OSR entry pruning of Program Bytecodes doesn't take into account try/catch
[WebKit-https.git] / JSTests / ChangeLog
1 2018-05-03  Michael Saboff  <msaboff@apple.com>
2
3         OSR entry pruning of Program Bytecodes doesn't take into account try/catch
4         https://bugs.webkit.org/show_bug.cgi?id=185281
5
6         Reviewed by Saam Barati.
7
8         New regression test.
9
10         * stress/baseline-osrentry-catch-is-reachable.js: Added.
11         (i.j.catch):
12
13 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
14
15         Unreviewed, rolling out r231197.
16
17         The test added with this change crashes on the 32-bit JSC bot.
18
19         Reverted changeset:
20
21         "Correctly detect string overflow when using the 'Function'
22         constructor"
23         https://bugs.webkit.org/show_bug.cgi?id=184883
24         https://trac.webkit.org/changeset/231197
25
26 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
27
28         JSC should know how to cache custom getter accesses on the prototype chain
29         https://bugs.webkit.org/show_bug.cgi?id=185213
30
31         Reviewed by Keith Miller.
32
33         * microbenchmarks/get-custom-getter.js: Added.
34         (test):
35
36 2018-05-02  Robin Morisset  <rmorisset@apple.com>
37
38         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
39         https://bugs.webkit.org/show_bug.cgi?id=183172
40
41         Reviewed by Filip Pizlo.
42
43         * stress/length-of-new-array-with-spread.js: Added.
44         (foo):
45         (bar):
46         (baz):
47
48 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
49
50         [JSC] Add SameValue DFG node
51         https://bugs.webkit.org/show_bug.cgi?id=185065
52
53         Reviewed by Saam Barati.
54
55         * microbenchmarks/object-is.js: Added.
56         (incognito):
57         (sameValue):
58         (test1):
59         (test2):
60         (test3):
61         (test4):
62         (test5):
63         (test6):
64         * stress/object-is.js: Added.
65         (shouldBe):
66         (is1):
67         (is2):
68         (is3):
69         (is4):
70         (is5):
71         (is6):
72         (is7):
73         (is8):
74         (is9):
75         (is10):
76         (is11):
77         (is12):
78         (is13):
79         (is14):
80         (is15):
81
82 2018-05-01  Robin Morisset  <rmorisset@apple.com>
83
84         Correctly detect string overflow when using the 'Function' constructor
85         https://bugs.webkit.org/show_bug.cgi?id=184883
86         <rdar://problem/36320331>
87
88         Reviewed by Filip Pizlo.
89
90         I put this regression test in the 'slowMicrobenchmarks' directory because it takes nearly 30s to run, and I am not sure where else to put it.
91
92         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
93         (catch):
94
95 2018-05-01  Robin Morisset  <rmorisset@apple.com>
96
97         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
98         https://bugs.webkit.org/show_bug.cgi?id=185162
99
100         Reviewed by Filip Pizlo.
101
102         * stress/incomplete-unicode-locale.js: Added.
103         (catch):
104
105 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
106
107         Add SetCallee as DFG-Operation
108         https://bugs.webkit.org/show_bug.cgi?id=184582
109
110         Reviewed by Filip Pizlo.
111
112         Added test that runs into infinite loop without updating the callee and
113         therefore emitting SetCallee in DFG for recursive tail calls.
114
115         * stress/closure-recursive-tail-call-infinite-loop.js: Added.
116         (Foo):
117         (second):
118         (first):
119         (return.closure):
120         (createClosure):
121
122 2018-04-30  Saam Barati  <sbarati@apple.com>
123
124         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
125         https://bugs.webkit.org/show_bug.cgi?id=185149
126         <rdar://problem/39455917>
127
128         Reviewed by Filip Pizlo.
129
130         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
131
132 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
133
134         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
135         https://bugs.webkit.org/show_bug.cgi?id=185126
136
137         Reviewed by Saam Barati.
138         
139         I found this bug by accident when I was writing this test for something else.
140         
141         This change also speeds up other benchmarks of this case that we already had. They are all called
142         the licm-dragons tests.
143
144         * microbenchmarks/licm-dragons-two-structures.js: Added.
145         (foo):
146
147 2018-04-29  Commit Queue  <commit-queue@webkit.org>
148
149         Unreviewed, rolling out r231137.
150         https://bugs.webkit.org/show_bug.cgi?id=185118
151
152         It is breaking Test262 language/expressions/multiplication
153         /order-of-evaluation.js (Requested by caiolima on #webkit).
154
155         Reverted changeset:
156
157         "[ESNext][BigInt] Implement support for "*" operation"
158         https://bugs.webkit.org/show_bug.cgi?id=183721
159         https://trac.webkit.org/changeset/231137
160
161 2018-04-28  Saam Barati  <sbarati@apple.com>
162
163         We don't model regexp effects properly
164         https://bugs.webkit.org/show_bug.cgi?id=185059
165         <rdar://problem/39736150>
166
167         Reviewed by Filip Pizlo.
168
169         * stress/regexp-exec-test-effectful-last-index.js: Added.
170         (assert):
171         (foo):
172         (i.regexLastIndex.toString):
173         (bar):
174
175 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
176
177         Token misspelled "tocken" in error message string
178         https://bugs.webkit.org/show_bug.cgi?id=185030
179
180         Reviewed by Saam Barati.
181
182         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
183         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
184         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
185         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
186         (testSyntaxError.String.raw.v):
187         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
188         (testSyntaxError.String.raw.a):
189
190 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
191
192         [ESNext][BigInt] Implement support for "*" operation
193         https://bugs.webkit.org/show_bug.cgi?id=183721
194
195         Reviewed by Saam Barati.
196
197         * bigIntTests.yaml:
198         * stress/big-int-mul-jit.js: Added.
199         * stress/big-int-mul-to-primitive-precedence.js: Added.
200         * stress/big-int-mul-to-primitive.js: Added.
201         * stress/big-int-mul-type-error.js: Added.
202         * stress/big-int-mul-wrapped-value.js: Added.
203         * stress/big-int-multiplication.js: Added.
204         * stress/big-int-multiply-memory-stress.js: Added.
205
206 2018-04-28  Commit Queue  <commit-queue@webkit.org>
207
208         Unreviewed, rolling out r231131.
209         https://bugs.webkit.org/show_bug.cgi?id=185112
210
211         It is breaking Debug build due to unchecked exception
212         (Requested by caiolima on #webkit).
213
214         Reverted changeset:
215
216         "[ESNext][BigInt] Implement support for "*" operation"
217         https://bugs.webkit.org/show_bug.cgi?id=183721
218         https://trac.webkit.org/changeset/231131
219
220 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
221
222         [ESNext][BigInt] Implement support for "*" operation
223         https://bugs.webkit.org/show_bug.cgi?id=183721
224
225         Reviewed by Saam Barati.
226
227         * bigIntTests.yaml:
228         * stress/big-int-mul-jit.js: Added.
229         * stress/big-int-mul-to-primitive-precedence.js: Added.
230         * stress/big-int-mul-to-primitive.js: Added.
231         * stress/big-int-mul-type-error.js: Added.
232         * stress/big-int-mul-wrapped-value.js: Added.
233         * stress/big-int-multiplication.js: Added.
234         * stress/big-int-multiply-memory-stress.js: Added.
235
236 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
237
238         Unreviewed, rolling out r231086.
239
240         Caused JSC test failures due to an unchecked exception.
241
242         Reverted changeset:
243
244         "[ESNext][BigInt] Implement support for "*" operation"
245         https://bugs.webkit.org/show_bug.cgi?id=183721
246         https://trac.webkit.org/changeset/231086
247
248 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
249
250         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
251
252         * test262.yaml: Mark tests as passing.
253
254 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
255
256         [ESNext][BigInt] Implement support for "*" operation
257         https://bugs.webkit.org/show_bug.cgi?id=183721
258
259         Reviewed by Saam Barati.
260
261         * bigIntTests.yaml:
262         * stress/big-int-mul-jit.js: Added.
263         * stress/big-int-mul-to-primitive-precedence.js: Added.
264         * stress/big-int-mul-to-primitive.js: Added.
265         * stress/big-int-mul-type-error.js: Added.
266         * stress/big-int-mul-wrapped-value.js: Added.
267         * stress/big-int-multiplication.js: Added.
268         * stress/big-int-multiply-memory-stress.js: Added.
269
270 2018-04-25  Robin Morisset  <rmorisset@apple.com>
271
272         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
273         https://bugs.webkit.org/show_bug.cgi?id=184773
274         <rdar://problem/37773612>
275
276         Reviewed by Filip Pizlo.
277
278         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
279         so I decided to add it to the stress tests nonetheless.
280
281         * stress/create-rest-while-having-a-bad-time.js: Added.
282         (f):
283         (g):
284         (h):
285
286 2018-04-25  Keith Miller  <keith_miller@apple.com>
287
288         Add missing scope release to functionProtoFuncToString
289         https://bugs.webkit.org/show_bug.cgi?id=184995
290
291         Reviewed by Saam Barati.
292
293         * stress/function-toString-arrow.js: Added.
294         (async):
295
296 2018-04-24  Keith Miller  <keith_miller@apple.com>
297
298         fromCharCode is missing some exception checks
299         https://bugs.webkit.org/show_bug.cgi?id=184952
300
301         Reviewed by Saam Barati.
302
303         * stress/fromCharCode-exception-check.js: Added.
304         (get catch):
305
306 2018-04-24  Mark Lam  <mark.lam@apple.com>
307
308         Gardening: test fix after r230863.
309         https://bugs.webkit.org/show_bug.cgi?id=184846
310         <rdar://problem/39390672>
311
312         Not reviewed.
313
314         * stress/json-stringified-overflow-2.js:
315         (catch):
316         * stress/json-stringified-overflow.js:
317         (catch):
318
319 2018-04-20  JF Bastien  <jfbastien@apple.com>
320
321         Handle more JSON stringify OOM
322         https://bugs.webkit.org/show_bug.cgi?id=184846
323         <rdar://problem/39390672>
324
325         Reviewed by Mark Lam.
326
327         * stress/json-stringified-overflow-2.js: Added. Same as the one
328         below, but with a bigger input which will trigger a different code
329         path.
330         (catch):
331         * stress/json-stringified-overflow.js: Modify the test to only
332         catch OOM on stringification. not on string creation.
333
334 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
335
336         [WebAssembly][Modules] Import tables in wasm modules
337         https://bugs.webkit.org/show_bug.cgi?id=184738
338
339         Reviewed by JF Bastien.
340
341         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
342         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
343         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
344         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
345         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
346         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
347         * wasm/modules/wasm-imports-wasm-exports.js:
348         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
349         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
350         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
351         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
352
353 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
354
355         [WebAssembly][Modules] Import globals from wasm modules
356         https://bugs.webkit.org/show_bug.cgi?id=184736
357
358         Reviewed by JF Bastien.
359
360         * wasm.yaml:
361         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
362         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
363         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
364         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
365         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
366         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
367         * wasm/modules/wasm-imports-wasm-exports.js:
368         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
369         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
370         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
371         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
372
373 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
374
375         Unreviewed, reland r230697, r230720, and r230724.
376         https://bugs.webkit.org/show_bug.cgi?id=184600
377
378         * wasm.yaml:
379         * wasm/modules/constant.wasm: Added.
380         * wasm/modules/constant.wat: Added.
381         * wasm/modules/default-import-star-error.js: Added.
382         (then):
383         * wasm/modules/default-import-star-error/entry.wasm: Added.
384         * wasm/modules/default-import-star-error/entry.wat: Added.
385         * wasm/modules/default-import-star-error/t0.js: Added.
386         * wasm/modules/default-import-star-error/t1.js: Added.
387         * wasm/modules/default-import-star-error/t2.js: Added.
388         (export.default.Cocoa):
389         * wasm/modules/js-wasm-cycle.js: Added.
390         * wasm/modules/js-wasm-cycle/entry.js: Added.
391         (from.string_appeared_here.export.return42):
392         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
393         * wasm/modules/js-wasm-cycle/sum.wat: Added.
394         * wasm/modules/js-wasm-function-namespace.js: Added.
395         (assert.throws):
396         * wasm/modules/js-wasm-function.js: Added.
397         (assert.throws):
398         * wasm/modules/js-wasm-global-namespace.js: Added.
399         (assert.throws):
400         * wasm/modules/js-wasm-global.js: Added.
401         (assert.throws):
402         * wasm/modules/js-wasm-memory-namespace.js: Added.
403         (assert.throws):
404         * wasm/modules/js-wasm-memory.js: Added.
405         (assert.throws):
406         * wasm/modules/js-wasm-start.js: Added.
407         (then):
408         * wasm/modules/js-wasm-table-namespace.js: Added.
409         (assert.throws):
410         * wasm/modules/js-wasm-table.js: Added.
411         (assert.throws):
412         * wasm/modules/memory.wasm: Added.
413         * wasm/modules/memory.wat: Added.
414         * wasm/modules/run-from-wasm.wasm: Added.
415         * wasm/modules/run-from-wasm.wat: Added.
416         * wasm/modules/run-from-wasm/check.js: Added.
417         (export.check):
418         * wasm/modules/start.wasm: Added.
419         * wasm/modules/start.wat: Added.
420         * wasm/modules/sum.wasm: Added.
421         * wasm/modules/sum.wat: Added.
422         * wasm/modules/table.wasm: Added.
423         * wasm/modules/table.wat: Added.
424         * wasm/modules/wasm-imports-js-exports.js: Added.
425         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
426         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
427         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
428         (export.sum):
429         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
430         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
431         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
432         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
433         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
434         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
435         * wasm/modules/wasm-imports-wasm-exports.js: Added.
436         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
437         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
438         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
439         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
440         * wasm/modules/wasm-js-cycle.js: Added.
441         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
442         * wasm/modules/wasm-js-cycle/entry.wat: Added.
443         * wasm/modules/wasm-js-cycle/sum.js: Added.
444         (from.string_appeared_here.export.sum):
445         * wasm/modules/wasm-wasm-cycle.js: Added.
446         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
447         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
448         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
449         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
450
451 2018-04-17  Commit Queue  <commit-queue@webkit.org>
452
453         Unreviewed, rolling out r230697, r230720, and r230724.
454         https://bugs.webkit.org/show_bug.cgi?id=184717
455
456         These caused multiple failures on the Test262 testers.
457         (Requested by mlewis13 on #webkit).
458
459         Reverted changesets:
460
461         "[WebAssembly][Modules] Prototype wasm import"
462         https://bugs.webkit.org/show_bug.cgi?id=184600
463         https://trac.webkit.org/changeset/230697
464
465         "[WebAssembly][Modules] Implement function import from wasm
466         modules"
467         https://bugs.webkit.org/show_bug.cgi?id=184689
468         https://trac.webkit.org/changeset/230720
469
470         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
471         https://bugs.webkit.org/show_bug.cgi?id=184703
472         https://trac.webkit.org/changeset/230724
473
474 2018-04-17  JF Bastien  <jfbastien@apple.com>
475
476         A put is not an ExistingProperty put when we transition a structure because of an attributes change
477         https://bugs.webkit.org/show_bug.cgi?id=184706
478         <rdar://problem/38871451>
479
480         Reviewed by Saam Barati.
481
482         * stress/put-by-id-direct-strict-transition.js: Added.
483         (const.foo):
484         (j.const.obj.set hello):
485         * stress/put-by-id-direct-transition.js: Added.
486         (const.foo):
487         (j.const.obj.set hello):
488         * stress/put-getter-setter-by-id-strict-transition.js: Added.
489         (const.foo):
490         (j.const.obj.set hello):
491         * stress/put-getter-setter-by-id-transition.js: Added.
492         (const.foo):
493         (j.const.obj.set hello):
494
495 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
496
497         PutStackSinkingPhase should know that KillStack means ConflictingFlush
498         https://bugs.webkit.org/show_bug.cgi?id=184672
499
500         Reviewed by Michael Saboff.
501
502         * stress/sink-put-stack-over-kill-stack.js: Added.
503         (avocado_1):
504         (apricot_0):
505         (__c_0):
506         (banana_2):
507
508 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
509
510         [JSC] Rename runWebAssembly to runWebAssemblySuite
511         https://bugs.webkit.org/show_bug.cgi?id=184703
512
513         Reviewed by JF Bastien.
514
515         And add runWebAssembly as a command to simplely run wasm modules.
516
517         * wasm.yaml:
518
519 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
520
521         [WebAssembly][Modules] Implement function import from wasm modules
522         https://bugs.webkit.org/show_bug.cgi?id=184689
523
524         Reviewed by JF Bastien.
525
526         * wasm.yaml:
527         * wasm/modules/js-wasm-cycle.js: Added.
528         * wasm/modules/js-wasm-cycle/entry.js: Added.
529         (from.string_appeared_here.export.return42):
530         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
531         * wasm/modules/js-wasm-cycle/sum.wat: Added.
532         * wasm/modules/run-from-wasm.wasm: Added.
533         * wasm/modules/run-from-wasm.wat: Added.
534         * wasm/modules/run-from-wasm/check.js: Added.
535         (export.check):
536         * wasm/modules/wasm-imports-js-exports.js: Added.
537         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
538         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
539         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
540         (export.sum):
541         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
542         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
543         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
544         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
545         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
546         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
547         * wasm/modules/wasm-imports-wasm-exports.js: Added.
548         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
549         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
550         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
551         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
552         * wasm/modules/wasm-js-cycle.js: Added.
553         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
554         * wasm/modules/wasm-js-cycle/entry.wat: Added.
555         * wasm/modules/wasm-js-cycle/sum.js: Added.
556         (from.string_appeared_here.export.sum):
557         * wasm/modules/wasm-wasm-cycle.js: Added.
558         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
559         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
560         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
561         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
562
563 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
564
565         [WebAssembly][Modules] Prototype wasm import
566         https://bugs.webkit.org/show_bug.cgi?id=184600
567
568         Reviewed by JF Bastien.
569
570         Add wasm and wat files since module loader want to load wasm files from FS.
571         Currently, importing the other modules from wasm is not supported.
572
573         * wasm.yaml:
574         * wasm/modules/constant.wasm: Added.
575         * wasm/modules/constant.wat: Added.
576         * wasm/modules/js-wasm-function-namespace.js: Added.
577         (assert.throws):
578         * wasm/modules/js-wasm-function.js: Added.
579         (assert.throws):
580         * wasm/modules/js-wasm-global-namespace.js: Added.
581         (assert.throws):
582         * wasm/modules/js-wasm-global.js: Added.
583         (assert.throws):
584         * wasm/modules/js-wasm-memory-namespace.js: Added.
585         (assert.throws):
586         * wasm/modules/js-wasm-memory.js: Added.
587         (assert.throws):
588         * wasm/modules/js-wasm-start.js: Added.
589         (then):
590         * wasm/modules/js-wasm-table-namespace.js: Added.
591         (assert.throws):
592         * wasm/modules/js-wasm-table.js: Added.
593         (assert.throws):
594         * wasm/modules/memory.wasm: Added.
595         * wasm/modules/memory.wat: Added.
596         * wasm/modules/start.wasm: Added.
597         * wasm/modules/start.wat: Added.
598         * wasm/modules/sum.wasm: Added.
599         * wasm/modules/sum.wat: Added.
600         * wasm/modules/table.wasm: Added.
601         * wasm/modules/table.wat: Added.
602
603 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
604
605         Function.prototype.caller shouldn't return generator bodies
606         https://bugs.webkit.org/show_bug.cgi?id=184630
607
608         Reviewed by Yusuke Suzuki.
609
610         * stress/function-caller-async-arrow-function-body.js: Added.
611         * stress/function-caller-async-function-body.js: Added.
612         * stress/function-caller-async-generator-body.js: Added.
613         * stress/function-caller-generator-body.js: Added.
614         * stress/function-caller-generator-method-body.js: Added.
615
616 2018-04-12  Tomas Popela  <tpopela@redhat.com>
617
618         Unreviewed, skip JIT tests if it isn't enabled
619
620         See https://bugs.webkit.org/show_bug.cgi?id=182730.
621
622         * stress/big-int-spec-to-primitive.js:
623         * stress/big-int-spec-to-this.js:
624
625 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
626
627         [ESNext][BigInt] Add support for BigInt in SpeculatedType
628         https://bugs.webkit.org/show_bug.cgi?id=182470
629
630         Reviewed by Saam Barati.
631
632         * stress/big-int-spec-to-primitive.js: Added.
633         * stress/big-int-spec-to-this.js: Added.
634         * stress/big-int-strict-equals-jit.js: Added.
635         * stress/big-int-strict-spec-to-this.js: Added.
636         * stress/big-int-type-of-proven-type.js: Added.
637
638 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
639
640         DFG AI and clobberize should agree with each other
641         https://bugs.webkit.org/show_bug.cgi?id=184440
642
643         Reviewed by Saam Barati.
644         
645         Add tests for all of the bugs I fixed.
646
647         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
648         (foo):
649         * stress/new-typed-array-cse-effects.js: Added.
650         (foo):
651         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
652         (foo.theO):
653         (foo):
654         * stress/string-from-char-code-change-structure-not-dead.js: Added.
655         (foo):
656         (i.valueOf):
657         (weirdValue.valueOf):
658         * stress/string-from-char-code-change-structure.js: Added.
659         (foo):
660         (i.valueOf):
661         (weirdValue.valueOf):
662
663 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
664
665         Fix errant Test262 files CRLF to LF for consistency with the original source
666         https://bugs.webkit.org/show_bug.cgi?id=184425
667
668         Reviewed by Yusuke Suzuki.
669
670         * test262/test/built-ins/Math/acosh/nan-returns.js:
671         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
672         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
673         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
674         * test262/test/built-ins/Math/cbrt/prop-desc.js:
675         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
676         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
677         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
678         * test262/test/built-ins/Math/log2/log2-basicTests.js:
679         * test262/test/built-ins/Math/sign/sign-specialVals.js:
680         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
681         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
682         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
683         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
684
685 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
686
687         Unreviewed, remove incorrect entry in test262.yaml
688         https://bugs.webkit.org/show_bug.cgi?id=184266
689
690         * test262.yaml:
691
692 2018-04-08  Valerie Young  <valerie@bocoup.com>
693
694         [JSC] Update Test262 to April 6 version
695         https://bugs.webkit.org/show_bug.cgi?id=184266
696
697         Rubber stamped by Yusuke Suzuki.
698
699 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
700
701         [JSC] Introduce op_get_by_id_direct
702         https://bugs.webkit.org/show_bug.cgi?id=183970
703
704         Reviewed by Filip Pizlo.
705
706         * stress/generator-prototype-copy.js: Added.
707         (gen):
708         (catch):
709         Adopted JF's tests.
710
711         * stress/generator-type-check.js: Added.
712         (shouldThrow):
713         (foo2):
714         (i.shouldThrow):
715         * stress/get-by-id-direct-getter.js: Added.
716         (shouldBe):
717         (shouldThrow):
718         (obj.get hello):
719         (builtin.createBuiltin):
720         (obj2.get length):
721         * stress/get-by-id-direct.js: Added.
722         (shouldBe):
723         (shouldThrow):
724         (builtin.createBuiltin):
725         * test262.yaml:
726         We fixed long-standing spec compatibility issue.
727         As a result, this patch makes several test262 tests passed!
728
729
730 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
731
732         Unreviewed, annotate test with @skip if $memoryLimited
733         https://bugs.webkit.org/show_bug.cgi?id=183894
734
735         * stress/json-stringified-overflow.js:
736
737 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
738
739         Add svn:eol-style to line-terminator-normalisation-CR.js
740         https://bugs.webkit.org/show_bug.cgi?id=184341
741
742         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
743
744 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
745
746         Unreviewed, remove errant LF from existing test262 test for CR line endings.
747
748         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
749
750 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
751
752         Unreviewed, rolling out r230320.
753
754         Revert fix, as the root cause lies elsewhere.
755
756         Reverted changeset:
757
758         "[test262] Mark line-terminator-normalisation-CR.js as a
759         binary file."
760         https://bugs.webkit.org/show_bug.cgi?id=184341
761         https://trac.webkit.org/changeset/230320
762
763 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
764
765         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
766         https://bugs.webkit.org/show_bug.cgi?id=184341
767
768         Reviewed by Yusuke Suzuki.
769
770         This test is all about CR line endings, but `svn-apply` can't deal with them.
771         Treating the file as binary ensures that its contents never are never shown in a diff.
772
773         * .gitattributes: Added.
774
775 2018-04-05  Robin Morisset  <rmorisset@apple.com>
776
777         Fix testcase (missing try/catch).
778         https://bugs.webkit.org/show_bug.cgi?id=183657
779
780         Unreviewed.
781
782         * stress/large-unshift-splice.js
783
784 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
785
786         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
787         https://bugs.webkit.org/show_bug.cgi?id=184319
788
789         Reviewed by Saam Barati.
790
791         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
792         (foo):
793         (bar):
794         * stress/array-push-nan-to-double-array.js: Added.
795         (foo):
796         (bar):
797
798 2018-04-03  Mark Lam  <mark.lam@apple.com>
799
800         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
801         https://bugs.webkit.org/show_bug.cgi?id=184284
802
803         Reviewed by Saam Barati.
804
805         * stress/js-fixed-array-out-of-memory.js:
806
807 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
808
809         JSC crash in JIT code with for-of loop and Array/Set iterators
810         https://bugs.webkit.org/show_bug.cgi?id=183174
811
812         Reviewed by Saam Barati.
813
814         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
815         (foo):
816         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
817         (f):
818
819 2018-03-30  JF Bastien  <jfbastien@apple.com>
820
821         WebAssembly: support DataView compilation
822         https://bugs.webkit.org/show_bug.cgi?id=183342
823
824         Reviewed by Mark Lam.
825
826         Test WebAssembly compilation using a DataView with offset.
827
828         * wasm/regress/183342.js: Added.
829         (attempt.catch):
830
831 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
832
833         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
834         https://bugs.webkit.org/show_bug.cgi?id=184189
835
836         Reviewed by JF Bastien.
837
838         * stress/load-hole-from-scope-into-live-var.js: Added.
839         (result.eval.try.switch):
840         (catch):
841
842 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
843
844         Unreviewed, rolling out r230102.
845
846         Caused assertion failures on JSC bots.
847
848         Reverted changeset:
849
850         "A stack overflow in the parsing of a builtin (called by
851         createExecutable) cause a crash instead of a catchable js
852         exception"
853         https://bugs.webkit.org/show_bug.cgi?id=184074
854         https://trac.webkit.org/changeset/230102
855
856 2018-03-30  Robin Morisset  <rmorisset@apple.com>
857
858         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
859         https://bugs.webkit.org/show_bug.cgi?id=183812
860
861         Reviewed by Keith Miller.
862
863         * stress/inlining-unreachable-non-tail.js: Added.
864         (foo.):
865         (foo):
866
867 2018-03-30  Robin Morisset  <rmorisset@apple.com>
868
869         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
870         https://bugs.webkit.org/show_bug.cgi?id=184074
871         <rdar://problem/37165897>
872
873         Reviewed by Keith Miller.
874
875         * stress/stack-overflow-while-parsing-builtin.js: Added.
876         (f):
877
878 2018-03-30  Robin Morisset  <rmorisset@apple.com>
879
880         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
881         https://bugs.webkit.org/show_bug.cgi?id=183657
882
883         Reviewed by Keith Miller.
884
885         * stress/large-unshift-splice.js: Added.
886         (make_contig_arr):
887
888 2018-03-28  Robin Morisset  <rmorisset@apple.com>
889
890         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
891         https://bugs.webkit.org/show_bug.cgi?id=183894
892
893         Reviewed by Saam Barati.
894
895         * stress/json-stringified-overflow.js: Added.
896         (catch):
897
898 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
899
900         DFG should know that CreateThis can be effectful
901         https://bugs.webkit.org/show_bug.cgi?id=184013
902
903         Reviewed by Saam Barati.
904
905         * stress/create-this-property-change.js: Added.
906         (Foo):
907         (RealBar):
908         (get if):
909         * stress/create-this-structure-change-without-cse.js: Added.
910         (Foo):
911         (RealBar):
912         (get if):
913         * stress/create-this-structure-change.js: Added.
914         (Foo):
915         (RealBar):
916         (get if):
917
918 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
919
920         [DFG] Introduces fused compare and jump
921         https://bugs.webkit.org/show_bug.cgi?id=177100
922
923         Reviewed by Mark Lam.
924
925         * stress/fused-jeq-slow.js: Added.
926         (shouldBe):
927         (testJEQ):
928         (testJNEQB):
929         (testJEQB):
930         (testJNEQF):
931         (testJEQF):
932         * stress/fused-jeq.js: Added.
933         (shouldBe):
934         (testJEQ):
935         (testJNEQB):
936         (testJEQB):
937         (testJNEQF):
938         (testJEQF):
939         * stress/fused-jstricteq-slow.js: Added.
940         (shouldBe):
941         (testJSTRICTEQ):
942         (testJNSTRICTEQB):
943         (testJSTRICTEQB):
944         (testJNSTRICTEQF):
945         (testJSTRICTEQF):
946         * stress/fused-jstricteq.js: Added.
947         (shouldBe):
948         (testJSTRICTEQ):
949         (testJNSTRICTEQB):
950         (testJSTRICTEQB):
951         (testJNSTRICTEQF):
952         (testJSTRICTEQF):
953
954 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
955
956         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
957         https://bugs.webkit.org/show_bug.cgi?id=183559
958
959         Reviewed by Mark Lam.
960
961         * stress/double-to-string-in-loop-removed.js: Added.
962         (test):
963         * stress/int32-to-string-in-loop-removed.js: Added.
964         (test):
965         * stress/int52-to-string-in-loop-removed.js: Added.
966         (test):
967
968 2018-03-22  Michael Saboff  <msaboff@apple.com>
969
970         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
971         https://bugs.webkit.org/show_bug.cgi?id=183901
972
973         Reviewed by Keith Miller.
974
975         New test.
976
977         * stress/array-reverse-doesnt-clobber.js: Added.
978         (testArrayReverse):
979         (createArrayOfArrays):
980         (createArrayStorage):
981
982 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
983
984         ScopedArguments should do poisoning and index masking
985         https://bugs.webkit.org/show_bug.cgi?id=183863
986
987         Reviewed by Mark Lam.
988         
989         Adds another stress test of scoped arguments.
990
991         * stress/scoped-arguments-test.js: Added.
992         (foo):
993
994 2018-03-20  Saam Barati  <sbarati@apple.com>
995
996         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
997         https://bugs.webkit.org/show_bug.cgi?id=183795
998         <rdar://problem/38298694>
999
1000         Reviewed by JF Bastien.
1001
1002         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
1003         (foo):
1004         (bar):
1005
1006 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1007
1008         [DFG][FTL] Add vectorLengthHint for NewArray
1009         https://bugs.webkit.org/show_bug.cgi?id=183694
1010
1011         Reviewed by Saam Barati.
1012
1013         * stress/vector-length-hint-array-constructor.js: Added.
1014         (shouldBe):
1015         (test):
1016         * stress/vector-length-hint-new-array.js: Added.
1017         (shouldBe):
1018         (test):
1019
1020 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1021
1022         [DFG][FTL] Make ArraySlice(0) code tight
1023         https://bugs.webkit.org/show_bug.cgi?id=183590
1024
1025         Reviewed by Saam Barati.
1026
1027         * stress/array-slice-with-zero.js: Added.
1028         (shouldBe):
1029         (test):
1030         (test2):
1031         * stress/array-slice-zero-args.js: Added.
1032         (shouldBe):
1033         (test):
1034
1035 2018-03-14  Caitlin Potter  <caitp@igalia.com>
1036
1037         [JSC] fix order of evaluation for ClassDefinitionEvaluation
1038         https://bugs.webkit.org/show_bug.cgi?id=183523
1039
1040         Reviewed by Keith Miller.
1041
1042         Computed property names need to be evaluated in source order during class
1043         definition evaluation, as it's observable (and specified to work this way).
1044
1045         This change improves compatibility with Chromium.
1046
1047         * stress/class_elements.js: Added.
1048         (test):
1049         (test.C.prototype.effect):
1050         (test.C.effect):
1051         (test.C.prototype.get effect):
1052         (test.C.prototype.set effect):
1053         (test.C):
1054
1055 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1056
1057         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
1058         https://bugs.webkit.org/show_bug.cgi?id=183310
1059
1060         Reviewed by Filip Pizlo.
1061
1062         * stress/ai-create-this-to-new-object-fire.js: Added.
1063         (assert):
1064         (test):
1065         (func):
1066         (check):
1067         (test.body.A):
1068         (test.body.B):
1069         (test.body):
1070         * stress/ai-create-this-to-new-object.js: Added.
1071         (assert):
1072         (test):
1073         (func):
1074         (check):
1075         (test.body.A):
1076         (test.body.B):
1077         (test.body):
1078
1079 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1080
1081         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
1082         https://bugs.webkit.org/show_bug.cgi?id=181848
1083
1084         Reviewed by Sam Weinig.
1085
1086         * microbenchmarks/regexp-u-global-es5.js: Added.
1087         (fn):
1088         * microbenchmarks/regexp-u-global-es6.js: Added.
1089         (fn):
1090         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
1091         (shouldBe):
1092         (test):
1093         (i.switch):
1094         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
1095         (shouldBe):
1096         (test):
1097
1098 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
1099
1100         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
1101         https://bugs.webkit.org/show_bug.cgi?id=183334
1102
1103         Reviewed by Žan Doberšek.
1104
1105         * stress/var-injection-cache-invalidation.js:
1106
1107 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1108
1109         [ARM] Disable tests that run out of memory
1110         https://bugs.webkit.org/show_bug.cgi?id=182699
1111
1112         Reviewed by Žan Doberšek.
1113
1114         Skip tests that run of of memory. Do not run
1115         modules/module-jit-reachability.js without LLInt to prevent
1116         running out of executable memory.
1117
1118         * modules.yaml:
1119         * modules/module-jit-reachability.js:
1120         * stress/has-own-property-name-cache-string-keys.js:
1121         * stress/has-own-property-name-cache-symbol-keys.js:
1122
1123 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1124
1125         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1126         https://bugs.webkit.org/show_bug.cgi?id=183173
1127
1128         Reviewed by Saam Barati.
1129
1130         * stress/async-arrow-function-in-class-heritage.js: Added.
1131         (testSyntax):
1132         (testSyntaxError):
1133         (SyntaxError):
1134
1135 2018-03-01  Saam Barati  <sbarati@apple.com>
1136
1137         We need to clear cached structures when having a bad time
1138         https://bugs.webkit.org/show_bug.cgi?id=183256
1139         <rdar://problem/36245022>
1140
1141         Reviewed by Mark Lam.
1142
1143         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1144         (assert):
1145         (defineSetter):
1146         (iterate):
1147         (doSlice):
1148
1149 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1150
1151         JSC crash with `import("")`
1152         https://bugs.webkit.org/show_bug.cgi?id=183175
1153
1154         Reviewed by Saam Barati.
1155
1156         * stress/import-with-empty-string.js: Added.
1157
1158 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1159
1160         Unreviewed, skip FTL tests if FTL is disabled
1161         https://bugs.webkit.org/show_bug.cgi?id=183071
1162
1163         * stress/has-indexed-property-array-storage-ftl.js:
1164         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1165
1166 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1167
1168         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1169         https://bugs.webkit.org/show_bug.cgi?id=182965
1170
1171         Reviewed by Saam Barati.
1172
1173         * stress/put-by-val-array-storage.js: Added.
1174         (shouldBe):
1175         (testArrayStorageInBounds):
1176         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1177         (shouldBe):
1178         (testInt32.createBuiltin):
1179         (set for):
1180         * stress/put-by-val-slow-put-array-storage.js: Added.
1181         (shouldBe):
1182         (testArrayStorageInBounds):
1183
1184 2018-02-26  Saam Barati  <sbarati@apple.com>
1185
1186         validateStackAccess should not validate if the offset is within the stack bounds
1187         https://bugs.webkit.org/show_bug.cgi?id=183067
1188         <rdar://problem/37749988>
1189
1190         Reviewed by Mark Lam.
1191
1192         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1193         (assert):
1194         (test.a):
1195         (test.b):
1196         (test):
1197
1198 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1199
1200         Unreviewed, skip FTL tests if FTL is disabled
1201         https://bugs.webkit.org/show_bug.cgi?id=183071
1202
1203         * stress/has-indexed-property-array-storage-ftl.js:
1204         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1205
1206 2018-02-23  Saam Barati  <sbarati@apple.com>
1207
1208         Make Number.isInteger an intrinsic
1209         https://bugs.webkit.org/show_bug.cgi?id=183088
1210
1211         Reviewed by JF Bastien.
1212
1213         * stress/number-is-integer-intrinsic.js: Added.
1214
1215 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1216
1217         WebAssembly: cache memory address / size on instance
1218         https://bugs.webkit.org/show_bug.cgi?id=177305
1219
1220         Reviewed by JF Bastien.
1221
1222         * wasm/function-tests/memory-reuse.js: Added.
1223         (createWasmInstance):
1224         (doCheckTrap):
1225         (doMemoryGrow):
1226         (doCheck):
1227         (checkWasmInstancesWithSharedMemory):
1228
1229 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1230
1231         [JSC] Implement $vm.ftlTrue function for FTL testing
1232         https://bugs.webkit.org/show_bug.cgi?id=183071
1233
1234         Reviewed by Mark Lam.
1235
1236         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1237         (foo):
1238         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1239         (foo):
1240         * stress/dead-fiat-value-to-int52.js:
1241         (foo):
1242         * stress/dead-osr-entry-value.js:
1243         (foo):
1244         * stress/fiat-value-to-int52-then-exit-not-double.js:
1245         (foo):
1246         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1247         (foo):
1248         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1249         (foo):
1250         * stress/fiat-value-to-int52-then-fold.js:
1251         (foo):
1252         * stress/fiat-value-to-int52.js:
1253         (foo):
1254         * stress/fold-based-on-int32-proof-mul-branch.js:
1255         (foo):
1256         * stress/fold-profiled-call-to-call.js:
1257         (foo):
1258         * stress/fold-to-double-constant-then-exit.js:
1259         (foo):
1260         * stress/fold-to-int52-constant-then-exit.js:
1261         (foo):
1262         * stress/fold-to-primitive-in-cfa.js:
1263         (foo):
1264         * stress/fold-to-primitive-to-identity-in-cfa.js:
1265         (foo):
1266         * stress/has-indexed-property-array-storage-ftl.js: Added.
1267         (shouldBe):
1268         (test1):
1269         (test2):
1270         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1271         (shouldBe):
1272         (test1):
1273         (test2):
1274         * stress/int52-ai-add-then-filter-int32.js:
1275         (foo):
1276         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1277         (foo):
1278         * stress/int52-ai-mul-then-filter-int32.js:
1279         (foo):
1280         * stress/int52-ai-neg-then-filter-int32.js:
1281         (foo):
1282         * stress/int52-ai-sub-then-filter-int32.js:
1283         (foo):
1284         * stress/licm-pre-header-cannot-exit-nested.js:
1285         (foo):
1286         * stress/licm-pre-header-cannot-exit.js:
1287         (foo):
1288         * stress/sparse-array-entry-update-144067.js:
1289         (useMemoryToTriggerGCs):
1290         * stress/test-spec-misc.js:
1291         (foo):
1292         * stress/tricky-array-bounds-checks.js:
1293         (foo):
1294
1295 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1296
1297         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1298         https://bugs.webkit.org/show_bug.cgi?id=182792
1299
1300         Reviewed by Mark Lam.
1301
1302         * stress/has-indexed-property-array-storage.js: Added.
1303         (shouldBe):
1304         (test1):
1305         (test2):
1306         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1307         (shouldBe):
1308         (test1):
1309         (test2):
1310
1311 2018-02-20  Saam Barati  <sbarati@apple.com>
1312
1313         DFG::VarargsForwardingPhase should eliminate getting argument length
1314         https://bugs.webkit.org/show_bug.cgi?id=182959
1315
1316         Reviewed by Keith Miller.
1317
1318         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1319
1320 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1321
1322         [FTL] Support ArrayPush for ArrayStorage
1323         https://bugs.webkit.org/show_bug.cgi?id=182782
1324
1325         Reviewed by Saam Barati.
1326
1327         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1328
1329         * stress/array-push-array-storage-beyond-int32.js: Added.
1330         (shouldBe):
1331         (test):
1332         * stress/array-push-array-storage.js: Added.
1333         (shouldBe):
1334         (test):
1335         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1336         (shouldBe):
1337         (test):
1338         * stress/array-push-multiple-storage-continuous.js: Added.
1339         (shouldBe):
1340         (test):
1341
1342 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1343
1344         [FTL] Support ArrayPop for ArrayStorage
1345         https://bugs.webkit.org/show_bug.cgi?id=182783
1346
1347         Reviewed by Saam Barati.
1348
1349         * stress/array-pop-array-storage.js: Added.
1350         (shouldBe):
1351         (test):
1352
1353 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1354
1355         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1356         https://bugs.webkit.org/show_bug.cgi?id=182731
1357
1358         Reviewed by Saam Barati.
1359
1360         * stress/arrayify-array-storage-array.js: Added.
1361         (shouldBe):
1362         (testArrayStorage):
1363         * stress/arrayify-array-storage-non-array.js: Added.
1364         (shouldBe):
1365         (testArrayStorage):
1366         * stress/arrayify-array-storage.js: Added.
1367         (shouldBe):
1368         (testArrayStorage):
1369         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1370         (shouldBe):
1371         (testArrayStorage):
1372         * stress/arrayify-slow-put-array-storage.js: Added.
1373         (shouldBe):
1374         (testArrayStorage):
1375
1376 2018-02-19  Saam Barati  <sbarati@apple.com>
1377
1378         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1379         https://bugs.webkit.org/show_bug.cgi?id=182942
1380         <rdar://problem/37584764>
1381
1382         Reviewed by Mark Lam.
1383
1384         * stress/get-prototype-create-this-effectful.js: Added.
1385
1386 2018-02-16  Saam Barati  <sbarati@apple.com>
1387
1388         Fix bugs from r228411
1389         https://bugs.webkit.org/show_bug.cgi?id=182851
1390         <rdar://problem/37577732>
1391
1392         Reviewed by JF Bastien.
1393
1394         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1395
1396 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1397
1398         Unreviewed, roll out r228366 since it did not progress anything.
1399
1400         * stress/gc-error-stack.js: Removed.
1401         * stress/no-gc-error-stack.js: Removed.
1402
1403 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1404
1405         Many stress tests fail with JIT disabled
1406         https://bugs.webkit.org/show_bug.cgi?id=182730
1407
1408         Reviewed by Saam Barati.
1409
1410         These tests are broken by design if the JIT is disabled - they test
1411         the return value of numberOfDFGCompiles(), which is always set to
1412         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1413
1414         * stress/arith-abs-on-various-types.js:
1415         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1416         * stress/arith-acos-on-various-types.js:
1417         * stress/arith-acosh-on-various-types.js:
1418         * stress/arith-asin-on-various-types.js:
1419         * stress/arith-asinh-on-various-types.js:
1420         * stress/arith-atan-on-various-types.js:
1421         * stress/arith-atanh-on-various-types.js:
1422         * stress/arith-cbrt-on-various-types.js:
1423         * stress/arith-ceil-on-various-types.js:
1424         * stress/arith-clz32-on-various-types.js:
1425         * stress/arith-cos-on-various-types.js:
1426         * stress/arith-cosh-on-various-types.js:
1427         * stress/arith-expm1-on-various-types.js:
1428         * stress/arith-floor-on-various-types.js:
1429         * stress/arith-fround-on-various-types.js:
1430         * stress/arith-log-on-various-types.js:
1431         * stress/arith-log10-on-various-types.js:
1432         * stress/arith-log2-on-various-types.js:
1433         * stress/arith-negate-on-various-types.js:
1434         * stress/arith-round-on-various-types.js:
1435         * stress/arith-sin-on-various-types.js:
1436         * stress/arith-sinh-on-various-types.js:
1437         * stress/arith-sqrt-on-various-types.js:
1438         * stress/arith-tan-on-various-types.js:
1439         * stress/arith-tanh-on-various-types.js:
1440         * stress/arith-trunc-on-various-types.js:
1441         * stress/compare-strict-eq-on-various-types.js:
1442
1443 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1444
1445         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1446
1447         Unreviewed test gardening.
1448
1449         * stress/new-largeish-contiguous-array-with-size.js:
1450
1451 2018-02-14  Saam Barati  <sbarati@apple.com>
1452
1453         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1454         https://bugs.webkit.org/show_bug.cgi?id=182801
1455
1456         Reviewed by Keith Miller.
1457
1458         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1459
1460 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1461
1462         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1463         https://bugs.webkit.org/show_bug.cgi?id=182526
1464
1465         Unreviewed test gardening.
1466
1467         * stress/activation-sink-default-value-tdz-error.js:
1468
1469 2018-02-13  Saam Barati  <sbarati@apple.com>
1470
1471         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1472         https://bugs.webkit.org/show_bug.cgi?id=182755
1473         <rdar://problem/37080864>
1474
1475         Reviewed by Keith Miller.
1476
1477         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1478         (test1.o.get 10005):
1479         (test1):
1480         (test2.o.get 1000):
1481         (test2):
1482
1483 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1484
1485         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1486         https://bugs.webkit.org/show_bug.cgi?id=182717
1487
1488         Reviewed by Yusuke Suzuki.
1489
1490         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1491         literals, to allow template callsite arrays to be collected when the
1492         code containing the tagged template call is collected. This spec change
1493         has received concensus and been ratified.
1494
1495         This change eliminates the eternal map associating template contents
1496         with arrays.
1497
1498         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1499         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1500         * stress/tagged-templates-identity.js:
1501         * stress/template-string-tags-eval.js:
1502         * test262.yaml:
1503
1504 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1505
1506         Support GetArrayLength on ArrayStorage in the FTL
1507         https://bugs.webkit.org/show_bug.cgi?id=182625
1508
1509         Reviewed by Saam Barati.
1510
1511         * stress/array-storage-length.js: Added.
1512         (shouldBe):
1513         (testInBound):
1514         (testUncountable):
1515         (testSlowPutInBound):
1516         (testSlowPutUncountable):
1517         * stress/undecided-length.js: Added.
1518         (shouldBe):
1519         (test2):
1520
1521 2018-02-12  Saam Barati  <sbarati@apple.com>
1522
1523         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1524         https://bugs.webkit.org/show_bug.cgi?id=182706
1525         <rdar://problem/36833681>
1526
1527         Reviewed by Filip Pizlo.
1528
1529         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1530         (effects):
1531         (foo):
1532
1533 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1534
1535         Don't waste memory for error.stack
1536         https://bugs.webkit.org/show_bug.cgi?id=182656
1537
1538         Reviewed by Saam Barati.
1539         
1540         Tests the policy.
1541
1542         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1543         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1544
1545 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1546
1547         [JSC] Update Test262 to Feb 9 version
1548         https://bugs.webkit.org/show_bug.cgi?id=182468
1549
1550         Reviewed by Saam Barati.
1551
1552 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1553
1554         Unreviewed, fix invalid line terminator in old test262 file part 2
1555         https://bugs.webkit.org/show_bug.cgi?id=182468
1556
1557         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1558
1559 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1560
1561         Unreviewed, fix invalid line terminator in old test262 file
1562         https://bugs.webkit.org/show_bug.cgi?id=182468
1563
1564         * test262/test/language/literals/regexp/7.8.5-1.js:
1565
1566 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1567
1568         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1569         https://bugs.webkit.org/show_bug.cgi?id=182440
1570
1571         Reviewed by Darin Adler.
1572
1573         * stress/array-flatmap.js: Added.
1574         (shouldBe):
1575         (shouldBeArray):
1576         (shouldThrow):
1577         (var):
1578         * stress/array-flatten.js: Added.
1579         (shouldBe):
1580         (shouldBeArray):
1581         * test262.yaml:
1582         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1583         (3.flatMap):
1584         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1585
1586 2018-02-06  Keith Miller  <keith_miller@apple.com>
1587
1588         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1589         https://bugs.webkit.org/show_bug.cgi?id=182549
1590         <rdar://problem/36189995>
1591
1592         Reviewed by Saam Barati.
1593
1594         * stress/var-injection-cache-invalidation.js: Added.
1595         (allocateLotsOfThings):
1596         (test):
1597
1598 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1599
1600         Unreviewed, follow up for test262 update
1601         https://bugs.webkit.org/show_bug.cgi?id=182288
1602
1603         * test262.yaml:
1604
1605 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1606
1607         Update test262 to Jan 30 version
1608         https://bugs.webkit.org/show_bug.cgi?id=182288
1609
1610         Unreviewed test gardening.
1611
1612         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1613
1614 2018-02-02  Saam Barati  <sbarati@apple.com>
1615
1616         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1617         https://bugs.webkit.org/show_bug.cgi?id=182368
1618         <rdar://problem/36932466>
1619
1620         Reviewed by Mark Lam.
1621
1622         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1623         (runNearStackLimit.t):
1624         (runNearStackLimit):
1625         (try.runNearStackLimit):
1626         (catch):
1627
1628 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1629
1630         Update test262 to Jan 30 version
1631         https://bugs.webkit.org/show_bug.cgi?id=182288
1632
1633         Rubber stamped by Saam Barati.
1634
1635         This patch updates test262 to the latest one, Jan 30 version.
1636         Since added and changed files are too many, we cannot create ChangeLog.
1637         The following files are changed.
1638
1639         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1640         including some special line terminators (like u2028, u2029).
1641
1642         * test262.yaml:
1643         * test262/test262-Revision.txt:
1644         * test262/*:
1645
1646 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1647
1648         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1649         https://bugs.webkit.org/show_bug.cgi?id=182411
1650
1651         Reviewed by Carlos Alberto Lopez Perez.
1652
1653         This is skipped only on arm memory limited platforms. Until recently
1654         it was not a problem on MIPS as the butterfly was not initialized. But
1655         since r227435, the butterfly is initialized in that test and therefore
1656         memory is allocated, and the test typically takes around 512M, which
1657         means it generally gets OOM-killed on the MIPS buildbot.
1658
1659         * mozilla/mozilla-tests.yaml:
1660
1661 2018-02-01  Mark Lam  <mark.lam@apple.com>
1662
1663         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1664         https://bugs.webkit.org/show_bug.cgi?id=182419
1665         <rdar://problem/37044945>
1666
1667         Reviewed by Saam Barati.
1668
1669         * stress/regress-182419.js: Added.
1670
1671 2018-02-01  Keith Miller  <keith_miller@apple.com>
1672
1673         Fix crashes due to mishandling custom sections.
1674         https://bugs.webkit.org/show_bug.cgi?id=182404
1675         <rdar://problem/36935863>
1676
1677         Reviewed by Saam Barati.
1678
1679         * wasm/Builder.js:
1680         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1681         * wasm/js-api/validate.js:
1682         (assert.truthy):
1683
1684 2018-01-31  Saam Barati  <sbarati@apple.com>
1685
1686         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1687         https://bugs.webkit.org/show_bug.cgi?id=182074
1688         <rdar://problem/36846261>
1689
1690         Reviewed by Mark Lam.
1691
1692         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1693         (assert):
1694         (let.func):
1695         (let.o.foo):
1696         (varFunc):
1697
1698 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1699
1700         Unreviewed, update test262 expects
1701         https://bugs.webkit.org/show_bug.cgi?id=182232
1702
1703         * test262.yaml:
1704
1705 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1706
1707         [JSC] Implement trimStart and trimEnd
1708         https://bugs.webkit.org/show_bug.cgi?id=182233
1709
1710         Reviewed by Mark Lam.
1711
1712         * stress/trim.js: Added.
1713         (shouldBe):
1714         (startTest):
1715         (endTest):
1716         (trimTest):
1717
1718 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1719
1720         [JSC] Relax line terminators in String to make JSON subset of JS
1721         https://bugs.webkit.org/show_bug.cgi?id=182232
1722
1723         Reviewed by Keith Miller.
1724
1725         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1726         * stress/relaxed-line-terminators-in-string.js: Added.
1727         (shouldBe):
1728
1729 2018-01-29  Michael Saboff  <msaboff@apple.com>
1730
1731         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1732         https://bugs.webkit.org/show_bug.cgi?id=182249
1733
1734         Reviewed by Keith Miller.
1735
1736         New regression test.
1737
1738         * stress/compare-clobber-untypeduse.js: Added.
1739
1740 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1741
1742         Unreviewed, rolling out r227725.
1743
1744         This caused internal failures.
1745
1746         Reverted changeset:
1747
1748         "JSC Sampling Profiler: Detect tester and testee when sampling
1749         in RegExp JIT"
1750         https://bugs.webkit.org/show_bug.cgi?id=152729
1751         https://trac.webkit.org/changeset/227725
1752
1753 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1754
1755         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1756         https://bugs.webkit.org/show_bug.cgi?id=152729
1757
1758         Reviewed by Saam Barati.
1759
1760         * stress/sampling-profiler-regexp.js: Added.
1761         (platformSupportsSamplingProfiler.test):
1762         (platformSupportsSamplingProfiler.baz):
1763         (platformSupportsSamplingProfiler):
1764
1765 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1766
1767         [DFG][FTL] WeakMap#set should have DFG node
1768         https://bugs.webkit.org/show_bug.cgi?id=180015
1769
1770         Reviewed by Saam Barati.
1771
1772         * stress/weakmap-set-change-get.js: Added.
1773         (shouldBe):
1774         (test):
1775         * stress/weakmap-set-cse.js: Added.
1776         (shouldBe):
1777         (test):
1778         * stress/weakset-add-change-get.js: Added.
1779         (shouldBe):
1780         * stress/weakset-add-cse.js: Added.
1781         (shouldBe):
1782
1783 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1784
1785         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1786         https://bugs.webkit.org/show_bug.cgi?id=182213
1787
1788         Reviewed by Mark Lam.
1789
1790         * stress/int32-min-to-string.js: Added.
1791         (shouldBe):
1792         (test2):
1793         (test4):
1794         (test8):
1795         (test16):
1796         (test32):
1797         * stress/zero-to-string.js: Added.
1798         (shouldBe):
1799         (test2):
1800         (test4):
1801         (test8):
1802         (test16):
1803         (test32):
1804
1805 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1806
1807         Add more module scope related tests with code evaluation by string
1808         https://bugs.webkit.org/show_bug.cgi?id=181983
1809
1810         Reviewed by Sam Weinig.
1811
1812         Add more module scope related tests. When the original tests are landed,
1813         we do not have browser integration. This patch adds more module scope tests
1814         with dynamically created script evaluation. We add tests with Function
1815         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1816
1817         * modules/scopes-eval.js: Added.
1818         (shouldBe):
1819         * modules/scopes.js:
1820         (shouldBe):
1821
1822 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1823
1824         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1825
1826         * microbenchmarks/array-push-3.js: Removed.
1827         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1828         * microbenchmarks/double-to-int32.js: Removed.
1829         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1830         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1831         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1832         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1833         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1834         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1835         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1836         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1837         * microbenchmarks/map-constant-key.js: Removed.
1838         * microbenchmarks/nested-function-parsing.js: Removed.
1839         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1840         * microbenchmarks/spread-large-array.js: Removed.
1841         * microbenchmarks/string-add-constant-folding.js: Removed.
1842         * microbenchmarks/to-lower-case.js: Removed.
1843         * microbenchmarks/undefined-property-access.js: Removed.
1844         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1845         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1846         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1847         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1848         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1849         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1850         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1851         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1852         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1853         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1854         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1855         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1856         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1857         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1858         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1859         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1860         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1861         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1862
1863 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1864
1865         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1866         https://bugs.webkit.org/show_bug.cgi?id=181739
1867         <rdar://problem/36627662>
1868
1869         Reviewed by Saam Barati.
1870
1871         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1872         (foo):
1873         (bar):
1874
1875 2018-01-22  Michael Saboff  <msaboff@apple.com>
1876
1877         DFG abstract interpreter needs to properly model effects of some Math ops
1878         https://bugs.webkit.org/show_bug.cgi?id=181886
1879
1880         Reviewed by Saam Barati.
1881
1882         New regression test.
1883
1884         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1885         (test):
1886
1887 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1888
1889         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1890         https://bugs.webkit.org/show_bug.cgi?id=181182
1891
1892         Reviewed by Darin Adler.
1893
1894         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1895         * stress/big-int-prototype-to-string-exception.js: Added.
1896         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1897         * stress/number-prototype-to-string-cast-overflow.js: Added.
1898         * stress/number-prototype-to-string-exception.js: Added.
1899         * stress/number-prototype-to-string-wrong-values.js: Added.
1900
1901 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1902
1903         Disable Atomics when SharedArrayBuffer isn’t enabled
1904         https://bugs.webkit.org/show_bug.cgi?id=181572
1905
1906         Unreviewed test gardening.
1907
1908         * test262.yaml: Skip tests that fail after this change.
1909
1910 2018-01-19  Saam Barati  <sbarati@apple.com>
1911
1912         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1913         https://bugs.webkit.org/show_bug.cgi?id=181877
1914         <rdar://problem/36630552>
1915
1916         Reviewed by Mark Lam.
1917
1918         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1919         (runNearStackLimit):
1920         (f1):
1921         (f2):
1922         (f3):
1923         (i.catch):
1924         (i.try.runNearStackLimit):
1925         (catch):
1926
1927 2018-01-19  Saam Barati  <sbarati@apple.com>
1928
1929         Spread's effects are modeled incorrectly both in AI and in Clobberize
1930         https://bugs.webkit.org/show_bug.cgi?id=181867
1931         <rdar://problem/36290415>
1932
1933         Reviewed by Michael Saboff.
1934
1935         * stress/ai-needs-to-model-spreads-effects.js: Added.
1936         (try.p.Symbol.iterator):
1937         (try.go):
1938         (catch):
1939         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1940         (assert):
1941         (foo):
1942         (a.Symbol.iterator):
1943
1944 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1945
1946         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1947         https://bugs.webkit.org/show_bug.cgi?id=181535
1948
1949         * stress/inserted-recovery-with-set-last-index.js:
1950
1951 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1952
1953         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1954         https://bugs.webkit.org/show_bug.cgi?id=181535
1955
1956         Reviewed by Saam Barati.
1957
1958         * stress/inserted-recovery-with-set-last-index.js: Added.
1959         (shouldBe):
1960         (foo):
1961         * stress/materialize-regexp-at-osr-exit.js: Added.
1962         (shouldBe):
1963         (test):
1964         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1965         (shouldBe):
1966         (test):
1967         * stress/materialize-regexp-cyclic-regexp.js: Added.
1968         (shouldBe):
1969         (test):
1970         (i.switch):
1971         * stress/materialize-regexp-cyclic.js: Added.
1972         (shouldBe):
1973         (test):
1974         (i.switch):
1975         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1976         (bar):
1977         (foo):
1978         (test):
1979         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1980         (bar):
1981         (foo):
1982         (test):
1983         * stress/materialize-regexp.js: Added.
1984         (shouldBe):
1985         (test):
1986         * stress/phantom-regexp-regexp-exec.js: Added.
1987         (shouldBe):
1988         (test):
1989         * stress/phantom-regexp-string-match.js: Added.
1990         (shouldBe):
1991         (test):
1992         * stress/regexp-last-index-sinking.js: Added.
1993         (shouldBe):
1994         (test):
1995
1996 2018-01-17  Saam Barati  <sbarati@apple.com>
1997
1998         Disable Atomics when SharedArrayBuffer isn’t enabled
1999         https://bugs.webkit.org/show_bug.cgi?id=181572
2000         <rdar://problem/36553206>
2001
2002         Reviewed by Michael Saboff.
2003
2004         * stress/isLockFree.js:
2005
2006 2018-01-17  Saam Barati  <sbarati@apple.com>
2007
2008         DFG::Node::convertToConstant needs to clear the varargs flags
2009         https://bugs.webkit.org/show_bug.cgi?id=181697
2010         <rdar://problem/36497332>
2011
2012         Reviewed by Yusuke Suzuki.
2013
2014         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
2015         (doIndexOf):
2016         (bar):
2017         (i.bar):
2018
2019 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2020
2021         Unreviewed, rolling out r226937.
2022
2023         Tests added with this change are failing due to a missing
2024         exception check.
2025
2026         Reverted changeset:
2027
2028         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
2029         double to int32_t"
2030         https://bugs.webkit.org/show_bug.cgi?id=181182
2031         https://trac.webkit.org/changeset/226937
2032
2033 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
2034
2035         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2036         https://bugs.webkit.org/show_bug.cgi?id=181182
2037
2038         Reviewed by Darin Adler.
2039
2040         * bigIntTests.yaml:
2041         * stress/big-int-constructor.js:
2042         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
2043         (assert):
2044         (assertThrowRangeError):
2045         * stress/number-prototype-to-string-cast-overflow.js: Added.
2046         (assert):
2047         (assertThrowRangeError):
2048
2049 2018-01-12  Saam Barati  <sbarati@apple.com>
2050
2051         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2052         https://bugs.webkit.org/show_bug.cgi?id=181177
2053         <rdar://problem/36205704>
2054
2055         Reviewed by Yusuke Suzuki.
2056
2057         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
2058         (runNearStackLimit.t):
2059         (runNearStackLimit):
2060         (test.f):
2061         (test):
2062
2063 2018-01-12  Saam Barati  <sbarati@apple.com>
2064
2065         Each variant of a polymorphic inlined call should be exitOK at the top of the block
2066         https://bugs.webkit.org/show_bug.cgi?id=181562
2067         <rdar://problem/36445624>
2068
2069         Reviewed by Yusuke Suzuki.
2070
2071         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
2072         (f):
2073         (foo):
2074
2075 2018-01-11  Saam Barati  <sbarati@apple.com>
2076
2077         When inserting Unreachable in byte code parser we need to flush all the right things
2078         https://bugs.webkit.org/show_bug.cgi?id=181509
2079         <rdar://problem/36423110>
2080
2081         Reviewed by Mark Lam.
2082
2083         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
2084
2085 2018-01-11  Saam Barati  <sbarati@apple.com>
2086
2087         JITMathIC code in the FTL is wrong when code gets duplicated
2088         https://bugs.webkit.org/show_bug.cgi?id=181525
2089         <rdar://problem/36351993>
2090
2091         Reviewed by Michael Saboff and Keith Miller.
2092
2093         * stress/allow-math-ic-b3-code-duplication.js: Added.
2094
2095 2018-01-11  Saam Barati  <sbarati@apple.com>
2096
2097         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
2098         https://bugs.webkit.org/show_bug.cgi?id=181508
2099
2100         Reviewed by Yusuke Suzuki.
2101
2102         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
2103         (assert):
2104         (test1.foo):
2105         (test1):
2106         (test2.foo):
2107         (test2):
2108
2109 2018-01-09  Mark Lam  <mark.lam@apple.com>
2110
2111         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
2112         https://bugs.webkit.org/show_bug.cgi?id=181388
2113         <rdar://problem/36349351>
2114
2115         Reviewed by Saam Barati.
2116
2117         * stress/regress-181388.js: Added.
2118
2119 2018-01-08  JF Bastien  <jfbastien@apple.com>
2120
2121         WebAssembly: mask indexed accesses to Table
2122         https://bugs.webkit.org/show_bug.cgi?id=181412
2123         <rdar://problem/36363236>
2124
2125         Reviewed by Saam Barati.
2126
2127         Update error messages.
2128
2129         * wasm/js-api/table.js:
2130         (assert.throws.WebAssembly.Table.prototype.grow):
2131
2132 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2133
2134         Disable SharedArrayBuffer tests missed in r226386.
2135         https://bugs.webkit.org/show_bug.cgi?id=181266
2136
2137         Unreviewed test gardening.
2138
2139         * test262.yaml:
2140
2141 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2142
2143         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2144         https://bugs.webkit.org/show_bug.cgi?id=181321
2145
2146         Reviewed by Saam Barati.
2147
2148         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2149         (shouldBe):
2150         (testFunction):
2151         * test262.yaml:
2152
2153 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2154
2155         Unreviewed, attempt to fix test262 after r226386.
2156
2157         * test262.yaml:
2158
2159 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2160
2161         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2162         https://bugs.webkit.org/show_bug.cgi?id=179911
2163
2164         Reviewed by Saam Barati.
2165
2166         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2167
2168         * stress/map-set-change-get.js: Added.
2169         (shouldBe):
2170         (test):
2171         * stress/map-set-create-bucket.js: Added.
2172         (shouldBe):
2173         (test):
2174         * stress/set-add-create-bucket.js: Added.
2175         (shouldBe):
2176
2177 2018-01-03  Michael Saboff  <msaboff@apple.com>
2178
2179         Disable SharedArrayBuffers from Web API
2180         https://bugs.webkit.org/show_bug.cgi?id=181266
2181
2182         Reviewed by Saam Barati.
2183
2184         Disabled SharedArrayBuffer tests.
2185
2186         * stress/SharedArrayBuffer-opt.js:
2187         * stress/SharedArrayBuffer.js:
2188         * stress/array-buffer-byte-length.js:
2189         * stress/atomics-add-uint32.js:
2190         * stress/atomics-known-int-use.js:
2191         * stress/atomics-neg-zero.js:
2192         * stress/atomics-store-return.js:
2193         * stress/lars-sab-workers.js:
2194         * stress/regress-159779-1.js:
2195         * stress/regress-159779-2.js:
2196         * stress/regress-170473.js:
2197         * test262.yaml:
2198
2199 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2200
2201         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2202         https://bugs.webkit.org/show_bug.cgi?id=181258
2203
2204         Reviewed by Antonio Gomes.
2205
2206         * stress/big-int-constructor-gc.js:
2207         * stress/big-int-constructor-oom.js:
2208
2209 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2210
2211         Inlining of a function that ends in op_unreachable crashes
2212         https://bugs.webkit.org/show_bug.cgi?id=181027
2213
2214         Reviewed by Filip Pizlo.
2215
2216         * stress/inlining-unreachable.js: Added.
2217         (bar):
2218         (baz):
2219         (i.catch):
2220
2221 2018-01-02  Saam Barati  <sbarati@apple.com>
2222
2223         Incorrect assertion inside AccessCase
2224         https://bugs.webkit.org/show_bug.cgi?id=181200
2225         <rdar://problem/35494754>
2226
2227         Reviewed by Yusuke Suzuki.
2228
2229         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2230         (ctor):
2231         (theFunc):
2232         (run):
2233
2234 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2235
2236         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2237         https://bugs.webkit.org/show_bug.cgi?id=175359
2238
2239         Reviewed by Yusuke Suzuki.
2240
2241         * bigIntTests.yaml:
2242         * stress/big-int-as-key.js: Added.
2243         * stress/big-int-constructor-gc.js: Added.
2244         * stress/big-int-constructor-oom.js: Added.
2245         * stress/big-int-constructor-properties.js: Added.
2246         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2247         * stress/big-int-constructor-prototype.js: Added.
2248         * stress/big-int-constructor.js: Added.
2249         * stress/big-int-function-apply.js:
2250         * stress/big-int-length.js: Added.
2251         * stress/big-int-prop-descriptor.js: Added.
2252         * stress/big-int-proto-constructor.js: Added.
2253         * stress/big-int-proto-name.js: Added.
2254         * stress/big-int-prototype-properties.js: Added.
2255         * stress/big-int-prototype-proto.js: Added.
2256         * stress/big-int-prototype-value-of.js: Added.
2257         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2258         * stress/big-int-prototype-to-string-apply.js: Added.
2259         * stress/big-int-to-object.js: Added.
2260         * stress/big-int-to-string.js: Added.
2261
2262 2017-12-28  Saam Barati  <sbarati@apple.com>
2263
2264         Assertion used to determine if something is an async generator is wrong
2265         https://bugs.webkit.org/show_bug.cgi?id=181168
2266         <rdar://problem/35640560>
2267
2268         Reviewed by Yusuke Suzuki.
2269
2270         * stress/async-generator-assertion.js: Added.
2271
2272 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2273
2274         Skip stress/splay-flash-access tests on memory limited platforms
2275         https://bugs.webkit.org/show_bug.cgi?id=181086
2276
2277         Reviewed by Carlos Alberto Lopez Perez.
2278
2279         These tests use about 185M of memory, and occasionally get OOM-killed
2280         on memory limited platforms.
2281
2282         * stress/splay-flash-access-1ms.js:
2283         * stress/splay-flash-access.js:
2284
2285 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2286
2287         Skip slow jsc tests on embedded platforms
2288         https://bugs.webkit.org/show_bug.cgi?id=180937
2289
2290         Reviewed by Carlos Alberto Lopez Perez.
2291
2292         The tests typeProfiler/deltablue-for-of.js and
2293         typeProfiler/getter-richards.js take a very long time in the
2294         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2295         thus always timeout. They should be skipped on these platforms.
2296
2297         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2298         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2299
2300 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2301
2302         [JSC] Do not check isValid() in op_new_regexp
2303         https://bugs.webkit.org/show_bug.cgi?id=180970
2304
2305         Reviewed by Saam Barati.
2306
2307         * stress/regexp-syntax-error-invalid-flags.js: Added.
2308         (shouldThrow):
2309
2310 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2311
2312         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2313         https://bugs.webkit.org/show_bug.cgi?id=180712
2314
2315         Reviewed by Michael Catanzaro.
2316
2317         stress/call-apply-exponential-bytecode-size.js crashes if the
2318         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2319         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2320         should skip the test on other platforms.
2321
2322         * stress/call-apply-exponential-bytecode-size.js:
2323
2324 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2325
2326         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2327         https://bugs.webkit.org/show_bug.cgi?id=179762
2328
2329         Reviewed by Saam Barati.
2330
2331         * stress/call-varargs-double-new-array-buffer.js: Added.
2332         (assert):
2333         (bar):
2334         (foo):
2335         * stress/call-varargs-spread-new-array-buffer.js: Added.
2336         (assert):
2337         (bar):
2338         (foo):
2339         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2340         (assert):
2341         (bar):
2342         (foo):
2343         * stress/forward-varargs-double-new-array-buffer.js: Added.
2344         (assert):
2345         (test.baz):
2346         (test.bar):
2347         (test.foo):
2348         (test):
2349         * stress/new-array-buffer-sinking-osrexit.js: Added.
2350         (target):
2351         (test):
2352         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2353         (shouldBe):
2354         (test):
2355         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2356         (shouldBe):
2357         (target):
2358         (test):
2359         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2360         (assert):
2361         (test1.bar):
2362         (test1.foo):
2363         (test1):
2364         (test2.bar):
2365         (test2.foo):
2366         (test3.baz):
2367         (test3.bar):
2368         (test3.foo):
2369         (test4.baz):
2370         (test4.bar):
2371         (test4.foo):
2372         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2373         (assert):
2374         (test.baz):
2375         (test.bar):
2376         (test.foo):
2377         (test):
2378         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2379         (assert):
2380         (baz):
2381         (bar):
2382         (effects):
2383         (foo):
2384
2385 2017-12-14  Saam Barati  <sbarati@apple.com>
2386
2387         The CleanUp after LICM is erroneously removing a Check
2388         https://bugs.webkit.org/show_bug.cgi?id=180852
2389         <rdar://problem/36063494>
2390
2391         Reviewed by Filip Pizlo.
2392
2393         * stress/dont-run-cleanup-after-licm.js: Added.
2394
2395 2017-12-14  Michael Saboff  <msaboff@apple.com>
2396
2397         REGRESSION (r225695): Repro crash on yahoo login page
2398         https://bugs.webkit.org/show_bug.cgi?id=180761
2399
2400         Reviewed by JF Bastien.
2401
2402         New regression test.
2403
2404         * stress/regress-180761.js: Added.
2405
2406 2017-12-13  Keith Miller  <keith_miller@apple.com>
2407
2408         JSObjects should have a mask for loading indexed properties
2409         https://bugs.webkit.org/show_bug.cgi?id=180768
2410
2411         Reviewed by Mark Lam.
2412
2413         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2414         (test):
2415
2416 2017-12-13  Saam Barati  <sbarati@apple.com>
2417
2418         Arrow functions need their own structure because they have different properties than sloppy functions
2419         https://bugs.webkit.org/show_bug.cgi?id=180779
2420         <rdar://problem/35814591>
2421
2422         Reviewed by Mark Lam.
2423
2424         * stress/arrow-function-needs-its-own-structure.js: Added.
2425         (assert):
2426         (readPrototype):
2427         (noInline.let.f1):
2428         (noInline):
2429
2430 2017-12-13  Saam Barati  <sbarati@apple.com>
2431
2432         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2433         https://bugs.webkit.org/show_bug.cgi?id=163579
2434         <rdar://problem/35455798>
2435
2436         Reviewed by Mark Lam.
2437
2438         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2439         (assert):
2440         (test1):
2441         (i.test1):
2442         (i.test1.C):
2443         (i.test1.async.foo):
2444         (i.test1.foo):
2445         (test2):
2446
2447 2017-12-13  Saam Barati  <sbarati@apple.com>
2448
2449         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2450         https://bugs.webkit.org/show_bug.cgi?id=180734
2451         <rdar://problem/35640547>
2452
2453         Reviewed by Yusuke Suzuki.
2454
2455         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2456         (__isPropertyOfType):
2457         (__getProperties):
2458         (__getObjects):
2459         (__getRandomObject):
2460         (theClass.):
2461         (theClass):
2462         (childClass):
2463         (counter.catch):
2464
2465 2017-12-12  Saam Barati  <sbarati@apple.com>
2466
2467         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2468         https://bugs.webkit.org/show_bug.cgi?id=180725
2469         <rdar://problem/35970511>
2470
2471         Reviewed by Michael Saboff.
2472
2473         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2474         (f1):
2475         (f2):
2476         (let.o2.valueOf):
2477
2478 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2479
2480         [JSC] Implement optimized WeakMap and WeakSet
2481         https://bugs.webkit.org/show_bug.cgi?id=179929
2482
2483         Reviewed by Saam Barati.
2484
2485         * microbenchmarks/weak-map-key.js:
2486         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2487         (assert):
2488         (objectKey):
2489         (let.start.Date.now):
2490         * stress/basic-weakmap.js: Added.
2491         (shouldBe):
2492         (test):
2493         * stress/basic-weakset.js: Added.
2494         (shouldBe):
2495         (test.set new):
2496         * stress/weakmap-cse-set-break.js: Added.
2497         (shouldBe):
2498         (test):
2499         * stress/weakmap-cse.js: Added.
2500         (shouldBe):
2501         (test):
2502         * stress/weakmap-gc.js: Added.
2503         (test):
2504         * stress/weakset-cse-add-break.js: Added.
2505         (shouldBe):
2506         (test.set new):
2507         * stress/weakset-cse.js: Added.
2508         (shouldBe):
2509         (test.set new):
2510         * stress/weakset-gc.js: Added.
2511         (test.set add):
2512         (test.set new):
2513         (test):
2514
2515 2017-12-12  Saam Barati  <sbarati@apple.com>
2516
2517         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2518         https://bugs.webkit.org/show_bug.cgi?id=180723
2519         <rdar://problem/35859726>
2520
2521         Reviewed by JF Bastien.
2522
2523         * stress/get-my-argument-by-val-constant-folding.js: Added.
2524         (test):
2525         (catch):
2526
2527 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2528
2529         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2530         https://bugs.webkit.org/show_bug.cgi?id=179000
2531
2532         Reviewed by Darin Adler and Yusuke Suzuki.
2533
2534         * bigIntTests.yaml: Added.
2535         * stress/big-int-literal-line-terminator.js: Added.
2536         * stress/big-int-literals.js: Added.
2537         * stress/big-int-operations-error.js: Added.
2538         * stress/big-int-type-of.js: Added.
2539         * stress/big-int-white-space-trailing-leading.js: Added.
2540         * stress/big-int-function-apply.js: Added.
2541
2542 2017-12-11  Saam Barati  <sbarati@apple.com>
2543
2544         We need to disableCaching() in ErrorInstance when we materialize properties
2545         https://bugs.webkit.org/show_bug.cgi?id=180343
2546         <rdar://problem/35833002>
2547
2548         Reviewed by Mark Lam.
2549
2550         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2551         (assert):
2552         (makeError):
2553         (storeToStack):
2554         (storeToStackAlreadyMaterialized):
2555
2556 2017-12-05  JF Bastien  <jfbastien@apple.com>
2557
2558         WebAssembly: don't eagerly checksum
2559         https://bugs.webkit.org/show_bug.cgi?id=180441
2560         <rdar://problem/35156628>
2561
2562         Reviewed by Saam Barati.
2563
2564         Checksum is now disabled, so tests only have <?> as the module
2565         name.
2566
2567         * wasm/function-tests/nameSection.js:
2568         * wasm/function-tests/stack-overflow.js:
2569         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2570         (assertOverflows.assertThrows):
2571         (assertOverflows):
2572         * wasm/function-tests/stack-trace.js:
2573
2574 2017-12-04  JF Bastien  <jfbastien@apple.com>
2575
2576         Proxy all functions, except the $ objects
2577         https://bugs.webkit.org/show_bug.cgi?id=180375
2578
2579         Reviewed by Saam Barati.
2580
2581         It looks like this test may have broken some executions because I
2582         call some internal objects. Explicitly ignore objects whose name
2583         starts with "$" because it's a bad idea anyways.
2584
2585         * stress/proxy-all-the-parameters.js:
2586         (generateObjects):
2587         (get throw):
2588
2589 2017-12-04  Saam Barati  <sbarati@apple.com>
2590
2591         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2592         https://bugs.webkit.org/show_bug.cgi?id=180366
2593         <rdar://problem/35685877>
2594
2595         Reviewed by Michael Saboff.
2596
2597         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2598         (theParent):
2599         (test1.base.getParentStaticValue):
2600         (test1.base):
2601         (test1.__v_24888.prototype.set prop):
2602         (test1.__v_24888):
2603         (test2.base.getParentStaticValue):
2604         (test2.base):
2605         (test2.__v_24888.prototype.set prop):
2606         (test2.__v_24888):
2607         (test2):
2608
2609 2017-12-01  JF Bastien  <jfbastien@apple.com>
2610
2611         Try proxying all function arguments
2612         https://bugs.webkit.org/show_bug.cgi?id=180306
2613
2614         Reviewed by Saam Barati.
2615
2616         * stress/proxy-all-the-parameters.js: Added.
2617         (isPropertyOfType):
2618         (getProperties):
2619         (generateObjects):
2620         (getObjects):
2621         (getFunctions):
2622         (get throw):
2623         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2624
2625 2017-12-01  JF Bastien  <jfbastien@apple.com>
2626
2627         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2628         https://bugs.webkit.org/show_bug.cgi?id=180297
2629         <rdar://problem/35745556>
2630
2631         Reviewed by Mark Lam.
2632
2633         * stress/math-exceptions.js: Added.
2634         (get try):
2635         (catch):
2636
2637 2017-12-01  JF Bastien  <jfbastien@apple.com>
2638
2639         JavaScriptCore: add test for weird class static getters
2640         https://bugs.webkit.org/show_bug.cgi?id=180281
2641         <rdar://problem/35592139>
2642
2643         Reviewed by Mark Lam.
2644
2645         I fixed a bug for it in r224927 and didn't add a test. Do so.
2646
2647         * stress/class-static-get-weird.js: Added.
2648         (c.prototype.get name):
2649         (c):
2650         (c.prototype.get arguments):
2651         (c.prototype.get caller):
2652         (c.prototype.get length):
2653
2654 2017-12-01  Saam Barati  <sbarati@apple.com>
2655
2656         Having a bad time needs to handle ArrayClass indexing type as well
2657         https://bugs.webkit.org/show_bug.cgi?id=180274
2658         <rdar://problem/35667869>
2659
2660         Reviewed by Keith Miller and Mark Lam.
2661
2662         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2663         (assert):
2664         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2665         (assert):
2666
2667 2017-12-01  JF Bastien  <jfbastien@apple.com>
2668
2669         WebAssembly: restore cached stack limit after out-call
2670         https://bugs.webkit.org/show_bug.cgi?id=179106
2671         <rdar://problem/35337525>
2672
2673         Reviewed by Saam Barati.
2674
2675         * wasm/function-tests/double-instance.js: Added.
2676         (const.imp.boom):
2677         (const.imp.get callAnother):
2678
2679 2017-11-30  JF Bastien  <jfbastien@apple.com>
2680
2681         WebAssembly: improve stack trace
2682         https://bugs.webkit.org/show_bug.cgi?id=179343
2683
2684         Reviewed by Saam Barati.
2685
2686         Update the tests to follow the new format. Notably, SHA1 module
2687         hash is now included in traces, and stubs are properly identified.
2688
2689         * wasm/assert.js: Add an assertion which matches regular expressions.
2690         * wasm/function-tests/nameSection.js:
2691         * wasm/function-tests/stack-overflow.js:
2692         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2693         (assertOverflows.assertThrows.wasm.1):
2694         (assertOverflows.assertThrows.wasm.0):
2695         (assertOverflows.assertThrows):
2696         (assertOverflows):
2697         * wasm/function-tests/stack-trace.js:
2698         (import.Builder.from.string_appeared_here.assert): Deleted.
2699         * wasm/function-tests/trap-after-cross-instance-call.js:
2700         (wasmFrameCountFromError):
2701         * wasm/function-tests/trap-load-2.js:
2702         (wasmFrameCountFromError):
2703         * wasm/function-tests/trap-load.js:
2704         (wasmFrameCountFromError):
2705
2706 2017-11-30  Mark Lam  <mark.lam@apple.com>
2707
2708         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2709         https://bugs.webkit.org/show_bug.cgi?id=180219
2710         <rdar://problem/35696536>
2711
2712         Reviewed by Filip Pizlo.
2713
2714         * stress/regress-180219.js: Added.
2715
2716 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2717
2718         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2719         https://bugs.webkit.org/show_bug.cgi?id=180190
2720
2721         Reviewed by Mark Lam.
2722
2723         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2724         (shouldBe):
2725         (test1):
2726         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2727         (shouldBe):
2728         (test1):
2729         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2730         (shouldBe):
2731         (test1):
2732         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2733         (shouldBe):
2734         (test1):
2735         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2736         (shouldBe):
2737         (test1):
2738         * stress/operation-in-may-have-negative-int32.js: Added.
2739         (shouldBe):
2740         (test2):
2741         * stress/operation-in-negative-int32-cast.js: Added.
2742         (shouldBe):
2743         (test1):
2744
2745 2017-11-28  JF Bastien  <jfbastien@apple.com>
2746
2747         Strict and sloppy functions shouldn't share structure
2748         https://bugs.webkit.org/show_bug.cgi?id=180103
2749         <rdar://problem/35667847>
2750
2751         Reviewed by Saam Barati.
2752
2753         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2754         because the IC was wrong.
2755         (foo):
2756         (bar):
2757         (baz):
2758         (catch):
2759         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2760         in this patch, but may as well test odd strict mode corner cases.
2761         (bar):
2762         (baz):
2763         (catch):
2764         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2765         (foo):
2766         (bar):
2767         (baz):
2768         (catch):
2769         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2770         next file, but with invalidation of the FunctionExecutable's
2771         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2772         slower path.
2773         (foo):
2774         (bar.const.x):
2775         (bar.const.y):
2776         (bar):
2777         (catch):
2778         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2779         strict nesting works correctly.
2780         (foo):
2781         (bar.baz):
2782         (bar):
2783         * stress/strict-function-structure.js: Added. The test used to
2784         assert in objectProtoFuncHasOwnProperty.
2785         (foo):
2786         (bar):
2787         (baz):
2788         * stress/strict-nested-function-structure.js: Added. Nesting.
2789         (foo):
2790         (bar):
2791         (baz.boo):
2792         (baz):
2793
2794 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2795
2796         The recursive tail call optimisation is wrong on closures
2797         https://bugs.webkit.org/show_bug.cgi?id=179835
2798
2799         Reviewed by Saam Barati.
2800
2801         * stress/closure-recursive-tail-call.js: Added.
2802         (makeClosure):
2803
2804 2017-11-27  JF Bastien  <jfbastien@apple.com>
2805
2806         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2807         https://bugs.webkit.org/show_bug.cgi?id=180051
2808         <rdar://problem/35614371>
2809
2810         Reviewed by Saam Barati.
2811
2812         * stress/rest-parameter-negative.js: Added.
2813         (__f_5484):
2814         (catch):
2815         (__f_5485):
2816         (__v_22598.catch):
2817
2818 2017-11-27  Saam Barati  <sbarati@apple.com>
2819
2820         Spread can escape when CreateRest does not
2821         https://bugs.webkit.org/show_bug.cgi?id=180057
2822         <rdar://problem/35676119>
2823
2824         Reviewed by JF Bastien.
2825
2826         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2827         (assert):
2828         (getProperties):
2829         (theFunc):
2830         (let.obj.valueOf):
2831
2832 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2833
2834         [DFG] Add NormalizeMapKey DFG IR
2835         https://bugs.webkit.org/show_bug.cgi?id=179912
2836
2837         Reviewed by Saam Barati.
2838
2839         * stress/map-untyped-normalize-cse.js: Added.
2840         (shouldBe):
2841         (test):
2842         * stress/map-untyped-normalize.js: Added.
2843         (shouldBe):
2844         (test):
2845         * stress/set-untyped-normalize-cse.js: Added.
2846         (shouldBe):
2847         (set return.set has.set has):
2848         * stress/set-untyped-normalize.js: Added.
2849         (shouldBe):
2850         (set return.set has):
2851
2852 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2853
2854         [FTL] Support DeleteById and DeleteByVal
2855         https://bugs.webkit.org/show_bug.cgi?id=180022
2856
2857         Reviewed by Saam Barati.
2858
2859         * stress/delete-by-id.js: Added.
2860         (shouldBe):
2861         (test1):
2862         (test2):
2863         * stress/delete-by-val-ftl.js: Added.
2864         (shouldBe):
2865         (test1):
2866         (test2):
2867
2868 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2869
2870         [DFG] Introduce {Set,Map,WeakMap}Fields
2871         https://bugs.webkit.org/show_bug.cgi?id=179925
2872
2873         Reviewed by Saam Barati.
2874
2875         * stress/map-set-clobber-map-get.js: Added.
2876         (shouldBe):
2877         (test):
2878         * stress/map-set-does-not-clobber-set-has.js: Added.
2879         (shouldBe):
2880         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2881         (shouldBe):
2882         (test):
2883         * stress/set-add-clobber-set-has.js: Added.
2884         (shouldBe):
2885         * stress/set-add-does-not-clobber-map-get.js: Added.
2886         (shouldBe):
2887
2888 2017-11-24  Mark Lam  <mark.lam@apple.com>
2889
2890         Move unsafe jsc shell test functions to the $vm object.
2891         https://bugs.webkit.org/show_bug.cgi?id=179980
2892
2893         Reviewed by Yusuke Suzuki.
2894
2895         * controlFlowProfiler/driver/driver.js:
2896         * controlFlowProfiler/execution-count.js:
2897         * controlFlowProfiler/if-statement.js:
2898         * controlFlowProfiler/loop-statements.js:
2899         * controlFlowProfiler/switch-statements.js:
2900         * controlFlowProfiler/test-jit.js:
2901         * exceptionFuzz/3d-cube.js:
2902         * exceptionFuzz/date-format-xparb.js:
2903         * exceptionFuzz/earley-boyer.js:
2904         * heapProfiler/basic-edges.js:
2905         * heapProfiler/property-edge-types.js:
2906         * microbenchmarks/try-get-by-id-basic.js:
2907         * microbenchmarks/try-get-by-id-polymorphic.js:
2908         * modules/namespace-object-try-get.js:
2909         * stress/argument-count-bytecode.js:
2910         * stress/argument-intrinsic-basic.js:
2911         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2912         * stress/argument-intrinsic-inlining-with-result-escape.js:
2913         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2914         * stress/argument-intrinsic-inlining-with-vararg.js:
2915         * stress/argument-intrinsic-nested-inlining.js:
2916         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2917         * stress/argument-intrinsic-with-stack-write.js:
2918         * stress/arity-mismatch-get-argument.js:
2919         * stress/array-message-passing.js:
2920         * stress/array-push-with-force-exit.js:
2921         * stress/check-dom-with-signature.js:
2922         * stress/check-sub-class.js:
2923         * stress/compare-eq-incomplete-profile.js:
2924         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2925         * stress/do-eval-virtual-call-correctly.js:
2926         * stress/dom-jit-with-poly-proto.js:
2927         * stress/domjit-exception-ic.js:
2928         * stress/domjit-exception.js:
2929         * stress/domjit-getter-complex-with-incorrect-object.js:
2930         * stress/domjit-getter-complex.js:
2931         * stress/domjit-getter-poly.js:
2932         * stress/domjit-getter-proto.js:
2933         * stress/domjit-getter-super-poly.js:
2934         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2935         * stress/domjit-getter-type-check.js:
2936         * stress/domjit-getter.js:
2937         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2938         * stress/for-in-proxy-target-changed-structure.js:
2939         * stress/for-in-proxy.js:
2940         * stress/generational-opaque-roots.js:
2941         * stress/global-const-redeclaration-setting-2.js:
2942         * stress/global-const-redeclaration-setting-3.js:
2943         * stress/global-const-redeclaration-setting-4.js:
2944         * stress/global-const-redeclaration-setting-5.js:
2945         * stress/global-const-redeclaration-setting.js:
2946         * stress/import-basic.js:
2947         * stress/import-from-eval.js:
2948         * stress/import-reject-with-exception.js:
2949         * stress/import-syntax.js:
2950         * stress/impure-get-own-property-slot-inline-cache.js:
2951         * stress/is-constructor.js:
2952         * stress/istypedarrayview-intrinsic.js:
2953         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2954         * stress/jsc-test-functions-should-be-more-robust.js:
2955         * stress/object-toString-with-proxy.js:
2956         * stress/poly-proto-custom-value-and-accessor.js:
2957         * stress/proxy-inline-cache.js:
2958         * stress/re-execute-error-module.js:
2959         * stress/regress-150532.js:
2960         * stress/regress-156992.js:
2961         * stress/regress-179619.js:
2962         * stress/resources/shadow-chicken-support.js:
2963         * stress/runtime-array.js:
2964         * stress/sampling-profiler-microtasks.js:
2965         * stress/shadow-chicken-enabled.js:
2966         * stress/spread-correct-global-object-on-exception.js:
2967         * stress/super-get-by-id.js:
2968         * stress/tailCallForwardArguments.js:
2969         * stress/to-object-intrinsic-boolean-edge.js:
2970         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2971         * stress/to-object-intrinsic-number-edge.js:
2972         * stress/to-object-intrinsic-object-edge.js:
2973         * stress/to-object-intrinsic-string-edge.js:
2974         * stress/to-object-intrinsic-symbol-edge.js:
2975         * stress/to-object-intrinsic.js:
2976         * stress/try-catch-custom-getter-as-get-by-id.js:
2977         * stress/try-get-by-id-poly-proto.js:
2978         * stress/try-get-by-id-should-spill-registers-dfg.js:
2979         * stress/try-get-by-id.js:
2980         * typeProfiler/arrow-functions.js:
2981         * typeProfiler/basic.js:
2982         * typeProfiler/captured.js:
2983         * typeProfiler/classes.js:
2984         * typeProfiler/dfg-jit-optimizations.js:
2985         * typeProfiler/dictionary-mode.js:
2986         * typeProfiler/es6-block-scoping.js:
2987         * typeProfiler/es6-classes.js:
2988         * typeProfiler/inheritance.js:
2989         * typeProfiler/int52-dfg.js:
2990         * typeProfiler/loop.js:
2991         * typeProfiler/optional-fields.js:
2992         * typeProfiler/overflow.js:
2993         * typeProfiler/return.js:
2994         * typeProfiler/symbol.js:
2995         * typeProfiler/weird-prototype-chain.js:
2996
2997 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2998
2999         [DFG][FTL] Support MapSet / SetAdd intrinsics
3000         https://bugs.webkit.org/show_bug.cgi?id=179858
3001
3002         Reviewed by Saam Barati.
3003
3004         * microbenchmarks/map-has-and-set.js: Added.
3005         (test):
3006         * stress/map-set-check-failure.js: Added.
3007         (shouldBe):
3008         (shouldThrow):
3009         (target):
3010         * stress/map-set-cse.js: Added.
3011         (shouldBe):
3012         (test):
3013         * stress/set-add-check-failure.js: Added.
3014         (shouldBe):
3015         (shouldThrow):
3016         (set shouldThrow):
3017         * stress/set-add-cse.js: Added.
3018         (shouldBe):
3019
3020 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3021
3022         [JSC] Allow poly proto for intrinsic getters
3023         https://bugs.webkit.org/show_bug.cgi?id=179550
3024
3025         Reviewed by Saam Barati.
3026
3027         This change is also tested by existing tests.
3028
3029             1. stress/intrinsic-getter-with-poly-proto.js
3030             2. stress/poly-proto-intrinsic-getter-correctness.js
3031
3032         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
3033         (shouldBe):
3034         (makePolyProtoObject.foo.C):
3035         (makePolyProtoObject.foo):
3036         (makePolyProtoObject):
3037         (target):
3038         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
3039         (shouldBe):
3040         (makePolyProtoObject.foo.C):
3041         (makePolyProtoObject.foo):
3042         (makePolyProtoObject):
3043         (target):
3044
3045 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
3046
3047         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
3048         https://bugs.webkit.org/show_bug.cgi?id=179744
3049
3050         Reviewed by Michael Catanzaro.
3051
3052         This test uses too much memory for our buildbots on these platforms
3053         and gets OOM-killed.
3054
3055         * stress/unshiftCountSlowCase-correct-postCapacity.js:
3056         Skip if $memoryLimited and linux.
3057
3058 2017-11-17  JF Bastien  <jfbastien@apple.com>
3059
3060         WebAssembly JS API: throw when a promise can't be created
3061         https://bugs.webkit.org/show_bug.cgi?id=179826
3062         <rdar://problem/35455813>
3063
3064         Reviewed by Mark Lam.
3065
3066         Test WebAssembly.{compile,instantiate} where promise creation
3067         fails because of a stack overflow.
3068
3069         * wasm/js-api/promise-stack-overflow.js: Added.
3070         (const.runNearStackLimit.f.const.t):
3071         (async.testCompile):
3072         (async.testInstantiate):
3073
3074 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3075
3076         Unreviewed, mark regress-178385.js as memory exhausting
3077
3078         * stress/regress-178385.js:
3079
3080 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
3081
3082         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
3083
3084         Unreviewed test gardening.
3085
3086         * test262.yaml:
3087
3088 2017-11-16  Robin Morisset  <rmorisset@apple.com>
3089
3090         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
3091         https://bugs.webkit.org/show_bug.cgi?id=179763
3092         <rdar://problem/35550513>
3093
3094         Reviewed by Keith Miller.
3095
3096         Just adding a slightly cleaned-up version of the original fuzzer-found test.
3097
3098         * stress/tdz-this-in-try-catch.js: Added.
3099         (__v_6388):
3100         (__v_6392):
3101
3102 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3103
3104         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3105         https://bugs.webkit.org/show_bug.cgi?id=179594
3106
3107         Reviewed by Saam Barati.
3108
3109         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
3110         (shouldBe):
3111         (args):
3112         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
3113         (shouldBe):
3114         (args):
3115
3116 2017-11-14  Saam Barati  <sbarati@apple.com>
3117
3118         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3119         https://bugs.webkit.org/show_bug.cgi?id=179639
3120         <rdar://problem/35513018>
3121
3122         Reviewed by JF Bastien.
3123
3124         * wasm/function-tests/grow-memory-cause-gc.js: Added.
3125         (escape):
3126         (i.func):
3127
3128 2017-11-13  Mark Lam  <mark.lam@apple.com>
3129
3130         Add more overflow check book-keeping for MarkedArgumentBuffer.
3131         https://bugs.webkit.org/show_bug.cgi?id=179634
3132         <rdar://problem/35492517>
3133
3134         Reviewed by Saam Barati.
3135
3136         * stress/regress-179634.js: Added.
3137
3138 2017-11-13  Mark Lam  <mark.lam@apple.com>
3139
3140         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3141         https://bugs.webkit.org/show_bug.cgi?id=179619
3142         <rdar://problem/35492518>
3143
3144         Reviewed by Saam Barati.
3145
3146         * stress/regress-179619.js: Added.
3147
3148 2017-11-12  Mark Lam  <mark.lam@apple.com>
3149
3150         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3151         https://bugs.webkit.org/show_bug.cgi?id=179562
3152         <rdar://problem/35467022>
3153
3154         Reviewed by Saam Barati.
3155
3156         * regress-179562.js: Added.
3157
3158 2017-11-08  Saam Barati  <sbarati@apple.com>
3159
3160         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3161         https://bugs.webkit.org/show_bug.cgi?id=177792
3162
3163         Reviewed by Yusuke Suzuki.
3164
3165         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3166         (assert):
3167         (foo.Foo.prototype.ensureX):
3168         (foo.Foo):
3169         (foo):
3170         (access):
3171
3172 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3173
3174         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3175         https://bugs.webkit.org/show_bug.cgi?id=178592
3176
3177         Unreviewed test gardening.
3178
3179         * test262.yaml:
3180
3181 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3182
3183         Turn recursive tail calls into loops
3184         https://bugs.webkit.org/show_bug.cgi?id=176601
3185
3186         Reviewed by Saam Barati.
3187
3188         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3189
3190         Add some simple test that computes factorial in several ways, and other trivial computations.
3191         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3192         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3193         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3194         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3195
3196         * stress/inline-call-to-recursive-tail-call.js: Added.
3197         (factorial.aux):
3198         (factorial):
3199         (factorial2.aux2):
3200         (factorial2.id):
3201         (factorial2):
3202         (factorial3.aux3):
3203         (factorial3):
3204         (aux4):
3205         (factorial4):
3206         (foo):
3207         (auxBar):
3208         (bar):
3209         (test):
3210
3211 2017-11-07  Mark Lam  <mark.lam@apple.com>
3212
3213         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3214         https://bugs.webkit.org/show_bug.cgi?id=179355
3215         <rdar://problem/35263053>
3216
3217         Reviewed by Saam Barati.
3218
3219         * stress/regress-179355.js: Added.
3220
3221 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3222
3223         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3224         https://bugs.webkit.org/show_bug.cgi?id=144458
3225
3226         Reviewed by Saam Barati.
3227
3228         * microbenchmarks/dfg-internal-function-call.js: Added.
3229         (target):
3230         * microbenchmarks/dfg-internal-function-construct.js: Added.
3231         (target):
3232         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3233         (target):
3234         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3235         (target):
3236         * stress/dfg-internal-function-call.js: Added.
3237         (shouldBe):
3238         (target):
3239         * stress/dfg-internal-function-construct.js: Added.
3240         (shouldBe):
3241         (target):
3242         * stress/internal-function-call.js: Added.
3243         (shouldBe):
3244         * stress/internal-function-construct.js: Added.
3245         (shouldBe):
3246
3247 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3248
3249         [Win] Skip stress/regress-178385.js.
3250         https://bugs.webkit.org/show_bug.cgi?id=179298
3251
3252         Unreviewed test gardening.
3253
3254         * stress/regress-178385.js:
3255
3256 2017-11-03  Keith Miller  <keith_miller@apple.com>
3257
3258         Add test for ic with side effects
3259         https://bugs.webkit.org/show_bug.cgi?id=179268
3260
3261         Reviewed by Saam Barati.
3262
3263         * stress/put-inline-cache-side-effects.js: Added.
3264         (let.i.of.objs.keys):
3265         (f):
3266
3267 2017-11-03  Mark Lam  <mark.lam@apple.com>
3268
3269         CachedCall (and its clients) needs overflow checks.
3270         https://bugs.webkit.org/show_bug.cgi?id=179185
3271
3272         Reviewed by JF Bastien.
3273
3274         * stress/regress-179185.js: Added.
3275
3276 2017-11-02  Michael Saboff  <msaboff@apple.com>
3277
3278         DFG needs to handle code motion of code in for..in loop bodies
3279         https://bugs.webkit.org/show_bug.cgi?id=179212
3280
3281         Reviewed by Keith Miller.
3282
3283         New regression test.
3284
3285         * stress/for-in-side-effects.js: Added.
3286         (getPrototypeOf):
3287         (reset):
3288         (testWithoutFTL.f):
3289         (testWithoutFTL):
3290         (testWithFTL.f):
3291         (testWithFTL):
3292
3293 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3294
3295         AI does not correctly model the clobber case of ArithClz32
3296         https://bugs.webkit.org/show_bug.cgi?id=179188
3297
3298         Reviewed by Michael Saboff.
3299
3300         * stress/arith-clz32-effects.js: Added.
3301         (foo):
3302         (valueOf):
3303
3304 2017-11-01  Michael Saboff  <msaboff@apple.com>
3305
3306         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3307         https://bugs.webkit.org/show_bug.cgi?id=179140
3308
3309         Reviewed by Saam Barati.
3310
3311         New regression test.
3312
3313         * stress/regress-179140.js: Added.
3314         (testWithoutFTL):
3315         (testWithFTL):
3316
3317 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3318
3319         [JSC] Introduce @toObject
3320         https://bugs.webkit.org/show_bug.cgi?id=178726
3321
3322         Reviewed by Saam Barati.
3323
3324         * stress/array-copywithin.js:
3325         (shouldThrow):
3326         * stress/object-constructor-boolean-edge.js: Added.
3327         (shouldBe):
3328         (test):
3329         * stress/object-constructor-global.js: Added.
3330         (shouldBe):
3331         * stress/object-constructor-null-edge.js: Added.
3332         (shouldBe):
3333         (test):
3334         * stress/object-constructor-number-edge.js: Added.
3335         (shouldBe):
3336         (test):
3337         * stress/object-constructor-object-edge.js: Added.
3338         (shouldBe):
3339         (test):
3340         (i.arg):
3341         * stress/object-constructor-string-edge.js: Added.
3342         (shouldBe):
3343         (test):
3344         * stress/object-constructor-symbol-edge.js: Added.
3345         (shouldBe):
3346         (test):
3347         * stress/object-constructor-undefined-edge.js: Added.
3348         (shouldBe):
3349         (test):
3350         * stress/symbol-array-from.js: Added.
3351         (shouldBe):
3352         * stress/to-object-intrinsic-boolean-edge.js: Added.
3353         (shouldBe):
3354         (builtin.createBuiltin):
3355         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3356         (shouldThrow):
3357         * stress/to-object-intrinsic-number-edge.js: Added.
3358         (shouldBe):
3359         (builtin.createBuiltin):
3360         * stress/to-object-intrinsic-object-edge.js: Added.
3361         (shouldBe):
3362         (builtin.createBuiltin):
3363         (i.arg):
3364         * stress/to-object-intrinsic-string-edge.js: Added.
3365         (shouldBe):
3366         (builtin.createBuiltin):
3367         * stress/to-object-intrinsic-symbol-edge.js: Added.
3368         (shouldBe):
3369         (builtin.createBuiltin):
3370         * stress/to-object-intrinsic.js: Added.
3371         (shouldBe):
3372         (shouldThrow):
3373         (builtin.createBuiltin):
3374
3375 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3376
3377         [DFG][FTL] Introduce StringSlice
3378         https://bugs.webkit.org/show_bug.cgi?id=178934
3379
3380         Reviewed by Saam Barati.
3381
3382         * microbenchmarks/string-slice-empty.js: Added.
3383         (slice):
3384         * microbenchmarks/string-slice-one-char.js: Added.
3385         (slice):
3386         * microbenchmarks/string-slice.js: Added.
3387         (slice):
3388
3389 2017-10-26  Michael Saboff  <msaboff@apple.com>
3390
3391         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3392         https://bugs.webkit.org/show_bug.cgi?id=178890
3393
3394         Reviewed by Keith Miller.
3395
3396         New regression test.
3397
3398         * stress/regress-178890.js: Added.
3399
3400 2017-10-26  Mark Lam  <mark.lam@apple.com>
3401
3402         JSRopeString::RopeBuilder::append() should check for overflows.
3403         https://bugs.webkit.org/show_bug.cgi?id=178385
3404         <rdar://problem/35027468>
3405
3406         Reviewed by Saam Barati.
3407
3408         * stress/regress-178385.js: Added.
3409
3410 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3411
3412         Unreviewed, rolling out r223961.
3413
3414         The change that required this has been rolled out.
3415
3416         Reverted changeset:
3417
3418         "Mark test262.yaml/test262/test/language/statements/try/tco-
3419         catch.js as passing."
3420         https://bugs.webkit.org/show_bug.cgi?id=178592
3421         https://trac.webkit.org/changeset/223961
3422
3423 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3424
3425         Unreviewed, rolling out r223691 and r223729.
3426         https://bugs.webkit.org/show_bug.cgi?id=178834
3427
3428         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3429         by rniwa on #webkit).
3430
3431         Reverted changesets:
3432
3433         "Turn recursive tail calls into loops"
3434         https://bugs.webkit.org/show_bug.cgi?id=176601
3435         https://trac.webkit.org/changeset/223691
3436
3437         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3438         comparison is always false due to limited range of data type
3439         [-Wtype-limits]"
3440         https://bugs.webkit.org/show_bug.cgi?id=178543
3441         https://trac.webkit.org/changeset/223729
3442
3443 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3444
3445         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3446         https://bugs.webkit.org/show_bug.cgi?id=178592
3447
3448         Unreviewed test gardening.
3449
3450         * test262.yaml:
3451
3452 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3453
3454         [FTL] Support NewStringObject
3455         https://bugs.webkit.org/show_bug.cgi?id=178737
3456
3457         Reviewed by Saam Barati.
3458
3459         * stress/new-string-object.js: Added.
3460         (shouldBe):
3461         (test):
3462
3463 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3464
3465         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3466         https://bugs.webkit.org/show_bug.cgi?id=178308
3467
3468         Reviewed by Mark Lam.
3469
3470         * test262.yaml:
3471
3472 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3473
3474         [JSC] Use fastJoin in Array#toString
3475         https://bugs.webkit.org/show_bug.cgi?id=178062
3476
3477         Reviewed by Darin Adler.
3478
3479         * microbenchmarks/contiguous-array-to-string.js: Added.
3480         (target):
3481         * microbenchmarks/double-array-to-string.js: Added.
3482         (target):
3483         * microbenchmarks/int32-array-to-string.js: Added.
3484         (target):
3485
3486 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3487
3488         stress/check-string-ident.js is improperly skipped
3489         https://bugs.webkit.org/show_bug.cgi?id=178642
3490
3491         Reviewed by Saam Barati.
3492
3493         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3494         since it enforces the run-jsc-stress-tests script to still set up the
3495         test to run, despite the skip directive that's used before.
3496
3497 2017-10-20  Mark Lam  <mark.lam@apple.com>
3498
3499         Add a test case for r214334.
3500         https://bugs.webkit.org/show_bug.cgi?id=169941
3501         <rdar://problem/31221258>
3502
3503         Reviewed by JF Bastien.
3504
3505         * stress/regress-169941.js: Added.
3506
3507 2017-10-19  JF Bastien  <jfbastien@apple.com>
3508
3509         WebAssembly: no VM / JS version of everything but Instance
3510         https://bugs.webkit.org/show_bug.cgi?id=177473
3511
3512         Reviewed by Filip Pizlo, Saam Barati.
3513
3514         - Exceeding max on memory growth now returns a range error as per
3515         spec. This is a (very minor) breaking change: it used to throw OOM
3516         error. Update the corresponding test.
3517
3518         * wasm/js-api/memory-grow.js:
3519         (assertEq):
3520         * wasm/js-api/table.js:
3521         (assert.throws):
3522
3523 2017-10-19  Mark Lam  <mark.lam@apple.com>
3524
3525         Stringifier::appendStringifiedValue() is missing an exception check.
3526         https://bugs.webkit.org/show_bug.cgi?id=178386
3527         <rdar://problem/35027610>
3528
3529         Reviewed by Saam Barati.
3530
3531         * stress/regress-178386.js: Added.
3532
3533 2017-10-19  Michael Saboff  <msaboff@apple.com>
3534
3535         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3536         https://bugs.webkit.org/show_bug.cgi?id=178521
3537
3538         Reviewed by JF Bastien.
3539
3540         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3541         now passes with the current version (5.0) of the Emoji spec.
3542
3543 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3544
3545         Turn recursive tail calls into loops
3546         https://bugs.webkit.org/show_bug.cgi?id=176601
3547
3548         Reviewed by Saam Barati.
3549
3550         Add some simple test that computes factorial in several ways, and other trivial computations.
3551         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3552         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3553         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3554         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3555
3556         * stress/inline-call-to-recursive-tail-call.js: Added.
3557         (factorial.aux):
3558         (factorial):
3559         (factorial2.aux):
3560         (factorial2.id):
3561         (factorial2):
3562         (factorial3.aux):
3563         (factorial3):
3564         (aux):
3565         (factorial4):
3566         (test):
3567
3568 2017-10-18  Mark Lam  <mark.lam@apple.com>
3569
3570         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3571         https://bugs.webkit.org/show_bug.cgi?id=177600
3572         <rdar://problem/34710985>
3573
3574         Reviewed by Saam Barati.
3575
3576         * stress/regress-177600.js: Added.
3577
3578 2017-10-18  Mark Lam  <mark.lam@apple.com>
3579
3580         The compiler should always register a structure when it adds its transitionWatchPointSet.
3581         https://bugs.webkit.org/show_bug.cgi?id=178420
3582         <rdar://problem/34814024>
3583
3584         Reviewed by Saam Barati and Filip Pizlo.
3585
3586         * stress/regress-178420.js: Added.
3587         (new.Array.10000.map):
3588
3589 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3590
3591         [JSC] __proto__ getter should be fast
3592         https://bugs.webkit.org/show_bug.cgi?id=178067
3593
3594         Reviewed by Saam Barati.
3595
3596         * stress/dfg-object-proto-accessor.js: Added.
3597         (shouldBe):
3598         (shouldThrow):
3599         (target):
3600         * stress/dfg-object-proto-getter.js: Added.
3601         (shouldBe):
3602         (shouldThrow):
3603         (target):
3604         * stress/dfg-object-prototype-of.js: Added.
3605         (shouldBe):
3606         (shouldThrow):
3607         (target):
3608         * stress/dfg-reflect-get-prototype-of.js: Added.
3609         (shouldBe):
3610         (shouldThrow):
3611         (target):
3612         * stress/intrinsic-getter-with-poly-proto.js: Added.
3613         (shouldBe):
3614         (makePolyProtoObject.foo.C):
3615         (makePolyProtoObject.foo):
3616         (makePolyProtoObject):
3617         (target):
3618         * stress/object-get-prototype-of-filtered.js: Added.
3619         (shouldBe):
3620         (shouldThrow):
3621         (target):
3622         (i.Cocoa):
3623         * stress/object-get-prototype-of-mono-proto.js: Added.
3624         (shouldBe):
3625         (makePolyProtoObject.foo.C):
3626         (makePolyProtoObject.foo):
3627         (makePolyProtoObject):
3628         (target):
3629         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3630         (shouldBe):
3631         (makePolyProtoObject.foo.C):
3632         (makePolyProtoObject.foo):
3633         (makePolyProtoObject):
3634         (target):
3635         * stress/object-get-prototype-of-poly-proto.js: Added.
3636         (shouldBe):
3637         (makePolyProtoObject.foo.C):
3638         (makePolyProtoObject.foo):
3639         (makePolyProtoObject):
3640         (target):
3641         * stress/object-proto-getter-filtered.js: Added.
3642         (shouldBe):
3643         (shouldThrow):
3644         (target):
3645         (i.Cocoa):
3646         * stress/object-proto-getter-poly-mono-proto.js: Added.
3647         (shouldBe):
3648         (makePolyProtoObject.foo.C):
3649         (makePolyProtoObject.foo):
3650         (makePolyProtoObject):
3651         (target):
3652         * stress/object-proto-getter-poly-proto.js: Added.
3653         (shouldBe):
3654         (makePolyProtoObject.foo.C):
3655         (makePolyProtoObject.foo):
3656         (makePolyProtoObject):
3657         (target):
3658         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3659         * stress/string-proto.js: Added.
3660         (shouldBe):
3661         (target):
3662
3663 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3664
3665         Unreviewed, rolling out r223523.
3666
3667         A test for this change is failing on debug JSC bots.
3668
3669         Reverted changeset:
3670
3671         "[JSC] __proto__ getter should be fast"
3672         https://bugs.webkit.org/show_bug.cgi?id=178067
3673         https://trac.webkit.org/changeset/223523
3674
3675 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3676
3677         [JSC] __proto__ getter should be fast
3678         https://bugs.webkit.org/show_bug.cgi?id=178067
3679
3680         Reviewed by Saam Barati.
3681
3682         * stress/dfg-object-proto-accessor.js: Added.
3683         (shouldBe):
3684         (shouldThrow):
3685         (target):
3686         * stress/dfg-object-proto-getter.js: Added.
3687         (shouldBe):
3688         (shouldThrow):
3689         (target):
3690         * stress/dfg-object-prototype-of.js: Added.
3691         (shouldBe):
3692         (shouldThrow):
3693         (target):
3694         * stress/dfg-reflect-get-prototype-of.js: Added.
3695         (shouldBe):
3696         (shouldThrow):
3697         (target):
3698         * stress/object-get-prototype-of-filtered.js: Added.
3699         (shouldBe):
3700         (shouldThrow):
3701         (target):
3702         (i.Cocoa):
3703         * stress/object-get-prototype-of-mono-proto.js: Added.
3704         (shouldBe):
3705         (makePolyProtoObject.foo.C):
3706         (makePolyProtoObject.foo):
3707         (makePolyProtoObject):
3708         (target):
3709         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3710         (shouldBe):
3711         (makePolyProtoObject.foo.C):
3712         (makePolyProtoObject.foo):
3713         (makePolyProtoObject):
3714         (target):
3715         * stress/object-get-prototype-of-poly-proto.js: Added.
3716         (shouldBe):
3717         (makePolyProtoObject.foo.C):
3718         (makePolyProtoObject.foo):
3719         (makePolyProtoObject):
3720         (target):
3721         * stress/object-proto-getter-filtered.js: Added.
3722         (shouldBe):
3723         (shouldThrow):
3724         (target):
3725         (i.Cocoa):
3726         * stress/object-proto-getter-poly-mono-proto.js: Added.
3727         (shouldBe):
3728         (makePolyProtoObject.foo.C):
3729         (makePolyProtoObject.foo):
3730         (makePolyProtoObject):
3731         (target):
3732         * stress/object-proto-getter-poly-proto.js: Added.
3733         (shouldBe):
3734         (makePolyProtoObject.foo.C):
3735         (makePolyProtoObject.foo):
3736         (makePolyProtoObject):
3737         (target):
3738         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3739         * stress/string-proto.js: Added.
3740         (shouldBe):
3741         (target):
3742
3743 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3744
3745         Reland "Add Above/Below comparisons for UInt32 patterns"
3746         https://bugs.webkit.org/show_bug.cgi?id=177281
3747
3748         Reviewed by Saam Barati.
3749
3750         * stress/uint32-comparison-jump.js: Added.
3751         (shouldBe):
3752         (above):
3753         (aboveOrEqual):
3754         (below):
3755         (belowOrEqual):
3756         (notAbove):
3757         (notAboveOrEqual):
3758         (notBelow):
3759         (notBelowOrEqual):
3760         * stress/uint32-comparison.js: Added.
3761         (shouldBe):
3762         (above):
3763         (aboveOrEqual):
3764         (below):
3765         (belowOrEqual):
3766         (aboveTest):
3767         (aboveOrEqualTest):
3768         (belowTest):
3769         (belowOrEqualTest):
3770
3771 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3772
3773         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3774         https://bugs.webkit.org/show_bug.cgi?id=178210
3775
3776         Reviewed by Saam Barati.
3777
3778         * wasm/function-tests/trap-from-start-async.js:
3779         (async.StartTrapsAsync):
3780         * wasm/function-tests/trap-from-start.js:
3781         (StartTraps):
3782         * wasm/js-api/web-assembly-function.js:
3783         (assert.eq.Object.getPrototypeOf):
3784         * wasm/js-api/wrapper-function.js:
3785         (return.new.WebAssembly.Module):
3786         (assert.throws.makeInstance): Deleted.
3787         (assert.throws.Bar): Deleted.
3788         (assert.throws): Deleted.
3789
3790 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3791
3792         Enable gigacage on iOS
3793         https://bugs.webkit.org/show_bug.cgi?id=177586
3794
3795         Reviewed by JF Bastien.
3796         
3797         Add tests for when Gigacage gets runtime disabled.
3798
3799         * stress/disable-gigacage-arrays.js: Added.
3800         (foo):
3801         * stress/disable-gigacage-strings.js: Added.
3802         (foo):
3803         * stress/disable-gigacage-typed-arrays.js: Added.
3804         (foo):
3805
3806 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3807
3808         import.meta should not be assignable
3809         https://bugs.webkit.org/show_bug.cgi?id=178202
3810
3811         Reviewed by Saam Barati.
3812
3813         * modules/import-meta-assignment.js: Added.
3814         (shouldThrow):
3815         (SyntaxError.import.meta.can.shouldThrow):
3816
3817 2017-10-11  Saam Barati  <sbarati@apple.com>
3818
3819         Unreviewed. Actually skip certain type profiler tests in debug.
3820
3821         * typeProfiler.yaml:
3822         * typeProfiler/deltablue-for-of.js:
3823         * typeProfiler/getter-richards.js:
3824
3825 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3826
3827         Unreviewed, rolling out r223113 and r223121.
3828         https://bugs.webkit.org/show_bug.cgi?id=178182
3829
3830         Reintroduced 20% regression on Kraken (Requested by rniwa on
3831         #webkit).
3832
3833         Reverted changesets:
3834
3835         "Enable gigacage on iOS"
3836         https://bugs.webkit.org/show_bug.cgi?id=177586
3837         https://trac.webkit.org/changeset/223113
3838
3839         "Use one virtual allocation for all gigacages and their
3840         runways"
3841         https://bugs.webkit.org/show_bug.cgi?id=178050
3842         https://trac.webkit.org/changeset/223121
3843
3844 2017-10-11  Michael Saboff  <msaboff@apple.com>
3845
3846         Disable test262 named capture group tests with direct unicode names and with references before definitions
3847         https://bugs.webkit.org/show_bug.cgi?id=178177
3848
3849         Reviewed by Keith Miller.
3850
3851         Bugs to track fixing these test are:
3852         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3853             "Add support in named capture group identifiers for direct surrogate pairs"
3854         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3855             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3856
3857         * test262.yaml:
3858
3859 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3860
3861         Object properties are undefined in super.call() but not in this.call()
3862         https://bugs.webkit.org/show_bug.cgi?id=177230
3863
3864         Reviewed by Saam Barati.
3865
3866         * stress/super-call-function-subclass.js: Added.
3867         (assert):
3868         (A.prototype.t):
3869         (A):
3870         * stress/super-dot-call-and-apply.js: Added.
3871         (assert):
3872         (A):
3873         (A.prototype.call):
3874         (A.prototype.apply):
3875         (B.prototype.testSuper):
3876         (B):
3877         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3878         (D.prototype.testSuper):
3879         (D):
3880
3881 2017-10-10  Saam Barati  <sbarati@apple.com>
3882
3883         The prototype cache should be aware of the Executable it generates a Structure for
3884         https://bugs.webkit.org/show_bug.cgi?id=177907
3885
3886         Reviewed by Filip Pizlo.
3887
3888         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3889         (assert):
3890         (foo.C):
3891         (foo):
3892         (bar.C):
3893         (bar):
3894         (access):
3895         (makeLongChain):
3896         (accessY):
3897
3898 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3899
3900         `async` should be able to be used as an imported binding name
3901         https://bugs.webkit.org/show_bug.cgi?id=176573
3902
3903         Reviewed by Saam Barati.
3904
3905         * modules/import-default-async.js: Added.
3906         * modules/import-named-async-as.js: Added.
3907         * modules/import-named-async.js: Added.
3908         * modules/import-named-async/target.js: Added.
3909         * modules/import-namespace-async.js: Added.
3910         * test262.yaml:
3911
3912 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3913
3914         Enable gigacage on iOS
3915         https://bugs.webkit.org/show_bug.cgi?id=177586
3916
3917         Reviewed by JF Bastien.
3918         
3919         Add tests for when Gigacage gets runtime disabled.
3920
3921         * stress/disable-gigacage-arrays.js: Added.
3922         (foo):
3923         * stress/disable-gigacage-strings.js: Added.
3924         (foo):
3925         * stress/disable-gigacage-typed-arrays.js: Added.
3926         (foo):
3927
3928 2017-10-09  Michael Saboff  <msaboff@apple.com>
3929
3930         Implement RegExp Unicode property escapes
3931         https://bugs.webkit.org/show_bug.cgi?id=172069
3932
3933         Reviewed by JF Bastien.
3934
3935         Enabled Unicode Property tests.
3936
3937         * test262.yaml:
3938
3939 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3940
3941         Unreviewed, rolling out r223015 and r223025.
3942         https://bugs.webkit.org/show_bug.cgi?id=178093
3943
3944         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3945         #webkit).
3946
3947         Reverted changesets:
3948
3949         "Enable gigacage on iOS"
3950         https://bugs.webkit.org/show_bug.cgi?id=177586
3951         http://trac.webkit.org/changeset/223015
3952
3953         "Unreviewed, disable Gigacage on ARM64 Linux"
3954         https://bugs.webkit.org/show_bug.cgi?id=177586
3955         http://trac.webkit.org/changeset/223025
3956
3957 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3958
3959         Update expectations for test262 tests that pass after r223043.
3960         https://bugs.webkit.org/show_bug.cgi?id=176685
3961
3962         Unreviewed test gardening.
3963
3964         * test262.yaml:
3965
3966 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3967
3968         Unreviewed, rolling out r223022.
3969
3970         This change introduced 18 test262 failures.
3971
3972         Reverted changeset:
3973
3974         "`async` should be able to be used as an imported binding
3975         name"
3976         https://bugs.webkit.org/show_bug.cgi?id=176573
3977         http://trac.webkit.org/changeset/223022
3978
3979 2017-10-09  Saam Barati  <sbarati@apple.com>
3980
3981         3 poly-proto JSC tests timing out on debug after r222827
3982         https://bugs.webkit.org/show_bug.cgi?id=177880
3983         <rdar://problem/34817122>
3984
3985         Unreviewed.
3986
3987         I'm skipping these type profiler tests on debug since they are long running.
3988
3989         * typeProfiler/deltablue-for-of.js:
3990         * typeProfiler/getter-richards.js:
3991
3992 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3993
3994         Safari 10 /11 problem with if (!await get(something)).
3995         https://bugs.webkit.org/show_bug.cgi?id=176685
3996
3997         Reviewed by Saam Barati.
3998
3999         * stress/async-await-basic.js:
4000         (awaitEpression.async):
4001         * stress/async-await-syntax.js:
4002         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
4003         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
4004
4005 2017-10-08  Saam Barati  <sbarati@apple.com>
4006
4007         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
4008
4009         * typeProfiler/deltablue-for-of.js:
4010         * typeProfiler/getter-richards.js:
4011
4012 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
4013
4014         `async` should be able to be used as an imported binding name
4015         https://bugs.webkit.org/show_bug.cgi?id=176573
4016
4017         Reviewed by Darin Adler.
4018
4019         * modules/import-default-async.js: Added.
4020         * modules/import-named-async-as.js: Added.
4021         * modules/import-named-async.js: Added.
4022         * modules/import-named-async/target.js: Added.
4023         * modules/import-namespace-async.js: Added.
4024
4025 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
4026
4027         Enable gigacage on iOS
4028         https://bugs.webkit.org/show_bug.cgi?id=177586
4029
4030         Reviewed by JF Bastien.
4031         
4032         Add tests for when Gigacage gets runtime disabled.
4033
4034         * stress/disable-gigacage-arrays.js: Added.
4035         (foo):
4036         * stress/disable-gigacage-strings.js: Added.
4037         (foo):
4038         * stress/disable-gigacage-typed-arrays.js: Added.
4039         (foo):
4040
4041 2017-10-06  Commit Queue  <commit-queue@webkit.org>
4042
4043         Unreviewed, rolling out r222791 and r222873.
4044         https://bugs.webkit.org/show_bug.cgi?id=178031
4045
4046         Caused crashes with workers/wasm LayoutTests (Requested by
4047         ryanhaddad on #webkit).
4048
4049         Reverted changesets:
4050
4051         "WebAssembly: no VM / JS version of everything but Instance"
4052         https://bugs.webkit.org/show_bug.cgi?id=177473
4053         http://trac.webkit.org/changeset/222791
4054
4055         "WebAssembly: address no VM / JS follow-ups"
4056         https://bugs.webkit.org/show_bug.cgi?id=177887
4057         http://trac.webkit.org/changeset/222873
4058
4059 2017-10-05  Saam Barati  <sbarati@apple.com>
4060
4061         Make sure all prototypes under poly proto get added into the VM's prototype map
4062         https://bugs.webkit.org/show_bug.cgi?id=177909
4063
4064         Reviewed by Keith Miller.
4065
4066         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
4067         (assert):
4068         (foo.C):
4069         (foo):
4070         (set x):
4071
4072 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
4073
4074         [JSC] Introduce import.meta
4075         https://bugs.webkit.org/show_bug.cgi?id=177703
4076
4077         Reviewed by Filip Pizlo.
4078
4079         * modules/import-meta-syntax.js: Added.
4080         (shouldThrow):
4081         (shouldNotThrow):
4082         * modules/import-meta.js: Added.
4083         * modules/import-meta/cocoa.js: Added.
4084         * modules/resources/assert.js:
4085         (export.shouldNotThrow):
4086         * stress/import-syntax.js:
4087
4088 2017-10-04  Saam Barati  <sbarati@apple.com>
4089
4090         Make pertinent AccessCases watch the poly proto watchpoint
4091         https://bugs.webkit.org/show_bug.cgi?id=177765
4092
4093         Reviewed by Keith Miller.
4094
4095         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
4096         (assert):
4097         (foo.C):
4098         (foo):
4099         (validate):
4100         * stress/poly-proto-clear-stub.js: Added.
4101         (assert):
4102         (foo.C):
4103         (foo):
4104
4105 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
4106
4107         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
4108
4109         Unreviewed test gardening.
4110
4111         * test262.yaml:
4112
4113 2017-10-04  Saam Barati  <sbarati@apple.com>
4114
4115         3 poly-proto JSC tests timing out on debug after r222827
4116         https://bugs.webkit.org/show_bug.cgi?id=177880
4117
4118         Rubber stamped by Mark Lam.
4119
4120         * microbenchmarks/poly-proto-access.js:
4121         * typeProfiler/deltablue-for-of.js:
4122         * typeProfiler/getter-richards.js:
4123
4124 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
4125
4126         Unreviewed, marking tco-catch.js as a failure after test262 update
4127         https://bugs.webkit.org/show_bug.cgi?id=177859
4128
4129         * test262.yaml:
4130
4131 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4132
4133         Unreviewed, marking one async iterator test262 test failed
4134         https://bugs.webkit.org/show_bug.cgi?id=177859
4135
4136         * test262.yaml:
4137
4138 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4139
4140         [Test262] Update Test262 to Oct 4 version
4141         https://bugs.webkit.org/show_bug.cgi?id=177859
4142
4143         Reviewed by Sam Weinig.
4144
4145         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
4146         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
4147
4148         * test262.yaml:
4149         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
4150         (checkSequence):
4151         * test262/harness/typeCoercion.js:
4152         (testCoercibleToIndexZero):
4153         (testCoercibleToIndexOne):
4154         (testCoercibleToIndexFromIndex):
4155         (testNotCoercibleToIndex.testPrimitiveValue):
4156         (testNotCoercibleToInteger):
4157         (testCoercibleToBigIntZero.testPrimitiveValue):
4158         (testCoercibleToBigIntZero):
4159         (testCoercibleToBigIntOne.testPrimitiveValue):
4160         (testCoercibleToBigIntOne):
4161         (testPrimitiveValue):
4162         (testCoercibleToBigIntFromBigInt):
4163         (testNotCoercibleToBigInt.testPrimitiveValue):
4164         (testNotCoercibleToBigInt.testStringValue):
4165         (testNotCoercibleToBigInt):
4166         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
4167         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
4168         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
4169         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
4170         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
4171         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
4172         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
4173         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
4174         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
4175         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
4176         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
4177         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
4178         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
4179         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
4180         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
4181         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
4182         (testCoercibleToBigIntZero):
4183         (testCoercibleToBigIntOne):
4184         (testNotCoercibleToBigInt):
4185         (MyError): Deleted.
4186         (valueOf): Deleted.
4187         (toString): Deleted.
4188         (Symbol.toPrimitive): Deleted.
4189         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
4190         (testCoercibleToIndexZero):
4191         (testCoercibleToIndexOne):
4192         (testNotCoercibleToIndex):
4193         (MyError): Deleted.
4194         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
4195         (assert.sameValue.BigInt.asIntN.toString): Deleted.
4196         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
4197         (BigInt.asIntN.valueOf): Deleted.
4198         (BigInt.asIntN.toString): Deleted.
4199         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
4200         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
4201         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
4202         (testCoercibleToBigIntZero):
4203         (testCoercibleToBigIntOne):
4204         (testNotCoercibleToBigInt):
4205         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
4206         (testCoercibleToIndexZero):
4207         (testCoercibleToIndexOne):
4208         (testNotCoercibleToIndex):
4209         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
4210         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
4211         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
4212         (bits.valueOf):
4213         (bigint.valueOf):
4214         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
4215         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
4216         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
4217         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
4218         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
4219         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
4220         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
4221         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
4222         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
4223         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
4224         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
4225         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
4226         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
4227         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
4228         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
4229         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
4230         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
4231         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
4232         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
4233         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
4234         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
4235         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
4236         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
4237         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
4238         (replacer):
4239         (BigInt.prototype.toJSON):
4240         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
4241         (replacer):
4242         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
4243         (BigInt.prototype.toJSON):
4244         * test262/test/built-ins/JSON/stringify/bigint.js:
4245         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
4246         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
4247         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
4248         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
4249         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
4250         * test262/test/built-ins/Object/proto-from-ctor.js:
4251         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
4252         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4253         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4254         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4255         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4256         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4257         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4258         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4259         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4260         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4261         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4262         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4263         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4264         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4265         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4266         * test262/test/built-ins/Proxy/get-fn-realm.js:
4267         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4268         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4269         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4270         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4271         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4272         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4273         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4274         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4275         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4276         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4277         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4278         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4279         (i6.replace):
4280         (i6b.replace):
4281         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4282         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4283         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4284         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4285         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4286         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4287         * test262/test/built-ins/RegExp/u180e.js: Added.
4288         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4289         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4290         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4291         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4292         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4293         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4294         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4295         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4296         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4297         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4298         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4299         * test262/test/built-ins/String/prototype/endsWith/length.js:
4300         * test262/test/built-ins/String/prototype/endsWith/name.js:
4301         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4302         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4303         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4304         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4305         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4306         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4307         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4308         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4309         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4310         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4311         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4312         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4313         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4314         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4315         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4316         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4317         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4318         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4319         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4320         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4321         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4322         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4323         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4324         * test262/test/built-ins/String/prototype/includes/includes.js:
4325         * test262/test/built-ins/String/prototype/includes/length.js:
4326         * test262/test/built-ins/String/prototype/includes/name.js:
4327         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4328         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4329         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4330         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4331         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4332         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4333         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4334         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4335         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4336         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4337         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4338         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4339         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4340         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4341         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4342         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4343         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4344         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4345         * test262/test/built-ins/String/prototype/trim/u180e.js:
4346         * test262/test/built-ins/Symbol/for/cross-realm.js:
4347         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4348         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4349         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4350         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4351         * test262/test/built-ins/Symbol/match/cross-realm.js:
4352         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4353         * test262/test/built-ins/Symbol/search/cross-realm.js:
4354         * test262/test/built-ins/Symbol/species/cross-realm.js:
4355         * test262/test/built-ins/Symbol/split/cross-realm.js:
4356         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4357         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4358         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4359         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4360         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4361         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4362         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4363         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4364         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4365         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4366         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4367         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4368         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4369         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4370         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4371         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4372         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4373         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4374         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4375         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4376         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4377         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4378         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4379         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4380         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4381         * test262/test/language/eval-code/indirect/realm.js:
4382         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4383         (o.get z):
4384         (o.get a):
4385         * test262/test/language/expressions/call/eval-realm-indirect.js:
4386         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4387         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4388         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4389         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4390         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4391         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4392         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4393         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4394         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4395         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4396