Unreviewed, rolling out r231197.
[WebKit-https.git] / JSTests / ChangeLog
1 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Unreviewed, rolling out r231197.
4
5         The test added with this change crashes on the 32-bit JSC bot.
6
7         Reverted changeset:
8
9         "Correctly detect string overflow when using the 'Function'
10         constructor"
11         https://bugs.webkit.org/show_bug.cgi?id=184883
12         https://trac.webkit.org/changeset/231197
13
14 2018-05-02  Filip Pizlo  <fpizlo@apple.com>
15
16         JSC should know how to cache custom getter accesses on the prototype chain
17         https://bugs.webkit.org/show_bug.cgi?id=185213
18
19         Reviewed by Keith Miller.
20
21         * microbenchmarks/get-custom-getter.js: Added.
22         (test):
23
24 2018-05-02  Robin Morisset  <rmorisset@apple.com>
25
26         emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
27         https://bugs.webkit.org/show_bug.cgi?id=183172
28
29         Reviewed by Filip Pizlo.
30
31         * stress/length-of-new-array-with-spread.js: Added.
32         (foo):
33         (bar):
34         (baz):
35
36 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
37
38         [JSC] Add SameValue DFG node
39         https://bugs.webkit.org/show_bug.cgi?id=185065
40
41         Reviewed by Saam Barati.
42
43         * microbenchmarks/object-is.js: Added.
44         (incognito):
45         (sameValue):
46         (test1):
47         (test2):
48         (test3):
49         (test4):
50         (test5):
51         (test6):
52         * stress/object-is.js: Added.
53         (shouldBe):
54         (is1):
55         (is2):
56         (is3):
57         (is4):
58         (is5):
59         (is6):
60         (is7):
61         (is8):
62         (is9):
63         (is10):
64         (is11):
65         (is12):
66         (is13):
67         (is14):
68         (is15):
69
70 2018-05-01  Robin Morisset  <rmorisset@apple.com>
71
72         Correctly detect string overflow when using the 'Function' constructor
73         https://bugs.webkit.org/show_bug.cgi?id=184883
74         <rdar://problem/36320331>
75
76         Reviewed by Filip Pizlo.
77
78         I put this regression test in the 'slowMicrobenchmarks' directory because it takes nearly 30s to run, and I am not sure where else to put it.
79
80         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
81         (catch):
82
83 2018-05-01  Robin Morisset  <rmorisset@apple.com>
84
85         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
86         https://bugs.webkit.org/show_bug.cgi?id=185162
87
88         Reviewed by Filip Pizlo.
89
90         * stress/incomplete-unicode-locale.js: Added.
91         (catch):
92
93 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
94
95         Add SetCallee as DFG-Operation
96         https://bugs.webkit.org/show_bug.cgi?id=184582
97
98         Reviewed by Filip Pizlo.
99
100         Added test that runs into infinite loop without updating the callee and
101         therefore emitting SetCallee in DFG for recursive tail calls.
102
103         * stress/closure-recursive-tail-call-infinite-loop.js: Added.
104         (Foo):
105         (second):
106         (first):
107         (return.closure):
108         (createClosure):
109
110 2018-04-30  Saam Barati  <sbarati@apple.com>
111
112         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
113         https://bugs.webkit.org/show_bug.cgi?id=185149
114         <rdar://problem/39455917>
115
116         Reviewed by Filip Pizlo.
117
118         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
119
120 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
121
122         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
123         https://bugs.webkit.org/show_bug.cgi?id=185126
124
125         Reviewed by Saam Barati.
126         
127         I found this bug by accident when I was writing this test for something else.
128         
129         This change also speeds up other benchmarks of this case that we already had. They are all called
130         the licm-dragons tests.
131
132         * microbenchmarks/licm-dragons-two-structures.js: Added.
133         (foo):
134
135 2018-04-29  Commit Queue  <commit-queue@webkit.org>
136
137         Unreviewed, rolling out r231137.
138         https://bugs.webkit.org/show_bug.cgi?id=185118
139
140         It is breaking Test262 language/expressions/multiplication
141         /order-of-evaluation.js (Requested by caiolima on #webkit).
142
143         Reverted changeset:
144
145         "[ESNext][BigInt] Implement support for "*" operation"
146         https://bugs.webkit.org/show_bug.cgi?id=183721
147         https://trac.webkit.org/changeset/231137
148
149 2018-04-28  Saam Barati  <sbarati@apple.com>
150
151         We don't model regexp effects properly
152         https://bugs.webkit.org/show_bug.cgi?id=185059
153         <rdar://problem/39736150>
154
155         Reviewed by Filip Pizlo.
156
157         * stress/regexp-exec-test-effectful-last-index.js: Added.
158         (assert):
159         (foo):
160         (i.regexLastIndex.toString):
161         (bar):
162
163 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
164
165         Token misspelled "tocken" in error message string
166         https://bugs.webkit.org/show_bug.cgi?id=185030
167
168         Reviewed by Saam Barati.
169
170         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
171         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
172         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
173         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
174         (testSyntaxError.String.raw.v):
175         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
176         (testSyntaxError.String.raw.a):
177
178 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
179
180         [ESNext][BigInt] Implement support for "*" operation
181         https://bugs.webkit.org/show_bug.cgi?id=183721
182
183         Reviewed by Saam Barati.
184
185         * bigIntTests.yaml:
186         * stress/big-int-mul-jit.js: Added.
187         * stress/big-int-mul-to-primitive-precedence.js: Added.
188         * stress/big-int-mul-to-primitive.js: Added.
189         * stress/big-int-mul-type-error.js: Added.
190         * stress/big-int-mul-wrapped-value.js: Added.
191         * stress/big-int-multiplication.js: Added.
192         * stress/big-int-multiply-memory-stress.js: Added.
193
194 2018-04-28  Commit Queue  <commit-queue@webkit.org>
195
196         Unreviewed, rolling out r231131.
197         https://bugs.webkit.org/show_bug.cgi?id=185112
198
199         It is breaking Debug build due to unchecked exception
200         (Requested by caiolima on #webkit).
201
202         Reverted changeset:
203
204         "[ESNext][BigInt] Implement support for "*" operation"
205         https://bugs.webkit.org/show_bug.cgi?id=183721
206         https://trac.webkit.org/changeset/231131
207
208 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
209
210         [ESNext][BigInt] Implement support for "*" operation
211         https://bugs.webkit.org/show_bug.cgi?id=183721
212
213         Reviewed by Saam Barati.
214
215         * bigIntTests.yaml:
216         * stress/big-int-mul-jit.js: Added.
217         * stress/big-int-mul-to-primitive-precedence.js: Added.
218         * stress/big-int-mul-to-primitive.js: Added.
219         * stress/big-int-mul-type-error.js: Added.
220         * stress/big-int-mul-wrapped-value.js: Added.
221         * stress/big-int-multiplication.js: Added.
222         * stress/big-int-multiply-memory-stress.js: Added.
223
224 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
225
226         Unreviewed, rolling out r231086.
227
228         Caused JSC test failures due to an unchecked exception.
229
230         Reverted changeset:
231
232         "[ESNext][BigInt] Implement support for "*" operation"
233         https://bugs.webkit.org/show_bug.cgi?id=183721
234         https://trac.webkit.org/changeset/231086
235
236 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
237
238         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
239
240         * test262.yaml: Mark tests as passing.
241
242 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
243
244         [ESNext][BigInt] Implement support for "*" operation
245         https://bugs.webkit.org/show_bug.cgi?id=183721
246
247         Reviewed by Saam Barati.
248
249         * bigIntTests.yaml:
250         * stress/big-int-mul-jit.js: Added.
251         * stress/big-int-mul-to-primitive-precedence.js: Added.
252         * stress/big-int-mul-to-primitive.js: Added.
253         * stress/big-int-mul-type-error.js: Added.
254         * stress/big-int-mul-wrapped-value.js: Added.
255         * stress/big-int-multiplication.js: Added.
256         * stress/big-int-multiply-memory-stress.js: Added.
257
258 2018-04-25  Robin Morisset  <rmorisset@apple.com>
259
260         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
261         https://bugs.webkit.org/show_bug.cgi?id=184773
262         <rdar://problem/37773612>
263
264         Reviewed by Filip Pizlo.
265
266         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
267         so I decided to add it to the stress tests nonetheless.
268
269         * stress/create-rest-while-having-a-bad-time.js: Added.
270         (f):
271         (g):
272         (h):
273
274 2018-04-25  Keith Miller  <keith_miller@apple.com>
275
276         Add missing scope release to functionProtoFuncToString
277         https://bugs.webkit.org/show_bug.cgi?id=184995
278
279         Reviewed by Saam Barati.
280
281         * stress/function-toString-arrow.js: Added.
282         (async):
283
284 2018-04-24  Keith Miller  <keith_miller@apple.com>
285
286         fromCharCode is missing some exception checks
287         https://bugs.webkit.org/show_bug.cgi?id=184952
288
289         Reviewed by Saam Barati.
290
291         * stress/fromCharCode-exception-check.js: Added.
292         (get catch):
293
294 2018-04-24  Mark Lam  <mark.lam@apple.com>
295
296         Gardening: test fix after r230863.
297         https://bugs.webkit.org/show_bug.cgi?id=184846
298         <rdar://problem/39390672>
299
300         Not reviewed.
301
302         * stress/json-stringified-overflow-2.js:
303         (catch):
304         * stress/json-stringified-overflow.js:
305         (catch):
306
307 2018-04-20  JF Bastien  <jfbastien@apple.com>
308
309         Handle more JSON stringify OOM
310         https://bugs.webkit.org/show_bug.cgi?id=184846
311         <rdar://problem/39390672>
312
313         Reviewed by Mark Lam.
314
315         * stress/json-stringified-overflow-2.js: Added. Same as the one
316         below, but with a bigger input which will trigger a different code
317         path.
318         (catch):
319         * stress/json-stringified-overflow.js: Modify the test to only
320         catch OOM on stringification. not on string creation.
321
322 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
323
324         [WebAssembly][Modules] Import tables in wasm modules
325         https://bugs.webkit.org/show_bug.cgi?id=184738
326
327         Reviewed by JF Bastien.
328
329         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
330         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
331         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
332         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
333         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
334         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
335         * wasm/modules/wasm-imports-wasm-exports.js:
336         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
337         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
338         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
339         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
340
341 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
342
343         [WebAssembly][Modules] Import globals from wasm modules
344         https://bugs.webkit.org/show_bug.cgi?id=184736
345
346         Reviewed by JF Bastien.
347
348         * wasm.yaml:
349         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
350         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
351         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
352         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
353         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
354         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
355         * wasm/modules/wasm-imports-wasm-exports.js:
356         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
357         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
358         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
359         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
360
361 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
362
363         Unreviewed, reland r230697, r230720, and r230724.
364         https://bugs.webkit.org/show_bug.cgi?id=184600
365
366         * wasm.yaml:
367         * wasm/modules/constant.wasm: Added.
368         * wasm/modules/constant.wat: Added.
369         * wasm/modules/default-import-star-error.js: Added.
370         (then):
371         * wasm/modules/default-import-star-error/entry.wasm: Added.
372         * wasm/modules/default-import-star-error/entry.wat: Added.
373         * wasm/modules/default-import-star-error/t0.js: Added.
374         * wasm/modules/default-import-star-error/t1.js: Added.
375         * wasm/modules/default-import-star-error/t2.js: Added.
376         (export.default.Cocoa):
377         * wasm/modules/js-wasm-cycle.js: Added.
378         * wasm/modules/js-wasm-cycle/entry.js: Added.
379         (from.string_appeared_here.export.return42):
380         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
381         * wasm/modules/js-wasm-cycle/sum.wat: Added.
382         * wasm/modules/js-wasm-function-namespace.js: Added.
383         (assert.throws):
384         * wasm/modules/js-wasm-function.js: Added.
385         (assert.throws):
386         * wasm/modules/js-wasm-global-namespace.js: Added.
387         (assert.throws):
388         * wasm/modules/js-wasm-global.js: Added.
389         (assert.throws):
390         * wasm/modules/js-wasm-memory-namespace.js: Added.
391         (assert.throws):
392         * wasm/modules/js-wasm-memory.js: Added.
393         (assert.throws):
394         * wasm/modules/js-wasm-start.js: Added.
395         (then):
396         * wasm/modules/js-wasm-table-namespace.js: Added.
397         (assert.throws):
398         * wasm/modules/js-wasm-table.js: Added.
399         (assert.throws):
400         * wasm/modules/memory.wasm: Added.
401         * wasm/modules/memory.wat: Added.
402         * wasm/modules/run-from-wasm.wasm: Added.
403         * wasm/modules/run-from-wasm.wat: Added.
404         * wasm/modules/run-from-wasm/check.js: Added.
405         (export.check):
406         * wasm/modules/start.wasm: Added.
407         * wasm/modules/start.wat: Added.
408         * wasm/modules/sum.wasm: Added.
409         * wasm/modules/sum.wat: Added.
410         * wasm/modules/table.wasm: Added.
411         * wasm/modules/table.wat: Added.
412         * wasm/modules/wasm-imports-js-exports.js: Added.
413         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
414         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
415         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
416         (export.sum):
417         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
418         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
419         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
420         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
421         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
422         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
423         * wasm/modules/wasm-imports-wasm-exports.js: Added.
424         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
425         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
426         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
427         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
428         * wasm/modules/wasm-js-cycle.js: Added.
429         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
430         * wasm/modules/wasm-js-cycle/entry.wat: Added.
431         * wasm/modules/wasm-js-cycle/sum.js: Added.
432         (from.string_appeared_here.export.sum):
433         * wasm/modules/wasm-wasm-cycle.js: Added.
434         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
435         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
436         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
437         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
438
439 2018-04-17  Commit Queue  <commit-queue@webkit.org>
440
441         Unreviewed, rolling out r230697, r230720, and r230724.
442         https://bugs.webkit.org/show_bug.cgi?id=184717
443
444         These caused multiple failures on the Test262 testers.
445         (Requested by mlewis13 on #webkit).
446
447         Reverted changesets:
448
449         "[WebAssembly][Modules] Prototype wasm import"
450         https://bugs.webkit.org/show_bug.cgi?id=184600
451         https://trac.webkit.org/changeset/230697
452
453         "[WebAssembly][Modules] Implement function import from wasm
454         modules"
455         https://bugs.webkit.org/show_bug.cgi?id=184689
456         https://trac.webkit.org/changeset/230720
457
458         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
459         https://bugs.webkit.org/show_bug.cgi?id=184703
460         https://trac.webkit.org/changeset/230724
461
462 2018-04-17  JF Bastien  <jfbastien@apple.com>
463
464         A put is not an ExistingProperty put when we transition a structure because of an attributes change
465         https://bugs.webkit.org/show_bug.cgi?id=184706
466         <rdar://problem/38871451>
467
468         Reviewed by Saam Barati.
469
470         * stress/put-by-id-direct-strict-transition.js: Added.
471         (const.foo):
472         (j.const.obj.set hello):
473         * stress/put-by-id-direct-transition.js: Added.
474         (const.foo):
475         (j.const.obj.set hello):
476         * stress/put-getter-setter-by-id-strict-transition.js: Added.
477         (const.foo):
478         (j.const.obj.set hello):
479         * stress/put-getter-setter-by-id-transition.js: Added.
480         (const.foo):
481         (j.const.obj.set hello):
482
483 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
484
485         PutStackSinkingPhase should know that KillStack means ConflictingFlush
486         https://bugs.webkit.org/show_bug.cgi?id=184672
487
488         Reviewed by Michael Saboff.
489
490         * stress/sink-put-stack-over-kill-stack.js: Added.
491         (avocado_1):
492         (apricot_0):
493         (__c_0):
494         (banana_2):
495
496 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
497
498         [JSC] Rename runWebAssembly to runWebAssemblySuite
499         https://bugs.webkit.org/show_bug.cgi?id=184703
500
501         Reviewed by JF Bastien.
502
503         And add runWebAssembly as a command to simplely run wasm modules.
504
505         * wasm.yaml:
506
507 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
508
509         [WebAssembly][Modules] Implement function import from wasm modules
510         https://bugs.webkit.org/show_bug.cgi?id=184689
511
512         Reviewed by JF Bastien.
513
514         * wasm.yaml:
515         * wasm/modules/js-wasm-cycle.js: Added.
516         * wasm/modules/js-wasm-cycle/entry.js: Added.
517         (from.string_appeared_here.export.return42):
518         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
519         * wasm/modules/js-wasm-cycle/sum.wat: Added.
520         * wasm/modules/run-from-wasm.wasm: Added.
521         * wasm/modules/run-from-wasm.wat: Added.
522         * wasm/modules/run-from-wasm/check.js: Added.
523         (export.check):
524         * wasm/modules/wasm-imports-js-exports.js: Added.
525         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
526         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
527         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
528         (export.sum):
529         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
530         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
531         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
532         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
533         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
534         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
535         * wasm/modules/wasm-imports-wasm-exports.js: Added.
536         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
537         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
538         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
539         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
540         * wasm/modules/wasm-js-cycle.js: Added.
541         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
542         * wasm/modules/wasm-js-cycle/entry.wat: Added.
543         * wasm/modules/wasm-js-cycle/sum.js: Added.
544         (from.string_appeared_here.export.sum):
545         * wasm/modules/wasm-wasm-cycle.js: Added.
546         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
547         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
548         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
549         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
550
551 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
552
553         [WebAssembly][Modules] Prototype wasm import
554         https://bugs.webkit.org/show_bug.cgi?id=184600
555
556         Reviewed by JF Bastien.
557
558         Add wasm and wat files since module loader want to load wasm files from FS.
559         Currently, importing the other modules from wasm is not supported.
560
561         * wasm.yaml:
562         * wasm/modules/constant.wasm: Added.
563         * wasm/modules/constant.wat: Added.
564         * wasm/modules/js-wasm-function-namespace.js: Added.
565         (assert.throws):
566         * wasm/modules/js-wasm-function.js: Added.
567         (assert.throws):
568         * wasm/modules/js-wasm-global-namespace.js: Added.
569         (assert.throws):
570         * wasm/modules/js-wasm-global.js: Added.
571         (assert.throws):
572         * wasm/modules/js-wasm-memory-namespace.js: Added.
573         (assert.throws):
574         * wasm/modules/js-wasm-memory.js: Added.
575         (assert.throws):
576         * wasm/modules/js-wasm-start.js: Added.
577         (then):
578         * wasm/modules/js-wasm-table-namespace.js: Added.
579         (assert.throws):
580         * wasm/modules/js-wasm-table.js: Added.
581         (assert.throws):
582         * wasm/modules/memory.wasm: Added.
583         * wasm/modules/memory.wat: Added.
584         * wasm/modules/start.wasm: Added.
585         * wasm/modules/start.wat: Added.
586         * wasm/modules/sum.wasm: Added.
587         * wasm/modules/sum.wat: Added.
588         * wasm/modules/table.wasm: Added.
589         * wasm/modules/table.wat: Added.
590
591 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
592
593         Function.prototype.caller shouldn't return generator bodies
594         https://bugs.webkit.org/show_bug.cgi?id=184630
595
596         Reviewed by Yusuke Suzuki.
597
598         * stress/function-caller-async-arrow-function-body.js: Added.
599         * stress/function-caller-async-function-body.js: Added.
600         * stress/function-caller-async-generator-body.js: Added.
601         * stress/function-caller-generator-body.js: Added.
602         * stress/function-caller-generator-method-body.js: Added.
603
604 2018-04-12  Tomas Popela  <tpopela@redhat.com>
605
606         Unreviewed, skip JIT tests if it isn't enabled
607
608         See https://bugs.webkit.org/show_bug.cgi?id=182730.
609
610         * stress/big-int-spec-to-primitive.js:
611         * stress/big-int-spec-to-this.js:
612
613 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
614
615         [ESNext][BigInt] Add support for BigInt in SpeculatedType
616         https://bugs.webkit.org/show_bug.cgi?id=182470
617
618         Reviewed by Saam Barati.
619
620         * stress/big-int-spec-to-primitive.js: Added.
621         * stress/big-int-spec-to-this.js: Added.
622         * stress/big-int-strict-equals-jit.js: Added.
623         * stress/big-int-strict-spec-to-this.js: Added.
624         * stress/big-int-type-of-proven-type.js: Added.
625
626 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
627
628         DFG AI and clobberize should agree with each other
629         https://bugs.webkit.org/show_bug.cgi?id=184440
630
631         Reviewed by Saam Barati.
632         
633         Add tests for all of the bugs I fixed.
634
635         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
636         (foo):
637         * stress/new-typed-array-cse-effects.js: Added.
638         (foo):
639         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
640         (foo.theO):
641         (foo):
642         * stress/string-from-char-code-change-structure-not-dead.js: Added.
643         (foo):
644         (i.valueOf):
645         (weirdValue.valueOf):
646         * stress/string-from-char-code-change-structure.js: Added.
647         (foo):
648         (i.valueOf):
649         (weirdValue.valueOf):
650
651 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
652
653         Fix errant Test262 files CRLF to LF for consistency with the original source
654         https://bugs.webkit.org/show_bug.cgi?id=184425
655
656         Reviewed by Yusuke Suzuki.
657
658         * test262/test/built-ins/Math/acosh/nan-returns.js:
659         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
660         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
661         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
662         * test262/test/built-ins/Math/cbrt/prop-desc.js:
663         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
664         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
665         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
666         * test262/test/built-ins/Math/log2/log2-basicTests.js:
667         * test262/test/built-ins/Math/sign/sign-specialVals.js:
668         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
669         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
670         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
671         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
672
673 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
674
675         Unreviewed, remove incorrect entry in test262.yaml
676         https://bugs.webkit.org/show_bug.cgi?id=184266
677
678         * test262.yaml:
679
680 2018-04-08  Valerie Young  <valerie@bocoup.com>
681
682         [JSC] Update Test262 to April 6 version
683         https://bugs.webkit.org/show_bug.cgi?id=184266
684
685         Rubber stamped by Yusuke Suzuki.
686
687 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
688
689         [JSC] Introduce op_get_by_id_direct
690         https://bugs.webkit.org/show_bug.cgi?id=183970
691
692         Reviewed by Filip Pizlo.
693
694         * stress/generator-prototype-copy.js: Added.
695         (gen):
696         (catch):
697         Adopted JF's tests.
698
699         * stress/generator-type-check.js: Added.
700         (shouldThrow):
701         (foo2):
702         (i.shouldThrow):
703         * stress/get-by-id-direct-getter.js: Added.
704         (shouldBe):
705         (shouldThrow):
706         (obj.get hello):
707         (builtin.createBuiltin):
708         (obj2.get length):
709         * stress/get-by-id-direct.js: Added.
710         (shouldBe):
711         (shouldThrow):
712         (builtin.createBuiltin):
713         * test262.yaml:
714         We fixed long-standing spec compatibility issue.
715         As a result, this patch makes several test262 tests passed!
716
717
718 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
719
720         Unreviewed, annotate test with @skip if $memoryLimited
721         https://bugs.webkit.org/show_bug.cgi?id=183894
722
723         * stress/json-stringified-overflow.js:
724
725 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
726
727         Add svn:eol-style to line-terminator-normalisation-CR.js
728         https://bugs.webkit.org/show_bug.cgi?id=184341
729
730         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
731
732 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
733
734         Unreviewed, remove errant LF from existing test262 test for CR line endings.
735
736         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
737
738 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
739
740         Unreviewed, rolling out r230320.
741
742         Revert fix, as the root cause lies elsewhere.
743
744         Reverted changeset:
745
746         "[test262] Mark line-terminator-normalisation-CR.js as a
747         binary file."
748         https://bugs.webkit.org/show_bug.cgi?id=184341
749         https://trac.webkit.org/changeset/230320
750
751 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
752
753         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
754         https://bugs.webkit.org/show_bug.cgi?id=184341
755
756         Reviewed by Yusuke Suzuki.
757
758         This test is all about CR line endings, but `svn-apply` can't deal with them.
759         Treating the file as binary ensures that its contents never are never shown in a diff.
760
761         * .gitattributes: Added.
762
763 2018-04-05  Robin Morisset  <rmorisset@apple.com>
764
765         Fix testcase (missing try/catch).
766         https://bugs.webkit.org/show_bug.cgi?id=183657
767
768         Unreviewed.
769
770         * stress/large-unshift-splice.js
771
772 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
773
774         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
775         https://bugs.webkit.org/show_bug.cgi?id=184319
776
777         Reviewed by Saam Barati.
778
779         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
780         (foo):
781         (bar):
782         * stress/array-push-nan-to-double-array.js: Added.
783         (foo):
784         (bar):
785
786 2018-04-03  Mark Lam  <mark.lam@apple.com>
787
788         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
789         https://bugs.webkit.org/show_bug.cgi?id=184284
790
791         Reviewed by Saam Barati.
792
793         * stress/js-fixed-array-out-of-memory.js:
794
795 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
796
797         JSC crash in JIT code with for-of loop and Array/Set iterators
798         https://bugs.webkit.org/show_bug.cgi?id=183174
799
800         Reviewed by Saam Barati.
801
802         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
803         (foo):
804         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
805         (f):
806
807 2018-03-30  JF Bastien  <jfbastien@apple.com>
808
809         WebAssembly: support DataView compilation
810         https://bugs.webkit.org/show_bug.cgi?id=183342
811
812         Reviewed by Mark Lam.
813
814         Test WebAssembly compilation using a DataView with offset.
815
816         * wasm/regress/183342.js: Added.
817         (attempt.catch):
818
819 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
820
821         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
822         https://bugs.webkit.org/show_bug.cgi?id=184189
823
824         Reviewed by JF Bastien.
825
826         * stress/load-hole-from-scope-into-live-var.js: Added.
827         (result.eval.try.switch):
828         (catch):
829
830 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
831
832         Unreviewed, rolling out r230102.
833
834         Caused assertion failures on JSC bots.
835
836         Reverted changeset:
837
838         "A stack overflow in the parsing of a builtin (called by
839         createExecutable) cause a crash instead of a catchable js
840         exception"
841         https://bugs.webkit.org/show_bug.cgi?id=184074
842         https://trac.webkit.org/changeset/230102
843
844 2018-03-30  Robin Morisset  <rmorisset@apple.com>
845
846         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
847         https://bugs.webkit.org/show_bug.cgi?id=183812
848
849         Reviewed by Keith Miller.
850
851         * stress/inlining-unreachable-non-tail.js: Added.
852         (foo.):
853         (foo):
854
855 2018-03-30  Robin Morisset  <rmorisset@apple.com>
856
857         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
858         https://bugs.webkit.org/show_bug.cgi?id=184074
859         <rdar://problem/37165897>
860
861         Reviewed by Keith Miller.
862
863         * stress/stack-overflow-while-parsing-builtin.js: Added.
864         (f):
865
866 2018-03-30  Robin Morisset  <rmorisset@apple.com>
867
868         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
869         https://bugs.webkit.org/show_bug.cgi?id=183657
870
871         Reviewed by Keith Miller.
872
873         * stress/large-unshift-splice.js: Added.
874         (make_contig_arr):
875
876 2018-03-28  Robin Morisset  <rmorisset@apple.com>
877
878         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
879         https://bugs.webkit.org/show_bug.cgi?id=183894
880
881         Reviewed by Saam Barati.
882
883         * stress/json-stringified-overflow.js: Added.
884         (catch):
885
886 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
887
888         DFG should know that CreateThis can be effectful
889         https://bugs.webkit.org/show_bug.cgi?id=184013
890
891         Reviewed by Saam Barati.
892
893         * stress/create-this-property-change.js: Added.
894         (Foo):
895         (RealBar):
896         (get if):
897         * stress/create-this-structure-change-without-cse.js: Added.
898         (Foo):
899         (RealBar):
900         (get if):
901         * stress/create-this-structure-change.js: Added.
902         (Foo):
903         (RealBar):
904         (get if):
905
906 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
907
908         [DFG] Introduces fused compare and jump
909         https://bugs.webkit.org/show_bug.cgi?id=177100
910
911         Reviewed by Mark Lam.
912
913         * stress/fused-jeq-slow.js: Added.
914         (shouldBe):
915         (testJEQ):
916         (testJNEQB):
917         (testJEQB):
918         (testJNEQF):
919         (testJEQF):
920         * stress/fused-jeq.js: Added.
921         (shouldBe):
922         (testJEQ):
923         (testJNEQB):
924         (testJEQB):
925         (testJNEQF):
926         (testJEQF):
927         * stress/fused-jstricteq-slow.js: Added.
928         (shouldBe):
929         (testJSTRICTEQ):
930         (testJNSTRICTEQB):
931         (testJSTRICTEQB):
932         (testJNSTRICTEQF):
933         (testJSTRICTEQF):
934         * stress/fused-jstricteq.js: Added.
935         (shouldBe):
936         (testJSTRICTEQ):
937         (testJNSTRICTEQB):
938         (testJSTRICTEQB):
939         (testJNSTRICTEQF):
940         (testJSTRICTEQF):
941
942 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
943
944         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
945         https://bugs.webkit.org/show_bug.cgi?id=183559
946
947         Reviewed by Mark Lam.
948
949         * stress/double-to-string-in-loop-removed.js: Added.
950         (test):
951         * stress/int32-to-string-in-loop-removed.js: Added.
952         (test):
953         * stress/int52-to-string-in-loop-removed.js: Added.
954         (test):
955
956 2018-03-22  Michael Saboff  <msaboff@apple.com>
957
958         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
959         https://bugs.webkit.org/show_bug.cgi?id=183901
960
961         Reviewed by Keith Miller.
962
963         New test.
964
965         * stress/array-reverse-doesnt-clobber.js: Added.
966         (testArrayReverse):
967         (createArrayOfArrays):
968         (createArrayStorage):
969
970 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
971
972         ScopedArguments should do poisoning and index masking
973         https://bugs.webkit.org/show_bug.cgi?id=183863
974
975         Reviewed by Mark Lam.
976         
977         Adds another stress test of scoped arguments.
978
979         * stress/scoped-arguments-test.js: Added.
980         (foo):
981
982 2018-03-20  Saam Barati  <sbarati@apple.com>
983
984         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
985         https://bugs.webkit.org/show_bug.cgi?id=183795
986         <rdar://problem/38298694>
987
988         Reviewed by JF Bastien.
989
990         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
991         (foo):
992         (bar):
993
994 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
995
996         [DFG][FTL] Add vectorLengthHint for NewArray
997         https://bugs.webkit.org/show_bug.cgi?id=183694
998
999         Reviewed by Saam Barati.
1000
1001         * stress/vector-length-hint-array-constructor.js: Added.
1002         (shouldBe):
1003         (test):
1004         * stress/vector-length-hint-new-array.js: Added.
1005         (shouldBe):
1006         (test):
1007
1008 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1009
1010         [DFG][FTL] Make ArraySlice(0) code tight
1011         https://bugs.webkit.org/show_bug.cgi?id=183590
1012
1013         Reviewed by Saam Barati.
1014
1015         * stress/array-slice-with-zero.js: Added.
1016         (shouldBe):
1017         (test):
1018         (test2):
1019         * stress/array-slice-zero-args.js: Added.
1020         (shouldBe):
1021         (test):
1022
1023 2018-03-14  Caitlin Potter  <caitp@igalia.com>
1024
1025         [JSC] fix order of evaluation for ClassDefinitionEvaluation
1026         https://bugs.webkit.org/show_bug.cgi?id=183523
1027
1028         Reviewed by Keith Miller.
1029
1030         Computed property names need to be evaluated in source order during class
1031         definition evaluation, as it's observable (and specified to work this way).
1032
1033         This change improves compatibility with Chromium.
1034
1035         * stress/class_elements.js: Added.
1036         (test):
1037         (test.C.prototype.effect):
1038         (test.C.effect):
1039         (test.C.prototype.get effect):
1040         (test.C.prototype.set effect):
1041         (test.C):
1042
1043 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1044
1045         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
1046         https://bugs.webkit.org/show_bug.cgi?id=183310
1047
1048         Reviewed by Filip Pizlo.
1049
1050         * stress/ai-create-this-to-new-object-fire.js: Added.
1051         (assert):
1052         (test):
1053         (func):
1054         (check):
1055         (test.body.A):
1056         (test.body.B):
1057         (test.body):
1058         * stress/ai-create-this-to-new-object.js: Added.
1059         (assert):
1060         (test):
1061         (func):
1062         (check):
1063         (test.body.A):
1064         (test.body.B):
1065         (test.body):
1066
1067 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1068
1069         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
1070         https://bugs.webkit.org/show_bug.cgi?id=181848
1071
1072         Reviewed by Sam Weinig.
1073
1074         * microbenchmarks/regexp-u-global-es5.js: Added.
1075         (fn):
1076         * microbenchmarks/regexp-u-global-es6.js: Added.
1077         (fn):
1078         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
1079         (shouldBe):
1080         (test):
1081         (i.switch):
1082         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
1083         (shouldBe):
1084         (test):
1085
1086 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
1087
1088         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
1089         https://bugs.webkit.org/show_bug.cgi?id=183334
1090
1091         Reviewed by Žan Doberšek.
1092
1093         * stress/var-injection-cache-invalidation.js:
1094
1095 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1096
1097         [ARM] Disable tests that run out of memory
1098         https://bugs.webkit.org/show_bug.cgi?id=182699
1099
1100         Reviewed by Žan Doberšek.
1101
1102         Skip tests that run of of memory. Do not run
1103         modules/module-jit-reachability.js without LLInt to prevent
1104         running out of executable memory.
1105
1106         * modules.yaml:
1107         * modules/module-jit-reachability.js:
1108         * stress/has-own-property-name-cache-string-keys.js:
1109         * stress/has-own-property-name-cache-symbol-keys.js:
1110
1111 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1112
1113         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1114         https://bugs.webkit.org/show_bug.cgi?id=183173
1115
1116         Reviewed by Saam Barati.
1117
1118         * stress/async-arrow-function-in-class-heritage.js: Added.
1119         (testSyntax):
1120         (testSyntaxError):
1121         (SyntaxError):
1122
1123 2018-03-01  Saam Barati  <sbarati@apple.com>
1124
1125         We need to clear cached structures when having a bad time
1126         https://bugs.webkit.org/show_bug.cgi?id=183256
1127         <rdar://problem/36245022>
1128
1129         Reviewed by Mark Lam.
1130
1131         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1132         (assert):
1133         (defineSetter):
1134         (iterate):
1135         (doSlice):
1136
1137 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1138
1139         JSC crash with `import("")`
1140         https://bugs.webkit.org/show_bug.cgi?id=183175
1141
1142         Reviewed by Saam Barati.
1143
1144         * stress/import-with-empty-string.js: Added.
1145
1146 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1147
1148         Unreviewed, skip FTL tests if FTL is disabled
1149         https://bugs.webkit.org/show_bug.cgi?id=183071
1150
1151         * stress/has-indexed-property-array-storage-ftl.js:
1152         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1153
1154 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1155
1156         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1157         https://bugs.webkit.org/show_bug.cgi?id=182965
1158
1159         Reviewed by Saam Barati.
1160
1161         * stress/put-by-val-array-storage.js: Added.
1162         (shouldBe):
1163         (testArrayStorageInBounds):
1164         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1165         (shouldBe):
1166         (testInt32.createBuiltin):
1167         (set for):
1168         * stress/put-by-val-slow-put-array-storage.js: Added.
1169         (shouldBe):
1170         (testArrayStorageInBounds):
1171
1172 2018-02-26  Saam Barati  <sbarati@apple.com>
1173
1174         validateStackAccess should not validate if the offset is within the stack bounds
1175         https://bugs.webkit.org/show_bug.cgi?id=183067
1176         <rdar://problem/37749988>
1177
1178         Reviewed by Mark Lam.
1179
1180         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1181         (assert):
1182         (test.a):
1183         (test.b):
1184         (test):
1185
1186 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1187
1188         Unreviewed, skip FTL tests if FTL is disabled
1189         https://bugs.webkit.org/show_bug.cgi?id=183071
1190
1191         * stress/has-indexed-property-array-storage-ftl.js:
1192         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1193
1194 2018-02-23  Saam Barati  <sbarati@apple.com>
1195
1196         Make Number.isInteger an intrinsic
1197         https://bugs.webkit.org/show_bug.cgi?id=183088
1198
1199         Reviewed by JF Bastien.
1200
1201         * stress/number-is-integer-intrinsic.js: Added.
1202
1203 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1204
1205         WebAssembly: cache memory address / size on instance
1206         https://bugs.webkit.org/show_bug.cgi?id=177305
1207
1208         Reviewed by JF Bastien.
1209
1210         * wasm/function-tests/memory-reuse.js: Added.
1211         (createWasmInstance):
1212         (doCheckTrap):
1213         (doMemoryGrow):
1214         (doCheck):
1215         (checkWasmInstancesWithSharedMemory):
1216
1217 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1218
1219         [JSC] Implement $vm.ftlTrue function for FTL testing
1220         https://bugs.webkit.org/show_bug.cgi?id=183071
1221
1222         Reviewed by Mark Lam.
1223
1224         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1225         (foo):
1226         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1227         (foo):
1228         * stress/dead-fiat-value-to-int52.js:
1229         (foo):
1230         * stress/dead-osr-entry-value.js:
1231         (foo):
1232         * stress/fiat-value-to-int52-then-exit-not-double.js:
1233         (foo):
1234         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1235         (foo):
1236         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1237         (foo):
1238         * stress/fiat-value-to-int52-then-fold.js:
1239         (foo):
1240         * stress/fiat-value-to-int52.js:
1241         (foo):
1242         * stress/fold-based-on-int32-proof-mul-branch.js:
1243         (foo):
1244         * stress/fold-profiled-call-to-call.js:
1245         (foo):
1246         * stress/fold-to-double-constant-then-exit.js:
1247         (foo):
1248         * stress/fold-to-int52-constant-then-exit.js:
1249         (foo):
1250         * stress/fold-to-primitive-in-cfa.js:
1251         (foo):
1252         * stress/fold-to-primitive-to-identity-in-cfa.js:
1253         (foo):
1254         * stress/has-indexed-property-array-storage-ftl.js: Added.
1255         (shouldBe):
1256         (test1):
1257         (test2):
1258         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1259         (shouldBe):
1260         (test1):
1261         (test2):
1262         * stress/int52-ai-add-then-filter-int32.js:
1263         (foo):
1264         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1265         (foo):
1266         * stress/int52-ai-mul-then-filter-int32.js:
1267         (foo):
1268         * stress/int52-ai-neg-then-filter-int32.js:
1269         (foo):
1270         * stress/int52-ai-sub-then-filter-int32.js:
1271         (foo):
1272         * stress/licm-pre-header-cannot-exit-nested.js:
1273         (foo):
1274         * stress/licm-pre-header-cannot-exit.js:
1275         (foo):
1276         * stress/sparse-array-entry-update-144067.js:
1277         (useMemoryToTriggerGCs):
1278         * stress/test-spec-misc.js:
1279         (foo):
1280         * stress/tricky-array-bounds-checks.js:
1281         (foo):
1282
1283 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1284
1285         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1286         https://bugs.webkit.org/show_bug.cgi?id=182792
1287
1288         Reviewed by Mark Lam.
1289
1290         * stress/has-indexed-property-array-storage.js: Added.
1291         (shouldBe):
1292         (test1):
1293         (test2):
1294         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1295         (shouldBe):
1296         (test1):
1297         (test2):
1298
1299 2018-02-20  Saam Barati  <sbarati@apple.com>
1300
1301         DFG::VarargsForwardingPhase should eliminate getting argument length
1302         https://bugs.webkit.org/show_bug.cgi?id=182959
1303
1304         Reviewed by Keith Miller.
1305
1306         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1307
1308 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1309
1310         [FTL] Support ArrayPush for ArrayStorage
1311         https://bugs.webkit.org/show_bug.cgi?id=182782
1312
1313         Reviewed by Saam Barati.
1314
1315         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1316
1317         * stress/array-push-array-storage-beyond-int32.js: Added.
1318         (shouldBe):
1319         (test):
1320         * stress/array-push-array-storage.js: Added.
1321         (shouldBe):
1322         (test):
1323         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1324         (shouldBe):
1325         (test):
1326         * stress/array-push-multiple-storage-continuous.js: Added.
1327         (shouldBe):
1328         (test):
1329
1330 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1331
1332         [FTL] Support ArrayPop for ArrayStorage
1333         https://bugs.webkit.org/show_bug.cgi?id=182783
1334
1335         Reviewed by Saam Barati.
1336
1337         * stress/array-pop-array-storage.js: Added.
1338         (shouldBe):
1339         (test):
1340
1341 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1342
1343         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1344         https://bugs.webkit.org/show_bug.cgi?id=182731
1345
1346         Reviewed by Saam Barati.
1347
1348         * stress/arrayify-array-storage-array.js: Added.
1349         (shouldBe):
1350         (testArrayStorage):
1351         * stress/arrayify-array-storage-non-array.js: Added.
1352         (shouldBe):
1353         (testArrayStorage):
1354         * stress/arrayify-array-storage.js: Added.
1355         (shouldBe):
1356         (testArrayStorage):
1357         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1358         (shouldBe):
1359         (testArrayStorage):
1360         * stress/arrayify-slow-put-array-storage.js: Added.
1361         (shouldBe):
1362         (testArrayStorage):
1363
1364 2018-02-19  Saam Barati  <sbarati@apple.com>
1365
1366         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1367         https://bugs.webkit.org/show_bug.cgi?id=182942
1368         <rdar://problem/37584764>
1369
1370         Reviewed by Mark Lam.
1371
1372         * stress/get-prototype-create-this-effectful.js: Added.
1373
1374 2018-02-16  Saam Barati  <sbarati@apple.com>
1375
1376         Fix bugs from r228411
1377         https://bugs.webkit.org/show_bug.cgi?id=182851
1378         <rdar://problem/37577732>
1379
1380         Reviewed by JF Bastien.
1381
1382         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1383
1384 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1385
1386         Unreviewed, roll out r228366 since it did not progress anything.
1387
1388         * stress/gc-error-stack.js: Removed.
1389         * stress/no-gc-error-stack.js: Removed.
1390
1391 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1392
1393         Many stress tests fail with JIT disabled
1394         https://bugs.webkit.org/show_bug.cgi?id=182730
1395
1396         Reviewed by Saam Barati.
1397
1398         These tests are broken by design if the JIT is disabled - they test
1399         the return value of numberOfDFGCompiles(), which is always set to
1400         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1401
1402         * stress/arith-abs-on-various-types.js:
1403         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1404         * stress/arith-acos-on-various-types.js:
1405         * stress/arith-acosh-on-various-types.js:
1406         * stress/arith-asin-on-various-types.js:
1407         * stress/arith-asinh-on-various-types.js:
1408         * stress/arith-atan-on-various-types.js:
1409         * stress/arith-atanh-on-various-types.js:
1410         * stress/arith-cbrt-on-various-types.js:
1411         * stress/arith-ceil-on-various-types.js:
1412         * stress/arith-clz32-on-various-types.js:
1413         * stress/arith-cos-on-various-types.js:
1414         * stress/arith-cosh-on-various-types.js:
1415         * stress/arith-expm1-on-various-types.js:
1416         * stress/arith-floor-on-various-types.js:
1417         * stress/arith-fround-on-various-types.js:
1418         * stress/arith-log-on-various-types.js:
1419         * stress/arith-log10-on-various-types.js:
1420         * stress/arith-log2-on-various-types.js:
1421         * stress/arith-negate-on-various-types.js:
1422         * stress/arith-round-on-various-types.js:
1423         * stress/arith-sin-on-various-types.js:
1424         * stress/arith-sinh-on-various-types.js:
1425         * stress/arith-sqrt-on-various-types.js:
1426         * stress/arith-tan-on-various-types.js:
1427         * stress/arith-tanh-on-various-types.js:
1428         * stress/arith-trunc-on-various-types.js:
1429         * stress/compare-strict-eq-on-various-types.js:
1430
1431 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1432
1433         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1434
1435         Unreviewed test gardening.
1436
1437         * stress/new-largeish-contiguous-array-with-size.js:
1438
1439 2018-02-14  Saam Barati  <sbarati@apple.com>
1440
1441         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1442         https://bugs.webkit.org/show_bug.cgi?id=182801
1443
1444         Reviewed by Keith Miller.
1445
1446         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1447
1448 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1449
1450         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1451         https://bugs.webkit.org/show_bug.cgi?id=182526
1452
1453         Unreviewed test gardening.
1454
1455         * stress/activation-sink-default-value-tdz-error.js:
1456
1457 2018-02-13  Saam Barati  <sbarati@apple.com>
1458
1459         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1460         https://bugs.webkit.org/show_bug.cgi?id=182755
1461         <rdar://problem/37080864>
1462
1463         Reviewed by Keith Miller.
1464
1465         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1466         (test1.o.get 10005):
1467         (test1):
1468         (test2.o.get 1000):
1469         (test2):
1470
1471 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1472
1473         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1474         https://bugs.webkit.org/show_bug.cgi?id=182717
1475
1476         Reviewed by Yusuke Suzuki.
1477
1478         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1479         literals, to allow template callsite arrays to be collected when the
1480         code containing the tagged template call is collected. This spec change
1481         has received concensus and been ratified.
1482
1483         This change eliminates the eternal map associating template contents
1484         with arrays.
1485
1486         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1487         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1488         * stress/tagged-templates-identity.js:
1489         * stress/template-string-tags-eval.js:
1490         * test262.yaml:
1491
1492 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1493
1494         Support GetArrayLength on ArrayStorage in the FTL
1495         https://bugs.webkit.org/show_bug.cgi?id=182625
1496
1497         Reviewed by Saam Barati.
1498
1499         * stress/array-storage-length.js: Added.
1500         (shouldBe):
1501         (testInBound):
1502         (testUncountable):
1503         (testSlowPutInBound):
1504         (testSlowPutUncountable):
1505         * stress/undecided-length.js: Added.
1506         (shouldBe):
1507         (test2):
1508
1509 2018-02-12  Saam Barati  <sbarati@apple.com>
1510
1511         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1512         https://bugs.webkit.org/show_bug.cgi?id=182706
1513         <rdar://problem/36833681>
1514
1515         Reviewed by Filip Pizlo.
1516
1517         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1518         (effects):
1519         (foo):
1520
1521 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1522
1523         Don't waste memory for error.stack
1524         https://bugs.webkit.org/show_bug.cgi?id=182656
1525
1526         Reviewed by Saam Barati.
1527         
1528         Tests the policy.
1529
1530         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1531         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1532
1533 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1534
1535         [JSC] Update Test262 to Feb 9 version
1536         https://bugs.webkit.org/show_bug.cgi?id=182468
1537
1538         Reviewed by Saam Barati.
1539
1540 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1541
1542         Unreviewed, fix invalid line terminator in old test262 file part 2
1543         https://bugs.webkit.org/show_bug.cgi?id=182468
1544
1545         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1546
1547 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1548
1549         Unreviewed, fix invalid line terminator in old test262 file
1550         https://bugs.webkit.org/show_bug.cgi?id=182468
1551
1552         * test262/test/language/literals/regexp/7.8.5-1.js:
1553
1554 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1555
1556         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1557         https://bugs.webkit.org/show_bug.cgi?id=182440
1558
1559         Reviewed by Darin Adler.
1560
1561         * stress/array-flatmap.js: Added.
1562         (shouldBe):
1563         (shouldBeArray):
1564         (shouldThrow):
1565         (var):
1566         * stress/array-flatten.js: Added.
1567         (shouldBe):
1568         (shouldBeArray):
1569         * test262.yaml:
1570         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1571         (3.flatMap):
1572         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1573
1574 2018-02-06  Keith Miller  <keith_miller@apple.com>
1575
1576         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1577         https://bugs.webkit.org/show_bug.cgi?id=182549
1578         <rdar://problem/36189995>
1579
1580         Reviewed by Saam Barati.
1581
1582         * stress/var-injection-cache-invalidation.js: Added.
1583         (allocateLotsOfThings):
1584         (test):
1585
1586 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1587
1588         Unreviewed, follow up for test262 update
1589         https://bugs.webkit.org/show_bug.cgi?id=182288
1590
1591         * test262.yaml:
1592
1593 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1594
1595         Update test262 to Jan 30 version
1596         https://bugs.webkit.org/show_bug.cgi?id=182288
1597
1598         Unreviewed test gardening.
1599
1600         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1601
1602 2018-02-02  Saam Barati  <sbarati@apple.com>
1603
1604         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1605         https://bugs.webkit.org/show_bug.cgi?id=182368
1606         <rdar://problem/36932466>
1607
1608         Reviewed by Mark Lam.
1609
1610         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1611         (runNearStackLimit.t):
1612         (runNearStackLimit):
1613         (try.runNearStackLimit):
1614         (catch):
1615
1616 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1617
1618         Update test262 to Jan 30 version
1619         https://bugs.webkit.org/show_bug.cgi?id=182288
1620
1621         Rubber stamped by Saam Barati.
1622
1623         This patch updates test262 to the latest one, Jan 30 version.
1624         Since added and changed files are too many, we cannot create ChangeLog.
1625         The following files are changed.
1626
1627         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1628         including some special line terminators (like u2028, u2029).
1629
1630         * test262.yaml:
1631         * test262/test262-Revision.txt:
1632         * test262/*:
1633
1634 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1635
1636         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1637         https://bugs.webkit.org/show_bug.cgi?id=182411
1638
1639         Reviewed by Carlos Alberto Lopez Perez.
1640
1641         This is skipped only on arm memory limited platforms. Until recently
1642         it was not a problem on MIPS as the butterfly was not initialized. But
1643         since r227435, the butterfly is initialized in that test and therefore
1644         memory is allocated, and the test typically takes around 512M, which
1645         means it generally gets OOM-killed on the MIPS buildbot.
1646
1647         * mozilla/mozilla-tests.yaml:
1648
1649 2018-02-01  Mark Lam  <mark.lam@apple.com>
1650
1651         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1652         https://bugs.webkit.org/show_bug.cgi?id=182419
1653         <rdar://problem/37044945>
1654
1655         Reviewed by Saam Barati.
1656
1657         * stress/regress-182419.js: Added.
1658
1659 2018-02-01  Keith Miller  <keith_miller@apple.com>
1660
1661         Fix crashes due to mishandling custom sections.
1662         https://bugs.webkit.org/show_bug.cgi?id=182404
1663         <rdar://problem/36935863>
1664
1665         Reviewed by Saam Barati.
1666
1667         * wasm/Builder.js:
1668         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1669         * wasm/js-api/validate.js:
1670         (assert.truthy):
1671
1672 2018-01-31  Saam Barati  <sbarati@apple.com>
1673
1674         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1675         https://bugs.webkit.org/show_bug.cgi?id=182074
1676         <rdar://problem/36846261>
1677
1678         Reviewed by Mark Lam.
1679
1680         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1681         (assert):
1682         (let.func):
1683         (let.o.foo):
1684         (varFunc):
1685
1686 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1687
1688         Unreviewed, update test262 expects
1689         https://bugs.webkit.org/show_bug.cgi?id=182232
1690
1691         * test262.yaml:
1692
1693 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1694
1695         [JSC] Implement trimStart and trimEnd
1696         https://bugs.webkit.org/show_bug.cgi?id=182233
1697
1698         Reviewed by Mark Lam.
1699
1700         * stress/trim.js: Added.
1701         (shouldBe):
1702         (startTest):
1703         (endTest):
1704         (trimTest):
1705
1706 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1707
1708         [JSC] Relax line terminators in String to make JSON subset of JS
1709         https://bugs.webkit.org/show_bug.cgi?id=182232
1710
1711         Reviewed by Keith Miller.
1712
1713         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1714         * stress/relaxed-line-terminators-in-string.js: Added.
1715         (shouldBe):
1716
1717 2018-01-29  Michael Saboff  <msaboff@apple.com>
1718
1719         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1720         https://bugs.webkit.org/show_bug.cgi?id=182249
1721
1722         Reviewed by Keith Miller.
1723
1724         New regression test.
1725
1726         * stress/compare-clobber-untypeduse.js: Added.
1727
1728 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1729
1730         Unreviewed, rolling out r227725.
1731
1732         This caused internal failures.
1733
1734         Reverted changeset:
1735
1736         "JSC Sampling Profiler: Detect tester and testee when sampling
1737         in RegExp JIT"
1738         https://bugs.webkit.org/show_bug.cgi?id=152729
1739         https://trac.webkit.org/changeset/227725
1740
1741 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1742
1743         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1744         https://bugs.webkit.org/show_bug.cgi?id=152729
1745
1746         Reviewed by Saam Barati.
1747
1748         * stress/sampling-profiler-regexp.js: Added.
1749         (platformSupportsSamplingProfiler.test):
1750         (platformSupportsSamplingProfiler.baz):
1751         (platformSupportsSamplingProfiler):
1752
1753 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1754
1755         [DFG][FTL] WeakMap#set should have DFG node
1756         https://bugs.webkit.org/show_bug.cgi?id=180015
1757
1758         Reviewed by Saam Barati.
1759
1760         * stress/weakmap-set-change-get.js: Added.
1761         (shouldBe):
1762         (test):
1763         * stress/weakmap-set-cse.js: Added.
1764         (shouldBe):
1765         (test):
1766         * stress/weakset-add-change-get.js: Added.
1767         (shouldBe):
1768         * stress/weakset-add-cse.js: Added.
1769         (shouldBe):
1770
1771 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1772
1773         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1774         https://bugs.webkit.org/show_bug.cgi?id=182213
1775
1776         Reviewed by Mark Lam.
1777
1778         * stress/int32-min-to-string.js: Added.
1779         (shouldBe):
1780         (test2):
1781         (test4):
1782         (test8):
1783         (test16):
1784         (test32):
1785         * stress/zero-to-string.js: Added.
1786         (shouldBe):
1787         (test2):
1788         (test4):
1789         (test8):
1790         (test16):
1791         (test32):
1792
1793 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1794
1795         Add more module scope related tests with code evaluation by string
1796         https://bugs.webkit.org/show_bug.cgi?id=181983
1797
1798         Reviewed by Sam Weinig.
1799
1800         Add more module scope related tests. When the original tests are landed,
1801         we do not have browser integration. This patch adds more module scope tests
1802         with dynamically created script evaluation. We add tests with Function
1803         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1804
1805         * modules/scopes-eval.js: Added.
1806         (shouldBe):
1807         * modules/scopes.js:
1808         (shouldBe):
1809
1810 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1811
1812         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1813
1814         * microbenchmarks/array-push-3.js: Removed.
1815         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1816         * microbenchmarks/double-to-int32.js: Removed.
1817         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1818         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1819         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1820         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1821         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1822         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1823         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1824         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1825         * microbenchmarks/map-constant-key.js: Removed.
1826         * microbenchmarks/nested-function-parsing.js: Removed.
1827         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1828         * microbenchmarks/spread-large-array.js: Removed.
1829         * microbenchmarks/string-add-constant-folding.js: Removed.
1830         * microbenchmarks/to-lower-case.js: Removed.
1831         * microbenchmarks/undefined-property-access.js: Removed.
1832         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1833         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1834         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1835         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1836         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1837         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1838         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1839         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1840         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1841         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1842         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1843         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1844         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1845         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1846         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1847         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1848         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1849         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1850
1851 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1852
1853         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1854         https://bugs.webkit.org/show_bug.cgi?id=181739
1855         <rdar://problem/36627662>
1856
1857         Reviewed by Saam Barati.
1858
1859         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1860         (foo):
1861         (bar):
1862
1863 2018-01-22  Michael Saboff  <msaboff@apple.com>
1864
1865         DFG abstract interpreter needs to properly model effects of some Math ops
1866         https://bugs.webkit.org/show_bug.cgi?id=181886
1867
1868         Reviewed by Saam Barati.
1869
1870         New regression test.
1871
1872         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1873         (test):
1874
1875 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1876
1877         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1878         https://bugs.webkit.org/show_bug.cgi?id=181182
1879
1880         Reviewed by Darin Adler.
1881
1882         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1883         * stress/big-int-prototype-to-string-exception.js: Added.
1884         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1885         * stress/number-prototype-to-string-cast-overflow.js: Added.
1886         * stress/number-prototype-to-string-exception.js: Added.
1887         * stress/number-prototype-to-string-wrong-values.js: Added.
1888
1889 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1890
1891         Disable Atomics when SharedArrayBuffer isn’t enabled
1892         https://bugs.webkit.org/show_bug.cgi?id=181572
1893
1894         Unreviewed test gardening.
1895
1896         * test262.yaml: Skip tests that fail after this change.
1897
1898 2018-01-19  Saam Barati  <sbarati@apple.com>
1899
1900         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1901         https://bugs.webkit.org/show_bug.cgi?id=181877
1902         <rdar://problem/36630552>
1903
1904         Reviewed by Mark Lam.
1905
1906         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1907         (runNearStackLimit):
1908         (f1):
1909         (f2):
1910         (f3):
1911         (i.catch):
1912         (i.try.runNearStackLimit):
1913         (catch):
1914
1915 2018-01-19  Saam Barati  <sbarati@apple.com>
1916
1917         Spread's effects are modeled incorrectly both in AI and in Clobberize
1918         https://bugs.webkit.org/show_bug.cgi?id=181867
1919         <rdar://problem/36290415>
1920
1921         Reviewed by Michael Saboff.
1922
1923         * stress/ai-needs-to-model-spreads-effects.js: Added.
1924         (try.p.Symbol.iterator):
1925         (try.go):
1926         (catch):
1927         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1928         (assert):
1929         (foo):
1930         (a.Symbol.iterator):
1931
1932 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1933
1934         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1935         https://bugs.webkit.org/show_bug.cgi?id=181535
1936
1937         * stress/inserted-recovery-with-set-last-index.js:
1938
1939 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1940
1941         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1942         https://bugs.webkit.org/show_bug.cgi?id=181535
1943
1944         Reviewed by Saam Barati.
1945
1946         * stress/inserted-recovery-with-set-last-index.js: Added.
1947         (shouldBe):
1948         (foo):
1949         * stress/materialize-regexp-at-osr-exit.js: Added.
1950         (shouldBe):
1951         (test):
1952         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1953         (shouldBe):
1954         (test):
1955         * stress/materialize-regexp-cyclic-regexp.js: Added.
1956         (shouldBe):
1957         (test):
1958         (i.switch):
1959         * stress/materialize-regexp-cyclic.js: Added.
1960         (shouldBe):
1961         (test):
1962         (i.switch):
1963         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1964         (bar):
1965         (foo):
1966         (test):
1967         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1968         (bar):
1969         (foo):
1970         (test):
1971         * stress/materialize-regexp.js: Added.
1972         (shouldBe):
1973         (test):
1974         * stress/phantom-regexp-regexp-exec.js: Added.
1975         (shouldBe):
1976         (test):
1977         * stress/phantom-regexp-string-match.js: Added.
1978         (shouldBe):
1979         (test):
1980         * stress/regexp-last-index-sinking.js: Added.
1981         (shouldBe):
1982         (test):
1983
1984 2018-01-17  Saam Barati  <sbarati@apple.com>
1985
1986         Disable Atomics when SharedArrayBuffer isn’t enabled
1987         https://bugs.webkit.org/show_bug.cgi?id=181572
1988         <rdar://problem/36553206>
1989
1990         Reviewed by Michael Saboff.
1991
1992         * stress/isLockFree.js:
1993
1994 2018-01-17  Saam Barati  <sbarati@apple.com>
1995
1996         DFG::Node::convertToConstant needs to clear the varargs flags
1997         https://bugs.webkit.org/show_bug.cgi?id=181697
1998         <rdar://problem/36497332>
1999
2000         Reviewed by Yusuke Suzuki.
2001
2002         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
2003         (doIndexOf):
2004         (bar):
2005         (i.bar):
2006
2007 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
2008
2009         Unreviewed, rolling out r226937.
2010
2011         Tests added with this change are failing due to a missing
2012         exception check.
2013
2014         Reverted changeset:
2015
2016         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
2017         double to int32_t"
2018         https://bugs.webkit.org/show_bug.cgi?id=181182
2019         https://trac.webkit.org/changeset/226937
2020
2021 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
2022
2023         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
2024         https://bugs.webkit.org/show_bug.cgi?id=181182
2025
2026         Reviewed by Darin Adler.
2027
2028         * bigIntTests.yaml:
2029         * stress/big-int-constructor.js:
2030         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
2031         (assert):
2032         (assertThrowRangeError):
2033         * stress/number-prototype-to-string-cast-overflow.js: Added.
2034         (assert):
2035         (assertThrowRangeError):
2036
2037 2018-01-12  Saam Barati  <sbarati@apple.com>
2038
2039         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2040         https://bugs.webkit.org/show_bug.cgi?id=181177
2041         <rdar://problem/36205704>
2042
2043         Reviewed by Yusuke Suzuki.
2044
2045         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
2046         (runNearStackLimit.t):
2047         (runNearStackLimit):
2048         (test.f):
2049         (test):
2050
2051 2018-01-12  Saam Barati  <sbarati@apple.com>
2052
2053         Each variant of a polymorphic inlined call should be exitOK at the top of the block
2054         https://bugs.webkit.org/show_bug.cgi?id=181562
2055         <rdar://problem/36445624>
2056
2057         Reviewed by Yusuke Suzuki.
2058
2059         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
2060         (f):
2061         (foo):
2062
2063 2018-01-11  Saam Barati  <sbarati@apple.com>
2064
2065         When inserting Unreachable in byte code parser we need to flush all the right things
2066         https://bugs.webkit.org/show_bug.cgi?id=181509
2067         <rdar://problem/36423110>
2068
2069         Reviewed by Mark Lam.
2070
2071         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
2072
2073 2018-01-11  Saam Barati  <sbarati@apple.com>
2074
2075         JITMathIC code in the FTL is wrong when code gets duplicated
2076         https://bugs.webkit.org/show_bug.cgi?id=181525
2077         <rdar://problem/36351993>
2078
2079         Reviewed by Michael Saboff and Keith Miller.
2080
2081         * stress/allow-math-ic-b3-code-duplication.js: Added.
2082
2083 2018-01-11  Saam Barati  <sbarati@apple.com>
2084
2085         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
2086         https://bugs.webkit.org/show_bug.cgi?id=181508
2087
2088         Reviewed by Yusuke Suzuki.
2089
2090         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
2091         (assert):
2092         (test1.foo):
2093         (test1):
2094         (test2.foo):
2095         (test2):
2096
2097 2018-01-09  Mark Lam  <mark.lam@apple.com>
2098
2099         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
2100         https://bugs.webkit.org/show_bug.cgi?id=181388
2101         <rdar://problem/36349351>
2102
2103         Reviewed by Saam Barati.
2104
2105         * stress/regress-181388.js: Added.
2106
2107 2018-01-08  JF Bastien  <jfbastien@apple.com>
2108
2109         WebAssembly: mask indexed accesses to Table
2110         https://bugs.webkit.org/show_bug.cgi?id=181412
2111         <rdar://problem/36363236>
2112
2113         Reviewed by Saam Barati.
2114
2115         Update error messages.
2116
2117         * wasm/js-api/table.js:
2118         (assert.throws.WebAssembly.Table.prototype.grow):
2119
2120 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2121
2122         Disable SharedArrayBuffer tests missed in r226386.
2123         https://bugs.webkit.org/show_bug.cgi?id=181266
2124
2125         Unreviewed test gardening.
2126
2127         * test262.yaml:
2128
2129 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2130
2131         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2132         https://bugs.webkit.org/show_bug.cgi?id=181321
2133
2134         Reviewed by Saam Barati.
2135
2136         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2137         (shouldBe):
2138         (testFunction):
2139         * test262.yaml:
2140
2141 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2142
2143         Unreviewed, attempt to fix test262 after r226386.
2144
2145         * test262.yaml:
2146
2147 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2148
2149         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2150         https://bugs.webkit.org/show_bug.cgi?id=179911
2151
2152         Reviewed by Saam Barati.
2153
2154         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2155
2156         * stress/map-set-change-get.js: Added.
2157         (shouldBe):
2158         (test):
2159         * stress/map-set-create-bucket.js: Added.
2160         (shouldBe):
2161         (test):
2162         * stress/set-add-create-bucket.js: Added.
2163         (shouldBe):
2164
2165 2018-01-03  Michael Saboff  <msaboff@apple.com>
2166
2167         Disable SharedArrayBuffers from Web API
2168         https://bugs.webkit.org/show_bug.cgi?id=181266
2169
2170         Reviewed by Saam Barati.
2171
2172         Disabled SharedArrayBuffer tests.
2173
2174         * stress/SharedArrayBuffer-opt.js:
2175         * stress/SharedArrayBuffer.js:
2176         * stress/array-buffer-byte-length.js:
2177         * stress/atomics-add-uint32.js:
2178         * stress/atomics-known-int-use.js:
2179         * stress/atomics-neg-zero.js:
2180         * stress/atomics-store-return.js:
2181         * stress/lars-sab-workers.js:
2182         * stress/regress-159779-1.js:
2183         * stress/regress-159779-2.js:
2184         * stress/regress-170473.js:
2185         * test262.yaml:
2186
2187 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2188
2189         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2190         https://bugs.webkit.org/show_bug.cgi?id=181258
2191
2192         Reviewed by Antonio Gomes.
2193
2194         * stress/big-int-constructor-gc.js:
2195         * stress/big-int-constructor-oom.js:
2196
2197 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2198
2199         Inlining of a function that ends in op_unreachable crashes
2200         https://bugs.webkit.org/show_bug.cgi?id=181027
2201
2202         Reviewed by Filip Pizlo.
2203
2204         * stress/inlining-unreachable.js: Added.
2205         (bar):
2206         (baz):
2207         (i.catch):
2208
2209 2018-01-02  Saam Barati  <sbarati@apple.com>
2210
2211         Incorrect assertion inside AccessCase
2212         https://bugs.webkit.org/show_bug.cgi?id=181200
2213         <rdar://problem/35494754>
2214
2215         Reviewed by Yusuke Suzuki.
2216
2217         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2218         (ctor):
2219         (theFunc):
2220         (run):
2221
2222 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2223
2224         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2225         https://bugs.webkit.org/show_bug.cgi?id=175359
2226
2227         Reviewed by Yusuke Suzuki.
2228
2229         * bigIntTests.yaml:
2230         * stress/big-int-as-key.js: Added.
2231         * stress/big-int-constructor-gc.js: Added.
2232         * stress/big-int-constructor-oom.js: Added.
2233         * stress/big-int-constructor-properties.js: Added.
2234         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2235         * stress/big-int-constructor-prototype.js: Added.
2236         * stress/big-int-constructor.js: Added.
2237         * stress/big-int-function-apply.js:
2238         * stress/big-int-length.js: Added.
2239         * stress/big-int-prop-descriptor.js: Added.
2240         * stress/big-int-proto-constructor.js: Added.
2241         * stress/big-int-proto-name.js: Added.
2242         * stress/big-int-prototype-properties.js: Added.
2243         * stress/big-int-prototype-proto.js: Added.
2244         * stress/big-int-prototype-value-of.js: Added.
2245         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2246         * stress/big-int-prototype-to-string-apply.js: Added.
2247         * stress/big-int-to-object.js: Added.
2248         * stress/big-int-to-string.js: Added.
2249
2250 2017-12-28  Saam Barati  <sbarati@apple.com>
2251
2252         Assertion used to determine if something is an async generator is wrong
2253         https://bugs.webkit.org/show_bug.cgi?id=181168
2254         <rdar://problem/35640560>
2255
2256         Reviewed by Yusuke Suzuki.
2257
2258         * stress/async-generator-assertion.js: Added.
2259
2260 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2261
2262         Skip stress/splay-flash-access tests on memory limited platforms
2263         https://bugs.webkit.org/show_bug.cgi?id=181086
2264
2265         Reviewed by Carlos Alberto Lopez Perez.
2266
2267         These tests use about 185M of memory, and occasionally get OOM-killed
2268         on memory limited platforms.
2269
2270         * stress/splay-flash-access-1ms.js:
2271         * stress/splay-flash-access.js:
2272
2273 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2274
2275         Skip slow jsc tests on embedded platforms
2276         https://bugs.webkit.org/show_bug.cgi?id=180937
2277
2278         Reviewed by Carlos Alberto Lopez Perez.
2279
2280         The tests typeProfiler/deltablue-for-of.js and
2281         typeProfiler/getter-richards.js take a very long time in the
2282         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2283         thus always timeout. They should be skipped on these platforms.
2284
2285         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2286         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2287
2288 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2289
2290         [JSC] Do not check isValid() in op_new_regexp
2291         https://bugs.webkit.org/show_bug.cgi?id=180970
2292
2293         Reviewed by Saam Barati.
2294
2295         * stress/regexp-syntax-error-invalid-flags.js: Added.
2296         (shouldThrow):
2297
2298 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2299
2300         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2301         https://bugs.webkit.org/show_bug.cgi?id=180712
2302
2303         Reviewed by Michael Catanzaro.
2304
2305         stress/call-apply-exponential-bytecode-size.js crashes if the
2306         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2307         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2308         should skip the test on other platforms.
2309
2310         * stress/call-apply-exponential-bytecode-size.js:
2311
2312 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2313
2314         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2315         https://bugs.webkit.org/show_bug.cgi?id=179762
2316
2317         Reviewed by Saam Barati.
2318
2319         * stress/call-varargs-double-new-array-buffer.js: Added.
2320         (assert):
2321         (bar):
2322         (foo):
2323         * stress/call-varargs-spread-new-array-buffer.js: Added.
2324         (assert):
2325         (bar):
2326         (foo):
2327         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2328         (assert):
2329         (bar):
2330         (foo):
2331         * stress/forward-varargs-double-new-array-buffer.js: Added.
2332         (assert):
2333         (test.baz):
2334         (test.bar):
2335         (test.foo):
2336         (test):
2337         * stress/new-array-buffer-sinking-osrexit.js: Added.
2338         (target):
2339         (test):
2340         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2341         (shouldBe):
2342         (test):
2343         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2344         (shouldBe):
2345         (target):
2346         (test):
2347         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2348         (assert):
2349         (test1.bar):
2350         (test1.foo):
2351         (test1):
2352         (test2.bar):
2353         (test2.foo):
2354         (test3.baz):
2355         (test3.bar):
2356         (test3.foo):
2357         (test4.baz):
2358         (test4.bar):
2359         (test4.foo):
2360         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2361         (assert):
2362         (test.baz):
2363         (test.bar):
2364         (test.foo):
2365         (test):
2366         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2367         (assert):
2368         (baz):
2369         (bar):
2370         (effects):
2371         (foo):
2372
2373 2017-12-14  Saam Barati  <sbarati@apple.com>
2374
2375         The CleanUp after LICM is erroneously removing a Check
2376         https://bugs.webkit.org/show_bug.cgi?id=180852
2377         <rdar://problem/36063494>
2378
2379         Reviewed by Filip Pizlo.
2380
2381         * stress/dont-run-cleanup-after-licm.js: Added.
2382
2383 2017-12-14  Michael Saboff  <msaboff@apple.com>
2384
2385         REGRESSION (r225695): Repro crash on yahoo login page
2386         https://bugs.webkit.org/show_bug.cgi?id=180761
2387
2388         Reviewed by JF Bastien.
2389
2390         New regression test.
2391
2392         * stress/regress-180761.js: Added.
2393
2394 2017-12-13  Keith Miller  <keith_miller@apple.com>
2395
2396         JSObjects should have a mask for loading indexed properties
2397         https://bugs.webkit.org/show_bug.cgi?id=180768
2398
2399         Reviewed by Mark Lam.
2400
2401         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2402         (test):
2403
2404 2017-12-13  Saam Barati  <sbarati@apple.com>
2405
2406         Arrow functions need their own structure because they have different properties than sloppy functions
2407         https://bugs.webkit.org/show_bug.cgi?id=180779
2408         <rdar://problem/35814591>
2409
2410         Reviewed by Mark Lam.
2411
2412         * stress/arrow-function-needs-its-own-structure.js: Added.
2413         (assert):
2414         (readPrototype):
2415         (noInline.let.f1):
2416         (noInline):
2417
2418 2017-12-13  Saam Barati  <sbarati@apple.com>
2419
2420         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2421         https://bugs.webkit.org/show_bug.cgi?id=163579
2422         <rdar://problem/35455798>
2423
2424         Reviewed by Mark Lam.
2425
2426         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2427         (assert):
2428         (test1):
2429         (i.test1):
2430         (i.test1.C):
2431         (i.test1.async.foo):
2432         (i.test1.foo):
2433         (test2):
2434
2435 2017-12-13  Saam Barati  <sbarati@apple.com>
2436
2437         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2438         https://bugs.webkit.org/show_bug.cgi?id=180734
2439         <rdar://problem/35640547>
2440
2441         Reviewed by Yusuke Suzuki.
2442
2443         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2444         (__isPropertyOfType):
2445         (__getProperties):
2446         (__getObjects):
2447         (__getRandomObject):
2448         (theClass.):
2449         (theClass):
2450         (childClass):
2451         (counter.catch):
2452
2453 2017-12-12  Saam Barati  <sbarati@apple.com>
2454
2455         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2456         https://bugs.webkit.org/show_bug.cgi?id=180725
2457         <rdar://problem/35970511>
2458
2459         Reviewed by Michael Saboff.
2460
2461         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2462         (f1):
2463         (f2):
2464         (let.o2.valueOf):
2465
2466 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2467
2468         [JSC] Implement optimized WeakMap and WeakSet
2469         https://bugs.webkit.org/show_bug.cgi?id=179929
2470
2471         Reviewed by Saam Barati.
2472
2473         * microbenchmarks/weak-map-key.js:
2474         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2475         (assert):
2476         (objectKey):
2477         (let.start.Date.now):
2478         * stress/basic-weakmap.js: Added.
2479         (shouldBe):
2480         (test):
2481         * stress/basic-weakset.js: Added.
2482         (shouldBe):
2483         (test.set new):
2484         * stress/weakmap-cse-set-break.js: Added.
2485         (shouldBe):
2486         (test):
2487         * stress/weakmap-cse.js: Added.
2488         (shouldBe):
2489         (test):
2490         * stress/weakmap-gc.js: Added.
2491         (test):
2492         * stress/weakset-cse-add-break.js: Added.
2493         (shouldBe):
2494         (test.set new):
2495         * stress/weakset-cse.js: Added.
2496         (shouldBe):
2497         (test.set new):
2498         * stress/weakset-gc.js: Added.
2499         (test.set add):
2500         (test.set new):
2501         (test):
2502
2503 2017-12-12  Saam Barati  <sbarati@apple.com>
2504
2505         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2506         https://bugs.webkit.org/show_bug.cgi?id=180723
2507         <rdar://problem/35859726>
2508
2509         Reviewed by JF Bastien.
2510
2511         * stress/get-my-argument-by-val-constant-folding.js: Added.
2512         (test):
2513         (catch):
2514
2515 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2516
2517         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2518         https://bugs.webkit.org/show_bug.cgi?id=179000
2519
2520         Reviewed by Darin Adler and Yusuke Suzuki.
2521
2522         * bigIntTests.yaml: Added.
2523         * stress/big-int-literal-line-terminator.js: Added.
2524         * stress/big-int-literals.js: Added.
2525         * stress/big-int-operations-error.js: Added.
2526         * stress/big-int-type-of.js: Added.
2527         * stress/big-int-white-space-trailing-leading.js: Added.
2528         * stress/big-int-function-apply.js: Added.
2529
2530 2017-12-11  Saam Barati  <sbarati@apple.com>
2531
2532         We need to disableCaching() in ErrorInstance when we materialize properties
2533         https://bugs.webkit.org/show_bug.cgi?id=180343
2534         <rdar://problem/35833002>
2535
2536         Reviewed by Mark Lam.
2537
2538         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2539         (assert):
2540         (makeError):
2541         (storeToStack):
2542         (storeToStackAlreadyMaterialized):
2543
2544 2017-12-05  JF Bastien  <jfbastien@apple.com>
2545
2546         WebAssembly: don't eagerly checksum
2547         https://bugs.webkit.org/show_bug.cgi?id=180441
2548         <rdar://problem/35156628>
2549
2550         Reviewed by Saam Barati.
2551
2552         Checksum is now disabled, so tests only have <?> as the module
2553         name.
2554
2555         * wasm/function-tests/nameSection.js:
2556         * wasm/function-tests/stack-overflow.js:
2557         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2558         (assertOverflows.assertThrows):
2559         (assertOverflows):
2560         * wasm/function-tests/stack-trace.js:
2561
2562 2017-12-04  JF Bastien  <jfbastien@apple.com>
2563
2564         Proxy all functions, except the $ objects
2565         https://bugs.webkit.org/show_bug.cgi?id=180375
2566
2567         Reviewed by Saam Barati.
2568
2569         It looks like this test may have broken some executions because I
2570         call some internal objects. Explicitly ignore objects whose name
2571         starts with "$" because it's a bad idea anyways.
2572
2573         * stress/proxy-all-the-parameters.js:
2574         (generateObjects):
2575         (get throw):
2576
2577 2017-12-04  Saam Barati  <sbarati@apple.com>
2578
2579         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2580         https://bugs.webkit.org/show_bug.cgi?id=180366
2581         <rdar://problem/35685877>
2582
2583         Reviewed by Michael Saboff.
2584
2585         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2586         (theParent):
2587         (test1.base.getParentStaticValue):
2588         (test1.base):
2589         (test1.__v_24888.prototype.set prop):
2590         (test1.__v_24888):
2591         (test2.base.getParentStaticValue):
2592         (test2.base):
2593         (test2.__v_24888.prototype.set prop):
2594         (test2.__v_24888):
2595         (test2):
2596
2597 2017-12-01  JF Bastien  <jfbastien@apple.com>
2598
2599         Try proxying all function arguments
2600         https://bugs.webkit.org/show_bug.cgi?id=180306
2601
2602         Reviewed by Saam Barati.
2603
2604         * stress/proxy-all-the-parameters.js: Added.
2605         (isPropertyOfType):
2606         (getProperties):
2607         (generateObjects):
2608         (getObjects):
2609         (getFunctions):
2610         (get throw):
2611         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2612
2613 2017-12-01  JF Bastien  <jfbastien@apple.com>
2614
2615         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2616         https://bugs.webkit.org/show_bug.cgi?id=180297
2617         <rdar://problem/35745556>
2618
2619         Reviewed by Mark Lam.
2620
2621         * stress/math-exceptions.js: Added.
2622         (get try):
2623         (catch):
2624
2625 2017-12-01  JF Bastien  <jfbastien@apple.com>
2626
2627         JavaScriptCore: add test for weird class static getters
2628         https://bugs.webkit.org/show_bug.cgi?id=180281
2629         <rdar://problem/35592139>
2630
2631         Reviewed by Mark Lam.
2632
2633         I fixed a bug for it in r224927 and didn't add a test. Do so.
2634
2635         * stress/class-static-get-weird.js: Added.
2636         (c.prototype.get name):
2637         (c):
2638         (c.prototype.get arguments):
2639         (c.prototype.get caller):
2640         (c.prototype.get length):
2641
2642 2017-12-01  Saam Barati  <sbarati@apple.com>
2643
2644         Having a bad time needs to handle ArrayClass indexing type as well
2645         https://bugs.webkit.org/show_bug.cgi?id=180274
2646         <rdar://problem/35667869>
2647
2648         Reviewed by Keith Miller and Mark Lam.
2649
2650         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2651         (assert):
2652         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2653         (assert):
2654
2655 2017-12-01  JF Bastien  <jfbastien@apple.com>
2656
2657         WebAssembly: restore cached stack limit after out-call
2658         https://bugs.webkit.org/show_bug.cgi?id=179106
2659         <rdar://problem/35337525>
2660
2661         Reviewed by Saam Barati.
2662
2663         * wasm/function-tests/double-instance.js: Added.
2664         (const.imp.boom):
2665         (const.imp.get callAnother):
2666
2667 2017-11-30  JF Bastien  <jfbastien@apple.com>
2668
2669         WebAssembly: improve stack trace
2670         https://bugs.webkit.org/show_bug.cgi?id=179343
2671
2672         Reviewed by Saam Barati.
2673
2674         Update the tests to follow the new format. Notably, SHA1 module
2675         hash is now included in traces, and stubs are properly identified.
2676
2677         * wasm/assert.js: Add an assertion which matches regular expressions.
2678         * wasm/function-tests/nameSection.js:
2679         * wasm/function-tests/stack-overflow.js:
2680         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2681         (assertOverflows.assertThrows.wasm.1):
2682         (assertOverflows.assertThrows.wasm.0):
2683         (assertOverflows.assertThrows):
2684         (assertOverflows):
2685         * wasm/function-tests/stack-trace.js:
2686         (import.Builder.from.string_appeared_here.assert): Deleted.
2687         * wasm/function-tests/trap-after-cross-instance-call.js:
2688         (wasmFrameCountFromError):
2689         * wasm/function-tests/trap-load-2.js:
2690         (wasmFrameCountFromError):
2691         * wasm/function-tests/trap-load.js:
2692         (wasmFrameCountFromError):
2693
2694 2017-11-30  Mark Lam  <mark.lam@apple.com>
2695
2696         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2697         https://bugs.webkit.org/show_bug.cgi?id=180219
2698         <rdar://problem/35696536>
2699
2700         Reviewed by Filip Pizlo.
2701
2702         * stress/regress-180219.js: Added.
2703
2704 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2705
2706         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2707         https://bugs.webkit.org/show_bug.cgi?id=180190
2708
2709         Reviewed by Mark Lam.
2710
2711         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2712         (shouldBe):
2713         (test1):
2714         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2715         (shouldBe):
2716         (test1):
2717         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2718         (shouldBe):
2719         (test1):
2720         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2721         (shouldBe):
2722         (test1):
2723         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2724         (shouldBe):
2725         (test1):
2726         * stress/operation-in-may-have-negative-int32.js: Added.
2727         (shouldBe):
2728         (test2):
2729         * stress/operation-in-negative-int32-cast.js: Added.
2730         (shouldBe):
2731         (test1):
2732
2733 2017-11-28  JF Bastien  <jfbastien@apple.com>
2734
2735         Strict and sloppy functions shouldn't share structure
2736         https://bugs.webkit.org/show_bug.cgi?id=180103
2737         <rdar://problem/35667847>
2738
2739         Reviewed by Saam Barati.
2740
2741         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2742         because the IC was wrong.
2743         (foo):
2744         (bar):
2745         (baz):
2746         (catch):
2747         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2748         in this patch, but may as well test odd strict mode corner cases.
2749         (bar):
2750         (baz):
2751         (catch):
2752         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2753         (foo):
2754         (bar):
2755         (baz):
2756         (catch):
2757         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2758         next file, but with invalidation of the FunctionExecutable's
2759         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2760         slower path.
2761         (foo):
2762         (bar.const.x):
2763         (bar.const.y):
2764         (bar):
2765         (catch):
2766         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2767         strict nesting works correctly.
2768         (foo):
2769         (bar.baz):
2770         (bar):
2771         * stress/strict-function-structure.js: Added. The test used to
2772         assert in objectProtoFuncHasOwnProperty.
2773         (foo):
2774         (bar):
2775         (baz):
2776         * stress/strict-nested-function-structure.js: Added. Nesting.
2777         (foo):
2778         (bar):
2779         (baz.boo):
2780         (baz):
2781
2782 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2783
2784         The recursive tail call optimisation is wrong on closures
2785         https://bugs.webkit.org/show_bug.cgi?id=179835
2786
2787         Reviewed by Saam Barati.
2788
2789         * stress/closure-recursive-tail-call.js: Added.
2790         (makeClosure):
2791
2792 2017-11-27  JF Bastien  <jfbastien@apple.com>
2793
2794         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2795         https://bugs.webkit.org/show_bug.cgi?id=180051
2796         <rdar://problem/35614371>
2797
2798         Reviewed by Saam Barati.
2799
2800         * stress/rest-parameter-negative.js: Added.
2801         (__f_5484):
2802         (catch):
2803         (__f_5485):
2804         (__v_22598.catch):
2805
2806 2017-11-27  Saam Barati  <sbarati@apple.com>
2807
2808         Spread can escape when CreateRest does not
2809         https://bugs.webkit.org/show_bug.cgi?id=180057
2810         <rdar://problem/35676119>
2811
2812         Reviewed by JF Bastien.
2813
2814         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2815         (assert):
2816         (getProperties):
2817         (theFunc):
2818         (let.obj.valueOf):
2819
2820 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2821
2822         [DFG] Add NormalizeMapKey DFG IR
2823         https://bugs.webkit.org/show_bug.cgi?id=179912
2824
2825         Reviewed by Saam Barati.
2826
2827         * stress/map-untyped-normalize-cse.js: Added.
2828         (shouldBe):
2829         (test):
2830         * stress/map-untyped-normalize.js: Added.
2831         (shouldBe):
2832         (test):
2833         * stress/set-untyped-normalize-cse.js: Added.
2834         (shouldBe):
2835         (set return.set has.set has):
2836         * stress/set-untyped-normalize.js: Added.
2837         (shouldBe):
2838         (set return.set has):
2839
2840 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2841
2842         [FTL] Support DeleteById and DeleteByVal
2843         https://bugs.webkit.org/show_bug.cgi?id=180022
2844
2845         Reviewed by Saam Barati.
2846
2847         * stress/delete-by-id.js: Added.
2848         (shouldBe):
2849         (test1):
2850         (test2):
2851         * stress/delete-by-val-ftl.js: Added.
2852         (shouldBe):
2853         (test1):
2854         (test2):
2855
2856 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2857
2858         [DFG] Introduce {Set,Map,WeakMap}Fields
2859         https://bugs.webkit.org/show_bug.cgi?id=179925
2860
2861         Reviewed by Saam Barati.
2862
2863         * stress/map-set-clobber-map-get.js: Added.
2864         (shouldBe):
2865         (test):
2866         * stress/map-set-does-not-clobber-set-has.js: Added.
2867         (shouldBe):
2868         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2869         (shouldBe):
2870         (test):
2871         * stress/set-add-clobber-set-has.js: Added.
2872         (shouldBe):
2873         * stress/set-add-does-not-clobber-map-get.js: Added.
2874         (shouldBe):
2875
2876 2017-11-24  Mark Lam  <mark.lam@apple.com>
2877
2878         Move unsafe jsc shell test functions to the $vm object.
2879         https://bugs.webkit.org/show_bug.cgi?id=179980
2880
2881         Reviewed by Yusuke Suzuki.
2882
2883         * controlFlowProfiler/driver/driver.js:
2884         * controlFlowProfiler/execution-count.js:
2885         * controlFlowProfiler/if-statement.js:
2886         * controlFlowProfiler/loop-statements.js:
2887         * controlFlowProfiler/switch-statements.js:
2888         * controlFlowProfiler/test-jit.js:
2889         * exceptionFuzz/3d-cube.js:
2890         * exceptionFuzz/date-format-xparb.js:
2891         * exceptionFuzz/earley-boyer.js:
2892         * heapProfiler/basic-edges.js:
2893         * heapProfiler/property-edge-types.js:
2894         * microbenchmarks/try-get-by-id-basic.js:
2895         * microbenchmarks/try-get-by-id-polymorphic.js:
2896         * modules/namespace-object-try-get.js:
2897         * stress/argument-count-bytecode.js:
2898         * stress/argument-intrinsic-basic.js:
2899         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2900         * stress/argument-intrinsic-inlining-with-result-escape.js:
2901         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2902         * stress/argument-intrinsic-inlining-with-vararg.js:
2903         * stress/argument-intrinsic-nested-inlining.js:
2904         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2905         * stress/argument-intrinsic-with-stack-write.js:
2906         * stress/arity-mismatch-get-argument.js:
2907         * stress/array-message-passing.js:
2908         * stress/array-push-with-force-exit.js:
2909         * stress/check-dom-with-signature.js:
2910         * stress/check-sub-class.js:
2911         * stress/compare-eq-incomplete-profile.js:
2912         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2913         * stress/do-eval-virtual-call-correctly.js:
2914         * stress/dom-jit-with-poly-proto.js:
2915         * stress/domjit-exception-ic.js:
2916         * stress/domjit-exception.js:
2917         * stress/domjit-getter-complex-with-incorrect-object.js:
2918         * stress/domjit-getter-complex.js:
2919         * stress/domjit-getter-poly.js:
2920         * stress/domjit-getter-proto.js:
2921         * stress/domjit-getter-super-poly.js:
2922         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2923         * stress/domjit-getter-type-check.js:
2924         * stress/domjit-getter.js:
2925         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2926         * stress/for-in-proxy-target-changed-structure.js:
2927         * stress/for-in-proxy.js:
2928         * stress/generational-opaque-roots.js:
2929         * stress/global-const-redeclaration-setting-2.js:
2930         * stress/global-const-redeclaration-setting-3.js:
2931         * stress/global-const-redeclaration-setting-4.js:
2932         * stress/global-const-redeclaration-setting-5.js:
2933         * stress/global-const-redeclaration-setting.js:
2934         * stress/import-basic.js:
2935         * stress/import-from-eval.js:
2936         * stress/import-reject-with-exception.js:
2937         * stress/import-syntax.js:
2938         * stress/impure-get-own-property-slot-inline-cache.js:
2939         * stress/is-constructor.js:
2940         * stress/istypedarrayview-intrinsic.js:
2941         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2942         * stress/jsc-test-functions-should-be-more-robust.js:
2943         * stress/object-toString-with-proxy.js:
2944         * stress/poly-proto-custom-value-and-accessor.js:
2945         * stress/proxy-inline-cache.js:
2946         * stress/re-execute-error-module.js:
2947         * stress/regress-150532.js:
2948         * stress/regress-156992.js:
2949         * stress/regress-179619.js:
2950         * stress/resources/shadow-chicken-support.js:
2951         * stress/runtime-array.js:
2952         * stress/sampling-profiler-microtasks.js:
2953         * stress/shadow-chicken-enabled.js:
2954         * stress/spread-correct-global-object-on-exception.js:
2955         * stress/super-get-by-id.js:
2956         * stress/tailCallForwardArguments.js:
2957         * stress/to-object-intrinsic-boolean-edge.js:
2958         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2959         * stress/to-object-intrinsic-number-edge.js:
2960         * stress/to-object-intrinsic-object-edge.js:
2961         * stress/to-object-intrinsic-string-edge.js:
2962         * stress/to-object-intrinsic-symbol-edge.js:
2963         * stress/to-object-intrinsic.js:
2964         * stress/try-catch-custom-getter-as-get-by-id.js:
2965         * stress/try-get-by-id-poly-proto.js:
2966         * stress/try-get-by-id-should-spill-registers-dfg.js:
2967         * stress/try-get-by-id.js:
2968         * typeProfiler/arrow-functions.js:
2969         * typeProfiler/basic.js:
2970         * typeProfiler/captured.js:
2971         * typeProfiler/classes.js:
2972         * typeProfiler/dfg-jit-optimizations.js:
2973         * typeProfiler/dictionary-mode.js:
2974         * typeProfiler/es6-block-scoping.js:
2975         * typeProfiler/es6-classes.js:
2976         * typeProfiler/inheritance.js:
2977         * typeProfiler/int52-dfg.js:
2978         * typeProfiler/loop.js:
2979         * typeProfiler/optional-fields.js:
2980         * typeProfiler/overflow.js:
2981         * typeProfiler/return.js:
2982         * typeProfiler/symbol.js:
2983         * typeProfiler/weird-prototype-chain.js:
2984
2985 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2986
2987         [DFG][FTL] Support MapSet / SetAdd intrinsics
2988         https://bugs.webkit.org/show_bug.cgi?id=179858
2989
2990         Reviewed by Saam Barati.
2991
2992         * microbenchmarks/map-has-and-set.js: Added.
2993         (test):
2994         * stress/map-set-check-failure.js: Added.
2995         (shouldBe):
2996         (shouldThrow):
2997         (target):
2998         * stress/map-set-cse.js: Added.
2999         (shouldBe):
3000         (test):
3001         * stress/set-add-check-failure.js: Added.
3002         (shouldBe):
3003         (shouldThrow):
3004         (set shouldThrow):
3005         * stress/set-add-cse.js: Added.
3006         (shouldBe):
3007
3008 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3009
3010         [JSC] Allow poly proto for intrinsic getters
3011         https://bugs.webkit.org/show_bug.cgi?id=179550
3012
3013         Reviewed by Saam Barati.
3014
3015         This change is also tested by existing tests.
3016
3017             1. stress/intrinsic-getter-with-poly-proto.js
3018             2. stress/poly-proto-intrinsic-getter-correctness.js
3019
3020         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
3021         (shouldBe):
3022         (makePolyProtoObject.foo.C):
3023         (makePolyProtoObject.foo):
3024         (makePolyProtoObject):
3025         (target):
3026         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
3027         (shouldBe):
3028         (makePolyProtoObject.foo.C):
3029         (makePolyProtoObject.foo):
3030         (makePolyProtoObject):
3031         (target):
3032
3033 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
3034
3035         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
3036         https://bugs.webkit.org/show_bug.cgi?id=179744
3037
3038         Reviewed by Michael Catanzaro.
3039
3040         This test uses too much memory for our buildbots on these platforms
3041         and gets OOM-killed.
3042
3043         * stress/unshiftCountSlowCase-correct-postCapacity.js:
3044         Skip if $memoryLimited and linux.
3045
3046 2017-11-17  JF Bastien  <jfbastien@apple.com>
3047
3048         WebAssembly JS API: throw when a promise can't be created
3049         https://bugs.webkit.org/show_bug.cgi?id=179826
3050         <rdar://problem/35455813>
3051
3052         Reviewed by Mark Lam.
3053
3054         Test WebAssembly.{compile,instantiate} where promise creation
3055         fails because of a stack overflow.
3056
3057         * wasm/js-api/promise-stack-overflow.js: Added.
3058         (const.runNearStackLimit.f.const.t):
3059         (async.testCompile):
3060         (async.testInstantiate):
3061
3062 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3063
3064         Unreviewed, mark regress-178385.js as memory exhausting
3065
3066         * stress/regress-178385.js:
3067
3068 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
3069
3070         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
3071
3072         Unreviewed test gardening.
3073
3074         * test262.yaml:
3075
3076 2017-11-16  Robin Morisset  <rmorisset@apple.com>
3077
3078         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
3079         https://bugs.webkit.org/show_bug.cgi?id=179763
3080         <rdar://problem/35550513>
3081
3082         Reviewed by Keith Miller.
3083
3084         Just adding a slightly cleaned-up version of the original fuzzer-found test.
3085
3086         * stress/tdz-this-in-try-catch.js: Added.
3087         (__v_6388):
3088         (__v_6392):
3089
3090 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3091
3092         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3093         https://bugs.webkit.org/show_bug.cgi?id=179594
3094
3095         Reviewed by Saam Barati.
3096
3097         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
3098         (shouldBe):
3099         (args):
3100         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
3101         (shouldBe):
3102         (args):
3103
3104 2017-11-14  Saam Barati  <sbarati@apple.com>
3105
3106         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3107         https://bugs.webkit.org/show_bug.cgi?id=179639
3108         <rdar://problem/35513018>
3109
3110         Reviewed by JF Bastien.
3111
3112         * wasm/function-tests/grow-memory-cause-gc.js: Added.
3113         (escape):
3114         (i.func):
3115
3116 2017-11-13  Mark Lam  <mark.lam@apple.com>
3117
3118         Add more overflow check book-keeping for MarkedArgumentBuffer.
3119         https://bugs.webkit.org/show_bug.cgi?id=179634
3120         <rdar://problem/35492517>
3121
3122         Reviewed by Saam Barati.
3123
3124         * stress/regress-179634.js: Added.
3125
3126 2017-11-13  Mark Lam  <mark.lam@apple.com>
3127
3128         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3129         https://bugs.webkit.org/show_bug.cgi?id=179619
3130         <rdar://problem/35492518>
3131
3132         Reviewed by Saam Barati.
3133
3134         * stress/regress-179619.js: Added.
3135
3136 2017-11-12  Mark Lam  <mark.lam@apple.com>
3137
3138         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3139         https://bugs.webkit.org/show_bug.cgi?id=179562
3140         <rdar://problem/35467022>
3141
3142         Reviewed by Saam Barati.
3143
3144         * regress-179562.js: Added.
3145
3146 2017-11-08  Saam Barati  <sbarati@apple.com>
3147
3148         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3149         https://bugs.webkit.org/show_bug.cgi?id=177792
3150
3151         Reviewed by Yusuke Suzuki.
3152
3153         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3154         (assert):
3155         (foo.Foo.prototype.ensureX):
3156         (foo.Foo):
3157         (foo):
3158         (access):
3159
3160 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3161
3162         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3163         https://bugs.webkit.org/show_bug.cgi?id=178592
3164
3165         Unreviewed test gardening.
3166
3167         * test262.yaml:
3168
3169 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3170
3171         Turn recursive tail calls into loops
3172         https://bugs.webkit.org/show_bug.cgi?id=176601
3173
3174         Reviewed by Saam Barati.
3175
3176         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3177
3178         Add some simple test that computes factorial in several ways, and other trivial computations.
3179         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3180         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3181         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3182         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3183
3184         * stress/inline-call-to-recursive-tail-call.js: Added.
3185         (factorial.aux):
3186         (factorial):
3187         (factorial2.aux2):
3188         (factorial2.id):
3189         (factorial2):
3190         (factorial3.aux3):
3191         (factorial3):
3192         (aux4):
3193         (factorial4):
3194         (foo):
3195         (auxBar):
3196         (bar):
3197         (test):
3198
3199 2017-11-07  Mark Lam  <mark.lam@apple.com>
3200
3201         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3202         https://bugs.webkit.org/show_bug.cgi?id=179355
3203         <rdar://problem/35263053>
3204
3205         Reviewed by Saam Barati.
3206
3207         * stress/regress-179355.js: Added.
3208
3209 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3212         https://bugs.webkit.org/show_bug.cgi?id=144458
3213
3214         Reviewed by Saam Barati.
3215
3216         * microbenchmarks/dfg-internal-function-call.js: Added.
3217         (target):
3218         * microbenchmarks/dfg-internal-function-construct.js: Added.
3219         (target):
3220         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3221         (target):
3222         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3223         (target):
3224         * stress/dfg-internal-function-call.js: Added.
3225         (shouldBe):
3226         (target):
3227         * stress/dfg-internal-function-construct.js: Added.
3228         (shouldBe):
3229         (target):
3230         * stress/internal-function-call.js: Added.
3231         (shouldBe):
3232         * stress/internal-function-construct.js: Added.
3233         (shouldBe):
3234
3235 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3236
3237         [Win] Skip stress/regress-178385.js.
3238         https://bugs.webkit.org/show_bug.cgi?id=179298
3239
3240         Unreviewed test gardening.
3241
3242         * stress/regress-178385.js:
3243
3244 2017-11-03  Keith Miller  <keith_miller@apple.com>
3245
3246         Add test for ic with side effects
3247         https://bugs.webkit.org/show_bug.cgi?id=179268
3248
3249         Reviewed by Saam Barati.
3250
3251         * stress/put-inline-cache-side-effects.js: Added.
3252         (let.i.of.objs.keys):
3253         (f):
3254
3255 2017-11-03  Mark Lam  <mark.lam@apple.com>
3256
3257         CachedCall (and its clients) needs overflow checks.
3258         https://bugs.webkit.org/show_bug.cgi?id=179185
3259
3260         Reviewed by JF Bastien.
3261
3262         * stress/regress-179185.js: Added.
3263
3264 2017-11-02  Michael Saboff  <msaboff@apple.com>
3265
3266         DFG needs to handle code motion of code in for..in loop bodies
3267         https://bugs.webkit.org/show_bug.cgi?id=179212
3268
3269         Reviewed by Keith Miller.
3270
3271         New regression test.
3272
3273         * stress/for-in-side-effects.js: Added.
3274         (getPrototypeOf):
3275         (reset):
3276         (testWithoutFTL.f):
3277         (testWithoutFTL):
3278         (testWithFTL.f):
3279         (testWithFTL):
3280
3281 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3282
3283         AI does not correctly model the clobber case of ArithClz32
3284         https://bugs.webkit.org/show_bug.cgi?id=179188
3285
3286         Reviewed by Michael Saboff.
3287
3288         * stress/arith-clz32-effects.js: Added.
3289         (foo):
3290         (valueOf):
3291
3292 2017-11-01  Michael Saboff  <msaboff@apple.com>
3293
3294         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3295         https://bugs.webkit.org/show_bug.cgi?id=179140
3296
3297         Reviewed by Saam Barati.
3298
3299         New regression test.
3300
3301         * stress/regress-179140.js: Added.
3302         (testWithoutFTL):
3303         (testWithFTL):
3304
3305 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3306
3307         [JSC] Introduce @toObject
3308         https://bugs.webkit.org/show_bug.cgi?id=178726
3309
3310         Reviewed by Saam Barati.
3311
3312         * stress/array-copywithin.js:
3313         (shouldThrow):
3314         * stress/object-constructor-boolean-edge.js: Added.
3315         (shouldBe):
3316         (test):
3317         * stress/object-constructor-global.js: Added.
3318         (shouldBe):
3319         * stress/object-constructor-null-edge.js: Added.
3320         (shouldBe):
3321         (test):
3322         * stress/object-constructor-number-edge.js: Added.
3323         (shouldBe):
3324         (test):
3325         * stress/object-constructor-object-edge.js: Added.
3326         (shouldBe):
3327         (test):
3328         (i.arg):
3329         * stress/object-constructor-string-edge.js: Added.
3330         (shouldBe):
3331         (test):
3332         * stress/object-constructor-symbol-edge.js: Added.
3333         (shouldBe):
3334         (test):
3335         * stress/object-constructor-undefined-edge.js: Added.
3336         (shouldBe):
3337         (test):
3338         * stress/symbol-array-from.js: Added.
3339         (shouldBe):
3340         * stress/to-object-intrinsic-boolean-edge.js: Added.
3341         (shouldBe):
3342         (builtin.createBuiltin):
3343         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3344         (shouldThrow):
3345         * stress/to-object-intrinsic-number-edge.js: Added.
3346         (shouldBe):
3347         (builtin.createBuiltin):
3348         * stress/to-object-intrinsic-object-edge.js: Added.
3349         (shouldBe):
3350         (builtin.createBuiltin):
3351         (i.arg):
3352         * stress/to-object-intrinsic-string-edge.js: Added.
3353         (shouldBe):
3354         (builtin.createBuiltin):
3355         * stress/to-object-intrinsic-symbol-edge.js: Added.
3356         (shouldBe):
3357         (builtin.createBuiltin):
3358         * stress/to-object-intrinsic.js: Added.
3359         (shouldBe):
3360         (shouldThrow):
3361         (builtin.createBuiltin):
3362
3363 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3364
3365         [DFG][FTL] Introduce StringSlice
3366         https://bugs.webkit.org/show_bug.cgi?id=178934
3367
3368         Reviewed by Saam Barati.
3369
3370         * microbenchmarks/string-slice-empty.js: Added.
3371         (slice):
3372         * microbenchmarks/string-slice-one-char.js: Added.
3373         (slice):
3374         * microbenchmarks/string-slice.js: Added.
3375         (slice):
3376
3377 2017-10-26  Michael Saboff  <msaboff@apple.com>
3378
3379         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3380         https://bugs.webkit.org/show_bug.cgi?id=178890
3381
3382         Reviewed by Keith Miller.
3383
3384         New regression test.
3385
3386         * stress/regress-178890.js: Added.
3387
3388 2017-10-26  Mark Lam  <mark.lam@apple.com>
3389
3390         JSRopeString::RopeBuilder::append() should check for overflows.
3391         https://bugs.webkit.org/show_bug.cgi?id=178385
3392         <rdar://problem/35027468>
3393
3394         Reviewed by Saam Barati.
3395
3396         * stress/regress-178385.js: Added.
3397
3398 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3399
3400         Unreviewed, rolling out r223961.
3401
3402         The change that required this has been rolled out.
3403
3404         Reverted changeset:
3405
3406         "Mark test262.yaml/test262/test/language/statements/try/tco-
3407         catch.js as passing."
3408         https://bugs.webkit.org/show_bug.cgi?id=178592
3409         https://trac.webkit.org/changeset/223961
3410
3411 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3412
3413         Unreviewed, rolling out r223691 and r223729.
3414         https://bugs.webkit.org/show_bug.cgi?id=178834
3415
3416         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3417         by rniwa on #webkit).
3418
3419         Reverted changesets:
3420
3421         "Turn recursive tail calls into loops"
3422         https://bugs.webkit.org/show_bug.cgi?id=176601
3423         https://trac.webkit.org/changeset/223691
3424
3425         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3426         comparison is always false due to limited range of data type
3427         [-Wtype-limits]"
3428         https://bugs.webkit.org/show_bug.cgi?id=178543
3429         https://trac.webkit.org/changeset/223729
3430
3431 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3432
3433         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3434         https://bugs.webkit.org/show_bug.cgi?id=178592
3435
3436         Unreviewed test gardening.
3437
3438         * test262.yaml:
3439
3440 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3441
3442         [FTL] Support NewStringObject
3443         https://bugs.webkit.org/show_bug.cgi?id=178737
3444
3445         Reviewed by Saam Barati.
3446
3447         * stress/new-string-object.js: Added.
3448         (shouldBe):
3449         (test):
3450
3451 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3452
3453         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3454         https://bugs.webkit.org/show_bug.cgi?id=178308
3455
3456         Reviewed by Mark Lam.
3457
3458         * test262.yaml:
3459
3460 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3461
3462         [JSC] Use fastJoin in Array#toString
3463         https://bugs.webkit.org/show_bug.cgi?id=178062
3464
3465         Reviewed by Darin Adler.
3466
3467         * microbenchmarks/contiguous-array-to-string.js: Added.
3468         (target):
3469         * microbenchmarks/double-array-to-string.js: Added.
3470         (target):
3471         * microbenchmarks/int32-array-to-string.js: Added.
3472         (target):
3473
3474 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3475
3476         stress/check-string-ident.js is improperly skipped
3477         https://bugs.webkit.org/show_bug.cgi?id=178642
3478
3479         Reviewed by Saam Barati.
3480
3481         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3482         since it enforces the run-jsc-stress-tests script to still set up the
3483         test to run, despite the skip directive that's used before.
3484
3485 2017-10-20  Mark Lam  <mark.lam@apple.com>
3486
3487         Add a test case for r214334.
3488         https://bugs.webkit.org/show_bug.cgi?id=169941
3489         <rdar://problem/31221258>
3490
3491         Reviewed by JF Bastien.
3492
3493         * stress/regress-169941.js: Added.
3494
3495 2017-10-19  JF Bastien  <jfbastien@apple.com>
3496
3497         WebAssembly: no VM / JS version of everything but Instance
3498         https://bugs.webkit.org/show_bug.cgi?id=177473
3499
3500         Reviewed by Filip Pizlo, Saam Barati.
3501
3502         - Exceeding max on memory growth now returns a range error as per
3503         spec. This is a (very minor) breaking change: it used to throw OOM
3504         error. Update the corresponding test.
3505
3506         * wasm/js-api/memory-grow.js:
3507         (assertEq):
3508         * wasm/js-api/table.js:
3509         (assert.throws):
3510
3511 2017-10-19  Mark Lam  <mark.lam@apple.com>
3512
3513         Stringifier::appendStringifiedValue() is missing an exception check.
3514         https://bugs.webkit.org/show_bug.cgi?id=178386
3515         <rdar://problem/35027610>
3516
3517         Reviewed by Saam Barati.
3518
3519         * stress/regress-178386.js: Added.
3520
3521 2017-10-19  Michael Saboff  <msaboff@apple.com>
3522
3523         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3524         https://bugs.webkit.org/show_bug.cgi?id=178521
3525
3526         Reviewed by JF Bastien.
3527
3528         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3529         now passes with the current version (5.0) of the Emoji spec.
3530
3531 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3532
3533         Turn recursive tail calls into loops
3534         https://bugs.webkit.org/show_bug.cgi?id=176601
3535
3536         Reviewed by Saam Barati.
3537
3538         Add some simple test that computes factorial in several ways, and other trivial computations.
3539         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3540         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3541         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3542         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3543
3544         * stress/inline-call-to-recursive-tail-call.js: Added.
3545         (factorial.aux):
3546         (factorial):
3547         (factorial2.aux):
3548         (factorial2.id):
3549         (factorial2):
3550         (factorial3.aux):
3551         (factorial3):
3552         (aux):
3553         (factorial4):
3554         (test):
3555
3556 2017-10-18  Mark Lam  <mark.lam@apple.com>
3557
3558         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3559         https://bugs.webkit.org/show_bug.cgi?id=177600
3560         <rdar://problem/34710985>
3561
3562         Reviewed by Saam Barati.
3563
3564         * stress/regress-177600.js: Added.
3565
3566 2017-10-18  Mark Lam  <mark.lam@apple.com>
3567
3568         The compiler should always register a structure when it adds its transitionWatchPointSet.
3569         https://bugs.webkit.org/show_bug.cgi?id=178420
3570         <rdar://problem/34814024>
3571
3572         Reviewed by Saam Barati and Filip Pizlo.
3573
3574         * stress/regress-178420.js: Added.
3575         (new.Array.10000.map):
3576
3577 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3578
3579         [JSC] __proto__ getter should be fast
3580         https://bugs.webkit.org/show_bug.cgi?id=178067
3581
3582         Reviewed by Saam Barati.
3583
3584         * stress/dfg-object-proto-accessor.js: Added.
3585         (shouldBe):
3586         (shouldThrow):
3587         (target):
3588         * stress/dfg-object-proto-getter.js: Added.
3589         (shouldBe):
3590         (shouldThrow):
3591         (target):
3592         * stress/dfg-object-prototype-of.js: Added.
3593         (shouldBe):
3594         (shouldThrow):
3595         (target):
3596         * stress/dfg-reflect-get-prototype-of.js: Added.
3597         (shouldBe):
3598         (shouldThrow):
3599         (target):
3600         * stress/intrinsic-getter-with-poly-proto.js: Added.
3601         (shouldBe):
3602         (makePolyProtoObject.foo.C):
3603         (makePolyProtoObject.foo):
3604         (makePolyProtoObject):
3605         (target):
3606         * stress/object-get-prototype-of-filtered.js: Added.
3607         (shouldBe):
3608         (shouldThrow):
3609         (target):
3610         (i.Cocoa):
3611         * stress/object-get-prototype-of-mono-proto.js: Added.
3612         (shouldBe):
3613         (makePolyProtoObject.foo.C):
3614         (makePolyProtoObject.foo):
3615         (makePolyProtoObject):
3616         (target):
3617         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3618         (shouldBe):
3619         (makePolyProtoObject.foo.C):
3620         (makePolyProtoObject.foo):
3621         (makePolyProtoObject):
3622         (target):
3623         * stress/object-get-prototype-of-poly-proto.js: Added.
3624         (shouldBe):
3625         (makePolyProtoObject.foo.C):
3626         (makePolyProtoObject.foo):
3627         (makePolyProtoObject):
3628         (target):
3629         * stress/object-proto-getter-filtered.js: Added.
3630         (shouldBe):
3631         (shouldThrow):
3632         (target):
3633         (i.Cocoa):
3634         * stress/object-proto-getter-poly-mono-proto.js: Added.
3635         (shouldBe):
3636         (makePolyProtoObject.foo.C):
3637         (makePolyProtoObject.foo):
3638         (makePolyProtoObject):
3639         (target):
3640         * stress/object-proto-getter-poly-proto.js: Added.
3641         (shouldBe):
3642         (makePolyProtoObject.foo.C):
3643         (makePolyProtoObject.foo):
3644         (makePolyProtoObject):
3645         (target):
3646         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3647         * stress/string-proto.js: Added.
3648         (shouldBe):
3649         (target):
3650
3651 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3652
3653         Unreviewed, rolling out r223523.
3654
3655         A test for this change is failing on debug JSC bots.
3656
3657         Reverted changeset:
3658
3659         "[JSC] __proto__ getter should be fast"
3660         https://bugs.webkit.org/show_bug.cgi?id=178067
3661         https://trac.webkit.org/changeset/223523
3662
3663 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3664
3665         [JSC] __proto__ getter should be fast
3666         https://bugs.webkit.org/show_bug.cgi?id=178067
3667
3668         Reviewed by Saam Barati.
3669
3670         * stress/dfg-object-proto-accessor.js: Added.
3671         (shouldBe):
3672         (shouldThrow):
3673         (target):
3674         * stress/dfg-object-proto-getter.js: Added.
3675         (shouldBe):
3676         (shouldThrow):
3677         (target):
3678         * stress/dfg-object-prototype-of.js: Added.
3679         (shouldBe):
3680         (shouldThrow):
3681         (target):
3682         * stress/dfg-reflect-get-prototype-of.js: Added.
3683         (shouldBe):
3684         (shouldThrow):
3685         (target):
3686         * stress/object-get-prototype-of-filtered.js: Added.
3687         (shouldBe):
3688         (shouldThrow):
3689         (target):
3690         (i.Cocoa):
3691         * stress/object-get-prototype-of-mono-proto.js: Added.
3692         (shouldBe):
3693         (makePolyProtoObject.foo.C):
3694         (makePolyProtoObject.foo):
3695         (makePolyProtoObject):
3696         (target):
3697         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3698         (shouldBe):
3699         (makePolyProtoObject.foo.C):
3700         (makePolyProtoObject.foo):
3701         (makePolyProtoObject):
3702         (target):
3703         * stress/object-get-prototype-of-poly-proto.js: Added.
3704         (shouldBe):
3705         (makePolyProtoObject.foo.C):
3706         (makePolyProtoObject.foo):
3707         (makePolyProtoObject):
3708         (target):
3709         * stress/object-proto-getter-filtered.js: Added.
3710         (shouldBe):
3711         (shouldThrow):
3712         (target):
3713         (i.Cocoa):
3714         * stress/object-proto-getter-poly-mono-proto.js: Added.
3715         (shouldBe):
3716         (makePolyProtoObject.foo.C):
3717         (makePolyProtoObject.foo):
3718         (makePolyProtoObject):
3719         (target):
3720         * stress/object-proto-getter-poly-proto.js: Added.
3721         (shouldBe):
3722         (makePolyProtoObject.foo.C):
3723         (makePolyProtoObject.foo):
3724         (makePolyProtoObject):
3725         (target):
3726         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3727         * stress/string-proto.js: Added.
3728         (shouldBe):
3729         (target):
3730
3731 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3732
3733         Reland "Add Above/Below comparisons for UInt32 patterns"
3734         https://bugs.webkit.org/show_bug.cgi?id=177281
3735
3736         Reviewed by Saam Barati.
3737
3738         * stress/uint32-comparison-jump.js: Added.
3739         (shouldBe):
3740         (above):
3741         (aboveOrEqual):
3742         (below):
3743         (belowOrEqual):
3744         (notAbove):
3745         (notAboveOrEqual):
3746         (notBelow):
3747         (notBelowOrEqual):
3748         * stress/uint32-comparison.js: Added.
3749         (shouldBe):
3750         (above):
3751         (aboveOrEqual):
3752         (below):
3753         (belowOrEqual):
3754         (aboveTest):
3755         (aboveOrEqualTest):
3756         (belowTest):
3757         (belowOrEqualTest):
3758
3759 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3760
3761         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3762         https://bugs.webkit.org/show_bug.cgi?id=178210
3763
3764         Reviewed by Saam Barati.
3765
3766         * wasm/function-tests/trap-from-start-async.js:
3767         (async.StartTrapsAsync):
3768         * wasm/function-tests/trap-from-start.js:
3769         (StartTraps):
3770         * wasm/js-api/web-assembly-function.js:
3771         (assert.eq.Object.getPrototypeOf):
3772         * wasm/js-api/wrapper-function.js:
3773         (return.new.WebAssembly.Module):
3774         (assert.throws.makeInstance): Deleted.
3775         (assert.throws.Bar): Deleted.
3776         (assert.throws): Deleted.
3777
3778 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3779
3780         Enable gigacage on iOS
3781         https://bugs.webkit.org/show_bug.cgi?id=177586
3782
3783         Reviewed by JF Bastien.
3784         
3785         Add tests for when Gigacage gets runtime disabled.
3786
3787         * stress/disable-gigacage-arrays.js: Added.
3788         (foo):
3789         * stress/disable-gigacage-strings.js: Added.
3790         (foo):
3791         * stress/disable-gigacage-typed-arrays.js: Added.
3792         (foo):
3793
3794 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3795
3796         import.meta should not be assignable
3797         https://bugs.webkit.org/show_bug.cgi?id=178202
3798
3799         Reviewed by Saam Barati.
3800
3801         * modules/import-meta-assignment.js: Added.
3802         (shouldThrow):
3803         (SyntaxError.import.meta.can.shouldThrow):
3804
3805 2017-10-11  Saam Barati  <sbarati@apple.com>
3806
3807         Unreviewed. Actually skip certain type profiler tests in debug.
3808
3809         * typeProfiler.yaml:
3810         * typeProfiler/deltablue-for-of.js:
3811         * typeProfiler/getter-richards.js:
3812
3813 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3814
3815         Unreviewed, rolling out r223113 and r223121.
3816         https://bugs.webkit.org/show_bug.cgi?id=178182
3817
3818         Reintroduced 20% regression on Kraken (Requested by rniwa on
3819         #webkit).
3820
3821         Reverted changesets:
3822
3823         "Enable gigacage on iOS"
3824         https://bugs.webkit.org/show_bug.cgi?id=177586
3825         https://trac.webkit.org/changeset/223113
3826
3827         "Use one virtual allocation for all gigacages and their
3828         runways"
3829         https://bugs.webkit.org/show_bug.cgi?id=178050
3830         https://trac.webkit.org/changeset/223121
3831
3832 2017-10-11  Michael Saboff  <msaboff@apple.com>
3833
3834         Disable test262 named capture group tests with direct unicode names and with references before definitions
3835         https://bugs.webkit.org/show_bug.cgi?id=178177
3836
3837         Reviewed by Keith Miller.
3838
3839         Bugs to track fixing these test are:
3840         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3841             "Add support in named capture group identifiers for direct surrogate pairs"
3842         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3843             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3844
3845         * test262.yaml:
3846
3847 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3848
3849         Object properties are undefined in super.call() but not in this.call()
3850         https://bugs.webkit.org/show_bug.cgi?id=177230
3851
3852         Reviewed by Saam Barati.
3853
3854         * stress/super-call-function-subclass.js: Added.
3855         (assert):
3856         (A.prototype.t):
3857         (A):
3858         * stress/super-dot-call-and-apply.js: Added.
3859         (assert):
3860         (A):
3861         (A.prototype.call):
3862         (A.prototype.apply):
3863         (B.prototype.testSuper):
3864         (B):
3865         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3866         (D.prototype.testSuper):
3867         (D):
3868
3869 2017-10-10  Saam Barati  <sbarati@apple.com>
3870
3871         The prototype cache should be aware of the Executable it generates a Structure for
3872         https://bugs.webkit.org/show_bug.cgi?id=177907
3873
3874         Reviewed by Filip Pizlo.
3875
3876         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3877         (assert):
3878         (foo.C):
3879         (foo):
3880         (bar.C):
3881         (bar):
3882         (access):
3883         (makeLongChain):
3884         (accessY):
3885
3886 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3887
3888         `async` should be able to be used as an imported binding name
3889         https://bugs.webkit.org/show_bug.cgi?id=176573
3890
3891         Reviewed by Saam Barati.
3892
3893         * modules/import-default-async.js: Added.
3894         * modules/import-named-async-as.js: Added.
3895         * modules/import-named-async.js: Added.
3896         * modules/import-named-async/target.js: Added.
3897         * modules/import-namespace-async.js: Added.
3898         * test262.yaml:
3899
3900 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3901
3902         Enable gigacage on iOS
3903         https://bugs.webkit.org/show_bug.cgi?id=177586
3904
3905         Reviewed by JF Bastien.
3906         
3907         Add tests for when Gigacage gets runtime disabled.
3908
3909         * stress/disable-gigacage-arrays.js: Added.
3910         (foo):
3911         * stress/disable-gigacage-strings.js: Added.
3912         (foo):
3913         * stress/disable-gigacage-typed-arrays.js: Added.
3914         (foo):
3915
3916 2017-10-09  Michael Saboff  <msaboff@apple.com>
3917
3918         Implement RegExp Unicode property escapes
3919         https://bugs.webkit.org/show_bug.cgi?id=172069
3920
3921         Reviewed by JF Bastien.
3922
3923         Enabled Unicode Property tests.
3924
3925         * test262.yaml:
3926
3927 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3928
3929         Unreviewed, rolling out r223015 and r223025.
3930         https://bugs.webkit.org/show_bug.cgi?id=178093
3931
3932         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3933         #webkit).
3934
3935         Reverted changesets:
3936
3937         "Enable gigacage on iOS"
3938         https://bugs.webkit.org/show_bug.cgi?id=177586
3939         http://trac.webkit.org/changeset/223015
3940
3941         "Unreviewed, disable Gigacage on ARM64 Linux"
3942         https://bugs.webkit.org/show_bug.cgi?id=177586
3943         http://trac.webkit.org/changeset/223025
3944
3945 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3946
3947         Update expectations for test262 tests that pass after r223043.
3948         https://bugs.webkit.org/show_bug.cgi?id=176685
3949
3950         Unreviewed test gardening.
3951
3952         * test262.yaml:
3953
3954 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3955
3956         Unreviewed, rolling out r223022.
3957
3958         This change introduced 18 test262 failures.
3959
3960         Reverted changeset:
3961
3962         "`async` should be able to be used as an imported binding
3963         name"
3964         https://bugs.webkit.org/show_bug.cgi?id=176573
3965         http://trac.webkit.org/changeset/223022
3966
3967 2017-10-09  Saam Barati  <sbarati@apple.com>
3968
3969         3 poly-proto JSC tests timing out on debug after r222827
3970         https://bugs.webkit.org/show_bug.cgi?id=177880
3971         <rdar://problem/34817122>
3972
3973         Unreviewed.
3974
3975         I'm skipping these type profiler tests on debug since they are long running.
3976
3977         * typeProfiler/deltablue-for-of.js:
3978         * typeProfiler/getter-richards.js:
3979
3980 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3981
3982         Safari 10 /11 problem with if (!await get(something)).
3983         https://bugs.webkit.org/show_bug.cgi?id=176685
3984
3985         Reviewed by Saam Barati.
3986
3987         * stress/async-await-basic.js:
3988         (awaitEpression.async):
3989         * stress/async-await-syntax.js:
3990         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3991         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3992
3993 2017-10-08  Saam Barati  <sbarati@apple.com>
3994
3995         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3996
3997         * typeProfiler/deltablue-for-of.js:
3998         * typeProfiler/getter-richards.js:
3999
4000 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
4001
4002         `async` should be able to be used as an imported binding name
4003         https://bugs.webkit.org/show_bug.cgi?id=176573
4004
4005         Reviewed by Darin Adler.
4006
4007         * modules/import-default-async.js: Added.
4008         * modules/import-named-async-as.js: Added.
4009         * modules/import-named-async.js: Added.
4010         * modules/import-named-async/target.js: Added.
4011         * modules/import-namespace-async.js: Added.
4012
4013 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
4014
4015         Enable gigacage on iOS
4016         https://bugs.webkit.org/show_bug.cgi?id=177586
4017
4018         Reviewed by JF Bastien.
4019         
4020         Add tests for when Gigacage gets runtime disabled.
4021
4022         * stress/disable-gigacage-arrays.js: Added.
4023         (foo):
4024         * stress/disable-gigacage-strings.js: Added.
4025         (foo):
4026         * stress/disable-gigacage-typed-arrays.js: Added.
4027         (foo):
4028
4029 2017-10-06  Commit Queue  <commit-queue@webkit.org>
4030
4031         Unreviewed, rolling out r222791 and r222873.
4032         https://bugs.webkit.org/show_bug.cgi?id=178031
4033
4034         Caused crashes with workers/wasm LayoutTests (Requested by
4035         ryanhaddad on #webkit).
4036
4037         Reverted changesets:
4038
4039         "WebAssembly: no VM / JS version of everything but Instance"
4040         https://bugs.webkit.org/show_bug.cgi?id=177473
4041         http://trac.webkit.org/changeset/222791
4042
4043         "WebAssembly: address no VM / JS follow-ups"
4044         https://bugs.webkit.org/show_bug.cgi?id=177887
4045         http://trac.webkit.org/changeset/222873
4046
4047 2017-10-05  Saam Barati  <sbarati@apple.com>
4048
4049         Make sure all prototypes under poly proto get added into the VM's prototype map
4050         https://bugs.webkit.org/show_bug.cgi?id=177909
4051
4052         Reviewed by Keith Miller.
4053
4054         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
4055         (assert):
4056         (foo.C):
4057         (foo):
4058         (set x):
4059
4060 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
4061
4062         [JSC] Introduce import.meta
4063         https://bugs.webkit.org/show_bug.cgi?id=177703
4064
4065         Reviewed by Filip Pizlo.
4066
4067         * modules/import-meta-syntax.js: Added.
4068         (shouldThrow):
4069         (shouldNotThrow):
4070         * modules/import-meta.js: Added.
4071         * modules/import-meta/cocoa.js: Added.
4072         * modules/resources/assert.js:
4073         (export.shouldNotThrow):
4074         * stress/import-syntax.js:
4075
4076 2017-10-04  Saam Barati  <sbarati@apple.com>
4077
4078         Make pertinent AccessCases watch the poly proto watchpoint
4079         https://bugs.webkit.org/show_bug.cgi?id=177765
4080
4081         Reviewed by Keith Miller.
4082
4083         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
4084         (assert):
4085         (foo.C):
4086         (foo):
4087         (validate):
4088         * stress/poly-proto-clear-stub.js: Added.
4089         (assert):
4090         (foo.C):
4091         (foo):
4092
4093 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
4094
4095         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
4096
4097         Unreviewed test gardening.
4098
4099         * test262.yaml:
4100
4101 2017-10-04  Saam Barati  <sbarati@apple.com>
4102
4103         3 poly-proto JSC tests timing out on debug after r222827
4104         https://bugs.webkit.org/show_bug.cgi?id=177880
4105
4106         Rubber stamped by Mark Lam.
4107
4108         * microbenchmarks/poly-proto-access.js:
4109         * typeProfiler/deltablue-for-of.js:
4110         * typeProfiler/getter-richards.js:
4111
4112 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
4113
4114         Unreviewed, marking tco-catch.js as a failure after test262 update
4115         https://bugs.webkit.org/show_bug.cgi?id=177859
4116
4117         * test262.yaml:
4118
4119 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4120
4121         Unreviewed, marking one async iterator test262 test failed
4122         https://bugs.webkit.org/show_bug.cgi?id=177859
4123
4124         * test262.yaml:
4125
4126 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4127
4128         [Test262] Update Test262 to Oct 4 version
4129         https://bugs.webkit.org/show_bug.cgi?id=177859
4130
4131         Reviewed by Sam Weinig.
4132
4133         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
4134         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
4135
4136         * test262.yaml:
4137         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
4138         (checkSequence):
4139         * test262/harness/typeCoercion.js:
4140         (testCoercibleToIndexZero):
4141         (testCoercibleToIndexOne):
4142         (testCoercibleToIndexFromIndex):
4143         (testNotCoercibleToIndex.testPrimitiveValue):
4144         (testNotCoercibleToInteger):
4145         (testCoercibleToBigIntZero.testPrimitiveValue):
4146         (testCoercibleToBigIntZero):
4147         (testCoercibleToBigIntOne.testPrimitiveValue):
4148         (testCoercibleToBigIntOne):
4149         (testPrimitiveValue):
4150         (testCoercibleToBigIntFromBigInt):
4151         (testNotCoercibleToBigInt.testPrimitiveValue):
4152         (testNotCoercibleToBigInt.testStringValue):
4153         (testNotCoercibleToBigInt):
4154         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
4155         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
4156         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
4157         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
4158         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
4159         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
4160         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
4161         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
4162         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
4163         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
4164         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
4165         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
4166         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
4167         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
4168         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
4169         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
4170         (testCoercibleToBigIntZero):
4171         (testCoercibleToBigIntOne):
4172         (testNotCoercibleToBigInt):
4173         (MyError): Deleted.
4174         (valueOf): Deleted.
4175         (toString): Deleted.
4176         (Symbol.toPrimitive): Deleted.
4177         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
4178         (testCoercibleToIndexZero):
4179         (testCoercibleToIndexOne):
4180         (testNotCoercibleToIndex):
4181         (MyError): Deleted.
4182         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
4183         (assert.sameValue.BigInt.asIntN.toString): Deleted.
4184         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
4185         (BigInt.asIntN.valueOf): Deleted.
4186         (BigInt.asIntN.toString): Deleted.
4187         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
4188         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
4189         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
4190         (testCoercibleToBigIntZero):
4191         (testCoercibleToBigIntOne):
4192         (testNotCoercibleToBigInt):
4193         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
4194         (testCoercibleToIndexZero):
4195         (testCoercibleToIndexOne):
4196         (testNotCoercibleToIndex):
4197         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
4198         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
4199         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
4200         (bits.valueOf):
4201         (bigint.valueOf):
4202         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
4203         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
4204         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
4205         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
4206         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
4207         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
4208         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
4209         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
4210         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
4211         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
4212         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
4213         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
4214         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
4215         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
4216         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
4217         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
4218         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
4219         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
4220         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
4221         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
4222         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
4223         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
4224         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
4225         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
4226         (replacer):
4227         (BigInt.prototype.toJSON):
4228         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
4229         (replacer):
4230         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
4231         (BigInt.prototype.toJSON):
4232         * test262/test/built-ins/JSON/stringify/bigint.js:
4233         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
4234         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
4235         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
4236         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
4237         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
4238         * test262/test/built-ins/Object/proto-from-ctor.js:
4239         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
4240         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4241         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4242         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4243         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4244         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4245         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4246         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4247         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4248         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4249         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4250         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4251         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4252         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4253         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4254         * test262/test/built-ins/Proxy/get-fn-realm.js:
4255         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4256         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4257         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4258         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4259         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4260         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4261         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4262         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4263         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4264         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4265         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4266         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4267         (i6.replace):
4268         (i6b.replace):
4269         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4270         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4271         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4272         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4273         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4274         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4275         * test262/test/built-ins/RegExp/u180e.js: Added.
4276         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4277         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4278         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4279         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4280         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4281         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4282         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4283         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4284         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4285         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4286         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4287         * test262/test/built-ins/String/prototype/endsWith/length.js:
4288         * test262/test/built-ins/String/prototype/endsWith/name.js:
4289         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4290         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4291         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4292         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4293         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4294         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4295         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4296         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4297         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4298         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4299         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4300         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4301         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4302         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4303         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4304         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4305         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4306         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4307         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4308         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4309         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4310         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4311         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4312         * test262/test/built-ins/String/prototype/includes/includes.js:
4313         * test262/test/built-ins/String/prototype/includes/length.js:
4314         * test262/test/built-ins/String/prototype/includes/name.js:
4315         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4316         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4317         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4318         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4319         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4320         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4321         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4322         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4323         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4324         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4325         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4326         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4327         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4328         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4329         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4330         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4331         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4332         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4333         * test262/test/built-ins/String/prototype/trim/u180e.js:
4334         * test262/test/built-ins/Symbol/for/cross-realm.js:
4335         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4336         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4337         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4338         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4339         * test262/test/built-ins/Symbol/match/cross-realm.js:
4340         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4341         * test262/test/built-ins/Symbol/search/cross-realm.js:
4342         * test262/test/built-ins/Symbol/species/cross-realm.js:
4343         * test262/test/built-ins/Symbol/split/cross-realm.js:
4344         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4345         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4346         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4347         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4348         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4349         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4350         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4351         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4352         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4353         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4354         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4355         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4356         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4357         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4358         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4359         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4360         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4361         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4362         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4363         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4364         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4365         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4366         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4367         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4368         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4369         * test262/test/language/eval-code/indirect/realm.js:
4370         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4371         (o.get z):
4372         (o.get a):
4373         * test262/test/language/expressions/call/eval-realm-indirect.js:
4374         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4375         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4376         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4377         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4378         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4379         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4380         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4381         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4382         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4383         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4384         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4385         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4386         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4387         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4388         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4389         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4390         * test262/test/language/expressions/less-than/bigint-and-number.js:
4391         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4392         * test262/test/language/expressions/super/realm.js:
4393         *&nb