test262/Runner.pm: move input files to JSTests/test262
1 2018-05-08  Valerie R Young  <valerie@bocoup.com>
2
3         test262/Runner.pm: move input files to JSTests/test262
4         https://bugs.webkit.org/show_bug.cgi?id=185389
5
6         Reviewed by Michael Saboff.
7
8         * test262/config.yaml: Renamed from Tools/Scripts/test262/config.yaml.
9         * test262/expectations.yaml: Renamed from Tools/Scripts/test262/expectations.yaml.
10
11 2018-05-05  Filip Pizlo  <fpizlo@apple.com>
12
13         DFG AI should have O(1) clobbering
14         https://bugs.webkit.org/show_bug.cgi?id=185287
15
16         Reviewed by Saam Barati.
17
18         * stress/simple-ai-effect.js: Added.
19         (bar):
20         (foo):
21
22 2018-05-04  Keith Miller  <keith_miller@apple.com>
23
24         isCacheableArrayLength should return true for undecided arrays
25         https://bugs.webkit.org/show_bug.cgi?id=185309
26
27         Reviewed by Michael Saboff.
28
29         * stress/get-array-length-undecided.js: Added.
30         (test):
31
32 2018-05-04  Dominik Infuehr  <dinfuehr@igalia.com>
33
34         Disable tests on systems with limited memory
35         https://bugs.webkit.org/show_bug.cgi?id=185296
36
37         Reviewed by Saam Barati.
38
39         Test doesn't work with a limited amount of memory. I tried to reduce memory usage
40         but then it was hard to reproduce the failure the test was originally made to test.
41
42         * stress/array-reverse-doesnt-clobber.js:
43
44 2018-05-03  Saam Barati  <sbarati@apple.com>
45
46         Don't prevent CreateThis being folded to NewObject when the structure is poly proto
47         https://bugs.webkit.org/show_bug.cgi?id=185177
48
49         Reviewed by Filip Pizlo.
50
51         * microbenchmarks/construct-poly-proto-object.js: Added.
52         (foo.A):
53         (foo):
54         * stress/allocation-sinking-new-object-with-poly-proto.js: Added.
55         (foo.A):
56         (foo):
57         (makePolyProto):
58         (bar):
59         (baz):
60
61 2018-05-03  Michael Saboff  <msaboff@apple.com>
62
63         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
64         https://bugs.webkit.org/show_bug.cgi?id=185281
65
66         Reviewed by Saam Barati.
67
68         New regression test.
69
70         * stress/baseline-osrentry-catch-is-reachable.js: Added.
71         (i.j.catch):
72
73 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
74
75         Unreviewed, rolling out r231197.
76
77         The test added with this change crashes on the 32-bit JSC bot.
78
79         Reverted changeset:
80
81         "Correctly detect string overflow when using the 'Function'
82         constructor"
83         https://bugs.webkit.org/show_bug.cgi?id=184883
84         https://trac.webkit.org/changeset/231197
85
86 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
87
88         JSC should know how to cache custom getter accesses on the prototype chain
89         https://bugs.webkit.org/show_bug.cgi?id=185213
90
91         Reviewed by Keith Miller.
92
93         * microbenchmarks/get-custom-getter.js: Added.
94         (test):
95
96 2018-05-02  Robin Morisset  <rmorisset@apple.com>
97
98         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
99         https://bugs.webkit.org/show_bug.cgi?id=183172
100
101         Reviewed by Filip Pizlo.
102
103         * stress/length-of-new-array-with-spread.js: Added.
104         (foo):
105         (bar):
106         (baz):
107
108 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
109
110         [JSC] Add SameValue DFG node
111         https://bugs.webkit.org/show_bug.cgi?id=185065
112
113         Reviewed by Saam Barati.
114
115         * microbenchmarks/object-is.js: Added.
116         (incognito):
117         (sameValue):
118         (test1):
119         (test2):
120         (test3):
121         (test4):
122         (test5):
123         (test6):
124         * stress/object-is.js: Added.
125         (shouldBe):
126         (is1):
127         (is2):
128         (is3):
129         (is4):
130         (is5):
131         (is6):
132         (is7):
133         (is8):
134         (is9):
135         (is10):
136         (is11):
137         (is12):
138         (is13):
139         (is14):
140         (is15):
141
142 2018-05-01  Robin Morisset  <rmorisset@apple.com>
143
144         Correctly detect string overflow when using the 'Function' constructor
145         https://bugs.webkit.org/show_bug.cgi?id=184883
146         <rdar://problem/36320331>
147
148         Reviewed by Filip Pizlo.
149
150         I put this regression test in the 'slowMicrobenchmarks' directory because it takes nearly 30s to run, and I am not sure where else to put it.
151
152         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
153         (catch):
154
155 2018-05-01  Robin Morisset  <rmorisset@apple.com>
156
157         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
158         https://bugs.webkit.org/show_bug.cgi?id=185162
159
160         Reviewed by Filip Pizlo.
161
162         * stress/incomplete-unicode-locale.js: Added.
163         (catch):
164
165 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
166
167         Add SetCallee as DFG-Operation
168         https://bugs.webkit.org/show_bug.cgi?id=184582
169
170         Reviewed by Filip Pizlo.
171
172         Added test that runs into infinite loop without updating the callee and
173         therefore emitting SetCallee in DFG for recursive tail calls.
174
175         * stress/closure-recursive-tail-call-infinite-loop.js: Added.
176         (Foo):
177         (second):
178         (first):
179         (return.closure):
180         (createClosure):
181
182 2018-04-30  Saam Barati  <sbarati@apple.com>
183
184         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
185         https://bugs.webkit.org/show_bug.cgi?id=185149
186         <rdar://problem/39455917>
187
188         Reviewed by Filip Pizlo.
189
190         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
191
192 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
193
194         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
195         https://bugs.webkit.org/show_bug.cgi?id=185126
196
197         Reviewed by Saam Barati.
198         
199         I found this bug by accident when I was writing this test for something else.
200         
201         This change also speeds up other benchmarks of this case that we already had. They are all called
202         the licm-dragons tests.
203
204         * microbenchmarks/licm-dragons-two-structures.js: Added.
205         (foo):
206
207 2018-04-29  Commit Queue  <commit-queue@webkit.org>
208
209         Unreviewed, rolling out r231137.
210         https://bugs.webkit.org/show_bug.cgi?id=185118
211
212         It is breaking Test262 language/expressions/multiplication
213         /order-of-evaluation.js (Requested by caiolima on #webkit).
214
215         Reverted changeset:
216
217         "[ESNext][BigInt] Implement support for "*" operation"
218         https://bugs.webkit.org/show_bug.cgi?id=183721
219         https://trac.webkit.org/changeset/231137
220
221 2018-04-28  Saam Barati  <sbarati@apple.com>
222
223         We don't model regexp effects properly
224         https://bugs.webkit.org/show_bug.cgi?id=185059
225         <rdar://problem/39736150>
226
227         Reviewed by Filip Pizlo.
228
229         * stress/regexp-exec-test-effectful-last-index.js: Added.
230         (assert):
231         (foo):
232         (i.regexLastIndex.toString):
233         (bar):
234
235 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
236
237         Token misspelled "tocken" in error message string
238         https://bugs.webkit.org/show_bug.cgi?id=185030
239
240         Reviewed by Saam Barati.
241
242         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
243         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
244         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
245         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
246         (testSyntaxError.String.raw.v):
247         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
248         (testSyntaxError.String.raw.a):
249
250 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
251
252         [ESNext][BigInt] Implement support for "*" operation
253         https://bugs.webkit.org/show_bug.cgi?id=183721
254
255         Reviewed by Saam Barati.
256
257         * bigIntTests.yaml:
258         * stress/big-int-mul-jit.js: Added.
259         * stress/big-int-mul-to-primitive-precedence.js: Added.
260         * stress/big-int-mul-to-primitive.js: Added.
261         * stress/big-int-mul-type-error.js: Added.
262         * stress/big-int-mul-wrapped-value.js: Added.
263         * stress/big-int-multiplication.js: Added.
264         * stress/big-int-multiply-memory-stress.js: Added.
265
266 2018-04-28  Commit Queue  <commit-queue@webkit.org>
267
268         Unreviewed, rolling out r231131.
269         https://bugs.webkit.org/show_bug.cgi?id=185112
270
271         It is breaking Debug build due to unchecked exception
272         (Requested by caiolima on #webkit).
273
274         Reverted changeset:
275
276         "[ESNext][BigInt] Implement support for "*" operation"
277         https://bugs.webkit.org/show_bug.cgi?id=183721
278         https://trac.webkit.org/changeset/231131
279
280 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
281
282         [ESNext][BigInt] Implement support for "*" operation
283         https://bugs.webkit.org/show_bug.cgi?id=183721
284
285         Reviewed by Saam Barati.
286
287         * bigIntTests.yaml:
288         * stress/big-int-mul-jit.js: Added.
289         * stress/big-int-mul-to-primitive-precedence.js: Added.
290         * stress/big-int-mul-to-primitive.js: Added.
291         * stress/big-int-mul-type-error.js: Added.
292         * stress/big-int-mul-wrapped-value.js: Added.
293         * stress/big-int-multiplication.js: Added.
294         * stress/big-int-multiply-memory-stress.js: Added.
295
296 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
297
298         Unreviewed, rolling out r231086.
299
300         Caused JSC test failures due to an unchecked exception.
301
302         Reverted changeset:
303
304         "[ESNext][BigInt] Implement support for "*" operation"
305         https://bugs.webkit.org/show_bug.cgi?id=183721
306         https://trac.webkit.org/changeset/231086
307
308 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
309
310         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
311
312         * test262.yaml: Mark tests as passing.
313
314 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
315
316         [ESNext][BigInt] Implement support for "*" operation
317         https://bugs.webkit.org/show_bug.cgi?id=183721
318
319         Reviewed by Saam Barati.
320
321         * bigIntTests.yaml:
322         * stress/big-int-mul-jit.js: Added.
323         * stress/big-int-mul-to-primitive-precedence.js: Added.
324         * stress/big-int-mul-to-primitive.js: Added.
325         * stress/big-int-mul-type-error.js: Added.
326         * stress/big-int-mul-wrapped-value.js: Added.
327         * stress/big-int-multiplication.js: Added.
328         * stress/big-int-multiply-memory-stress.js: Added.
329
330 2018-04-25  Robin Morisset  <rmorisset@apple.com>
331
332         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
333         https://bugs.webkit.org/show_bug.cgi?id=184773
334         <rdar://problem/37773612>
335
336         Reviewed by Filip Pizlo.
337
338         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
339         so I decided to add it to the stress tests nonetheless.
340
341         * stress/create-rest-while-having-a-bad-time.js: Added.
342         (f):
343         (g):
344         (h):
345
346 2018-04-25  Keith Miller  <keith_miller@apple.com>
347
348         Add missing scope release to functionProtoFuncToString
349         https://bugs.webkit.org/show_bug.cgi?id=184995
350
351         Reviewed by Saam Barati.
352
353         * stress/function-toString-arrow.js: Added.
354         (async):
355
356 2018-04-24  Keith Miller  <keith_miller@apple.com>
357
358         fromCharCode is missing some exception checks
359         https://bugs.webkit.org/show_bug.cgi?id=184952
360
361         Reviewed by Saam Barati.
362
363         * stress/fromCharCode-exception-check.js: Added.
364         (get catch):
365
366 2018-04-24  Mark Lam  <mark.lam@apple.com>
367
368         Gardening: test fix after r230863.
369         https://bugs.webkit.org/show_bug.cgi?id=184846
370         <rdar://problem/39390672>
371
372         Not reviewed.
373
374         * stress/json-stringified-overflow-2.js:
375         (catch):
376         * stress/json-stringified-overflow.js:
377         (catch):
378
379 2018-04-20  JF Bastien  <jfbastien@apple.com>
380
381         Handle more JSON stringify OOM
382         https://bugs.webkit.org/show_bug.cgi?id=184846
383         <rdar://problem/39390672>
384
385         Reviewed by Mark Lam.
386
387         * stress/json-stringified-overflow-2.js: Added. Same as the one
388         below, but with a bigger input which will trigger a different code
389         path.
390         (catch):
391         * stress/json-stringified-overflow.js: Modify the test to only
392         catch OOM on stringification, not on string creation.
393
394 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
395
396         [WebAssembly][Modules] Import tables in wasm modules
397         https://bugs.webkit.org/show_bug.cgi?id=184738
398
399         Reviewed by JF Bastien.
400
401         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
402         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
403         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
404         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
405         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
406         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
407         * wasm/modules/wasm-imports-wasm-exports.js:
408         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
409         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
410         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
411         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
412
413 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
414
415         [WebAssembly][Modules] Import globals from wasm modules
416         https://bugs.webkit.org/show_bug.cgi?id=184736
417
418         Reviewed by JF Bastien.
419
420         * wasm.yaml:
421         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
422         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
423         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
424         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
425         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
426         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
427         * wasm/modules/wasm-imports-wasm-exports.js:
428         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
429         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
430         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
431         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
432
433 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
434
435         Unreviewed, reland r230697, r230720, and r230724.
436         https://bugs.webkit.org/show_bug.cgi?id=184600
437
438         * wasm.yaml:
439         * wasm/modules/constant.wasm: Added.
440         * wasm/modules/constant.wat: Added.
441         * wasm/modules/default-import-star-error.js: Added.
442         (then):
443         * wasm/modules/default-import-star-error/entry.wasm: Added.
444         * wasm/modules/default-import-star-error/entry.wat: Added.
445         * wasm/modules/default-import-star-error/t0.js: Added.
446         * wasm/modules/default-import-star-error/t1.js: Added.
447         * wasm/modules/default-import-star-error/t2.js: Added.
448         (export.default.Cocoa):
449         * wasm/modules/js-wasm-cycle.js: Added.
450         * wasm/modules/js-wasm-cycle/entry.js: Added.
451         (from.string_appeared_here.export.return42):
452         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
453         * wasm/modules/js-wasm-cycle/sum.wat: Added.
454         * wasm/modules/js-wasm-function-namespace.js: Added.
455         (assert.throws):
456         * wasm/modules/js-wasm-function.js: Added.
457         (assert.throws):
458         * wasm/modules/js-wasm-global-namespace.js: Added.
459         (assert.throws):
460         * wasm/modules/js-wasm-global.js: Added.
461         (assert.throws):
462         * wasm/modules/js-wasm-memory-namespace.js: Added.
463         (assert.throws):
464         * wasm/modules/js-wasm-memory.js: Added.
465         (assert.throws):
466         * wasm/modules/js-wasm-start.js: Added.
467         (then):
468         * wasm/modules/js-wasm-table-namespace.js: Added.
469         (assert.throws):
470         * wasm/modules/js-wasm-table.js: Added.
471         (assert.throws):
472         * wasm/modules/memory.wasm: Added.
473         * wasm/modules/memory.wat: Added.
474         * wasm/modules/run-from-wasm.wasm: Added.
475         * wasm/modules/run-from-wasm.wat: Added.
476         * wasm/modules/run-from-wasm/check.js: Added.
477         (export.check):
478         * wasm/modules/start.wasm: Added.
479         * wasm/modules/start.wat: Added.
480         * wasm/modules/sum.wasm: Added.
481         * wasm/modules/sum.wat: Added.
482         * wasm/modules/table.wasm: Added.
483         * wasm/modules/table.wat: Added.
484         * wasm/modules/wasm-imports-js-exports.js: Added.
485         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
486         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
487         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
488         (export.sum):
489         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
490         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
491         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
492         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
493         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
494         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
495         * wasm/modules/wasm-imports-wasm-exports.js: Added.
496         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
497         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
498         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
499         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
500         * wasm/modules/wasm-js-cycle.js: Added.
501         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
502         * wasm/modules/wasm-js-cycle/entry.wat: Added.
503         * wasm/modules/wasm-js-cycle/sum.js: Added.
504         (from.string_appeared_here.export.sum):
505         * wasm/modules/wasm-wasm-cycle.js: Added.
506         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
507         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
508         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
509         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
510
511 2018-04-17  Commit Queue  <commit-queue@webkit.org>
512
513         Unreviewed, rolling out r230697, r230720, and r230724.
514         https://bugs.webkit.org/show_bug.cgi?id=184717
515
516         These caused multiple failures on the Test262 testers.
517         (Requested by mlewis13 on #webkit).
518
519         Reverted changesets:
520
521         "[WebAssembly][Modules] Prototype wasm import"
522         https://bugs.webkit.org/show_bug.cgi?id=184600
523         https://trac.webkit.org/changeset/230697
524
525         "[WebAssembly][Modules] Implement function import from wasm
526         modules"
527         https://bugs.webkit.org/show_bug.cgi?id=184689
528         https://trac.webkit.org/changeset/230720
529
530         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
531         https://bugs.webkit.org/show_bug.cgi?id=184703
532         https://trac.webkit.org/changeset/230724
533
534 2018-04-17  JF Bastien  <jfbastien@apple.com>
535
536         A put is not an ExistingProperty put when we transition a structure because of an attributes change
537         https://bugs.webkit.org/show_bug.cgi?id=184706
538         <rdar://problem/38871451>
539
540         Reviewed by Saam Barati.
541
542         * stress/put-by-id-direct-strict-transition.js: Added.
543         (const.foo):
544         (j.const.obj.set hello):
545         * stress/put-by-id-direct-transition.js: Added.
546         (const.foo):
547         (j.const.obj.set hello):
548         * stress/put-getter-setter-by-id-strict-transition.js: Added.
549         (const.foo):
550         (j.const.obj.set hello):
551         * stress/put-getter-setter-by-id-transition.js: Added.
552         (const.foo):
553         (j.const.obj.set hello):
554
555 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
556
557         PutStackSinkingPhase should know that KillStack means ConflictingFlush
558         https://bugs.webkit.org/show_bug.cgi?id=184672
559
560         Reviewed by Michael Saboff.
561
562         * stress/sink-put-stack-over-kill-stack.js: Added.
563         (avocado_1):
564         (apricot_0):
565         (__c_0):
566         (banana_2):
567
568 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
569
570         [JSC] Rename runWebAssembly to runWebAssemblySuite
571         https://bugs.webkit.org/show_bug.cgi?id=184703
572
573         Reviewed by JF Bastien.
574
575         And add runWebAssembly as a command to simply run wasm modules.
576
577         * wasm.yaml:
578
579 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
580
581         [WebAssembly][Modules] Implement function import from wasm modules
582         https://bugs.webkit.org/show_bug.cgi?id=184689
583
584         Reviewed by JF Bastien.
585
586         * wasm.yaml:
587         * wasm/modules/js-wasm-cycle.js: Added.
588         * wasm/modules/js-wasm-cycle/entry.js: Added.
589         (from.string_appeared_here.export.return42):
590         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
591         * wasm/modules/js-wasm-cycle/sum.wat: Added.
592         * wasm/modules/run-from-wasm.wasm: Added.
593         * wasm/modules/run-from-wasm.wat: Added.
594         * wasm/modules/run-from-wasm/check.js: Added.
595         (export.check):
596         * wasm/modules/wasm-imports-js-exports.js: Added.
597         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
598         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
599         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
600         (export.sum):
601         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
602         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
603         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
604         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
605         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
606         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
607         * wasm/modules/wasm-imports-wasm-exports.js: Added.
608         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
609         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
610         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
611         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
612         * wasm/modules/wasm-js-cycle.js: Added.
613         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
614         * wasm/modules/wasm-js-cycle/entry.wat: Added.
615         * wasm/modules/wasm-js-cycle/sum.js: Added.
616         (from.string_appeared_here.export.sum):
617         * wasm/modules/wasm-wasm-cycle.js: Added.
618         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
619         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
620         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
621         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
622
623 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
624
625         [WebAssembly][Modules] Prototype wasm import
626         https://bugs.webkit.org/show_bug.cgi?id=184600
627
628         Reviewed by JF Bastien.
629
630         Add wasm and wat files since the module loader wants to load wasm files from FS.
631         Currently, importing the other modules from wasm is not supported.
632
633         * wasm.yaml:
634         * wasm/modules/constant.wasm: Added.
635         * wasm/modules/constant.wat: Added.
636         * wasm/modules/js-wasm-function-namespace.js: Added.
637         (assert.throws):
638         * wasm/modules/js-wasm-function.js: Added.
639         (assert.throws):
640         * wasm/modules/js-wasm-global-namespace.js: Added.
641         (assert.throws):
642         * wasm/modules/js-wasm-global.js: Added.
643         (assert.throws):
644         * wasm/modules/js-wasm-memory-namespace.js: Added.
645         (assert.throws):
646         * wasm/modules/js-wasm-memory.js: Added.
647         (assert.throws):
648         * wasm/modules/js-wasm-start.js: Added.
649         (then):
650         * wasm/modules/js-wasm-table-namespace.js: Added.
651         (assert.throws):
652         * wasm/modules/js-wasm-table.js: Added.
653         (assert.throws):
654         * wasm/modules/memory.wasm: Added.
655         * wasm/modules/memory.wat: Added.
656         * wasm/modules/start.wasm: Added.
657         * wasm/modules/start.wat: Added.
658         * wasm/modules/sum.wasm: Added.
659         * wasm/modules/sum.wat: Added.
660         * wasm/modules/table.wasm: Added.
661         * wasm/modules/table.wat: Added.
662
663 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
664
665         Function.prototype.caller shouldn't return generator bodies
666         https://bugs.webkit.org/show_bug.cgi?id=184630
667
668         Reviewed by Yusuke Suzuki.
669
670         * stress/function-caller-async-arrow-function-body.js: Added.
671         * stress/function-caller-async-function-body.js: Added.
672         * stress/function-caller-async-generator-body.js: Added.
673         * stress/function-caller-generator-body.js: Added.
674         * stress/function-caller-generator-method-body.js: Added.
675
676 2018-04-12  Tomas Popela  <tpopela@redhat.com>
677
678         Unreviewed, skip JIT tests if it isn't enabled
679
680         See https://bugs.webkit.org/show_bug.cgi?id=182730.
681
682         * stress/big-int-spec-to-primitive.js:
683         * stress/big-int-spec-to-this.js:
684
685 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
686
687         [ESNext][BigInt] Add support for BigInt in SpeculatedType
688         https://bugs.webkit.org/show_bug.cgi?id=182470
689
690         Reviewed by Saam Barati.
691
692         * stress/big-int-spec-to-primitive.js: Added.
693         * stress/big-int-spec-to-this.js: Added.
694         * stress/big-int-strict-equals-jit.js: Added.
695         * stress/big-int-strict-spec-to-this.js: Added.
696         * stress/big-int-type-of-proven-type.js: Added.
697
698 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
699
700         DFG AI and clobberize should agree with each other
701         https://bugs.webkit.org/show_bug.cgi?id=184440
702
703         Reviewed by Saam Barati.
704         
705         Add tests for all of the bugs I fixed.
706
707         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
708         (foo):
709         * stress/new-typed-array-cse-effects.js: Added.
710         (foo):
711         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
712         (foo.theO):
713         (foo):
714         * stress/string-from-char-code-change-structure-not-dead.js: Added.
715         (foo):
716         (i.valueOf):
717         (weirdValue.valueOf):
718         * stress/string-from-char-code-change-structure.js: Added.
719         (foo):
720         (i.valueOf):
721         (weirdValue.valueOf):
722
723 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
724
725         Fix errant Test262 files CRLF to LF for consistency with the original source
726         https://bugs.webkit.org/show_bug.cgi?id=184425
727
728         Reviewed by Yusuke Suzuki.
729
730         * test262/test/built-ins/Math/acosh/nan-returns.js:
731         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
732         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
733         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
734         * test262/test/built-ins/Math/cbrt/prop-desc.js:
735         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
736         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
737         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
738         * test262/test/built-ins/Math/log2/log2-basicTests.js:
739         * test262/test/built-ins/Math/sign/sign-specialVals.js:
740         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
741         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
742         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
743         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
744
745 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
746
747         Unreviewed, remove incorrect entry in test262.yaml
748         https://bugs.webkit.org/show_bug.cgi?id=184266
749
750         * test262.yaml:
751
752 2018-04-08  Valerie Young  <valerie@bocoup.com>
753
754         [JSC] Update Test262 to April 6 version
755         https://bugs.webkit.org/show_bug.cgi?id=184266
756
757         Rubber stamped by Yusuke Suzuki.
758
759 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
760
761         [JSC] Introduce op_get_by_id_direct
762         https://bugs.webkit.org/show_bug.cgi?id=183970
763
764         Reviewed by Filip Pizlo.
765
766         * stress/generator-prototype-copy.js: Added.
767         (gen):
768         (catch):
769         Adopted JF's tests.
770
771         * stress/generator-type-check.js: Added.
772         (shouldThrow):
773         (foo2):
774         (i.shouldThrow):
775         * stress/get-by-id-direct-getter.js: Added.
776         (shouldBe):
777         (shouldThrow):
778         (obj.get hello):
779         (builtin.createBuiltin):
780         (obj2.get length):
781         * stress/get-by-id-direct.js: Added.
782         (shouldBe):
783         (shouldThrow):
784         (builtin.createBuiltin):
785         * test262.yaml:
786         We fixed a long-standing spec compatibility issue.
787         As a result, this patch makes several test262 tests pass!
788
789
790 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
791
792         Unreviewed, annotate test with @skip if $memoryLimited
793         https://bugs.webkit.org/show_bug.cgi?id=183894
794
795         * stress/json-stringified-overflow.js:
796
797 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
798
799         Add svn:eol-style to line-terminator-normalisation-CR.js
800         https://bugs.webkit.org/show_bug.cgi?id=184341
801
802         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
803
804 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
805
806         Unreviewed, remove errant LF from existing test262 test for CR line endings.
807
808         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
809
810 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
811
812         Unreviewed, rolling out r230320.
813
814         Revert fix, as the root cause lies elsewhere.
815
816         Reverted changeset:
817
818         "[test262] Mark line-terminator-normalisation-CR.js as a
819         binary file."
820         https://bugs.webkit.org/show_bug.cgi?id=184341
821         https://trac.webkit.org/changeset/230320
822
823 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
824
825         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
826         https://bugs.webkit.org/show_bug.cgi?id=184341
827
828         Reviewed by Yusuke Suzuki.
829
830         This test is all about CR line endings, but `svn-apply` can't deal with them.
831         Treating the file as binary ensures that its contents are never shown in a diff.
832
833         * .gitattributes: Added.
834
835 2018-04-05  Robin Morisset  <rmorisset@apple.com>
836
837         Fix testcase (missing try/catch).
838         https://bugs.webkit.org/show_bug.cgi?id=183657
839
840         Unreviewed.
841
842         * stress/large-unshift-splice.js
843
844 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
845
846         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
847         https://bugs.webkit.org/show_bug.cgi?id=184319
848
849         Reviewed by Saam Barati.
850
851         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
852         (foo):
853         (bar):
854         * stress/array-push-nan-to-double-array.js: Added.
855         (foo):
856         (bar):
857
858 2018-04-03  Mark Lam  <mark.lam@apple.com>
859
860         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
861         https://bugs.webkit.org/show_bug.cgi?id=184284
862
863         Reviewed by Saam Barati.
864
865         * stress/js-fixed-array-out-of-memory.js:
866
867 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
868
869         JSC crash in JIT code with for-of loop and Array/Set iterators
870         https://bugs.webkit.org/show_bug.cgi?id=183174
871
872         Reviewed by Saam Barati.
873
874         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
875         (foo):
876         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
877         (f):
878
879 2018-03-30  JF Bastien  <jfbastien@apple.com>
880
881         WebAssembly: support DataView compilation
882         https://bugs.webkit.org/show_bug.cgi?id=183342
883
884         Reviewed by Mark Lam.
885
886         Test WebAssembly compilation using a DataView with offset.
887
888         * wasm/regress/183342.js: Added.
889         (attempt.catch):
890
891 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
892
893         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
894         https://bugs.webkit.org/show_bug.cgi?id=184189
895
896         Reviewed by JF Bastien.
897
898         * stress/load-hole-from-scope-into-live-var.js: Added.
899         (result.eval.try.switch):
900         (catch):
901
902 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
903
904         Unreviewed, rolling out r230102.
905
906         Caused assertion failures on JSC bots.
907
908         Reverted changeset:
909
910         "A stack overflow in the parsing of a builtin (called by
911         createExecutable) cause a crash instead of a catchable js
912         exception"
913         https://bugs.webkit.org/show_bug.cgi?id=184074
914         https://trac.webkit.org/changeset/230102
915
916 2018-03-30  Robin Morisset  <rmorisset@apple.com>
917
918         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
919         https://bugs.webkit.org/show_bug.cgi?id=183812
920
921         Reviewed by Keith Miller.
922
923         * stress/inlining-unreachable-non-tail.js: Added.
924         (foo.):
925         (foo):
926
927 2018-03-30  Robin Morisset  <rmorisset@apple.com>
928
929         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
930         https://bugs.webkit.org/show_bug.cgi?id=184074
931         <rdar://problem/37165897>
932
933         Reviewed by Keith Miller.
934
935         * stress/stack-overflow-while-parsing-builtin.js: Added.
936         (f):
937
938 2018-03-30  Robin Morisset  <rmorisset@apple.com>
939
940         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
941         https://bugs.webkit.org/show_bug.cgi?id=183657
942
943         Reviewed by Keith Miller.
944
945         * stress/large-unshift-splice.js: Added.
946         (make_contig_arr):
947
948 2018-03-28  Robin Morisset  <rmorisset@apple.com>
949
950         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
951         https://bugs.webkit.org/show_bug.cgi?id=183894
952
953         Reviewed by Saam Barati.
954
955         * stress/json-stringified-overflow.js: Added.
956         (catch):
957
958 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
959
960         DFG should know that CreateThis can be effectful
961         https://bugs.webkit.org/show_bug.cgi?id=184013
962
963         Reviewed by Saam Barati.
964
965         * stress/create-this-property-change.js: Added.
966         (Foo):
967         (RealBar):
968         (get if):
969         * stress/create-this-structure-change-without-cse.js: Added.
970         (Foo):
971         (RealBar):
972         (get if):
973         * stress/create-this-structure-change.js: Added.
974         (Foo):
975         (RealBar):
976         (get if):
977
978 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
979
980         [DFG] Introduces fused compare and jump
981         https://bugs.webkit.org/show_bug.cgi?id=177100
982
983         Reviewed by Mark Lam.
984
985         * stress/fused-jeq-slow.js: Added.
986         (shouldBe):
987         (testJEQ):
988         (testJNEQB):
989         (testJEQB):
990         (testJNEQF):
991         (testJEQF):
992         * stress/fused-jeq.js: Added.
993         (shouldBe):
994         (testJEQ):
995         (testJNEQB):
996         (testJEQB):
997         (testJNEQF):
998         (testJEQF):
999         * stress/fused-jstricteq-slow.js: Added.
1000         (shouldBe):
1001         (testJSTRICTEQ):
1002         (testJNSTRICTEQB):
1003         (testJSTRICTEQB):
1004         (testJNSTRICTEQF):
1005         (testJSTRICTEQF):
1006         * stress/fused-jstricteq.js: Added.
1007         (shouldBe):
1008         (testJSTRICTEQ):
1009         (testJNSTRICTEQB):
1010         (testJSTRICTEQB):
1011         (testJNSTRICTEQF):
1012         (testJSTRICTEQF):
1013
1014 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1015
1016         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
1017         https://bugs.webkit.org/show_bug.cgi?id=183559
1018
1019         Reviewed by Mark Lam.
1020
1021         * stress/double-to-string-in-loop-removed.js: Added.
1022         (test):
1023         * stress/int32-to-string-in-loop-removed.js: Added.
1024         (test):
1025         * stress/int52-to-string-in-loop-removed.js: Added.
1026         (test):
1027
1028 2018-03-22  Michael Saboff  <msaboff@apple.com>
1029
1030         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
1031         https://bugs.webkit.org/show_bug.cgi?id=183901
1032
1033         Reviewed by Keith Miller.
1034
1035         New test.
1036
1037         * stress/array-reverse-doesnt-clobber.js: Added.
1038         (testArrayReverse):
1039         (createArrayOfArrays):
1040         (createArrayStorage):
1041
1042 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
1043
1044         ScopedArguments should do poisoning and index masking
1045         https://bugs.webkit.org/show_bug.cgi?id=183863
1046
1047         Reviewed by Mark Lam.
1048         
1049         Adds another stress test of scoped arguments.
1050
1051         * stress/scoped-arguments-test.js: Added.
1052         (foo):
1053
1054 2018-03-20  Saam Barati  <sbarati@apple.com>
1055
1056         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
1057         https://bugs.webkit.org/show_bug.cgi?id=183795
1058         <rdar://problem/38298694>
1059
1060         Reviewed by JF Bastien.
1061
1062         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
1063         (foo):
1064         (bar):
1065
1066 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1067
1068         [DFG][FTL] Add vectorLengthHint for NewArray
1069         https://bugs.webkit.org/show_bug.cgi?id=183694
1070
1071         Reviewed by Saam Barati.
1072
1073         * stress/vector-length-hint-array-constructor.js: Added.
1074         (shouldBe):
1075         (test):
1076         * stress/vector-length-hint-new-array.js: Added.
1077         (shouldBe):
1078         (test):
1079
1080 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1081
1082         [DFG][FTL] Make ArraySlice(0) code tight
1083         https://bugs.webkit.org/show_bug.cgi?id=183590
1084
1085         Reviewed by Saam Barati.
1086
1087         * stress/array-slice-with-zero.js: Added.
1088         (shouldBe):
1089         (test):
1090         (test2):
1091         * stress/array-slice-zero-args.js: Added.
1092         (shouldBe):
1093         (test):
1094
1095 2018-03-14  Caitlin Potter  <caitp@igalia.com>
1096
1097         [JSC] fix order of evaluation for ClassDefinitionEvaluation
1098         https://bugs.webkit.org/show_bug.cgi?id=183523
1099
1100         Reviewed by Keith Miller.
1101
1102         Computed property names need to be evaluated in source order during class
1103         definition evaluation, as it's observable (and specified to work this way).
1104
1105         This change improves compatibility with Chromium.
1106
1107         * stress/class_elements.js: Added.
1108         (test):
1109         (test.C.prototype.effect):
1110         (test.C.effect):
1111         (test.C.prototype.get effect):
1112         (test.C.prototype.set effect):
1113         (test.C):
1114
1115 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1116
1117         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
1118         https://bugs.webkit.org/show_bug.cgi?id=183310
1119
1120         Reviewed by Filip Pizlo.
1121
1122         * stress/ai-create-this-to-new-object-fire.js: Added.
1123         (assert):
1124         (test):
1125         (func):
1126         (check):
1127         (test.body.A):
1128         (test.body.B):
1129         (test.body):
1130         * stress/ai-create-this-to-new-object.js: Added.
1131         (assert):
1132         (test):
1133         (func):
1134         (check):
1135         (test.body.A):
1136         (test.body.B):
1137         (test.body):
1138
1139 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1140
1141         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
1142         https://bugs.webkit.org/show_bug.cgi?id=181848
1143
1144         Reviewed by Sam Weinig.
1145
1146         * microbenchmarks/regexp-u-global-es5.js: Added.
1147         (fn):
1148         * microbenchmarks/regexp-u-global-es6.js: Added.
1149         (fn):
1150         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
1151         (shouldBe):
1152         (test):
1153         (i.switch):
1154         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
1155         (shouldBe):
1156         (test):
1157
1158 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
1159
1160         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
1161         https://bugs.webkit.org/show_bug.cgi?id=183334
1162
1163         Reviewed by Žan Doberšek.
1164
1165         * stress/var-injection-cache-invalidation.js:
1166
1167 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1168
1169         [ARM] Disable tests that run out of memory
1170         https://bugs.webkit.org/show_bug.cgi?id=182699
1171
1172         Reviewed by Žan Doberšek.
1173
1174         Skip tests that run out of memory. Do not run
1175         modules/module-jit-reachability.js without LLInt to prevent
1176         running out of executable memory.
1177
1178         * modules.yaml:
1179         * modules/module-jit-reachability.js:
1180         * stress/has-own-property-name-cache-string-keys.js:
1181         * stress/has-own-property-name-cache-symbol-keys.js:
1182
1183 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1184
1185         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1186         https://bugs.webkit.org/show_bug.cgi?id=183173
1187
1188         Reviewed by Saam Barati.
1189
1190         * stress/async-arrow-function-in-class-heritage.js: Added.
1191         (testSyntax):
1192         (testSyntaxError):
1193         (SyntaxError):
1194
1195 2018-03-01  Saam Barati  <sbarati@apple.com>
1196
1197         We need to clear cached structures when having a bad time
1198         https://bugs.webkit.org/show_bug.cgi?id=183256
1199         <rdar://problem/36245022>
1200
1201         Reviewed by Mark Lam.
1202
1203         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1204         (assert):
1205         (defineSetter):
1206         (iterate):
1207         (doSlice):
1208
1209 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1210
1211         JSC crash with `import("")`
1212         https://bugs.webkit.org/show_bug.cgi?id=183175
1213
1214         Reviewed by Saam Barati.
1215
1216         * stress/import-with-empty-string.js: Added.
1217
1218 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1219
1220         Unreviewed, skip FTL tests if FTL is disabled
1221         https://bugs.webkit.org/show_bug.cgi?id=183071
1222
1223         * stress/has-indexed-property-array-storage-ftl.js:
1224         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1225
1226 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1227
1228         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1229         https://bugs.webkit.org/show_bug.cgi?id=182965
1230
1231         Reviewed by Saam Barati.
1232
1233         * stress/put-by-val-array-storage.js: Added.
1234         (shouldBe):
1235         (testArrayStorageInBounds):
1236         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1237         (shouldBe):
1238         (testInt32.createBuiltin):
1239         (set for):
1240         * stress/put-by-val-slow-put-array-storage.js: Added.
1241         (shouldBe):
1242         (testArrayStorageInBounds):
1243
1244 2018-02-26  Saam Barati  <sbarati@apple.com>
1245
1246         validateStackAccess should not validate if the offset is within the stack bounds
1247         https://bugs.webkit.org/show_bug.cgi?id=183067
1248         <rdar://problem/37749988>
1249
1250         Reviewed by Mark Lam.
1251
1252         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1253         (assert):
1254         (test.a):
1255         (test.b):
1256         (test):
1257
1258 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1259
1260         Unreviewed, skip FTL tests if FTL is disabled
1261         https://bugs.webkit.org/show_bug.cgi?id=183071
1262
1263         * stress/has-indexed-property-array-storage-ftl.js:
1264         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1265
1266 2018-02-23  Saam Barati  <sbarati@apple.com>
1267
1268         Make Number.isInteger an intrinsic
1269         https://bugs.webkit.org/show_bug.cgi?id=183088
1270
1271         Reviewed by JF Bastien.
1272
1273         * stress/number-is-integer-intrinsic.js: Added.
1274
1275 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1276
1277         WebAssembly: cache memory address / size on instance
1278         https://bugs.webkit.org/show_bug.cgi?id=177305
1279
1280         Reviewed by JF Bastien.
1281
1282         * wasm/function-tests/memory-reuse.js: Added.
1283         (createWasmInstance):
1284         (doCheckTrap):
1285         (doMemoryGrow):
1286         (doCheck):
1287         (checkWasmInstancesWithSharedMemory):
1288
1289 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1290
1291         [JSC] Implement $vm.ftlTrue function for FTL testing
1292         https://bugs.webkit.org/show_bug.cgi?id=183071
1293
1294         Reviewed by Mark Lam.
1295
1296         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1297         (foo):
1298         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1299         (foo):
1300         * stress/dead-fiat-value-to-int52.js:
1301         (foo):
1302         * stress/dead-osr-entry-value.js:
1303         (foo):
1304         * stress/fiat-value-to-int52-then-exit-not-double.js:
1305         (foo):
1306         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1307         (foo):
1308         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1309         (foo):
1310         * stress/fiat-value-to-int52-then-fold.js:
1311         (foo):
1312         * stress/fiat-value-to-int52.js:
1313         (foo):
1314         * stress/fold-based-on-int32-proof-mul-branch.js:
1315         (foo):
1316         * stress/fold-profiled-call-to-call.js:
1317         (foo):
1318         * stress/fold-to-double-constant-then-exit.js:
1319         (foo):
1320         * stress/fold-to-int52-constant-then-exit.js:
1321         (foo):
1322         * stress/fold-to-primitive-in-cfa.js:
1323         (foo):
1324         * stress/fold-to-primitive-to-identity-in-cfa.js:
1325         (foo):
1326         * stress/has-indexed-property-array-storage-ftl.js: Added.
1327         (shouldBe):
1328         (test1):
1329         (test2):
1330         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1331         (shouldBe):
1332         (test1):
1333         (test2):
1334         * stress/int52-ai-add-then-filter-int32.js:
1335         (foo):
1336         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1337         (foo):
1338         * stress/int52-ai-mul-then-filter-int32.js:
1339         (foo):
1340         * stress/int52-ai-neg-then-filter-int32.js:
1341         (foo):
1342         * stress/int52-ai-sub-then-filter-int32.js:
1343         (foo):
1344         * stress/licm-pre-header-cannot-exit-nested.js:
1345         (foo):
1346         * stress/licm-pre-header-cannot-exit.js:
1347         (foo):
1348         * stress/sparse-array-entry-update-144067.js:
1349         (useMemoryToTriggerGCs):
1350         * stress/test-spec-misc.js:
1351         (foo):
1352         * stress/tricky-array-bounds-checks.js:
1353         (foo):
1354
1355 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1356
1357         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1358         https://bugs.webkit.org/show_bug.cgi?id=182792
1359
1360         Reviewed by Mark Lam.
1361
1362         * stress/has-indexed-property-array-storage.js: Added.
1363         (shouldBe):
1364         (test1):
1365         (test2):
1366         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1367         (shouldBe):
1368         (test1):
1369         (test2):
1370
1371 2018-02-20  Saam Barati  <sbarati@apple.com>
1372
1373         DFG::VarargsForwardingPhase should eliminate getting argument length
1374         https://bugs.webkit.org/show_bug.cgi?id=182959
1375
1376         Reviewed by Keith Miller.
1377
1378         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1379
1380 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1381
1382         [FTL] Support ArrayPush for ArrayStorage
1383         https://bugs.webkit.org/show_bug.cgi?id=182782
1384
1385         Reviewed by Saam Barati.
1386
1387         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1388
1389         * stress/array-push-array-storage-beyond-int32.js: Added.
1390         (shouldBe):
1391         (test):
1392         * stress/array-push-array-storage.js: Added.
1393         (shouldBe):
1394         (test):
1395         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1396         (shouldBe):
1397         (test):
1398         * stress/array-push-multiple-storage-continuous.js: Added.
1399         (shouldBe):
1400         (test):
1401
1402 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1403
1404         [FTL] Support ArrayPop for ArrayStorage
1405         https://bugs.webkit.org/show_bug.cgi?id=182783
1406
1407         Reviewed by Saam Barati.
1408
1409         * stress/array-pop-array-storage.js: Added.
1410         (shouldBe):
1411         (test):
1412
1413 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1414
1415         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1416         https://bugs.webkit.org/show_bug.cgi?id=182731
1417
1418         Reviewed by Saam Barati.
1419
1420         * stress/arrayify-array-storage-array.js: Added.
1421         (shouldBe):
1422         (testArrayStorage):
1423         * stress/arrayify-array-storage-non-array.js: Added.
1424         (shouldBe):
1425         (testArrayStorage):
1426         * stress/arrayify-array-storage.js: Added.
1427         (shouldBe):
1428         (testArrayStorage):
1429         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1430         (shouldBe):
1431         (testArrayStorage):
1432         * stress/arrayify-slow-put-array-storage.js: Added.
1433         (shouldBe):
1434         (testArrayStorage):
1435
1436 2018-02-19  Saam Barati  <sbarati@apple.com>
1437
1438         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1439         https://bugs.webkit.org/show_bug.cgi?id=182942
1440         <rdar://problem/37584764>
1441
1442         Reviewed by Mark Lam.
1443
1444         * stress/get-prototype-create-this-effectful.js: Added.
1445
1446 2018-02-16  Saam Barati  <sbarati@apple.com>
1447
1448         Fix bugs from r228411
1449         https://bugs.webkit.org/show_bug.cgi?id=182851
1450         <rdar://problem/37577732>
1451
1452         Reviewed by JF Bastien.
1453
1454         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1455
1456 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1457
1458         Unreviewed, roll out r228366 since it did not progress anything.
1459
1460         * stress/gc-error-stack.js: Removed.
1461         * stress/no-gc-error-stack.js: Removed.
1462
1463 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1464
1465         Many stress tests fail with JIT disabled
1466         https://bugs.webkit.org/show_bug.cgi?id=182730
1467
1468         Reviewed by Saam Barati.
1469
1470         These tests are broken by design if the JIT is disabled - they test
1471         the return value of numberOfDFGCompiles(), which is always set to
1472         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
1473
1474         * stress/arith-abs-on-various-types.js:
1475         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1476         * stress/arith-acos-on-various-types.js:
1477         * stress/arith-acosh-on-various-types.js:
1478         * stress/arith-asin-on-various-types.js:
1479         * stress/arith-asinh-on-various-types.js:
1480         * stress/arith-atan-on-various-types.js:
1481         * stress/arith-atanh-on-various-types.js:
1482         * stress/arith-cbrt-on-various-types.js:
1483         * stress/arith-ceil-on-various-types.js:
1484         * stress/arith-clz32-on-various-types.js:
1485         * stress/arith-cos-on-various-types.js:
1486         * stress/arith-cosh-on-various-types.js:
1487         * stress/arith-expm1-on-various-types.js:
1488         * stress/arith-floor-on-various-types.js:
1489         * stress/arith-fround-on-various-types.js:
1490         * stress/arith-log-on-various-types.js:
1491         * stress/arith-log10-on-various-types.js:
1492         * stress/arith-log2-on-various-types.js:
1493         * stress/arith-negate-on-various-types.js:
1494         * stress/arith-round-on-various-types.js:
1495         * stress/arith-sin-on-various-types.js:
1496         * stress/arith-sinh-on-various-types.js:
1497         * stress/arith-sqrt-on-various-types.js:
1498         * stress/arith-tan-on-various-types.js:
1499         * stress/arith-tanh-on-various-types.js:
1500         * stress/arith-trunc-on-various-types.js:
1501         * stress/compare-strict-eq-on-various-types.js:
1502
1503 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1504
1505         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1506
1507         Unreviewed test gardening.
1508
1509         * stress/new-largeish-contiguous-array-with-size.js:
1510
1511 2018-02-14  Saam Barati  <sbarati@apple.com>
1512
1513         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1514         https://bugs.webkit.org/show_bug.cgi?id=182801
1515
1516         Reviewed by Keith Miller.
1517
1518         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1519
1520 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1521
1522         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1523         https://bugs.webkit.org/show_bug.cgi?id=182526
1524
1525         Unreviewed test gardening.
1526
1527         * stress/activation-sink-default-value-tdz-error.js:
1528
1529 2018-02-13  Saam Barati  <sbarati@apple.com>
1530
1531         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1532         https://bugs.webkit.org/show_bug.cgi?id=182755
1533         <rdar://problem/37080864>
1534
1535         Reviewed by Keith Miller.
1536
1537         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1538         (test1.o.get 10005):
1539         (test1):
1540         (test2.o.get 1000):
1541         (test2):
1542
1543 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1544
1545         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1546         https://bugs.webkit.org/show_bug.cgi?id=182717
1547
1548         Reviewed by Yusuke Suzuki.
1549
1550         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1551         literals, to allow template callsite arrays to be collected when the
1552         code containing the tagged template call is collected. This spec change
1553         has received consensus and been ratified.
1554
1555         This change eliminates the eternal map associating template contents
1556         with arrays.
1557
1558         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1559         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1560         * stress/tagged-templates-identity.js:
1561         * stress/template-string-tags-eval.js:
1562         * test262.yaml:
1563
1564 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1565
1566         Support GetArrayLength on ArrayStorage in the FTL
1567         https://bugs.webkit.org/show_bug.cgi?id=182625
1568
1569         Reviewed by Saam Barati.
1570
1571         * stress/array-storage-length.js: Added.
1572         (shouldBe):
1573         (testInBound):
1574         (testUncountable):
1575         (testSlowPutInBound):
1576         (testSlowPutUncountable):
1577         * stress/undecided-length.js: Added.
1578         (shouldBe):
1579         (test2):
1580
1581 2018-02-12  Saam Barati  <sbarati@apple.com>
1582
1583         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1584         https://bugs.webkit.org/show_bug.cgi?id=182706
1585         <rdar://problem/36833681>
1586
1587         Reviewed by Filip Pizlo.
1588
1589         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1590         (effects):
1591         (foo):
1592
1593 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1594
1595         Don't waste memory for error.stack
1596         https://bugs.webkit.org/show_bug.cgi?id=182656
1597
1598         Reviewed by Saam Barati.
1599         
1600         Tests the policy.
1601
1602         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1603         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1604
1605 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1606
1607         [JSC] Update Test262 to Feb 9 version
1608         https://bugs.webkit.org/show_bug.cgi?id=182468
1609
1610         Reviewed by Saam Barati.
1611
1612 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1613
1614         Unreviewed, fix invalid line terminator in old test262 file part 2
1615         https://bugs.webkit.org/show_bug.cgi?id=182468
1616
1617         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1618
1619 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1620
1621         Unreviewed, fix invalid line terminator in old test262 file
1622         https://bugs.webkit.org/show_bug.cgi?id=182468
1623
1624         * test262/test/language/literals/regexp/7.8.5-1.js:
1625
1626 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1627
1628         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1629         https://bugs.webkit.org/show_bug.cgi?id=182440
1630
1631         Reviewed by Darin Adler.
1632
1633         * stress/array-flatmap.js: Added.
1634         (shouldBe):
1635         (shouldBeArray):
1636         (shouldThrow):
1637         (var):
1638         * stress/array-flatten.js: Added.
1639         (shouldBe):
1640         (shouldBeArray):
1641         * test262.yaml:
1642         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1643         (3.flatMap):
1644         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1645
1646 2018-02-06  Keith Miller  <keith_miller@apple.com>
1647
1648         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1649         https://bugs.webkit.org/show_bug.cgi?id=182549
1650         <rdar://problem/36189995>
1651
1652         Reviewed by Saam Barati.
1653
1654         * stress/var-injection-cache-invalidation.js: Added.
1655         (allocateLotsOfThings):
1656         (test):
1657
1658 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1659
1660         Unreviewed, follow up for test262 update
1661         https://bugs.webkit.org/show_bug.cgi?id=182288
1662
1663         * test262.yaml:
1664
1665 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1666
1667         Update test262 to Jan 30 version
1668         https://bugs.webkit.org/show_bug.cgi?id=182288
1669
1670         Unreviewed test gardening.
1671
1672         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1673
1674 2018-02-02  Saam Barati  <sbarati@apple.com>
1675
1676         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1677         https://bugs.webkit.org/show_bug.cgi?id=182368
1678         <rdar://problem/36932466>
1679
1680         Reviewed by Mark Lam.
1681
1682         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1683         (runNearStackLimit.t):
1684         (runNearStackLimit):
1685         (try.runNearStackLimit):
1686         (catch):
1687
1688 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1689
1690         Update test262 to Jan 30 version
1691         https://bugs.webkit.org/show_bug.cgi?id=182288
1692
1693         Rubber stamped by Saam Barati.
1694
1695         This patch updates test262 to the latest one, Jan 30 version.
1696         Since there are too many added and changed files, we cannot create a ChangeLog.
1697         The following files are changed.
1698
1699         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1700         including some special line terminators (like u2028, u2029).
1701
1702         * test262.yaml:
1703         * test262/test262-Revision.txt:
1704         * test262/*:
1705
1706 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1707
1708         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1709         https://bugs.webkit.org/show_bug.cgi?id=182411
1710
1711         Reviewed by Carlos Alberto Lopez Perez.
1712
1713         This is skipped only on arm memory limited platforms. Until recently
1714         it was not a problem on MIPS as the butterfly was not initialized. But
1715         since r227435, the butterfly is initialized in that test and therefore
1716         memory is allocated, and the test typically takes around 512M, which
1717         means it generally gets OOM-killed on the MIPS buildbot.
1718
1719         * mozilla/mozilla-tests.yaml:
1720
1721 2018-02-01  Mark Lam  <mark.lam@apple.com>
1722
1723         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1724         https://bugs.webkit.org/show_bug.cgi?id=182419
1725         <rdar://problem/37044945>
1726
1727         Reviewed by Saam Barati.
1728
1729         * stress/regress-182419.js: Added.
1730
1731 2018-02-01  Keith Miller  <keith_miller@apple.com>
1732
1733         Fix crashes due to mishandling custom sections.
1734         https://bugs.webkit.org/show_bug.cgi?id=182404
1735         <rdar://problem/36935863>
1736
1737         Reviewed by Saam Barati.
1738
1739         * wasm/Builder.js:
1740         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1741         * wasm/js-api/validate.js:
1742         (assert.truthy):
1743
1744 2018-01-31  Saam Barati  <sbarati@apple.com>
1745
1746         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1747         https://bugs.webkit.org/show_bug.cgi?id=182074
1748         <rdar://problem/36846261>
1749
1750         Reviewed by Mark Lam.
1751
1752         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1753         (assert):
1754         (let.func):
1755         (let.o.foo):
1756         (varFunc):
1757
1758 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1759
1760         Unreviewed, update test262 expects
1761         https://bugs.webkit.org/show_bug.cgi?id=182232
1762
1763         * test262.yaml:
1764
1765 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1766
1767         [JSC] Implement trimStart and trimEnd
1768         https://bugs.webkit.org/show_bug.cgi?id=182233
1769
1770         Reviewed by Mark Lam.
1771
1772         * stress/trim.js: Added.
1773         (shouldBe):
1774         (startTest):
1775         (endTest):
1776         (trimTest):
1777
1778 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1779
1780         [JSC] Relax line terminators in String to make JSON subset of JS
1781         https://bugs.webkit.org/show_bug.cgi?id=182232
1782
1783         Reviewed by Keith Miller.
1784
1785         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1786         * stress/relaxed-line-terminators-in-string.js: Added.
1787         (shouldBe):
1788
1789 2018-01-29  Michael Saboff  <msaboff@apple.com>
1790
1791         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1792         https://bugs.webkit.org/show_bug.cgi?id=182249
1793
1794         Reviewed by Keith Miller.
1795
1796         New regression test.
1797
1798         * stress/compare-clobber-untypeduse.js: Added.
1799
1800 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1801
1802         Unreviewed, rolling out r227725.
1803
1804         This caused internal failures.
1805
1806         Reverted changeset:
1807
1808         "JSC Sampling Profiler: Detect tester and testee when sampling
1809         in RegExp JIT"
1810         https://bugs.webkit.org/show_bug.cgi?id=152729
1811         https://trac.webkit.org/changeset/227725
1812
1813 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1814
1815         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1816         https://bugs.webkit.org/show_bug.cgi?id=152729
1817
1818         Reviewed by Saam Barati.
1819
1820         * stress/sampling-profiler-regexp.js: Added.
1821         (platformSupportsSamplingProfiler.test):
1822         (platformSupportsSamplingProfiler.baz):
1823         (platformSupportsSamplingProfiler):
1824
1825 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1826
1827         [DFG][FTL] WeakMap#set should have DFG node
1828         https://bugs.webkit.org/show_bug.cgi?id=180015
1829
1830         Reviewed by Saam Barati.
1831
1832         * stress/weakmap-set-change-get.js: Added.
1833         (shouldBe):
1834         (test):
1835         * stress/weakmap-set-cse.js: Added.
1836         (shouldBe):
1837         (test):
1838         * stress/weakset-add-change-get.js: Added.
1839         (shouldBe):
1840         * stress/weakset-add-cse.js: Added.
1841         (shouldBe):
1842
1843 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1844
1845         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1846         https://bugs.webkit.org/show_bug.cgi?id=182213
1847
1848         Reviewed by Mark Lam.
1849
1850         * stress/int32-min-to-string.js: Added.
1851         (shouldBe):
1852         (test2):
1853         (test4):
1854         (test8):
1855         (test16):
1856         (test32):
1857         * stress/zero-to-string.js: Added.
1858         (shouldBe):
1859         (test2):
1860         (test4):
1861         (test8):
1862         (test16):
1863         (test32):
1864
1865 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1866
1867         Add more module scope related tests with code evaluation by string
1868         https://bugs.webkit.org/show_bug.cgi?id=181983
1869
1870         Reviewed by Sam Weinig.
1871
1872         Add more module scope related tests. When the original tests were landed,
1873         we did not have browser integration. This patch adds more module scope tests
1874         with dynamically created script evaluation. We add tests with Function
1875         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1876
1877         * modules/scopes-eval.js: Added.
1878         (shouldBe):
1879         * modules/scopes.js:
1880         (shouldBe):
1881
1882 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1883
1884         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1885
1886         * microbenchmarks/array-push-3.js: Removed.
1887         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1888         * microbenchmarks/double-to-int32.js: Removed.
1889         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1890         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1891         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1892         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1893         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1894         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1895         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1896         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1897         * microbenchmarks/map-constant-key.js: Removed.
1898         * microbenchmarks/nested-function-parsing.js: Removed.
1899         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1900         * microbenchmarks/spread-large-array.js: Removed.
1901         * microbenchmarks/string-add-constant-folding.js: Removed.
1902         * microbenchmarks/to-lower-case.js: Removed.
1903         * microbenchmarks/undefined-property-access.js: Removed.
1904         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1905         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1906         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1907         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1908         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1909         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1910         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1911         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1912         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1913         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1914         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1915         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1916         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1917         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1918         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1919         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1920         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1921         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1922
1923 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1924
1925         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1926         https://bugs.webkit.org/show_bug.cgi?id=181739
1927         <rdar://problem/36627662>
1928
1929         Reviewed by Saam Barati.
1930
1931         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1932         (foo):
1933         (bar):
1934
1935 2018-01-22  Michael Saboff  <msaboff@apple.com>
1936
1937         DFG abstract interpreter needs to properly model effects of some Math ops
1938         https://bugs.webkit.org/show_bug.cgi?id=181886
1939
1940         Reviewed by Saam Barati.
1941
1942         New regression test.
1943
1944         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1945         (test):
1946
1947 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1948
1949         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1950         https://bugs.webkit.org/show_bug.cgi?id=181182
1951
1952         Reviewed by Darin Adler.
1953
1954         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1955         * stress/big-int-prototype-to-string-exception.js: Added.
1956         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1957         * stress/number-prototype-to-string-cast-overflow.js: Added.
1958         * stress/number-prototype-to-string-exception.js: Added.
1959         * stress/number-prototype-to-string-wrong-values.js: Added.
1960
1961 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1962
1963         Disable Atomics when SharedArrayBuffer isn’t enabled
1964         https://bugs.webkit.org/show_bug.cgi?id=181572
1965
1966         Unreviewed test gardening.
1967
1968         * test262.yaml: Skip tests that fail after this change.
1969
1970 2018-01-19  Saam Barati  <sbarati@apple.com>
1971
1972         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1973         https://bugs.webkit.org/show_bug.cgi?id=181877
1974         <rdar://problem/36630552>
1975
1976         Reviewed by Mark Lam.
1977
1978         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1979         (runNearStackLimit):
1980         (f1):
1981         (f2):
1982         (f3):
1983         (i.catch):
1984         (i.try.runNearStackLimit):
1985         (catch):
1986
1987 2018-01-19  Saam Barati  <sbarati@apple.com>
1988
1989         Spread's effects are modeled incorrectly both in AI and in Clobberize
1990         https://bugs.webkit.org/show_bug.cgi?id=181867
1991         <rdar://problem/36290415>
1992
1993         Reviewed by Michael Saboff.
1994
1995         * stress/ai-needs-to-model-spreads-effects.js: Added.
1996         (try.p.Symbol.iterator):
1997         (try.go):
1998         (catch):
1999         * stress/clobberize-needs-to-model-spread-effects.js: Added.
2000         (assert):
2001         (foo):
2002         (a.Symbol.iterator):
2003
2004 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2005
2006         Unreviewed, reduce count of iteration to fix timing out debug JSC test
2007         https://bugs.webkit.org/show_bug.cgi?id=181535
2008
2009         * stress/inserted-recovery-with-set-last-index.js:
2010
2011 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2012
2013         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
2014         https://bugs.webkit.org/show_bug.cgi?id=181535
2015
2016         Reviewed by Saam Barati.
2017
2018         * stress/inserted-recovery-with-set-last-index.js: Added.
2019         (shouldBe):
2020         (foo):
2021         * stress/materialize-regexp-at-osr-exit.js: Added.
2022         (shouldBe):
2023         (test):
2024         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
2025         (shouldBe):
2026         (test):
2027         * stress/materialize-regexp-cyclic-regexp.js: Added.
2028         (shouldBe):
2029         (test):
2030         (i.switch):
2031         * stress/materialize-regexp-cyclic.js: Added.
2032         (shouldBe):
2033         (test):
2034         (i.switch):
2035         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
2036         (bar):
2037         (foo):
2038         (test):
2039         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
2040         (bar):
2041         (foo):
2042         (test):
2043         * stress/materialize-regexp.js: Added.
2044         (shouldBe):
2045         (test):
2046         * stress/phantom-regexp-regexp-exec.js: Added.
2047         (shouldBe):
2048         (test):
2049         * stress/phantom-regexp-string-match.js: Added.
2050         (shouldBe):
2051         (test):
2052         * stress/regexp-last-index-sinking.js: Added.
2053         (shouldBe):
2054         (test):
2055
2056 2018-01-17  Saam Barati  <sbarati@apple.com>
2057
2058         Disable Atomics when SharedArrayBuffer isn’t enabled
2059         https://bugs.webkit.org/show_bug.cgi?id=181572
2060         <rdar://problem/36553206>
2061
2062         Reviewed by Michael Saboff.
2063
2064         * stress/isLockFree.js:
2065
2066 2018-01-17  Saam Barati  <sbarati@apple.com>
2067
2068         DFG::Node::convertToConstant needs to clear the varargs flags
2069         https://bugs.webkit.org/show_bug.cgi?id=181697
2070         <rdar://problem/36497332>
2071
2072         Reviewed by Yusuke Suzuki.
2073
2074         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
2075         (doIndexOf):
2076         (bar):
2077         (i.bar):
2078
2079 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2080
2081         Unreviewed, rolling out r226937.
2082
2083         Tests added with this change are failing due to a missing
2084         exception check.
2085
2086         Reverted changeset:
2087
2088         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
2089         double to int32_t"
2090         https://bugs.webkit.org/show_bug.cgi?id=181182
2091         https://trac.webkit.org/changeset/226937
2092
2093 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
2094
2095         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2096         https://bugs.webkit.org/show_bug.cgi?id=181182
2097
2098         Reviewed by Darin Adler.
2099
2100         * bigIntTests.yaml:
2101         * stress/big-int-constructor.js:
2102         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
2103         (assert):
2104         (assertThrowRangeError):
2105         * stress/number-prototype-to-string-cast-overflow.js: Added.
2106         (assert):
2107         (assertThrowRangeError):
2108
2109 2018-01-12  Saam Barati  <sbarati@apple.com>
2110
2111         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2112         https://bugs.webkit.org/show_bug.cgi?id=181177
2113         <rdar://problem/36205704>
2114
2115         Reviewed by Yusuke Suzuki.
2116
2117         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
2118         (runNearStackLimit.t):
2119         (runNearStackLimit):
2120         (test.f):
2121         (test):
2122
2123 2018-01-12  Saam Barati  <sbarati@apple.com>
2124
2125         Each variant of a polymorphic inlined call should be exitOK at the top of the block
2126         https://bugs.webkit.org/show_bug.cgi?id=181562
2127         <rdar://problem/36445624>
2128
2129         Reviewed by Yusuke Suzuki.
2130
2131         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
2132         (f):
2133         (foo):
2134
2135 2018-01-11  Saam Barati  <sbarati@apple.com>
2136
2137         When inserting Unreachable in byte code parser we need to flush all the right things
2138         https://bugs.webkit.org/show_bug.cgi?id=181509
2139         <rdar://problem/36423110>
2140
2141         Reviewed by Mark Lam.
2142
2143         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
2144
2145 2018-01-11  Saam Barati  <sbarati@apple.com>
2146
2147         JITMathIC code in the FTL is wrong when code gets duplicated
2148         https://bugs.webkit.org/show_bug.cgi?id=181525
2149         <rdar://problem/36351993>
2150
2151         Reviewed by Michael Saboff and Keith Miller.
2152
2153         * stress/allow-math-ic-b3-code-duplication.js: Added.
2154
2155 2018-01-11  Saam Barati  <sbarati@apple.com>
2156
2157         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
2158         https://bugs.webkit.org/show_bug.cgi?id=181508
2159
2160         Reviewed by Yusuke Suzuki.
2161
2162         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
2163         (assert):
2164         (test1.foo):
2165         (test1):
2166         (test2.foo):
2167         (test2):
2168
2169 2018-01-09  Mark Lam  <mark.lam@apple.com>
2170
2171         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
2172         https://bugs.webkit.org/show_bug.cgi?id=181388
2173         <rdar://problem/36349351>
2174
2175         Reviewed by Saam Barati.
2176
2177         * stress/regress-181388.js: Added.
2178
2179 2018-01-08  JF Bastien  <jfbastien@apple.com>
2180
2181         WebAssembly: mask indexed accesses to Table
2182         https://bugs.webkit.org/show_bug.cgi?id=181412
2183         <rdar://problem/36363236>
2184
2185         Reviewed by Saam Barati.
2186
2187         Update error messages.
2188
2189         * wasm/js-api/table.js:
2190         (assert.throws.WebAssembly.Table.prototype.grow):
2191
2192 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2193
2194         Disable SharedArrayBuffer tests missed in r226386.
2195         https://bugs.webkit.org/show_bug.cgi?id=181266
2196
2197         Unreviewed test gardening.
2198
2199         * test262.yaml:
2200
2201 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2202
2203         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2204         https://bugs.webkit.org/show_bug.cgi?id=181321
2205
2206         Reviewed by Saam Barati.
2207
2208         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2209         (shouldBe):
2210         (testFunction):
2211         * test262.yaml:
2212
2213 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2214
2215         Unreviewed, attempt to fix test262 after r226386.
2216
2217         * test262.yaml:
2218
2219 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2220
2221         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2222         https://bugs.webkit.org/show_bug.cgi?id=179911
2223
2224         Reviewed by Saam Barati.
2225
2226         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2227
2228         * stress/map-set-change-get.js: Added.
2229         (shouldBe):
2230         (test):
2231         * stress/map-set-create-bucket.js: Added.
2232         (shouldBe):
2233         (test):
2234         * stress/set-add-create-bucket.js: Added.
2235         (shouldBe):
2236
2237 2018-01-03  Michael Saboff  <msaboff@apple.com>
2238
2239         Disable SharedArrayBuffers from Web API
2240         https://bugs.webkit.org/show_bug.cgi?id=181266
2241
2242         Reviewed by Saam Barati.
2243
2244         Disabled SharedArrayBuffer tests.
2245
2246         * stress/SharedArrayBuffer-opt.js:
2247         * stress/SharedArrayBuffer.js:
2248         * stress/array-buffer-byte-length.js:
2249         * stress/atomics-add-uint32.js:
2250         * stress/atomics-known-int-use.js:
2251         * stress/atomics-neg-zero.js:
2252         * stress/atomics-store-return.js:
2253         * stress/lars-sab-workers.js:
2254         * stress/regress-159779-1.js:
2255         * stress/regress-159779-2.js:
2256         * stress/regress-170473.js:
2257         * test262.yaml:
2258
2259 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2260
2261         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2262         https://bugs.webkit.org/show_bug.cgi?id=181258
2263
2264         Reviewed by Antonio Gomes.
2265
2266         * stress/big-int-constructor-gc.js:
2267         * stress/big-int-constructor-oom.js:
2268
2269 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2270
2271         Inlining of a function that ends in op_unreachable crashes
2272         https://bugs.webkit.org/show_bug.cgi?id=181027
2273
2274         Reviewed by Filip Pizlo.
2275
2276         * stress/inlining-unreachable.js: Added.
2277         (bar):
2278         (baz):
2279         (i.catch):
2280
2281 2018-01-02  Saam Barati  <sbarati@apple.com>
2282
2283         Incorrect assertion inside AccessCase
2284         https://bugs.webkit.org/show_bug.cgi?id=181200
2285         <rdar://problem/35494754>
2286
2287         Reviewed by Yusuke Suzuki.
2288
2289         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2290         (ctor):
2291         (theFunc):
2292         (run):
2293
2294 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2295
2296         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2297         https://bugs.webkit.org/show_bug.cgi?id=175359
2298
2299         Reviewed by Yusuke Suzuki.
2300
2301         * bigIntTests.yaml:
2302         * stress/big-int-as-key.js: Added.
2303         * stress/big-int-constructor-gc.js: Added.
2304         * stress/big-int-constructor-oom.js: Added.
2305         * stress/big-int-constructor-properties.js: Added.
2306         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2307         * stress/big-int-constructor-prototype.js: Added.
2308         * stress/big-int-constructor.js: Added.
2309         * stress/big-int-function-apply.js:
2310         * stress/big-int-length.js: Added.
2311         * stress/big-int-prop-descriptor.js: Added.
2312         * stress/big-int-proto-constructor.js: Added.
2313         * stress/big-int-proto-name.js: Added.
2314         * stress/big-int-prototype-properties.js: Added.
2315         * stress/big-int-prototype-proto.js: Added.
2316         * stress/big-int-prototype-value-of.js: Added.
2317         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2318         * stress/big-int-prototype-to-string-apply.js: Added.
2319         * stress/big-int-to-object.js: Added.
2320         * stress/big-int-to-string.js: Added.
2321
2322 2017-12-28  Saam Barati  <sbarati@apple.com>
2323
2324         Assertion used to determine if something is an async generator is wrong
2325         https://bugs.webkit.org/show_bug.cgi?id=181168
2326         <rdar://problem/35640560>
2327
2328         Reviewed by Yusuke Suzuki.
2329
2330         * stress/async-generator-assertion.js: Added.
2331
2332 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2333
2334         Skip stress/splay-flash-access tests on memory limited platforms
2335         https://bugs.webkit.org/show_bug.cgi?id=181086
2336
2337         Reviewed by Carlos Alberto Lopez Perez.
2338
2339         These tests use about 185M of memory, and occasionally get OOM-killed
2340         on memory limited platforms.
2341
2342         * stress/splay-flash-access-1ms.js:
2343         * stress/splay-flash-access.js:
2344
2345 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2346
2347         Skip slow jsc tests on embedded platforms
2348         https://bugs.webkit.org/show_bug.cgi?id=180937
2349
2350         Reviewed by Carlos Alberto Lopez Perez.
2351
2352         The tests typeProfiler/deltablue-for-of.js and
2353         typeProfiler/getter-richards.js take a very long time in the
2354         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
2355         thus always time out. They should be skipped on these platforms.
2356
2357         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2358         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2359
2360 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2361
2362         [JSC] Do not check isValid() in op_new_regexp
2363         https://bugs.webkit.org/show_bug.cgi?id=180970
2364
2365         Reviewed by Saam Barati.
2366
2367         * stress/regexp-syntax-error-invalid-flags.js: Added.
2368         (shouldThrow):
2369
2370 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2371
2372         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2373         https://bugs.webkit.org/show_bug.cgi?id=180712
2374
2375         Reviewed by Michael Catanzaro.
2376
2377         stress/call-apply-exponential-bytecode-size.js crashes if the
2378         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2379         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2380         should skip the test on other platforms.
2381
2382         * stress/call-apply-exponential-bytecode-size.js:
2383
2384 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2385
2386         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2387         https://bugs.webkit.org/show_bug.cgi?id=179762
2388
2389         Reviewed by Saam Barati.
2390
2391         * stress/call-varargs-double-new-array-buffer.js: Added.
2392         (assert):
2393         (bar):
2394         (foo):
2395         * stress/call-varargs-spread-new-array-buffer.js: Added.
2396         (assert):
2397         (bar):
2398         (foo):
2399         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2400         (assert):
2401         (bar):
2402         (foo):
2403         * stress/forward-varargs-double-new-array-buffer.js: Added.
2404         (assert):
2405         (test.baz):
2406         (test.bar):
2407         (test.foo):
2408         (test):
2409         * stress/new-array-buffer-sinking-osrexit.js: Added.
2410         (target):
2411         (test):
2412         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2413         (shouldBe):
2414         (test):
2415         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2416         (shouldBe):
2417         (target):
2418         (test):
2419         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2420         (assert):
2421         (test1.bar):
2422         (test1.foo):
2423         (test1):
2424         (test2.bar):
2425         (test2.foo):
2426         (test3.baz):
2427         (test3.bar):
2428         (test3.foo):
2429         (test4.baz):
2430         (test4.bar):
2431         (test4.foo):
2432         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2433         (assert):
2434         (test.baz):
2435         (test.bar):
2436         (test.foo):
2437         (test):
2438         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2439         (assert):
2440         (baz):
2441         (bar):
2442         (effects):
2443         (foo):
2444
2445 2017-12-14  Saam Barati  <sbarati@apple.com>
2446
2447         The CleanUp after LICM is erroneously removing a Check
2448         https://bugs.webkit.org/show_bug.cgi?id=180852
2449         <rdar://problem/36063494>
2450
2451         Reviewed by Filip Pizlo.
2452
2453         * stress/dont-run-cleanup-after-licm.js: Added.
2454
2455 2017-12-14  Michael Saboff  <msaboff@apple.com>
2456
2457         REGRESSION (r225695): Repro crash on yahoo login page
2458         https://bugs.webkit.org/show_bug.cgi?id=180761
2459
2460         Reviewed by JF Bastien.
2461
2462         New regression test.
2463
2464         * stress/regress-180761.js: Added.
2465
2466 2017-12-13  Keith Miller  <keith_miller@apple.com>
2467
2468         JSObjects should have a mask for loading indexed properties
2469         https://bugs.webkit.org/show_bug.cgi?id=180768
2470
2471         Reviewed by Mark Lam.
2472
2473         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2474         (test):
2475
2476 2017-12-13  Saam Barati  <sbarati@apple.com>
2477
2478         Arrow functions need their own structure because they have different properties than sloppy functions
2479         https://bugs.webkit.org/show_bug.cgi?id=180779
2480         <rdar://problem/35814591>
2481
2482         Reviewed by Mark Lam.
2483
2484         * stress/arrow-function-needs-its-own-structure.js: Added.
2485         (assert):
2486         (readPrototype):
2487         (noInline.let.f1):
2488         (noInline):
2489
2490 2017-12-13  Saam Barati  <sbarati@apple.com>
2491
2492         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2493         https://bugs.webkit.org/show_bug.cgi?id=163579
2494         <rdar://problem/35455798>
2495
2496         Reviewed by Mark Lam.
2497
2498         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2499         (assert):
2500         (test1):
2501         (i.test1):
2502         (i.test1.C):
2503         (i.test1.async.foo):
2504         (i.test1.foo):
2505         (test2):
2506
2507 2017-12-13  Saam Barati  <sbarati@apple.com>
2508
2509         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2510         https://bugs.webkit.org/show_bug.cgi?id=180734
2511         <rdar://problem/35640547>
2512
2513         Reviewed by Yusuke Suzuki.
2514
2515         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2516         (__isPropertyOfType):
2517         (__getProperties):
2518         (__getObjects):
2519         (__getRandomObject):
2520         (theClass.):
2521         (theClass):
2522         (childClass):
2523         (counter.catch):
2524
2525 2017-12-12  Saam Barati  <sbarati@apple.com>
2526
2527         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2528         https://bugs.webkit.org/show_bug.cgi?id=180725
2529         <rdar://problem/35970511>
2530
2531         Reviewed by Michael Saboff.
2532
2533         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2534         (f1):
2535         (f2):
2536         (let.o2.valueOf):
2537
2538 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2539
2540         [JSC] Implement optimized WeakMap and WeakSet
2541         https://bugs.webkit.org/show_bug.cgi?id=179929
2542
2543         Reviewed by Saam Barati.
2544
2545         * microbenchmarks/weak-map-key.js:
2546         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2547         (assert):
2548         (objectKey):
2549         (let.start.Date.now):
2550         * stress/basic-weakmap.js: Added.
2551         (shouldBe):
2552         (test):
2553         * stress/basic-weakset.js: Added.
2554         (shouldBe):
2555         (test.set new):
2556         * stress/weakmap-cse-set-break.js: Added.
2557         (shouldBe):
2558         (test):
2559         * stress/weakmap-cse.js: Added.
2560         (shouldBe):
2561         (test):
2562         * stress/weakmap-gc.js: Added.
2563         (test):
2564         * stress/weakset-cse-add-break.js: Added.
2565         (shouldBe):
2566         (test.set new):
2567         * stress/weakset-cse.js: Added.
2568         (shouldBe):
2569         (test.set new):
2570         * stress/weakset-gc.js: Added.
2571         (test.set add):
2572         (test.set new):
2573         (test):
2574
2575 2017-12-12  Saam Barati  <sbarati@apple.com>
2576
2577         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2578         https://bugs.webkit.org/show_bug.cgi?id=180723
2579         <rdar://problem/35859726>
2580
2581         Reviewed by JF Bastien.
2582
2583         * stress/get-my-argument-by-val-constant-folding.js: Added.
2584         (test):
2585         (catch):
2586
2587 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2588
2589         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2590         https://bugs.webkit.org/show_bug.cgi?id=179000
2591
2592         Reviewed by Darin Adler and Yusuke Suzuki.
2593
2594         * bigIntTests.yaml: Added.
2595         * stress/big-int-literal-line-terminator.js: Added.
2596         * stress/big-int-literals.js: Added.
2597         * stress/big-int-operations-error.js: Added.
2598         * stress/big-int-type-of.js: Added.
2599         * stress/big-int-white-space-trailing-leading.js: Added.
2600         * stress/big-int-function-apply.js: Added.
2601
2602 2017-12-11  Saam Barati  <sbarati@apple.com>
2603
2604         We need to disableCaching() in ErrorInstance when we materialize properties
2605         https://bugs.webkit.org/show_bug.cgi?id=180343
2606         <rdar://problem/35833002>
2607
2608         Reviewed by Mark Lam.
2609
2610         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2611         (assert):
2612         (makeError):
2613         (storeToStack):
2614         (storeToStackAlreadyMaterialized):
2615
2616 2017-12-05  JF Bastien  <jfbastien@apple.com>
2617
2618         WebAssembly: don't eagerly checksum
2619         https://bugs.webkit.org/show_bug.cgi?id=180441
2620         <rdar://problem/35156628>
2621
2622         Reviewed by Saam Barati.
2623
2624         Checksum is now disabled, so tests only have <?> as the module
2625         name.
2626
2627         * wasm/function-tests/nameSection.js:
2628         * wasm/function-tests/stack-overflow.js:
2629         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2630         (assertOverflows.assertThrows):
2631         (assertOverflows):
2632         * wasm/function-tests/stack-trace.js:
2633
2634 2017-12-04  JF Bastien  <jfbastien@apple.com>
2635
2636         Proxy all functions, except the $ objects
2637         https://bugs.webkit.org/show_bug.cgi?id=180375
2638
2639         Reviewed by Saam Barati.
2640
2641         It looks like this test may have broken some executions because I
2642         call some internal objects. Explicitly ignore objects whose name
2643         starts with "$" because it's a bad idea anyways.
2644
2645         * stress/proxy-all-the-parameters.js:
2646         (generateObjects):
2647         (get throw):
2648
2649 2017-12-04  Saam Barati  <sbarati@apple.com>
2650
2651         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2652         https://bugs.webkit.org/show_bug.cgi?id=180366
2653         <rdar://problem/35685877>
2654
2655         Reviewed by Michael Saboff.
2656
2657         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2658         (theParent):
2659         (test1.base.getParentStaticValue):
2660         (test1.base):
2661         (test1.__v_24888.prototype.set prop):
2662         (test1.__v_24888):
2663         (test2.base.getParentStaticValue):
2664         (test2.base):
2665         (test2.__v_24888.prototype.set prop):
2666         (test2.__v_24888):
2667         (test2):
2668
2669 2017-12-01  JF Bastien  <jfbastien@apple.com>
2670
2671         Try proxying all function arguments
2672         https://bugs.webkit.org/show_bug.cgi?id=180306
2673
2674         Reviewed by Saam Barati.
2675
2676         * stress/proxy-all-the-parameters.js: Added.
2677         (isPropertyOfType):
2678         (getProperties):
2679         (generateObjects):
2680         (getObjects):
2681         (getFunctions):
2682         (get throw):
2683         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2684
2685 2017-12-01  JF Bastien  <jfbastien@apple.com>
2686
2687         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2688         https://bugs.webkit.org/show_bug.cgi?id=180297
2689         <rdar://problem/35745556>
2690
2691         Reviewed by Mark Lam.
2692
2693         * stress/math-exceptions.js: Added.
2694         (get try):
2695         (catch):
2696
2697 2017-12-01  JF Bastien  <jfbastien@apple.com>
2698
2699         JavaScriptCore: add test for weird class static getters
2700         https://bugs.webkit.org/show_bug.cgi?id=180281
2701         <rdar://problem/35592139>
2702
2703         Reviewed by Mark Lam.
2704
2705         I fixed a bug for it in r224927 and didn't add a test. Do so.
2706
2707         * stress/class-static-get-weird.js: Added.
2708         (c.prototype.get name):
2709         (c):
2710         (c.prototype.get arguments):
2711         (c.prototype.get caller):
2712         (c.prototype.get length):
2713
2714 2017-12-01  Saam Barati  <sbarati@apple.com>
2715
2716         Having a bad time needs to handle ArrayClass indexing type as well
2717         https://bugs.webkit.org/show_bug.cgi?id=180274
2718         <rdar://problem/35667869>
2719
2720         Reviewed by Keith Miller and Mark Lam.
2721
2722         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2723         (assert):
2724         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2725         (assert):
2726
2727 2017-12-01  JF Bastien  <jfbastien@apple.com>
2728
2729         WebAssembly: restore cached stack limit after out-call
2730         https://bugs.webkit.org/show_bug.cgi?id=179106
2731         <rdar://problem/35337525>
2732
2733         Reviewed by Saam Barati.
2734
2735         * wasm/function-tests/double-instance.js: Added.
2736         (const.imp.boom):
2737         (const.imp.get callAnother):
2738
2739 2017-11-30  JF Bastien  <jfbastien@apple.com>
2740
2741         WebAssembly: improve stack trace
2742         https://bugs.webkit.org/show_bug.cgi?id=179343
2743
2744         Reviewed by Saam Barati.
2745
2746         Update the tests to follow the new format. Notably, SHA1 module
2747         hash is now included in traces, and stubs are properly identified.
2748
2749         * wasm/assert.js: Add an assertion which matches regular expressions.
2750         * wasm/function-tests/nameSection.js:
2751         * wasm/function-tests/stack-overflow.js:
2752         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2753         (assertOverflows.assertThrows.wasm.1):
2754         (assertOverflows.assertThrows.wasm.0):
2755         (assertOverflows.assertThrows):
2756         (assertOverflows):
2757         * wasm/function-tests/stack-trace.js:
2758         (import.Builder.from.string_appeared_here.assert): Deleted.
2759         * wasm/function-tests/trap-after-cross-instance-call.js:
2760         (wasmFrameCountFromError):
2761         * wasm/function-tests/trap-load-2.js:
2762         (wasmFrameCountFromError):
2763         * wasm/function-tests/trap-load.js:
2764         (wasmFrameCountFromError):
2765
2766 2017-11-30  Mark Lam  <mark.lam@apple.com>
2767
2768         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2769         https://bugs.webkit.org/show_bug.cgi?id=180219
2770         <rdar://problem/35696536>
2771
2772         Reviewed by Filip Pizlo.
2773
2774         * stress/regress-180219.js: Added.
2775
2776 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2777
2778         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2779         https://bugs.webkit.org/show_bug.cgi?id=180190
2780
2781         Reviewed by Mark Lam.
2782
2783         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2784         (shouldBe):
2785         (test1):
2786         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2787         (shouldBe):
2788         (test1):
2789         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2790         (shouldBe):
2791         (test1):
2792         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2793         (shouldBe):
2794         (test1):
2795         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2796         (shouldBe):
2797         (test1):
2798         * stress/operation-in-may-have-negative-int32.js: Added.
2799         (shouldBe):
2800         (test2):
2801         * stress/operation-in-negative-int32-cast.js: Added.
2802         (shouldBe):
2803         (test1):
2804
2805 2017-11-28  JF Bastien  <jfbastien@apple.com>
2806
2807         Strict and sloppy functions shouldn't share structure
2808         https://bugs.webkit.org/show_bug.cgi?id=180103
2809         <rdar://problem/35667847>
2810
2811         Reviewed by Saam Barati.
2812
2813         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2814         because the IC was wrong.
2815         (foo):
2816         (bar):
2817         (baz):
2818         (catch):
2819         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2820         in this patch, but may as well test odd strict mode corner cases.
2821         (bar):
2822         (baz):
2823         (catch):
2824         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2825         (foo):
2826         (bar):
2827         (baz):
2828         (catch):
2829         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2830         next file, but with invalidation of the FunctionExecutable's
2831         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2832         slower path.
2833         (foo):
2834         (bar.const.x):
2835         (bar.const.y):
2836         (bar):
2837         (catch):
2838         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2839         strict nesting works correctly.
2840         (foo):
2841         (bar.baz):
2842         (bar):
2843         * stress/strict-function-structure.js: Added. The test used to
2844         assert in objectProtoFuncHasOwnProperty.
2845         (foo):
2846         (bar):
2847         (baz):
2848         * stress/strict-nested-function-structure.js: Added. Nesting.
2849         (foo):
2850         (bar):
2851         (baz.boo):
2852         (baz):
2853
2854 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2855
2856         The recursive tail call optimisation is wrong on closures
2857         https://bugs.webkit.org/show_bug.cgi?id=179835
2858
2859         Reviewed by Saam Barati.
2860
2861         * stress/closure-recursive-tail-call.js: Added.
2862         (makeClosure):
2863
2864 2017-11-27  JF Bastien  <jfbastien@apple.com>
2865
2866         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2867         https://bugs.webkit.org/show_bug.cgi?id=180051
2868         <rdar://problem/35614371>
2869
2870         Reviewed by Saam Barati.
2871
2872         * stress/rest-parameter-negative.js: Added.
2873         (__f_5484):
2874         (catch):
2875         (__f_5485):
2876         (__v_22598.catch):
2877
2878 2017-11-27  Saam Barati  <sbarati@apple.com>
2879
2880         Spread can escape when CreateRest does not
2881         https://bugs.webkit.org/show_bug.cgi?id=180057
2882         <rdar://problem/35676119>
2883
2884         Reviewed by JF Bastien.
2885
2886         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2887         (assert):
2888         (getProperties):
2889         (theFunc):
2890         (let.obj.valueOf):
2891
2892 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2893
2894         [DFG] Add NormalizeMapKey DFG IR
2895         https://bugs.webkit.org/show_bug.cgi?id=179912
2896
2897         Reviewed by Saam Barati.
2898
2899         * stress/map-untyped-normalize-cse.js: Added.
2900         (shouldBe):
2901         (test):
2902         * stress/map-untyped-normalize.js: Added.
2903         (shouldBe):
2904         (test):
2905         * stress/set-untyped-normalize-cse.js: Added.
2906         (shouldBe):
2907         (set return.set has.set has):
2908         * stress/set-untyped-normalize.js: Added.
2909         (shouldBe):
2910         (set return.set has):
2911
2912 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2913
2914         [FTL] Support DeleteById and DeleteByVal
2915         https://bugs.webkit.org/show_bug.cgi?id=180022
2916
2917         Reviewed by Saam Barati.
2918
2919         * stress/delete-by-id.js: Added.
2920         (shouldBe):
2921         (test1):
2922         (test2):
2923         * stress/delete-by-val-ftl.js: Added.
2924         (shouldBe):
2925         (test1):
2926         (test2):
2927
2928 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2929
2930         [DFG] Introduce {Set,Map,WeakMap}Fields
2931         https://bugs.webkit.org/show_bug.cgi?id=179925
2932
2933         Reviewed by Saam Barati.
2934
2935         * stress/map-set-clobber-map-get.js: Added.
2936         (shouldBe):
2937         (test):
2938         * stress/map-set-does-not-clobber-set-has.js: Added.
2939         (shouldBe):
2940         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2941         (shouldBe):
2942         (test):
2943         * stress/set-add-clobber-set-has.js: Added.
2944         (shouldBe):
2945         * stress/set-add-does-not-clobber-map-get.js: Added.
2946         (shouldBe):
2947
2948 2017-11-24  Mark Lam  <mark.lam@apple.com>
2949
2950         Move unsafe jsc shell test functions to the $vm object.
2951         https://bugs.webkit.org/show_bug.cgi?id=179980
2952
2953         Reviewed by Yusuke Suzuki.
2954
2955         * controlFlowProfiler/driver/driver.js:
2956         * controlFlowProfiler/execution-count.js:
2957         * controlFlowProfiler/if-statement.js:
2958         * controlFlowProfiler/loop-statements.js:
2959         * controlFlowProfiler/switch-statements.js:
2960         * controlFlowProfiler/test-jit.js:
2961         * exceptionFuzz/3d-cube.js:
2962         * exceptionFuzz/date-format-xparb.js:
2963         * exceptionFuzz/earley-boyer.js:
2964         * heapProfiler/basic-edges.js:
2965         * heapProfiler/property-edge-types.js:
2966         * microbenchmarks/try-get-by-id-basic.js:
2967         * microbenchmarks/try-get-by-id-polymorphic.js:
2968         * modules/namespace-object-try-get.js:
2969         * stress/argument-count-bytecode.js:
2970         * stress/argument-intrinsic-basic.js:
2971         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2972         * stress/argument-intrinsic-inlining-with-result-escape.js:
2973         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2974         * stress/argument-intrinsic-inlining-with-vararg.js:
2975         * stress/argument-intrinsic-nested-inlining.js:
2976         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2977         * stress/argument-intrinsic-with-stack-write.js:
2978         * stress/arity-mismatch-get-argument.js:
2979         * stress/array-message-passing.js:
2980         * stress/array-push-with-force-exit.js:
2981         * stress/check-dom-with-signature.js:
2982         * stress/check-sub-class.js:
2983         * stress/compare-eq-incomplete-profile.js:
2984         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2985         * stress/do-eval-virtual-call-correctly.js:
2986         * stress/dom-jit-with-poly-proto.js:
2987         * stress/domjit-exception-ic.js:
2988         * stress/domjit-exception.js:
2989         * stress/domjit-getter-complex-with-incorrect-object.js:
2990         * stress/domjit-getter-complex.js:
2991         * stress/domjit-getter-poly.js:
2992         * stress/domjit-getter-proto.js:
2993         * stress/domjit-getter-super-poly.js:
2994         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2995         * stress/domjit-getter-type-check.js:
2996         * stress/domjit-getter.js:
2997         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2998         * stress/for-in-proxy-target-changed-structure.js:
2999         * stress/for-in-proxy.js:
3000         * stress/generational-opaque-roots.js:
3001         * stress/global-const-redeclaration-setting-2.js:
3002         * stress/global-const-redeclaration-setting-3.js:
3003         * stress/global-const-redeclaration-setting-4.js:
3004         * stress/global-const-redeclaration-setting-5.js:
3005         * stress/global-const-redeclaration-setting.js:
3006         * stress/import-basic.js:
3007         * stress/import-from-eval.js:
3008         * stress/import-reject-with-exception.js:
3009         * stress/import-syntax.js:
3010         * stress/impure-get-own-property-slot-inline-cache.js:
3011         * stress/is-constructor.js:
3012         * stress/istypedarrayview-intrinsic.js:
3013         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
3014         * stress/jsc-test-functions-should-be-more-robust.js:
3015         * stress/object-toString-with-proxy.js:
3016         * stress/poly-proto-custom-value-and-accessor.js:
3017         * stress/proxy-inline-cache.js:
3018         * stress/re-execute-error-module.js:
3019         * stress/regress-150532.js:
3020         * stress/regress-156992.js:
3021         * stress/regress-179619.js:
3022         * stress/resources/shadow-chicken-support.js:
3023         * stress/runtime-array.js:
3024         * stress/sampling-profiler-microtasks.js:
3025         * stress/shadow-chicken-enabled.js:
3026         * stress/spread-correct-global-object-on-exception.js:
3027         * stress/super-get-by-id.js:
3028         * stress/tailCallForwardArguments.js:
3029         * stress/to-object-intrinsic-boolean-edge.js:
3030         * stress/to-object-intrinsic-null-or-undefined-edge.js:
3031         * stress/to-object-intrinsic-number-edge.js:
3032         * stress/to-object-intrinsic-object-edge.js:
3033         * stress/to-object-intrinsic-string-edge.js:
3034         * stress/to-object-intrinsic-symbol-edge.js:
3035         * stress/to-object-intrinsic.js:
3036         * stress/try-catch-custom-getter-as-get-by-id.js:
3037         * stress/try-get-by-id-poly-proto.js:
3038         * stress/try-get-by-id-should-spill-registers-dfg.js:
3039         * stress/try-get-by-id.js:
3040         * typeProfiler/arrow-functions.js:
3041         * typeProfiler/basic.js:
3042         * typeProfiler/captured.js:
3043         * typeProfiler/classes.js:
3044         * typeProfiler/dfg-jit-optimizations.js:
3045         * typeProfiler/dictionary-mode.js:
3046         * typeProfiler/es6-block-scoping.js:
3047         * typeProfiler/es6-classes.js:
3048         * typeProfiler/inheritance.js:
3049         * typeProfiler/int52-dfg.js:
3050         * typeProfiler/loop.js:
3051         * typeProfiler/optional-fields.js:
3052         * typeProfiler/overflow.js:
3053         * typeProfiler/return.js:
3054         * typeProfiler/symbol.js:
3055         * typeProfiler/weird-prototype-chain.js:
3056
3057 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3058
3059         [DFG][FTL] Support MapSet / SetAdd intrinsics
3060         https://bugs.webkit.org/show_bug.cgi?id=179858
3061
3062         Reviewed by Saam Barati.
3063
3064         * microbenchmarks/map-has-and-set.js: Added.
3065         (test):
3066         * stress/map-set-check-failure.js: Added.
3067         (shouldBe):
3068         (shouldThrow):
3069         (target):
3070         * stress/map-set-cse.js: Added.
3071         (shouldBe):
3072         (test):
3073         * stress/set-add-check-failure.js: Added.
3074         (shouldBe):
3075         (shouldThrow):
3076         (set shouldThrow):
3077         * stress/set-add-cse.js: Added.
3078         (shouldBe):
3079
3080 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3081
3082         [JSC] Allow poly proto for intrinsic getters
3083         https://bugs.webkit.org/show_bug.cgi?id=179550
3084
3085         Reviewed by Saam Barati.
3086
3087         This change is also tested by existing tests.
3088
3089             1. stress/intrinsic-getter-with-poly-proto.js
3090             2. stress/poly-proto-intrinsic-getter-correctness.js
3091
3092         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
3093         (shouldBe):
3094         (makePolyProtoObject.foo.C):
3095         (makePolyProtoObject.foo):
3096         (makePolyProtoObject):
3097         (target):
3098         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
3099         (shouldBe):
3100         (makePolyProtoObject.foo.C):
3101         (makePolyProtoObject.foo):
3102         (makePolyProtoObject):
3103         (target):
3104
3105 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
3106
3107         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
3108         https://bugs.webkit.org/show_bug.cgi?id=179744
3109
3110         Reviewed by Michael Catanzaro.
3111
3112         This test uses too much memory for our buildbots on these platforms
3113         and gets OOM-killed.
3114
3115         * stress/unshiftCountSlowCase-correct-postCapacity.js:
3116         Skip if $memoryLimited and linux.
3117
3118 2017-11-17  JF Bastien  <jfbastien@apple.com>
3119
3120         WebAssembly JS API: throw when a promise can't be created
3121         https://bugs.webkit.org/show_bug.cgi?id=179826
3122         <rdar://problem/35455813>
3123
3124         Reviewed by Mark Lam.
3125
3126         Test WebAssembly.{compile,instantiate} where promise creation
3127         fails because of a stack overflow.
3128
3129         * wasm/js-api/promise-stack-overflow.js: Added.
3130         (const.runNearStackLimit.f.const.t):
3131         (async.testCompile):
3132         (async.testInstantiate):
3133
3134 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3135
3136         Unreviewed, mark regress-178385.js as memory exhausting
3137
3138         * stress/regress-178385.js:
3139
3140 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
3141
3142         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
3143
3144         Unreviewed test gardening.
3145
3146         * test262.yaml:
3147
3148 2017-11-16  Robin Morisset  <rmorisset@apple.com>
3149
3150         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
3151         https://bugs.webkit.org/show_bug.cgi?id=179763
3152         <rdar://problem/35550513>
3153
3154         Reviewed by Keith Miller.
3155
3156         Just adding a slightly cleaned-up version of the original fuzzer-found test.
3157
3158         * stress/tdz-this-in-try-catch.js: Added.
3159         (__v_6388):
3160         (__v_6392):
3161
3162 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3163
3164         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3165         https://bugs.webkit.org/show_bug.cgi?id=179594
3166
3167         Reviewed by Saam Barati.
3168
3169         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
3170         (shouldBe):
3171         (args):
3172         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
3173         (shouldBe):
3174         (args):
3175
3176 2017-11-14  Saam Barati  <sbarati@apple.com>
3177
3178         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3179         https://bugs.webkit.org/show_bug.cgi?id=179639
3180         <rdar://problem/35513018>
3181
3182         Reviewed by JF Bastien.
3183
3184         * wasm/function-tests/grow-memory-cause-gc.js: Added.
3185         (escape):
3186         (i.func):
3187
3188 2017-11-13  Mark Lam  <mark.lam@apple.com>
3189
3190         Add more overflow check book-keeping for MarkedArgumentBuffer.
3191         https://bugs.webkit.org/show_bug.cgi?id=179634
3192         <rdar://problem/35492517>
3193
3194         Reviewed by Saam Barati.
3195
3196         * stress/regress-179634.js: Added.
3197
3198 2017-11-13  Mark Lam  <mark.lam@apple.com>
3199
3200         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3201         https://bugs.webkit.org/show_bug.cgi?id=179619
3202         <rdar://problem/35492518>
3203
3204         Reviewed by Saam Barati.
3205
3206         * stress/regress-179619.js: Added.
3207
3208 2017-11-12  Mark Lam  <mark.lam@apple.com>
3209
3210         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3211         https://bugs.webkit.org/show_bug.cgi?id=179562
3212         <rdar://problem/35467022>
3213
3214         Reviewed by Saam Barati.
3215
3216         * regress-179562.js: Added.
3217
3218 2017-11-08  Saam Barati  <sbarati@apple.com>
3219
3220         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3221         https://bugs.webkit.org/show_bug.cgi?id=177792
3222
3223         Reviewed by Yusuke Suzuki.
3224
3225         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3226         (assert):
3227         (foo.Foo.prototype.ensureX):
3228         (foo.Foo):
3229         (foo):
3230         (access):
3231
3232 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3233
3234         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3235         https://bugs.webkit.org/show_bug.cgi?id=178592
3236
3237         Unreviewed test gardening.
3238
3239         * test262.yaml:
3240
3241 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3242
3243         Turn recursive tail calls into loops
3244         https://bugs.webkit.org/show_bug.cgi?id=176601
3245
3246         Reviewed by Saam Barati.
3247
3248         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3249
3250         Add some simple tests that compute factorial in several ways, and other trivial computations.
3251         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
3252         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3253         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3254         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3255
3256         * stress/inline-call-to-recursive-tail-call.js: Added.
3257         (factorial.aux):
3258         (factorial):
3259         (factorial2.aux2):
3260         (factorial2.id):
3261         (factorial2):
3262         (factorial3.aux3):
3263         (factorial3):
3264         (aux4):
3265         (factorial4):
3266         (foo):
3267         (auxBar):
3268         (bar):
3269         (test):
3270
3271 2017-11-07  Mark Lam  <mark.lam@apple.com>
3272
3273         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3274         https://bugs.webkit.org/show_bug.cgi?id=179355
3275         <rdar://problem/35263053>
3276
3277         Reviewed by Saam Barati.
3278
3279         * stress/regress-179355.js: Added.
3280
3281 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3282
3283         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3284         https://bugs.webkit.org/show_bug.cgi?id=144458
3285
3286         Reviewed by Saam Barati.
3287
3288         * microbenchmarks/dfg-internal-function-call.js: Added.
3289         (target):
3290         * microbenchmarks/dfg-internal-function-construct.js: Added.
3291         (target):
3292         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3293         (target):
3294         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3295         (target):
3296         * stress/dfg-internal-function-call.js: Added.
3297         (shouldBe):
3298         (target):
3299         * stress/dfg-internal-function-construct.js: Added.
3300         (shouldBe):
3301         (target):
3302         * stress/internal-function-call.js: Added.
3303         (shouldBe):
3304         * stress/internal-function-construct.js: Added.
3305         (shouldBe):
3306
3307 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3308
3309         [Win] Skip stress/regress-178385.js.
3310         https://bugs.webkit.org/show_bug.cgi?id=179298
3311
3312         Unreviewed test gardening.
3313
3314         * stress/regress-178385.js:
3315
3316 2017-11-03  Keith Miller  <keith_miller@apple.com>
3317
3318         Add test for ic with side effects
3319         https://bugs.webkit.org/show_bug.cgi?id=179268
3320
3321         Reviewed by Saam Barati.
3322
3323         * stress/put-inline-cache-side-effects.js: Added.
3324         (let.i.of.objs.keys):
3325         (f):
3326
3327 2017-11-03  Mark Lam  <mark.lam@apple.com>
3328
3329         CachedCall (and its clients) needs overflow checks.
3330         https://bugs.webkit.org/show_bug.cgi?id=179185
3331
3332         Reviewed by JF Bastien.
3333
3334         * stress/regress-179185.js: Added.
3335
3336 2017-11-02  Michael Saboff  <msaboff@apple.com>
3337
3338         DFG needs to handle code motion of code in for..in loop bodies
3339         https://bugs.webkit.org/show_bug.cgi?id=179212
3340
3341         Reviewed by Keith Miller.
3342
3343         New regression test.
3344
3345         * stress/for-in-side-effects.js: Added.
3346         (getPrototypeOf):
3347         (reset):
3348         (testWithoutFTL.f):
3349         (testWithoutFTL):
3350         (testWithFTL.f):
3351         (testWithFTL):
3352
3353 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3354
3355         AI does not correctly model the clobber case of ArithClz32
3356         https://bugs.webkit.org/show_bug.cgi?id=179188
3357
3358         Reviewed by Michael Saboff.
3359
3360         * stress/arith-clz32-effects.js: Added.
3361         (foo):
3362         (valueOf):
3363
3364 2017-11-01  Michael Saboff  <msaboff@apple.com>
3365
3366         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3367         https://bugs.webkit.org/show_bug.cgi?id=179140
3368
3369         Reviewed by Saam Barati.
3370
3371         New regression test.
3372
3373         * stress/regress-179140.js: Added.
3374         (testWithoutFTL):
3375         (testWithFTL):
3376
3377 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3378
3379         [JSC] Introduce @toObject
3380         https://bugs.webkit.org/show_bug.cgi?id=178726
3381
3382         Reviewed by Saam Barati.
3383
3384         * stress/array-copywithin.js:
3385         (shouldThrow):
3386         * stress/object-constructor-boolean-edge.js: Added.
3387         (shouldBe):
3388         (test):
3389         * stress/object-constructor-global.js: Added.
3390         (shouldBe):
3391         * stress/object-constructor-null-edge.js: Added.
3392         (shouldBe):
3393         (test):
3394         * stress/object-constructor-number-edge.js: Added.
3395         (shouldBe):
3396         (test):
3397         * stress/object-constructor-object-edge.js: Added.
3398         (shouldBe):
3399         (test):
3400         (i.arg):
3401         * stress/object-constructor-string-edge.js: Added.
3402         (shouldBe):
3403         (test):
3404         * stress/object-constructor-symbol-edge.js: Added.
3405         (shouldBe):
3406         (test):
3407         * stress/object-constructor-undefined-edge.js: Added.
3408         (shouldBe):
3409         (test):
3410         * stress/symbol-array-from.js: Added.
3411         (shouldBe):
3412         * stress/to-object-intrinsic-boolean-edge.js: Added.
3413         (shouldBe):
3414         (builtin.createBuiltin):
3415         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3416         (shouldThrow):
3417         * stress/to-object-intrinsic-number-edge.js: Added.
3418         (shouldBe):
3419         (builtin.createBuiltin):
3420         * stress/to-object-intrinsic-object-edge.js: Added.
3421         (shouldBe):
3422         (builtin.createBuiltin):
3423         (i.arg):
3424         * stress/to-object-intrinsic-string-edge.js: Added.
3425         (shouldBe):
3426         (builtin.createBuiltin):
3427         * stress/to-object-intrinsic-symbol-edge.js: Added.
3428         (shouldBe):
3429         (builtin.createBuiltin):
3430         * stress/to-object-intrinsic.js: Added.
3431         (shouldBe):
3432         (shouldThrow):
3433         (builtin.createBuiltin):
3434
3435 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3436
3437         [DFG][FTL] Introduce StringSlice
3438         https://bugs.webkit.org/show_bug.cgi?id=178934
3439
3440         Reviewed by Saam Barati.
3441
3442         * microbenchmarks/string-slice-empty.js: Added.
3443         (slice):
3444         * microbenchmarks/string-slice-one-char.js: Added.
3445         (slice):
3446         * microbenchmarks/string-slice.js: Added.
3447         (slice):
3448
3449 2017-10-26  Michael Saboff  <msaboff@apple.com>
3450
3451         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3452         https://bugs.webkit.org/show_bug.cgi?id=178890
3453
3454         Reviewed by Keith Miller.
3455
3456         New regression test.
3457
3458         * stress/regress-178890.js: Added.
3459
3460 2017-10-26  Mark Lam  <mark.lam@apple.com>
3461
3462         JSRopeString::RopeBuilder::append() should check for overflows.
3463         https://bugs.webkit.org/show_bug.cgi?id=178385
3464         <rdar://problem/35027468>
3465
3466         Reviewed by Saam Barati.
3467
3468         * stress/regress-178385.js: Added.
3469
3470 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3471
3472         Unreviewed, rolling out r223961.
3473
3474         The change that required this has been rolled out.
3475
3476         Reverted changeset:
3477
3478         "Mark test262.yaml/test262/test/language/statements/try/tco-
3479         catch.js as passing."
3480         https://bugs.webkit.org/show_bug.cgi?id=178592
3481         https://trac.webkit.org/changeset/223961
3482
3483 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3484
3485         Unreviewed, rolling out r223691 and r223729.
3486         https://bugs.webkit.org/show_bug.cgi?id=178834
3487
3488         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3489         by rniwa on #webkit).
3490
3491         Reverted changesets:
3492
3493         "Turn recursive tail calls into loops"
3494         https://bugs.webkit.org/show_bug.cgi?id=176601
3495         https://trac.webkit.org/changeset/223691
3496
3497         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3498         comparison is always false due to limited range of data type
3499         [-Wtype-limits]"
3500         https://bugs.webkit.org/show_bug.cgi?id=178543
3501         https://trac.webkit.org/changeset/223729
3502
3503 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3504
3505         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3506         https://bugs.webkit.org/show_bug.cgi?id=178592
3507
3508         Unreviewed test gardening.
3509
3510         * test262.yaml:
3511
3512 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3513
3514         [FTL] Support NewStringObject
3515         https://bugs.webkit.org/show_bug.cgi?id=178737
3516
3517         Reviewed by Saam Barati.
3518
3519         * stress/new-string-object.js: Added.
3520         (shouldBe):
3521         (test):
3522
3523 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3524
3525         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3526         https://bugs.webkit.org/show_bug.cgi?id=178308
3527
3528         Reviewed by Mark Lam.
3529
3530         * test262.yaml:
3531
3532 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3533
3534         [JSC] Use fastJoin in Array#toString
3535         https://bugs.webkit.org/show_bug.cgi?id=178062
3536
3537         Reviewed by Darin Adler.
3538
3539         * microbenchmarks/contiguous-array-to-string.js: Added.
3540         (target):
3541         * microbenchmarks/double-array-to-string.js: Added.
3542         (target):
3543         * microbenchmarks/int32-array-to-string.js: Added.
3544         (target):
3545
3546 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3547
3548         stress/check-string-ident.js is improperly skipped
3549         https://bugs.webkit.org/show_bug.cgi?id=178642
3550
3551         Reviewed by Saam Barati.
3552
3553         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3554         since it enforces the run-jsc-stress-tests script to still set up the
3555         test to run, despite the skip directive that's used before.
3556
3557 2017-10-20  Mark Lam  <mark.lam@apple.com>
3558
3559         Add a test case for r214334.
3560         https://bugs.webkit.org/show_bug.cgi?id=169941
3561         <rdar://problem/31221258>
3562
3563         Reviewed by JF Bastien.
3564
3565         * stress/regress-169941.js: Added.
3566
3567 2017-10-19  JF Bastien  <jfbastien@apple.com>
3568
3569         WebAssembly: no VM / JS version of everything but Instance
3570         https://bugs.webkit.org/show_bug.cgi?id=177473
3571
3572         Reviewed by Filip Pizlo, Saam Barati.
3573
3574         - Exceeding max on memory growth now returns a range error as per
3575         spec. This is a (very minor) breaking change: it used to throw OOM
3576         error. Update the corresponding test.
3577
3578         * wasm/js-api/memory-grow.js:
3579         (assertEq):
3580         * wasm/js-api/table.js:
3581         (assert.throws):
3582
3583 2017-10-19  Mark Lam  <mark.lam@apple.com>
3584
3585         Stringifier::appendStringifiedValue() is missing an exception check.
3586         https://bugs.webkit.org/show_bug.cgi?id=178386
3587         <rdar://problem/35027610>
3588
3589         Reviewed by Saam Barati.
3590
3591         * stress/regress-178386.js: Added.
3592
3593 2017-10-19  Michael Saboff  <msaboff@apple.com>
3594
3595         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3596         https://bugs.webkit.org/show_bug.cgi?id=178521
3597
3598         Reviewed by JF Bastien.
3599
3600         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3601         now passes with the current version (5.0) of the Emoji spec.
3602
3603 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3604
3605         Turn recursive tail calls into loops
3606         https://bugs.webkit.org/show_bug.cgi?id=176601
3607
3608         Reviewed by Saam Barati.
3609
3610         Add some simple tests that compute factorial in several ways, and other trivial computations.
3611         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
3612         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3613         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3614         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3615
3616         * stress/inline-call-to-recursive-tail-call.js: Added.
3617         (factorial.aux):
3618         (factorial):
3619         (factorial2.aux):
3620         (factorial2.id):
3621         (factorial2):
3622         (factorial3.aux):
3623         (factorial3):
3624         (aux):
3625         (factorial4):
3626         (test):
3627
3628 2017-10-18  Mark Lam  <mark.lam@apple.com>
3629
3630         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3631         https://bugs.webkit.org/show_bug.cgi?id=177600
3632         <rdar://problem/34710985>
3633
3634         Reviewed by Saam Barati.
3635
3636         * stress/regress-177600.js: Added.
3637
3638 2017-10-18  Mark Lam  <mark.lam@apple.com>
3639
3640         The compiler should always register a structure when it adds its transitionWatchPointSet.
3641         https://bugs.webkit.org/show_bug.cgi?id=178420
3642         <rdar://problem/34814024>
3643
3644         Reviewed by Saam Barati and Filip Pizlo.
3645
3646         * stress/regress-178420.js: Added.
3647         (new.Array.10000.map):
3648
3649 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3650
3651         [JSC] __proto__ getter should be fast
3652         https://bugs.webkit.org/show_bug.cgi?id=178067
3653
3654         Reviewed by Saam Barati.
3655
3656         * stress/dfg-object-proto-accessor.js: Added.
3657         (shouldBe):
3658         (shouldThrow):
3659         (target):
3660         * stress/dfg-object-proto-getter.js: Added.
3661         (shouldBe):
3662         (shouldThrow):
3663         (target):
3664         * stress/dfg-object-prototype-of.js: Added.
3665         (shouldBe):
3666         (shouldThrow):
3667         (target):
3668         * stress/dfg-reflect-get-prototype-of.js: Added.
3669         (shouldBe):
3670         (shouldThrow):
3671         (target):
3672         * stress/intrinsic-getter-with-poly-proto.js: Added.
3673         (shouldBe):
3674         (makePolyProtoObject.foo.C):
3675         (makePolyProtoObject.foo):
3676         (makePolyProtoObject):
3677         (target):
3678         * stress/object-get-prototype-of-filtered.js: Added.
3679         (shouldBe):
3680         (shouldThrow):
3681         (target):
3682         (i.Cocoa):
3683         * stress/object-get-prototype-of-mono-proto.js: Added.
3684         (shouldBe):
3685         (makePolyProtoObject.foo.C):
3686         (makePolyProtoObject.foo):
3687         (makePolyProtoObject):
3688         (target):
3689         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3690         (shouldBe):
3691         (makePolyProtoObject.foo.C):
3692         (makePolyProtoObject.foo):
3693         (makePolyProtoObject):
3694         (target):
3695         * stress/object-get-prototype-of-poly-proto.js: Added.
3696         (shouldBe):
3697         (makePolyProtoObject.foo.C):
3698         (makePolyProtoObject.foo):
3699         (makePolyProtoObject):
3700         (target):
3701         * stress/object-proto-getter-filtered.js: Added.
3702         (shouldBe):
3703         (shouldThrow):
3704         (target):
3705         (i.Cocoa):
3706         * stress/object-proto-getter-poly-mono-proto.js: Added.
3707         (shouldBe):
3708         (makePolyProtoObject.foo.C):
3709         (makePolyProtoObject.foo):
3710         (makePolyProtoObject):
3711         (target):
3712         * stress/object-proto-getter-poly-proto.js: Added.
3713         (shouldBe):
3714         (makePolyProtoObject.foo.C):
3715         (makePolyProtoObject.foo):
3716         (makePolyProtoObject):
3717         (target):
3718         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3719         * stress/string-proto.js: Added.
3720         (shouldBe):
3721         (target):
3722
3723 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3724
3725         Unreviewed, rolling out r223523.
3726
3727         A test for this change is failing on debug JSC bots.
3728
3729         Reverted changeset:
3730
3731         "[JSC] __proto__ getter should be fast"
3732         https://bugs.webkit.org/show_bug.cgi?id=178067
3733         https://trac.webkit.org/changeset/223523
3734
3735 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3736
3737         [JSC] __proto__ getter should be fast
3738         https://bugs.webkit.org/show_bug.cgi?id=178067
3739
3740         Reviewed by Saam Barati.
3741
3742         * stress/dfg-object-proto-accessor.js: Added.
3743         (shouldBe):
3744         (shouldThrow):
3745         (target):
3746         * stress/dfg-object-proto-getter.js: Added.
3747         (shouldBe):
3748         (shouldThrow):
3749         (target):
3750         * stress/dfg-object-prototype-of.js: Added.
3751         (shouldBe):
3752         (shouldThrow):
3753         (target):
3754         * stress/dfg-reflect-get-prototype-of.js: Added.
3755         (shouldBe):
3756         (shouldThrow):
3757         (target):
3758         * stress/object-get-prototype-of-filtered.js: Added.
3759         (shouldBe):
3760         (shouldThrow):
3761         (target):
3762         (i.Cocoa):
3763         * stress/object-get-prototype-of-mono-proto.js: Added.
3764         (shouldBe):
3765         (makePolyProtoObject.foo.C):
3766         (makePolyProtoObject.foo):
3767         (makePolyProtoObject):
3768         (target):
3769         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3770         (shouldBe):
3771         (makePolyProtoObject.foo.C):
3772         (makePolyProtoObject.foo):
3773         (makePolyProtoObject):
3774         (target):
3775         * stress/object-get-prototype-of-poly-proto.js: Added.
3776         (shouldBe):
3777         (makePolyProtoObject.foo.C):
3778         (makePolyProtoObject.foo):
3779         (makePolyProtoObject):
3780         (target):
3781         * stress/object-proto-getter-filtered.js: Added.
3782         (shouldBe):
3783         (shouldThrow):
3784         (target):
3785         (i.Cocoa):
3786         * stress/object-proto-getter-poly-mono-proto.js: Added.
3787         (shouldBe):
3788         (makePolyProtoObject.foo.C):
3789         (makePolyProtoObject.foo):
3790         (makePolyProtoObject):
3791         (target):
3792         * stress/object-proto-getter-poly-proto.js: Added.
3793         (shouldBe):
3794         (makePolyProtoObject.foo.C):
3795         (makePolyProtoObject.foo):
3796         (makePolyProtoObject):
3797         (target):
3798         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3799         * stress/string-proto.js: Added.
3800         (shouldBe):
3801         (target):
3802
3803 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3804
3805         Reland "Add Above/Below comparisons for UInt32 patterns"
3806         https://bugs.webkit.org/show_bug.cgi?id=177281
3807
3808         Reviewed by Saam Barati.
3809
3810         * stress/uint32-comparison-jump.js: Added.
3811         (shouldBe):
3812         (above):
3813         (aboveOrEqual):
3814         (below):
3815         (belowOrEqual):
3816         (notAbove):
3817         (notAboveOrEqual):
3818         (notBelow):
3819         (notBelowOrEqual):
3820         * stress/uint32-comparison.js: Added.
3821         (shouldBe):
3822         (above):
3823         (aboveOrEqual):
3824         (below):
3825         (belowOrEqual):
3826         (aboveTest):
3827         (aboveOrEqualTest):
3828         (belowTest):
3829         (belowOrEqualTest):
3830
3831 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3832
3833         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3834         https://bugs.webkit.org/show_bug.cgi?id=178210
3835
3836         Reviewed by Saam Barati.
3837
3838         * wasm/function-tests/trap-from-start-async.js:
3839         (async.StartTrapsAsync):
3840         * wasm/function-tests/trap-from-start.js:
3841         (StartTraps):
3842         * wasm/js-api/web-assembly-function.js:
3843         (assert.eq.Object.getPrototypeOf):
3844         * wasm/js-api/wrapper-function.js:
3845         (return.new.WebAssembly.Module):
3846         (assert.throws.makeInstance): Deleted.
3847         (assert.throws.Bar): Deleted.
3848         (assert.throws): Deleted.
3849
3850 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3851
3852         Enable gigacage on iOS
3853         https://bugs.webkit.org/show_bug.cgi?id=177586
3854
3855         Reviewed by JF Bastien.
3856         
3857         Add tests for when Gigacage gets runtime disabled.
3858
3859         * stress/disable-gigacage-arrays.js: Added.
3860         (foo):
3861         * stress/disable-gigacage-strings.js: Added.
3862         (foo):
3863         * stress/disable-gigacage-typed-arrays.js: Added.
3864         (foo):
3865
3866 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3867
3868         import.meta should not be assignable
3869         https://bugs.webkit.org/show_bug.cgi?id=178202
3870
3871         Reviewed by Saam Barati.
3872
3873         * modules/import-meta-assignment.js: Added.
3874         (shouldThrow):
3875         (SyntaxError.import.meta.can.shouldThrow):
3876
3877 2017-10-11  Saam Barati  <sbarati@apple.com>
3878
3879         Unreviewed. Actually skip certain type profiler tests in debug.
3880
3881         * typeProfiler.yaml:
3882         * typeProfiler/deltablue-for-of.js:
3883         * typeProfiler/getter-richards.js:
3884
3885 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3886
3887         Unreviewed, rolling out r223113 and r223121.
3888         https://bugs.webkit.org/show_bug.cgi?id=178182
3889
3890         Reintroduced 20% regression on Kraken (Requested by rniwa on
3891         #webkit).
3892
3893         Reverted changesets:
3894
3895         "Enable gigacage on iOS"
3896         https://bugs.webkit.org/show_bug.cgi?id=177586
3897         https://trac.webkit.org/changeset/223113
3898
3899         "Use one virtual allocation for all gigacages and their
3900         runways"
3901         https://bugs.webkit.org/show_bug.cgi?id=178050
3902         https://trac.webkit.org/changeset/223121
3903
3904 2017-10-11  Michael Saboff  <msaboff@apple.com>
3905
3906         Disable test262 named capture group tests with direct unicode names and with references before definitions
3907         https://bugs.webkit.org/show_bug.cgi?id=178177
3908
3909         Reviewed by Keith Miller.
3910
3911         Bugs to track fixing these tests are:
3912         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3913             "Add support in named capture group identifiers for direct surrogate pairs"
3914         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3915             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3916
3917         * test262.yaml:
3918
3919 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3920
3921         Object properties are undefined in super.call() but not in this.call()
3922         https://bugs.webkit.org/show_bug.cgi?id=177230
3923
3924         Reviewed by Saam Barati.
3925
3926         * stress/super-call-function-subclass.js: Added.
3927         (assert):
3928         (A.prototype.t):
3929         (A):
3930         * stress/super-dot-call-and-apply.js: Added.
3931         (assert):
3932         (A):
3933         (A.prototype.call):
3934         (A.prototype.apply):
3935         (B.prototype.testSuper):
3936         (B):
3937         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3938         (D.prototype.testSuper):
3939         (D):
3940
3941 2017-10-10  Saam Barati  <sbarati@apple.com>
3942
3943         The prototype cache should be aware of the Executable it generates a Structure for
3944         https://bugs.webkit.org/show_bug.cgi?id=177907
3945
3946         Reviewed by Filip Pizlo.
3947
3948         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3949         (assert):
3950         (foo.C):
3951         (foo):
3952         (bar.C):
3953         (bar):
3954         (access):
3955         (makeLongChain):
3956         (accessY):
3957
3958 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3959
3960         `async` should be able to be used as an imported binding name
3961         https://bugs.webkit.org/show_bug.cgi?id=176573
3962
3963         Reviewed by Saam Barati.
3964
3965         * modules/import-default-async.js: Added.
3966         * modules/import-named-async-as.js: Added.
3967         * modules/import-named-async.js: Added.
3968         * modules/import-named-async/target.js: Added.
3969         * modules/import-namespace-async.js: Added.
3970         * test262.yaml:
3971
3972 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3973
3974         Enable gigacage on iOS
3975         https://bugs.webkit.org/show_bug.cgi?id=177586
3976
3977         Reviewed by JF Bastien.
3978         
3979         Add tests for when Gigacage gets runtime disabled.
3980
3981         * stress/disable-gigacage-arrays.js: Added.
3982         (foo):
3983         * stress/disable-gigacage-strings.js: Added.
3984         (foo):
3985         * stress/disable-gigacage-typed-arrays.js: Added.
3986         (foo):
3987
3988 2017-10-09  Michael Saboff  <msaboff@apple.com>
3989
3990         Implement RegExp Unicode property escapes
3991         https://bugs.webkit.org/show_bug.cgi?id=172069
3992
3993         Reviewed by JF Bastien.
3994
3995         Enabled Unicode Property tests.
3996
3997         * test262.yaml:
3998
3999 2017-10-09  Commit Queue  <commit-queue@webkit.org>
4000
4001         Unreviewed, rolling out r223015 and r223025.
4002         https://bugs.webkit.org/show_bug.cgi?id=178093
4003
4004         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
4005         #webkit).
4006
4007         Reverted changesets:
4008
4009         "Enable gigacage on iOS"
4010         https://bugs.webkit.org/show_bug.cgi?id=177586
4011         http://trac.webkit.org/changeset/223015
4012
4013         "Unreviewed, disable Gigacage on ARM64 Linux"
4014         https://bugs.webkit.org/show_bug.cgi?id=177586
4015         http://trac.webkit.org/changeset/223025
4016
4017 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
4018
4019         Update expectations for test262 tests that pass after r223043.
4020         https://bugs.webkit.org/show_bug.cgi?id=176685
4021
4022         Unreviewed test gardening.
4023
4024         * test262.yaml:
4025
4026 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
4027
4028         Unreviewed, rolling out r223022.
4029
4030         This change introduced 18 test262 failures.
4031
4032         Reverted changeset:
4033
4034         "`async` should be able to be used as an imported binding
4035         name"
4036         https://bugs.webkit.org/show_bug.cgi?id=176573
4037         http://trac.webkit.org/changeset/223022
4038
4039 2017-10-09  Saam Barati  <sbarati@apple.com>
4040
4041         3 poly-proto JSC tests timing out on debug after r222827
4042         https://bugs.webkit.org/show_bug.cgi?id=177880
4043         <rdar://problem/34817122>
4044
4045         Unreviewed.
4046
4047         I'm skipping these type profiler tests on debug since they are long running.
4048
4049         * typeProfiler/deltablue-for-of.js:
4050         * typeProfiler/getter-richards.js:
4051
4052 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
4053
4054         Safari 10 /11 problem with if (!await get(something)).
4055         https://bugs.webkit.org/show_bug.cgi?id=176685
4056
4057         Reviewed by Saam Barati.
4058
4059         * stress/async-await-basic.js:
4060         (awaitEpression.async):
4061         * stress/async-await-syntax.js:
4062         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
4063         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
4064
4065 2017-10-08  Saam Barati  <sbarati@apple.com>
4066
4067         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
4068
4069         * typeProfiler/deltablue-for-of.js:
4070         * typeProfiler/getter-richards.js:
4071
4072 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
4073
4074         `async` should be able to be used as an imported binding name
4075         https://bugs.webkit.org/show_bug.cgi?id=176573
4076
4077         Reviewed by Darin Adler.
4078
4079         * modules/import-default-async.js: Added.
4080         * modules/import-named-async-as.js: Added.
4081         * modules/import-named-async.js: Added.
4082         * modules/import-named-async/target.js: Added.
4083         * modules/import-namespace-async.js: Added.
4084
4085 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
4086
4087         Enable gigacage on iOS
4088         https://bugs.webkit.org/show_bug.cgi?id=177586
4089
4090         Reviewed by JF Bastien.
4091         
4092         Add tests for when Gigacage gets runtime disabled.
4093
4094         * stress/disable-gigacage-arrays.js: Added.
4095         (foo):
4096         * stress/disable-gigacage-strings.js: Added.
4097         (foo):
4098         * stress/disable-gigacage-typed-arrays.js: Added.
4099         (foo):
4100
4101 2017-10-06  Commit Queue  <commit-queue@webkit.org>
4102
4103         Unreviewed, rolling out r222791 and r222873.
4104         https://bugs.webkit.org/show_bug.cgi?id=178031
4105
4106         Caused crashes with workers/wasm LayoutTests (Requested by
4107         ryanhaddad on #webkit).
4108
4109         Reverted changesets:
4110
4111         "WebAssembly: no VM / JS version of everything but Instance"
4112         https://bugs.webkit.org/show_bug.cgi?id=177473
4113         http://trac.webkit.org/changeset/222791
4114
4115         "WebAssembly: address no VM / JS follow-ups"
4116         https://bugs.webkit.org/show_bug.cgi?id=177887
4117         http://trac.webkit.org/changeset/222873
4118
4119 2017-10-05  Saam Barati  <sbarati@apple.com>
4120
4121         Make sure all prototypes under poly proto get added into the VM's prototype map
4122         https://bugs.webkit.org/show_bug.cgi?id=177909
4123
4124         Reviewed by Keith Miller.
4125
4126         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
4127         (assert):
4128         (foo.C):
4129         (foo):
4130         (set x):
4131
4132 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
4133
4134         [JSC] Introduce import.meta
4135         https://bugs.webkit.org/show_bug.cgi?id=177703
4136
4137         Reviewed by Filip Pizlo.
4138
4139         * modules/import-meta-syntax.js: Added.
4140         (shouldThrow):
4141         (shouldNotThrow):
4142         * modules/import-meta.js: Added.
4143         * modules/import-meta/cocoa.js: Added.
4144         * modules/resources/assert.js:
4145         (export.shouldNotThrow):
4146         * stress/import-syntax.js:
4147
4148 2017-10-04  Saam Barati  <sbarati@apple.com>
4149
4150         Make pertinent AccessCases watch the poly proto watchpoint
4151         https://bugs.webkit.org/show_bug.cgi?id=177765
4152
4153         Reviewed by Keith Miller.
4154
4155         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
4156         (assert):
4157         (foo.C):
4158         (foo):
4159         (validate):
4160         * stress/poly-proto-clear-stub.js: Added.
4161         (assert):
4162         (foo.C):
4163         (foo):
4164
4165 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
4166
4167         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
4168
4169         Unreviewed test gardening.
4170
4171         * test262.yaml:
4172
4173 2017-10-04  Saam Barati  <sbarati@apple.com>
4174
4175         3 poly-proto JSC tests timing out on debug after r222827
4176         https://bugs.webkit.org/show_bug.cgi?id=177880
4177
4178         Rubber stamped by Mark Lam.
4179
4180         * microbenchmarks/poly-proto-access.js:
4181         * typeProfiler/deltablue-for-of.js:
4182         * typeProfiler/getter-richards.js:
4183
4184 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
4185
4186         Unreviewed, marking tco-catch.js as a failure after test262 update
4187         https://bugs.webkit.org/show_bug.cgi?id=177859
4188
4189         * test262.yaml:
4190
4191 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4192
4193         Unreviewed, marking one async iterator test262 test failed
4194         https://bugs.webkit.org/show_bug.cgi?id=177859
4195
4196         * test262.yaml:
4197
4198 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4199
4200         [Test262] Update Test262 to Oct 4 version
4201         https://bugs.webkit.org/show_bug.cgi?id=177859
4202
4203         Reviewed by Sam Weinig.
4204
4205         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
4206         we no longer need to mark it skip/fail. Also this update includes a bunch of BigInt tests.
4207
4208         * test262.yaml:
4209         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
4210         (checkSequence):
4211         * test262/harness/typeCoercion.js:
4212         (testCoercibleToIndexZero):
4213         (testCoercibleToIndexOne):
4214         (testCoercibleToIndexFromIndex):
4215         (testNotCoercibleToIndex.testPrimitiveValue):
4216         (testNotCoercibleToInteger):
4217         (testCoercibleToBigIntZero.testPrimitiveValue):
4218         (testCoercibleToBigIntZero):
4219         (testCoercibleToBigIntOne.testPrimitiveValue):
4220         (testCoercibleToBigIntOne):
4221         (testPrimitiveValue):
4222         (testCoercibleToBigIntFromBigInt):
4223         (testNotCoercibleToBigInt.testPrimitiveValue):
4224         (testNotCoercibleToBigInt.testStringValue):
4225         (testNotCoercibleToBigInt):
4226         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
4227         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
4228         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
4229         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
4230         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
4231         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
4232         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
4233         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
4234         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
4235         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
4236         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
4237         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
4238         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
4239         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
4240         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
4241         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
4242         (testCoercibleToBigIntZero):
4243         (testCoercibleToBigIntOne):
4244         (testNotCoercibleToBigInt):
4245         (MyError): Deleted.
4246         (valueOf): Deleted.
4247         (toString): Deleted.
4248         (Symbol.toPrimitive): Deleted.
4249         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
4250         (testCoercibleToIndexZero):
4251         (testCoercibleToIndexOne):
4252         (testNotCoercibleToIndex):
4253         (MyError): Deleted.
4254         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
4255         (assert.sameValue.BigInt.asIntN.toString): Deleted.
4256         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
4257         (BigInt.asIntN.valueOf): Deleted.
4258         (BigInt.asIntN.toString): Deleted.
4259         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
4260         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
4261         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
4262         (testCoercibleToBigIntZero):
4263         (testCoercibleToBigIntOne):
4264         (testNotCoercibleToBigInt):
4265         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
4266         (testCoercibleToIndexZero):
4267         (testCoercibleToIndexOne):
4268         (testNotCoercibleToIndex):
4269         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
4270         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
4271         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
4272         (bits.valueOf):
4273         (bigint.valueOf):
4274         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
4275         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
4276         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
4277         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
4278         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
4279         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
4280         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
4281         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
4282         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
4283         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
4284         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
4285         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
4286         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
4287         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
4288         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
4289         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
4290         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
4291         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
4292         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
4293         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
4294         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
4295         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
4296         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
4297         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
4298         (replacer):
4299         (BigInt.prototype.toJSON):
4300         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
4301         (replacer):
4302         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
4303         (BigInt.prototype.toJSON):
4304         * test262/test/built-ins/JSON/stringify/bigint.js:
4305         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
4306         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
4307         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
4308         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
4309         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
4310         * test262/test/built-ins/Object/proto-from-ctor.js:
4311         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
4312         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4313         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4314         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4315         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4316         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4317         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4318         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4319         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4320         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4321         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4322         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4323         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4324         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4325         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4326         * test262/test/built-ins/Proxy/get-fn-realm.js:
4327         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4328         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4329         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4330         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4331         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4332         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4333         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4334         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4335         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4336         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4337         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4338         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4339         (i6.replace):
4340         (i6b.replace):
4341         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4342         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4343         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4344         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4345         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4346         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4347         * test262/test/built-ins/RegExp/u180e.js: Added.
4348         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4349         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4350         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4351         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4352         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4353         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4354         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4355         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4356         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4357         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4358         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4359         * test262/test/built-ins/String/prototype/endsWith/length.js:
4360         * test262/test/built-ins/String/prototype/endsWith/name.js:
4361         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4362         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4363         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4364         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4365         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4366         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4367         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4368         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4369         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4370         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4371         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4372         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4373         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4374         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4375         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4376         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4377         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4378         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4379         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4380         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4381         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4382         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4383         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4384         * test262/test/built-ins/String/prototype/includes/includes.js:
4385         * test262/test/built-ins/String/prototype/includes/length.js:
4386         * test262/test/built-ins/String/prototype/includes/name.js:
4387         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4388         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4389         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4390         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4391         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4392         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4393         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4394         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4395         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4396         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4397         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4398         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4399         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4400         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4401         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4402         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4403         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4404         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4405         * test262/test/built-ins/String/prototype/trim/u180e.js:
4406         * test262/test/built-ins/Symbol/for/cross-realm.js:
4407         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4408         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js: