[JSC] Add SameValue DFG node
[WebKit-https.git] / JSTests / ChangeLog
1 2018-05-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [JSC] Add SameValue DFG node
4         https://bugs.webkit.org/show_bug.cgi?id=185065
5
6         Reviewed by Saam Barati.
7
8         * microbenchmarks/object-is.js: Added.
9         (incognito):
10         (sameValue):
11         (test1):
12         (test2):
13         (test3):
14         (test4):
15         (test5):
16         (test6):
17         * stress/object-is.js: Added.
18         (shouldBe):
19         (is1):
20         (is2):
21         (is3):
22         (is4):
23         (is5):
24         (is6):
25         (is7):
26         (is8):
27         (is9):
28         (is10):
29         (is11):
30         (is12):
31         (is13):
32         (is14):
33         (is15):
34
35 2018-05-01  Robin Morisset  <rmorisset@apple.com>
36
37         Correctly detect string overflow when using the 'Function' constructor
38         https://bugs.webkit.org/show_bug.cgi?id=184883
39         <rdar://problem/36320331>
40
41         Reviewed by Filip Pizlo.
42
43         I put this regression test in the 'slowMicrobenchmarks' directory because it takes nearly 30s to run, and I am not sure where else to put it.
44
45         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
46         (catch):
47
48 2018-05-01  Robin Morisset  <rmorisset@apple.com>
49
50         IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
51         https://bugs.webkit.org/show_bug.cgi?id=185162
52
53         Reviewed by Filip Pizlo.
54
55         * stress/incomplete-unicode-locale.js: Added.
56         (catch):
57
58 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
59
60         Add SetCallee as DFG-Operation
61         https://bugs.webkit.org/show_bug.cgi?id=184582
62
63         Reviewed by Filip Pizlo.
64
65         Added test that runs into infinite loop without updating the callee and
66         therefore emitting SetCallee in DFG for recursive tail calls.
67
68         * stress/closure-recursive-tail-call-infinite-loop.js: Added.
69         (Foo):
70         (second):
71         (first):
72         (return.closure):
73         (createClosure):
74
75 2018-04-30  Saam Barati  <sbarati@apple.com>
76
77         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
78         https://bugs.webkit.org/show_bug.cgi?id=185149
79         <rdar://problem/39455917>
80
81         Reviewed by Filip Pizlo.
82
83         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
84
85 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
86
87         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
88         https://bugs.webkit.org/show_bug.cgi?id=185126
89
90         Reviewed by Saam Barati.
91         
92         I found this bug by accident when I was writing this test for something else.
93         
94         This change also speeds up other benchmarks of this case that we already had. They are all called
95         the licm-dragons tests.
96
97         * microbenchmarks/licm-dragons-two-structures.js: Added.
98         (foo):
99
100 2018-04-29  Commit Queue  <commit-queue@webkit.org>
101
102         Unreviewed, rolling out r231137.
103         https://bugs.webkit.org/show_bug.cgi?id=185118
104
105         It is breaking Test262 language/expressions/multiplication
106         /order-of-evaluation.js (Requested by caiolima on #webkit).
107
108         Reverted changeset:
109
110         "[ESNext][BigInt] Implement support for "*" operation"
111         https://bugs.webkit.org/show_bug.cgi?id=183721
112         https://trac.webkit.org/changeset/231137
113
114 2018-04-28  Saam Barati  <sbarati@apple.com>
115
116         We don't model regexp effects properly
117         https://bugs.webkit.org/show_bug.cgi?id=185059
118         <rdar://problem/39736150>
119
120         Reviewed by Filip Pizlo.
121
122         * stress/regexp-exec-test-effectful-last-index.js: Added.
123         (assert):
124         (foo):
125         (i.regexLastIndex.toString):
126         (bar):
127
128 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
129
130         Token misspelled "tocken" in error message string
131         https://bugs.webkit.org/show_bug.cgi?id=185030
132
133         Reviewed by Saam Barati.
134
135         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
136         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
137         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
138         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
139         (testSyntaxError.String.raw.v):
140         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
141         (testSyntaxError.String.raw.a):
142
143 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
144
145         [ESNext][BigInt] Implement support for "*" operation
146         https://bugs.webkit.org/show_bug.cgi?id=183721
147
148         Reviewed by Saam Barati.
149
150         * bigIntTests.yaml:
151         * stress/big-int-mul-jit.js: Added.
152         * stress/big-int-mul-to-primitive-precedence.js: Added.
153         * stress/big-int-mul-to-primitive.js: Added.
154         * stress/big-int-mul-type-error.js: Added.
155         * stress/big-int-mul-wrapped-value.js: Added.
156         * stress/big-int-multiplication.js: Added.
157         * stress/big-int-multiply-memory-stress.js: Added.
158
159 2018-04-28  Commit Queue  <commit-queue@webkit.org>
160
161         Unreviewed, rolling out r231131.
162         https://bugs.webkit.org/show_bug.cgi?id=185112
163
164         It is breaking Debug build due to unchecked exception
165         (Requested by caiolima on #webkit).
166
167         Reverted changeset:
168
169         "[ESNext][BigInt] Implement support for "*" operation"
170         https://bugs.webkit.org/show_bug.cgi?id=183721
171         https://trac.webkit.org/changeset/231131
172
173 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
174
175         [ESNext][BigInt] Implement support for "*" operation
176         https://bugs.webkit.org/show_bug.cgi?id=183721
177
178         Reviewed by Saam Barati.
179
180         * bigIntTests.yaml:
181         * stress/big-int-mul-jit.js: Added.
182         * stress/big-int-mul-to-primitive-precedence.js: Added.
183         * stress/big-int-mul-to-primitive.js: Added.
184         * stress/big-int-mul-type-error.js: Added.
185         * stress/big-int-mul-wrapped-value.js: Added.
186         * stress/big-int-multiplication.js: Added.
187         * stress/big-int-multiply-memory-stress.js: Added.
188
189 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
190
191         Unreviewed, rolling out r231086.
192
193         Caused JSC test failures due to an unchecked exception.
194
195         Reverted changeset:
196
197         "[ESNext][BigInt] Implement support for "*" operation"
198         https://bugs.webkit.org/show_bug.cgi?id=183721
199         https://trac.webkit.org/changeset/231086
200
201 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
202
203         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
204
205         * test262.yaml: Mark tests as passing.
206
207 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
208
209         [ESNext][BigInt] Implement support for "*" operation
210         https://bugs.webkit.org/show_bug.cgi?id=183721
211
212         Reviewed by Saam Barati.
213
214         * bigIntTests.yaml:
215         * stress/big-int-mul-jit.js: Added.
216         * stress/big-int-mul-to-primitive-precedence.js: Added.
217         * stress/big-int-mul-to-primitive.js: Added.
218         * stress/big-int-mul-type-error.js: Added.
219         * stress/big-int-mul-wrapped-value.js: Added.
220         * stress/big-int-multiplication.js: Added.
221         * stress/big-int-multiply-memory-stress.js: Added.
222
223 2018-04-25  Robin Morisset  <rmorisset@apple.com>
224
225         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
226         https://bugs.webkit.org/show_bug.cgi?id=184773
227         <rdar://problem/37773612>
228
229         Reviewed by Filip Pizlo.
230
231         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
232         so I decided to add it to the stress tests nonetheless.
233
234         * stress/create-rest-while-having-a-bad-time.js: Added.
235         (f):
236         (g):
237         (h):
238
239 2018-04-25  Keith Miller  <keith_miller@apple.com>
240
241         Add missing scope release to functionProtoFuncToString
242         https://bugs.webkit.org/show_bug.cgi?id=184995
243
244         Reviewed by Saam Barati.
245
246         * stress/function-toString-arrow.js: Added.
247         (async):
248
249 2018-04-24  Keith Miller  <keith_miller@apple.com>
250
251         fromCharCode is missing some exception checks
252         https://bugs.webkit.org/show_bug.cgi?id=184952
253
254         Reviewed by Saam Barati.
255
256         * stress/fromCharCode-exception-check.js: Added.
257         (get catch):
258
259 2018-04-24  Mark Lam  <mark.lam@apple.com>
260
261         Gardening: test fix after r230863.
262         https://bugs.webkit.org/show_bug.cgi?id=184846
263         <rdar://problem/39390672>
264
265         Not reviewed.
266
267         * stress/json-stringified-overflow-2.js:
268         (catch):
269         * stress/json-stringified-overflow.js:
270         (catch):
271
272 2018-04-20  JF Bastien  <jfbastien@apple.com>
273
274         Handle more JSON stringify OOM
275         https://bugs.webkit.org/show_bug.cgi?id=184846
276         <rdar://problem/39390672>
277
278         Reviewed by Mark Lam.
279
280         * stress/json-stringified-overflow-2.js: Added. Same as the one
281         below, but with a bigger input which will trigger a different code
282         path.
283         (catch):
284         * stress/json-stringified-overflow.js: Modify the test to only
285         catch OOM on stringification. not on string creation.
286
287 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
288
289         [WebAssembly][Modules] Import tables in wasm modules
290         https://bugs.webkit.org/show_bug.cgi?id=184738
291
292         Reviewed by JF Bastien.
293
294         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
295         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
296         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
297         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
298         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
299         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
300         * wasm/modules/wasm-imports-wasm-exports.js:
301         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
302         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
303         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
304         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
305
306 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
307
308         [WebAssembly][Modules] Import globals from wasm modules
309         https://bugs.webkit.org/show_bug.cgi?id=184736
310
311         Reviewed by JF Bastien.
312
313         * wasm.yaml:
314         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
315         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
316         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
317         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
318         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
319         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
320         * wasm/modules/wasm-imports-wasm-exports.js:
321         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
322         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
323         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
324         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
325
326 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
327
328         Unreviewed, reland r230697, r230720, and r230724.
329         https://bugs.webkit.org/show_bug.cgi?id=184600
330
331         * wasm.yaml:
332         * wasm/modules/constant.wasm: Added.
333         * wasm/modules/constant.wat: Added.
334         * wasm/modules/default-import-star-error.js: Added.
335         (then):
336         * wasm/modules/default-import-star-error/entry.wasm: Added.
337         * wasm/modules/default-import-star-error/entry.wat: Added.
338         * wasm/modules/default-import-star-error/t0.js: Added.
339         * wasm/modules/default-import-star-error/t1.js: Added.
340         * wasm/modules/default-import-star-error/t2.js: Added.
341         (export.default.Cocoa):
342         * wasm/modules/js-wasm-cycle.js: Added.
343         * wasm/modules/js-wasm-cycle/entry.js: Added.
344         (from.string_appeared_here.export.return42):
345         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
346         * wasm/modules/js-wasm-cycle/sum.wat: Added.
347         * wasm/modules/js-wasm-function-namespace.js: Added.
348         (assert.throws):
349         * wasm/modules/js-wasm-function.js: Added.
350         (assert.throws):
351         * wasm/modules/js-wasm-global-namespace.js: Added.
352         (assert.throws):
353         * wasm/modules/js-wasm-global.js: Added.
354         (assert.throws):
355         * wasm/modules/js-wasm-memory-namespace.js: Added.
356         (assert.throws):
357         * wasm/modules/js-wasm-memory.js: Added.
358         (assert.throws):
359         * wasm/modules/js-wasm-start.js: Added.
360         (then):
361         * wasm/modules/js-wasm-table-namespace.js: Added.
362         (assert.throws):
363         * wasm/modules/js-wasm-table.js: Added.
364         (assert.throws):
365         * wasm/modules/memory.wasm: Added.
366         * wasm/modules/memory.wat: Added.
367         * wasm/modules/run-from-wasm.wasm: Added.
368         * wasm/modules/run-from-wasm.wat: Added.
369         * wasm/modules/run-from-wasm/check.js: Added.
370         (export.check):
371         * wasm/modules/start.wasm: Added.
372         * wasm/modules/start.wat: Added.
373         * wasm/modules/sum.wasm: Added.
374         * wasm/modules/sum.wat: Added.
375         * wasm/modules/table.wasm: Added.
376         * wasm/modules/table.wat: Added.
377         * wasm/modules/wasm-imports-js-exports.js: Added.
378         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
379         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
380         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
381         (export.sum):
382         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
383         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
384         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
385         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
386         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
387         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
388         * wasm/modules/wasm-imports-wasm-exports.js: Added.
389         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
390         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
391         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
392         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
393         * wasm/modules/wasm-js-cycle.js: Added.
394         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
395         * wasm/modules/wasm-js-cycle/entry.wat: Added.
396         * wasm/modules/wasm-js-cycle/sum.js: Added.
397         (from.string_appeared_here.export.sum):
398         * wasm/modules/wasm-wasm-cycle.js: Added.
399         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
400         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
401         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
402         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
403
404 2018-04-17  Commit Queue  <commit-queue@webkit.org>
405
406         Unreviewed, rolling out r230697, r230720, and r230724.
407         https://bugs.webkit.org/show_bug.cgi?id=184717
408
409         These caused multiple failures on the Test262 testers.
410         (Requested by mlewis13 on #webkit).
411
412         Reverted changesets:
413
414         "[WebAssembly][Modules] Prototype wasm import"
415         https://bugs.webkit.org/show_bug.cgi?id=184600
416         https://trac.webkit.org/changeset/230697
417
418         "[WebAssembly][Modules] Implement function import from wasm
419         modules"
420         https://bugs.webkit.org/show_bug.cgi?id=184689
421         https://trac.webkit.org/changeset/230720
422
423         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
424         https://bugs.webkit.org/show_bug.cgi?id=184703
425         https://trac.webkit.org/changeset/230724
426
427 2018-04-17  JF Bastien  <jfbastien@apple.com>
428
429         A put is not an ExistingProperty put when we transition a structure because of an attributes change
430         https://bugs.webkit.org/show_bug.cgi?id=184706
431         <rdar://problem/38871451>
432
433         Reviewed by Saam Barati.
434
435         * stress/put-by-id-direct-strict-transition.js: Added.
436         (const.foo):
437         (j.const.obj.set hello):
438         * stress/put-by-id-direct-transition.js: Added.
439         (const.foo):
440         (j.const.obj.set hello):
441         * stress/put-getter-setter-by-id-strict-transition.js: Added.
442         (const.foo):
443         (j.const.obj.set hello):
444         * stress/put-getter-setter-by-id-transition.js: Added.
445         (const.foo):
446         (j.const.obj.set hello):
447
448 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
449
450         PutStackSinkingPhase should know that KillStack means ConflictingFlush
451         https://bugs.webkit.org/show_bug.cgi?id=184672
452
453         Reviewed by Michael Saboff.
454
455         * stress/sink-put-stack-over-kill-stack.js: Added.
456         (avocado_1):
457         (apricot_0):
458         (__c_0):
459         (banana_2):
460
461 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
462
463         [JSC] Rename runWebAssembly to runWebAssemblySuite
464         https://bugs.webkit.org/show_bug.cgi?id=184703
465
466         Reviewed by JF Bastien.
467
468         And add runWebAssembly as a command to simplely run wasm modules.
469
470         * wasm.yaml:
471
472 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
473
474         [WebAssembly][Modules] Implement function import from wasm modules
475         https://bugs.webkit.org/show_bug.cgi?id=184689
476
477         Reviewed by JF Bastien.
478
479         * wasm.yaml:
480         * wasm/modules/js-wasm-cycle.js: Added.
481         * wasm/modules/js-wasm-cycle/entry.js: Added.
482         (from.string_appeared_here.export.return42):
483         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
484         * wasm/modules/js-wasm-cycle/sum.wat: Added.
485         * wasm/modules/run-from-wasm.wasm: Added.
486         * wasm/modules/run-from-wasm.wat: Added.
487         * wasm/modules/run-from-wasm/check.js: Added.
488         (export.check):
489         * wasm/modules/wasm-imports-js-exports.js: Added.
490         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
491         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
492         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
493         (export.sum):
494         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
495         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
496         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
497         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
498         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
499         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
500         * wasm/modules/wasm-imports-wasm-exports.js: Added.
501         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
502         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
503         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
504         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
505         * wasm/modules/wasm-js-cycle.js: Added.
506         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
507         * wasm/modules/wasm-js-cycle/entry.wat: Added.
508         * wasm/modules/wasm-js-cycle/sum.js: Added.
509         (from.string_appeared_here.export.sum):
510         * wasm/modules/wasm-wasm-cycle.js: Added.
511         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
512         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
513         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
514         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
515
516 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
517
518         [WebAssembly][Modules] Prototype wasm import
519         https://bugs.webkit.org/show_bug.cgi?id=184600
520
521         Reviewed by JF Bastien.
522
523         Add wasm and wat files since module loader want to load wasm files from FS.
524         Currently, importing the other modules from wasm is not supported.
525
526         * wasm.yaml:
527         * wasm/modules/constant.wasm: Added.
528         * wasm/modules/constant.wat: Added.
529         * wasm/modules/js-wasm-function-namespace.js: Added.
530         (assert.throws):
531         * wasm/modules/js-wasm-function.js: Added.
532         (assert.throws):
533         * wasm/modules/js-wasm-global-namespace.js: Added.
534         (assert.throws):
535         * wasm/modules/js-wasm-global.js: Added.
536         (assert.throws):
537         * wasm/modules/js-wasm-memory-namespace.js: Added.
538         (assert.throws):
539         * wasm/modules/js-wasm-memory.js: Added.
540         (assert.throws):
541         * wasm/modules/js-wasm-start.js: Added.
542         (then):
543         * wasm/modules/js-wasm-table-namespace.js: Added.
544         (assert.throws):
545         * wasm/modules/js-wasm-table.js: Added.
546         (assert.throws):
547         * wasm/modules/memory.wasm: Added.
548         * wasm/modules/memory.wat: Added.
549         * wasm/modules/start.wasm: Added.
550         * wasm/modules/start.wat: Added.
551         * wasm/modules/sum.wasm: Added.
552         * wasm/modules/sum.wat: Added.
553         * wasm/modules/table.wasm: Added.
554         * wasm/modules/table.wat: Added.
555
556 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
557
558         Function.prototype.caller shouldn't return generator bodies
559         https://bugs.webkit.org/show_bug.cgi?id=184630
560
561         Reviewed by Yusuke Suzuki.
562
563         * stress/function-caller-async-arrow-function-body.js: Added.
564         * stress/function-caller-async-function-body.js: Added.
565         * stress/function-caller-async-generator-body.js: Added.
566         * stress/function-caller-generator-body.js: Added.
567         * stress/function-caller-generator-method-body.js: Added.
568
569 2018-04-12  Tomas Popela  <tpopela@redhat.com>
570
571         Unreviewed, skip JIT tests if it isn't enabled
572
573         See https://bugs.webkit.org/show_bug.cgi?id=182730.
574
575         * stress/big-int-spec-to-primitive.js:
576         * stress/big-int-spec-to-this.js:
577
578 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
579
580         [ESNext][BigInt] Add support for BigInt in SpeculatedType
581         https://bugs.webkit.org/show_bug.cgi?id=182470
582
583         Reviewed by Saam Barati.
584
585         * stress/big-int-spec-to-primitive.js: Added.
586         * stress/big-int-spec-to-this.js: Added.
587         * stress/big-int-strict-equals-jit.js: Added.
588         * stress/big-int-strict-spec-to-this.js: Added.
589         * stress/big-int-type-of-proven-type.js: Added.
590
591 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
592
593         DFG AI and clobberize should agree with each other
594         https://bugs.webkit.org/show_bug.cgi?id=184440
595
596         Reviewed by Saam Barati.
597         
598         Add tests for all of the bugs I fixed.
599
600         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
601         (foo):
602         * stress/new-typed-array-cse-effects.js: Added.
603         (foo):
604         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
605         (foo.theO):
606         (foo):
607         * stress/string-from-char-code-change-structure-not-dead.js: Added.
608         (foo):
609         (i.valueOf):
610         (weirdValue.valueOf):
611         * stress/string-from-char-code-change-structure.js: Added.
612         (foo):
613         (i.valueOf):
614         (weirdValue.valueOf):
615
616 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
617
618         Fix errant Test262 files CRLF to LF for consistency with the original source
619         https://bugs.webkit.org/show_bug.cgi?id=184425
620
621         Reviewed by Yusuke Suzuki.
622
623         * test262/test/built-ins/Math/acosh/nan-returns.js:
624         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
625         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
626         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
627         * test262/test/built-ins/Math/cbrt/prop-desc.js:
628         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
629         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
630         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
631         * test262/test/built-ins/Math/log2/log2-basicTests.js:
632         * test262/test/built-ins/Math/sign/sign-specialVals.js:
633         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
634         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
635         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
636         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
637
638 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
639
640         Unreviewed, remove incorrect entry in test262.yaml
641         https://bugs.webkit.org/show_bug.cgi?id=184266
642
643         * test262.yaml:
644
645 2018-04-08  Valerie Young  <valerie@bocoup.com>
646
647         [JSC] Update Test262 to April 6 version
648         https://bugs.webkit.org/show_bug.cgi?id=184266
649
650         Rubber stamped by Yusuke Suzuki.
651
652 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
653
654         [JSC] Introduce op_get_by_id_direct
655         https://bugs.webkit.org/show_bug.cgi?id=183970
656
657         Reviewed by Filip Pizlo.
658
659         * stress/generator-prototype-copy.js: Added.
660         (gen):
661         (catch):
662         Adopted JF's tests.
663
664         * stress/generator-type-check.js: Added.
665         (shouldThrow):
666         (foo2):
667         (i.shouldThrow):
668         * stress/get-by-id-direct-getter.js: Added.
669         (shouldBe):
670         (shouldThrow):
671         (obj.get hello):
672         (builtin.createBuiltin):
673         (obj2.get length):
674         * stress/get-by-id-direct.js: Added.
675         (shouldBe):
676         (shouldThrow):
677         (builtin.createBuiltin):
678         * test262.yaml:
679         We fixed long-standing spec compatibility issue.
680         As a result, this patch makes several test262 tests passed!
681
682
683 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
684
685         Unreviewed, annotate test with @skip if $memoryLimited
686         https://bugs.webkit.org/show_bug.cgi?id=183894
687
688         * stress/json-stringified-overflow.js:
689
690 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
691
692         Add svn:eol-style to line-terminator-normalisation-CR.js
693         https://bugs.webkit.org/show_bug.cgi?id=184341
694
695         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
696
697 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
698
699         Unreviewed, remove errant LF from existing test262 test for CR line endings.
700
701         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
702
703 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
704
705         Unreviewed, rolling out r230320.
706
707         Revert fix, as the root cause lies elsewhere.
708
709         Reverted changeset:
710
711         "[test262] Mark line-terminator-normalisation-CR.js as a
712         binary file."
713         https://bugs.webkit.org/show_bug.cgi?id=184341
714         https://trac.webkit.org/changeset/230320
715
716 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
717
718         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
719         https://bugs.webkit.org/show_bug.cgi?id=184341
720
721         Reviewed by Yusuke Suzuki.
722
723         This test is all about CR line endings, but `svn-apply` can't deal with them.
724         Treating the file as binary ensures that its contents never are never shown in a diff.
725
726         * .gitattributes: Added.
727
728 2018-04-05  Robin Morisset  <rmorisset@apple.com>
729
730         Fix testcase (missing try/catch).
731         https://bugs.webkit.org/show_bug.cgi?id=183657
732
733         Unreviewed.
734
735         * stress/large-unshift-splice.js
736
737 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
738
739         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
740         https://bugs.webkit.org/show_bug.cgi?id=184319
741
742         Reviewed by Saam Barati.
743
744         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
745         (foo):
746         (bar):
747         * stress/array-push-nan-to-double-array.js: Added.
748         (foo):
749         (bar):
750
751 2018-04-03  Mark Lam  <mark.lam@apple.com>
752
753         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
754         https://bugs.webkit.org/show_bug.cgi?id=184284
755
756         Reviewed by Saam Barati.
757
758         * stress/js-fixed-array-out-of-memory.js:
759
760 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
761
762         JSC crash in JIT code with for-of loop and Array/Set iterators
763         https://bugs.webkit.org/show_bug.cgi?id=183174
764
765         Reviewed by Saam Barati.
766
767         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
768         (foo):
769         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
770         (f):
771
772 2018-03-30  JF Bastien  <jfbastien@apple.com>
773
774         WebAssembly: support DataView compilation
775         https://bugs.webkit.org/show_bug.cgi?id=183342
776
777         Reviewed by Mark Lam.
778
779         Test WebAssembly compilation using a DataView with offset.
780
781         * wasm/regress/183342.js: Added.
782         (attempt.catch):
783
784 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
785
786         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
787         https://bugs.webkit.org/show_bug.cgi?id=184189
788
789         Reviewed by JF Bastien.
790
791         * stress/load-hole-from-scope-into-live-var.js: Added.
792         (result.eval.try.switch):
793         (catch):
794
795 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
796
797         Unreviewed, rolling out r230102.
798
799         Caused assertion failures on JSC bots.
800
801         Reverted changeset:
802
803         "A stack overflow in the parsing of a builtin (called by
804         createExecutable) cause a crash instead of a catchable js
805         exception"
806         https://bugs.webkit.org/show_bug.cgi?id=184074
807         https://trac.webkit.org/changeset/230102
808
809 2018-03-30  Robin Morisset  <rmorisset@apple.com>
810
811         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
812         https://bugs.webkit.org/show_bug.cgi?id=183812
813
814         Reviewed by Keith Miller.
815
816         * stress/inlining-unreachable-non-tail.js: Added.
817         (foo.):
818         (foo):
819
820 2018-03-30  Robin Morisset  <rmorisset@apple.com>
821
822         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
823         https://bugs.webkit.org/show_bug.cgi?id=184074
824         <rdar://problem/37165897>
825
826         Reviewed by Keith Miller.
827
828         * stress/stack-overflow-while-parsing-builtin.js: Added.
829         (f):
830
831 2018-03-30  Robin Morisset  <rmorisset@apple.com>
832
833         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
834         https://bugs.webkit.org/show_bug.cgi?id=183657
835
836         Reviewed by Keith Miller.
837
838         * stress/large-unshift-splice.js: Added.
839         (make_contig_arr):
840
841 2018-03-28  Robin Morisset  <rmorisset@apple.com>
842
843         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
844         https://bugs.webkit.org/show_bug.cgi?id=183894
845
846         Reviewed by Saam Barati.
847
848         * stress/json-stringified-overflow.js: Added.
849         (catch):
850
851 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
852
853         DFG should know that CreateThis can be effectful
854         https://bugs.webkit.org/show_bug.cgi?id=184013
855
856         Reviewed by Saam Barati.
857
858         * stress/create-this-property-change.js: Added.
859         (Foo):
860         (RealBar):
861         (get if):
862         * stress/create-this-structure-change-without-cse.js: Added.
863         (Foo):
864         (RealBar):
865         (get if):
866         * stress/create-this-structure-change.js: Added.
867         (Foo):
868         (RealBar):
869         (get if):
870
871 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
872
873         [DFG] Introduces fused compare and jump
874         https://bugs.webkit.org/show_bug.cgi?id=177100
875
876         Reviewed by Mark Lam.
877
878         * stress/fused-jeq-slow.js: Added.
879         (shouldBe):
880         (testJEQ):
881         (testJNEQB):
882         (testJEQB):
883         (testJNEQF):
884         (testJEQF):
885         * stress/fused-jeq.js: Added.
886         (shouldBe):
887         (testJEQ):
888         (testJNEQB):
889         (testJEQB):
890         (testJNEQF):
891         (testJEQF):
892         * stress/fused-jstricteq-slow.js: Added.
893         (shouldBe):
894         (testJSTRICTEQ):
895         (testJNSTRICTEQB):
896         (testJSTRICTEQB):
897         (testJNSTRICTEQF):
898         (testJSTRICTEQF):
899         * stress/fused-jstricteq.js: Added.
900         (shouldBe):
901         (testJSTRICTEQ):
902         (testJNSTRICTEQB):
903         (testJSTRICTEQB):
904         (testJNSTRICTEQF):
905         (testJSTRICTEQF):
906
907 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
908
909         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
910         https://bugs.webkit.org/show_bug.cgi?id=183559
911
912         Reviewed by Mark Lam.
913
914         * stress/double-to-string-in-loop-removed.js: Added.
915         (test):
916         * stress/int32-to-string-in-loop-removed.js: Added.
917         (test):
918         * stress/int52-to-string-in-loop-removed.js: Added.
919         (test):
920
921 2018-03-22  Michael Saboff  <msaboff@apple.com>
922
923         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
924         https://bugs.webkit.org/show_bug.cgi?id=183901
925
926         Reviewed by Keith Miller.
927
928         New test.
929
930         * stress/array-reverse-doesnt-clobber.js: Added.
931         (testArrayReverse):
932         (createArrayOfArrays):
933         (createArrayStorage):
934
935 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
936
937         ScopedArguments should do poisoning and index masking
938         https://bugs.webkit.org/show_bug.cgi?id=183863
939
940         Reviewed by Mark Lam.
941         
942         Adds another stress test of scoped arguments.
943
944         * stress/scoped-arguments-test.js: Added.
945         (foo):
946
947 2018-03-20  Saam Barati  <sbarati@apple.com>
948
949         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
950         https://bugs.webkit.org/show_bug.cgi?id=183795
951         <rdar://problem/38298694>
952
953         Reviewed by JF Bastien.
954
955         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
956         (foo):
957         (bar):
958
959 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
960
961         [DFG][FTL] Add vectorLengthHint for NewArray
962         https://bugs.webkit.org/show_bug.cgi?id=183694
963
964         Reviewed by Saam Barati.
965
966         * stress/vector-length-hint-array-constructor.js: Added.
967         (shouldBe):
968         (test):
969         * stress/vector-length-hint-new-array.js: Added.
970         (shouldBe):
971         (test):
972
973 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
974
975         [DFG][FTL] Make ArraySlice(0) code tight
976         https://bugs.webkit.org/show_bug.cgi?id=183590
977
978         Reviewed by Saam Barati.
979
980         * stress/array-slice-with-zero.js: Added.
981         (shouldBe):
982         (test):
983         (test2):
984         * stress/array-slice-zero-args.js: Added.
985         (shouldBe):
986         (test):
987
988 2018-03-14  Caitlin Potter  <caitp@igalia.com>
989
990         [JSC] fix order of evaluation for ClassDefinitionEvaluation
991         https://bugs.webkit.org/show_bug.cgi?id=183523
992
993         Reviewed by Keith Miller.
994
995         Computed property names need to be evaluated in source order during class
996         definition evaluation, as it's observable (and specified to work this way).
997
998         This change improves compatibility with Chromium.
999
1000         * stress/class_elements.js: Added.
1001         (test):
1002         (test.C.prototype.effect):
1003         (test.C.effect):
1004         (test.C.prototype.get effect):
1005         (test.C.prototype.set effect):
1006         (test.C):
1007
1008 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1009
1010         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
1011         https://bugs.webkit.org/show_bug.cgi?id=183310
1012
1013         Reviewed by Filip Pizlo.
1014
1015         * stress/ai-create-this-to-new-object-fire.js: Added.
1016         (assert):
1017         (test):
1018         (func):
1019         (check):
1020         (test.body.A):
1021         (test.body.B):
1022         (test.body):
1023         * stress/ai-create-this-to-new-object.js: Added.
1024         (assert):
1025         (test):
1026         (func):
1027         (check):
1028         (test.body.A):
1029         (test.body.B):
1030         (test.body):
1031
1032 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1033
1034         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
1035         https://bugs.webkit.org/show_bug.cgi?id=181848
1036
1037         Reviewed by Sam Weinig.
1038
1039         * microbenchmarks/regexp-u-global-es5.js: Added.
1040         (fn):
1041         * microbenchmarks/regexp-u-global-es6.js: Added.
1042         (fn):
1043         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
1044         (shouldBe):
1045         (test):
1046         (i.switch):
1047         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
1048         (shouldBe):
1049         (test):
1050
1051 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
1052
1053         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
1054         https://bugs.webkit.org/show_bug.cgi?id=183334
1055
1056         Reviewed by Žan Doberšek.
1057
1058         * stress/var-injection-cache-invalidation.js:
1059
1060 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1061
1062         [ARM] Disable tests that run out of memory
1063         https://bugs.webkit.org/show_bug.cgi?id=182699
1064
1065         Reviewed by Žan Doberšek.
1066
1067         Skip tests that run of of memory. Do not run
1068         modules/module-jit-reachability.js without LLInt to prevent
1069         running out of executable memory.
1070
1071         * modules.yaml:
1072         * modules/module-jit-reachability.js:
1073         * stress/has-own-property-name-cache-string-keys.js:
1074         * stress/has-own-property-name-cache-symbol-keys.js:
1075
1076 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1077
1078         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1079         https://bugs.webkit.org/show_bug.cgi?id=183173
1080
1081         Reviewed by Saam Barati.
1082
1083         * stress/async-arrow-function-in-class-heritage.js: Added.
1084         (testSyntax):
1085         (testSyntaxError):
1086         (SyntaxError):
1087
1088 2018-03-01  Saam Barati  <sbarati@apple.com>
1089
1090         We need to clear cached structures when having a bad time
1091         https://bugs.webkit.org/show_bug.cgi?id=183256
1092         <rdar://problem/36245022>
1093
1094         Reviewed by Mark Lam.
1095
1096         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1097         (assert):
1098         (defineSetter):
1099         (iterate):
1100         (doSlice):
1101
1102 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1103
1104         JSC crash with `import("")`
1105         https://bugs.webkit.org/show_bug.cgi?id=183175
1106
1107         Reviewed by Saam Barati.
1108
1109         * stress/import-with-empty-string.js: Added.
1110
1111 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1112
1113         Unreviewed, skip FTL tests if FTL is disabled
1114         https://bugs.webkit.org/show_bug.cgi?id=183071
1115
1116         * stress/has-indexed-property-array-storage-ftl.js:
1117         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1118
1119 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1120
1121         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1122         https://bugs.webkit.org/show_bug.cgi?id=182965
1123
1124         Reviewed by Saam Barati.
1125
1126         * stress/put-by-val-array-storage.js: Added.
1127         (shouldBe):
1128         (testArrayStorageInBounds):
1129         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1130         (shouldBe):
1131         (testInt32.createBuiltin):
1132         (set for):
1133         * stress/put-by-val-slow-put-array-storage.js: Added.
1134         (shouldBe):
1135         (testArrayStorageInBounds):
1136
1137 2018-02-26  Saam Barati  <sbarati@apple.com>
1138
1139         validateStackAccess should not validate if the offset is within the stack bounds
1140         https://bugs.webkit.org/show_bug.cgi?id=183067
1141         <rdar://problem/37749988>
1142
1143         Reviewed by Mark Lam.
1144
1145         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1146         (assert):
1147         (test.a):
1148         (test.b):
1149         (test):
1150
1151 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1152
1153         Unreviewed, skip FTL tests if FTL is disabled
1154         https://bugs.webkit.org/show_bug.cgi?id=183071
1155
1156         * stress/has-indexed-property-array-storage-ftl.js:
1157         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1158
1159 2018-02-23  Saam Barati  <sbarati@apple.com>
1160
1161         Make Number.isInteger an intrinsic
1162         https://bugs.webkit.org/show_bug.cgi?id=183088
1163
1164         Reviewed by JF Bastien.
1165
1166         * stress/number-is-integer-intrinsic.js: Added.
1167
1168 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1169
1170         WebAssembly: cache memory address / size on instance
1171         https://bugs.webkit.org/show_bug.cgi?id=177305
1172
1173         Reviewed by JF Bastien.
1174
1175         * wasm/function-tests/memory-reuse.js: Added.
1176         (createWasmInstance):
1177         (doCheckTrap):
1178         (doMemoryGrow):
1179         (doCheck):
1180         (checkWasmInstancesWithSharedMemory):
1181
1182 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1183
1184         [JSC] Implement $vm.ftlTrue function for FTL testing
1185         https://bugs.webkit.org/show_bug.cgi?id=183071
1186
1187         Reviewed by Mark Lam.
1188
1189         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1190         (foo):
1191         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1192         (foo):
1193         * stress/dead-fiat-value-to-int52.js:
1194         (foo):
1195         * stress/dead-osr-entry-value.js:
1196         (foo):
1197         * stress/fiat-value-to-int52-then-exit-not-double.js:
1198         (foo):
1199         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1200         (foo):
1201         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1202         (foo):
1203         * stress/fiat-value-to-int52-then-fold.js:
1204         (foo):
1205         * stress/fiat-value-to-int52.js:
1206         (foo):
1207         * stress/fold-based-on-int32-proof-mul-branch.js:
1208         (foo):
1209         * stress/fold-profiled-call-to-call.js:
1210         (foo):
1211         * stress/fold-to-double-constant-then-exit.js:
1212         (foo):
1213         * stress/fold-to-int52-constant-then-exit.js:
1214         (foo):
1215         * stress/fold-to-primitive-in-cfa.js:
1216         (foo):
1217         * stress/fold-to-primitive-to-identity-in-cfa.js:
1218         (foo):
1219         * stress/has-indexed-property-array-storage-ftl.js: Added.
1220         (shouldBe):
1221         (test1):
1222         (test2):
1223         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1224         (shouldBe):
1225         (test1):
1226         (test2):
1227         * stress/int52-ai-add-then-filter-int32.js:
1228         (foo):
1229         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1230         (foo):
1231         * stress/int52-ai-mul-then-filter-int32.js:
1232         (foo):
1233         * stress/int52-ai-neg-then-filter-int32.js:
1234         (foo):
1235         * stress/int52-ai-sub-then-filter-int32.js:
1236         (foo):
1237         * stress/licm-pre-header-cannot-exit-nested.js:
1238         (foo):
1239         * stress/licm-pre-header-cannot-exit.js:
1240         (foo):
1241         * stress/sparse-array-entry-update-144067.js:
1242         (useMemoryToTriggerGCs):
1243         * stress/test-spec-misc.js:
1244         (foo):
1245         * stress/tricky-array-bounds-checks.js:
1246         (foo):
1247
1248 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1251         https://bugs.webkit.org/show_bug.cgi?id=182792
1252
1253         Reviewed by Mark Lam.
1254
1255         * stress/has-indexed-property-array-storage.js: Added.
1256         (shouldBe):
1257         (test1):
1258         (test2):
1259         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1260         (shouldBe):
1261         (test1):
1262         (test2):
1263
1264 2018-02-20  Saam Barati  <sbarati@apple.com>
1265
1266         DFG::VarargsForwardingPhase should eliminate getting argument length
1267         https://bugs.webkit.org/show_bug.cgi?id=182959
1268
1269         Reviewed by Keith Miller.
1270
1271         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1272
1273 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1274
1275         [FTL] Support ArrayPush for ArrayStorage
1276         https://bugs.webkit.org/show_bug.cgi?id=182782
1277
1278         Reviewed by Saam Barati.
1279
1280         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1281
1282         * stress/array-push-array-storage-beyond-int32.js: Added.
1283         (shouldBe):
1284         (test):
1285         * stress/array-push-array-storage.js: Added.
1286         (shouldBe):
1287         (test):
1288         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1289         (shouldBe):
1290         (test):
1291         * stress/array-push-multiple-storage-continuous.js: Added.
1292         (shouldBe):
1293         (test):
1294
1295 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1296
1297         [FTL] Support ArrayPop for ArrayStorage
1298         https://bugs.webkit.org/show_bug.cgi?id=182783
1299
1300         Reviewed by Saam Barati.
1301
1302         * stress/array-pop-array-storage.js: Added.
1303         (shouldBe):
1304         (test):
1305
1306 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1307
1308         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1309         https://bugs.webkit.org/show_bug.cgi?id=182731
1310
1311         Reviewed by Saam Barati.
1312
1313         * stress/arrayify-array-storage-array.js: Added.
1314         (shouldBe):
1315         (testArrayStorage):
1316         * stress/arrayify-array-storage-non-array.js: Added.
1317         (shouldBe):
1318         (testArrayStorage):
1319         * stress/arrayify-array-storage.js: Added.
1320         (shouldBe):
1321         (testArrayStorage):
1322         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1323         (shouldBe):
1324         (testArrayStorage):
1325         * stress/arrayify-slow-put-array-storage.js: Added.
1326         (shouldBe):
1327         (testArrayStorage):
1328
1329 2018-02-19  Saam Barati  <sbarati@apple.com>
1330
1331         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1332         https://bugs.webkit.org/show_bug.cgi?id=182942
1333         <rdar://problem/37584764>
1334
1335         Reviewed by Mark Lam.
1336
1337         * stress/get-prototype-create-this-effectful.js: Added.
1338
1339 2018-02-16  Saam Barati  <sbarati@apple.com>
1340
1341         Fix bugs from r228411
1342         https://bugs.webkit.org/show_bug.cgi?id=182851
1343         <rdar://problem/37577732>
1344
1345         Reviewed by JF Bastien.
1346
1347         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1348
1349 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1350
1351         Unreviewed, roll out r228366 since it did not progress anything.
1352
1353         * stress/gc-error-stack.js: Removed.
1354         * stress/no-gc-error-stack.js: Removed.
1355
1356 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1357
1358         Many stress tests fail with JIT disabled
1359         https://bugs.webkit.org/show_bug.cgi?id=182730
1360
1361         Reviewed by Saam Barati.
1362
1363         These tests are broken by design if the JIT is disabled - they test
1364         the return value of numberOfDFGCompiles(), which is always set to
1365         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1366
1367         * stress/arith-abs-on-various-types.js:
1368         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1369         * stress/arith-acos-on-various-types.js:
1370         * stress/arith-acosh-on-various-types.js:
1371         * stress/arith-asin-on-various-types.js:
1372         * stress/arith-asinh-on-various-types.js:
1373         * stress/arith-atan-on-various-types.js:
1374         * stress/arith-atanh-on-various-types.js:
1375         * stress/arith-cbrt-on-various-types.js:
1376         * stress/arith-ceil-on-various-types.js:
1377         * stress/arith-clz32-on-various-types.js:
1378         * stress/arith-cos-on-various-types.js:
1379         * stress/arith-cosh-on-various-types.js:
1380         * stress/arith-expm1-on-various-types.js:
1381         * stress/arith-floor-on-various-types.js:
1382         * stress/arith-fround-on-various-types.js:
1383         * stress/arith-log-on-various-types.js:
1384         * stress/arith-log10-on-various-types.js:
1385         * stress/arith-log2-on-various-types.js:
1386         * stress/arith-negate-on-various-types.js:
1387         * stress/arith-round-on-various-types.js:
1388         * stress/arith-sin-on-various-types.js:
1389         * stress/arith-sinh-on-various-types.js:
1390         * stress/arith-sqrt-on-various-types.js:
1391         * stress/arith-tan-on-various-types.js:
1392         * stress/arith-tanh-on-various-types.js:
1393         * stress/arith-trunc-on-various-types.js:
1394         * stress/compare-strict-eq-on-various-types.js:
1395
1396 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1397
1398         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1399
1400         Unreviewed test gardening.
1401
1402         * stress/new-largeish-contiguous-array-with-size.js:
1403
1404 2018-02-14  Saam Barati  <sbarati@apple.com>
1405
1406         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1407         https://bugs.webkit.org/show_bug.cgi?id=182801
1408
1409         Reviewed by Keith Miller.
1410
1411         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1412
1413 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1414
1415         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1416         https://bugs.webkit.org/show_bug.cgi?id=182526
1417
1418         Unreviewed test gardening.
1419
1420         * stress/activation-sink-default-value-tdz-error.js:
1421
1422 2018-02-13  Saam Barati  <sbarati@apple.com>
1423
1424         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1425         https://bugs.webkit.org/show_bug.cgi?id=182755
1426         <rdar://problem/37080864>
1427
1428         Reviewed by Keith Miller.
1429
1430         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1431         (test1.o.get 10005):
1432         (test1):
1433         (test2.o.get 1000):
1434         (test2):
1435
1436 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1437
1438         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1439         https://bugs.webkit.org/show_bug.cgi?id=182717
1440
1441         Reviewed by Yusuke Suzuki.
1442
1443         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1444         literals, to allow template callsite arrays to be collected when the
1445         code containing the tagged template call is collected. This spec change
1446         has received concensus and been ratified.
1447
1448         This change eliminates the eternal map associating template contents
1449         with arrays.
1450
1451         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1452         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1453         * stress/tagged-templates-identity.js:
1454         * stress/template-string-tags-eval.js:
1455         * test262.yaml:
1456
1457 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1458
1459         Support GetArrayLength on ArrayStorage in the FTL
1460         https://bugs.webkit.org/show_bug.cgi?id=182625
1461
1462         Reviewed by Saam Barati.
1463
1464         * stress/array-storage-length.js: Added.
1465         (shouldBe):
1466         (testInBound):
1467         (testUncountable):
1468         (testSlowPutInBound):
1469         (testSlowPutUncountable):
1470         * stress/undecided-length.js: Added.
1471         (shouldBe):
1472         (test2):
1473
1474 2018-02-12  Saam Barati  <sbarati@apple.com>
1475
1476         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1477         https://bugs.webkit.org/show_bug.cgi?id=182706
1478         <rdar://problem/36833681>
1479
1480         Reviewed by Filip Pizlo.
1481
1482         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1483         (effects):
1484         (foo):
1485
1486 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1487
1488         Don't waste memory for error.stack
1489         https://bugs.webkit.org/show_bug.cgi?id=182656
1490
1491         Reviewed by Saam Barati.
1492         
1493         Tests the policy.
1494
1495         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1496         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1497
1498 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1499
1500         [JSC] Update Test262 to Feb 9 version
1501         https://bugs.webkit.org/show_bug.cgi?id=182468
1502
1503         Reviewed by Saam Barati.
1504
1505 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1506
1507         Unreviewed, fix invalid line terminator in old test262 file part 2
1508         https://bugs.webkit.org/show_bug.cgi?id=182468
1509
1510         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1511
1512 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1513
1514         Unreviewed, fix invalid line terminator in old test262 file
1515         https://bugs.webkit.org/show_bug.cgi?id=182468
1516
1517         * test262/test/language/literals/regexp/7.8.5-1.js:
1518
1519 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1520
1521         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1522         https://bugs.webkit.org/show_bug.cgi?id=182440
1523
1524         Reviewed by Darin Adler.
1525
1526         * stress/array-flatmap.js: Added.
1527         (shouldBe):
1528         (shouldBeArray):
1529         (shouldThrow):
1530         (var):
1531         * stress/array-flatten.js: Added.
1532         (shouldBe):
1533         (shouldBeArray):
1534         * test262.yaml:
1535         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1536         (3.flatMap):
1537         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1538
1539 2018-02-06  Keith Miller  <keith_miller@apple.com>
1540
1541         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1542         https://bugs.webkit.org/show_bug.cgi?id=182549
1543         <rdar://problem/36189995>
1544
1545         Reviewed by Saam Barati.
1546
1547         * stress/var-injection-cache-invalidation.js: Added.
1548         (allocateLotsOfThings):
1549         (test):
1550
1551 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1552
1553         Unreviewed, follow up for test262 update
1554         https://bugs.webkit.org/show_bug.cgi?id=182288
1555
1556         * test262.yaml:
1557
1558 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1559
1560         Update test262 to Jan 30 version
1561         https://bugs.webkit.org/show_bug.cgi?id=182288
1562
1563         Unreviewed test gardening.
1564
1565         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1566
1567 2018-02-02  Saam Barati  <sbarati@apple.com>
1568
1569         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1570         https://bugs.webkit.org/show_bug.cgi?id=182368
1571         <rdar://problem/36932466>
1572
1573         Reviewed by Mark Lam.
1574
1575         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1576         (runNearStackLimit.t):
1577         (runNearStackLimit):
1578         (try.runNearStackLimit):
1579         (catch):
1580
1581 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1582
1583         Update test262 to Jan 30 version
1584         https://bugs.webkit.org/show_bug.cgi?id=182288
1585
1586         Rubber stamped by Saam Barati.
1587
1588         This patch updates test262 to the latest one, Jan 30 version.
1589         Since added and changed files are too many, we cannot create ChangeLog.
1590         The following files are changed.
1591
1592         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1593         including some special line terminators (like u2028, u2029).
1594
1595         * test262.yaml:
1596         * test262/test262-Revision.txt:
1597         * test262/*:
1598
1599 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1600
1601         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1602         https://bugs.webkit.org/show_bug.cgi?id=182411
1603
1604         Reviewed by Carlos Alberto Lopez Perez.
1605
1606         This is skipped only on arm memory limited platforms. Until recently
1607         it was not a problem on MIPS as the butterfly was not initialized. But
1608         since r227435, the butterfly is initialized in that test and therefore
1609         memory is allocated, and the test typically takes around 512M, which
1610         means it generally gets OOM-killed on the MIPS buildbot.
1611
1612         * mozilla/mozilla-tests.yaml:
1613
1614 2018-02-01  Mark Lam  <mark.lam@apple.com>
1615
1616         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1617         https://bugs.webkit.org/show_bug.cgi?id=182419
1618         <rdar://problem/37044945>
1619
1620         Reviewed by Saam Barati.
1621
1622         * stress/regress-182419.js: Added.
1623
1624 2018-02-01  Keith Miller  <keith_miller@apple.com>
1625
1626         Fix crashes due to mishandling custom sections.
1627         https://bugs.webkit.org/show_bug.cgi?id=182404
1628         <rdar://problem/36935863>
1629
1630         Reviewed by Saam Barati.
1631
1632         * wasm/Builder.js:
1633         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1634         * wasm/js-api/validate.js:
1635         (assert.truthy):
1636
1637 2018-01-31  Saam Barati  <sbarati@apple.com>
1638
1639         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1640         https://bugs.webkit.org/show_bug.cgi?id=182074
1641         <rdar://problem/36846261>
1642
1643         Reviewed by Mark Lam.
1644
1645         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1646         (assert):
1647         (let.func):
1648         (let.o.foo):
1649         (varFunc):
1650
1651 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1652
1653         Unreviewed, update test262 expects
1654         https://bugs.webkit.org/show_bug.cgi?id=182232
1655
1656         * test262.yaml:
1657
1658 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1659
1660         [JSC] Implement trimStart and trimEnd
1661         https://bugs.webkit.org/show_bug.cgi?id=182233
1662
1663         Reviewed by Mark Lam.
1664
1665         * stress/trim.js: Added.
1666         (shouldBe):
1667         (startTest):
1668         (endTest):
1669         (trimTest):
1670
1671 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1672
1673         [JSC] Relax line terminators in String to make JSON subset of JS
1674         https://bugs.webkit.org/show_bug.cgi?id=182232
1675
1676         Reviewed by Keith Miller.
1677
1678         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1679         * stress/relaxed-line-terminators-in-string.js: Added.
1680         (shouldBe):
1681
1682 2018-01-29  Michael Saboff  <msaboff@apple.com>
1683
1684         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1685         https://bugs.webkit.org/show_bug.cgi?id=182249
1686
1687         Reviewed by Keith Miller.
1688
1689         New regression test.
1690
1691         * stress/compare-clobber-untypeduse.js: Added.
1692
1693 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1694
1695         Unreviewed, rolling out r227725.
1696
1697         This caused internal failures.
1698
1699         Reverted changeset:
1700
1701         "JSC Sampling Profiler: Detect tester and testee when sampling
1702         in RegExp JIT"
1703         https://bugs.webkit.org/show_bug.cgi?id=152729
1704         https://trac.webkit.org/changeset/227725
1705
1706 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1707
1708         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1709         https://bugs.webkit.org/show_bug.cgi?id=152729
1710
1711         Reviewed by Saam Barati.
1712
1713         * stress/sampling-profiler-regexp.js: Added.
1714         (platformSupportsSamplingProfiler.test):
1715         (platformSupportsSamplingProfiler.baz):
1716         (platformSupportsSamplingProfiler):
1717
1718 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1719
1720         [DFG][FTL] WeakMap#set should have DFG node
1721         https://bugs.webkit.org/show_bug.cgi?id=180015
1722
1723         Reviewed by Saam Barati.
1724
1725         * stress/weakmap-set-change-get.js: Added.
1726         (shouldBe):
1727         (test):
1728         * stress/weakmap-set-cse.js: Added.
1729         (shouldBe):
1730         (test):
1731         * stress/weakset-add-change-get.js: Added.
1732         (shouldBe):
1733         * stress/weakset-add-cse.js: Added.
1734         (shouldBe):
1735
1736 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1737
1738         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1739         https://bugs.webkit.org/show_bug.cgi?id=182213
1740
1741         Reviewed by Mark Lam.
1742
1743         * stress/int32-min-to-string.js: Added.
1744         (shouldBe):
1745         (test2):
1746         (test4):
1747         (test8):
1748         (test16):
1749         (test32):
1750         * stress/zero-to-string.js: Added.
1751         (shouldBe):
1752         (test2):
1753         (test4):
1754         (test8):
1755         (test16):
1756         (test32):
1757
1758 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1759
1760         Add more module scope related tests with code evaluation by string
1761         https://bugs.webkit.org/show_bug.cgi?id=181983
1762
1763         Reviewed by Sam Weinig.
1764
1765         Add more module scope related tests. When the original tests are landed,
1766         we do not have browser integration. This patch adds more module scope tests
1767         with dynamically created script evaluation. We add tests with Function
1768         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1769
1770         * modules/scopes-eval.js: Added.
1771         (shouldBe):
1772         * modules/scopes.js:
1773         (shouldBe):
1774
1775 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1776
1777         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1778
1779         * microbenchmarks/array-push-3.js: Removed.
1780         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1781         * microbenchmarks/double-to-int32.js: Removed.
1782         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1783         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1784         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1785         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1786         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1787         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1788         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1789         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1790         * microbenchmarks/map-constant-key.js: Removed.
1791         * microbenchmarks/nested-function-parsing.js: Removed.
1792         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1793         * microbenchmarks/spread-large-array.js: Removed.
1794         * microbenchmarks/string-add-constant-folding.js: Removed.
1795         * microbenchmarks/to-lower-case.js: Removed.
1796         * microbenchmarks/undefined-property-access.js: Removed.
1797         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1798         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1799         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1800         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1801         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1802         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1803         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1804         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1805         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1806         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1807         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1808         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1809         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1810         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1811         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1812         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1813         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1814         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1815
1816 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1817
1818         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1819         https://bugs.webkit.org/show_bug.cgi?id=181739
1820         <rdar://problem/36627662>
1821
1822         Reviewed by Saam Barati.
1823
1824         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1825         (foo):
1826         (bar):
1827
1828 2018-01-22  Michael Saboff  <msaboff@apple.com>
1829
1830         DFG abstract interpreter needs to properly model effects of some Math ops
1831         https://bugs.webkit.org/show_bug.cgi?id=181886
1832
1833         Reviewed by Saam Barati.
1834
1835         New regression test.
1836
1837         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1838         (test):
1839
1840 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1841
1842         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1843         https://bugs.webkit.org/show_bug.cgi?id=181182
1844
1845         Reviewed by Darin Adler.
1846
1847         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1848         * stress/big-int-prototype-to-string-exception.js: Added.
1849         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1850         * stress/number-prototype-to-string-cast-overflow.js: Added.
1851         * stress/number-prototype-to-string-exception.js: Added.
1852         * stress/number-prototype-to-string-wrong-values.js: Added.
1853
1854 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1855
1856         Disable Atomics when SharedArrayBuffer isn’t enabled
1857         https://bugs.webkit.org/show_bug.cgi?id=181572
1858
1859         Unreviewed test gardening.
1860
1861         * test262.yaml: Skip tests that fail after this change.
1862
1863 2018-01-19  Saam Barati  <sbarati@apple.com>
1864
1865         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1866         https://bugs.webkit.org/show_bug.cgi?id=181877
1867         <rdar://problem/36630552>
1868
1869         Reviewed by Mark Lam.
1870
1871         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1872         (runNearStackLimit):
1873         (f1):
1874         (f2):
1875         (f3):
1876         (i.catch):
1877         (i.try.runNearStackLimit):
1878         (catch):
1879
1880 2018-01-19  Saam Barati  <sbarati@apple.com>
1881
1882         Spread's effects are modeled incorrectly both in AI and in Clobberize
1883         https://bugs.webkit.org/show_bug.cgi?id=181867
1884         <rdar://problem/36290415>
1885
1886         Reviewed by Michael Saboff.
1887
1888         * stress/ai-needs-to-model-spreads-effects.js: Added.
1889         (try.p.Symbol.iterator):
1890         (try.go):
1891         (catch):
1892         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1893         (assert):
1894         (foo):
1895         (a.Symbol.iterator):
1896
1897 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1898
1899         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1900         https://bugs.webkit.org/show_bug.cgi?id=181535
1901
1902         * stress/inserted-recovery-with-set-last-index.js:
1903
1904 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1905
1906         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1907         https://bugs.webkit.org/show_bug.cgi?id=181535
1908
1909         Reviewed by Saam Barati.
1910
1911         * stress/inserted-recovery-with-set-last-index.js: Added.
1912         (shouldBe):
1913         (foo):
1914         * stress/materialize-regexp-at-osr-exit.js: Added.
1915         (shouldBe):
1916         (test):
1917         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1918         (shouldBe):
1919         (test):
1920         * stress/materialize-regexp-cyclic-regexp.js: Added.
1921         (shouldBe):
1922         (test):
1923         (i.switch):
1924         * stress/materialize-regexp-cyclic.js: Added.
1925         (shouldBe):
1926         (test):
1927         (i.switch):
1928         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1929         (bar):
1930         (foo):
1931         (test):
1932         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1933         (bar):
1934         (foo):
1935         (test):
1936         * stress/materialize-regexp.js: Added.
1937         (shouldBe):
1938         (test):
1939         * stress/phantom-regexp-regexp-exec.js: Added.
1940         (shouldBe):
1941         (test):
1942         * stress/phantom-regexp-string-match.js: Added.
1943         (shouldBe):
1944         (test):
1945         * stress/regexp-last-index-sinking.js: Added.
1946         (shouldBe):
1947         (test):
1948
1949 2018-01-17  Saam Barati  <sbarati@apple.com>
1950
1951         Disable Atomics when SharedArrayBuffer isn’t enabled
1952         https://bugs.webkit.org/show_bug.cgi?id=181572
1953         <rdar://problem/36553206>
1954
1955         Reviewed by Michael Saboff.
1956
1957         * stress/isLockFree.js:
1958
1959 2018-01-17  Saam Barati  <sbarati@apple.com>
1960
1961         DFG::Node::convertToConstant needs to clear the varargs flags
1962         https://bugs.webkit.org/show_bug.cgi?id=181697
1963         <rdar://problem/36497332>
1964
1965         Reviewed by Yusuke Suzuki.
1966
1967         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1968         (doIndexOf):
1969         (bar):
1970         (i.bar):
1971
1972 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1973
1974         Unreviewed, rolling out r226937.
1975
1976         Tests added with this change are failing due to a missing
1977         exception check.
1978
1979         Reverted changeset:
1980
1981         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1982         double to int32_t"
1983         https://bugs.webkit.org/show_bug.cgi?id=181182
1984         https://trac.webkit.org/changeset/226937
1985
1986 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1987
1988         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1989         https://bugs.webkit.org/show_bug.cgi?id=181182
1990
1991         Reviewed by Darin Adler.
1992
1993         * bigIntTests.yaml:
1994         * stress/big-int-constructor.js:
1995         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1996         (assert):
1997         (assertThrowRangeError):
1998         * stress/number-prototype-to-string-cast-overflow.js: Added.
1999         (assert):
2000         (assertThrowRangeError):
2001
2002 2018-01-12  Saam Barati  <sbarati@apple.com>
2003
2004         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
2005         https://bugs.webkit.org/show_bug.cgi?id=181177
2006         <rdar://problem/36205704>
2007
2008         Reviewed by Yusuke Suzuki.
2009
2010         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
2011         (runNearStackLimit.t):
2012         (runNearStackLimit):
2013         (test.f):
2014         (test):
2015
2016 2018-01-12  Saam Barati  <sbarati@apple.com>
2017
2018         Each variant of a polymorphic inlined call should be exitOK at the top of the block
2019         https://bugs.webkit.org/show_bug.cgi?id=181562
2020         <rdar://problem/36445624>
2021
2022         Reviewed by Yusuke Suzuki.
2023
2024         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
2025         (f):
2026         (foo):
2027
2028 2018-01-11  Saam Barati  <sbarati@apple.com>
2029
2030         When inserting Unreachable in byte code parser we need to flush all the right things
2031         https://bugs.webkit.org/show_bug.cgi?id=181509
2032         <rdar://problem/36423110>
2033
2034         Reviewed by Mark Lam.
2035
2036         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
2037
2038 2018-01-11  Saam Barati  <sbarati@apple.com>
2039
2040         JITMathIC code in the FTL is wrong when code gets duplicated
2041         https://bugs.webkit.org/show_bug.cgi?id=181525
2042         <rdar://problem/36351993>
2043
2044         Reviewed by Michael Saboff and Keith Miller.
2045
2046         * stress/allow-math-ic-b3-code-duplication.js: Added.
2047
2048 2018-01-11  Saam Barati  <sbarati@apple.com>
2049
2050         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
2051         https://bugs.webkit.org/show_bug.cgi?id=181508
2052
2053         Reviewed by Yusuke Suzuki.
2054
2055         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
2056         (assert):
2057         (test1.foo):
2058         (test1):
2059         (test2.foo):
2060         (test2):
2061
2062 2018-01-09  Mark Lam  <mark.lam@apple.com>
2063
2064         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
2065         https://bugs.webkit.org/show_bug.cgi?id=181388
2066         <rdar://problem/36349351>
2067
2068         Reviewed by Saam Barati.
2069
2070         * stress/regress-181388.js: Added.
2071
2072 2018-01-08  JF Bastien  <jfbastien@apple.com>
2073
2074         WebAssembly: mask indexed accesses to Table
2075         https://bugs.webkit.org/show_bug.cgi?id=181412
2076         <rdar://problem/36363236>
2077
2078         Reviewed by Saam Barati.
2079
2080         Update error messages.
2081
2082         * wasm/js-api/table.js:
2083         (assert.throws.WebAssembly.Table.prototype.grow):
2084
2085 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2086
2087         Disable SharedArrayBuffer tests missed in r226386.
2088         https://bugs.webkit.org/show_bug.cgi?id=181266
2089
2090         Unreviewed test gardening.
2091
2092         * test262.yaml:
2093
2094 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2095
2096         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2097         https://bugs.webkit.org/show_bug.cgi?id=181321
2098
2099         Reviewed by Saam Barati.
2100
2101         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2102         (shouldBe):
2103         (testFunction):
2104         * test262.yaml:
2105
2106 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2107
2108         Unreviewed, attempt to fix test262 after r226386.
2109
2110         * test262.yaml:
2111
2112 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2113
2114         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2115         https://bugs.webkit.org/show_bug.cgi?id=179911
2116
2117         Reviewed by Saam Barati.
2118
2119         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2120
2121         * stress/map-set-change-get.js: Added.
2122         (shouldBe):
2123         (test):
2124         * stress/map-set-create-bucket.js: Added.
2125         (shouldBe):
2126         (test):
2127         * stress/set-add-create-bucket.js: Added.
2128         (shouldBe):
2129
2130 2018-01-03  Michael Saboff  <msaboff@apple.com>
2131
2132         Disable SharedArrayBuffers from Web API
2133         https://bugs.webkit.org/show_bug.cgi?id=181266
2134
2135         Reviewed by Saam Barati.
2136
2137         Disabled SharedArrayBuffer tests.
2138
2139         * stress/SharedArrayBuffer-opt.js:
2140         * stress/SharedArrayBuffer.js:
2141         * stress/array-buffer-byte-length.js:
2142         * stress/atomics-add-uint32.js:
2143         * stress/atomics-known-int-use.js:
2144         * stress/atomics-neg-zero.js:
2145         * stress/atomics-store-return.js:
2146         * stress/lars-sab-workers.js:
2147         * stress/regress-159779-1.js:
2148         * stress/regress-159779-2.js:
2149         * stress/regress-170473.js:
2150         * test262.yaml:
2151
2152 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2153
2154         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2155         https://bugs.webkit.org/show_bug.cgi?id=181258
2156
2157         Reviewed by Antonio Gomes.
2158
2159         * stress/big-int-constructor-gc.js:
2160         * stress/big-int-constructor-oom.js:
2161
2162 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2163
2164         Inlining of a function that ends in op_unreachable crashes
2165         https://bugs.webkit.org/show_bug.cgi?id=181027
2166
2167         Reviewed by Filip Pizlo.
2168
2169         * stress/inlining-unreachable.js: Added.
2170         (bar):
2171         (baz):
2172         (i.catch):
2173
2174 2018-01-02  Saam Barati  <sbarati@apple.com>
2175
2176         Incorrect assertion inside AccessCase
2177         https://bugs.webkit.org/show_bug.cgi?id=181200
2178         <rdar://problem/35494754>
2179
2180         Reviewed by Yusuke Suzuki.
2181
2182         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2183         (ctor):
2184         (theFunc):
2185         (run):
2186
2187 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2188
2189         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2190         https://bugs.webkit.org/show_bug.cgi?id=175359
2191
2192         Reviewed by Yusuke Suzuki.
2193
2194         * bigIntTests.yaml:
2195         * stress/big-int-as-key.js: Added.
2196         * stress/big-int-constructor-gc.js: Added.
2197         * stress/big-int-constructor-oom.js: Added.
2198         * stress/big-int-constructor-properties.js: Added.
2199         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2200         * stress/big-int-constructor-prototype.js: Added.
2201         * stress/big-int-constructor.js: Added.
2202         * stress/big-int-function-apply.js:
2203         * stress/big-int-length.js: Added.
2204         * stress/big-int-prop-descriptor.js: Added.
2205         * stress/big-int-proto-constructor.js: Added.
2206         * stress/big-int-proto-name.js: Added.
2207         * stress/big-int-prototype-properties.js: Added.
2208         * stress/big-int-prototype-proto.js: Added.
2209         * stress/big-int-prototype-value-of.js: Added.
2210         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2211         * stress/big-int-prototype-to-string-apply.js: Added.
2212         * stress/big-int-to-object.js: Added.
2213         * stress/big-int-to-string.js: Added.
2214
2215 2017-12-28  Saam Barati  <sbarati@apple.com>
2216
2217         Assertion used to determine if something is an async generator is wrong
2218         https://bugs.webkit.org/show_bug.cgi?id=181168
2219         <rdar://problem/35640560>
2220
2221         Reviewed by Yusuke Suzuki.
2222
2223         * stress/async-generator-assertion.js: Added.
2224
2225 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2226
2227         Skip stress/splay-flash-access tests on memory limited platforms
2228         https://bugs.webkit.org/show_bug.cgi?id=181086
2229
2230         Reviewed by Carlos Alberto Lopez Perez.
2231
2232         These tests use about 185M of memory, and occasionally get OOM-killed
2233         on memory limited platforms.
2234
2235         * stress/splay-flash-access-1ms.js:
2236         * stress/splay-flash-access.js:
2237
2238 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2239
2240         Skip slow jsc tests on embedded platforms
2241         https://bugs.webkit.org/show_bug.cgi?id=180937
2242
2243         Reviewed by Carlos Alberto Lopez Perez.
2244
2245         The tests typeProfiler/deltablue-for-of.js and
2246         typeProfiler/getter-richards.js take a very long time in the
2247         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2248         thus always timeout. They should be skipped on these platforms.
2249
2250         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2251         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2252
2253 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2254
2255         [JSC] Do not check isValid() in op_new_regexp
2256         https://bugs.webkit.org/show_bug.cgi?id=180970
2257
2258         Reviewed by Saam Barati.
2259
2260         * stress/regexp-syntax-error-invalid-flags.js: Added.
2261         (shouldThrow):
2262
2263 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2264
2265         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2266         https://bugs.webkit.org/show_bug.cgi?id=180712
2267
2268         Reviewed by Michael Catanzaro.
2269
2270         stress/call-apply-exponential-bytecode-size.js crashes if the
2271         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2272         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2273         should skip the test on other platforms.
2274
2275         * stress/call-apply-exponential-bytecode-size.js:
2276
2277 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2278
2279         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2280         https://bugs.webkit.org/show_bug.cgi?id=179762
2281
2282         Reviewed by Saam Barati.
2283
2284         * stress/call-varargs-double-new-array-buffer.js: Added.
2285         (assert):
2286         (bar):
2287         (foo):
2288         * stress/call-varargs-spread-new-array-buffer.js: Added.
2289         (assert):
2290         (bar):
2291         (foo):
2292         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2293         (assert):
2294         (bar):
2295         (foo):
2296         * stress/forward-varargs-double-new-array-buffer.js: Added.
2297         (assert):
2298         (test.baz):
2299         (test.bar):
2300         (test.foo):
2301         (test):
2302         * stress/new-array-buffer-sinking-osrexit.js: Added.
2303         (target):
2304         (test):
2305         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2306         (shouldBe):
2307         (test):
2308         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2309         (shouldBe):
2310         (target):
2311         (test):
2312         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2313         (assert):
2314         (test1.bar):
2315         (test1.foo):
2316         (test1):
2317         (test2.bar):
2318         (test2.foo):
2319         (test3.baz):
2320         (test3.bar):
2321         (test3.foo):
2322         (test4.baz):
2323         (test4.bar):
2324         (test4.foo):
2325         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2326         (assert):
2327         (test.baz):
2328         (test.bar):
2329         (test.foo):
2330         (test):
2331         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2332         (assert):
2333         (baz):
2334         (bar):
2335         (effects):
2336         (foo):
2337
2338 2017-12-14  Saam Barati  <sbarati@apple.com>
2339
2340         The CleanUp after LICM is erroneously removing a Check
2341         https://bugs.webkit.org/show_bug.cgi?id=180852
2342         <rdar://problem/36063494>
2343
2344         Reviewed by Filip Pizlo.
2345
2346         * stress/dont-run-cleanup-after-licm.js: Added.
2347
2348 2017-12-14  Michael Saboff  <msaboff@apple.com>
2349
2350         REGRESSION (r225695): Repro crash on yahoo login page
2351         https://bugs.webkit.org/show_bug.cgi?id=180761
2352
2353         Reviewed by JF Bastien.
2354
2355         New regression test.
2356
2357         * stress/regress-180761.js: Added.
2358
2359 2017-12-13  Keith Miller  <keith_miller@apple.com>
2360
2361         JSObjects should have a mask for loading indexed properties
2362         https://bugs.webkit.org/show_bug.cgi?id=180768
2363
2364         Reviewed by Mark Lam.
2365
2366         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2367         (test):
2368
2369 2017-12-13  Saam Barati  <sbarati@apple.com>
2370
2371         Arrow functions need their own structure because they have different properties than sloppy functions
2372         https://bugs.webkit.org/show_bug.cgi?id=180779
2373         <rdar://problem/35814591>
2374
2375         Reviewed by Mark Lam.
2376
2377         * stress/arrow-function-needs-its-own-structure.js: Added.
2378         (assert):
2379         (readPrototype):
2380         (noInline.let.f1):
2381         (noInline):
2382
2383 2017-12-13  Saam Barati  <sbarati@apple.com>
2384
2385         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2386         https://bugs.webkit.org/show_bug.cgi?id=163579
2387         <rdar://problem/35455798>
2388
2389         Reviewed by Mark Lam.
2390
2391         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2392         (assert):
2393         (test1):
2394         (i.test1):
2395         (i.test1.C):
2396         (i.test1.async.foo):
2397         (i.test1.foo):
2398         (test2):
2399
2400 2017-12-13  Saam Barati  <sbarati@apple.com>
2401
2402         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2403         https://bugs.webkit.org/show_bug.cgi?id=180734
2404         <rdar://problem/35640547>
2405
2406         Reviewed by Yusuke Suzuki.
2407
2408         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2409         (__isPropertyOfType):
2410         (__getProperties):
2411         (__getObjects):
2412         (__getRandomObject):
2413         (theClass.):
2414         (theClass):
2415         (childClass):
2416         (counter.catch):
2417
2418 2017-12-12  Saam Barati  <sbarati@apple.com>
2419
2420         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2421         https://bugs.webkit.org/show_bug.cgi?id=180725
2422         <rdar://problem/35970511>
2423
2424         Reviewed by Michael Saboff.
2425
2426         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2427         (f1):
2428         (f2):
2429         (let.o2.valueOf):
2430
2431 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2432
2433         [JSC] Implement optimized WeakMap and WeakSet
2434         https://bugs.webkit.org/show_bug.cgi?id=179929
2435
2436         Reviewed by Saam Barati.
2437
2438         * microbenchmarks/weak-map-key.js:
2439         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2440         (assert):
2441         (objectKey):
2442         (let.start.Date.now):
2443         * stress/basic-weakmap.js: Added.
2444         (shouldBe):
2445         (test):
2446         * stress/basic-weakset.js: Added.
2447         (shouldBe):
2448         (test.set new):
2449         * stress/weakmap-cse-set-break.js: Added.
2450         (shouldBe):
2451         (test):
2452         * stress/weakmap-cse.js: Added.
2453         (shouldBe):
2454         (test):
2455         * stress/weakmap-gc.js: Added.
2456         (test):
2457         * stress/weakset-cse-add-break.js: Added.
2458         (shouldBe):
2459         (test.set new):
2460         * stress/weakset-cse.js: Added.
2461         (shouldBe):
2462         (test.set new):
2463         * stress/weakset-gc.js: Added.
2464         (test.set add):
2465         (test.set new):
2466         (test):
2467
2468 2017-12-12  Saam Barati  <sbarati@apple.com>
2469
2470         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2471         https://bugs.webkit.org/show_bug.cgi?id=180723
2472         <rdar://problem/35859726>
2473
2474         Reviewed by JF Bastien.
2475
2476         * stress/get-my-argument-by-val-constant-folding.js: Added.
2477         (test):
2478         (catch):
2479
2480 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2481
2482         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2483         https://bugs.webkit.org/show_bug.cgi?id=179000
2484
2485         Reviewed by Darin Adler and Yusuke Suzuki.
2486
2487         * bigIntTests.yaml: Added.
2488         * stress/big-int-literal-line-terminator.js: Added.
2489         * stress/big-int-literals.js: Added.
2490         * stress/big-int-operations-error.js: Added.
2491         * stress/big-int-type-of.js: Added.
2492         * stress/big-int-white-space-trailing-leading.js: Added.
2493         * stress/big-int-function-apply.js: Added.
2494
2495 2017-12-11  Saam Barati  <sbarati@apple.com>
2496
2497         We need to disableCaching() in ErrorInstance when we materialize properties
2498         https://bugs.webkit.org/show_bug.cgi?id=180343
2499         <rdar://problem/35833002>
2500
2501         Reviewed by Mark Lam.
2502
2503         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2504         (assert):
2505         (makeError):
2506         (storeToStack):
2507         (storeToStackAlreadyMaterialized):
2508
2509 2017-12-05  JF Bastien  <jfbastien@apple.com>
2510
2511         WebAssembly: don't eagerly checksum
2512         https://bugs.webkit.org/show_bug.cgi?id=180441
2513         <rdar://problem/35156628>
2514
2515         Reviewed by Saam Barati.
2516
2517         Checksum is now disabled, so tests only have <?> as the module
2518         name.
2519
2520         * wasm/function-tests/nameSection.js:
2521         * wasm/function-tests/stack-overflow.js:
2522         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2523         (assertOverflows.assertThrows):
2524         (assertOverflows):
2525         * wasm/function-tests/stack-trace.js:
2526
2527 2017-12-04  JF Bastien  <jfbastien@apple.com>
2528
2529         Proxy all functions, except the $ objects
2530         https://bugs.webkit.org/show_bug.cgi?id=180375
2531
2532         Reviewed by Saam Barati.
2533
2534         It looks like this test may have broken some executions because I
2535         call some internal objects. Explicitly ignore objects whose name
2536         starts with "$" because it's a bad idea anyways.
2537
2538         * stress/proxy-all-the-parameters.js:
2539         (generateObjects):
2540         (get throw):
2541
2542 2017-12-04  Saam Barati  <sbarati@apple.com>
2543
2544         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2545         https://bugs.webkit.org/show_bug.cgi?id=180366
2546         <rdar://problem/35685877>
2547
2548         Reviewed by Michael Saboff.
2549
2550         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2551         (theParent):
2552         (test1.base.getParentStaticValue):
2553         (test1.base):
2554         (test1.__v_24888.prototype.set prop):
2555         (test1.__v_24888):
2556         (test2.base.getParentStaticValue):
2557         (test2.base):
2558         (test2.__v_24888.prototype.set prop):
2559         (test2.__v_24888):
2560         (test2):
2561
2562 2017-12-01  JF Bastien  <jfbastien@apple.com>
2563
2564         Try proxying all function arguments
2565         https://bugs.webkit.org/show_bug.cgi?id=180306
2566
2567         Reviewed by Saam Barati.
2568
2569         * stress/proxy-all-the-parameters.js: Added.
2570         (isPropertyOfType):
2571         (getProperties):
2572         (generateObjects):
2573         (getObjects):
2574         (getFunctions):
2575         (get throw):
2576         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2577
2578 2017-12-01  JF Bastien  <jfbastien@apple.com>
2579
2580         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2581         https://bugs.webkit.org/show_bug.cgi?id=180297
2582         <rdar://problem/35745556>
2583
2584         Reviewed by Mark Lam.
2585
2586         * stress/math-exceptions.js: Added.
2587         (get try):
2588         (catch):
2589
2590 2017-12-01  JF Bastien  <jfbastien@apple.com>
2591
2592         JavaScriptCore: add test for weird class static getters
2593         https://bugs.webkit.org/show_bug.cgi?id=180281
2594         <rdar://problem/35592139>
2595
2596         Reviewed by Mark Lam.
2597
2598         I fixed a bug for it in r224927 and didn't add a test. Do so.
2599
2600         * stress/class-static-get-weird.js: Added.
2601         (c.prototype.get name):
2602         (c):
2603         (c.prototype.get arguments):
2604         (c.prototype.get caller):
2605         (c.prototype.get length):
2606
2607 2017-12-01  Saam Barati  <sbarati@apple.com>
2608
2609         Having a bad time needs to handle ArrayClass indexing type as well
2610         https://bugs.webkit.org/show_bug.cgi?id=180274
2611         <rdar://problem/35667869>
2612
2613         Reviewed by Keith Miller and Mark Lam.
2614
2615         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2616         (assert):
2617         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2618         (assert):
2619
2620 2017-12-01  JF Bastien  <jfbastien@apple.com>
2621
2622         WebAssembly: restore cached stack limit after out-call
2623         https://bugs.webkit.org/show_bug.cgi?id=179106
2624         <rdar://problem/35337525>
2625
2626         Reviewed by Saam Barati.
2627
2628         * wasm/function-tests/double-instance.js: Added.
2629         (const.imp.boom):
2630         (const.imp.get callAnother):
2631
2632 2017-11-30  JF Bastien  <jfbastien@apple.com>
2633
2634         WebAssembly: improve stack trace
2635         https://bugs.webkit.org/show_bug.cgi?id=179343
2636
2637         Reviewed by Saam Barati.
2638
2639         Update the tests to follow the new format. Notably, SHA1 module
2640         hash is now included in traces, and stubs are properly identified.
2641
2642         * wasm/assert.js: Add an assertion which matches regular expressions.
2643         * wasm/function-tests/nameSection.js:
2644         * wasm/function-tests/stack-overflow.js:
2645         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2646         (assertOverflows.assertThrows.wasm.1):
2647         (assertOverflows.assertThrows.wasm.0):
2648         (assertOverflows.assertThrows):
2649         (assertOverflows):
2650         * wasm/function-tests/stack-trace.js:
2651         (import.Builder.from.string_appeared_here.assert): Deleted.
2652         * wasm/function-tests/trap-after-cross-instance-call.js:
2653         (wasmFrameCountFromError):
2654         * wasm/function-tests/trap-load-2.js:
2655         (wasmFrameCountFromError):
2656         * wasm/function-tests/trap-load.js:
2657         (wasmFrameCountFromError):
2658
2659 2017-11-30  Mark Lam  <mark.lam@apple.com>
2660
2661         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2662         https://bugs.webkit.org/show_bug.cgi?id=180219
2663         <rdar://problem/35696536>
2664
2665         Reviewed by Filip Pizlo.
2666
2667         * stress/regress-180219.js: Added.
2668
2669 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2670
2671         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2672         https://bugs.webkit.org/show_bug.cgi?id=180190
2673
2674         Reviewed by Mark Lam.
2675
2676         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2677         (shouldBe):
2678         (test1):
2679         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2680         (shouldBe):
2681         (test1):
2682         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2683         (shouldBe):
2684         (test1):
2685         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2686         (shouldBe):
2687         (test1):
2688         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2689         (shouldBe):
2690         (test1):
2691         * stress/operation-in-may-have-negative-int32.js: Added.
2692         (shouldBe):
2693         (test2):
2694         * stress/operation-in-negative-int32-cast.js: Added.
2695         (shouldBe):
2696         (test1):
2697
2698 2017-11-28  JF Bastien  <jfbastien@apple.com>
2699
2700         Strict and sloppy functions shouldn't share structure
2701         https://bugs.webkit.org/show_bug.cgi?id=180103
2702         <rdar://problem/35667847>
2703
2704         Reviewed by Saam Barati.
2705
2706         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2707         because the IC was wrong.
2708         (foo):
2709         (bar):
2710         (baz):
2711         (catch):
2712         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2713         in this patch, but may as well test odd strict mode corner cases.
2714         (bar):
2715         (baz):
2716         (catch):
2717         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2718         (foo):
2719         (bar):
2720         (baz):
2721         (catch):
2722         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2723         next file, but with invalidation of the FunctionExecutable's
2724         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2725         slower path.
2726         (foo):
2727         (bar.const.x):
2728         (bar.const.y):
2729         (bar):
2730         (catch):
2731         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2732         strict nesting works correctly.
2733         (foo):
2734         (bar.baz):
2735         (bar):
2736         * stress/strict-function-structure.js: Added. The test used to
2737         assert in objectProtoFuncHasOwnProperty.
2738         (foo):
2739         (bar):
2740         (baz):
2741         * stress/strict-nested-function-structure.js: Added. Nesting.
2742         (foo):
2743         (bar):
2744         (baz.boo):
2745         (baz):
2746
2747 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2748
2749         The recursive tail call optimisation is wrong on closures
2750         https://bugs.webkit.org/show_bug.cgi?id=179835
2751
2752         Reviewed by Saam Barati.
2753
2754         * stress/closure-recursive-tail-call.js: Added.
2755         (makeClosure):
2756
2757 2017-11-27  JF Bastien  <jfbastien@apple.com>
2758
2759         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2760         https://bugs.webkit.org/show_bug.cgi?id=180051
2761         <rdar://problem/35614371>
2762
2763         Reviewed by Saam Barati.
2764
2765         * stress/rest-parameter-negative.js: Added.
2766         (__f_5484):
2767         (catch):
2768         (__f_5485):
2769         (__v_22598.catch):
2770
2771 2017-11-27  Saam Barati  <sbarati@apple.com>
2772
2773         Spread can escape when CreateRest does not
2774         https://bugs.webkit.org/show_bug.cgi?id=180057
2775         <rdar://problem/35676119>
2776
2777         Reviewed by JF Bastien.
2778
2779         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2780         (assert):
2781         (getProperties):
2782         (theFunc):
2783         (let.obj.valueOf):
2784
2785 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2786
2787         [DFG] Add NormalizeMapKey DFG IR
2788         https://bugs.webkit.org/show_bug.cgi?id=179912
2789
2790         Reviewed by Saam Barati.
2791
2792         * stress/map-untyped-normalize-cse.js: Added.
2793         (shouldBe):
2794         (test):
2795         * stress/map-untyped-normalize.js: Added.
2796         (shouldBe):
2797         (test):
2798         * stress/set-untyped-normalize-cse.js: Added.
2799         (shouldBe):
2800         (set return.set has.set has):
2801         * stress/set-untyped-normalize.js: Added.
2802         (shouldBe):
2803         (set return.set has):
2804
2805 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2806
2807         [FTL] Support DeleteById and DeleteByVal
2808         https://bugs.webkit.org/show_bug.cgi?id=180022
2809
2810         Reviewed by Saam Barati.
2811
2812         * stress/delete-by-id.js: Added.
2813         (shouldBe):
2814         (test1):
2815         (test2):
2816         * stress/delete-by-val-ftl.js: Added.
2817         (shouldBe):
2818         (test1):
2819         (test2):
2820
2821 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2822
2823         [DFG] Introduce {Set,Map,WeakMap}Fields
2824         https://bugs.webkit.org/show_bug.cgi?id=179925
2825
2826         Reviewed by Saam Barati.
2827
2828         * stress/map-set-clobber-map-get.js: Added.
2829         (shouldBe):
2830         (test):
2831         * stress/map-set-does-not-clobber-set-has.js: Added.
2832         (shouldBe):
2833         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2834         (shouldBe):
2835         (test):
2836         * stress/set-add-clobber-set-has.js: Added.
2837         (shouldBe):
2838         * stress/set-add-does-not-clobber-map-get.js: Added.
2839         (shouldBe):
2840
2841 2017-11-24  Mark Lam  <mark.lam@apple.com>
2842
2843         Move unsafe jsc shell test functions to the $vm object.
2844         https://bugs.webkit.org/show_bug.cgi?id=179980
2845
2846         Reviewed by Yusuke Suzuki.
2847
2848         * controlFlowProfiler/driver/driver.js:
2849         * controlFlowProfiler/execution-count.js:
2850         * controlFlowProfiler/if-statement.js:
2851         * controlFlowProfiler/loop-statements.js:
2852         * controlFlowProfiler/switch-statements.js:
2853         * controlFlowProfiler/test-jit.js:
2854         * exceptionFuzz/3d-cube.js:
2855         * exceptionFuzz/date-format-xparb.js:
2856         * exceptionFuzz/earley-boyer.js:
2857         * heapProfiler/basic-edges.js:
2858         * heapProfiler/property-edge-types.js:
2859         * microbenchmarks/try-get-by-id-basic.js:
2860         * microbenchmarks/try-get-by-id-polymorphic.js:
2861         * modules/namespace-object-try-get.js:
2862         * stress/argument-count-bytecode.js:
2863         * stress/argument-intrinsic-basic.js:
2864         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2865         * stress/argument-intrinsic-inlining-with-result-escape.js:
2866         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2867         * stress/argument-intrinsic-inlining-with-vararg.js:
2868         * stress/argument-intrinsic-nested-inlining.js:
2869         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2870         * stress/argument-intrinsic-with-stack-write.js:
2871         * stress/arity-mismatch-get-argument.js:
2872         * stress/array-message-passing.js:
2873         * stress/array-push-with-force-exit.js:
2874         * stress/check-dom-with-signature.js:
2875         * stress/check-sub-class.js:
2876         * stress/compare-eq-incomplete-profile.js:
2877         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2878         * stress/do-eval-virtual-call-correctly.js:
2879         * stress/dom-jit-with-poly-proto.js:
2880         * stress/domjit-exception-ic.js:
2881         * stress/domjit-exception.js:
2882         * stress/domjit-getter-complex-with-incorrect-object.js:
2883         * stress/domjit-getter-complex.js:
2884         * stress/domjit-getter-poly.js:
2885         * stress/domjit-getter-proto.js:
2886         * stress/domjit-getter-super-poly.js:
2887         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2888         * stress/domjit-getter-type-check.js:
2889         * stress/domjit-getter.js:
2890         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2891         * stress/for-in-proxy-target-changed-structure.js:
2892         * stress/for-in-proxy.js:
2893         * stress/generational-opaque-roots.js:
2894         * stress/global-const-redeclaration-setting-2.js:
2895         * stress/global-const-redeclaration-setting-3.js:
2896         * stress/global-const-redeclaration-setting-4.js:
2897         * stress/global-const-redeclaration-setting-5.js:
2898         * stress/global-const-redeclaration-setting.js:
2899         * stress/import-basic.js:
2900         * stress/import-from-eval.js:
2901         * stress/import-reject-with-exception.js:
2902         * stress/import-syntax.js:
2903         * stress/impure-get-own-property-slot-inline-cache.js:
2904         * stress/is-constructor.js:
2905         * stress/istypedarrayview-intrinsic.js:
2906         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2907         * stress/jsc-test-functions-should-be-more-robust.js:
2908         * stress/object-toString-with-proxy.js:
2909         * stress/poly-proto-custom-value-and-accessor.js:
2910         * stress/proxy-inline-cache.js:
2911         * stress/re-execute-error-module.js:
2912         * stress/regress-150532.js:
2913         * stress/regress-156992.js:
2914         * stress/regress-179619.js:
2915         * stress/resources/shadow-chicken-support.js:
2916         * stress/runtime-array.js:
2917         * stress/sampling-profiler-microtasks.js:
2918         * stress/shadow-chicken-enabled.js:
2919         * stress/spread-correct-global-object-on-exception.js:
2920         * stress/super-get-by-id.js:
2921         * stress/tailCallForwardArguments.js:
2922         * stress/to-object-intrinsic-boolean-edge.js:
2923         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2924         * stress/to-object-intrinsic-number-edge.js:
2925         * stress/to-object-intrinsic-object-edge.js:
2926         * stress/to-object-intrinsic-string-edge.js:
2927         * stress/to-object-intrinsic-symbol-edge.js:
2928         * stress/to-object-intrinsic.js:
2929         * stress/try-catch-custom-getter-as-get-by-id.js:
2930         * stress/try-get-by-id-poly-proto.js:
2931         * stress/try-get-by-id-should-spill-registers-dfg.js:
2932         * stress/try-get-by-id.js:
2933         * typeProfiler/arrow-functions.js:
2934         * typeProfiler/basic.js:
2935         * typeProfiler/captured.js:
2936         * typeProfiler/classes.js:
2937         * typeProfiler/dfg-jit-optimizations.js:
2938         * typeProfiler/dictionary-mode.js:
2939         * typeProfiler/es6-block-scoping.js:
2940         * typeProfiler/es6-classes.js:
2941         * typeProfiler/inheritance.js:
2942         * typeProfiler/int52-dfg.js:
2943         * typeProfiler/loop.js:
2944         * typeProfiler/optional-fields.js:
2945         * typeProfiler/overflow.js:
2946         * typeProfiler/return.js:
2947         * typeProfiler/symbol.js:
2948         * typeProfiler/weird-prototype-chain.js:
2949
2950 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2951
2952         [DFG][FTL] Support MapSet / SetAdd intrinsics
2953         https://bugs.webkit.org/show_bug.cgi?id=179858
2954
2955         Reviewed by Saam Barati.
2956
2957         * microbenchmarks/map-has-and-set.js: Added.
2958         (test):
2959         * stress/map-set-check-failure.js: Added.
2960         (shouldBe):
2961         (shouldThrow):
2962         (target):
2963         * stress/map-set-cse.js: Added.
2964         (shouldBe):
2965         (test):
2966         * stress/set-add-check-failure.js: Added.
2967         (shouldBe):
2968         (shouldThrow):
2969         (set shouldThrow):
2970         * stress/set-add-cse.js: Added.
2971         (shouldBe):
2972
2973 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2974
2975         [JSC] Allow poly proto for intrinsic getters
2976         https://bugs.webkit.org/show_bug.cgi?id=179550
2977
2978         Reviewed by Saam Barati.
2979
2980         This change is also tested by existing tests.
2981
2982             1. stress/intrinsic-getter-with-poly-proto.js
2983             2. stress/poly-proto-intrinsic-getter-correctness.js
2984
2985         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2986         (shouldBe):
2987         (makePolyProtoObject.foo.C):
2988         (makePolyProtoObject.foo):
2989         (makePolyProtoObject):
2990         (target):
2991         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2992         (shouldBe):
2993         (makePolyProtoObject.foo.C):
2994         (makePolyProtoObject.foo):
2995         (makePolyProtoObject):
2996         (target):
2997
2998 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2999
3000         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
3001         https://bugs.webkit.org/show_bug.cgi?id=179744
3002
3003         Reviewed by Michael Catanzaro.
3004
3005         This test uses too much memory for our buildbots on these platforms
3006         and gets OOM-killed.
3007
3008         * stress/unshiftCountSlowCase-correct-postCapacity.js:
3009         Skip if $memoryLimited and linux.
3010
3011 2017-11-17  JF Bastien  <jfbastien@apple.com>
3012
3013         WebAssembly JS API: throw when a promise can't be created
3014         https://bugs.webkit.org/show_bug.cgi?id=179826
3015         <rdar://problem/35455813>
3016
3017         Reviewed by Mark Lam.
3018
3019         Test WebAssembly.{compile,instantiate} where promise creation
3020         fails because of a stack overflow.
3021
3022         * wasm/js-api/promise-stack-overflow.js: Added.
3023         (const.runNearStackLimit.f.const.t):
3024         (async.testCompile):
3025         (async.testInstantiate):
3026
3027 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3028
3029         Unreviewed, mark regress-178385.js as memory exhausting
3030
3031         * stress/regress-178385.js:
3032
3033 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
3034
3035         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
3036
3037         Unreviewed test gardening.
3038
3039         * test262.yaml:
3040
3041 2017-11-16  Robin Morisset  <rmorisset@apple.com>
3042
3043         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
3044         https://bugs.webkit.org/show_bug.cgi?id=179763
3045         <rdar://problem/35550513>
3046
3047         Reviewed by Keith Miller.
3048
3049         Just adding a slightly cleaned-up version of the original fuzzer-found test.
3050
3051         * stress/tdz-this-in-try-catch.js: Added.
3052         (__v_6388):
3053         (__v_6392):
3054
3055 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3056
3057         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3058         https://bugs.webkit.org/show_bug.cgi?id=179594
3059
3060         Reviewed by Saam Barati.
3061
3062         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
3063         (shouldBe):
3064         (args):
3065         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
3066         (shouldBe):
3067         (args):
3068
3069 2017-11-14  Saam Barati  <sbarati@apple.com>
3070
3071         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3072         https://bugs.webkit.org/show_bug.cgi?id=179639
3073         <rdar://problem/35513018>
3074
3075         Reviewed by JF Bastien.
3076
3077         * wasm/function-tests/grow-memory-cause-gc.js: Added.
3078         (escape):
3079         (i.func):
3080
3081 2017-11-13  Mark Lam  <mark.lam@apple.com>
3082
3083         Add more overflow check book-keeping for MarkedArgumentBuffer.
3084         https://bugs.webkit.org/show_bug.cgi?id=179634
3085         <rdar://problem/35492517>
3086
3087         Reviewed by Saam Barati.
3088
3089         * stress/regress-179634.js: Added.
3090
3091 2017-11-13  Mark Lam  <mark.lam@apple.com>
3092
3093         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3094         https://bugs.webkit.org/show_bug.cgi?id=179619
3095         <rdar://problem/35492518>
3096
3097         Reviewed by Saam Barati.
3098
3099         * stress/regress-179619.js: Added.
3100
3101 2017-11-12  Mark Lam  <mark.lam@apple.com>
3102
3103         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3104         https://bugs.webkit.org/show_bug.cgi?id=179562
3105         <rdar://problem/35467022>
3106
3107         Reviewed by Saam Barati.
3108
3109         * regress-179562.js: Added.
3110
3111 2017-11-08  Saam Barati  <sbarati@apple.com>
3112
3113         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3114         https://bugs.webkit.org/show_bug.cgi?id=177792
3115
3116         Reviewed by Yusuke Suzuki.
3117
3118         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3119         (assert):
3120         (foo.Foo.prototype.ensureX):
3121         (foo.Foo):
3122         (foo):
3123         (access):
3124
3125 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3126
3127         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3128         https://bugs.webkit.org/show_bug.cgi?id=178592
3129
3130         Unreviewed test gardening.
3131
3132         * test262.yaml:
3133
3134 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3135
3136         Turn recursive tail calls into loops
3137         https://bugs.webkit.org/show_bug.cgi?id=176601
3138
3139         Reviewed by Saam Barati.
3140
3141         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3142
3143         Add some simple test that computes factorial in several ways, and other trivial computations.
3144         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3145         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3146         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3147         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3148
3149         * stress/inline-call-to-recursive-tail-call.js: Added.
3150         (factorial.aux):
3151         (factorial):
3152         (factorial2.aux2):
3153         (factorial2.id):
3154         (factorial2):
3155         (factorial3.aux3):
3156         (factorial3):
3157         (aux4):
3158         (factorial4):
3159         (foo):
3160         (auxBar):
3161         (bar):
3162         (test):
3163
3164 2017-11-07  Mark Lam  <mark.lam@apple.com>
3165
3166         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3167         https://bugs.webkit.org/show_bug.cgi?id=179355
3168         <rdar://problem/35263053>
3169
3170         Reviewed by Saam Barati.
3171
3172         * stress/regress-179355.js: Added.
3173
3174 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3175
3176         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3177         https://bugs.webkit.org/show_bug.cgi?id=144458
3178
3179         Reviewed by Saam Barati.
3180
3181         * microbenchmarks/dfg-internal-function-call.js: Added.
3182         (target):
3183         * microbenchmarks/dfg-internal-function-construct.js: Added.
3184         (target):
3185         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3186         (target):
3187         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3188         (target):
3189         * stress/dfg-internal-function-call.js: Added.
3190         (shouldBe):
3191         (target):
3192         * stress/dfg-internal-function-construct.js: Added.
3193         (shouldBe):
3194         (target):
3195         * stress/internal-function-call.js: Added.
3196         (shouldBe):
3197         * stress/internal-function-construct.js: Added.
3198         (shouldBe):
3199
3200 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3201
3202         [Win] Skip stress/regress-178385.js.
3203         https://bugs.webkit.org/show_bug.cgi?id=179298
3204
3205         Unreviewed test gardening.
3206
3207         * stress/regress-178385.js:
3208
3209 2017-11-03  Keith Miller  <keith_miller@apple.com>
3210
3211         Add test for ic with side effects
3212         https://bugs.webkit.org/show_bug.cgi?id=179268
3213
3214         Reviewed by Saam Barati.
3215
3216         * stress/put-inline-cache-side-effects.js: Added.
3217         (let.i.of.objs.keys):
3218         (f):
3219
3220 2017-11-03  Mark Lam  <mark.lam@apple.com>
3221
3222         CachedCall (and its clients) needs overflow checks.
3223         https://bugs.webkit.org/show_bug.cgi?id=179185
3224
3225         Reviewed by JF Bastien.
3226
3227         * stress/regress-179185.js: Added.
3228
3229 2017-11-02  Michael Saboff  <msaboff@apple.com>
3230
3231         DFG needs to handle code motion of code in for..in loop bodies
3232         https://bugs.webkit.org/show_bug.cgi?id=179212
3233
3234         Reviewed by Keith Miller.
3235
3236         New regression test.
3237
3238         * stress/for-in-side-effects.js: Added.
3239         (getPrototypeOf):
3240         (reset):
3241         (testWithoutFTL.f):
3242         (testWithoutFTL):
3243         (testWithFTL.f):
3244         (testWithFTL):
3245
3246 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3247
3248         AI does not correctly model the clobber case of ArithClz32
3249         https://bugs.webkit.org/show_bug.cgi?id=179188
3250
3251         Reviewed by Michael Saboff.
3252
3253         * stress/arith-clz32-effects.js: Added.
3254         (foo):
3255         (valueOf):
3256
3257 2017-11-01  Michael Saboff  <msaboff@apple.com>
3258
3259         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3260         https://bugs.webkit.org/show_bug.cgi?id=179140
3261
3262         Reviewed by Saam Barati.
3263
3264         New regression test.
3265
3266         * stress/regress-179140.js: Added.
3267         (testWithoutFTL):
3268         (testWithFTL):
3269
3270 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3271
3272         [JSC] Introduce @toObject
3273         https://bugs.webkit.org/show_bug.cgi?id=178726
3274
3275         Reviewed by Saam Barati.
3276
3277         * stress/array-copywithin.js:
3278         (shouldThrow):
3279         * stress/object-constructor-boolean-edge.js: Added.
3280         (shouldBe):
3281         (test):
3282         * stress/object-constructor-global.js: Added.
3283         (shouldBe):
3284         * stress/object-constructor-null-edge.js: Added.
3285         (shouldBe):
3286         (test):
3287         * stress/object-constructor-number-edge.js: Added.
3288         (shouldBe):
3289         (test):
3290         * stress/object-constructor-object-edge.js: Added.
3291         (shouldBe):
3292         (test):
3293         (i.arg):
3294         * stress/object-constructor-string-edge.js: Added.
3295         (shouldBe):
3296         (test):
3297         * stress/object-constructor-symbol-edge.js: Added.
3298         (shouldBe):
3299         (test):
3300         * stress/object-constructor-undefined-edge.js: Added.
3301         (shouldBe):
3302         (test):
3303         * stress/symbol-array-from.js: Added.
3304         (shouldBe):
3305         * stress/to-object-intrinsic-boolean-edge.js: Added.
3306         (shouldBe):
3307         (builtin.createBuiltin):
3308         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3309         (shouldThrow):
3310         * stress/to-object-intrinsic-number-edge.js: Added.
3311         (shouldBe):
3312         (builtin.createBuiltin):
3313         * stress/to-object-intrinsic-object-edge.js: Added.
3314         (shouldBe):
3315         (builtin.createBuiltin):
3316         (i.arg):
3317         * stress/to-object-intrinsic-string-edge.js: Added.
3318         (shouldBe):
3319         (builtin.createBuiltin):
3320         * stress/to-object-intrinsic-symbol-edge.js: Added.
3321         (shouldBe):
3322         (builtin.createBuiltin):
3323         * stress/to-object-intrinsic.js: Added.
3324         (shouldBe):
3325         (shouldThrow):
3326         (builtin.createBuiltin):
3327
3328 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3329
3330         [DFG][FTL] Introduce StringSlice
3331         https://bugs.webkit.org/show_bug.cgi?id=178934
3332
3333         Reviewed by Saam Barati.
3334
3335         * microbenchmarks/string-slice-empty.js: Added.
3336         (slice):
3337         * microbenchmarks/string-slice-one-char.js: Added.
3338         (slice):
3339         * microbenchmarks/string-slice.js: Added.
3340         (slice):
3341
3342 2017-10-26  Michael Saboff  <msaboff@apple.com>
3343
3344         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3345         https://bugs.webkit.org/show_bug.cgi?id=178890
3346
3347         Reviewed by Keith Miller.
3348
3349         New regression test.
3350
3351         * stress/regress-178890.js: Added.
3352
3353 2017-10-26  Mark Lam  <mark.lam@apple.com>
3354
3355         JSRopeString::RopeBuilder::append() should check for overflows.
3356         https://bugs.webkit.org/show_bug.cgi?id=178385
3357         <rdar://problem/35027468>
3358
3359         Reviewed by Saam Barati.
3360
3361         * stress/regress-178385.js: Added.
3362
3363 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3364
3365         Unreviewed, rolling out r223961.
3366
3367         The change that required this has been rolled out.
3368
3369         Reverted changeset:
3370
3371         "Mark test262.yaml/test262/test/language/statements/try/tco-
3372         catch.js as passing."
3373         https://bugs.webkit.org/show_bug.cgi?id=178592
3374         https://trac.webkit.org/changeset/223961
3375
3376 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3377
3378         Unreviewed, rolling out r223691 and r223729.
3379         https://bugs.webkit.org/show_bug.cgi?id=178834
3380
3381         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3382         by rniwa on #webkit).
3383
3384         Reverted changesets:
3385
3386         "Turn recursive tail calls into loops"
3387         https://bugs.webkit.org/show_bug.cgi?id=176601
3388         https://trac.webkit.org/changeset/223691
3389
3390         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3391         comparison is always false due to limited range of data type
3392         [-Wtype-limits]"
3393         https://bugs.webkit.org/show_bug.cgi?id=178543
3394         https://trac.webkit.org/changeset/223729
3395
3396 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3397
3398         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3399         https://bugs.webkit.org/show_bug.cgi?id=178592
3400
3401         Unreviewed test gardening.
3402
3403         * test262.yaml:
3404
3405 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3406
3407         [FTL] Support NewStringObject
3408         https://bugs.webkit.org/show_bug.cgi?id=178737
3409
3410         Reviewed by Saam Barati.
3411
3412         * stress/new-string-object.js: Added.
3413         (shouldBe):
3414         (test):
3415
3416 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3417
3418         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3419         https://bugs.webkit.org/show_bug.cgi?id=178308
3420
3421         Reviewed by Mark Lam.
3422
3423         * test262.yaml:
3424
3425 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3426
3427         [JSC] Use fastJoin in Array#toString
3428         https://bugs.webkit.org/show_bug.cgi?id=178062
3429
3430         Reviewed by Darin Adler.
3431
3432         * microbenchmarks/contiguous-array-to-string.js: Added.
3433         (target):
3434         * microbenchmarks/double-array-to-string.js: Added.
3435         (target):
3436         * microbenchmarks/int32-array-to-string.js: Added.
3437         (target):
3438
3439 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3440
3441         stress/check-string-ident.js is improperly skipped
3442         https://bugs.webkit.org/show_bug.cgi?id=178642
3443
3444         Reviewed by Saam Barati.
3445
3446         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3447         since it enforces the run-jsc-stress-tests script to still set up the
3448         test to run, despite the skip directive that's used before.
3449
3450 2017-10-20  Mark Lam  <mark.lam@apple.com>
3451
3452         Add a test case for r214334.
3453         https://bugs.webkit.org/show_bug.cgi?id=169941
3454         <rdar://problem/31221258>
3455
3456         Reviewed by JF Bastien.
3457
3458         * stress/regress-169941.js: Added.
3459
3460 2017-10-19  JF Bastien  <jfbastien@apple.com>
3461
3462         WebAssembly: no VM / JS version of everything but Instance
3463         https://bugs.webkit.org/show_bug.cgi?id=177473
3464
3465         Reviewed by Filip Pizlo, Saam Barati.
3466
3467         - Exceeding max on memory growth now returns a range error as per
3468         spec. This is a (very minor) breaking change: it used to throw OOM
3469         error. Update the corresponding test.
3470
3471         * wasm/js-api/memory-grow.js:
3472         (assertEq):
3473         * wasm/js-api/table.js:
3474         (assert.throws):
3475
3476 2017-10-19  Mark Lam  <mark.lam@apple.com>
3477
3478         Stringifier::appendStringifiedValue() is missing an exception check.
3479         https://bugs.webkit.org/show_bug.cgi?id=178386
3480         <rdar://problem/35027610>
3481
3482         Reviewed by Saam Barati.
3483
3484         * stress/regress-178386.js: Added.
3485
3486 2017-10-19  Michael Saboff  <msaboff@apple.com>
3487
3488         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3489         https://bugs.webkit.org/show_bug.cgi?id=178521
3490
3491         Reviewed by JF Bastien.
3492
3493         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3494         now passes with the current version (5.0) of the Emoji spec.
3495
3496 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3497
3498         Turn recursive tail calls into loops
3499         https://bugs.webkit.org/show_bug.cgi?id=176601
3500
3501         Reviewed by Saam Barati.
3502
3503         Add some simple test that computes factorial in several ways, and other trivial computations.
3504         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3505         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3506         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3507         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3508
3509         * stress/inline-call-to-recursive-tail-call.js: Added.
3510         (factorial.aux):
3511         (factorial):
3512         (factorial2.aux):
3513         (factorial2.id):
3514         (factorial2):
3515         (factorial3.aux):
3516         (factorial3):
3517         (aux):
3518         (factorial4):
3519         (test):
3520
3521 2017-10-18  Mark Lam  <mark.lam@apple.com>
3522
3523         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3524         https://bugs.webkit.org/show_bug.cgi?id=177600
3525         <rdar://problem/34710985>
3526
3527         Reviewed by Saam Barati.
3528
3529         * stress/regress-177600.js: Added.
3530
3531 2017-10-18  Mark Lam  <mark.lam@apple.com>
3532
3533         The compiler should always register a structure when it adds its transitionWatchPointSet.
3534         https://bugs.webkit.org/show_bug.cgi?id=178420
3535         <rdar://problem/34814024>
3536
3537         Reviewed by Saam Barati and Filip Pizlo.
3538
3539         * stress/regress-178420.js: Added.
3540         (new.Array.10000.map):
3541
3542 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3543
3544         [JSC] __proto__ getter should be fast
3545         https://bugs.webkit.org/show_bug.cgi?id=178067
3546
3547         Reviewed by Saam Barati.
3548
3549         * stress/dfg-object-proto-accessor.js: Added.
3550         (shouldBe):
3551         (shouldThrow):
3552         (target):
3553         * stress/dfg-object-proto-getter.js: Added.
3554         (shouldBe):
3555         (shouldThrow):
3556         (target):
3557         * stress/dfg-object-prototype-of.js: Added.
3558         (shouldBe):
3559         (shouldThrow):
3560         (target):
3561         * stress/dfg-reflect-get-prototype-of.js: Added.
3562         (shouldBe):
3563         (shouldThrow):
3564         (target):
3565         * stress/intrinsic-getter-with-poly-proto.js: Added.
3566         (shouldBe):
3567         (makePolyProtoObject.foo.C):
3568         (makePolyProtoObject.foo):
3569         (makePolyProtoObject):
3570         (target):
3571         * stress/object-get-prototype-of-filtered.js: Added.
3572         (shouldBe):
3573         (shouldThrow):
3574         (target):
3575         (i.Cocoa):
3576         * stress/object-get-prototype-of-mono-proto.js: Added.
3577         (shouldBe):
3578         (makePolyProtoObject.foo.C):
3579         (makePolyProtoObject.foo):
3580         (makePolyProtoObject):
3581         (target):
3582         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3583         (shouldBe):
3584         (makePolyProtoObject.foo.C):
3585         (makePolyProtoObject.foo):
3586         (makePolyProtoObject):
3587         (target):
3588         * stress/object-get-prototype-of-poly-proto.js: Added.
3589         (shouldBe):
3590         (makePolyProtoObject.foo.C):
3591         (makePolyProtoObject.foo):
3592         (makePolyProtoObject):
3593         (target):
3594         * stress/object-proto-getter-filtered.js: Added.
3595         (shouldBe):
3596         (shouldThrow):
3597         (target):
3598         (i.Cocoa):
3599         * stress/object-proto-getter-poly-mono-proto.js: Added.
3600         (shouldBe):
3601         (makePolyProtoObject.foo.C):
3602         (makePolyProtoObject.foo):
3603         (makePolyProtoObject):
3604         (target):
3605         * stress/object-proto-getter-poly-proto.js: Added.
3606         (shouldBe):
3607         (makePolyProtoObject.foo.C):
3608         (makePolyProtoObject.foo):
3609         (makePolyProtoObject):
3610         (target):
3611         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3612         * stress/string-proto.js: Added.
3613         (shouldBe):
3614         (target):
3615
3616 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3617
3618         Unreviewed, rolling out r223523.
3619
3620         A test for this change is failing on debug JSC bots.
3621
3622         Reverted changeset:
3623
3624         "[JSC] __proto__ getter should be fast"
3625         https://bugs.webkit.org/show_bug.cgi?id=178067
3626         https://trac.webkit.org/changeset/223523
3627
3628 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3629
3630         [JSC] __proto__ getter should be fast
3631         https://bugs.webkit.org/show_bug.cgi?id=178067
3632
3633         Reviewed by Saam Barati.
3634
3635         * stress/dfg-object-proto-accessor.js: Added.
3636         (shouldBe):
3637         (shouldThrow):
3638         (target):
3639         * stress/dfg-object-proto-getter.js: Added.
3640         (shouldBe):
3641         (shouldThrow):
3642         (target):
3643         * stress/dfg-object-prototype-of.js: Added.
3644         (shouldBe):
3645         (shouldThrow):
3646         (target):
3647         * stress/dfg-reflect-get-prototype-of.js: Added.
3648         (shouldBe):
3649         (shouldThrow):
3650         (target):
3651         * stress/object-get-prototype-of-filtered.js: Added.
3652         (shouldBe):
3653         (shouldThrow):
3654         (target):
3655         (i.Cocoa):
3656         * stress/object-get-prototype-of-mono-proto.js: Added.
3657         (shouldBe):
3658         (makePolyProtoObject.foo.C):
3659         (makePolyProtoObject.foo):
3660         (makePolyProtoObject):
3661         (target):
3662         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3663         (shouldBe):
3664         (makePolyProtoObject.foo.C):
3665         (makePolyProtoObject.foo):
3666         (makePolyProtoObject):
3667         (target):
3668         * stress/object-get-prototype-of-poly-proto.js: Added.
3669         (shouldBe):
3670         (makePolyProtoObject.foo.C):
3671         (makePolyProtoObject.foo):
3672         (makePolyProtoObject):
3673         (target):
3674         * stress/object-proto-getter-filtered.js: Added.
3675         (shouldBe):
3676         (shouldThrow):
3677         (target):
3678         (i.Cocoa):
3679         * stress/object-proto-getter-poly-mono-proto.js: Added.
3680         (shouldBe):
3681         (makePolyProtoObject.foo.C):
3682         (makePolyProtoObject.foo):
3683         (makePolyProtoObject):
3684         (target):
3685         * stress/object-proto-getter-poly-proto.js: Added.
3686         (shouldBe):
3687         (makePolyProtoObject.foo.C):
3688         (makePolyProtoObject.foo):
3689         (makePolyProtoObject):
3690         (target):
3691         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3692         * stress/string-proto.js: Added.
3693         (shouldBe):
3694         (target):
3695
3696 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3697
3698         Reland "Add Above/Below comparisons for UInt32 patterns"
3699         https://bugs.webkit.org/show_bug.cgi?id=177281
3700
3701         Reviewed by Saam Barati.
3702
3703         * stress/uint32-comparison-jump.js: Added.
3704         (shouldBe):
3705         (above):
3706         (aboveOrEqual):
3707         (below):
3708         (belowOrEqual):
3709         (notAbove):
3710         (notAboveOrEqual):
3711         (notBelow):
3712         (notBelowOrEqual):
3713         * stress/uint32-comparison.js: Added.
3714         (shouldBe):
3715         (above):
3716         (aboveOrEqual):
3717         (below):
3718         (belowOrEqual):
3719         (aboveTest):
3720         (aboveOrEqualTest):
3721         (belowTest):
3722         (belowOrEqualTest):
3723
3724 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3725
3726         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3727         https://bugs.webkit.org/show_bug.cgi?id=178210
3728
3729         Reviewed by Saam Barati.
3730
3731         * wasm/function-tests/trap-from-start-async.js:
3732         (async.StartTrapsAsync):
3733         * wasm/function-tests/trap-from-start.js:
3734         (StartTraps):
3735         * wasm/js-api/web-assembly-function.js:
3736         (assert.eq.Object.getPrototypeOf):
3737         * wasm/js-api/wrapper-function.js:
3738         (return.new.WebAssembly.Module):
3739         (assert.throws.makeInstance): Deleted.
3740         (assert.throws.Bar): Deleted.
3741         (assert.throws): Deleted.
3742
3743 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3744
3745         Enable gigacage on iOS
3746         https://bugs.webkit.org/show_bug.cgi?id=177586
3747
3748         Reviewed by JF Bastien.
3749         
3750         Add tests for when Gigacage gets runtime disabled.
3751
3752         * stress/disable-gigacage-arrays.js: Added.
3753         (foo):
3754         * stress/disable-gigacage-strings.js: Added.
3755         (foo):
3756         * stress/disable-gigacage-typed-arrays.js: Added.
3757         (foo):
3758
3759 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3760
3761         import.meta should not be assignable
3762         https://bugs.webkit.org/show_bug.cgi?id=178202
3763
3764         Reviewed by Saam Barati.
3765
3766         * modules/import-meta-assignment.js: Added.
3767         (shouldThrow):
3768         (SyntaxError.import.meta.can.shouldThrow):
3769
3770 2017-10-11  Saam Barati  <sbarati@apple.com>
3771
3772         Unreviewed. Actually skip certain type profiler tests in debug.
3773
3774         * typeProfiler.yaml:
3775         * typeProfiler/deltablue-for-of.js:
3776         * typeProfiler/getter-richards.js:
3777
3778 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3779
3780         Unreviewed, rolling out r223113 and r223121.
3781         https://bugs.webkit.org/show_bug.cgi?id=178182
3782
3783         Reintroduced 20% regression on Kraken (Requested by rniwa on
3784         #webkit).
3785
3786         Reverted changesets:
3787
3788         "Enable gigacage on iOS"
3789         https://bugs.webkit.org/show_bug.cgi?id=177586
3790         https://trac.webkit.org/changeset/223113
3791
3792         "Use one virtual allocation for all gigacages and their
3793         runways"
3794         https://bugs.webkit.org/show_bug.cgi?id=178050
3795         https://trac.webkit.org/changeset/223121
3796
3797 2017-10-11  Michael Saboff  <msaboff@apple.com>
3798
3799         Disable test262 named capture group tests with direct unicode names and with references before definitions
3800         https://bugs.webkit.org/show_bug.cgi?id=178177
3801
3802         Reviewed by Keith Miller.
3803
3804         Bugs to track fixing these test are:
3805         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3806             "Add support in named capture group identifiers for direct surrogate pairs"
3807         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3808             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3809
3810         * test262.yaml:
3811
3812 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3813
3814         Object properties are undefined in super.call() but not in this.call()
3815         https://bugs.webkit.org/show_bug.cgi?id=177230
3816
3817         Reviewed by Saam Barati.
3818
3819         * stress/super-call-function-subclass.js: Added.
3820         (assert):
3821         (A.prototype.t):
3822         (A):
3823         * stress/super-dot-call-and-apply.js: Added.
3824         (assert):
3825         (A):
3826         (A.prototype.call):
3827         (A.prototype.apply):
3828         (B.prototype.testSuper):
3829         (B):
3830         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3831         (D.prototype.testSuper):
3832         (D):
3833
3834 2017-10-10  Saam Barati  <sbarati@apple.com>
3835
3836         The prototype cache should be aware of the Executable it generates a Structure for
3837         https://bugs.webkit.org/show_bug.cgi?id=177907
3838
3839         Reviewed by Filip Pizlo.
3840
3841         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3842         (assert):
3843         (foo.C):
3844         (foo):
3845         (bar.C):
3846         (bar):
3847         (access):
3848         (makeLongChain):
3849         (accessY):
3850
3851 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3852
3853         `async` should be able to be used as an imported binding name
3854         https://bugs.webkit.org/show_bug.cgi?id=176573
3855
3856         Reviewed by Saam Barati.
3857
3858         * modules/import-default-async.js: Added.
3859         * modules/import-named-async-as.js: Added.
3860         * modules/import-named-async.js: Added.
3861         * modules/import-named-async/target.js: Added.
3862         * modules/import-namespace-async.js: Added.
3863         * test262.yaml:
3864
3865 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3866
3867         Enable gigacage on iOS
3868         https://bugs.webkit.org/show_bug.cgi?id=177586
3869
3870         Reviewed by JF Bastien.
3871         
3872         Add tests for when Gigacage gets runtime disabled.
3873
3874         * stress/disable-gigacage-arrays.js: Added.
3875         (foo):
3876         * stress/disable-gigacage-strings.js: Added.
3877         (foo):
3878         * stress/disable-gigacage-typed-arrays.js: Added.
3879         (foo):
3880
3881 2017-10-09  Michael Saboff  <msaboff@apple.com>
3882
3883         Implement RegExp Unicode property escapes
3884         https://bugs.webkit.org/show_bug.cgi?id=172069
3885
3886         Reviewed by JF Bastien.
3887
3888         Enabled Unicode Property tests.
3889
3890         * test262.yaml:
3891
3892 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3893
3894         Unreviewed, rolling out r223015 and r223025.
3895         https://bugs.webkit.org/show_bug.cgi?id=178093
3896
3897         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3898         #webkit).
3899
3900         Reverted changesets:
3901
3902         "Enable gigacage on iOS"
3903         https://bugs.webkit.org/show_bug.cgi?id=177586
3904         http://trac.webkit.org/changeset/223015
3905
3906         "Unreviewed, disable Gigacage on ARM64 Linux"
3907         https://bugs.webkit.org/show_bug.cgi?id=177586
3908         http://trac.webkit.org/changeset/223025
3909
3910 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3911
3912         Update expectations for test262 tests that pass after r223043.
3913         https://bugs.webkit.org/show_bug.cgi?id=176685
3914
3915         Unreviewed test gardening.
3916
3917         * test262.yaml:
3918
3919 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3920
3921         Unreviewed, rolling out r223022.
3922
3923         This change introduced 18 test262 failures.
3924
3925         Reverted changeset:
3926
3927         "`async` should be able to be used as an imported binding
3928         name"
3929         https://bugs.webkit.org/show_bug.cgi?id=176573
3930         http://trac.webkit.org/changeset/223022
3931
3932 2017-10-09  Saam Barati  <sbarati@apple.com>
3933
3934         3 poly-proto JSC tests timing out on debug after r222827
3935         https://bugs.webkit.org/show_bug.cgi?id=177880
3936         <rdar://problem/34817122>
3937
3938         Unreviewed.
3939
3940         I'm skipping these type profiler tests on debug since they are long running.
3941
3942         * typeProfiler/deltablue-for-of.js:
3943         * typeProfiler/getter-richards.js:
3944
3945 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3946
3947         Safari 10 /11 problem with if (!await get(something)).
3948         https://bugs.webkit.org/show_bug.cgi?id=176685
3949
3950         Reviewed by Saam Barati.
3951
3952         * stress/async-await-basic.js:
3953         (awaitEpression.async):
3954         * stress/async-await-syntax.js:
3955         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3956         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3957
3958 2017-10-08  Saam Barati  <sbarati@apple.com>
3959
3960         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3961
3962         * typeProfiler/deltablue-for-of.js:
3963         * typeProfiler/getter-richards.js:
3964
3965 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3966
3967         `async` should be able to be used as an imported binding name
3968         https://bugs.webkit.org/show_bug.cgi?id=176573
3969
3970         Reviewed by Darin Adler.
3971
3972         * modules/import-default-async.js: Added.
3973         * modules/import-named-async-as.js: Added.
3974         * modules/import-named-async.js: Added.
3975         * modules/import-named-async/target.js: Added.
3976         * modules/import-namespace-async.js: Added.
3977
3978 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3979
3980         Enable gigacage on iOS
3981         https://bugs.webkit.org/show_bug.cgi?id=177586
3982
3983         Reviewed by JF Bastien.
3984         
3985         Add tests for when Gigacage gets runtime disabled.
3986
3987         * stress/disable-gigacage-arrays.js: Added.
3988         (foo):
3989         * stress/disable-gigacage-strings.js: Added.
3990         (foo):
3991         * stress/disable-gigacage-typed-arrays.js: Added.
3992         (foo):
3993
3994 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3995
3996         Unreviewed, rolling out r222791 and r222873.
3997         https://bugs.webkit.org/show_bug.cgi?id=178031
3998
3999         Caused crashes with workers/wasm LayoutTests (Requested by
4000         ryanhaddad on #webkit).
4001
4002         Reverted changesets:
4003
4004         "WebAssembly: no VM / JS version of everything but Instance"
4005         https://bugs.webkit.org/show_bug.cgi?id=177473
4006         http://trac.webkit.org/changeset/222791
4007
4008         "WebAssembly: address no VM / JS follow-ups"
4009         https://bugs.webkit.org/show_bug.cgi?id=177887
4010         http://trac.webkit.org/changeset/222873
4011
4012 2017-10-05  Saam Barati  <sbarati@apple.com>
4013
4014         Make sure all prototypes under poly proto get added into the VM's prototype map
4015         https://bugs.webkit.org/show_bug.cgi?id=177909
4016
4017         Reviewed by Keith Miller.
4018
4019         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
4020         (assert):
4021         (foo.C):
4022         (foo):
4023         (set x):
4024
4025 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
4026
4027         [JSC] Introduce import.meta
4028         https://bugs.webkit.org/show_bug.cgi?id=177703
4029
4030         Reviewed by Filip Pizlo.
4031
4032         * modules/import-meta-syntax.js: Added.
4033         (shouldThrow):
4034         (shouldNotThrow):
4035         * modules/import-meta.js: Added.
4036         * modules/import-meta/cocoa.js: Added.
4037         * modules/resources/assert.js:
4038         (export.shouldNotThrow):
4039         * stress/import-syntax.js:
4040
4041 2017-10-04  Saam Barati  <sbarati@apple.com>
4042
4043         Make pertinent AccessCases watch the poly proto watchpoint
4044         https://bugs.webkit.org/show_bug.cgi?id=177765
4045
4046         Reviewed by Keith Miller.
4047
4048         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
4049         (assert):
4050         (foo.C):
4051         (foo):
4052         (validate):
4053         * stress/poly-proto-clear-stub.js: Added.
4054         (assert):
4055         (foo.C):
4056         (foo):
4057
4058 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
4059
4060         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
4061
4062         Unreviewed test gardening.
4063
4064         * test262.yaml:
4065
4066 2017-10-04  Saam Barati  <sbarati@apple.com>
4067
4068         3 poly-proto JSC tests timing out on debug after r222827
4069         https://bugs.webkit.org/show_bug.cgi?id=177880
4070
4071         Rubber stamped by Mark Lam.
4072
4073         * microbenchmarks/poly-proto-access.js:
4074         * typeProfiler/deltablue-for-of.js:
4075         * typeProfiler/getter-richards.js:
4076
4077 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
4078
4079         Unreviewed, marking tco-catch.js as a failure after test262 update
4080         https://bugs.webkit.org/show_bug.cgi?id=177859
4081
4082         * test262.yaml:
4083
4084 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4085
4086         Unreviewed, marking one async iterator test262 test failed
4087         https://bugs.webkit.org/show_bug.cgi?id=177859
4088
4089         * test262.yaml:
4090
4091 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
4092
4093         [Test262] Update Test262 to Oct 4 version
4094         https://bugs.webkit.org/show_bug.cgi?id=177859
4095
4096         Reviewed by Sam Weinig.
4097
4098         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
4099         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
4100
4101         * test262.yaml:
4102         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
4103         (checkSequence):
4104         * test262/harness/typeCoercion.js:
4105         (testCoercibleToIndexZero):
4106         (testCoercibleToIndexOne):
4107         (testCoercibleToIndexFromIndex):
4108         (testNotCoercibleToIndex.testPrimitiveValue):
4109         (testNotCoercibleToInteger):
4110         (testCoercibleToBigIntZero.testPrimitiveValue):
4111         (testCoercibleToBigIntZero):
4112         (testCoercibleToBigIntOne.testPrimitiveValue):
4113         (testCoercibleToBigIntOne):
4114         (testPrimitiveValue):
4115         (testCoercibleToBigIntFromBigInt):
4116         (testNotCoercibleToBigInt.testPrimitiveValue):
4117         (testNotCoercibleToBigInt.testStringValue):
4118         (testNotCoercibleToBigInt):
4119         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
4120         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
4121         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
4122         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
4123         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
4124         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
4125         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
4126         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
4127         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
4128         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
4129         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
4130         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
4131         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
4132         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
4133         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
4134         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
4135         (testCoercibleToBigIntZero):
4136         (testCoercibleToBigIntOne):
4137         (testNotCoercibleToBigInt):
4138         (MyError): Deleted.
4139         (valueOf): Deleted.
4140         (toString): Deleted.
4141         (Symbol.toPrimitive): Deleted.
4142         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
4143         (testCoercibleToIndexZero):
4144         (testCoercibleToIndexOne):
4145         (testNotCoercibleToIndex):
4146         (MyError): Deleted.
4147         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
4148         (assert.sameValue.BigInt.asIntN.toString): Deleted.
4149         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
4150         (BigInt.asIntN.valueOf): Deleted.
4151         (BigInt.asIntN.toString): Deleted.
4152         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
4153         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
4154         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
4155         (testCoercibleToBigIntZero):
4156         (testCoercibleToBigIntOne):
4157         (testNotCoercibleToBigInt):
4158         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
4159         (testCoercibleToIndexZero):
4160         (testCoercibleToIndexOne):
4161         (testNotCoercibleToIndex):
4162         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
4163         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
4164         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
4165         (bits.valueOf):
4166         (bigint.valueOf):
4167         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
4168         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
4169         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
4170         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
4171         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
4172         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
4173         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
4174         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
4175         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
4176         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
4177         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
4178         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
4179         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
4180         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
4181         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
4182         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
4183         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
4184         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
4185         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
4186         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
4187         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
4188         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
4189         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
4190         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
4191         (replacer):
4192         (BigInt.prototype.toJSON):
4193         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
4194         (replacer):
4195         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
4196         (BigInt.prototype.toJSON):
4197         * test262/test/built-ins/JSON/stringify/bigint.js:
4198         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
4199         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
4200         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
4201         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
4202         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
4203         * test262/test/built-ins/Object/proto-from-ctor.js:
4204         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
4205         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4206         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4207         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4208         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4209         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4210         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4211         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4212         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4213         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4214         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4215         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4216         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4217         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4218         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4219         * test262/test/built-ins/Proxy/get-fn-realm.js:
4220         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4221         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4222         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4223         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4224         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4225         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4226         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4227         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4228         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4229         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4230         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4231         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4232         (i6.replace):
4233         (i6b.replace):
4234         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4235         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4236         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4237         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4238         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4239         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4240         * test262/test/built-ins/RegExp/u180e.js: Added.
4241         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4242         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4243         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4244         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4245         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4246         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4247         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4248         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4249         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4250         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4251         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4252         * test262/test/built-ins/String/prototype/endsWith/length.js:
4253         * test262/test/built-ins/String/prototype/endsWith/name.js:
4254         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4255         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4256         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4257         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4258         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4259         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4260         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4261         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4262         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4263         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4264         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4265         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4266         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4267         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4268         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4269         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4270         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4271         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4272         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4273         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4274         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4275         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4276         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4277         * test262/test/built-ins/String/prototype/includes/includes.js:
4278         * test262/test/built-ins/String/prototype/includes/length.js:
4279         * test262/test/built-ins/String/prototype/includes/name.js:
4280         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4281         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4282         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4283         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4284         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4285         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4286         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4287         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4288         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4289         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4290         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4291         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4292         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4293         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4294         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4295         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4296         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4297         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4298         * test262/test/built-ins/String/prototype/trim/u180e.js:
4299         * test262/test/built-ins/Symbol/for/cross-realm.js:
4300         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4301         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4302         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4303         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4304         * test262/test/built-ins/Symbol/match/cross-realm.js:
4305         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4306         * test262/test/built-ins/Symbol/search/cross-realm.js:
4307         * test262/test/built-ins/Symbol/species/cross-realm.js:
4308         * test262/test/built-ins/Symbol/split/cross-realm.js:
4309         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4310         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4311         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4312         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4313         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4314         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4315         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4316         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4317         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4318         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4319         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4320         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4321         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4322         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4323         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4324         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4325         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4326         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4327         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4328         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4329         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4330         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4331         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4332         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4333         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4334         * test262/test/language/eval-code/indirect/realm.js:
4335         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4336         (o.get z):
4337         (o.get a):
4338         * test262/test/language/expressions/call/eval-realm-indirect.js:
4339         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4340         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4341         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4342         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4343         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4344         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4345         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4346         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4347         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4348         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4349         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4350         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4351         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4352         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4353         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4354         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4355         * test262/test/language/expressions/less-than/bigint-and-number.js:
4356         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4357         * test262/test/language/expressions/super/realm.js:
4358         * test262/test/language/expressions/tagged-template/cache-realm.js:
4359         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
4360         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
4361         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
4362         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
4363         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
4364         * test262/test/language/literals/string/mongolian-vowel-separator.js:
4365         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
4366         (o.get z):
4367         (o.get a):
4368         * test262/test/language/statements/for-of/iterator-next-reference.js:
4369         (next):
4370         (iterator.next): Deleted.
4371         (x.of.iterable.): Deleted.
4372         (x.of.iterable.get return): Deleted.
4373         (x.of.iterable.iterator.next): Deleted.
4374         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
4375         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
4376         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
4377         * test262/test/language/white-space/mongolian-vowel-separator.js:
4378         * test262/test262-Revision.txt:
4379
4380 2017-10-03  Saam Barati  <sbarati@apple.com>
4381
4382         Implement polymorphic prototypes
4383         https://bugs.webkit.org/show_bug.cgi?id=176391
4384
4385         Reviewed by Filip Pizlo.
4386
4387         * microbenchmarks/poly-proto-access.js: Added.
4388         (assert):
4389        &n