.
981         * test262/test/intl402/Locale/invalid-tag-throws-boolean.js: Added.
982         * test262/test/intl402/Locale/invalid-tag-throws-null.js: Added.
983         * test262/test/intl402/Locale/invalid-tag-throws-number.js: Added.
984         * test262/test/intl402/Locale/invalid-tag-throws-symbol.js: Added.
985         * test262/test/intl402/Locale/invalid-tag-throws-undefined.js: Added.
986         * test262/test/intl402/Locale/invalid-tag-throws.js: Added.
987         (const.invalidTag.of.getInvalidLanguageTags):
988         * test262/test/intl402/Locale/length.js: Added.
989         * test262/test/intl402/Locale/name.js: Added.
990         * test262/test/intl402/Locale/prop-desc.js: Added.
991         * test262/test/intl402/Locale/prototype/constructor.js: Added.
992         * test262/test/intl402/Locale/prototype/maximize/length.js: Added.
993         * test262/test/intl402/Locale/prototype/maximize/name.js: Added.
994         * test262/test/intl402/Locale/prototype/maximize/prop-desc.js: Added.
995         * test262/test/intl402/Locale/prototype/prop-desc.js: Added.
996         * test262/test/intl402/Locale/prototype/toStringTag.js: Added.
997         * test262/test/intl402/TypedArray/prototype/toLocaleString/calls-toLocaleString-number-elements.js: Added.
998         (testWithTypedArrayConstructors):
999         * test262/test/language/asi/S7.9_A11_T8.js:
1000         (else.x.1): Deleted.
1001         * test262/test/language/asi/S7.9_A4.js:
1002         (catch):
1003         * test262/test/language/asi/S7.9_A5.1_T1.js:
1004         * test262/test/language/asi/S7.9_A5.3_T1.js:
1005         * test262/test/language/block-scope/syntax/redeclaration/function-declaration-attempt-to-redeclare-with-var-declaration-nested-in-function.js: Added.
1006         (g.f):
1007         (g):
1008         * test262/test/language/destructuring/binding/initialization-requires-object-coercible-null.js:
1009         * test262/test/language/destructuring/binding/initialization-requires-object-coercible-undefined.js:
1010         * test262/test/language/destructuring/binding/initialization-returns-normal-completion-for-empty-objects.js:
1011         * test262/test/language/destructuring/binding/syntax/array-elements-with-initializer.js:
1012         * test262/test/language/destructuring/binding/syntax/array-elements-with-object-patterns.js:
1013         * test262/test/language/destructuring/binding/syntax/array-elements-without-initializer.js:
1014         * test262/test/language/destructuring/binding/syntax/array-pattern-with-elisions.js:
1015         * test262/test/language/destructuring/binding/syntax/array-pattern-with-no-elements.js:
1016         * test262/test/language/destructuring/binding/syntax/array-rest-elements.js:
1017         * test262/test/language/destructuring/binding/syntax/object-pattern-with-no-property-list.js:
1018         * test262/test/language/destructuring/binding/syntax/property-list-bindings-elements.js:
1019         * test262/test/language/destructuring/binding/syntax/property-list-followed-by-a-single-comma.js:
1020         * test262/test/language/destructuring/binding/syntax/property-list-single-name-bindings.js:
1021         * test262/test/language/destructuring/binding/syntax/property-list-with-property-list.js:
1022         * test262/test/language/destructuring/binding/syntax/recursive-array-and-object-patterns.js:
1023         * test262/test/language/eval-code/direct/block-decl-eval-source-is-strict-nostrict.js: Copied from JSTests/test262/test/language/eval-code/direct/block-decl-strict-source.js.
1024         * test262/test/language/eval-code/direct/block-decl-eval-source-is-strict-onlystrict.js: Renamed from JSTests/test262/test/language/eval-code/direct/block-decl-strict-source.js.
1025         (catch):
1026         * test262/test/language/eval-code/direct/block-decl-onlystrict.js: Renamed from JSTests/test262/test/language/eval-code/direct/block-decl-strict-caller.js.
1027         * test262/test/language/eval-code/direct/switch-case-decl-eval-source-is-strict-nostrict.js: Renamed from JSTests/test262/test/language/eval-code/direct/switch-case-decl-strict-source.js.
1028         * test262/test/language/eval-code/direct/switch-case-decl-eval-source-is-strict-onlystrict.js: Copied from JSTests/test262/test/language/eval-code/direct/switch-case-decl-strict-caller.js.
1029         (catch):
1030         * test262/test/language/eval-code/direct/switch-case-decl-onlystrict.js: Renamed from JSTests/test262/test/language/eval-code/direct/switch-case-decl-strict-caller.js.
1031         * test262/test/language/eval-code/direct/switch-dflt-decl-eval-source-is-strict-nostrict.js: Renamed from JSTests/test262/test/language/eval-code/direct/switch-dflt-decl-strict-source.js.
1032         * test262/test/language/eval-code/direct/switch-dflt-decl-eval-source-is-strict-onlystrict.js: Copied from JSTests/test262/test/language/eval-code/direct/switch-dflt-decl-strict-caller.js.
1033         (catch):
1034         * test262/test/language/eval-code/direct/switch-dflt-decl-onlystrict.js: Renamed from JSTests/test262/test/language/eval-code/direct/switch-dflt-decl-strict-caller.js.
1035         * test262/test/language/expressions/async-arrow-function/await-as-param-ident-nested-arrow-parameter-position.js: Added.
1036         (async):
1037         * test262/test/language/expressions/async-arrow-function/await-as-param-nested-arrow-body-position.js: Added.
1038         (async):
1039         * test262/test/language/expressions/async-arrow-function/await-as-param-nested-arrow-parameter-position.js: Added.
1040         (async.a):
1041         * test262/test/language/expressions/async-arrow-function/await-as-param-rest-nested-arrow-parameter-position.js: Added.
1042         (async.a):
1043         * test262/test/language/expressions/async-arrow-function/escaped-async-line-terminator.js: Added.
1044         * test262/test/language/expressions/async-generator/generator-created-after-decl-inst.js: Added.
1045         (g.async.a):
1046         * test262/test/language/expressions/class/class-name-ident-await-escaped-module.js: Added.
1047         (C):
1048         * test262/test/language/expressions/class/class-name-ident-await-escaped.js: Added.
1049         (C):
1050         * test262/test/language/expressions/class/class-name-ident-await-module.js: Added.
1051         (C):
1052         * test262/test/language/expressions/class/class-name-ident-await.js: Added.
1053         (C):
1054         * test262/test/language/expressions/class/class-name-ident-let-escaped.js: Added.
1055         (C):
1056         * test262/test/language/expressions/class/class-name-ident-let.js: Added.
1057         (C):
1058         * test262/test/language/expressions/class/class-name-ident-static-escaped.js: Added.
1059         (C):
1060         * test262/test/language/expressions/class/class-name-ident-static.js: Added.
1061         * test262/test/language/expressions/class/class-name-ident-yield-escaped.js: Added.
1062         (C):
1063         * test262/test/language/expressions/class/class-name-ident-yield.js: Added.
1064         (C):
1065         * test262/test/language/expressions/class/constructor-this-tdz-during-initializers.js: Added.
1066         (Base):
1067         (C):
1068         * test262/test/language/expressions/class/fields-run-once-on-double-super.js: Added.
1069         (Base):
1070         (C):
1071         * test262/test/language/expressions/generators/generator-created-after-decl-inst.js: Added.
1072         (g):
1073         * test262/test/language/expressions/greater-than-or-equal/bigint-and-incomparable-string.js: Added.
1074         * test262/test/language/expressions/greater-than-or-equal/bigint-and-string.js: Added.
1075         * test262/test/language/expressions/greater-than/bigint-and-boolean.js: Added.
1076         * test262/test/language/expressions/greater-than/bigint-and-incomparable-string.js: Added.
1077         * test262/test/language/expressions/greater-than/bigint-and-string.js: Added.
1078         * test262/test/language/expressions/less-than-or-equal/bigint-and-incomparable-string.js: Added.
1079         * test262/test/language/expressions/less-than-or-equal/bigint-and-string.js: Added.
1080         * test262/test/language/expressions/less-than/bigint-and-boolean.js: Added.
1081         * test262/test/language/expressions/less-than/bigint-and-incomparable-string.js: Added.
1082         * test262/test/language/expressions/less-than/bigint-and-string.js: Added.
1083         * test262/test/language/expressions/object/method-definition/generator-super-prop-param.js:
1084         * test262/test/language/function-code/block-decl-onlystrict.js: Renamed from JSTests/test262/test/language/function-code/block-decl-strict.js.
1085         * test262/test/language/function-code/switch-case-decl-onlystrict.js: Renamed from JSTests/test262/test/language/function-code/switch-case-decl-strict.js.
1086         * test262/test/language/function-code/switch-dflt-decl-onlystrict.js: Renamed from JSTests/test262/test/language/function-code/switch-dflt-decl-strict.js.
1087         * test262/test/language/line-terminators/S7.3_A2.3.js: Removed.
1088         * test262/test/language/line-terminators/S7.3_A2.4.js: Removed.
1089         * test262/test/language/literals/regexp/invalid-optional-lookbehind.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1090         * test262/test/language/literals/regexp/invalid-optional-negative-lookbehind.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1091         * test262/test/language/literals/regexp/invalid-range-lookbehind.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1092         * test262/test/language/literals/regexp/invalid-range-negative-lookbehind.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1093         * test262/test/language/literals/regexp/u-invalid-optional-lookahead.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1094         * test262/test/language/literals/regexp/u-invalid-optional-lookbehind.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1095         * test262/test/language/literals/regexp/u-invalid-optional-negative-lookahead.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1096         * test262/test/language/literals/regexp/u-invalid-optional-negative-lookbehind.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1097         * test262/test/language/literals/regexp/u-invalid-range-lookahead.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1098         * test262/test/language/literals/regexp/u-invalid-range-lookbehind.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1099         * test262/test/language/literals/regexp/u-invalid-range-negative-lookahead.js: Copied from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1100         * test262/test/language/literals/regexp/u-invalid-range-negative-lookbehind.js: Renamed from JSTests/test262/test/language/literals/regexp/u-invalid-quantifiable-assertion.js.
1101         * test262/test/language/literals/string/line-separator-eval.js: Added.
1102         * test262/test/language/literals/string/line-separator.js: Added.
1103         * test262/test/language/literals/string/paragraph-separator-eval.js: Added.
1104         * test262/test/language/literals/string/paragraph-separator.js: Added.
1105         * test262/test/language/module-code/early-strict-mode.js:
1106         * test262/test/language/statements/async-generator/generator-created-after-decl-inst.js: Added.
1107         (async.g):
1108         * test262/test/language/statements/break/S12.8_A8_T1.js:
1109         (catch):
1110         * test262/test/language/statements/break/S12.8_A8_T2.js:
1111         (catch):
1112         * test262/test/language/statements/class/class-name-ident-await-escaped-module.js: Added.
1113         (aw):
1114         * test262/test/language/statements/class/class-name-ident-await-escaped.js: Added.
1115         (aw):
1116         * test262/test/language/statements/class/class-name-ident-await-module.js: Added.
1117         (await):
1118         * test262/test/language/statements/class/class-name-ident-await.js: Added.
1119         (await):
1120         * test262/test/language/statements/class/class-name-ident-let-escaped.js: Added.
1121         (l):
1122         * test262/test/language/statements/class/class-name-ident-let.js: Added.
1123         (let):
1124         * test262/test/language/statements/class/class-name-ident-static-escaped.js: Added.
1125         (st):
1126         * test262/test/language/statements/class/class-name-ident-static.js: Added.
1127         * test262/test/language/statements/class/class-name-ident-yield-escaped.js: Added.
1128         (yi):
1129         * test262/test/language/statements/class/class-name-ident-yield.js: Added.
1130         (yield):
1131         * test262/test/language/statements/continue/S12.7_A8_T1.js:
1132         (catch):
1133         * test262/test/language/statements/continue/S12.7_A8_T2.js:
1134         (catch):
1135         * test262/test/language/statements/generators/generator-created-after-decl-inst.js: Added.
1136         (g):
1137         * test262/test/language/statements/try/early-catch-duplicates.js:
1138         * test262/test/language/statements/try/early-catch-function.js: Added.
1139         (f.catch.e):
1140         (f):
1141         * test262/test/language/statements/try/early-catch-lex.js:
1142         * test262/test/language/statements/try/early-catch-var.js:
1143         * test262/test262-Revision.txt:
1144
1145 2018-05-09  Caio Lima  <ticaiolima@gmail.com>
1146
1147         [ESNext][BigInt] Implement support for "==" operation
1148         https://bugs.webkit.org/show_bug.cgi?id=184474
1149
1150         Reviewed by Yusuke Suzuki.
1151
1152         * stress/big-int-equals-basic.js: Added.
1153         * stress/big-int-equals-to-primitive-precedence.js: Added.
1154         * stress/big-int-equals-wrapped-value.js: Added.
1155
1156 2018-05-08  Valerie R Young  <valerie@bocoup.com>
1157
1158         test262/Runner.pm: move input files to JSTests/test262
1159         https://bugs.webkit.org/show_bug.cgi?id=185389
1160
1161         Reviewed by Michael Saboff.
1162
1163         * test262/config.yaml: Renamed from Tools/Scripts/test262/config.yaml.
1164         * test262/expectations.yaml: Renamed from Tools/Scripts/test262/expectations.yaml.
1165
1166 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
1167
1168         DFG AI should have O(1) clobbering
1169         https://bugs.webkit.org/show_bug.cgi?id=185287
1170
1171         Reviewed by Saam Barati.
1172
1173         * stress/simple-ai-effect.js: Added.
1174         (bar):
1175         (foo):
1176
1177 2018-05-04  Keith Miller  <keith_miller@apple.com>
1178
1179         isCacheableArrayLength should return true for undecided arrays
1180         https://bugs.webkit.org/show_bug.cgi?id=185309
1181
1182         Reviewed by Michael Saboff.
1183
1184         * stress/get-array-length-undecided.js: Added.
1185         (test):
1186
1187 2018-05-04  Dominik Infuehr  <dinfuehr@igalia.com>
1188
1189         Disable tests on systems with limited memory
1190         https://bugs.webkit.org/show_bug.cgi?id=185296
1191
1192         Reviewed by Saam Barati.
1193
1194         Test doesn't work with a limited amount of memory. I tried to reduce memory usage
1195         but then it was hard to reproduce the failure the test was originally made to test.
1196
1197         * stress/array-reverse-doesnt-clobber.js:
1198
1199 2018-05-03  Saam Barati  <sbarati@apple.com>
1200
1201         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
1202         https://bugs.webkit.org/show_bug.cgi?id=185177
1203
1204         Reviewed by Filip Pizlo.
1205
1206         * microbenchmarks/construct-poly-proto-object.js: Added.
1207         (foo.A):
1208         (foo):
1209         * stress/allocation-sinking-new-object-with-poly-proto.js: Added.
1210         (foo.A):
1211         (foo):
1212         (makePolyProto):
1213         (bar):
1214         (baz):
1215
1216 2018-05-03  Michael Saboff  <msaboff@apple.com>
1217
1218         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
1219         https://bugs.webkit.org/show_bug.cgi?id=185281
1220
1221         Reviewed by Saam Barati.
1222
1223         New regression test.
1224
1225         * stress/baseline-osrentry-catch-is-reachable.js: Added.
1226         (i.j.catch):
1227
1228 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
1229
1230         Unreviewed, rolling out r231197.
1231
1232         The test added with this change crashes on the 32-bit JSC bot.
1233
1234         Reverted changeset:
1235
1236         "Correctly detect string overflow when using the 'Function'
1237         constructor"
1238         https://bugs.webkit.org/show_bug.cgi?id=184883
1239         https://trac.webkit.org/changeset/231197
1240
1241 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
1242
1243         JSC should know how to cache custom getter accesses on the prototype chain
1244         https://bugs.webkit.org/show_bug.cgi?id=185213
1245
1246         Reviewed by Keith Miller.
1247
1248         * microbenchmarks/get-custom-getter.js: Added.
1249         (test):
1250
1251 2018-05-02  Robin Morisset  <rmorisset@apple.com>
1252
1253         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
1254         https://bugs.webkit.org/show_bug.cgi?id=183172
1255
1256         Reviewed by Filip Pizlo.
1257
1258         * stress/length-of-new-array-with-spread.js: Added.
1259         (foo):
1260         (bar):
1261         (baz):
1262
1263 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1264
1265         [JSC] Add SameValue DFG node
1266         https://bugs.webkit.org/show_bug.cgi?id=185065
1267
1268         Reviewed by Saam Barati.
1269
1270         * microbenchmarks/object-is.js: Added.
1271         (incognito):
1272         (sameValue):
1273         (test1):
1274         (test2):
1275         (test3):
1276         (test4):
1277         (test5):
1278         (test6):
1279         * stress/object-is.js: Added.
1280         (shouldBe):
1281         (is1):
1282         (is2):
1283         (is3):
1284         (is4):
1285         (is5):
1286         (is6):
1287         (is7):
1288         (is8):
1289         (is9):
1290         (is10):
1291         (is11):
1292         (is12):
1293         (is13):
1294         (is14):
1295         (is15):
1296
1297 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1298
1299         Correctly detect string overflow when using the 'Function' constructor
1300         https://bugs.webkit.org/show_bug.cgi?id=184883
1301         <rdar://problem/36320331>
1302
1303         Reviewed by Filip Pizlo.
1304
1305         I put this regression test in the 'slowMicrobenchmarks' directory because it takes nearly 30s to run, and I am not sure where else to put it.
1306
1307         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
1308         (catch):
1309
1310 2018-05-01  Robin Morisset  <rmorisset@apple.com>
1311
1312         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
1313         https://bugs.webkit.org/show_bug.cgi?id=185162
1314
1315         Reviewed by Filip Pizlo.
1316
1317         * stress/incomplete-unicode-locale.js: Added.
1318         (catch):
1319
1320 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
1321
1322         Add SetCallee as DFG-Operation
1323         https://bugs.webkit.org/show_bug.cgi?id=184582
1324
1325         Reviewed by Filip Pizlo.
1326
1327         Added test that runs into infinite loop without updating the callee and
1328         therefore emitting SetCallee in DFG for recursive tail calls.
1329
1330         * stress/closure-recursive-tail-call-infinite-loop.js: Added.
1331         (Foo):
1332         (second):
1333         (first):
1334         (return.closure):
1335         (createClosure):
1336
1337 2018-04-30  Saam Barati  <sbarati@apple.com>
1338
1339         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
1340         https://bugs.webkit.org/show_bug.cgi?id=185149
1341         <rdar://problem/39455917>
1342
1343         Reviewed by Filip Pizlo.
1344
1345         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
1346
1347 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
1348
1349         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
1350         https://bugs.webkit.org/show_bug.cgi?id=185126
1351
1352         Reviewed by Saam Barati.
1353         
1354         I found this bug by accident when I was writing this test for something else.
1355         
1356         This change also speeds up other benchmarks of this case that we already had. They are all called
1357         the licm-dragons tests.
1358
1359         * microbenchmarks/licm-dragons-two-structures.js: Added.
1360         (foo):
1361
1362 2018-04-29  Commit Queue  <commit-queue@webkit.org>
1363
1364         Unreviewed, rolling out r231137.
1365         https://bugs.webkit.org/show_bug.cgi?id=185118
1366
1367         It is breaking Test262 language/expressions/multiplication
1368         /order-of-evaluation.js (Requested by caiolima on #webkit).
1369
1370         Reverted changeset:
1371
1372         "[ESNext][BigInt] Implement support for "*" operation"
1373         https://bugs.webkit.org/show_bug.cgi?id=183721
1374         https://trac.webkit.org/changeset/231137
1375
1376 2018-04-28  Saam Barati  <sbarati@apple.com>
1377
1378         We don't model regexp effects properly
1379         https://bugs.webkit.org/show_bug.cgi?id=185059
1380         <rdar://problem/39736150>
1381
1382         Reviewed by Filip Pizlo.
1383
1384         * stress/regexp-exec-test-effectful-last-index.js: Added.
1385         (assert):
1386         (foo):
1387         (i.regexLastIndex.toString):
1388         (bar):
1389
1390 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
1391
1392         Token misspelled "tocken" in error message string
1393         https://bugs.webkit.org/show_bug.cgi?id=185030
1394
1395         Reviewed by Saam Barati.
1396
1397         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
1398         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
1399         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
1400         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
1401         (testSyntaxError.String.raw.v):
1402         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
1403         (testSyntaxError.String.raw.a):
1404
1405 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
1406
1407         [ESNext][BigInt] Implement support for "*" operation
1408         https://bugs.webkit.org/show_bug.cgi?id=183721
1409
1410         Reviewed by Saam Barati.
1411
1412         * bigIntTests.yaml:
1413         * stress/big-int-mul-jit.js: Added.
1414         * stress/big-int-mul-to-primitive-precedence.js: Added.
1415         * stress/big-int-mul-to-primitive.js: Added.
1416         * stress/big-int-mul-type-error.js: Added.
1417         * stress/big-int-mul-wrapped-value.js: Added.
1418         * stress/big-int-multiplication.js: Added.
1419         * stress/big-int-multiply-memory-stress.js: Added.
1420
1421 2018-04-28  Commit Queue  <commit-queue@webkit.org>
1422
1423         Unreviewed, rolling out r231131.
1424         https://bugs.webkit.org/show_bug.cgi?id=185112
1425
1426         It is breaking Debug build due to unchecked exception
1427         (Requested by caiolima on #webkit).
1428
1429         Reverted changeset:
1430
1431         "[ESNext][BigInt] Implement support for "*" operation"
1432         https://bugs.webkit.org/show_bug.cgi?id=183721
1433         https://trac.webkit.org/changeset/231131
1434
1435 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
1436
1437         [ESNext][BigInt] Implement support for "*" operation
1438         https://bugs.webkit.org/show_bug.cgi?id=183721
1439
1440         Reviewed by Saam Barati.
1441
1442         * bigIntTests.yaml:
1443         * stress/big-int-mul-jit.js: Added.
1444         * stress/big-int-mul-to-primitive-precedence.js: Added.
1445         * stress/big-int-mul-to-primitive.js: Added.
1446         * stress/big-int-mul-type-error.js: Added.
1447         * stress/big-int-mul-wrapped-value.js: Added.
1448         * stress/big-int-multiplication.js: Added.
1449         * stress/big-int-multiply-memory-stress.js: Added.
1450
1451 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
1452
1453         Unreviewed, rolling out r231086.
1454
1455         Caused JSC test failures due to an unchecked exception.
1456
1457         Reverted changeset:
1458
1459         "[ESNext][BigInt] Implement support for "*" operation"
1460         https://bugs.webkit.org/show_bug.cgi?id=183721
1461         https://trac.webkit.org/changeset/231086
1462
1463 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
1464
1465         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
1466
1467         * test262.yaml: Mark tests as passing.
1468
1469 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
1470
1471         [ESNext][BigInt] Implement support for "*" operation
1472         https://bugs.webkit.org/show_bug.cgi?id=183721
1473
1474         Reviewed by Saam Barati.
1475
1476         * bigIntTests.yaml:
1477         * stress/big-int-mul-jit.js: Added.
1478         * stress/big-int-mul-to-primitive-precedence.js: Added.
1479         * stress/big-int-mul-to-primitive.js: Added.
1480         * stress/big-int-mul-type-error.js: Added.
1481         * stress/big-int-mul-wrapped-value.js: Added.
1482         * stress/big-int-multiplication.js: Added.
1483         * stress/big-int-multiply-memory-stress.js: Added.
1484
1485 2018-04-25  Robin Morisset  <rmorisset@apple.com>
1486
1487         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
1488         https://bugs.webkit.org/show_bug.cgi?id=184773
1489         <rdar://problem/37773612>
1490
1491         Reviewed by Filip Pizlo.
1492
1493         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
1494         so I decided to add it to the stress tests nonetheless.
1495
1496         * stress/create-rest-while-having-a-bad-time.js: Added.
1497         (f):
1498         (g):
1499         (h):
1500
1501 2018-04-25  Keith Miller  <keith_miller@apple.com>
1502
1503         Add missing scope release to functionProtoFuncToString
1504         https://bugs.webkit.org/show_bug.cgi?id=184995
1505
1506         Reviewed by Saam Barati.
1507
1508         * stress/function-toString-arrow.js: Added.
1509         (async):
1510
1511 2018-04-24  Keith Miller  <keith_miller@apple.com>
1512
1513         fromCharCode is missing some exception checks
1514         https://bugs.webkit.org/show_bug.cgi?id=184952
1515
1516         Reviewed by Saam Barati.
1517
1518         * stress/fromCharCode-exception-check.js: Added.
1519         (get catch):
1520
1521 2018-04-24  Mark Lam  <mark.lam@apple.com>
1522
1523         Gardening: test fix after r230863.
1524         https://bugs.webkit.org/show_bug.cgi?id=184846
1525         <rdar://problem/39390672>
1526
1527         Not reviewed.
1528
1529         * stress/json-stringified-overflow-2.js:
1530         (catch):
1531         * stress/json-stringified-overflow.js:
1532         (catch):
1533
1534 2018-04-20  JF Bastien  <jfbastien@apple.com>
1535
1536         Handle more JSON stringify OOM
1537         https://bugs.webkit.org/show_bug.cgi?id=184846
1538         <rdar://problem/39390672>
1539
1540         Reviewed by Mark Lam.
1541
1542         * stress/json-stringified-overflow-2.js: Added. Same as the one
1543         below, but with a bigger input which will trigger a different code
1544         path.
1545         (catch):
1546         * stress/json-stringified-overflow.js: Modify the test to only
1547         catch OOM on stringification. not on string creation.
1548
1549 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1550
1551         [WebAssembly][Modules] Import tables in wasm modules
1552         https://bugs.webkit.org/show_bug.cgi?id=184738
1553
1554         Reviewed by JF Bastien.
1555
1556         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
1557         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
1558         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1559         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
1560         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
1561         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1562         * wasm/modules/wasm-imports-wasm-exports.js:
1563         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
1564         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1565         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
1566         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1567
1568 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1569
1570         [WebAssembly][Modules] Import globals from wasm modules
1571         https://bugs.webkit.org/show_bug.cgi?id=184736
1572
1573         Reviewed by JF Bastien.
1574
1575         * wasm.yaml:
1576         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
1577         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
1578         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
1579         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
1580         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
1581         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
1582         * wasm/modules/wasm-imports-wasm-exports.js:
1583         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
1584         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
1585         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
1586         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
1587
1588 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1589
1590         Unreviewed, reland r230697, r230720, and r230724.
1591         https://bugs.webkit.org/show_bug.cgi?id=184600
1592
1593         * wasm.yaml:
1594         * wasm/modules/constant.wasm: Added.
1595         * wasm/modules/constant.wat: Added.
1596         * wasm/modules/default-import-star-error.js: Added.
1597         (then):
1598         * wasm/modules/default-import-star-error/entry.wasm: Added.
1599         * wasm/modules/default-import-star-error/entry.wat: Added.
1600         * wasm/modules/default-import-star-error/t0.js: Added.
1601         * wasm/modules/default-import-star-error/t1.js: Added.
1602         * wasm/modules/default-import-star-error/t2.js: Added.
1603         (export.default.Cocoa):
1604         * wasm/modules/js-wasm-cycle.js: Added.
1605         * wasm/modules/js-wasm-cycle/entry.js: Added.
1606         (from.string_appeared_here.export.return42):
1607         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
1608         * wasm/modules/js-wasm-cycle/sum.wat: Added.
1609         * wasm/modules/js-wasm-function-namespace.js: Added.
1610         (assert.throws):
1611         * wasm/modules/js-wasm-function.js: Added.
1612         (assert.throws):
1613         * wasm/modules/js-wasm-global-namespace.js: Added.
1614         (assert.throws):
1615         * wasm/modules/js-wasm-global.js: Added.
1616         (assert.throws):
1617         * wasm/modules/js-wasm-memory-namespace.js: Added.
1618         (assert.throws):
1619         * wasm/modules/js-wasm-memory.js: Added.
1620         (assert.throws):
1621         * wasm/modules/js-wasm-start.js: Added.
1622         (then):
1623         * wasm/modules/js-wasm-table-namespace.js: Added.
1624         (assert.throws):
1625         * wasm/modules/js-wasm-table.js: Added.
1626         (assert.throws):
1627         * wasm/modules/memory.wasm: Added.
1628         * wasm/modules/memory.wat: Added.
1629         * wasm/modules/run-from-wasm.wasm: Added.
1630         * wasm/modules/run-from-wasm.wat: Added.
1631         * wasm/modules/run-from-wasm/check.js: Added.
1632         (export.check):
1633         * wasm/modules/start.wasm: Added.
1634         * wasm/modules/start.wat: Added.
1635         * wasm/modules/sum.wasm: Added.
1636         * wasm/modules/sum.wat: Added.
1637         * wasm/modules/table.wasm: Added.
1638         * wasm/modules/table.wat: Added.
1639         * wasm/modules/wasm-imports-js-exports.js: Added.
1640         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
1641         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
1642         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
1643         (export.sum):
1644         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
1645         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
1646         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
1647         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
1648         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
1649         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
1650         * wasm/modules/wasm-imports-wasm-exports.js: Added.
1651         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
1652         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
1653         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
1654         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
1655         * wasm/modules/wasm-js-cycle.js: Added.
1656         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
1657         * wasm/modules/wasm-js-cycle/entry.wat: Added.
1658         * wasm/modules/wasm-js-cycle/sum.js: Added.
1659         (from.string_appeared_here.export.sum):
1660         * wasm/modules/wasm-wasm-cycle.js: Added.
1661         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
1662         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
1663         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
1664         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
1665
1666 2018-04-17  Commit Queue  <commit-queue@webkit.org>
1667
1668         Unreviewed, rolling out r230697, r230720, and r230724.
1669         https://bugs.webkit.org/show_bug.cgi?id=184717
1670
1671         These caused multiple failures on the Test262 testers.
1672         (Requested by mlewis13 on #webkit).
1673
1674         Reverted changesets:
1675
1676         "[WebAssembly][Modules] Prototype wasm import"
1677         https://bugs.webkit.org/show_bug.cgi?id=184600
1678         https://trac.webkit.org/changeset/230697
1679
1680         "[WebAssembly][Modules] Implement function import from wasm
1681         modules"
1682         https://bugs.webkit.org/show_bug.cgi?id=184689
1683         https://trac.webkit.org/changeset/230720
1684
1685         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
1686         https://bugs.webkit.org/show_bug.cgi?id=184703
1687         https://trac.webkit.org/changeset/230724
1688
1689 2018-04-17  JF Bastien  <jfbastien@apple.com>
1690
1691         A put is not an ExistingProperty put when we transition a structure because of an attributes change
1692         https://bugs.webkit.org/show_bug.cgi?id=184706
1693         <rdar://problem/38871451>
1694
1695         Reviewed by Saam Barati.
1696
1697         * stress/put-by-id-direct-strict-transition.js: Added.
1698         (const.foo):
1699         (j.const.obj.set hello):
1700         * stress/put-by-id-direct-transition.js: Added.
1701         (const.foo):
1702         (j.const.obj.set hello):
1703         * stress/put-getter-setter-by-id-strict-transition.js: Added.
1704         (const.foo):
1705         (j.const.obj.set hello):
1706         * stress/put-getter-setter-by-id-transition.js: Added.
1707         (const.foo):
1708         (j.const.obj.set hello):
1709
1710 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
1711
1712         PutStackSinkingPhase should know that KillStack means ConflictingFlush
1713         https://bugs.webkit.org/show_bug.cgi?id=184672
1714
1715         Reviewed by Michael Saboff.
1716
1717         * stress/sink-put-stack-over-kill-stack.js: Added.
1718         (avocado_1):
1719         (apricot_0):
1720         (__c_0):
1721         (banana_2):
1722
1723 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1724
1725         [JSC] Rename runWebAssembly to runWebAssemblySuite
1726         https://bugs.webkit.org/show_bug.cgi?id=184703
1727
1728         Reviewed by JF Bastien.
1729
1730         And add runWebAssembly as a command to simplely run wasm modules.
1731
1732         * wasm.yaml:
1733
1734 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1735
1736         [WebAssembly][Modules] Implement function import from wasm modules
1737         https://bugs.webkit.org/show_bug.cgi?id=184689
1738
1739         Reviewed by JF Bastien.
1740
1741         * wasm.yaml:
1742         * wasm/modules/js-wasm-cycle.js: Added.
1743         * wasm/modules/js-wasm-cycle/entry.js: Added.
1744         (from.string_appeared_here.export.return42):
1745         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
1746         * wasm/modules/js-wasm-cycle/sum.wat: Added.
1747         * wasm/modules/run-from-wasm.wasm: Added.
1748         * wasm/modules/run-from-wasm.wat: Added.
1749         * wasm/modules/run-from-wasm/check.js: Added.
1750         (export.check):
1751         * wasm/modules/wasm-imports-js-exports.js: Added.
1752         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
1753         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
1754         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
1755         (export.sum):
1756         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
1757         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
1758         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
1759         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
1760         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
1761         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
1762         * wasm/modules/wasm-imports-wasm-exports.js: Added.
1763         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
1764         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
1765         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
1766         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
1767         * wasm/modules/wasm-js-cycle.js: Added.
1768         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
1769         * wasm/modules/wasm-js-cycle/entry.wat: Added.
1770         * wasm/modules/wasm-js-cycle/sum.js: Added.
1771         (from.string_appeared_here.export.sum):
1772         * wasm/modules/wasm-wasm-cycle.js: Added.
1773         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
1774         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
1775         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
1776         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
1777
1778 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1779
1780         [WebAssembly][Modules] Prototype wasm import
1781         https://bugs.webkit.org/show_bug.cgi?id=184600
1782
1783         Reviewed by JF Bastien.
1784
1785         Add wasm and wat files since module loader want to load wasm files from FS.
1786         Currently, importing the other modules from wasm is not supported.
1787
1788         * wasm.yaml:
1789         * wasm/modules/constant.wasm: Added.
1790         * wasm/modules/constant.wat: Added.
1791         * wasm/modules/js-wasm-function-namespace.js: Added.
1792         (assert.throws):
1793         * wasm/modules/js-wasm-function.js: Added.
1794         (assert.throws):
1795         * wasm/modules/js-wasm-global-namespace.js: Added.
1796         (assert.throws):
1797         * wasm/modules/js-wasm-global.js: Added.
1798         (assert.throws):
1799         * wasm/modules/js-wasm-memory-namespace.js: Added.
1800         (assert.throws):
1801         * wasm/modules/js-wasm-memory.js: Added.
1802         (assert.throws):
1803         * wasm/modules/js-wasm-start.js: Added.
1804         (then):
1805         * wasm/modules/js-wasm-table-namespace.js: Added.
1806         (assert.throws):
1807         * wasm/modules/js-wasm-table.js: Added.
1808         (assert.throws):
1809         * wasm/modules/memory.wasm: Added.
1810         * wasm/modules/memory.wat: Added.
1811         * wasm/modules/start.wasm: Added.
1812         * wasm/modules/start.wat: Added.
1813         * wasm/modules/sum.wasm: Added.
1814         * wasm/modules/sum.wat: Added.
1815         * wasm/modules/table.wasm: Added.
1816         * wasm/modules/table.wat: Added.
1817
1818 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
1819
1820         Function.prototype.caller shouldn't return generator bodies
1821         https://bugs.webkit.org/show_bug.cgi?id=184630
1822
1823         Reviewed by Yusuke Suzuki.
1824
1825         * stress/function-caller-async-arrow-function-body.js: Added.
1826         * stress/function-caller-async-function-body.js: Added.
1827         * stress/function-caller-async-generator-body.js: Added.
1828         * stress/function-caller-generator-body.js: Added.
1829         * stress/function-caller-generator-method-body.js: Added.
1830
1831 2018-04-12  Tomas Popela  <tpopela@redhat.com>
1832
1833         Unreviewed, skip JIT tests if it isn't enabled
1834
1835         See https://bugs.webkit.org/show_bug.cgi?id=182730.
1836
1837         * stress/big-int-spec-to-primitive.js:
1838         * stress/big-int-spec-to-this.js:
1839
1840 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
1841
1842         [ESNext][BigInt] Add support for BigInt in SpeculatedType
1843         https://bugs.webkit.org/show_bug.cgi?id=182470
1844
1845         Reviewed by Saam Barati.
1846
1847         * stress/big-int-spec-to-primitive.js: Added.
1848         * stress/big-int-spec-to-this.js: Added.
1849         * stress/big-int-strict-equals-jit.js: Added.
1850         * stress/big-int-strict-spec-to-this.js: Added.
1851         * stress/big-int-type-of-proven-type.js: Added.
1852
1853 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
1854
1855         DFG AI and clobberize should agree with each other
1856         https://bugs.webkit.org/show_bug.cgi?id=184440
1857
1858         Reviewed by Saam Barati.
1859         
1860         Add tests for all of the bugs I fixed.
1861
1862         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
1863         (foo):
1864         * stress/new-typed-array-cse-effects.js: Added.
1865         (foo):
1866         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
1867         (foo.theO):
1868         (foo):
1869         * stress/string-from-char-code-change-structure-not-dead.js: Added.
1870         (foo):
1871         (i.valueOf):
1872         (weirdValue.valueOf):
1873         * stress/string-from-char-code-change-structure.js: Added.
1874         (foo):
1875         (i.valueOf):
1876         (weirdValue.valueOf):
1877
1878 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
1879
1880         Fix errant Test262 files CRLF to LF for consistency with the original source
1881         https://bugs.webkit.org/show_bug.cgi?id=184425
1882
1883         Reviewed by Yusuke Suzuki.
1884
1885         * test262/test/built-ins/Math/acosh/nan-returns.js:
1886         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
1887         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
1888         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
1889         * test262/test/built-ins/Math/cbrt/prop-desc.js:
1890         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
1891         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
1892         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
1893         * test262/test/built-ins/Math/log2/log2-basicTests.js:
1894         * test262/test/built-ins/Math/sign/sign-specialVals.js:
1895         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
1896         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
1897         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
1898         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
1899
1900 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1901
1902         Unreviewed, remove incorrect entry in test262.yaml
1903         https://bugs.webkit.org/show_bug.cgi?id=184266
1904
1905         * test262.yaml:
1906
1907 2018-04-08  Valerie Young  <valerie@bocoup.com>
1908
1909         [JSC] Update Test262 to April 6 version
1910         https://bugs.webkit.org/show_bug.cgi?id=184266
1911
1912         Rubber stamped by Yusuke Suzuki.
1913
1914 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1915
1916         [JSC] Introduce op_get_by_id_direct
1917         https://bugs.webkit.org/show_bug.cgi?id=183970
1918
1919         Reviewed by Filip Pizlo.
1920
1921         * stress/generator-prototype-copy.js: Added.
1922         (gen):
1923         (catch):
1924         Adopted JF's tests.
1925
1926         * stress/generator-type-check.js: Added.
1927         (shouldThrow):
1928         (foo2):
1929         (i.shouldThrow):
1930         * stress/get-by-id-direct-getter.js: Added.
1931         (shouldBe):
1932         (shouldThrow):
1933         (obj.get hello):
1934         (builtin.createBuiltin):
1935         (obj2.get length):
1936         * stress/get-by-id-direct.js: Added.
1937         (shouldBe):
1938         (shouldThrow):
1939         (builtin.createBuiltin):
1940         * test262.yaml:
1941         We fixed long-standing spec compatibility issue.
1942         As a result, this patch makes several test262 tests passed!
1943
1944
1945 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1946
1947         Unreviewed, annotate test with @skip if $memoryLimited
1948         https://bugs.webkit.org/show_bug.cgi?id=183894
1949
1950         * stress/json-stringified-overflow.js:
1951
1952 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
1953
1954         Add svn:eol-style to line-terminator-normalisation-CR.js
1955         https://bugs.webkit.org/show_bug.cgi?id=184341
1956
1957         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
1958
1959 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
1960
1961         Unreviewed, remove errant LF from existing test262 test for CR line endings.
1962
1963         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1964
1965 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
1966
1967         Unreviewed, rolling out r230320.
1968
1969         Revert fix, as the root cause lies elsewhere.
1970
1971         Reverted changeset:
1972
1973         "[test262] Mark line-terminator-normalisation-CR.js as a
1974         binary file."
1975         https://bugs.webkit.org/show_bug.cgi?id=184341
1976         https://trac.webkit.org/changeset/230320
1977
1978 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
1979
1980         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
1981         https://bugs.webkit.org/show_bug.cgi?id=184341
1982
1983         Reviewed by Yusuke Suzuki.
1984
1985         This test is all about CR line endings, but `svn-apply` can't deal with them.
1986         Treating the file as binary ensures that its contents never are never shown in a diff.
1987
1988         * .gitattributes: Added.
1989
1990 2018-04-05  Robin Morisset  <rmorisset@apple.com>
1991
1992         Fix testcase (missing try/catch).
1993         https://bugs.webkit.org/show_bug.cgi?id=183657
1994
1995         Unreviewed.
1996
1997         * stress/large-unshift-splice.js
1998
1999 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
2000
2001         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
2002         https://bugs.webkit.org/show_bug.cgi?id=184319
2003
2004         Reviewed by Saam Barati.
2005
2006         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
2007         (foo):
2008         (bar):
2009         * stress/array-push-nan-to-double-array.js: Added.
2010         (foo):
2011         (bar):
2012
2013 2018-04-03  Mark Lam  <mark.lam@apple.com>
2014
2015         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
2016         https://bugs.webkit.org/show_bug.cgi?id=184284
2017
2018         Reviewed by Saam Barati.
2019
2020         * stress/js-fixed-array-out-of-memory.js:
2021
2022 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
2023
2024         JSC crash in JIT code with for-of loop and Array/Set iterators
2025         https://bugs.webkit.org/show_bug.cgi?id=183174
2026
2027         Reviewed by Saam Barati.
2028
2029         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
2030         (foo):
2031         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
2032         (f):
2033
2034 2018-03-30  JF Bastien  <jfbastien@apple.com>
2035
2036         WebAssembly: support DataView compilation
2037         https://bugs.webkit.org/show_bug.cgi?id=183342
2038
2039         Reviewed by Mark Lam.
2040
2041         Test WebAssembly compilation using a DataView with offset.
2042
2043         * wasm/regress/183342.js: Added.
2044         (attempt.catch):
2045
2046 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
2047
2048         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
2049         https://bugs.webkit.org/show_bug.cgi?id=184189
2050
2051         Reviewed by JF Bastien.
2052
2053         * stress/load-hole-from-scope-into-live-var.js: Added.
2054         (result.eval.try.switch):
2055         (catch):
2056
2057 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
2058
2059         Unreviewed, rolling out r230102.
2060
2061         Caused assertion failures on JSC bots.
2062
2063         Reverted changeset:
2064
2065         "A stack overflow in the parsing of a builtin (called by
2066         createExecutable) cause a crash instead of a catchable js
2067         exception"
2068         https://bugs.webkit.org/show_bug.cgi?id=184074
2069         https://trac.webkit.org/changeset/230102
2070
2071 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2072
2073         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
2074         https://bugs.webkit.org/show_bug.cgi?id=183812
2075
2076         Reviewed by Keith Miller.
2077
2078         * stress/inlining-unreachable-non-tail.js: Added.
2079         (foo.):
2080         (foo):
2081
2082 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2083
2084         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
2085         https://bugs.webkit.org/show_bug.cgi?id=184074
2086         <rdar://problem/37165897>
2087
2088         Reviewed by Keith Miller.
2089
2090         * stress/stack-overflow-while-parsing-builtin.js: Added.
2091         (f):
2092
2093 2018-03-30  Robin Morisset  <rmorisset@apple.com>
2094
2095         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
2096         https://bugs.webkit.org/show_bug.cgi?id=183657
2097
2098         Reviewed by Keith Miller.
2099
2100         * stress/large-unshift-splice.js: Added.
2101         (make_contig_arr):
2102
2103 2018-03-28  Robin Morisset  <rmorisset@apple.com>
2104
2105         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
2106         https://bugs.webkit.org/show_bug.cgi?id=183894
2107
2108         Reviewed by Saam Barati.
2109
2110         * stress/json-stringified-overflow.js: Added.
2111         (catch):
2112
2113 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
2114
2115         DFG should know that CreateThis can be effectful
2116         https://bugs.webkit.org/show_bug.cgi?id=184013
2117
2118         Reviewed by Saam Barati.
2119
2120         * stress/create-this-property-change.js: Added.
2121         (Foo):
2122         (RealBar):
2123         (get if):
2124         * stress/create-this-structure-change-without-cse.js: Added.
2125         (Foo):
2126         (RealBar):
2127         (get if):
2128         * stress/create-this-structure-change.js: Added.
2129         (Foo):
2130         (RealBar):
2131         (get if):
2132
2133 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2134
2135         [DFG] Introduces fused compare and jump
2136         https://bugs.webkit.org/show_bug.cgi?id=177100
2137
2138         Reviewed by Mark Lam.
2139
2140         * stress/fused-jeq-slow.js: Added.
2141         (shouldBe):
2142         (testJEQ):
2143         (testJNEQB):
2144         (testJEQB):
2145         (testJNEQF):
2146         (testJEQF):
2147         * stress/fused-jeq.js: Added.
2148         (shouldBe):
2149         (testJEQ):
2150         (testJNEQB):
2151         (testJEQB):
2152         (testJNEQF):
2153         (testJEQF):
2154         * stress/fused-jstricteq-slow.js: Added.
2155         (shouldBe):
2156         (testJSTRICTEQ):
2157         (testJNSTRICTEQB):
2158         (testJSTRICTEQB):
2159         (testJNSTRICTEQF):
2160         (testJSTRICTEQF):
2161         * stress/fused-jstricteq.js: Added.
2162         (shouldBe):
2163         (testJSTRICTEQ):
2164         (testJNSTRICTEQB):
2165         (testJSTRICTEQB):
2166         (testJNSTRICTEQF):
2167         (testJSTRICTEQF):
2168
2169 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2170
2171         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
2172         https://bugs.webkit.org/show_bug.cgi?id=183559
2173
2174         Reviewed by Mark Lam.
2175
2176         * stress/double-to-string-in-loop-removed.js: Added.
2177         (test):
2178         * stress/int32-to-string-in-loop-removed.js: Added.
2179         (test):
2180         * stress/int52-to-string-in-loop-removed.js: Added.
2181         (test):
2182
2183 2018-03-22  Michael Saboff  <msaboff@apple.com>
2184
2185         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
2186         https://bugs.webkit.org/show_bug.cgi?id=183901
2187
2188         Reviewed by Keith Miller.
2189
2190         New test.
2191
2192         * stress/array-reverse-doesnt-clobber.js: Added.
2193         (testArrayReverse):
2194         (createArrayOfArrays):
2195         (createArrayStorage):
2196
2197 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
2198
2199         ScopedArguments should do poisoning and index masking
2200         https://bugs.webkit.org/show_bug.cgi?id=183863
2201
2202         Reviewed by Mark Lam.
2203         
2204         Adds another stress test of scoped arguments.
2205
2206         * stress/scoped-arguments-test.js: Added.
2207         (foo):
2208
2209 2018-03-20  Saam Barati  <sbarati@apple.com>
2210
2211         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
2212         https://bugs.webkit.org/show_bug.cgi?id=183795
2213         <rdar://problem/38298694>
2214
2215         Reviewed by JF Bastien.
2216
2217         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
2218         (foo):
2219         (bar):
2220
2221 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2222
2223         [DFG][FTL] Add vectorLengthHint for NewArray
2224         https://bugs.webkit.org/show_bug.cgi?id=183694
2225
2226         Reviewed by Saam Barati.
2227
2228         * stress/vector-length-hint-array-constructor.js: Added.
2229         (shouldBe):
2230         (test):
2231         * stress/vector-length-hint-new-array.js: Added.
2232         (shouldBe):
2233         (test):
2234
2235 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2236
2237         [DFG][FTL] Make ArraySlice(0) code tight
2238         https://bugs.webkit.org/show_bug.cgi?id=183590
2239
2240         Reviewed by Saam Barati.
2241
2242         * stress/array-slice-with-zero.js: Added.
2243         (shouldBe):
2244         (test):
2245         (test2):
2246         * stress/array-slice-zero-args.js: Added.
2247         (shouldBe):
2248         (test):
2249
2250 2018-03-14  Caitlin Potter  <caitp@igalia.com>
2251
2252         [JSC] fix order of evaluation for ClassDefinitionEvaluation
2253         https://bugs.webkit.org/show_bug.cgi?id=183523
2254
2255         Reviewed by Keith Miller.
2256
2257         Computed property names need to be evaluated in source order during class
2258         definition evaluation, as it's observable (and specified to work this way).
2259
2260         This change improves compatibility with Chromium.
2261
2262         * stress/class_elements.js: Added.
2263         (test):
2264         (test.C.prototype.effect):
2265         (test.C.effect):
2266         (test.C.prototype.get effect):
2267         (test.C.prototype.set effect):
2268         (test.C):
2269
2270 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2271
2272         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
2273         https://bugs.webkit.org/show_bug.cgi?id=183310
2274
2275         Reviewed by Filip Pizlo.
2276
2277         * stress/ai-create-this-to-new-object-fire.js: Added.
2278         (assert):
2279         (test):
2280         (func):
2281         (check):
2282         (test.body.A):
2283         (test.body.B):
2284         (test.body):
2285         * stress/ai-create-this-to-new-object.js: Added.
2286         (assert):
2287         (test):
2288         (func):
2289         (check):
2290         (test.body.A):
2291         (test.body.B):
2292         (test.body):
2293
2294 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2295
2296         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
2297         https://bugs.webkit.org/show_bug.cgi?id=181848
2298
2299         Reviewed by Sam Weinig.
2300
2301         * microbenchmarks/regexp-u-global-es5.js: Added.
2302         (fn):
2303         * microbenchmarks/regexp-u-global-es6.js: Added.
2304         (fn):
2305         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
2306         (shouldBe):
2307         (test):
2308         (i.switch):
2309         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
2310         (shouldBe):
2311         (test):
2312
2313 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
2314
2315         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
2316         https://bugs.webkit.org/show_bug.cgi?id=183334
2317
2318         Reviewed by Žan Doberšek.
2319
2320         * stress/var-injection-cache-invalidation.js:
2321
2322 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
2323
2324         [ARM] Disable tests that run out of memory
2325         https://bugs.webkit.org/show_bug.cgi?id=182699
2326
2327         Reviewed by Žan Doberšek.
2328
2329         Skip tests that run of of memory. Do not run
2330         modules/module-jit-reachability.js without LLInt to prevent
2331         running out of executable memory.
2332
2333         * modules.yaml:
2334         * modules/module-jit-reachability.js:
2335         * stress/has-own-property-name-cache-string-keys.js:
2336         * stress/has-own-property-name-cache-symbol-keys.js:
2337
2338 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2339
2340         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
2341         https://bugs.webkit.org/show_bug.cgi?id=183173
2342
2343         Reviewed by Saam Barati.
2344
2345         * stress/async-arrow-function-in-class-heritage.js: Added.
2346         (testSyntax):
2347         (testSyntaxError):
2348         (SyntaxError):
2349
2350 2018-03-01  Saam Barati  <sbarati@apple.com>
2351
2352         We need to clear cached structures when having a bad time
2353         https://bugs.webkit.org/show_bug.cgi?id=183256
2354         <rdar://problem/36245022>
2355
2356         Reviewed by Mark Lam.
2357
2358         * stress/having-a-bad-time-with-derived-arrays.js: Added.
2359         (assert):
2360         (defineSetter):
2361         (iterate):
2362         (doSlice):
2363
2364 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2365
2366         JSC crash with `import("")`
2367         https://bugs.webkit.org/show_bug.cgi?id=183175
2368
2369         Reviewed by Saam Barati.
2370
2371         * stress/import-with-empty-string.js: Added.
2372
2373 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2374
2375         Unreviewed, skip FTL tests if FTL is disabled
2376         https://bugs.webkit.org/show_bug.cgi?id=183071
2377
2378         * stress/has-indexed-property-array-storage-ftl.js:
2379         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
2380
2381 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2382
2383         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
2384         https://bugs.webkit.org/show_bug.cgi?id=182965
2385
2386         Reviewed by Saam Barati.
2387
2388         * stress/put-by-val-array-storage.js: Added.
2389         (shouldBe):
2390         (testArrayStorageInBounds):
2391         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
2392         (shouldBe):
2393         (testInt32.createBuiltin):
2394         (set for):
2395         * stress/put-by-val-slow-put-array-storage.js: Added.
2396         (shouldBe):
2397         (testArrayStorageInBounds):
2398
2399 2018-02-26  Saam Barati  <sbarati@apple.com>
2400
2401         validateStackAccess should not validate if the offset is within the stack bounds
2402         https://bugs.webkit.org/show_bug.cgi?id=183067
2403         <rdar://problem/37749988>
2404
2405         Reviewed by Mark Lam.
2406
2407         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
2408         (assert):
2409         (test.a):
2410         (test.b):
2411         (test):
2412
2413 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2414
2415         Unreviewed, skip FTL tests if FTL is disabled
2416         https://bugs.webkit.org/show_bug.cgi?id=183071
2417
2418         * stress/has-indexed-property-array-storage-ftl.js:
2419         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
2420
2421 2018-02-23  Saam Barati  <sbarati@apple.com>
2422
2423         Make Number.isInteger an intrinsic
2424         https://bugs.webkit.org/show_bug.cgi?id=183088
2425
2426         Reviewed by JF Bastien.
2427
2428         * stress/number-is-integer-intrinsic.js: Added.
2429
2430 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
2431
2432         WebAssembly: cache memory address / size on instance
2433         https://bugs.webkit.org/show_bug.cgi?id=177305
2434
2435         Reviewed by JF Bastien.
2436
2437         * wasm/function-tests/memory-reuse.js: Added.
2438         (createWasmInstance):
2439         (doCheckTrap):
2440         (doMemoryGrow):
2441         (doCheck):
2442         (checkWasmInstancesWithSharedMemory):
2443
2444 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2445
2446         [JSC] Implement $vm.ftlTrue function for FTL testing
2447         https://bugs.webkit.org/show_bug.cgi?id=183071
2448
2449         Reviewed by Mark Lam.
2450
2451         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
2452         (foo):
2453         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
2454         (foo):
2455         * stress/dead-fiat-value-to-int52.js:
2456         (foo):
2457         * stress/dead-osr-entry-value.js:
2458         (foo):
2459         * stress/fiat-value-to-int52-then-exit-not-double.js:
2460         (foo):
2461         * stress/fiat-value-to-int52-then-exit-not-int52.js:
2462         (foo):
2463         * stress/fiat-value-to-int52-then-fail-to-fold.js:
2464         (foo):
2465         * stress/fiat-value-to-int52-then-fold.js:
2466         (foo):
2467         * stress/fiat-value-to-int52.js:
2468         (foo):
2469         * stress/fold-based-on-int32-proof-mul-branch.js:
2470         (foo):
2471         * stress/fold-profiled-call-to-call.js:
2472         (foo):
2473         * stress/fold-to-double-constant-then-exit.js:
2474         (foo):
2475         * stress/fold-to-int52-constant-then-exit.js:
2476         (foo):
2477         * stress/fold-to-primitive-in-cfa.js:
2478         (foo):
2479         * stress/fold-to-primitive-to-identity-in-cfa.js:
2480         (foo):
2481         * stress/has-indexed-property-array-storage-ftl.js: Added.
2482         (shouldBe):
2483         (test1):
2484         (test2):
2485         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
2486         (shouldBe):
2487         (test1):
2488         (test2):
2489         * stress/int52-ai-add-then-filter-int32.js:
2490         (foo):
2491         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
2492         (foo):
2493         * stress/int52-ai-mul-then-filter-int32.js:
2494         (foo):
2495         * stress/int52-ai-neg-then-filter-int32.js:
2496         (foo):
2497         * stress/int52-ai-sub-then-filter-int32.js:
2498         (foo):
2499         * stress/licm-pre-header-cannot-exit-nested.js:
2500         (foo):
2501         * stress/licm-pre-header-cannot-exit.js:
2502         (foo):
2503         * stress/sparse-array-entry-update-144067.js:
2504         (useMemoryToTriggerGCs):
2505         * stress/test-spec-misc.js:
2506         (foo):
2507         * stress/tricky-array-bounds-checks.js:
2508         (foo):
2509
2510 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2511
2512         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
2513         https://bugs.webkit.org/show_bug.cgi?id=182792
2514
2515         Reviewed by Mark Lam.
2516
2517         * stress/has-indexed-property-array-storage.js: Added.
2518         (shouldBe):
2519         (test1):
2520         (test2):
2521         * stress/has-indexed-property-slow-put-array-storage.js: Added.
2522         (shouldBe):
2523         (test1):
2524         (test2):
2525
2526 2018-02-20  Saam Barati  <sbarati@apple.com>
2527
2528         DFG::VarargsForwardingPhase should eliminate getting argument length
2529         https://bugs.webkit.org/show_bug.cgi?id=182959
2530
2531         Reviewed by Keith Miller.
2532
2533         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
2534
2535 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [FTL] Support ArrayPush for ArrayStorage
2538         https://bugs.webkit.org/show_bug.cgi?id=182782
2539
2540         Reviewed by Saam Barati.
2541
2542         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
2543
2544         * stress/array-push-array-storage-beyond-int32.js: Added.
2545         (shouldBe):
2546         (test):
2547         * stress/array-push-array-storage.js: Added.
2548         (shouldBe):
2549         (test):
2550         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
2551         (shouldBe):
2552         (test):
2553         * stress/array-push-multiple-storage-continuous.js: Added.
2554         (shouldBe):
2555         (test):
2556
2557 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2558
2559         [FTL] Support ArrayPop for ArrayStorage
2560         https://bugs.webkit.org/show_bug.cgi?id=182783
2561
2562         Reviewed by Saam Barati.
2563
2564         * stress/array-pop-array-storage.js: Added.
2565         (shouldBe):
2566         (test):
2567
2568 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2569
2570         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
2571         https://bugs.webkit.org/show_bug.cgi?id=182731
2572
2573         Reviewed by Saam Barati.
2574
2575         * stress/arrayify-array-storage-array.js: Added.
2576         (shouldBe):
2577         (testArrayStorage):
2578         * stress/arrayify-array-storage-non-array.js: Added.
2579         (shouldBe):
2580         (testArrayStorage):
2581         * stress/arrayify-array-storage.js: Added.
2582         (shouldBe):
2583         (testArrayStorage):
2584         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
2585         (shouldBe):
2586         (testArrayStorage):
2587         * stress/arrayify-slow-put-array-storage.js: Added.
2588         (shouldBe):
2589         (testArrayStorage):
2590
2591 2018-02-19  Saam Barati  <sbarati@apple.com>
2592
2593         Don't use JSFunction's allocation profile when getting the prototype can be effectful
2594         https://bugs.webkit.org/show_bug.cgi?id=182942
2595         <rdar://problem/37584764>
2596
2597         Reviewed by Mark Lam.
2598
2599         * stress/get-prototype-create-this-effectful.js: Added.
2600
2601 2018-02-16  Saam Barati  <sbarati@apple.com>
2602
2603         Fix bugs from r228411
2604         https://bugs.webkit.org/show_bug.cgi?id=182851
2605         <rdar://problem/37577732>
2606
2607         Reviewed by JF Bastien.
2608
2609         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
2610
2611 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
2612
2613         Unreviewed, roll out r228366 since it did not progress anything.
2614
2615         * stress/gc-error-stack.js: Removed.
2616         * stress/no-gc-error-stack.js: Removed.
2617
2618 2018-02-15  Tomas Popela  <tpopela@redhat.com>
2619
2620         Many stress tests fail with JIT disabled
2621         https://bugs.webkit.org/show_bug.cgi?id=182730
2622
2623         Reviewed by Saam Barati.
2624
2625         These tests are broken by design if the JIT is disabled - they test
2626         the return value of numberOfDFGCompiles(), which is always set to
2627         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
2628
2629         * stress/arith-abs-on-various-types.js:
2630         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
2631         * stress/arith-acos-on-various-types.js:
2632         * stress/arith-acosh-on-various-types.js:
2633         * stress/arith-asin-on-various-types.js:
2634         * stress/arith-asinh-on-various-types.js:
2635         * stress/arith-atan-on-various-types.js:
2636         * stress/arith-atanh-on-various-types.js:
2637         * stress/arith-cbrt-on-various-types.js:
2638         * stress/arith-ceil-on-various-types.js:
2639         * stress/arith-clz32-on-various-types.js:
2640         * stress/arith-cos-on-various-types.js:
2641         * stress/arith-cosh-on-various-types.js:
2642         * stress/arith-expm1-on-various-types.js:
2643         * stress/arith-floor-on-various-types.js:
2644         * stress/arith-fround-on-various-types.js:
2645         * stress/arith-log-on-various-types.js:
2646         * stress/arith-log10-on-various-types.js:
2647         * stress/arith-log2-on-various-types.js:
2648         * stress/arith-negate-on-various-types.js:
2649         * stress/arith-round-on-various-types.js:
2650         * stress/arith-sin-on-various-types.js:
2651         * stress/arith-sinh-on-various-types.js:
2652         * stress/arith-sqrt-on-various-types.js:
2653         * stress/arith-tan-on-various-types.js:
2654         * stress/arith-tanh-on-various-types.js:
2655         * stress/arith-trunc-on-various-types.js:
2656         * stress/compare-strict-eq-on-various-types.js:
2657
2658 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
2659
2660         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
2661
2662         Unreviewed test gardening.
2663
2664         * stress/new-largeish-contiguous-array-with-size.js:
2665
2666 2018-02-14  Saam Barati  <sbarati@apple.com>
2667
2668         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
2669         https://bugs.webkit.org/show_bug.cgi?id=182801
2670
2671         Reviewed by Keith Miller.
2672
2673         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
2674
2675 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
2676
2677         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
2678         https://bugs.webkit.org/show_bug.cgi?id=182526
2679
2680         Unreviewed test gardening.
2681
2682         * stress/activation-sink-default-value-tdz-error.js:
2683
2684 2018-02-13  Saam Barati  <sbarati@apple.com>
2685
2686         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
2687         https://bugs.webkit.org/show_bug.cgi?id=182755
2688         <rdar://problem/37080864>
2689
2690         Reviewed by Keith Miller.
2691
2692         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
2693         (test1.o.get 10005):
2694         (test1):
2695         (test2.o.get 1000):
2696         (test2):
2697
2698 2018-02-13  Caitlin Potter  <caitp@igalia.com>
2699
2700         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
2701         https://bugs.webkit.org/show_bug.cgi?id=182717
2702
2703         Reviewed by Yusuke Suzuki.
2704
2705         https://github.com/tc39/ecma262/pull/890 imposes a change to template
2706         literals, to allow template callsite arrays to be collected when the
2707         code containing the tagged template call is collected. This spec change
2708         has received concensus and been ratified.
2709
2710         This change eliminates the eternal map associating template contents
2711         with arrays.
2712
2713         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
2714         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
2715         * stress/tagged-templates-identity.js:
2716         * stress/template-string-tags-eval.js:
2717         * test262.yaml:
2718
2719 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2720
2721         Support GetArrayLength on ArrayStorage in the FTL
2722         https://bugs.webkit.org/show_bug.cgi?id=182625
2723
2724         Reviewed by Saam Barati.
2725
2726         * stress/array-storage-length.js: Added.
2727         (shouldBe):
2728         (testInBound):
2729         (testUncountable):
2730         (testSlowPutInBound):
2731         (testSlowPutUncountable):
2732         * stress/undecided-length.js: Added.
2733         (shouldBe):
2734         (test2):
2735
2736 2018-02-12  Saam Barati  <sbarati@apple.com>
2737
2738         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
2739         https://bugs.webkit.org/show_bug.cgi?id=182706
2740         <rdar://problem/36833681>
2741
2742         Reviewed by Filip Pizlo.
2743
2744         * stress/get-array-length-phantom-new-array-buffer.js: Added.
2745         (effects):
2746         (foo):
2747
2748 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
2749
2750         Don't waste memory for error.stack
2751         https://bugs.webkit.org/show_bug.cgi?id=182656
2752
2753         Reviewed by Saam Barati.
2754         
2755         Tests the policy.
2756
2757         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
2758         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
2759
2760 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2761
2762         [JSC] Update Test262 to Feb 9 version
2763         https://bugs.webkit.org/show_bug.cgi?id=182468
2764
2765         Reviewed by Saam Barati.
2766
2767 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2768
2769         Unreviewed, fix invalid line terminator in old test262 file part 2
2770         https://bugs.webkit.org/show_bug.cgi?id=182468
2771
2772         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
2773
2774 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2775
2776         Unreviewed, fix invalid line terminator in old test262 file
2777         https://bugs.webkit.org/show_bug.cgi?id=182468
2778
2779         * test262/test/language/literals/regexp/7.8.5-1.js:
2780
2781 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2782
2783         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
2784         https://bugs.webkit.org/show_bug.cgi?id=182440
2785
2786         Reviewed by Darin Adler.
2787
2788         * stress/array-flatmap.js: Added.
2789         (shouldBe):
2790         (shouldBeArray):
2791         (shouldThrow):
2792         (var):
2793         * stress/array-flatten.js: Added.
2794         (shouldBe):
2795         (shouldBeArray):
2796         * test262.yaml:
2797         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
2798         (3.flatMap):
2799         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
2800
2801 2018-02-06  Keith Miller  <keith_miller@apple.com>
2802
2803         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
2804         https://bugs.webkit.org/show_bug.cgi?id=182549
2805         <rdar://problem/36189995>
2806
2807         Reviewed by Saam Barati.
2808
2809         * stress/var-injection-cache-invalidation.js: Added.
2810         (allocateLotsOfThings):
2811         (test):
2812
2813 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2814
2815         Unreviewed, follow up for test262 update
2816         https://bugs.webkit.org/show_bug.cgi?id=182288
2817
2818         * test262.yaml:
2819
2820 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
2821
2822         Update test262 to Jan 30 version
2823         https://bugs.webkit.org/show_bug.cgi?id=182288
2824
2825         Unreviewed test gardening.
2826
2827         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
2828
2829 2018-02-02  Saam Barati  <sbarati@apple.com>
2830
2831         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
2832         https://bugs.webkit.org/show_bug.cgi?id=182368
2833         <rdar://problem/36932466>
2834
2835         Reviewed by Mark Lam.
2836
2837         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
2838         (runNearStackLimit.t):
2839         (runNearStackLimit):
2840         (try.runNearStackLimit):
2841         (catch):
2842
2843 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2844
2845         Update test262 to Jan 30 version
2846         https://bugs.webkit.org/show_bug.cgi?id=182288
2847
2848         Rubber stamped by Saam Barati.
2849
2850         This patch updates test262 to the latest one, Jan 30 version.
2851         Since added and changed files are too many, we cannot create ChangeLog.
2852         The following files are changed.
2853
2854         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
2855         including some special line terminators (like u2028, u2029).
2856
2857         * test262.yaml:
2858         * test262/test262-Revision.txt:
2859         * test262/*:
2860
2861 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
2862
2863         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
2864         https://bugs.webkit.org/show_bug.cgi?id=182411
2865
2866         Reviewed by Carlos Alberto Lopez Perez.
2867
2868         This is skipped only on arm memory limited platforms. Until recently
2869         it was not a problem on MIPS as the butterfly was not initialized. But
2870         since r227435, the butterfly is initialized in that test and therefore
2871         memory is allocated, and the test typically takes around 512M, which
2872         means it generally gets OOM-killed on the MIPS buildbot.
2873
2874         * mozilla/mozilla-tests.yaml:
2875
2876 2018-02-01  Mark Lam  <mark.lam@apple.com>
2877
2878         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
2879         https://bugs.webkit.org/show_bug.cgi?id=182419
2880         <rdar://problem/37044945>
2881
2882         Reviewed by Saam Barati.
2883
2884         * stress/regress-182419.js: Added.
2885
2886 2018-02-01  Keith Miller  <keith_miller@apple.com>
2887
2888         Fix crashes due to mishandling custom sections.
2889         https://bugs.webkit.org/show_bug.cgi?id=182404
2890         <rdar://problem/36935863>
2891
2892         Reviewed by Saam Barati.
2893
2894         * wasm/Builder.js:
2895         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
2896         * wasm/js-api/validate.js:
2897         (assert.truthy):
2898
2899 2018-01-31  Saam Barati  <sbarati@apple.com>
2900
2901         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
2902         https://bugs.webkit.org/show_bug.cgi?id=182074
2903         <rdar://problem/36846261>
2904
2905         Reviewed by Mark Lam.
2906
2907         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
2908         (assert):
2909         (let.func):
2910         (let.o.foo):
2911         (varFunc):
2912
2913 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2914
2915         Unreviewed, update test262 expects
2916         https://bugs.webkit.org/show_bug.cgi?id=182232
2917
2918         * test262.yaml:
2919
2920 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2921
2922         [JSC] Implement trimStart and trimEnd
2923         https://bugs.webkit.org/show_bug.cgi?id=182233
2924
2925         Reviewed by Mark Lam.
2926
2927         * stress/trim.js: Added.
2928         (shouldBe):
2929         (startTest):
2930         (endTest):
2931         (trimTest):
2932
2933 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2934
2935         [JSC] Relax line terminators in String to make JSON subset of JS
2936         https://bugs.webkit.org/show_bug.cgi?id=182232
2937
2938         Reviewed by Keith Miller.
2939
2940         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
2941         * stress/relaxed-line-terminators-in-string.js: Added.
2942         (shouldBe):
2943
2944 2018-01-29  Michael Saboff  <msaboff@apple.com>
2945
2946         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
2947         https://bugs.webkit.org/show_bug.cgi?id=182249
2948
2949         Reviewed by Keith Miller.
2950
2951         New regression test.
2952
2953         * stress/compare-clobber-untypeduse.js: Added.
2954
2955 2018-01-29  Matt Lewis  <jlewis3@apple.com>
2956
2957         Unreviewed, rolling out r227725.
2958
2959         This caused internal failures.
2960
2961         Reverted changeset:
2962
2963         "JSC Sampling Profiler: Detect tester and testee when sampling
2964         in RegExp JIT"
2965         https://bugs.webkit.org/show_bug.cgi?id=152729
2966         https://trac.webkit.org/changeset/227725
2967
2968 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2969
2970         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
2971         https://bugs.webkit.org/show_bug.cgi?id=152729
2972
2973         Reviewed by Saam Barati.
2974
2975         * stress/sampling-profiler-regexp.js: Added.
2976         (platformSupportsSamplingProfiler.test):
2977         (platformSupportsSamplingProfiler.baz):
2978         (platformSupportsSamplingProfiler):
2979
2980 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2981
2982         [DFG][FTL] WeakMap#set should have DFG node
2983         https://bugs.webkit.org/show_bug.cgi?id=180015
2984
2985         Reviewed by Saam Barati.
2986
2987         * stress/weakmap-set-change-get.js: Added.
2988         (shouldBe):
2989         (test):
2990         * stress/weakmap-set-cse.js: Added.
2991         (shouldBe):
2992         (test):
2993         * stress/weakset-add-change-get.js: Added.
2994         (shouldBe):
2995         * stress/weakset-add-cse.js: Added.
2996         (shouldBe):
2997
2998 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2999
3000         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
3001         https://bugs.webkit.org/show_bug.cgi?id=182213
3002
3003         Reviewed by Mark Lam.
3004
3005         * stress/int32-min-to-string.js: Added.
3006         (shouldBe):
3007         (test2):
3008         (test4):
3009         (test8):
3010         (test16):
3011         (test32):
3012         * stress/zero-to-string.js: Added.
3013         (shouldBe):
3014         (test2):
3015         (test4):
3016         (test8):
3017         (test16):
3018         (test32):
3019
3020 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3021
3022         Add more module scope related tests with code evaluation by string
3023         https://bugs.webkit.org/show_bug.cgi?id=181983
3024
3025         Reviewed by Sam Weinig.
3026
3027         Add more module scope related tests. When the original tests are landed,
3028         we do not have browser integration. This patch adds more module scope tests
3029         with dynamically created script evaluation. We add tests with Function
3030         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
3031
3032         * modules/scopes-eval.js: Added.
3033         (shouldBe):
3034         * modules/scopes.js:
3035         (shouldBe):
3036
3037 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
3038
3039         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
3040
3041         * microbenchmarks/array-push-3.js: Removed.
3042         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
3043         * microbenchmarks/double-to-int32.js: Removed.
3044         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
3045         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
3046         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
3047         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
3048         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
3049         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
3050         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
3051         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
3052         * microbenchmarks/map-constant-key.js: Removed.
3053         * microbenchmarks/nested-function-parsing.js: Removed.
3054         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
3055         * microbenchmarks/spread-large-array.js: Removed.
3056         * microbenchmarks/string-add-constant-folding.js: Removed.
3057         * microbenchmarks/to-lower-case.js: Removed.
3058         * microbenchmarks/undefined-property-access.js: Removed.
3059         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
3060         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
3061         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
3062         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
3063         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
3064         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
3065         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
3066         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
3067         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
3068         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
3069         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
3070         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
3071         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
3072         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
3073         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
3074         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
3075         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
3076         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
3077
3078 2018-01-23  Robin Morisset  <rmorisset@apple.com>
3079
3080         Update the argument count in DFGByteCodeParser::handleRecursiveCall
3081         https://bugs.webkit.org/show_bug.cgi?id=181739
3082         <rdar://problem/36627662>
3083
3084         Reviewed by Saam Barati.
3085
3086         * stress/recursive-tail-call-with-different-argument-count.js: Added.
3087         (foo):
3088         (bar):
3089
3090 2018-01-22  Michael Saboff  <msaboff@apple.com>
3091
3092         DFG abstract interpreter needs to properly model effects of some Math ops
3093         https://bugs.webkit.org/show_bug.cgi?id=181886
3094
3095         Reviewed by Saam Barati.
3096
3097         New regression test.
3098
3099         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
3100         (test):
3101
3102 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
3103
3104         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
3105         https://bugs.webkit.org/show_bug.cgi?id=181182
3106
3107         Reviewed by Darin Adler.
3108
3109         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
3110         * stress/big-int-prototype-to-string-exception.js: Added.
3111         * stress/big-int-prototype-to-string-wrong-values.js: Added.
3112         * stress/number-prototype-to-string-cast-overflow.js: Added.
3113         * stress/number-prototype-to-string-exception.js: Added.
3114         * stress/number-prototype-to-string-wrong-values.js: Added.
3115
3116 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
3117
3118         Disable Atomics when SharedArrayBuffer isn’t enabled
3119         https://bugs.webkit.org/show_bug.cgi?id=181572
3120
3121         Unreviewed test gardening.
3122
3123         * test262.yaml: Skip tests that fail after this change.
3124
3125 2018-01-19  Saam Barati  <sbarati@apple.com>
3126
3127         Kill ArithNegate's ArithProfile assert inside BytecodeParser
3128         https://bugs.webkit.org/show_bug.cgi?id=181877
3129         <rdar://problem/36630552>
3130
3131         Reviewed by Mark Lam.
3132
3133         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
3134         (runNearStackLimit):
3135         (f1):
3136         (f2):
3137         (f3):
3138         (i.catch):
3139         (i.try.runNearStackLimit):
3140         (catch):
3141
3142 2018-01-19  Saam Barati  <sbarati@apple.com>
3143
3144         Spread's effects are modeled incorrectly both in AI and in Clobberize
3145         https://bugs.webkit.org/show_bug.cgi?id=181867
3146         <rdar://problem/36290415>
3147
3148         Reviewed by Michael Saboff.
3149
3150         * stress/ai-needs-to-model-spreads-effects.js: Added.
3151         (try.p.Symbol.iterator):
3152         (try.go):
3153         (catch):
3154         * stress/clobberize-needs-to-model-spread-effects.js: Added.
3155         (assert):
3156         (foo):
3157         (a.Symbol.iterator):
3158
3159 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3160
3161         Unreviewed, reduce count of iteration to fix timing out debug JSC test
3162         https://bugs.webkit.org/show_bug.cgi?id=181535
3163
3164         * stress/inserted-recovery-with-set-last-index.js:
3165
3166 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3167
3168         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
3169         https://bugs.webkit.org/show_bug.cgi?id=181535
3170
3171         Reviewed by Saam Barati.
3172
3173         * stress/inserted-recovery-with-set-last-index.js: Added.
3174         (shouldBe):
3175         (foo):
3176         * stress/materialize-regexp-at-osr-exit.js: Added.
3177         (shouldBe):
3178         (test):
3179         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
3180         (shouldBe):
3181         (test):
3182         * stress/materialize-regexp-cyclic-regexp.js: Added.
3183         (shouldBe):
3184         (test):
3185         (i.switch):
3186         * stress/materialize-regexp-cyclic.js: Added.
3187         (shouldBe):
3188         (test):
3189         (i.switch):
3190         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
3191         (bar):
3192         (foo):
3193         (test):
3194         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
3195         (bar):
3196         (foo):
3197         (test):
3198         * stress/materialize-regexp.js: Added.
3199         (shouldBe):
3200         (test):
3201         * stress/phantom-regexp-regexp-exec.js: Added.
3202         (shouldBe):
3203         (test):
3204         * stress/phantom-regexp-string-match.js: Added.
3205         (shouldBe):
3206         (test):
3207         * stress/regexp-last-index-sinking.js: Added.
3208         (shouldBe):
3209         (test):
3210
3211 2018-01-17  Saam Barati  <sbarati@apple.com>
3212
3213         Disable Atomics when SharedArrayBuffer isn’t enabled
3214         https://bugs.webkit.org/show_bug.cgi?id=181572
3215         <rdar://problem/36553206>
3216
3217         Reviewed by Michael Saboff.
3218
3219         * stress/isLockFree.js:
3220
3221 2018-01-17  Saam Barati  <sbarati@apple.com>
3222
3223         DFG::Node::convertToConstant needs to clear the varargs flags
3224         https://bugs.webkit.org/show_bug.cgi?id=181697
3225         <rdar://problem/36497332>
3226
3227         Reviewed by Yusuke Suzuki.
3228
3229         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
3230         (doIndexOf):
3231         (bar):
3232         (i.bar):
3233
3234 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
3235
3236         Unreviewed, rolling out r226937.
3237
3238         Tests added with this change are failing due to a missing
3239         exception check.
3240
3241         Reverted changeset:
3242
3243         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
3244         double to int32_t"
3245         https://bugs.webkit.org/show_bug.cgi?id=181182
3246         https://trac.webkit.org/changeset/226937
3247
3248 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
3249
3250         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
3251         https://bugs.webkit.org/show_bug.cgi?id=181182
3252
3253         Reviewed by Darin Adler.
3254
3255         * bigIntTests.yaml:
3256         * stress/big-int-constructor.js:
3257         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
3258         (assert):
3259         (assertThrowRangeError):
3260         * stress/number-prototype-to-string-cast-overflow.js: Added.
3261         (assert):
3262         (assertThrowRangeError):
3263
3264 2018-01-12  Saam Barati  <sbarati@apple.com>
3265
3266         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
3267         https://bugs.webkit.org/show_bug.cgi?id=181177
3268         <rdar://problem/36205704>
3269
3270         Reviewed by Yusuke Suzuki.
3271
3272         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
3273         (runNearStackLimit.t):
3274         (runNearStackLimit):
3275         (test.f):
3276         (test):
3277
3278 2018-01-12  Saam Barati  <sbarati@apple.com>
3279
3280         Each variant of a polymorphic inlined call should be exitOK at the top of the block
3281         https://bugs.webkit.org/show_bug.cgi?id=181562
3282         <rdar://problem/36445624>
3283
3284         Reviewed by Yusuke Suzuki.
3285
3286         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
3287         (f):
3288         (foo):
3289
3290 2018-01-11  Saam Barati  <sbarati@apple.com>
3291
3292         When inserting Unreachable in byte code parser we need to flush all the right things
3293         https://bugs.webkit.org/show_bug.cgi?id=181509
3294         <rdar://problem/36423110>
3295
3296         Reviewed by Mark Lam.
3297
3298         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
3299
3300 2018-01-11  Saam Barati  <sbarati@apple.com>
3301
3302         JITMathIC code in the FTL is wrong when code gets duplicated
3303         https://bugs.webkit.org/show_bug.cgi?id=181525
3304         <rdar://problem/36351993>
3305
3306         Reviewed by Michael Saboff and Keith Miller.
3307
3308         * stress/allow-math-ic-b3-code-duplication.js: Added.
3309
3310 2018-01-11  Saam Barati  <sbarati@apple.com>
3311
3312         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
3313         https://bugs.webkit.org/show_bug.cgi?id=181508
3314
3315         Reviewed by Yusuke Suzuki.
3316
3317         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
3318         (assert):
3319         (test1.foo):
3320         (test1):
3321         (test2.foo):
3322         (test2):
3323
3324 2018-01-09  Mark Lam  <mark.lam@apple.com>
3325
3326         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
3327         https://bugs.webkit.org/show_bug.cgi?id=181388
3328         <rdar://problem/36349351>
3329
3330         Reviewed by Saam Barati.
3331
3332         * stress/regress-181388.js: Added.
3333
3334 2018-01-08  JF Bastien  <jfbastien@apple.com>
3335
3336         WebAssembly: mask indexed accesses to Table
3337         https://bugs.webkit.org/show_bug.cgi?id=181412
3338         <rdar://problem/36363236>
3339
3340         Reviewed by Saam Barati.
3341
3342         Update error messages.
3343
3344         * wasm/js-api/table.js:
3345         (assert.throws.WebAssembly.Table.prototype.grow):
3346
3347 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
3348
3349         Disable SharedArrayBuffer tests missed in r226386.
3350         https://bugs.webkit.org/show_bug.cgi?id=181266
3351
3352         Unreviewed test gardening.
3353
3354         * test262.yaml:
3355
3356 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3357
3358         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
3359         https://bugs.webkit.org/show_bug.cgi?id=181321
3360
3361         Reviewed by Saam Barati.
3362
3363         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
3364         (shouldBe):
3365         (testFunction):
3366         * test262.yaml:
3367
3368 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
3369
3370         Unreviewed, attempt to fix test262 after r226386.
3371
3372         * test262.yaml:
3373
3374 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3375
3376         [DFG] Define defs for MapSet/SetAdd to participate in CSE
3377         https://bugs.webkit.org/show_bug.cgi?id=179911
3378
3379         Reviewed by Saam Barati.
3380
3381         In addition to these tests, map-set-cse.js and set-add-cse.js work.
3382
3383         * stress/map-set-change-get.js: Added.
3384         (shouldBe):
3385         (test):
3386         * stress/map-set-create-bucket.js: Added.
3387         (shouldBe):
3388         (test):
3389         * stress/set-add-create-bucket.js: Added.
3390         (shouldBe):
3391
3392 2018-01-03  Michael Saboff  <msaboff@apple.com>
3393
3394         Disable SharedArrayBuffers from Web API
3395         https://bugs.webkit.org/show_bug.cgi?id=181266
3396
3397         Reviewed by Saam Barati.
3398
3399         Disabled SharedArrayBuffer tests.
3400
3401         * stress/SharedArrayBuffer-opt.js:
3402         * stress/SharedArrayBuffer.js:
3403         * stress/array-buffer-byte-length.js:
3404         * stress/atomics-add-uint32.js:
3405         * stress/atomics-known-int-use.js:
3406         * stress/atomics-neg-zero.js:
3407         * stress/atomics-store-return.js:
3408         * stress/lars-sab-workers.js:
3409         * stress/regress-159779-1.js:
3410         * stress/regress-159779-2.js:
3411         * stress/regress-170473.js:
3412         * test262.yaml:
3413
3414 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
3415
3416         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
3417         https://bugs.webkit.org/show_bug.cgi?id=181258
3418
3419         Reviewed by Antonio Gomes.
3420
3421         * stress/big-int-constructor-gc.js:
3422         * stress/big-int-constructor-oom.js:
3423
3424 2018-01-03  Robin Morisset  <rmorisset@apple.com>
3425
3426         Inlining of a function that ends in op_unreachable crashes
3427         https://bugs.webkit.org/show_bug.cgi?id=181027
3428
3429         Reviewed by Filip Pizlo.
3430
3431         * stress/inlining-unreachable.js: Added.
3432         (bar):
3433         (baz):
3434         (i.catch):
3435
3436 2018-01-02  Saam Barati  <sbarati@apple.com>
3437
3438         Incorrect assertion inside AccessCase
3439         https://bugs.webkit.org/show_bug.cgi?id=181200
3440         <rdar://problem/35494754>
3441
3442         Reviewed by Yusuke Suzuki.
3443
3444         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
3445         (ctor):
3446         (theFunc):
3447         (run):
3448
3449 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
3450
3451         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
3452         https://bugs.webkit.org/show_bug.cgi?id=175359
3453
3454         Reviewed by Yusuke Suzuki.
3455
3456         * bigIntTests.yaml:
3457         * stress/big-int-as-key.js: Added.
3458         * stress/big-int-constructor-gc.js: Added.
3459         * stress/big-int-constructor-oom.js: Added.
3460         * stress/big-int-constructor-properties.js: Added.
3461         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
3462         * stress/big-int-constructor-prototype.js: Added.
3463         * stress/big-int-constructor.js: Added.
3464         * stress/big-int-function-apply.js:
3465         * stress/big-int-length.js: Added.
3466         * stress/big-int-prop-descriptor.js: Added.
3467         * stress/big-int-proto-constructor.js: Added.
3468         * stress/big-int-proto-name.js: Added.
3469         * stress/big-int-prototype-properties.js: Added.
3470         * stress/big-int-prototype-proto.js: Added.
3471         * stress/big-int-prototype-value-of.js: Added.
3472         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
3473         * stress/big-int-prototype-to-string-apply.js: Added.
3474         * stress/big-int-to-object.js: Added.
3475         * stress/big-int-to-string.js: Added.
3476
3477 2017-12-28  Saam Barati  <sbarati@apple.com>
3478
3479         Assertion used to determine if something is an async generator is wrong
3480         https://bugs.webkit.org/show_bug.cgi?id=181168
3481         <rdar://problem/35640560>
3482
3483         Reviewed by Yusuke Suzuki.
3484
3485         * stress/async-generator-assertion.js: Added.
3486
3487 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
3488
3489         Skip stress/splay-flash-access tests on memory limited platforms
3490         https://bugs.webkit.org/show_bug.cgi?id=181086
3491
3492         Reviewed by Carlos Alberto Lopez Perez.
3493
3494         These tests use about 185M of memory, and occasionally get OOM-killed
3495         on memory limited platforms.
3496
3497         * stress/splay-flash-access-1ms.js:
3498         * stress/splay-flash-access.js:
3499
3500 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
3501
3502         Skip slow jsc tests on embedded platforms
3503         https://bugs.webkit.org/show_bug.cgi?id=180937
3504
3505         Reviewed by Carlos Alberto Lopez Perez.
3506
3507         The tests typeProfiler/deltablue-for-of.js and
3508         typeProfiler/getter-richards.js take a very long time in the
3509         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
3510         thus always timeout. They should be skipped on these platforms.
3511
3512         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
3513         * typeProfiler/getter-richards.js: Skip on arm*/mips.
3514
3515 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3516
3517         [JSC] Do not check isValid() in op_new_regexp
3518         https://bugs.webkit.org/show_bug.cgi?id=180970
3519
3520         Reviewed by Saam Barati.
3521
3522         * stress/regexp-syntax-error-invalid-flags.js: Added.
3523         (shouldThrow):
3524
3525 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
3526
3527         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
3528         https://bugs.webkit.org/show_bug.cgi?id=180712
3529
3530         Reviewed by Michael Catanzaro.
3531
3532         stress/call-apply-exponential-bytecode-size.js crashes if the
3533         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
3534         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
3535         should skip the test on other platforms.
3536
3537         * stress/call-apply-exponential-bytecode-size.js:
3538
3539 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3540
3541         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
3542         https://bugs.webkit.org/show_bug.cgi?id=179762
3543
3544         Reviewed by Saam Barati.
3545
3546         * stress/call-varargs-double-new-array-buffer.js: Added.
3547         (assert):
3548         (bar):
3549         (foo):
3550         * stress/call-varargs-spread-new-array-buffer.js: Added.
3551         (assert):
3552         (bar):
3553         (foo):
3554         * stress/call-varargs-spread-new-array-buffer2.js: Added.
3555         (assert):
3556         (bar):
3557         (foo):
3558         * stress/forward-varargs-double-new-array-buffer.js: Added.
3559         (assert):
3560         (test.baz):
3561         (test.bar):
3562         (test.foo):
3563         (test):
3564         * stress/new-array-buffer-sinking-osrexit.js: Added.
3565         (target):
3566         (test):
3567         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
3568         (shouldBe):
3569         (test):
3570         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
3571         (shouldBe):
3572         (target):
3573         (test):
3574         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
3575         (assert):
3576         (test1.bar):
3577         (test1.foo):
3578         (test1):
3579         (test2.bar):
3580         (test2.foo):
3581         (test3.baz):
3582         (test3.bar):
3583         (test3.foo):
3584         (test4.baz):
3585         (test4.bar):
3586         (test4.foo):
3587         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
3588         (assert):
3589         (test.baz):
3590         (test.bar):
3591         (test.foo):
3592         (test):
3593         * stress/phantom-new-array-buffer-osr-exit.js: Added.
3594         (assert):
3595         (baz):
3596         (bar):
3597         (effects):
3598         (foo):
3599
3600 2017-12-14  Saam Barati  <sbarati@apple.com>
3601
3602         The CleanUp after LICM is erroneously removing a Check
3603         https://bugs.webkit.org/show_bug.cgi?id=180852
3604         <rdar://problem/36063494>
3605
3606         Reviewed by Filip Pizlo.
3607
3608         * stress/dont-run-cleanup-after-licm.js: Added.
3609
3610 2017-12-14  Michael Saboff  <msaboff@apple.com>
3611
3612         REGRESSION (r225695): Repro crash on yahoo login page
3613         https://bugs.webkit.org/show_bug.cgi?id=180761
3614
3615         Reviewed by JF Bastien.
3616
3617         New regression test.
3618
3619         * stress/regress-180761.js: Added.
3620
3621 2017-12-13  Keith Miller  <keith_miller@apple.com>
3622
3623         JSObjects should have a mask for loading indexed properties
3624         https://bugs.webkit.org/show_bug.cgi?id=180768
3625
3626         Reviewed by Mark Lam.
3627
3628         * stress/int16-put-by-val-in-and-out-of-bounds.js:
3629         (test):
3630
3631 2017-12-13  Saam Barati  <sbarati@apple.com>
3632
3633         Arrow functions need their own structure because they have different properties than sloppy functions
3634         https://bugs.webkit.org/show_bug.cgi?id=180779
3635         <rdar://problem/35814591>
3636
3637         Reviewed by Mark Lam.
3638
3639         * stress/arrow-function-needs-its-own-structure.js: Added.
3640         (assert):
3641         (readPrototype):
3642         (noInline.let.f1):
3643         (noInline):
3644
3645 2017-12-13  Saam Barati  <sbarati@apple.com>
3646
3647         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
3648         https://bugs.webkit.org/show_bug.cgi?id=163579
3649         <rdar://problem/35455798>
3650
3651         Reviewed by Mark Lam.
3652
3653         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
3654         (assert):
3655         (test1):
3656         (i.test1):
3657         (i.test1.C):
3658         (i.test1.async.foo):
3659         (i.test1.foo):
3660         (test2):
3661
3662 2017-12-13  Saam Barati  <sbarati@apple.com>
3663
3664         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
3665         https://bugs.webkit.org/show_bug.cgi?id=180734
3666         <rdar://problem/35640547>
3667
3668         Reviewed by Yusuke Suzuki.
3669
3670         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
3671         (__isPropertyOfType):
3672         (__getProperties):
3673         (__getObjects):
3674         (__getRandomObject):
3675         (theClass.):
3676         (theClass):
3677         (childClass):
3678         (counter.catch):
3679
3680 2017-12-12  Saam Barati  <sbarati@apple.com>
3681
3682         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
3683         https://bugs.webkit.org/show_bug.cgi?id=180725
3684         <rdar://problem/35970511>
3685
3686         Reviewed by Michael Saboff.
3687
3688         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
3689         (f1):
3690         (f2):
3691         (let.o2.valueOf):
3692
3693 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3694
3695         [JSC] Implement optimized WeakMap and WeakSet
3696         https://bugs.webkit.org/show_bug.cgi?id=179929
3697
3698         Reviewed by Saam Barati.
3699
3700         * microbenchmarks/weak-map-key.js:
3701         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
3702         (assert):
3703         (objectKey):
3704         (let.start.Date.now):
3705         * stress/basic-weakmap.js: Added.
3706         (shouldBe):
3707         (test):
3708         * stress/basic-weakset.js: Added.
3709         (shouldBe):
3710         (test.set new):
3711         * stress/weakmap-cse-set-break.js: Added.
3712         (shouldBe):
3713         (test):
3714         * stress/weakmap-cse.js: Added.
3715         (shouldBe):
3716         (test):
3717         * stress/weakmap-gc.js: Added.
3718         (test):
3719         * stress/weakset-cse-add-break.js: Added.
3720         (shouldBe):
3721         (test.set new):
3722         * stress/weakset-cse.js: Added.
3723         (shouldBe):
3724         (test.set new):
3725         * stress/weakset-gc.js: Added.
3726         (test.set add):
3727         (test.set new):
3728         (test):
3729
3730 2017-12-12  Saam Barati  <sbarati@apple.com>
3731
3732         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
3733         https://bugs.webkit.org/show_bug.cgi?id=180723
3734         <rdar://problem/35859726>
3735
3736         Reviewed by JF Bastien.
3737
3738         * stress/get-my-argument-by-val-constant-folding.js: Added.
3739         (test):
3740         (catch):
3741
3742 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
3743
3744         [ESNext][BigInt] Implement BigInt literals and JSBigInt
3745         https://bugs.webkit.org/show_bug.cgi?id=179000
3746
3747         Reviewed by Darin Adler and Yusuke Suzuki.
3748
3749         * bigIntTests.yaml: Added.
3750         * stress/big-int-literal-line-terminator.js: Added.
3751         * stress/big-int-literals.js: Added.
3752         * stress/big-int-operations-error.js: Added.
3753         * stress/big-int-type-of.js: Added.
3754         * stress/big-int-white-space-trailing-leading.js: Added.
3755         * stress/big-int-function-apply.js: Added.
3756
3757 2017-12-11  Saam Barati  <sbarati@apple.com>
3758
3759         We need to disableCaching() in ErrorInstance when we materialize properties
3760         https://bugs.webkit.org/show_bug.cgi?id=180343
3761         <rdar://problem/35833002>
3762
3763         Reviewed by Mark Lam.
3764
3765         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
3766         (assert):
3767         (makeError):
3768         (storeToStack):
3769         (storeToStackAlreadyMaterialized):
3770
3771 2017-12-05  JF Bastien  <jfbastien@apple.com>
3772
3773         WebAssembly: don't eagerly checksum
3774         https://bugs.webkit.org/show_bug.cgi?id=180441
3775         <rdar://problem/35156628>
3776
3777         Reviewed by Saam Barati.
3778
3779         Checksum is now disabled, so tests only have <?> as the module
3780         name.
3781
3782         * wasm/function-tests/nameSection.js:
3783         * wasm/function-tests/stack-overflow.js:
3784         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
3785         (assertOverflows.assertThrows):
3786         (assertOverflows):
3787         * wasm/function-tests/stack-trace.js:
3788
3789 2017-12-04  JF Bastien  <jfbastien@apple.com>
3790
3791         Proxy all functions, except the $ objects
3792         https://bugs.webkit.org/show_bug.cgi?id=180375
3793
3794         Reviewed by Saam Barati.
3795
3796         It looks like this test may have broken some executions because I
3797         call some internal objects. Explicitly ignore objects whose name
3798         starts with "$" because it's a bad idea anyways.
3799
3800         * stress/proxy-all-the-parameters.js:
3801         (generateObjects):
3802         (get throw):
3803
3804 2017-12-04  Saam Barati  <sbarati@apple.com>
3805
3806         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
3807         https://bugs.webkit.org/show_bug.cgi?id=180366
3808         <rdar://problem/35685877>
3809
3810         Reviewed by Michael Saboff.
3811
3812         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
3813         (theParent):
3814         (test1.base.getParentStaticValue):
3815         (test1.base):
3816         (test1.__v_24888.prototype.set prop):
3817         (test1.__v_24888):
3818         (test2.base.getParentStaticValue):
3819         (test2.base):
3820         (test2.__v_24888.prototype.set prop):
3821         (test2.__v_24888):
3822         (test2):
3823
3824 2017-12-01  JF Bastien  <jfbastien@apple.com>
3825
3826         Try proxying all function arguments
3827         https://bugs.webkit.org/show_bug.cgi?id=180306
3828
3829         Reviewed by Saam Barati.
3830
3831         * stress/proxy-all-the-parameters.js: Added.
3832         (isPropertyOfType):
3833         (getProperties):
3834         (generateObjects):
3835         (getObjects):
3836         (getFunctions):
3837         (get throw):
3838         (let.o.of.getObjects.let.f.of.getFunctions.catch):
3839
3840 2017-12-01  JF Bastien  <jfbastien@apple.com>
3841
3842         JavaScriptCore: missing exception checks in Math functions that take more than one argument
3843         https://bugs.webkit.org/show_bug.cgi?id=180297
3844         <rdar://problem/35745556>
3845
3846         Reviewed by Mark Lam.
3847
3848         * stress/math-exceptions.js: Added.
3849         (get try):
3850         (catch):
3851
3852 2017-12-01  JF Bastien  <jfbastien@apple.com>
3853
3854         JavaScriptCore: add test for weird class static getters
3855         https://bugs.webkit.org/show_bug.cgi?id=180281
3856         <rdar://problem/35592139>
3857
3858         Reviewed by Mark Lam.
3859
3860         I fixed a bug for it in r224927 and didn't add a test. Do so.
3861
3862         * stress/class-static-get-weird.js: Added.
3863         (c.prototype.get name):
3864         (c):
3865         (c.prototype.get arguments):
3866         (c.prototype.get caller):
3867         (c.prototype.get length):
3868
3869 2017-12-01  Saam Barati  <sbarati@apple.com>
3870
3871         Having a bad time needs to handle ArrayClass indexing type as well
3872         https://bugs.webkit.org/show_bug.cgi?id=180274
3873         <rdar://problem/35667869>
3874
3875         Reviewed by Keith Miller and Mark Lam.
3876
3877         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
3878         (assert):
3879         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
3880         (assert):
3881
3882 2017-12-01  JF Bastien  <jfbastien@apple.com>
3883
3884         WebAssembly: restore cached stack limit after out-call
3885         https://bugs.webkit.org/show_bug.cgi?id=179106
3886         <rdar://problem/35337525>
3887
3888         Reviewed by Saam Barati.
3889
3890         * wasm/function-tests/double-instance.js: Added.
3891         (const.imp.boom):
3892         (const.imp.get callAnother):
3893
3894 2017-11-30  JF Bastien  <jfbastien@apple.com>
3895
3896         WebAssembly: improve stack trace
3897         https://bugs.webkit.org/show_bug.cgi?id=179343
3898
3899         Reviewed by Saam Barati.
3900
3901         Update the tests to follow the new format. Notably, SHA1 module
3902         hash is now included in traces, and stubs are properly identified.
3903
3904         * wasm/assert.js: Add an assertion which matches regular expressions.
3905         * wasm/function-tests/nameSection.js:
3906         * wasm/function-tests/stack-overflow.js:
3907         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
3908         (assertOverflows.assertThrows.wasm.1):
3909         (assertOverflows.assertThrows.wasm.0):
3910         (assertOverflows.assertThrows):
3911         (assertOverflows):
3912         * wasm/function-tests/stack-trace.js:
3913         (import.Builder.from.string_appeared_here.assert): Deleted.
3914         * wasm/function-tests/trap-after-cross-instance-call.js:
3915         (wasmFrameCountFromError):
3916         * wasm/function-tests/trap-load-2.js:
3917         (wasmFrameCountFromError):
3918         * wasm/function-tests/trap-load.js:
3919         (wasmFrameCountFromError):
3920
3921 2017-11-30  Mark Lam  <mark.lam@apple.com>
3922
3923         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
3924         https://bugs.webkit.org/show_bug.cgi?id=180219
3925         <rdar://problem/35696536>
3926
3927         Reviewed by Filip Pizlo.
3928
3929         * stress/regress-180219.js: Added.
3930
3931 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3932
3933         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
3934         https://bugs.webkit.org/show_bug.cgi?id=180190
3935
3936         Reviewed by Mark Lam.
3937
3938         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
3939         (shouldBe):
3940         (test1):
3941         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
3942         (shouldBe):
3943         (test1):
3944         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
3945         (shouldBe):
3946         (test1):
3947         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
3948         (shouldBe):
3949         (test1):
3950         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
3951         (shouldBe):
3952         (test1):
3953         * stress/operation-in-may-have-negative-int32.js: Added.
3954         (shouldBe):
3955         (test2):
3956         * stress/operation-in-negative-int32-cast.js: Added.
3957         (shouldBe):
3958         (test1):
3959
3960 2017-11-28  JF Bastien  <jfbastien@apple.com>
3961
3962         Strict and sloppy functions shouldn't share structure
3963         https://bugs.webkit.org/show_bug.cgi?id=180103
3964         <rdar://problem/35667847>
3965
3966         Reviewed by Saam Barati.
3967
3968         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
3969         because the IC was wrong.
3970         (foo):
3971         (bar):
3972         (baz):
3973         (catch):
3974         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
3975         in this patch, but may as well test odd strict mode corner cases.
3976         (bar):
3977         (baz):
3978         (catch):
3979         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
3980         (foo):
3981         (bar):
3982         (baz):
3983         (catch):
3984         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
3985         next file, but with invalidation of the FunctionExecutable's
3986         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
3987         slower path.
3988         (foo):
3989         (bar.const.x):
3990         (bar.const.y):
3991         (bar):
3992         (catch):
3993         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
3994         strict nesting works correctly.
3995         (foo):
3996         (bar.baz):
3997         (bar):
3998         * stress/strict-function-structure.js: Added. The test used to
3999         assert in objectProtoFuncHasOwnProperty.
4000         (foo):
4001         (bar):
4002         (baz):
4003         * stress/strict-nested-function-structure.js: Added. Nesting.
4004         (foo):
4005         (bar):
4006         (baz.boo):
4007         (baz):
4008
4009 2017-11-29  Robin Morisset  <rmorisset@apple.com>
4010
4011         The recursive tail call optimisation is wrong on closures
4012         https://bugs.webkit.org/show_bug.cgi?id=179835
4013
4014         Reviewed by Saam Barati.
4015
4016         * stress/closure-recursive-tail-call.js: Added.
4017         (makeClosure):
4018
4019 2017-11-27  JF Bastien  <jfbastien@apple.com>
4020
4021         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
4022         https://bugs.webkit.org/show_bug.cgi?id=180051
4023         <rdar://problem/35614371>
4024
4025         Reviewed by Saam Barati.
4026
4027         * stress/rest-parameter-negative.js: Added.
4028         (__f_5484):
4029         (catch):
4030         (__f_5485):
4031         (__v_22598.catch):
4032
4033 2017-11-27  Saam Barati  <sbarati@apple.com>
4034
4035         Spread can escape when CreateRest does not
4036         https://bugs.webkit.org/show_bug.cgi?id=180057
4037         <rdar://problem/35676119>
4038
4039         Reviewed by JF Bastien.
4040
4041         * stress/spread-escapes-but-create-rest-does-not.js: Added.
4042         (assert):
4043         (getProperties):
4044         (theFunc):
4045         (let.obj.valueOf):
4046
4047 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
4048
4049         [DFG] Add NormalizeMapKey DFG IR
4050         https://bugs.webkit.org/show_bug.cgi?id=179912
4051
4052         Reviewed by Saam Barati.
4053
4054         * stress/map-untyped-normalize-cse.js: Added.
4055         (shouldBe):
4056         (test):
4057         * stress/map-untyped-normalize.js: Added.
4058         (shouldBe):
4059         (test):
4060         * stress/set-untyped-normalize-cse.js: Added.
4061         (shouldBe):
4062         (set return.set has.set has):
4063         * stress/set-untyped-normalize.js: Added.
4064         (shouldBe):
4065         (set return.set has):
4066
4067 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4068
4069         [FTL] Support DeleteById and DeleteByVal
4070         https://bugs.webkit.org/show_bug.cgi?id=180022
4071
4072         Reviewed by Saam Barati.
4073
4074         * stress/delete-by-id.js: Added.
4075         (shouldBe):
4076         (test1):
4077         (test2):
4078         * stress/delete-by-val-ftl.js: Added.
4079         (shouldBe):
4080         (test1):
4081         (test2):
4082
4083 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4084
4085         [DFG] Introduce {Set,Map,WeakMap}Fields
4086         https://bugs.webkit.org/show_bug.cgi?id=179925
4087
4088         Reviewed by Saam Barati.
4089
4090         * stress/map-set-clobber-map-get.js: Added.
4091         (shouldBe):
4092         (test):
4093         * stress/map-set-does-not-clobber-set-has.js: Added.
4094         (shouldBe):
4095         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
4096         (shouldBe):
4097         (test):
4098         * stress/set-add-clobber-set-has.js: Added.
4099         (shouldBe):
4100         * stress/set-add-does-not-clobber-map-get.js: Added.
4101         (shouldBe):
4102
4103 2017-11-24  Mark Lam  <mark.lam@apple.com>
4104
4105         Move unsafe jsc shell test functions to the $vm object.
4106         https://bugs.webkit.org/show_bug.cgi?id=179980
4107
4108         Reviewed by Yusuke Suzuki.
4109
4110         * controlFlowProfiler/driver/driver.js:
4111         * controlFlowProfiler/execution-count.js:
4112         * controlFlowProfiler/if-statement.js:
4113         * controlFlowProfiler/loop-statements.js:
4114         * controlFlowProfiler/switch-statements.js:
4115         * controlFlowProfiler/test-jit.js:
4116         * exceptionFuzz/3d-cube.js:
4117         * exceptionFuzz/date-format-xparb.js:
4118         * exceptionFuzz/earley-boyer.js:
4119         * heapProfiler/basic-edges.js:
4120         * heapProfiler/property-edge-types.js:
4121         * microbenchmarks/try-get-by-id-basic.js:
4122         * microbenchmarks/try-get-by-id-polymorphic.js:
4123         * modules/namespace-object-try-get.js:
4124         * stress/argument-count-bytecode.js:
4125         * stress/argument-intrinsic-basic.js:
4126         * stress/argument-intrinsic-inlining-use-caller-arg.js:
4127         * stress/argument-intrinsic-inlining-with-result-escape.js:
4128         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
4129         * stress/argument-intrinsic-inlining-with-vararg.js:
4130         * stress/argument-intrinsic-nested-inlining.js:
4131         * stress/argument-intrinsic-not-convert-to-get-argument.js:
4132         * stress/argument-intrinsic-with-stack-write.js:
4133         * stress/arity-mismatch-get-argument.js:
4134         * stress/array-message-passing.js:
4135         * stress/array-push-with-force-exit.js:
4136         * stress/check-dom-with-signature.js:
4137         * stress/check-sub-class.js:
4138         * stress/compare-eq-incomplete-profile.js:
4139         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
4140         * stress/do-eval-virtual-call-correctly.js:
4141         * stress/dom-jit-with-poly-proto.js:
4142         * stress/domjit-exception-ic.js:
4143         * stress/domjit-exception.js:
4144         * stress/domjit-getter-complex-with-incorrect-object.js:
4145         * stress/domjit-getter-complex.js:
4146         * stress/domjit-getter-poly.js:
4147         * stress/domjit-getter-proto.js:
4148         * stress/domjit-getter-super-poly.js:
4149         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
4150         * stress/domjit-getter-type-check.js:
4151         * stress/domjit-getter.js:
4152         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
4153         * stress/for-in-proxy-target-changed-structure.js:
4154         * stress/for-in-proxy.js:
4155         * stress/generational-opaque-roots.js:
4156         * stress/global-const-redeclaration-setting-2.js:
4157         * stress/global-const-redeclaration-setting-3.js:
4158         * stress/global-const-redeclaration-setting-4.js:
4159         * stress/global-const-redeclaration-setting-5.js:
4160         * stress/global-const-redeclaration-setting.js:
4161         * stress/import-basic.js:
4162         * stress/import-from-eval.js:
4163         * stress/import-reject-with-exception.js:
4164         * stress/import-syntax.js:
4165         * stress/impure-get-own-property-slot-inline-cache.js:
4166         * stress/is-constructor.js:
4167         * stress/istypedarrayview-intrinsic.js:
4168         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
4169         * stress/jsc-test-functions-should-be-more-robust.js:
4170         * stress/object-toString-with-proxy.js:
4171         * stress/poly-proto-custom-value-and-accessor.js:
4172         * stress/proxy-inline-cache.js:
4173         * stress/re-execute-error-module.js:
4174         * stress/regress-150532.js:
4175         * stress/regress-156992.js:
4176         * stress/regress-179619.js:
4177         * stress/resources/shadow-chicken-support.js:
4178         * stress/runtime-array.js:
4179         * stress/sampling-profiler-microtasks.js:
4180         * stress/shadow-chicken-enabled.js:
4181         * stress/spread-correct-global-object-on-exception.js:
4182         * stress/super-get-by-id.js:
4183         * stress/tailCallForwardArguments.js:
4184         * stress/to-object-intrinsic-boolean-edge.js:
4185         * stress/to-object-intrinsic-null-or-undefined-edge.js:
4186         * stress/to-object-intrinsic-number-edge.js:
4187         * stress/to-object-intrinsic-object-edge.js:
4188         * stress/to-object-intrinsic-string-edge.js:
4189         * stress/to-object-intrinsic-symbol-edge.js:
4190         * stress/to-object-intrinsic.js:
4191         * stress/try-catch-custom-getter-as-get-by-id.js:
4192         * stress/try-get-by-id-poly-proto.js:
4193         * stress/try-get-by-id-should-spill-registers-dfg.js:
4194         * stress/try-get-by-id.js:
4195         * typeProfiler/arrow-functions.js:
4196         * typeProfiler/basic.js:
4197         * typeProfiler/captured.js:
4198         * typeProfiler/classes.js:
4199         * typeProfiler/dfg-jit-optimizations.js:
4200         * typeProfiler/dictionary-mode.js:
4201         * typeProfiler/es6-block-scoping.js:
4202         * typeProfiler/es6-classes.js:
4203         * typeProfiler/inheritance.js:
4204         * typeProfiler/int52-dfg.js:
4205         * typeProfiler/loop.js:
4206         * typeProfiler/optional-fields.js:
4207         * typeProfiler/overflow.js:
4208         * typeProfiler/return.js:
4209         * typeProfiler/symbol.js:
4210         * typeProfiler/weird-prototype-chain.js:
4211
4212 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
4213
4214         [DFG][FTL] Support MapSet / SetAdd intrinsics
4215         https://bugs.webkit.org/show_bug.cgi?id=179858
4216
4217         Reviewed by Saam Barati.
4218
4219         * microbenchmarks/map-has-and-set.js: Added.
4220         (test):
4221         * stress/map-set-check-failure.js: Added.
4222         (shouldBe):
4223         (shouldThrow):
4224         (target):
4225         * stress/map-set-cse.js: Added.
4226         (shouldBe):
4227         (test):
4228         * stress/set-add-check-failure.js: Added.
4229         (shouldBe):
4230         (shouldThrow):
4231         (set shouldThrow):
4232         * stress/set-add-cse.js: Added.
4233         (shouldBe):
4234
4235 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
4236
4237         [JSC] Allow poly proto for intrinsic getters
4238         https://bugs.webkit.org/show_bug.cgi?id=179550
4239
4240         Reviewed by Saam Barati.
4241
4242         This change is also tested by existing tests.
4243
4244             1. stress/intrinsic-getter-with-poly-proto.js
4245             2. stress/poly-proto-intrinsic-getter-correctness.js
4246
4247         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
4248         (shouldBe):
4249         (makePolyProtoObject.foo.C):
4250         (makePolyProtoObject.foo):
4251         (makePolyProtoObject):
4252         (target):
4253         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
4254         (shouldBe):
4255         (makePolyProtoObject.foo.C):
4256         (makePolyProtoObject.foo):
4257         (makePolyProtoObject):
4258         (target):
4259
4260 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
4261
4262         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
4263         https://bugs.webkit.org/show_bug.cgi?id=179744
4264
4265         Reviewed by Michael Catanzaro.
4266
4267         This test uses too much memory for our buildbots on these platforms
4268         and gets OOM-killed.
4269
4270         * stress/unshiftCountSlowCase-correct-postCapacity.js:
4271         Skip if $memoryLimited and linux.
4272
4273 2017-11-17  JF Bastien  <jfbastien@apple.com>
4274
4275         WebAssembly JS API: throw when a promise can't be created
4276         https://bugs.webkit.org/show_bug.cgi?id=179826
4277         <rdar://problem/35455813>
4278
4279         Reviewed by Mark Lam.
4280
4281         Test WebAssembly.{compile,instantiate} where promise creation
4282         fails because of a stack overflow.
4283
4284         * wasm/js-api/promise-stack-overflow.js: Added.
4285         (const.runNearStackLimit.f.const.t):
4286         (async.testCompile):
4287         (async.testInstantiate):
4288
4289 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
4290
4291         Unreviewed, mark regress-178385.js as memory exhausting
4292
4293         * stress/regress-178385.js:
4294
4295 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
4296
4297         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
4298
4299         Unreviewed test gardening.
4300
4301         * test262.yaml:
4302
4303 2017-11-16  Robin Morisset  <rmorisset@apple.com>
4304
4305         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
4306         https://bugs.webkit.org/show_bug.cgi?id=179763
4307         <rdar://problem/35550513>
4308
4309         Reviewed by Keith Miller.
4310
4311         Just adding a slightly cleaned-up version of the original fuzzer-found test.
4312
4313         * stress/tdz-this-in-try-catch.js: Added.
4314         (__v_6388):
4315         (__v_6392):
4316
4317 2017-11-14  Yusuke Suzuki  <utat