26b8546c06c87211f1c4d3eea00fe5594a018515
[WebKit-https.git] / JSTests / ChangeLog
1 2018-02-23  Saam Barati  <sbarati@apple.com>
2
3         Make Number.isInteger an intrinsic
4         https://bugs.webkit.org/show_bug.cgi?id=183088
5
6         Reviewed by JF Bastien.
7
8         * stress/number-is-integer-intrinsic.js: Added.
9
10 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
11
12         WebAssembly: cache memory address / size on instance
13         https://bugs.webkit.org/show_bug.cgi?id=177305
14
15         Reviewed by JF Bastien.
16
17         * wasm/function-tests/memory-reuse.js: Added.
18         (createWasmInstance):
19         (doCheckTrap):
20         (doMemoryGrow):
21         (doCheck):
22         (checkWasmInstancesWithSharedMemory):
23
24 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
25
26         [JSC] Implement $vm.ftlTrue function for FTL testing
27         https://bugs.webkit.org/show_bug.cgi?id=183071
28
29         Reviewed by Mark Lam.
30
31         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
32         (foo):
33         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
34         (foo):
35         * stress/dead-fiat-value-to-int52.js:
36         (foo):
37         * stress/dead-osr-entry-value.js:
38         (foo):
39         * stress/fiat-value-to-int52-then-exit-not-double.js:
40         (foo):
41         * stress/fiat-value-to-int52-then-exit-not-int52.js:
42         (foo):
43         * stress/fiat-value-to-int52-then-fail-to-fold.js:
44         (foo):
45         * stress/fiat-value-to-int52-then-fold.js:
46         (foo):
47         * stress/fiat-value-to-int52.js:
48         (foo):
49         * stress/fold-based-on-int32-proof-mul-branch.js:
50         (foo):
51         * stress/fold-profiled-call-to-call.js:
52         (foo):
53         * stress/fold-to-double-constant-then-exit.js:
54         (foo):
55         * stress/fold-to-int52-constant-then-exit.js:
56         (foo):
57         * stress/fold-to-primitive-in-cfa.js:
58         (foo):
59         * stress/fold-to-primitive-to-identity-in-cfa.js:
60         (foo):
61         * stress/has-indexed-property-array-storage-ftl.js: Added.
62         (shouldBe):
63         (test1):
64         (test2):
65         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
66         (shouldBe):
67         (test1):
68         (test2):
69         * stress/int52-ai-add-then-filter-int32.js:
70         (foo):
71         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
72         (foo):
73         * stress/int52-ai-mul-then-filter-int32.js:
74         (foo):
75         * stress/int52-ai-neg-then-filter-int32.js:
76         (foo):
77         * stress/int52-ai-sub-then-filter-int32.js:
78         (foo):
79         * stress/licm-pre-header-cannot-exit-nested.js:
80         (foo):
81         * stress/licm-pre-header-cannot-exit.js:
82         (foo):
83         * stress/sparse-array-entry-update-144067.js:
84         (useMemoryToTriggerGCs):
85         * stress/test-spec-misc.js:
86         (foo):
87         * stress/tricky-array-bounds-checks.js:
88         (foo):
89
90 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
91
92         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
93         https://bugs.webkit.org/show_bug.cgi?id=182792
94
95         Reviewed by Mark Lam.
96
97         * stress/has-indexed-property-array-storage.js: Added.
98         (shouldBe):
99         (test1):
100         (test2):
101         * stress/has-indexed-property-slow-put-array-storage.js: Added.
102         (shouldBe):
103         (test1):
104         (test2):
105
106 2018-02-20  Saam Barati  <sbarati@apple.com>
107
108         DFG::VarargsForwardingPhase should eliminate getting argument length
109         https://bugs.webkit.org/show_bug.cgi?id=182959
110
111         Reviewed by Keith Miller.
112
113         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
114
115 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
116
117         [FTL] Support ArrayPush for ArrayStorage
118         https://bugs.webkit.org/show_bug.cgi?id=182782
119
120         Reviewed by Saam Barati.
121
122         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
123
124         * stress/array-push-array-storage-beyond-int32.js: Added.
125         (shouldBe):
126         (test):
127         * stress/array-push-array-storage.js: Added.
128         (shouldBe):
129         (test):
130         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
131         (shouldBe):
132         (test):
133         * stress/array-push-multiple-storage-continuous.js: Added.
134         (shouldBe):
135         (test):
136
137 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
138
139         [FTL] Support ArrayPop for ArrayStorage
140         https://bugs.webkit.org/show_bug.cgi?id=182783
141
142         Reviewed by Saam Barati.
143
144         * stress/array-pop-array-storage.js: Added.
145         (shouldBe):
146         (test):
147
148 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
149
150         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
151         https://bugs.webkit.org/show_bug.cgi?id=182731
152
153         Reviewed by Saam Barati.
154
155         * stress/arrayify-array-storage-array.js: Added.
156         (shouldBe):
157         (testArrayStorage):
158         * stress/arrayify-array-storage-non-array.js: Added.
159         (shouldBe):
160         (testArrayStorage):
161         * stress/arrayify-array-storage.js: Added.
162         (shouldBe):
163         (testArrayStorage):
164         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
165         (shouldBe):
166         (testArrayStorage):
167         * stress/arrayify-slow-put-array-storage.js: Added.
168         (shouldBe):
169         (testArrayStorage):
170
171 2018-02-19  Saam Barati  <sbarati@apple.com>
172
173         Don't use JSFunction's allocation profile when getting the prototype can be effectful
174         https://bugs.webkit.org/show_bug.cgi?id=182942
175         <rdar://problem/37584764>
176
177         Reviewed by Mark Lam.
178
179         * stress/get-prototype-create-this-effectful.js: Added.
180
181 2018-02-16  Saam Barati  <sbarati@apple.com>
182
183         Fix bugs from r228411
184         https://bugs.webkit.org/show_bug.cgi?id=182851
185         <rdar://problem/37577732>
186
187         Reviewed by JF Bastien.
188
189         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
190
191 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
192
193         Unreviewed, roll out r228366 since it did not progress anything.
194
195         * stress/gc-error-stack.js: Removed.
196         * stress/no-gc-error-stack.js: Removed.
197
198 2018-02-15  Tomas Popela  <tpopela@redhat.com>
199
200         Many stress tests fail with JIT disabled
201         https://bugs.webkit.org/show_bug.cgi?id=182730
202
203         Reviewed by Saam Barati.
204
205         These tests are broken by design if the JIT is disabled - they test
206         the return value of numberOfDFGCompiles(), which is always set to
207         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
208
209         * stress/arith-abs-on-various-types.js:
210         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
211         * stress/arith-acos-on-various-types.js:
212         * stress/arith-acosh-on-various-types.js:
213         * stress/arith-asin-on-various-types.js:
214         * stress/arith-asinh-on-various-types.js:
215         * stress/arith-atan-on-various-types.js:
216         * stress/arith-atanh-on-various-types.js:
217         * stress/arith-cbrt-on-various-types.js:
218         * stress/arith-ceil-on-various-types.js:
219         * stress/arith-clz32-on-various-types.js:
220         * stress/arith-cos-on-various-types.js:
221         * stress/arith-cosh-on-various-types.js:
222         * stress/arith-expm1-on-various-types.js:
223         * stress/arith-floor-on-various-types.js:
224         * stress/arith-fround-on-various-types.js:
225         * stress/arith-log-on-various-types.js:
226         * stress/arith-log10-on-various-types.js:
227         * stress/arith-log2-on-various-types.js:
228         * stress/arith-negate-on-various-types.js:
229         * stress/arith-round-on-various-types.js:
230         * stress/arith-sin-on-various-types.js:
231         * stress/arith-sinh-on-various-types.js:
232         * stress/arith-sqrt-on-various-types.js:
233         * stress/arith-tan-on-various-types.js:
234         * stress/arith-tanh-on-various-types.js:
235         * stress/arith-trunc-on-various-types.js:
236         * stress/compare-strict-eq-on-various-types.js:
237
238 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
239
240         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
241
242         Unreviewed test gardening.
243
244         * stress/new-largeish-contiguous-array-with-size.js:
245
246 2018-02-14  Saam Barati  <sbarati@apple.com>
247
248         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
249         https://bugs.webkit.org/show_bug.cgi?id=182801
250
251         Reviewed by Keith Miller.
252
253         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
254
255 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
256
257         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
258         https://bugs.webkit.org/show_bug.cgi?id=182526
259
260         Unreviewed test gardening.
261
262         * stress/activation-sink-default-value-tdz-error.js:
263
264 2018-02-13  Saam Barati  <sbarati@apple.com>
265
266         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
267         https://bugs.webkit.org/show_bug.cgi?id=182755
268         <rdar://problem/37080864>
269
270         Reviewed by Keith Miller.
271
272         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
273         (test1.o.get 10005):
274         (test1):
275         (test2.o.get 1000):
276         (test2):
277
278 2018-02-13  Caitlin Potter  <caitp@igalia.com>
279
280         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
281         https://bugs.webkit.org/show_bug.cgi?id=182717
282
283         Reviewed by Yusuke Suzuki.
284
285         https://github.com/tc39/ecma262/pull/890 imposes a change to template
286         literals, to allow template callsite arrays to be collected when the
287         code containing the tagged template call is collected. This spec change
288         has received concensus and been ratified.
289
290         This change eliminates the eternal map associating template contents
291         with arrays.
292
293         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
294         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
295         * stress/tagged-templates-identity.js:
296         * stress/template-string-tags-eval.js:
297         * test262.yaml:
298
299 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
300
301         Support GetArrayLength on ArrayStorage in the FTL
302         https://bugs.webkit.org/show_bug.cgi?id=182625
303
304         Reviewed by Saam Barati.
305
306         * stress/array-storage-length.js: Added.
307         (shouldBe):
308         (testInBound):
309         (testUncountable):
310         (testSlowPutInBound):
311         (testSlowPutUncountable):
312         * stress/undecided-length.js: Added.
313         (shouldBe):
314         (test2):
315
316 2018-02-12  Saam Barati  <sbarati@apple.com>
317
318         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
319         https://bugs.webkit.org/show_bug.cgi?id=182706
320         <rdar://problem/36833681>
321
322         Reviewed by Filip Pizlo.
323
324         * stress/get-array-length-phantom-new-array-buffer.js: Added.
325         (effects):
326         (foo):
327
328 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
329
330         Don't waste memory for error.stack
331         https://bugs.webkit.org/show_bug.cgi?id=182656
332
333         Reviewed by Saam Barati.
334         
335         Tests the policy.
336
337         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
338         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
339
340 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
341
342         [JSC] Update Test262 to Feb 9 version
343         https://bugs.webkit.org/show_bug.cgi?id=182468
344
345         Reviewed by Saam Barati.
346
347 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
348
349         Unreviewed, fix invalid line terminator in old test262 file part 2
350         https://bugs.webkit.org/show_bug.cgi?id=182468
351
352         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
353
354 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
355
356         Unreviewed, fix invalid line terminator in old test262 file
357         https://bugs.webkit.org/show_bug.cgi?id=182468
358
359         * test262/test/language/literals/regexp/7.8.5-1.js:
360
361 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
362
363         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
364         https://bugs.webkit.org/show_bug.cgi?id=182440
365
366         Reviewed by Darin Adler.
367
368         * stress/array-flatmap.js: Added.
369         (shouldBe):
370         (shouldBeArray):
371         (shouldThrow):
372         (var):
373         * stress/array-flatten.js: Added.
374         (shouldBe):
375         (shouldBeArray):
376         * test262.yaml:
377         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
378         (3.flatMap):
379         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
380
381 2018-02-06  Keith Miller  <keith_miller@apple.com>
382
383         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
384         https://bugs.webkit.org/show_bug.cgi?id=182549
385         <rdar://problem/36189995>
386
387         Reviewed by Saam Barati.
388
389         * stress/var-injection-cache-invalidation.js: Added.
390         (allocateLotsOfThings):
391         (test):
392
393 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
394
395         Unreviewed, follow up for test262 update
396         https://bugs.webkit.org/show_bug.cgi?id=182288
397
398         * test262.yaml:
399
400 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
401
402         Update test262 to Jan 30 version
403         https://bugs.webkit.org/show_bug.cgi?id=182288
404
405         Unreviewed test gardening.
406
407         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
408
409 2018-02-02  Saam Barati  <sbarati@apple.com>
410
411         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
412         https://bugs.webkit.org/show_bug.cgi?id=182368
413         <rdar://problem/36932466>
414
415         Reviewed by Mark Lam.
416
417         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
418         (runNearStackLimit.t):
419         (runNearStackLimit):
420         (try.runNearStackLimit):
421         (catch):
422
423 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
424
425         Update test262 to Jan 30 version
426         https://bugs.webkit.org/show_bug.cgi?id=182288
427
428         Rubber stamped by Saam Barati.
429
430         This patch updates test262 to the latest one, Jan 30 version.
431         Since added and changed files are too many, we cannot create ChangeLog.
432         The following files are changed.
433
434         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
435         including some special line terminators (like u2028, u2029).
436
437         * test262.yaml:
438         * test262/test262-Revision.txt:
439         * test262/*:
440
441 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
442
443         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
444         https://bugs.webkit.org/show_bug.cgi?id=182411
445
446         Reviewed by Carlos Alberto Lopez Perez.
447
448         This is skipped only on arm memory limited platforms. Until recently
449         it was not a problem on MIPS as the butterfly was not initialized. But
450         since r227435, the butterfly is initialized in that test and therefore
451         memory is allocated, and the test typically takes around 512M, which
452         means it generally gets OOM-killed on the MIPS buildbot.
453
454         * mozilla/mozilla-tests.yaml:
455
456 2018-02-01  Mark Lam  <mark.lam@apple.com>
457
458         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
459         https://bugs.webkit.org/show_bug.cgi?id=182419
460         <rdar://problem/37044945>
461
462         Reviewed by Saam Barati.
463
464         * stress/regress-182419.js: Added.
465
466 2018-02-01  Keith Miller  <keith_miller@apple.com>
467
468         Fix crashes due to mishandling custom sections.
469         https://bugs.webkit.org/show_bug.cgi?id=182404
470         <rdar://problem/36935863>
471
472         Reviewed by Saam Barati.
473
474         * wasm/Builder.js:
475         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
476         * wasm/js-api/validate.js:
477         (assert.truthy):
478
479 2018-01-31  Saam Barati  <sbarati@apple.com>
480
481         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
482         https://bugs.webkit.org/show_bug.cgi?id=182074
483         <rdar://problem/36846261>
484
485         Reviewed by Mark Lam.
486
487         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
488         (assert):
489         (let.func):
490         (let.o.foo):
491         (varFunc):
492
493 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
494
495         Unreviewed, update test262 expects
496         https://bugs.webkit.org/show_bug.cgi?id=182232
497
498         * test262.yaml:
499
500 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
501
502         [JSC] Implement trimStart and trimEnd
503         https://bugs.webkit.org/show_bug.cgi?id=182233
504
505         Reviewed by Mark Lam.
506
507         * stress/trim.js: Added.
508         (shouldBe):
509         (startTest):
510         (endTest):
511         (trimTest):
512
513 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
514
515         [JSC] Relax line terminators in String to make JSON subset of JS
516         https://bugs.webkit.org/show_bug.cgi?id=182232
517
518         Reviewed by Keith Miller.
519
520         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
521         * stress/relaxed-line-terminators-in-string.js: Added.
522         (shouldBe):
523
524 2018-01-29  Michael Saboff  <msaboff@apple.com>
525
526         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
527         https://bugs.webkit.org/show_bug.cgi?id=182249
528
529         Reviewed by Keith Miller.
530
531         New regression test.
532
533         * stress/compare-clobber-untypeduse.js: Added.
534
535 2018-01-29  Matt Lewis  <jlewis3@apple.com>
536
537         Unreviewed, rolling out r227725.
538
539         This caused internal failures.
540
541         Reverted changeset:
542
543         "JSC Sampling Profiler: Detect tester and testee when sampling
544         in RegExp JIT"
545         https://bugs.webkit.org/show_bug.cgi?id=152729
546         https://trac.webkit.org/changeset/227725
547
548 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
549
550         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
551         https://bugs.webkit.org/show_bug.cgi?id=152729
552
553         Reviewed by Saam Barati.
554
555         * stress/sampling-profiler-regexp.js: Added.
556         (platformSupportsSamplingProfiler.test):
557         (platformSupportsSamplingProfiler.baz):
558         (platformSupportsSamplingProfiler):
559
560 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
561
562         [DFG][FTL] WeakMap#set should have DFG node
563         https://bugs.webkit.org/show_bug.cgi?id=180015
564
565         Reviewed by Saam Barati.
566
567         * stress/weakmap-set-change-get.js: Added.
568         (shouldBe):
569         (test):
570         * stress/weakmap-set-cse.js: Added.
571         (shouldBe):
572         (test):
573         * stress/weakset-add-change-get.js: Added.
574         (shouldBe):
575         * stress/weakset-add-cse.js: Added.
576         (shouldBe):
577
578 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
579
580         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
581         https://bugs.webkit.org/show_bug.cgi?id=182213
582
583         Reviewed by Mark Lam.
584
585         * stress/int32-min-to-string.js: Added.
586         (shouldBe):
587         (test2):
588         (test4):
589         (test8):
590         (test16):
591         (test32):
592         * stress/zero-to-string.js: Added.
593         (shouldBe):
594         (test2):
595         (test4):
596         (test8):
597         (test16):
598         (test32):
599
600 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
601
602         Add more module scope related tests with code evaluation by string
603         https://bugs.webkit.org/show_bug.cgi?id=181983
604
605         Reviewed by Sam Weinig.
606
607         Add more module scope related tests. When the original tests are landed,
608         we do not have browser integration. This patch adds more module scope tests
609         with dynamically created script evaluation. We add tests with Function
610         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
611
612         * modules/scopes-eval.js: Added.
613         (shouldBe):
614         * modules/scopes.js:
615         (shouldBe):
616
617 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
618
619         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
620
621         * microbenchmarks/array-push-3.js: Removed.
622         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
623         * microbenchmarks/double-to-int32.js: Removed.
624         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
625         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
626         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
627         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
628         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
629         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
630         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
631         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
632         * microbenchmarks/map-constant-key.js: Removed.
633         * microbenchmarks/nested-function-parsing.js: Removed.
634         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
635         * microbenchmarks/spread-large-array.js: Removed.
636         * microbenchmarks/string-add-constant-folding.js: Removed.
637         * microbenchmarks/to-lower-case.js: Removed.
638         * microbenchmarks/undefined-property-access.js: Removed.
639         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
640         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
641         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
642         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
643         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
644         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
645         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
646         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
647         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
648         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
649         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
650         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
651         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
652         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
653         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
654         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
655         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
656         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
657
658 2018-01-23  Robin Morisset  <rmorisset@apple.com>
659
660         Update the argument count in DFGByteCodeParser::handleRecursiveCall
661         https://bugs.webkit.org/show_bug.cgi?id=181739
662         <rdar://problem/36627662>
663
664         Reviewed by Saam Barati.
665
666         * stress/recursive-tail-call-with-different-argument-count.js: Added.
667         (foo):
668         (bar):
669
670 2018-01-22  Michael Saboff  <msaboff@apple.com>
671
672         DFG abstract interpreter needs to properly model effects of some Math ops
673         https://bugs.webkit.org/show_bug.cgi?id=181886
674
675         Reviewed by Saam Barati.
676
677         New regression test.
678
679         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
680         (test):
681
682 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
683
684         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
685         https://bugs.webkit.org/show_bug.cgi?id=181182
686
687         Reviewed by Darin Adler.
688
689         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
690         * stress/big-int-prototype-to-string-exception.js: Added.
691         * stress/big-int-prototype-to-string-wrong-values.js: Added.
692         * stress/number-prototype-to-string-cast-overflow.js: Added.
693         * stress/number-prototype-to-string-exception.js: Added.
694         * stress/number-prototype-to-string-wrong-values.js: Added.
695
696 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
697
698         Disable Atomics when SharedArrayBuffer isn’t enabled
699         https://bugs.webkit.org/show_bug.cgi?id=181572
700
701         Unreviewed test gardening.
702
703         * test262.yaml: Skip tests that fail after this change.
704
705 2018-01-19  Saam Barati  <sbarati@apple.com>
706
707         Kill ArithNegate's ArithProfile assert inside BytecodeParser
708         https://bugs.webkit.org/show_bug.cgi?id=181877
709         <rdar://problem/36630552>
710
711         Reviewed by Mark Lam.
712
713         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
714         (runNearStackLimit):
715         (f1):
716         (f2):
717         (f3):
718         (i.catch):
719         (i.try.runNearStackLimit):
720         (catch):
721
722 2018-01-19  Saam Barati  <sbarati@apple.com>
723
724         Spread's effects are modeled incorrectly both in AI and in Clobberize
725         https://bugs.webkit.org/show_bug.cgi?id=181867
726         <rdar://problem/36290415>
727
728         Reviewed by Michael Saboff.
729
730         * stress/ai-needs-to-model-spreads-effects.js: Added.
731         (try.p.Symbol.iterator):
732         (try.go):
733         (catch):
734         * stress/clobberize-needs-to-model-spread-effects.js: Added.
735         (assert):
736         (foo):
737         (a.Symbol.iterator):
738
739 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
740
741         Unreviewed, reduce count of iteration to fix timing out debug JSC test
742         https://bugs.webkit.org/show_bug.cgi?id=181535
743
744         * stress/inserted-recovery-with-set-last-index.js:
745
746 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
747
748         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
749         https://bugs.webkit.org/show_bug.cgi?id=181535
750
751         Reviewed by Saam Barati.
752
753         * stress/inserted-recovery-with-set-last-index.js: Added.
754         (shouldBe):
755         (foo):
756         * stress/materialize-regexp-at-osr-exit.js: Added.
757         (shouldBe):
758         (test):
759         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
760         (shouldBe):
761         (test):
762         * stress/materialize-regexp-cyclic-regexp.js: Added.
763         (shouldBe):
764         (test):
765         (i.switch):
766         * stress/materialize-regexp-cyclic.js: Added.
767         (shouldBe):
768         (test):
769         (i.switch):
770         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
771         (bar):
772         (foo):
773         (test):
774         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
775         (bar):
776         (foo):
777         (test):
778         * stress/materialize-regexp.js: Added.
779         (shouldBe):
780         (test):
781         * stress/phantom-regexp-regexp-exec.js: Added.
782         (shouldBe):
783         (test):
784         * stress/phantom-regexp-string-match.js: Added.
785         (shouldBe):
786         (test):
787         * stress/regexp-last-index-sinking.js: Added.
788         (shouldBe):
789         (test):
790
791 2018-01-17  Saam Barati  <sbarati@apple.com>
792
793         Disable Atomics when SharedArrayBuffer isn’t enabled
794         https://bugs.webkit.org/show_bug.cgi?id=181572
795         <rdar://problem/36553206>
796
797         Reviewed by Michael Saboff.
798
799         * stress/isLockFree.js:
800
801 2018-01-17  Saam Barati  <sbarati@apple.com>
802
803         DFG::Node::convertToConstant needs to clear the varargs flags
804         https://bugs.webkit.org/show_bug.cgi?id=181697
805         <rdar://problem/36497332>
806
807         Reviewed by Yusuke Suzuki.
808
809         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
810         (doIndexOf):
811         (bar):
812         (i.bar):
813
814 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
815
816         Unreviewed, rolling out r226937.
817
818         Tests added with this change are failing due to a missing
819         exception check.
820
821         Reverted changeset:
822
823         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
824         double to int32_t"
825         https://bugs.webkit.org/show_bug.cgi?id=181182
826         https://trac.webkit.org/changeset/226937
827
828 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
829
830         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
831         https://bugs.webkit.org/show_bug.cgi?id=181182
832
833         Reviewed by Darin Adler.
834
835         * bigIntTests.yaml:
836         * stress/big-int-constructor.js:
837         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
838         (assert):
839         (assertThrowRangeError):
840         * stress/number-prototype-to-string-cast-overflow.js: Added.
841         (assert):
842         (assertThrowRangeError):
843
844 2018-01-12  Saam Barati  <sbarati@apple.com>
845
846         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
847         https://bugs.webkit.org/show_bug.cgi?id=181177
848         <rdar://problem/36205704>
849
850         Reviewed by Yusuke Suzuki.
851
852         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
853         (runNearStackLimit.t):
854         (runNearStackLimit):
855         (test.f):
856         (test):
857
858 2018-01-12  Saam Barati  <sbarati@apple.com>
859
860         Each variant of a polymorphic inlined call should be exitOK at the top of the block
861         https://bugs.webkit.org/show_bug.cgi?id=181562
862         <rdar://problem/36445624>
863
864         Reviewed by Yusuke Suzuki.
865
866         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
867         (f):
868         (foo):
869
870 2018-01-11  Saam Barati  <sbarati@apple.com>
871
872         When inserting Unreachable in byte code parser we need to flush all the right things
873         https://bugs.webkit.org/show_bug.cgi?id=181509
874         <rdar://problem/36423110>
875
876         Reviewed by Mark Lam.
877
878         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
879
880 2018-01-11  Saam Barati  <sbarati@apple.com>
881
882         JITMathIC code in the FTL is wrong when code gets duplicated
883         https://bugs.webkit.org/show_bug.cgi?id=181525
884         <rdar://problem/36351993>
885
886         Reviewed by Michael Saboff and Keith Miller.
887
888         * stress/allow-math-ic-b3-code-duplication.js: Added.
889
890 2018-01-11  Saam Barati  <sbarati@apple.com>
891
892         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
893         https://bugs.webkit.org/show_bug.cgi?id=181508
894
895         Reviewed by Yusuke Suzuki.
896
897         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
898         (assert):
899         (test1.foo):
900         (test1):
901         (test2.foo):
902         (test2):
903
904 2018-01-09  Mark Lam  <mark.lam@apple.com>
905
906         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
907         https://bugs.webkit.org/show_bug.cgi?id=181388
908         <rdar://problem/36349351>
909
910         Reviewed by Saam Barati.
911
912         * stress/regress-181388.js: Added.
913
914 2018-01-08  JF Bastien  <jfbastien@apple.com>
915
916         WebAssembly: mask indexed accesses to Table
917         https://bugs.webkit.org/show_bug.cgi?id=181412
918         <rdar://problem/36363236>
919
920         Reviewed by Saam Barati.
921
922         Update error messages.
923
924         * wasm/js-api/table.js:
925         (assert.throws.WebAssembly.Table.prototype.grow):
926
927 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
928
929         Disable SharedArrayBuffer tests missed in r226386.
930         https://bugs.webkit.org/show_bug.cgi?id=181266
931
932         Unreviewed test gardening.
933
934         * test262.yaml:
935
936 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
937
938         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
939         https://bugs.webkit.org/show_bug.cgi?id=181321
940
941         Reviewed by Saam Barati.
942
943         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
944         (shouldBe):
945         (testFunction):
946         * test262.yaml:
947
948 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
949
950         Unreviewed, attempt to fix test262 after r226386.
951
952         * test262.yaml:
953
954 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
955
956         [DFG] Define defs for MapSet/SetAdd to participate in CSE
957         https://bugs.webkit.org/show_bug.cgi?id=179911
958
959         Reviewed by Saam Barati.
960
961         In addition to these tests, map-set-cse.js and set-add-cse.js work.
962
963         * stress/map-set-change-get.js: Added.
964         (shouldBe):
965         (test):
966         * stress/map-set-create-bucket.js: Added.
967         (shouldBe):
968         (test):
969         * stress/set-add-create-bucket.js: Added.
970         (shouldBe):
971
972 2018-01-03  Michael Saboff  <msaboff@apple.com>
973
974         Disable SharedArrayBuffers from Web API
975         https://bugs.webkit.org/show_bug.cgi?id=181266
976
977         Reviewed by Saam Barati.
978
979         Disabled SharedArrayBuffer tests.
980
981         * stress/SharedArrayBuffer-opt.js:
982         * stress/SharedArrayBuffer.js:
983         * stress/array-buffer-byte-length.js:
984         * stress/atomics-add-uint32.js:
985         * stress/atomics-known-int-use.js:
986         * stress/atomics-neg-zero.js:
987         * stress/atomics-store-return.js:
988         * stress/lars-sab-workers.js:
989         * stress/regress-159779-1.js:
990         * stress/regress-159779-2.js:
991         * stress/regress-170473.js:
992         * test262.yaml:
993
994 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
995
996         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
997         https://bugs.webkit.org/show_bug.cgi?id=181258
998
999         Reviewed by Antonio Gomes.
1000
1001         * stress/big-int-constructor-gc.js:
1002         * stress/big-int-constructor-oom.js:
1003
1004 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1005
1006         Inlining of a function that ends in op_unreachable crashes
1007         https://bugs.webkit.org/show_bug.cgi?id=181027
1008
1009         Reviewed by Filip Pizlo.
1010
1011         * stress/inlining-unreachable.js: Added.
1012         (bar):
1013         (baz):
1014         (i.catch):
1015
1016 2018-01-02  Saam Barati  <sbarati@apple.com>
1017
1018         Incorrect assertion inside AccessCase
1019         https://bugs.webkit.org/show_bug.cgi?id=181200
1020         <rdar://problem/35494754>
1021
1022         Reviewed by Yusuke Suzuki.
1023
1024         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1025         (ctor):
1026         (theFunc):
1027         (run):
1028
1029 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1030
1031         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1032         https://bugs.webkit.org/show_bug.cgi?id=175359
1033
1034         Reviewed by Yusuke Suzuki.
1035
1036         * bigIntTests.yaml:
1037         * stress/big-int-as-key.js: Added.
1038         * stress/big-int-constructor-gc.js: Added.
1039         * stress/big-int-constructor-oom.js: Added.
1040         * stress/big-int-constructor-properties.js: Added.
1041         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1042         * stress/big-int-constructor-prototype.js: Added.
1043         * stress/big-int-constructor.js: Added.
1044         * stress/big-int-function-apply.js:
1045         * stress/big-int-length.js: Added.
1046         * stress/big-int-prop-descriptor.js: Added.
1047         * stress/big-int-proto-constructor.js: Added.
1048         * stress/big-int-proto-name.js: Added.
1049         * stress/big-int-prototype-properties.js: Added.
1050         * stress/big-int-prototype-proto.js: Added.
1051         * stress/big-int-prototype-value-of.js: Added.
1052         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1053         * stress/big-int-prototype-to-string-apply.js: Added.
1054         * stress/big-int-to-object.js: Added.
1055         * stress/big-int-to-string.js: Added.
1056
1057 2017-12-28  Saam Barati  <sbarati@apple.com>
1058
1059         Assertion used to determine if something is an async generator is wrong
1060         https://bugs.webkit.org/show_bug.cgi?id=181168
1061         <rdar://problem/35640560>
1062
1063         Reviewed by Yusuke Suzuki.
1064
1065         * stress/async-generator-assertion.js: Added.
1066
1067 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1068
1069         Skip stress/splay-flash-access tests on memory limited platforms
1070         https://bugs.webkit.org/show_bug.cgi?id=181086
1071
1072         Reviewed by Carlos Alberto Lopez Perez.
1073
1074         These tests use about 185M of memory, and occasionally get OOM-killed
1075         on memory limited platforms.
1076
1077         * stress/splay-flash-access-1ms.js:
1078         * stress/splay-flash-access.js:
1079
1080 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1081
1082         Skip slow jsc tests on embedded platforms
1083         https://bugs.webkit.org/show_bug.cgi?id=180937
1084
1085         Reviewed by Carlos Alberto Lopez Perez.
1086
1087         The tests typeProfiler/deltablue-for-of.js and
1088         typeProfiler/getter-richards.js take a very long time in the
1089         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1090         thus always timeout. They should be skipped on these platforms.
1091
1092         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1093         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1094
1095 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1096
1097         [JSC] Do not check isValid() in op_new_regexp
1098         https://bugs.webkit.org/show_bug.cgi?id=180970
1099
1100         Reviewed by Saam Barati.
1101
1102         * stress/regexp-syntax-error-invalid-flags.js: Added.
1103         (shouldThrow):
1104
1105 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1106
1107         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1108         https://bugs.webkit.org/show_bug.cgi?id=180712
1109
1110         Reviewed by Michael Catanzaro.
1111
1112         stress/call-apply-exponential-bytecode-size.js crashes if the
1113         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1114         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1115         should skip the test on other platforms.
1116
1117         * stress/call-apply-exponential-bytecode-size.js:
1118
1119 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1120
1121         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1122         https://bugs.webkit.org/show_bug.cgi?id=179762
1123
1124         Reviewed by Saam Barati.
1125
1126         * stress/call-varargs-double-new-array-buffer.js: Added.
1127         (assert):
1128         (bar):
1129         (foo):
1130         * stress/call-varargs-spread-new-array-buffer.js: Added.
1131         (assert):
1132         (bar):
1133         (foo):
1134         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1135         (assert):
1136         (bar):
1137         (foo):
1138         * stress/forward-varargs-double-new-array-buffer.js: Added.
1139         (assert):
1140         (test.baz):
1141         (test.bar):
1142         (test.foo):
1143         (test):
1144         * stress/new-array-buffer-sinking-osrexit.js: Added.
1145         (target):
1146         (test):
1147         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1148         (shouldBe):
1149         (test):
1150         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1151         (shouldBe):
1152         (target):
1153         (test):
1154         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1155         (assert):
1156         (test1.bar):
1157         (test1.foo):
1158         (test1):
1159         (test2.bar):
1160         (test2.foo):
1161         (test3.baz):
1162         (test3.bar):
1163         (test3.foo):
1164         (test4.baz):
1165         (test4.bar):
1166         (test4.foo):
1167         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1168         (assert):
1169         (test.baz):
1170         (test.bar):
1171         (test.foo):
1172         (test):
1173         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1174         (assert):
1175         (baz):
1176         (bar):
1177         (effects):
1178         (foo):
1179
1180 2017-12-14  Saam Barati  <sbarati@apple.com>
1181
1182         The CleanUp after LICM is erroneously removing a Check
1183         https://bugs.webkit.org/show_bug.cgi?id=180852
1184         <rdar://problem/36063494>
1185
1186         Reviewed by Filip Pizlo.
1187
1188         * stress/dont-run-cleanup-after-licm.js: Added.
1189
1190 2017-12-14  Michael Saboff  <msaboff@apple.com>
1191
1192         REGRESSION (r225695): Repro crash on yahoo login page
1193         https://bugs.webkit.org/show_bug.cgi?id=180761
1194
1195         Reviewed by JF Bastien.
1196
1197         New regression test.
1198
1199         * stress/regress-180761.js: Added.
1200
1201 2017-12-13  Keith Miller  <keith_miller@apple.com>
1202
1203         JSObjects should have a mask for loading indexed properties
1204         https://bugs.webkit.org/show_bug.cgi?id=180768
1205
1206         Reviewed by Mark Lam.
1207
1208         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1209         (test):
1210
1211 2017-12-13  Saam Barati  <sbarati@apple.com>
1212
1213         Arrow functions need their own structure because they have different properties than sloppy functions
1214         https://bugs.webkit.org/show_bug.cgi?id=180779
1215         <rdar://problem/35814591>
1216
1217         Reviewed by Mark Lam.
1218
1219         * stress/arrow-function-needs-its-own-structure.js: Added.
1220         (assert):
1221         (readPrototype):
1222         (noInline.let.f1):
1223         (noInline):
1224
1225 2017-12-13  Saam Barati  <sbarati@apple.com>
1226
1227         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1228         https://bugs.webkit.org/show_bug.cgi?id=163579
1229         <rdar://problem/35455798>
1230
1231         Reviewed by Mark Lam.
1232
1233         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1234         (assert):
1235         (test1):
1236         (i.test1):
1237         (i.test1.C):
1238         (i.test1.async.foo):
1239         (i.test1.foo):
1240         (test2):
1241
1242 2017-12-13  Saam Barati  <sbarati@apple.com>
1243
1244         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1245         https://bugs.webkit.org/show_bug.cgi?id=180734
1246         <rdar://problem/35640547>
1247
1248         Reviewed by Yusuke Suzuki.
1249
1250         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1251         (__isPropertyOfType):
1252         (__getProperties):
1253         (__getObjects):
1254         (__getRandomObject):
1255         (theClass.):
1256         (theClass):
1257         (childClass):
1258         (counter.catch):
1259
1260 2017-12-12  Saam Barati  <sbarati@apple.com>
1261
1262         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1263         https://bugs.webkit.org/show_bug.cgi?id=180725
1264         <rdar://problem/35970511>
1265
1266         Reviewed by Michael Saboff.
1267
1268         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1269         (f1):
1270         (f2):
1271         (let.o2.valueOf):
1272
1273 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1274
1275         [JSC] Implement optimized WeakMap and WeakSet
1276         https://bugs.webkit.org/show_bug.cgi?id=179929
1277
1278         Reviewed by Saam Barati.
1279
1280         * microbenchmarks/weak-map-key.js:
1281         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1282         (assert):
1283         (objectKey):
1284         (let.start.Date.now):
1285         * stress/basic-weakmap.js: Added.
1286         (shouldBe):
1287         (test):
1288         * stress/basic-weakset.js: Added.
1289         (shouldBe):
1290         (test.set new):
1291         * stress/weakmap-cse-set-break.js: Added.
1292         (shouldBe):
1293         (test):
1294         * stress/weakmap-cse.js: Added.
1295         (shouldBe):
1296         (test):
1297         * stress/weakmap-gc.js: Added.
1298         (test):
1299         * stress/weakset-cse-add-break.js: Added.
1300         (shouldBe):
1301         (test.set new):
1302         * stress/weakset-cse.js: Added.
1303         (shouldBe):
1304         (test.set new):
1305         * stress/weakset-gc.js: Added.
1306         (test.set add):
1307         (test.set new):
1308         (test):
1309
1310 2017-12-12  Saam Barati  <sbarati@apple.com>
1311
1312         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1313         https://bugs.webkit.org/show_bug.cgi?id=180723
1314         <rdar://problem/35859726>
1315
1316         Reviewed by JF Bastien.
1317
1318         * stress/get-my-argument-by-val-constant-folding.js: Added.
1319         (test):
1320         (catch):
1321
1322 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1323
1324         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1325         https://bugs.webkit.org/show_bug.cgi?id=179000
1326
1327         Reviewed by Darin Adler and Yusuke Suzuki.
1328
1329         * bigIntTests.yaml: Added.
1330         * stress/big-int-literal-line-terminator.js: Added.
1331         * stress/big-int-literals.js: Added.
1332         * stress/big-int-operations-error.js: Added.
1333         * stress/big-int-type-of.js: Added.
1334         * stress/big-int-white-space-trailing-leading.js: Added.
1335         * stress/big-int-function-apply.js: Added.
1336
1337 2017-12-11  Saam Barati  <sbarati@apple.com>
1338
1339         We need to disableCaching() in ErrorInstance when we materialize properties
1340         https://bugs.webkit.org/show_bug.cgi?id=180343
1341         <rdar://problem/35833002>
1342
1343         Reviewed by Mark Lam.
1344
1345         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1346         (assert):
1347         (makeError):
1348         (storeToStack):
1349         (storeToStackAlreadyMaterialized):
1350
1351 2017-12-05  JF Bastien  <jfbastien@apple.com>
1352
1353         WebAssembly: don't eagerly checksum
1354         https://bugs.webkit.org/show_bug.cgi?id=180441
1355         <rdar://problem/35156628>
1356
1357         Reviewed by Saam Barati.
1358
1359         Checksum is now disabled, so tests only have <?> as the module
1360         name.
1361
1362         * wasm/function-tests/nameSection.js:
1363         * wasm/function-tests/stack-overflow.js:
1364         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1365         (assertOverflows.assertThrows):
1366         (assertOverflows):
1367         * wasm/function-tests/stack-trace.js:
1368
1369 2017-12-04  JF Bastien  <jfbastien@apple.com>
1370
1371         Proxy all functions, except the $ objects
1372         https://bugs.webkit.org/show_bug.cgi?id=180375
1373
1374         Reviewed by Saam Barati.
1375
1376         It looks like this test may have broken some executions because I
1377         call some internal objects. Explicitly ignore objects whose name
1378         starts with "$" because it's a bad idea anyways.
1379
1380         * stress/proxy-all-the-parameters.js:
1381         (generateObjects):
1382         (get throw):
1383
1384 2017-12-04  Saam Barati  <sbarati@apple.com>
1385
1386         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1387         https://bugs.webkit.org/show_bug.cgi?id=180366
1388         <rdar://problem/35685877>
1389
1390         Reviewed by Michael Saboff.
1391
1392         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1393         (theParent):
1394         (test1.base.getParentStaticValue):
1395         (test1.base):
1396         (test1.__v_24888.prototype.set prop):
1397         (test1.__v_24888):
1398         (test2.base.getParentStaticValue):
1399         (test2.base):
1400         (test2.__v_24888.prototype.set prop):
1401         (test2.__v_24888):
1402         (test2):
1403
1404 2017-12-01  JF Bastien  <jfbastien@apple.com>
1405
1406         Try proxying all function arguments
1407         https://bugs.webkit.org/show_bug.cgi?id=180306
1408
1409         Reviewed by Saam Barati.
1410
1411         * stress/proxy-all-the-parameters.js: Added.
1412         (isPropertyOfType):
1413         (getProperties):
1414         (generateObjects):
1415         (getObjects):
1416         (getFunctions):
1417         (get throw):
1418         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1419
1420 2017-12-01  JF Bastien  <jfbastien@apple.com>
1421
1422         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1423         https://bugs.webkit.org/show_bug.cgi?id=180297
1424         <rdar://problem/35745556>
1425
1426         Reviewed by Mark Lam.
1427
1428         * stress/math-exceptions.js: Added.
1429         (get try):
1430         (catch):
1431
1432 2017-12-01  JF Bastien  <jfbastien@apple.com>
1433
1434         JavaScriptCore: add test for weird class static getters
1435         https://bugs.webkit.org/show_bug.cgi?id=180281
1436         <rdar://problem/35592139>
1437
1438         Reviewed by Mark Lam.
1439
1440         I fixed a bug for it in r224927 and didn't add a test. Do so.
1441
1442         * stress/class-static-get-weird.js: Added.
1443         (c.prototype.get name):
1444         (c):
1445         (c.prototype.get arguments):
1446         (c.prototype.get caller):
1447         (c.prototype.get length):
1448
1449 2017-12-01  Saam Barati  <sbarati@apple.com>
1450
1451         Having a bad time needs to handle ArrayClass indexing type as well
1452         https://bugs.webkit.org/show_bug.cgi?id=180274
1453         <rdar://problem/35667869>
1454
1455         Reviewed by Keith Miller and Mark Lam.
1456
1457         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1458         (assert):
1459         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1460         (assert):
1461
1462 2017-12-01  JF Bastien  <jfbastien@apple.com>
1463
1464         WebAssembly: restore cached stack limit after out-call
1465         https://bugs.webkit.org/show_bug.cgi?id=179106
1466         <rdar://problem/35337525>
1467
1468         Reviewed by Saam Barati.
1469
1470         * wasm/function-tests/double-instance.js: Added.
1471         (const.imp.boom):
1472         (const.imp.get callAnother):
1473
1474 2017-11-30  JF Bastien  <jfbastien@apple.com>
1475
1476         WebAssembly: improve stack trace
1477         https://bugs.webkit.org/show_bug.cgi?id=179343
1478
1479         Reviewed by Saam Barati.
1480
1481         Update the tests to follow the new format. Notably, SHA1 module
1482         hash is now included in traces, and stubs are properly identified.
1483
1484         * wasm/assert.js: Add an assertion which matches regular expressions.
1485         * wasm/function-tests/nameSection.js:
1486         * wasm/function-tests/stack-overflow.js:
1487         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1488         (assertOverflows.assertThrows.wasm.1):
1489         (assertOverflows.assertThrows.wasm.0):
1490         (assertOverflows.assertThrows):
1491         (assertOverflows):
1492         * wasm/function-tests/stack-trace.js:
1493         (import.Builder.from.string_appeared_here.assert): Deleted.
1494         * wasm/function-tests/trap-after-cross-instance-call.js:
1495         (wasmFrameCountFromError):
1496         * wasm/function-tests/trap-load-2.js:
1497         (wasmFrameCountFromError):
1498         * wasm/function-tests/trap-load.js:
1499         (wasmFrameCountFromError):
1500
1501 2017-11-30  Mark Lam  <mark.lam@apple.com>
1502
1503         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1504         https://bugs.webkit.org/show_bug.cgi?id=180219
1505         <rdar://problem/35696536>
1506
1507         Reviewed by Filip Pizlo.
1508
1509         * stress/regress-180219.js: Added.
1510
1511 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1512
1513         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1514         https://bugs.webkit.org/show_bug.cgi?id=180190
1515
1516         Reviewed by Mark Lam.
1517
1518         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1519         (shouldBe):
1520         (test1):
1521         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1522         (shouldBe):
1523         (test1):
1524         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1525         (shouldBe):
1526         (test1):
1527         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1528         (shouldBe):
1529         (test1):
1530         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1531         (shouldBe):
1532         (test1):
1533         * stress/operation-in-may-have-negative-int32.js: Added.
1534         (shouldBe):
1535         (test2):
1536         * stress/operation-in-negative-int32-cast.js: Added.
1537         (shouldBe):
1538         (test1):
1539
1540 2017-11-28  JF Bastien  <jfbastien@apple.com>
1541
1542         Strict and sloppy functions shouldn't share structure
1543         https://bugs.webkit.org/show_bug.cgi?id=180103
1544         <rdar://problem/35667847>
1545
1546         Reviewed by Saam Barati.
1547
1548         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1549         because the IC was wrong.
1550         (foo):
1551         (bar):
1552         (baz):
1553         (catch):
1554         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1555         in this patch, but may as well test odd strict mode corner cases.
1556         (bar):
1557         (baz):
1558         (catch):
1559         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1560         (foo):
1561         (bar):
1562         (baz):
1563         (catch):
1564         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1565         next file, but with invalidation of the FunctionExecutable's
1566         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1567         slower path.
1568         (foo):
1569         (bar.const.x):
1570         (bar.const.y):
1571         (bar):
1572         (catch):
1573         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1574         strict nesting works correctly.
1575         (foo):
1576         (bar.baz):
1577         (bar):
1578         * stress/strict-function-structure.js: Added. The test used to
1579         assert in objectProtoFuncHasOwnProperty.
1580         (foo):
1581         (bar):
1582         (baz):
1583         * stress/strict-nested-function-structure.js: Added. Nesting.
1584         (foo):
1585         (bar):
1586         (baz.boo):
1587         (baz):
1588
1589 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1590
1591         The recursive tail call optimisation is wrong on closures
1592         https://bugs.webkit.org/show_bug.cgi?id=179835
1593
1594         Reviewed by Saam Barati.
1595
1596         * stress/closure-recursive-tail-call.js: Added.
1597         (makeClosure):
1598
1599 2017-11-27  JF Bastien  <jfbastien@apple.com>
1600
1601         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1602         https://bugs.webkit.org/show_bug.cgi?id=180051
1603         <rdar://problem/35614371>
1604
1605         Reviewed by Saam Barati.
1606
1607         * stress/rest-parameter-negative.js: Added.
1608         (__f_5484):
1609         (catch):
1610         (__f_5485):
1611         (__v_22598.catch):
1612
1613 2017-11-27  Saam Barati  <sbarati@apple.com>
1614
1615         Spread can escape when CreateRest does not
1616         https://bugs.webkit.org/show_bug.cgi?id=180057
1617         <rdar://problem/35676119>
1618
1619         Reviewed by JF Bastien.
1620
1621         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1622         (assert):
1623         (getProperties):
1624         (theFunc):
1625         (let.obj.valueOf):
1626
1627 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1628
1629         [DFG] Add NormalizeMapKey DFG IR
1630         https://bugs.webkit.org/show_bug.cgi?id=179912
1631
1632         Reviewed by Saam Barati.
1633
1634         * stress/map-untyped-normalize-cse.js: Added.
1635         (shouldBe):
1636         (test):
1637         * stress/map-untyped-normalize.js: Added.
1638         (shouldBe):
1639         (test):
1640         * stress/set-untyped-normalize-cse.js: Added.
1641         (shouldBe):
1642         (set return.set has.set has):
1643         * stress/set-untyped-normalize.js: Added.
1644         (shouldBe):
1645         (set return.set has):
1646
1647 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1648
1649         [FTL] Support DeleteById and DeleteByVal
1650         https://bugs.webkit.org/show_bug.cgi?id=180022
1651
1652         Reviewed by Saam Barati.
1653
1654         * stress/delete-by-id.js: Added.
1655         (shouldBe):
1656         (test1):
1657         (test2):
1658         * stress/delete-by-val-ftl.js: Added.
1659         (shouldBe):
1660         (test1):
1661         (test2):
1662
1663 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1664
1665         [DFG] Introduce {Set,Map,WeakMap}Fields
1666         https://bugs.webkit.org/show_bug.cgi?id=179925
1667
1668         Reviewed by Saam Barati.
1669
1670         * stress/map-set-clobber-map-get.js: Added.
1671         (shouldBe):
1672         (test):
1673         * stress/map-set-does-not-clobber-set-has.js: Added.
1674         (shouldBe):
1675         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1676         (shouldBe):
1677         (test):
1678         * stress/set-add-clobber-set-has.js: Added.
1679         (shouldBe):
1680         * stress/set-add-does-not-clobber-map-get.js: Added.
1681         (shouldBe):
1682
1683 2017-11-24  Mark Lam  <mark.lam@apple.com>
1684
1685         Move unsafe jsc shell test functions to the $vm object.
1686         https://bugs.webkit.org/show_bug.cgi?id=179980
1687
1688         Reviewed by Yusuke Suzuki.
1689
1690         * controlFlowProfiler/driver/driver.js:
1691         * controlFlowProfiler/execution-count.js:
1692         * controlFlowProfiler/if-statement.js:
1693         * controlFlowProfiler/loop-statements.js:
1694         * controlFlowProfiler/switch-statements.js:
1695         * controlFlowProfiler/test-jit.js:
1696         * exceptionFuzz/3d-cube.js:
1697         * exceptionFuzz/date-format-xparb.js:
1698         * exceptionFuzz/earley-boyer.js:
1699         * heapProfiler/basic-edges.js:
1700         * heapProfiler/property-edge-types.js:
1701         * microbenchmarks/try-get-by-id-basic.js:
1702         * microbenchmarks/try-get-by-id-polymorphic.js:
1703         * modules/namespace-object-try-get.js:
1704         * stress/argument-count-bytecode.js:
1705         * stress/argument-intrinsic-basic.js:
1706         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1707         * stress/argument-intrinsic-inlining-with-result-escape.js:
1708         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1709         * stress/argument-intrinsic-inlining-with-vararg.js:
1710         * stress/argument-intrinsic-nested-inlining.js:
1711         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1712         * stress/argument-intrinsic-with-stack-write.js:
1713         * stress/arity-mismatch-get-argument.js:
1714         * stress/array-message-passing.js:
1715         * stress/array-push-with-force-exit.js:
1716         * stress/check-dom-with-signature.js:
1717         * stress/check-sub-class.js:
1718         * stress/compare-eq-incomplete-profile.js:
1719         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1720         * stress/do-eval-virtual-call-correctly.js:
1721         * stress/dom-jit-with-poly-proto.js:
1722         * stress/domjit-exception-ic.js:
1723         * stress/domjit-exception.js:
1724         * stress/domjit-getter-complex-with-incorrect-object.js:
1725         * stress/domjit-getter-complex.js:
1726         * stress/domjit-getter-poly.js:
1727         * stress/domjit-getter-proto.js:
1728         * stress/domjit-getter-super-poly.js:
1729         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1730         * stress/domjit-getter-type-check.js:
1731         * stress/domjit-getter.js:
1732         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1733         * stress/for-in-proxy-target-changed-structure.js:
1734         * stress/for-in-proxy.js:
1735         * stress/generational-opaque-roots.js:
1736         * stress/global-const-redeclaration-setting-2.js:
1737         * stress/global-const-redeclaration-setting-3.js:
1738         * stress/global-const-redeclaration-setting-4.js:
1739         * stress/global-const-redeclaration-setting-5.js:
1740         * stress/global-const-redeclaration-setting.js:
1741         * stress/import-basic.js:
1742         * stress/import-from-eval.js:
1743         * stress/import-reject-with-exception.js:
1744         * stress/import-syntax.js:
1745         * stress/impure-get-own-property-slot-inline-cache.js:
1746         * stress/is-constructor.js:
1747         * stress/istypedarrayview-intrinsic.js:
1748         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1749         * stress/jsc-test-functions-should-be-more-robust.js:
1750         * stress/object-toString-with-proxy.js:
1751         * stress/poly-proto-custom-value-and-accessor.js:
1752         * stress/proxy-inline-cache.js:
1753         * stress/re-execute-error-module.js:
1754         * stress/regress-150532.js:
1755         * stress/regress-156992.js:
1756         * stress/regress-179619.js:
1757         * stress/resources/shadow-chicken-support.js:
1758         * stress/runtime-array.js:
1759         * stress/sampling-profiler-microtasks.js:
1760         * stress/shadow-chicken-enabled.js:
1761         * stress/spread-correct-global-object-on-exception.js:
1762         * stress/super-get-by-id.js:
1763         * stress/tailCallForwardArguments.js:
1764         * stress/to-object-intrinsic-boolean-edge.js:
1765         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1766         * stress/to-object-intrinsic-number-edge.js:
1767         * stress/to-object-intrinsic-object-edge.js:
1768         * stress/to-object-intrinsic-string-edge.js:
1769         * stress/to-object-intrinsic-symbol-edge.js:
1770         * stress/to-object-intrinsic.js:
1771         * stress/try-catch-custom-getter-as-get-by-id.js:
1772         * stress/try-get-by-id-poly-proto.js:
1773         * stress/try-get-by-id-should-spill-registers-dfg.js:
1774         * stress/try-get-by-id.js:
1775         * typeProfiler/arrow-functions.js:
1776         * typeProfiler/basic.js:
1777         * typeProfiler/captured.js:
1778         * typeProfiler/classes.js:
1779         * typeProfiler/dfg-jit-optimizations.js:
1780         * typeProfiler/dictionary-mode.js:
1781         * typeProfiler/es6-block-scoping.js:
1782         * typeProfiler/es6-classes.js:
1783         * typeProfiler/inheritance.js:
1784         * typeProfiler/int52-dfg.js:
1785         * typeProfiler/loop.js:
1786         * typeProfiler/optional-fields.js:
1787         * typeProfiler/overflow.js:
1788         * typeProfiler/return.js:
1789         * typeProfiler/symbol.js:
1790         * typeProfiler/weird-prototype-chain.js:
1791
1792 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1793
1794         [DFG][FTL] Support MapSet / SetAdd intrinsics
1795         https://bugs.webkit.org/show_bug.cgi?id=179858
1796
1797         Reviewed by Saam Barati.
1798
1799         * microbenchmarks/map-has-and-set.js: Added.
1800         (test):
1801         * stress/map-set-check-failure.js: Added.
1802         (shouldBe):
1803         (shouldThrow):
1804         (target):
1805         * stress/map-set-cse.js: Added.
1806         (shouldBe):
1807         (test):
1808         * stress/set-add-check-failure.js: Added.
1809         (shouldBe):
1810         (shouldThrow):
1811         (set shouldThrow):
1812         * stress/set-add-cse.js: Added.
1813         (shouldBe):
1814
1815 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1816
1817         [JSC] Allow poly proto for intrinsic getters
1818         https://bugs.webkit.org/show_bug.cgi?id=179550
1819
1820         Reviewed by Saam Barati.
1821
1822         This change is also tested by existing tests.
1823
1824             1. stress/intrinsic-getter-with-poly-proto.js
1825             2. stress/poly-proto-intrinsic-getter-correctness.js
1826
1827         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1828         (shouldBe):
1829         (makePolyProtoObject.foo.C):
1830         (makePolyProtoObject.foo):
1831         (makePolyProtoObject):
1832         (target):
1833         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1834         (shouldBe):
1835         (makePolyProtoObject.foo.C):
1836         (makePolyProtoObject.foo):
1837         (makePolyProtoObject):
1838         (target):
1839
1840 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1841
1842         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1843         https://bugs.webkit.org/show_bug.cgi?id=179744
1844
1845         Reviewed by Michael Catanzaro.
1846
1847         This test uses too much memory for our buildbots on these platforms
1848         and gets OOM-killed.
1849
1850         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1851         Skip if $memoryLimited and linux.
1852
1853 2017-11-17  JF Bastien  <jfbastien@apple.com>
1854
1855         WebAssembly JS API: throw when a promise can't be created
1856         https://bugs.webkit.org/show_bug.cgi?id=179826
1857         <rdar://problem/35455813>
1858
1859         Reviewed by Mark Lam.
1860
1861         Test WebAssembly.{compile,instantiate} where promise creation
1862         fails because of a stack overflow.
1863
1864         * wasm/js-api/promise-stack-overflow.js: Added.
1865         (const.runNearStackLimit.f.const.t):
1866         (async.testCompile):
1867         (async.testInstantiate):
1868
1869 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1870
1871         Unreviewed, mark regress-178385.js as memory exhausting
1872
1873         * stress/regress-178385.js:
1874
1875 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1876
1877         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1878
1879         Unreviewed test gardening.
1880
1881         * test262.yaml:
1882
1883 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1884
1885         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1886         https://bugs.webkit.org/show_bug.cgi?id=179763
1887         <rdar://problem/35550513>
1888
1889         Reviewed by Keith Miller.
1890
1891         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1892
1893         * stress/tdz-this-in-try-catch.js: Added.
1894         (__v_6388):
1895         (__v_6392):
1896
1897 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1898
1899         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1900         https://bugs.webkit.org/show_bug.cgi?id=179594
1901
1902         Reviewed by Saam Barati.
1903
1904         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1905         (shouldBe):
1906         (args):
1907         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1908         (shouldBe):
1909         (args):
1910
1911 2017-11-14  Saam Barati  <sbarati@apple.com>
1912
1913         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1914         https://bugs.webkit.org/show_bug.cgi?id=179639
1915         <rdar://problem/35513018>
1916
1917         Reviewed by JF Bastien.
1918
1919         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1920         (escape):
1921         (i.func):
1922
1923 2017-11-13  Mark Lam  <mark.lam@apple.com>
1924
1925         Add more overflow check book-keeping for MarkedArgumentBuffer.
1926         https://bugs.webkit.org/show_bug.cgi?id=179634
1927         <rdar://problem/35492517>
1928
1929         Reviewed by Saam Barati.
1930
1931         * stress/regress-179634.js: Added.
1932
1933 2017-11-13  Mark Lam  <mark.lam@apple.com>
1934
1935         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1936         https://bugs.webkit.org/show_bug.cgi?id=179619
1937         <rdar://problem/35492518>
1938
1939         Reviewed by Saam Barati.
1940
1941         * stress/regress-179619.js: Added.
1942
1943 2017-11-12  Mark Lam  <mark.lam@apple.com>
1944
1945         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1946         https://bugs.webkit.org/show_bug.cgi?id=179562
1947         <rdar://problem/35467022>
1948
1949         Reviewed by Saam Barati.
1950
1951         * regress-179562.js: Added.
1952
1953 2017-11-08  Saam Barati  <sbarati@apple.com>
1954
1955         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1956         https://bugs.webkit.org/show_bug.cgi?id=177792
1957
1958         Reviewed by Yusuke Suzuki.
1959
1960         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1961         (assert):
1962         (foo.Foo.prototype.ensureX):
1963         (foo.Foo):
1964         (foo):
1965         (access):
1966
1967 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1968
1969         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1970         https://bugs.webkit.org/show_bug.cgi?id=178592
1971
1972         Unreviewed test gardening.
1973
1974         * test262.yaml:
1975
1976 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1977
1978         Turn recursive tail calls into loops
1979         https://bugs.webkit.org/show_bug.cgi?id=176601
1980
1981         Reviewed by Saam Barati.
1982
1983         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1984
1985         Add some simple test that computes factorial in several ways, and other trivial computations.
1986         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1987         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1988         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1989         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1990
1991         * stress/inline-call-to-recursive-tail-call.js: Added.
1992         (factorial.aux):
1993         (factorial):
1994         (factorial2.aux2):
1995         (factorial2.id):
1996         (factorial2):
1997         (factorial3.aux3):
1998         (factorial3):
1999         (aux4):
2000         (factorial4):
2001         (foo):
2002         (auxBar):
2003         (bar):
2004         (test):
2005
2006 2017-11-07  Mark Lam  <mark.lam@apple.com>
2007
2008         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2009         https://bugs.webkit.org/show_bug.cgi?id=179355
2010         <rdar://problem/35263053>
2011
2012         Reviewed by Saam Barati.
2013
2014         * stress/regress-179355.js: Added.
2015
2016 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2017
2018         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2019         https://bugs.webkit.org/show_bug.cgi?id=144458
2020
2021         Reviewed by Saam Barati.
2022
2023         * microbenchmarks/dfg-internal-function-call.js: Added.
2024         (target):
2025         * microbenchmarks/dfg-internal-function-construct.js: Added.
2026         (target):
2027         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2028         (target):
2029         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2030         (target):
2031         * stress/dfg-internal-function-call.js: Added.
2032         (shouldBe):
2033         (target):
2034         * stress/dfg-internal-function-construct.js: Added.
2035         (shouldBe):
2036         (target):
2037         * stress/internal-function-call.js: Added.
2038         (shouldBe):
2039         * stress/internal-function-construct.js: Added.
2040         (shouldBe):
2041
2042 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2043
2044         [Win] Skip stress/regress-178385.js.
2045         https://bugs.webkit.org/show_bug.cgi?id=179298
2046
2047         Unreviewed test gardening.
2048
2049         * stress/regress-178385.js:
2050
2051 2017-11-03  Keith Miller  <keith_miller@apple.com>
2052
2053         Add test for ic with side effects
2054         https://bugs.webkit.org/show_bug.cgi?id=179268
2055
2056         Reviewed by Saam Barati.
2057
2058         * stress/put-inline-cache-side-effects.js: Added.
2059         (let.i.of.objs.keys):
2060         (f):
2061
2062 2017-11-03  Mark Lam  <mark.lam@apple.com>
2063
2064         CachedCall (and its clients) needs overflow checks.
2065         https://bugs.webkit.org/show_bug.cgi?id=179185
2066
2067         Reviewed by JF Bastien.
2068
2069         * stress/regress-179185.js: Added.
2070
2071 2017-11-02  Michael Saboff  <msaboff@apple.com>
2072
2073         DFG needs to handle code motion of code in for..in loop bodies
2074         https://bugs.webkit.org/show_bug.cgi?id=179212
2075
2076         Reviewed by Keith Miller.
2077
2078         New regression test.
2079
2080         * stress/for-in-side-effects.js: Added.
2081         (getPrototypeOf):
2082         (reset):
2083         (testWithoutFTL.f):
2084         (testWithoutFTL):
2085         (testWithFTL.f):
2086         (testWithFTL):
2087
2088 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2089
2090         AI does not correctly model the clobber case of ArithClz32
2091         https://bugs.webkit.org/show_bug.cgi?id=179188
2092
2093         Reviewed by Michael Saboff.
2094
2095         * stress/arith-clz32-effects.js: Added.
2096         (foo):
2097         (valueOf):
2098
2099 2017-11-01  Michael Saboff  <msaboff@apple.com>
2100
2101         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2102         https://bugs.webkit.org/show_bug.cgi?id=179140
2103
2104         Reviewed by Saam Barati.
2105
2106         New regression test.
2107
2108         * stress/regress-179140.js: Added.
2109         (testWithoutFTL):
2110         (testWithFTL):
2111
2112 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2113
2114         [JSC] Introduce @toObject
2115         https://bugs.webkit.org/show_bug.cgi?id=178726
2116
2117         Reviewed by Saam Barati.
2118
2119         * stress/array-copywithin.js:
2120         (shouldThrow):
2121         * stress/object-constructor-boolean-edge.js: Added.
2122         (shouldBe):
2123         (test):
2124         * stress/object-constructor-global.js: Added.
2125         (shouldBe):
2126         * stress/object-constructor-null-edge.js: Added.
2127         (shouldBe):
2128         (test):
2129         * stress/object-constructor-number-edge.js: Added.
2130         (shouldBe):
2131         (test):
2132         * stress/object-constructor-object-edge.js: Added.
2133         (shouldBe):
2134         (test):
2135         (i.arg):
2136         * stress/object-constructor-string-edge.js: Added.
2137         (shouldBe):
2138         (test):
2139         * stress/object-constructor-symbol-edge.js: Added.
2140         (shouldBe):
2141         (test):
2142         * stress/object-constructor-undefined-edge.js: Added.
2143         (shouldBe):
2144         (test):
2145         * stress/symbol-array-from.js: Added.
2146         (shouldBe):
2147         * stress/to-object-intrinsic-boolean-edge.js: Added.
2148         (shouldBe):
2149         (builtin.createBuiltin):
2150         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2151         (shouldThrow):
2152         * stress/to-object-intrinsic-number-edge.js: Added.
2153         (shouldBe):
2154         (builtin.createBuiltin):
2155         * stress/to-object-intrinsic-object-edge.js: Added.
2156         (shouldBe):
2157         (builtin.createBuiltin):
2158         (i.arg):
2159         * stress/to-object-intrinsic-string-edge.js: Added.
2160         (shouldBe):
2161         (builtin.createBuiltin):
2162         * stress/to-object-intrinsic-symbol-edge.js: Added.
2163         (shouldBe):
2164         (builtin.createBuiltin):
2165         * stress/to-object-intrinsic.js: Added.
2166         (shouldBe):
2167         (shouldThrow):
2168         (builtin.createBuiltin):
2169
2170 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2171
2172         [DFG][FTL] Introduce StringSlice
2173         https://bugs.webkit.org/show_bug.cgi?id=178934
2174
2175         Reviewed by Saam Barati.
2176
2177         * microbenchmarks/string-slice-empty.js: Added.
2178         (slice):
2179         * microbenchmarks/string-slice-one-char.js: Added.
2180         (slice):
2181         * microbenchmarks/string-slice.js: Added.
2182         (slice):
2183
2184 2017-10-26  Michael Saboff  <msaboff@apple.com>
2185
2186         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2187         https://bugs.webkit.org/show_bug.cgi?id=178890
2188
2189         Reviewed by Keith Miller.
2190
2191         New regression test.
2192
2193         * stress/regress-178890.js: Added.
2194
2195 2017-10-26  Mark Lam  <mark.lam@apple.com>
2196
2197         JSRopeString::RopeBuilder::append() should check for overflows.
2198         https://bugs.webkit.org/show_bug.cgi?id=178385
2199         <rdar://problem/35027468>
2200
2201         Reviewed by Saam Barati.
2202
2203         * stress/regress-178385.js: Added.
2204
2205 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2206
2207         Unreviewed, rolling out r223961.
2208
2209         The change that required this has been rolled out.
2210
2211         Reverted changeset:
2212
2213         "Mark test262.yaml/test262/test/language/statements/try/tco-
2214         catch.js as passing."
2215         https://bugs.webkit.org/show_bug.cgi?id=178592
2216         https://trac.webkit.org/changeset/223961
2217
2218 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2219
2220         Unreviewed, rolling out r223691 and r223729.
2221         https://bugs.webkit.org/show_bug.cgi?id=178834
2222
2223         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2224         by rniwa on #webkit).
2225
2226         Reverted changesets:
2227
2228         "Turn recursive tail calls into loops"
2229         https://bugs.webkit.org/show_bug.cgi?id=176601
2230         https://trac.webkit.org/changeset/223691
2231
2232         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2233         comparison is always false due to limited range of data type
2234         [-Wtype-limits]"
2235         https://bugs.webkit.org/show_bug.cgi?id=178543
2236         https://trac.webkit.org/changeset/223729
2237
2238 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2239
2240         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2241         https://bugs.webkit.org/show_bug.cgi?id=178592
2242
2243         Unreviewed test gardening.
2244
2245         * test262.yaml:
2246
2247 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2248
2249         [FTL] Support NewStringObject
2250         https://bugs.webkit.org/show_bug.cgi?id=178737
2251
2252         Reviewed by Saam Barati.
2253
2254         * stress/new-string-object.js: Added.
2255         (shouldBe):
2256         (test):
2257
2258 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2259
2260         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2261         https://bugs.webkit.org/show_bug.cgi?id=178308
2262
2263         Reviewed by Mark Lam.
2264
2265         * test262.yaml:
2266
2267 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2268
2269         [JSC] Use fastJoin in Array#toString
2270         https://bugs.webkit.org/show_bug.cgi?id=178062
2271
2272         Reviewed by Darin Adler.
2273
2274         * microbenchmarks/contiguous-array-to-string.js: Added.
2275         (target):
2276         * microbenchmarks/double-array-to-string.js: Added.
2277         (target):
2278         * microbenchmarks/int32-array-to-string.js: Added.
2279         (target):
2280
2281 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2282
2283         stress/check-string-ident.js is improperly skipped
2284         https://bugs.webkit.org/show_bug.cgi?id=178642
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2289         since it enforces the run-jsc-stress-tests script to still set up the
2290         test to run, despite the skip directive that's used before.
2291
2292 2017-10-20  Mark Lam  <mark.lam@apple.com>
2293
2294         Add a test case for r214334.
2295         https://bugs.webkit.org/show_bug.cgi?id=169941
2296         <rdar://problem/31221258>
2297
2298         Reviewed by JF Bastien.
2299
2300         * stress/regress-169941.js: Added.
2301
2302 2017-10-19  JF Bastien  <jfbastien@apple.com>
2303
2304         WebAssembly: no VM / JS version of everything but Instance
2305         https://bugs.webkit.org/show_bug.cgi?id=177473
2306
2307         Reviewed by Filip Pizlo, Saam Barati.
2308
2309         - Exceeding max on memory growth now returns a range error as per
2310         spec. This is a (very minor) breaking change: it used to throw OOM
2311         error. Update the corresponding test.
2312
2313         * wasm/js-api/memory-grow.js:
2314         (assertEq):
2315         * wasm/js-api/table.js:
2316         (assert.throws):
2317
2318 2017-10-19  Mark Lam  <mark.lam@apple.com>
2319
2320         Stringifier::appendStringifiedValue() is missing an exception check.
2321         https://bugs.webkit.org/show_bug.cgi?id=178386
2322         <rdar://problem/35027610>
2323
2324         Reviewed by Saam Barati.
2325
2326         * stress/regress-178386.js: Added.
2327
2328 2017-10-19  Michael Saboff  <msaboff@apple.com>
2329
2330         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2331         https://bugs.webkit.org/show_bug.cgi?id=178521
2332
2333         Reviewed by JF Bastien.
2334
2335         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2336         now passes with the current version (5.0) of the Emoji spec.
2337
2338 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2339
2340         Turn recursive tail calls into loops
2341         https://bugs.webkit.org/show_bug.cgi?id=176601
2342
2343         Reviewed by Saam Barati.
2344
2345         Add some simple test that computes factorial in several ways, and other trivial computations.
2346         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2347         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2348         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2349         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2350
2351         * stress/inline-call-to-recursive-tail-call.js: Added.
2352         (factorial.aux):
2353         (factorial):
2354         (factorial2.aux):
2355         (factorial2.id):
2356         (factorial2):
2357         (factorial3.aux):
2358         (factorial3):
2359         (aux):
2360         (factorial4):
2361         (test):
2362
2363 2017-10-18  Mark Lam  <mark.lam@apple.com>
2364
2365         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2366         https://bugs.webkit.org/show_bug.cgi?id=177600
2367         <rdar://problem/34710985>
2368
2369         Reviewed by Saam Barati.
2370
2371         * stress/regress-177600.js: Added.
2372
2373 2017-10-18  Mark Lam  <mark.lam@apple.com>
2374
2375         The compiler should always register a structure when it adds its transitionWatchPointSet.
2376         https://bugs.webkit.org/show_bug.cgi?id=178420
2377         <rdar://problem/34814024>
2378
2379         Reviewed by Saam Barati and Filip Pizlo.
2380
2381         * stress/regress-178420.js: Added.
2382         (new.Array.10000.map):
2383
2384 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2385
2386         [JSC] __proto__ getter should be fast
2387         https://bugs.webkit.org/show_bug.cgi?id=178067
2388
2389         Reviewed by Saam Barati.
2390
2391         * stress/dfg-object-proto-accessor.js: Added.
2392         (shouldBe):
2393         (shouldThrow):
2394         (target):
2395         * stress/dfg-object-proto-getter.js: Added.
2396         (shouldBe):
2397         (shouldThrow):
2398         (target):
2399         * stress/dfg-object-prototype-of.js: Added.
2400         (shouldBe):
2401         (shouldThrow):
2402         (target):
2403         * stress/dfg-reflect-get-prototype-of.js: Added.
2404         (shouldBe):
2405         (shouldThrow):
2406         (target):
2407         * stress/intrinsic-getter-with-poly-proto.js: Added.
2408         (shouldBe):
2409         (makePolyProtoObject.foo.C):
2410         (makePolyProtoObject.foo):
2411         (makePolyProtoObject):
2412         (target):
2413         * stress/object-get-prototype-of-filtered.js: Added.
2414         (shouldBe):
2415         (shouldThrow):
2416         (target):
2417         (i.Cocoa):
2418         * stress/object-get-prototype-of-mono-proto.js: Added.
2419         (shouldBe):
2420         (makePolyProtoObject.foo.C):
2421         (makePolyProtoObject.foo):
2422         (makePolyProtoObject):
2423         (target):
2424         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2425         (shouldBe):
2426         (makePolyProtoObject.foo.C):
2427         (makePolyProtoObject.foo):
2428         (makePolyProtoObject):
2429         (target):
2430         * stress/object-get-prototype-of-poly-proto.js: Added.
2431         (shouldBe):
2432         (makePolyProtoObject.foo.C):
2433         (makePolyProtoObject.foo):
2434         (makePolyProtoObject):
2435         (target):
2436         * stress/object-proto-getter-filtered.js: Added.
2437         (shouldBe):
2438         (shouldThrow):
2439         (target):
2440         (i.Cocoa):
2441         * stress/object-proto-getter-poly-mono-proto.js: Added.
2442         (shouldBe):
2443         (makePolyProtoObject.foo.C):
2444         (makePolyProtoObject.foo):
2445         (makePolyProtoObject):
2446         (target):
2447         * stress/object-proto-getter-poly-proto.js: Added.
2448         (shouldBe):
2449         (makePolyProtoObject.foo.C):
2450         (makePolyProtoObject.foo):
2451         (makePolyProtoObject):
2452         (target):
2453         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2454         * stress/string-proto.js: Added.
2455         (shouldBe):
2456         (target):
2457
2458 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2459
2460         Unreviewed, rolling out r223523.
2461
2462         A test for this change is failing on debug JSC bots.
2463
2464         Reverted changeset:
2465
2466         "[JSC] __proto__ getter should be fast"
2467         https://bugs.webkit.org/show_bug.cgi?id=178067
2468         https://trac.webkit.org/changeset/223523
2469
2470 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2471
2472         [JSC] __proto__ getter should be fast
2473         https://bugs.webkit.org/show_bug.cgi?id=178067
2474
2475         Reviewed by Saam Barati.
2476
2477         * stress/dfg-object-proto-accessor.js: Added.
2478         (shouldBe):
2479         (shouldThrow):
2480         (target):
2481         * stress/dfg-object-proto-getter.js: Added.
2482         (shouldBe):
2483         (shouldThrow):
2484         (target):
2485         * stress/dfg-object-prototype-of.js: Added.
2486         (shouldBe):
2487         (shouldThrow):
2488         (target):
2489         * stress/dfg-reflect-get-prototype-of.js: Added.
2490         (shouldBe):
2491         (shouldThrow):
2492         (target):
2493         * stress/object-get-prototype-of-filtered.js: Added.
2494         (shouldBe):
2495         (shouldThrow):
2496         (target):
2497         (i.Cocoa):
2498         * stress/object-get-prototype-of-mono-proto.js: Added.
2499         (shouldBe):
2500         (makePolyProtoObject.foo.C):
2501         (makePolyProtoObject.foo):
2502         (makePolyProtoObject):
2503         (target):
2504         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2505         (shouldBe):
2506         (makePolyProtoObject.foo.C):
2507         (makePolyProtoObject.foo):
2508         (makePolyProtoObject):
2509         (target):
2510         * stress/object-get-prototype-of-poly-proto.js: Added.
2511         (shouldBe):
2512         (makePolyProtoObject.foo.C):
2513         (makePolyProtoObject.foo):
2514         (makePolyProtoObject):
2515         (target):
2516         * stress/object-proto-getter-filtered.js: Added.
2517         (shouldBe):
2518         (shouldThrow):
2519         (target):
2520         (i.Cocoa):
2521         * stress/object-proto-getter-poly-mono-proto.js: Added.
2522         (shouldBe):
2523         (makePolyProtoObject.foo.C):
2524         (makePolyProtoObject.foo):
2525         (makePolyProtoObject):
2526         (target):
2527         * stress/object-proto-getter-poly-proto.js: Added.
2528         (shouldBe):
2529         (makePolyProtoObject.foo.C):
2530         (makePolyProtoObject.foo):
2531         (makePolyProtoObject):
2532         (target):
2533         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2534         * stress/string-proto.js: Added.
2535         (shouldBe):
2536         (target):
2537
2538 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2539
2540         Reland "Add Above/Below comparisons for UInt32 patterns"
2541         https://bugs.webkit.org/show_bug.cgi?id=177281
2542
2543         Reviewed by Saam Barati.
2544
2545         * stress/uint32-comparison-jump.js: Added.
2546         (shouldBe):
2547         (above):
2548         (aboveOrEqual):
2549         (below):
2550         (belowOrEqual):
2551         (notAbove):
2552         (notAboveOrEqual):
2553         (notBelow):
2554         (notBelowOrEqual):
2555         * stress/uint32-comparison.js: Added.
2556         (shouldBe):
2557         (above):
2558         (aboveOrEqual):
2559         (below):
2560         (belowOrEqual):
2561         (aboveTest):
2562         (aboveOrEqualTest):
2563         (belowTest):
2564         (belowOrEqualTest):
2565
2566 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2567
2568         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2569         https://bugs.webkit.org/show_bug.cgi?id=178210
2570
2571         Reviewed by Saam Barati.
2572
2573         * wasm/function-tests/trap-from-start-async.js:
2574         (async.StartTrapsAsync):
2575         * wasm/function-tests/trap-from-start.js:
2576         (StartTraps):
2577         * wasm/js-api/web-assembly-function.js:
2578         (assert.eq.Object.getPrototypeOf):
2579         * wasm/js-api/wrapper-function.js:
2580         (return.new.WebAssembly.Module):
2581         (assert.throws.makeInstance): Deleted.
2582         (assert.throws.Bar): Deleted.
2583         (assert.throws): Deleted.
2584
2585 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2586
2587         Enable gigacage on iOS
2588         https://bugs.webkit.org/show_bug.cgi?id=177586
2589
2590         Reviewed by JF Bastien.
2591         
2592         Add tests for when Gigacage gets runtime disabled.
2593
2594         * stress/disable-gigacage-arrays.js: Added.
2595         (foo):
2596         * stress/disable-gigacage-strings.js: Added.
2597         (foo):
2598         * stress/disable-gigacage-typed-arrays.js: Added.
2599         (foo):
2600
2601 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2602
2603         import.meta should not be assignable
2604         https://bugs.webkit.org/show_bug.cgi?id=178202
2605
2606         Reviewed by Saam Barati.
2607
2608         * modules/import-meta-assignment.js: Added.
2609         (shouldThrow):
2610         (SyntaxError.import.meta.can.shouldThrow):
2611
2612 2017-10-11  Saam Barati  <sbarati@apple.com>
2613
2614         Unreviewed. Actually skip certain type profiler tests in debug.
2615
2616         * typeProfiler.yaml:
2617         * typeProfiler/deltablue-for-of.js:
2618         * typeProfiler/getter-richards.js:
2619
2620 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2621
2622         Unreviewed, rolling out r223113 and r223121.
2623         https://bugs.webkit.org/show_bug.cgi?id=178182
2624
2625         Reintroduced 20% regression on Kraken (Requested by rniwa on
2626         #webkit).
2627
2628         Reverted changesets:
2629
2630         "Enable gigacage on iOS"
2631         https://bugs.webkit.org/show_bug.cgi?id=177586
2632         https://trac.webkit.org/changeset/223113
2633
2634         "Use one virtual allocation for all gigacages and their
2635         runways"
2636         https://bugs.webkit.org/show_bug.cgi?id=178050
2637         https://trac.webkit.org/changeset/223121
2638
2639 2017-10-11  Michael Saboff  <msaboff@apple.com>
2640
2641         Disable test262 named capture group tests with direct unicode names and with references before definitions
2642         https://bugs.webkit.org/show_bug.cgi?id=178177
2643
2644         Reviewed by Keith Miller.
2645
2646         Bugs to track fixing these test are:
2647         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2648             "Add support in named capture group identifiers for direct surrogate pairs"
2649         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2650             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2651
2652         * test262.yaml:
2653
2654 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2655
2656         Object properties are undefined in super.call() but not in this.call()
2657         https://bugs.webkit.org/show_bug.cgi?id=177230
2658
2659         Reviewed by Saam Barati.
2660
2661         * stress/super-call-function-subclass.js: Added.
2662         (assert):
2663         (A.prototype.t):
2664         (A):
2665         * stress/super-dot-call-and-apply.js: Added.
2666         (assert):
2667         (A):
2668         (A.prototype.call):
2669         (A.prototype.apply):
2670         (B.prototype.testSuper):
2671         (B):
2672         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2673         (D.prototype.testSuper):
2674         (D):
2675
2676 2017-10-10  Saam Barati  <sbarati@apple.com>
2677
2678         The prototype cache should be aware of the Executable it generates a Structure for
2679         https://bugs.webkit.org/show_bug.cgi?id=177907
2680
2681         Reviewed by Filip Pizlo.
2682
2683         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2684         (assert):
2685         (foo.C):
2686         (foo):
2687         (bar.C):
2688         (bar):
2689         (access):
2690         (makeLongChain):
2691         (accessY):
2692
2693 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2694
2695         `async` should be able to be used as an imported binding name
2696         https://bugs.webkit.org/show_bug.cgi?id=176573
2697
2698         Reviewed by Saam Barati.
2699
2700         * modules/import-default-async.js: Added.
2701         * modules/import-named-async-as.js: Added.
2702         * modules/import-named-async.js: Added.
2703         * modules/import-named-async/target.js: Added.
2704         * modules/import-namespace-async.js: Added.
2705         * test262.yaml:
2706
2707 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2708
2709         Enable gigacage on iOS
2710         https://bugs.webkit.org/show_bug.cgi?id=177586
2711
2712         Reviewed by JF Bastien.
2713         
2714         Add tests for when Gigacage gets runtime disabled.
2715
2716         * stress/disable-gigacage-arrays.js: Added.
2717         (foo):
2718         * stress/disable-gigacage-strings.js: Added.
2719         (foo):
2720         * stress/disable-gigacage-typed-arrays.js: Added.
2721         (foo):
2722
2723 2017-10-09  Michael Saboff  <msaboff@apple.com>
2724
2725         Implement RegExp Unicode property escapes
2726         https://bugs.webkit.org/show_bug.cgi?id=172069
2727
2728         Reviewed by JF Bastien.
2729
2730         Enabled Unicode Property tests.
2731
2732         * test262.yaml:
2733
2734 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2735
2736         Unreviewed, rolling out r223015 and r223025.
2737         https://bugs.webkit.org/show_bug.cgi?id=178093
2738
2739         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2740         #webkit).
2741
2742         Reverted changesets:
2743
2744         "Enable gigacage on iOS"
2745         https://bugs.webkit.org/show_bug.cgi?id=177586
2746         http://trac.webkit.org/changeset/223015
2747
2748         "Unreviewed, disable Gigacage on ARM64 Linux"
2749         https://bugs.webkit.org/show_bug.cgi?id=177586
2750         http://trac.webkit.org/changeset/223025
2751
2752 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2753
2754         Update expectations for test262 tests that pass after r223043.
2755         https://bugs.webkit.org/show_bug.cgi?id=176685
2756
2757         Unreviewed test gardening.
2758
2759         * test262.yaml:
2760
2761 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2762
2763         Unreviewed, rolling out r223022.
2764
2765         This change introduced 18 test262 failures.
2766
2767         Reverted changeset:
2768
2769         "`async` should be able to be used as an imported binding
2770         name"
2771         https://bugs.webkit.org/show_bug.cgi?id=176573
2772         http://trac.webkit.org/changeset/223022
2773
2774 2017-10-09  Saam Barati  <sbarati@apple.com>
2775
2776         3 poly-proto JSC tests timing out on debug after r222827
2777         https://bugs.webkit.org/show_bug.cgi?id=177880
2778         <rdar://problem/34817122>
2779
2780         Unreviewed.
2781
2782         I'm skipping these type profiler tests on debug since they are long running.
2783
2784         * typeProfiler/deltablue-for-of.js:
2785         * typeProfiler/getter-richards.js:
2786
2787 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2788
2789         Safari 10 /11 problem with if (!await get(something)).
2790         https://bugs.webkit.org/show_bug.cgi?id=176685
2791
2792         Reviewed by Saam Barati.
2793
2794         * stress/async-await-basic.js:
2795         (awaitEpression.async):
2796         * stress/async-await-syntax.js:
2797         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2798         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2799
2800 2017-10-08  Saam Barati  <sbarati@apple.com>
2801
2802         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2803
2804         * typeProfiler/deltablue-for-of.js:
2805         * typeProfiler/getter-richards.js:
2806
2807 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2808
2809         `async` should be able to be used as an imported binding name
2810         https://bugs.webkit.org/show_bug.cgi?id=176573
2811
2812         Reviewed by Darin Adler.
2813
2814         * modules/import-default-async.js: Added.
2815         * modules/import-named-async-as.js: Added.
2816         * modules/import-named-async.js: Added.
2817         * modules/import-named-async/target.js: Added.
2818         * modules/import-namespace-async.js: Added.
2819
2820 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2821
2822         Enable gigacage on iOS
2823         https://bugs.webkit.org/show_bug.cgi?id=177586
2824
2825         Reviewed by JF Bastien.
2826         
2827         Add tests for when Gigacage gets runtime disabled.
2828
2829         * stress/disable-gigacage-arrays.js: Added.
2830         (foo):
2831         * stress/disable-gigacage-strings.js: Added.
2832         (foo):
2833         * stress/disable-gigacage-typed-arrays.js: Added.
2834         (foo):
2835
2836 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2837
2838         Unreviewed, rolling out r222791 and r222873.
2839         https://bugs.webkit.org/show_bug.cgi?id=178031
2840
2841         Caused crashes with workers/wasm LayoutTests (Requested by
2842         ryanhaddad on #webkit).
2843
2844         Reverted changesets:
2845
2846         "WebAssembly: no VM / JS version of everything but Instance"
2847         https://bugs.webkit.org/show_bug.cgi?id=177473
2848         http://trac.webkit.org/changeset/222791
2849
2850         "WebAssembly: address no VM / JS follow-ups"
2851         https://bugs.webkit.org/show_bug.cgi?id=177887
2852         http://trac.webkit.org/changeset/222873
2853
2854 2017-10-05  Saam Barati  <sbarati@apple.com>
2855
2856         Make sure all prototypes under poly proto get added into the VM's prototype map
2857         https://bugs.webkit.org/show_bug.cgi?id=177909
2858
2859         Reviewed by Keith Miller.
2860
2861         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2862         (assert):
2863         (foo.C):
2864         (foo):
2865         (set x):
2866
2867 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2868
2869         [JSC] Introduce import.meta
2870         https://bugs.webkit.org/show_bug.cgi?id=177703
2871
2872         Reviewed by Filip Pizlo.
2873
2874         * modules/import-meta-syntax.js: Added.
2875         (shouldThrow):
2876         (shouldNotThrow):
2877         * modules/import-meta.js: Added.
2878         * modules/import-meta/cocoa.js: Added.
2879         * modules/resources/assert.js:
2880         (export.shouldNotThrow):
2881         * stress/import-syntax.js:
2882
2883 2017-10-04  Saam Barati  <sbarati@apple.com>
2884
2885         Make pertinent AccessCases watch the poly proto watchpoint
2886         https://bugs.webkit.org/show_bug.cgi?id=177765
2887
2888         Reviewed by Keith Miller.
2889
2890         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2891         (assert):
2892         (foo.C):
2893         (foo):
2894         (validate):
2895         * stress/poly-proto-clear-stub.js: Added.
2896         (assert):
2897         (foo.C):
2898         (foo):
2899
2900 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2901
2902         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2903
2904         Unreviewed test gardening.
2905
2906         * test262.yaml:
2907
2908 2017-10-04  Saam Barati  <sbarati@apple.com>
2909
2910         3 poly-proto JSC tests timing out on debug after r222827
2911         https://bugs.webkit.org/show_bug.cgi?id=177880
2912
2913         Rubber stamped by Mark Lam.
2914
2915         * microbenchmarks/poly-proto-access.js:
2916         * typeProfiler/deltablue-for-of.js:
2917         * typeProfiler/getter-richards.js:
2918
2919 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2920
2921         Unreviewed, marking tco-catch.js as a failure after test262 update
2922         https://bugs.webkit.org/show_bug.cgi?id=177859
2923
2924         * test262.yaml:
2925
2926 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2927
2928         Unreviewed, marking one async iterator test262 test failed
2929         https://bugs.webkit.org/show_bug.cgi?id=177859
2930
2931         * test262.yaml:
2932
2933 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2934
2935         [Test262] Update Test262 to Oct 4 version
2936         https://bugs.webkit.org/show_bug.cgi?id=177859
2937
2938         Reviewed by Sam Weinig.
2939
2940         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2941         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
2942
2943         * test262.yaml:
2944         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2945         (checkSequence):
2946         * test262/harness/typeCoercion.js:
2947         (testCoercibleToIndexZero):
2948         (testCoercibleToIndexOne):
2949         (testCoercibleToIndexFromIndex):
2950         (testNotCoercibleToIndex.testPrimitiveValue):
2951         (testNotCoercibleToInteger):
2952         (testCoercibleToBigIntZero.testPrimitiveValue):
2953         (testCoercibleToBigIntZero):
2954         (testCoercibleToBigIntOne.testPrimitiveValue):
2955         (testCoercibleToBigIntOne):
2956         (testPrimitiveValue):
2957         (testCoercibleToBigIntFromBigInt):
2958         (testNotCoercibleToBigInt.testPrimitiveValue):
2959         (testNotCoercibleToBigInt.testStringValue):
2960         (testNotCoercibleToBigInt):
2961         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2962         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2963         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2964         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2965         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2966         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2967         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2968         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2969         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2970         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2971         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2972         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2973         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2974         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2975         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2976         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2977         (testCoercibleToBigIntZero):
2978         (testCoercibleToBigIntOne):
2979         (testNotCoercibleToBigInt):
2980         (MyError): Deleted.
2981         (valueOf): Deleted.
2982         (toString): Deleted.
2983         (Symbol.toPrimitive): Deleted.
2984         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2985         (testCoercibleToIndexZero):
2986         (testCoercibleToIndexOne):
2987         (testNotCoercibleToIndex):
2988         (MyError): Deleted.
2989         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2990         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2991         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
2992         (BigInt.asIntN.valueOf): Deleted.
2993         (BigInt.asIntN.toString): Deleted.
2994         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
2995         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
2996         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
2997         (testCoercibleToBigIntZero):
2998         (testCoercibleToBigIntOne):
2999         (testNotCoercibleToBigInt):
3000         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3001         (testCoercibleToIndexZero):
3002         (testCoercibleToIndexOne):
3003         (testNotCoercibleToIndex):
3004         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3005         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3006         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3007         (bits.valueOf):
3008         (bigint.valueOf):
3009         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3010         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3011         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3012         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3013         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3014         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3015         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3016         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3017         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3018         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3019         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3020         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3021         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3022         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3023         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3024         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3025         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3026         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3027         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3028         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3029         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3030         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3031         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3032         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3033         (replacer):
3034         (BigInt.prototype.toJSON):
3035         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3036         (replacer):
3037         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3038         (BigInt.prototype.toJSON):
3039         * test262/test/built-ins/JSON/stringify/bigint.js:
3040         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3041         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3042         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3043         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3044         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3045         * test262/test/built-ins/Object/proto-from-ctor.js:
3046         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3047         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3048         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3049         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3050         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3051         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3052         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3053         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3054         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3055         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3056         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3057         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3058         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3059         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3060         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3061         * test262/test/built-ins/Proxy/get-fn-realm.js:
3062         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3063         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3064         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3065         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3066         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3067         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3068         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3069         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3070         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3071         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3072         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3073         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3074         (i6.replace):
3075         (i6b.replace):
3076         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3077         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3078         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3079         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3080         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3081         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3082         * test262/test/built-ins/RegExp/u180e.js: Added.
3083         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3084         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3085         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3086         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3087         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3088         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3089         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3090         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3091         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3092         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3093         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3094         * test262/test/built-ins/String/prototype/endsWith/length.js:
3095         * test262/test/built-ins/String/prototype/endsWith/name.js:
3096         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3097         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3098         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3099         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3100         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3101         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3102         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3103         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3104         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3105         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3106         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3107         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3108         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3109         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3110         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3111         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3112         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3113         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3114         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3115         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3116         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3117         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3118         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3119         * test262/test/built-ins/String/prototype/includes/includes.js:
3120         * test262/test/built-ins/String/prototype/includes/length.js:
3121         * test262/test/built-ins/String/prototype/includes/name.js:
3122         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3123         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3124         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3125         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3126         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3127         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3128         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3129         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3130         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3131         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3132         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3133         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3134         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3135         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3136         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3137         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3138         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3139         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3140         * test262/test/built-ins/String/prototype/trim/u180e.js:
3141         * test262/test/built-ins/Symbol/for/cross-realm.js:
3142         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3143         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3144         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3145         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3146         * test262/test/built-ins/Symbol/match/cross-realm.js:
3147         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3148         * test262/test/built-ins/Symbol/search/cross-realm.js:
3149         * test262/test/built-ins/Symbol/species/cross-realm.js:
3150         * test262/test/built-ins/Symbol/split/cross-realm.js:
3151         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3152         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3153         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3154         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3155         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3156         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3157         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3158         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3159         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3160         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3161         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3162         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3163         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3164         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3165         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3166         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3167         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3168         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3169         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3170         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3171         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3172         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3173         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3174         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3175         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3176         * test262/test/language/eval-code/indirect/realm.js:
3177         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3178         (o.get z):
3179         (o.get a):
3180         * test262/test/language/expressions/call/eval-realm-indirect.js:
3181         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3182         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3183         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3184         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3185         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3186         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3187         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3188         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3189         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3190         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3191         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3192         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3193         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3194         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3195         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3196         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3197         * test262/test/language/expressions/less-than/bigint-and-number.js:
3198         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3199         * test262/test/language/expressions/super/realm.js:
3200         * test262/test/language/expressions/tagged-template/cache-realm.js:
3201         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3202         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3203         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3204         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3205         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3206         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3207         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3208         (o.get z):
3209         (o.get a):
3210         * test262/test/language/statements/for-of/iterator-next-reference.js:
3211         (next):
3212         (iterator.next): Deleted.
3213         (x.of.iterable.): Deleted.
3214         (x.of.iterable.get return): Deleted.
3215         (x.of.iterable.iterator.next): Deleted.
3216         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3217         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3218         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3219         * test262/test/language/white-space/mongolian-vowel-separator.js:
3220         * test262/test262-Revision.txt:
3221
3222 2017-10-03  Saam Barati  <sbarati@apple.com>
3223
3224         Implement polymorphic prototypes
3225         https://bugs.webkit.org/show_bug.cgi?id=176391
3226
3227         Reviewed by Filip Pizlo.
3228
3229         * microbenchmarks/poly-proto-access.js: Added.
3230         (assert):
3231         (foo.C):
3232         (foo.C.prototype.get bar):
3233         (foo):
3234         (bar):
3235         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3236         (assert):
3237         (makePolyProtoObject.foo.C):
3238         (makePolyProtoObject.foo):
3239         (makePolyProtoObject):
3240         (performSet):
3241         * microbenchmarks/poly-proto-setter-speed.js: Added.
3242         (assert):
3243         (makePolyProtoObject.foo.C):
3244         (makePolyProtoObject.foo.C.prototype.set p):
3245         (makePolyProtoObject.foo):
3246         (makePolyProtoObject):
3247         (performSet):
3248         * stress/constructor-with-return.js:
3249         (i.tests.forEach.Constructor):
3250         (i.tests.forEach):
3251         (tests.forEach.Constructor): Deleted.
3252         (tests.forEach): Deleted.
3253         * stress/dom-jit-with-poly-proto.js: Added.
3254         (assert):
3255         (makePolyProtoObject.foo.C):
3256         (makePolyProtoObject.foo):
3257         (makePolyProtoObject):
3258         (validate):
3259         * stress/poly-proto-custom-value-and-accessor.js: Added.
3260         (assert):
3261         (makePolyProtoObject.foo.C):
3262         (makePolyProtoObject.foo):
3263         (makePolyProtoObject):
3264         (items.forEach):
3265         (set get for):
3266         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3267         (assert):
3268         (makePolyProtoObject.foo.C):
3269         (makePolyProtoObject.foo):
3270         (makePolyProtoObject):
3271         (foo):
3272         * stress/poly-proto-miss.js: Added.
3273         (makePolyProtoInstanceWithNullPrototype.foo.C):
3274         (makePolyProtoInstanceWithNullPrototype.foo):
3275         (makePolyProtoInstanceWithNullPrototype):
3276         (assert):
3277         (validate):
3278         * stress/poly-proto-op-in-caching.js: Added.
3279         (assert):
3280         (makePolyProtoObject.foo.C):
3281         (makePolyProtoObject.foo):
3282         (makePolyProtoObject):
3283         (validate):
3284         (validate2):
3285         * stress/poly-proto-put-transition.js: Added.
3286         (assert):
3287         (makePolyProtoObject.foo.C):
3288         (makePolyProtoObject.foo):
3289         (makePolyProtoObject):
3290         (performSet):
3291         (i.obj.__proto__.set p):
3292         * stress/poly-proto-set-prototype.js: Added.
3293         (assert):
3294         (let.alternateProto.get x):
3295         (let.alternateProto2.get y):
3296         (let.alternateProto2.get x):
3297         (foo.C):
3298         (foo):
3299         (validate):
3300         * stress/poly-proto-setter.js: Added.
3301         (assert):
3302         (makePolyProtoObject.foo.C):
3303         (makePolyProtoObject.foo.C.prototype.set p):
3304         (makePolyProtoObject.foo.C.prototype.get p):
3305         (makePolyProtoObject.foo):
3306         (makePolyProtoObject):
3307         (performSet):
3308         * stress/poly-proto-using-inheritance.js: Added.
3309         (assert):
3310         (foo.C):
3311         (foo.C.prototype.get baz):
3312         (foo):
3313         (bar.C):
3314         (bar):
3315         (validate):
3316         * stress/primitive-poly-proto.js: Added.
3317         (makePolyProtoInstance.foo.C):
3318         (makePolyProtoInstance.foo):
3319         (makePolyProtoInstance):
3320         (assert):
3321         (validate):
3322         * stress/prototype-is-not-js-object.js: Added.
3323         (foo.bar):
3324         (foo):
3325         (assert):
3326         (validate):
3327         * stress/try-get-by-id-poly-proto.js: Added.
3328         (assert):
3329         (makePolyProtoObject.foo.C):
3330         (makePolyProtoObject.foo):
3331         (makePolyProtoObject):
3332         (tryGetByIdText):
3333         (x.__proto__.get bar):
3334         (validate):
3335         * typeProfiler/overflow.js:
3336
3337 2017-10-03  JF Bastien  <jfbastien@apple.com>
3338
3339         WebAssembly: no VM / JS version of everything but Instance
3340         https://bugs.webkit.org/show_bug.cgi?id=177473
3341
3342         Reviewed by Filip Pizlo.
3343
3344         - Exceeding max on memory growth now returns a range error as per
3345         spec. This is a (very minor) breaking change: it used to throw OOM
3346         error. Update the corresponding test.
3347
3348         * wasm/js-api/memory-grow.js:
3349         (assertEq):
3350         * wasm/js-api/table.js:
3351         (assert.throws):
3352
3353 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3354
3355         Skip JSC test stress/regress-159779-2.js on debug.
3356         https://bugs.webkit.org/show_bug.cgi?id=177204
3357
3358         Unreviewed test gardening.
3359
3360         * stress/regress-159779-2.js:
3361
3362 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3363
3364         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3365         https://bugs.webkit.org/show_bug.cgi?id=175642
3366
3367         Reviewed by Darin Adler.
3368
3369         * ChakraCore/test/Function/apply3.baseline-jsc:
3370
3371 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3372
3373         Unreviewed, rolling out r222564.
3374         https://bugs.webkit.org/show_bug.cgi?id=177720
3375
3376         "It regressed JetStream by 2% on iOS caused by a 50%
3377         regression on the bigfib subtest" (Requested by saamyjoon on
3378         #webkit).
3379
3380         Reverted changeset:
3381
3382         "Add Above/Below comparisons for UInt32 patterns"
3383         https://bugs.webkit.org/show_bug.cgi?id=177281
3384         http://trac.webkit.org/changeset/222564
3385
3386 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3387
3388         [DFG] Support ArrayPush with multiple args
3389         https://bugs.webkit.org/show_bug.cgi?id=175823
3390
3391         Reviewed by Saam Barati.
3392
3393         * microbenchmarks/array-push-0.js: Added.
3394         (arrayPush0):
3395         * microbenchmarks/array-push-1.js: Added.
3396         (arrayPush1):
3397         * microbenchmarks/array-push-2.js: Added.
3398         (arrayPush2):
3399         * microbenchmarks/array-push-3.js: Added.
3400         (arrayPush3):
3401         * stress/array-push-multiple-contiguous.js: Added.
3402         (shouldBe):
3403         (test):
3404         * stress/array-push-multiple-double-nan.js: Added.
3405         (shouldBe):
3406         (test):
3407         * stress/array-push-multiple-double.js: Added.
3408         (shouldBe):
3409         (test):
3410         * stress/array-push-multiple-int32.js: Added.
3411         (shouldBe):
3412         (test):
3413         * stress/array-push-multiple-many-contiguous.js: Added.
3414         (shouldBe):
3415         (test):
3416         * stress/array-push-multiple-many-double.js: Added.
3417         (shouldBe):
3418         (test):
3419         * stress/array-push-multiple-many-int32.js: Added.
3420         (shouldBe):
3421         (test):
3422         * stress/array-push-multiple-many-storage.js: Added.
3423         (shouldBe):
3424         (test):
3425         * stress/array-push-multiple-storage.js: Added.
3426         (shouldBe):
3427         (test):
3428         * stress/array-push-with-force-exit.js: Added.
3429         (target.createBuiltin):
3430
3431 2017-09-29  Saam Barati  <sbarati@apple.com>
3432
3433         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3434         https://bugs.webkit.org/show_bug.cgi?id=177639
3435
3436         Reviewed by Geoffrey Garen.
3437
3438         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3439         (assert):
3440         (Class):
3441         (items.forEach):
3442         (set get for):
3443
3444 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3445
3446         Unreviewed, rolling out r222563, r222565, and r222581.
3447         https://bugs.webkit.org/show_bug.cgi?id=177675
3448
3449         "It causes a crash when playing youtube videos" (Requested by
3450         saamyjoon on #webkit).
3451
3452         Reverted changesets:
3453
3454         "[DFG] Support ArrayPush with multiple args"
3455         https://bugs.webkit.org/show_bug.cgi?id=175823
3456         http://trac.webkit.org/changeset/222563
3457
3458         "Unreviewed, build fix after r222563"
3459         https://bugs.webkit.org/show_bug.cgi?id=175823
3460         http://trac.webkit.org/changeset/222565
3461
3462         "Unreviewed, fix x86 breaking due to exhausted registers"
3463         https://bugs.webkit.org/show_bug.cgi?id=175823
3464         http://trac.webkit.org/changeset/222581
3465
3466 2017-09-28  Mark Lam  <mark.lam@apple.com>
3467
3468         test262: Unexpected passes after r222617 and r222618.
3469         https://bugs.webkit.org/show_bug.cgi?id=177622
3470         <rdar://problem/34725960>
3471
3472         Reviewed by Saam Barati.
3473
3474         Update test262.yaml for tests that are now passing.
3475
3476         * test262.yaml:
3477
3478 2017-09-27  Michael Saboff  <msaboff@apple.com>
3479
3480         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3481         https://bugs.webkit.org/show_bug.cgi?id=177570
3482
3483         Reviewed by Filip Pizlo.
3484
3485         New regression test.
3486
3487         * stress/regress-177570.js: Added.
3488
3489 2017-09-28  Michael Saboff  <msaboff@apple.com>
3490
3491         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3492         https://bugs.webkit.org/show_bug.cgi?id=177423
3493
3494         Reviewed by Mark Lam.
3495
3496         Updated regression test.
3497
3498         * stress/regress-177423.js:
3499         (catch):
3500
3501 2017-09-27  Mark Lam  <mark.lam@apple.com>
3502
3503         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3504         https://bugs.webkit.org/show_bug.cgi?id=177584
3505         <rdar://problem/34463903>
3506
3507         Reviewed by Saam Barati.
3508
3509         * stress/regress-177584.js: Added.
3510         (assertEqual):
3511         (Array.prototype.Symbol.species):
3512
3513 2017-09-27  Saam Barati  <sbarati@apple.com>
3514
3515         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3516         https://bugs.webkit.org/show_bug.cgi?id=177523
3517
3518         Reviewed by Mark Lam.
3519
3520         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3521         (assert):
3522         (Test):
3523         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3524         (addMethods):
3525         (i.Test.prototype.propName):
3526
3527 2017-09-27  Mark Lam  <mark.lam@apple.com>
3528
3529         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3530         https://bugs.webkit.org/show_bug.cgi?id=177423
3531         <rdar://problem/34621320>
3532
3533         Reviewed by Keith Miller.
3534
3535         * stress/regress-177423.js: Added.
3536
3537 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3538
3539         Add Above/Below comparisons for UInt32 patterns
3540         https://bugs.webkit.org/show_bug.cgi?id=177281
3541
3542         Reviewed by Saam Barati.
3543
3544         * stress/uint32-comparison-jump.js: Added.
3545         (shouldBe):
3546         (above):
3547         (aboveOrEqual):
3548         (below):
3549         (belowOrEqual):
3550         (notAbove):
3551         (notAboveOrEqual):
3552         (notBelow):
3553         (notBelowOrEqual):
3554         * stress/uint32-comparison.js: Added.
3555         (shouldBe):
3556         (above):
3557         (aboveOrEqual):
3558         (below):
3559         (belowOrEqual):
3560         (aboveTest):
3561         (aboveOrEqualTest):
3562         (belowTest):
3563         (belowOrEqualTest):
3564
3565 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3566
3567         [DFG] Support ArrayPush with multiple args
3568         https://bugs.webkit.org/show_bug.cgi?id=175823
3569
3570         Reviewed by Saam Barati.
3571
3572         * microbenchmarks/array-push-0.js: Added.
3573         (arrayPush0):
3574         * microbenchmarks/array-push-1.js: Added.
3575         (arrayPush1):
3576         * microbenchmarks/array-push-2.js: Added.
3577         (arrayPush2):
3578         * microbenchmarks/array-push-3.js: Added.
3579         (arrayPush3):
3580         * stress/array-push-multiple-contiguous.js: Added.
3581         (shouldBe):
3582         (test):
3583         * stress/array-push-multiple-double-nan.js: Added.
3584         (shouldBe):
3585         (test):
3586         * stress/array-push-multiple-double.js: Added.
3587         (shouldBe):
3588         (test):
3589         * stress/array-push-multiple-int32.js: Added.
3590         (shouldBe):
3591         (test):
3592         * stress/array-push-multiple-many-contiguous.js: Added.
3593         (shouldBe):
3594         (test):
3595         * stress/array-push-multiple-many-double.js: Added.
3596         (shouldBe):
3597         (test):
3598         * stress/array-push-multiple-many-int32.js: Added.
3599         (shouldBe):
3600         (test):
3601         * stress/array-push-multiple-many-storage.js: Added.
3602         (shouldBe):
3603         (test):
3604         * stress/array-push-multiple-storage.js: Added.
3605         (shouldBe):
3606         (test):
3607
3608 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3609
3610         Unreviewed, rolling out r222518.
3611         https://bugs.webkit.org/show_bug.cgi?id=177507
3612
3613         Break the High Sierra build (Requested by yusukesuzuki on
3614         #webkit).
3615
3616         Reverted changeset:
3617
3618         "Add Above/Below comparisons for UInt32 patterns"
3619         https://bugs.webkit.org/show_bug.cgi?id=177281
3620         http://trac.webkit.org/changeset/222518
3621
3622 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3623
3624         Add Above/Below comparisons for UInt32 patterns
3625         https://bugs.webkit.org/show_bug.cgi?id=177281
3626
3627         Reviewed by Saam Barati.
3628
3629         * stress/uint32-comparison-jump.js: Added.
3630         (shouldBe):
3631         (above):
3632         (aboveOrEqual):
3633         (below):
3634         (belowOrEqual):
3635         (notAbove):
3636         (notAboveOrEqual):
3637         (notBelow):
3638         (notBelowOrEqual):
3639         * stress/uint32-comparison.js: Added.
3640         (shouldBe):
3641         (above):
3642         (aboveOrEqual):
3643         (below):
3644         (belowOrEqual):
3645         (aboveTest):
3646         (aboveOrEqualTest):
3647         (belowTest):
3648         (belowOrEqualTest):
3649
3650 2017-09-23  Keith Miller  <keith_miller@apple.com>
3651
3652         Fix infinite looping test262 test
3653         https://bugs.webkit.org/show_bug.cgi?id=177412
3654
3655         Reviewed by Yusuke Suzuki.
3656
3657         This test was poorly designed since failing it would cause the vm
3658         to inifinite loop. I've fixed it locally and will fix it on github pending
3659         the results of next weeks tc39 meeting.
3660
3661         * test262.yaml:
3662         * test262/test/language/statements/for-of/iterator-next-reference.js:
3663
3664 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3665
3666         test262: $.agent became $262.agent in test262 update
3667         https://bugs.webkit.org/show_bug.cgi?id=177407
3668
3669         Reviewed by Yusuke Suzuki.
3670
3671         * test262.yaml:
3672         ~320 tests pass now that we correctly make $262 available.
3673
3674 2017-09-22  Keith Miller  <keith_miller@apple.com>
3675
3676         Speculatively change iteration protocall to use the same next function
3677         https://bugs.webkit.org/show_bug.cgi?id=175653
3678
3679         Reviewed by Saam Barati.
3680
3681         Change test to match the new iteration behavior.
3682
3683         * stress/spread-optimized-properly.js:
3684
3685 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3686
3687         [DFG][FTL] Profile array vector length for array allocation
3688         https://bugs.webkit.org/show_bug.cgi?id=177051
3689
3690         Reviewed by Saam Barati.
3691
3692         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3693         (target):
3694
3695 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3696
3697         Unreviewed, rolling out r222380.
3698         https://bugs.webkit.org/show_bug.cgi?id=177352
3699
3700         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3701         #webkit).
3702
3703         Reverted changeset:
3704
3705         "[DFG][FTL] Profile array vector length for array allocation"
3706         https://bugs.webkit.org/show_bug.cgi?id=177051
3707         http://trac.webkit.org/changeset/222380
3708
3709 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3710
3711         [DFG][FTL] Profile array vector length for array allocation
3712         https://bugs.webkit.org/show_bug.cgi?id=177051
3713
3714         Reviewed by Saam Barati.
3715
3716         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3717         (target):
3718
3719 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
3720
3721         Skip new hanging test262 tests.
3722         https://bugs.webkit.org/show_bug.cgi?id=177326
3723
3724         Unreviewed test gardening.
3725
3726         * test262.yaml:
3727
3728 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
3729
3730         Mark 6 test262 tests as passing.
3731         https://bugs.webkit.org/show_bug.cgi?id=177307
3732
3733         Unreviewed test gardening.
3734
3735         * test262.yaml:
3736
3737 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3738
3739         Unreviewed follow-up to r222311.
3740
3741         * test262/harness/sta.js:
3742         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
3743         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
3744         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3745         * test262/test/built-ins/Array/from/elements-added-after.js:
3746         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3747         * test262/test/built-ins/Array/from/elements-updated-after.js:
3748         * test262/test/built-ins/Array/from/from-array.js:
3749         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3750         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3751         * test262/test/built-ins/Array/from/source-array-boundary.js:
3752         * test262/test/built-ins/Array/from/source-object-constructor.js:
3753         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3754         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3755         * test262/test/built-ins/Array/from/source-object-length.js:
3756         * test262/test/built-ins/Array/from/source-object-missing.js:
3757         * test262/test/built-ins/Array/from/source-object-without.js:
3758         * test262/test/built-ins/Array/from/this-null.js:
3759         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3760         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3761         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3762         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3763         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3764         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3765         * test262/test/language/literals/string/7.8.4-1gs.js:
3766         Fix some files that I failed to update when I applied my patch.
3767
3768 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3769
3770         Update test262 tests
3771         https://bugs.webkit.org/show_bug.cgi?id=177220
3772
3773         Reviewed by Saam Barati and Yusuke Suzuki.
3774
3775         * test262.yaml:
3776         * test262/test262-Revision.txt:
3777         New rebaselined expectations for all tests.
3778
3779         * test262/*:
3780         Updated.
3781
3782 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3783
3784         [DFG] Remove ToThis more aggressively
3785         https://bugs.webkit.org/show_bug.cgi?id=177056
3786
3787         Reviewed by Saam Barati.
3788
3789         * stress/generator-with-this-strict.js: Added.
3790         (shouldBe):
3791         (generator):
3792         (target):
3793         * stress/generator-with-this.js: Added.
3794         (shouldBe):
3795         (generator):
3796         (target):
3797
3798 2017-09-17  Michael Saboff  <msaboff@apple.com>
3799
3800         https://bugs.webkit.org/show_bug.cgi?id=177038
3801         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3802
3803         Reviewed by JF Bastien.
3804
3805         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3806         as it dies using too much memory.
3807
3808 2017-09-15  Saam Barati  <sbarati@apple.com>
3809
3810         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3811         https://bugs.webkit.org/show_bug.cgi?id=176981
3812
3813         Reviewed by Yusuke Suzuki.
3814
3815         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3816         (assert):
3817         (verify):
3818         (func):
3819         (const.bar.createBuiltin):
3820
3821 2017-09-14  Saam Barati  <sbarati@apple.com>
3822
3823         It should be valid to exit before each set when doing arity fixup when inlining
3824         https://bugs.webkit.org/show_bug.cgi?id=176948
3825
3826         Reviewed by Keith Miller.
3827
3828         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3829         (baz):
3830         (bar):
3831         (foo):
3832
3833 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3834
3835         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3836         https://bugs.webkit.org/show_bug.cgi?id=176867
3837
3838         Reviewed by Sam Weinig.
3839
3840         * microbenchmarks/object-get-own-property-symbols.js: Added.
3841         (test):
3842
3843 2017-09-13  Mark Lam  <mark.lam@apple.com>
3844
3845         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3846         https://bugs.webkit.org/show_bug.cgi?id=176888
3847         <rdar://problem/34381832>
3848
3849         Not reviewed.
3850
3851         * stress/op_mod-ConstVar.js:
3852         * stress/op_mod-VarConst.js:
3853         * stress/op_mod-VarVar.js:
3854
3855 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3856
3857         Skip 3 op_mod tests on Debug JSC bots.
3858         https://bugs.webkit.org/show_bug.cgi?id=176630
3859
3860         Unreviewed test gardening.
3861
3862         * stress/op_mod-ConstVar.js:
3863         * stress/op_mod-VarConst.js:
3864         * stress/op_mod-VarVar.js:
3865
3866 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3867
3868         [JSC] Fix Array allocation in Object.keys
3869         https://bugs.webkit.org/show_bug.cgi?id=176826
3870
3871         Reviewed by Saam Barati.
3872
3873         * stress/object-own-property-keys.js: Added.
3874         (shouldBe):
3875
3876 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3877
3878         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3879         https://bugs.webkit.org/show_bug.cgi?id=176010
3880
3881         Reviewed by Filip Pizlo.
3882
3883         * microbenchmarks/weak-map-key.js: Added.
3884         (assert):
3885         (objectKey):
3886         (let.start.Date.now):
3887
3888 2017-09-12  Mark Lam  <mark.lam@apple.com>
3889
3890         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3891         https://bugs.webkit.org/show_bug.cgi?id=176630
3892
3893         Reviewed by JF Bastien.
3894
3895         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3896         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3897         a speculative fix for the bots that are seeing these fail.
3898
3899         I also undid the skipping of the op_mod tests for debug builds.
3900
3901         * stress/op_div-ConstVar.js:
3902         * stress/op_div-VarConst.js:
3903         * stress/op_div-VarVar.js:
3904         * stress/op_mod-ConstVar.js:
3905         * stress/op_mod-VarConst.js:
3906         * stress/op_mod-VarVar.js:
3907
3908 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3909
3910         Skip stress/value-to-boolean.js on Debug bots.
3911         https://bugs.webkit.org/show_bug.cgi?id=176787
3912
3913         Unreviewed test gardening.
3914
3915         * stress/value-to-boolean.js:
3916
3917 2017-09-11  Mark Lam  <mark.lam@apple.com>
3918
3919         Change test expectation for test262/test/language/statements/try/tco-catch.js
3920         https://bugs.webkit.org/show_bug.cgi?id=176749
3921
3922         Rubber stamped by Keith Miller.
3923
3924         It's been failing since at least r221821.  I'm changing the test expectation to
3925         fail to green the bots while I investigate some more.
3926
3927         * test262.yaml:
3928
3929 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3930
3931         Unreviewed, rolling out r221854.
3932
3933         The test added with this change fails on 32-bit JSC bots.
3934
3935         Reverted changeset:
3936
3937         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3938         https://bugs.webkit.org/show_bug.cgi?id=176010
3939         http://trac.webkit.org/changeset/221854
3940
3941 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3942
3943         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3944         https://bugs.webkit.org/show_bug.cgi?id=176010
3945
3946         Reviewed by Filip Pizlo.
3947
3948         * microbenchmarks/weak-map-key.js: Added.
3949         (assert):
3950         (objectKey):
3951         (let.start.Date.now):
3952
3953 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3954
3955         [JSC] Optimize Object.keys by using careful array allocation
3956         https://bugs.webkit.org/show_bug.cgi?id=176654
3957
3958         Reviewed by Darin Adler.
3959
3960         * microbenchmarks/object-keys.js: Added.
3961         (test):
3962
3963 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
3964
3965         Error should compute .stack and friends lazily
3966         https://bugs.webkit.org/show_bug.cgi?id=176645
3967
3968         Reviewed by Saam Barati.
3969
3970         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
3971         * microbenchmarks/new-error.js: Added.
3972         * microbenchmarks/throw.js: Added.
3973
3974 2017-09-09  Mark Lam  <mark.lam@apple.com>
3975
3976         [Re-landing] Use JIT probes for DFG OSR exit.
3977         https://bugs.webkit.org/show_bug.cgi?id=175144
3978         <rdar://problem/33437050>
3979
3980         Not reviewed.  Original patch reviewed by Saam Barati.
3981
3982         Disable these tests for debug builds because they run too slow with the new OSR exit.
3983
3984         * stress/op_mod-ConstVar.js:
3985         * stress/op_mod-VarConst.js:
3986         * stress/op_mod-VarVar.js:
3987
3988 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3989
3990         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3991         https://bugs.webkit.org/show_bug.cgi?id=176300
3992
3993         Reviewed by Saam Barati.
3994
3995         * stress/new-array-with-size-div.js: Added.
3996         (shouldBe):
3997         (test):
3998         (i.i):
3999
4000 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
4001
4002         [DFG] PutByVal with Array::Generic is too generic
4003         https://bugs.webkit.org/show_bug.cgi?id=176345
4004
4005         Reviewed by Filip Pizlo.
4006
4007         * stress/object-assign-symbols.js: Added.
4008         (shouldBe):
4009         (test):
4010         * stress/object-assign.js: Added.
4011         (shouldBe):
4012         (test):
4013         (i.shouldBe.JSON.stringify.test):
4014
4015 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
4016
4017         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
4018         https://bugs.webkit.org/show_bug.cgi?id=176590
4019
4020         Reviewed by Saam Barati.
4021
4022         * microbenchmarks/object-iterate-symbols.js: Added.
4023         (test):
4024         * microbenchmarks/object-iterate.js: Added.
4025         (test):
4026         * stress/object-iterate-symbols.js: Added.
4027         (shouldBe):
4028         (test):
4029         * stress/object-iterate.js: Added.
4030         (shouldBe):
4031         (test):
4032
4033 2017-09-07  Per Arne Vollan  <pvollan@apple.com>
4034
4035         [Win32] 10 JSC stress tests are failing.
4036         https://bugs.webkit.org/show_bug.cgi?id=176538
4037
4038         Reviewed by Mark Lam.
4039
4040         Skip tests on Windows to make the bots green.
4041
4042         * ChakraCore.yaml:
4043         * stress/date-relaxed.js:
4044
4045 2017-09-06  Mark Lam  <mark.lam@apple.com>
4046
4047         constructGenericTypedArrayViewWithArguments() is missing an exception check.
4048         https://bugs.webkit.org/show_bug.cgi?id=176485
4049         <rdar://problem/33898874>
4050
4051         Reviewed by Keith Miller.
4052
4053         * stress/regress-176485.js: Added.
4054
4055 2017-09-05  Saam Barati  <sbarati@apple.com>
4056
4057         isNotCellSpeculation is wrong with respect to SpecEmpty
4058         https://bugs.webkit.org/show_bug.cgi?id=176429
4059
4060         Reviewed by Michael Saboff.
4061
4062         * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
4063         (Foo):
4064
4065 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
4066
4067         test262: Completion values for control flow do not match the spec
4068         https://bugs.webkit.org/show_bug.cgi?id=171265
4069
4070         Reviewed by Saam Barati.
4071
4072         * stress/completion-value.js:
4073         Condensed test for completion values in top level statements.
4074
4075         * stress/super-get-by-id.js:
4076         ClassDeclaration when evaled no longer produce values. Convert
4077         these to ClassExpressions so they produce the class value.
4078         
4079         * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
4080         This is a progression for currect spec behavior.
4081
4082         * mozilla/mozilla-tests.yaml:
4083         This test is now outdated, so mark it as failing for that reason.
4084
4085         * test262.yaml:
4086         Passing all "cptn" completion value tests.
4087
4088 2017-09-04  Saam Barati  <sbarati@apple.com>
4089
4090         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
4091         https://bugs.webkit.org/show_bug.cgi?id=176317
4092
4093         Reviewed by Keith Miller.
4094
4095         * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
4096         (Foo):
4097
4098 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
4099
4100         [DFG][FTL] Efficiently execute number#toString()
4101         https://bugs.webkit.org/show_bug.cgi?id=170007
4102
4103         Reviewed by Keith Miller.
4104
4105         * microbenchmarks/number-to-string-strength-reduction.js: Added.
4106         (test):
4107         * microbenchmarks/number-to-string-with-radix-10.js: Added.
4108         (test):
4109         * microbenchmarks/number-to-string-with-radix-cse.js: Added.
4110         (test):
4111         * microbenchmarks/number-to-string-with-radix.js: Added.
4112         (test):
4113         * stress/number-to-string-strength-reduction.js: Added.
4114         (shouldBe):
4115         (test):
4116         * stress/number-to-string-with-radix-10.js: Added.
4117         (shouldBe):
4118         (test):
4119         * stress/number-to-string-with-radix-cse.js: Added.
4120         (shouldBe):
4121         (test):
4122         * stress/number-to-string-with-radix-invalid.js: Added.
4123         (shouldThrow):
4124         * stress/number-to-string-with-radix-watchpoint.js: Added.
4125         (shouldBe):
4126         (test):
4127         (i.i.1e3.Number.prototype.toString):
4128         * stress/number-to-string-with-radix.js: Added.
4129         (shouldBe):
4130         (test):
4131
4132 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
4133
4134         [DFG] Relax arity requirement
4135         https://bugs.webkit.org/show_bug.cgi?id=175523
4136
4137         Reviewed by Saam Barati.
4138
4139         * stress/arity-mismatch-arguments-length.js: Added.
4140         (shouldBe):
4141         (test1):
4142         (test):
4143         * stress/arity-mismatch-get-argument.js: Added.
4144         (shouldBe):
4145         (builtin.createBuiltin):
4146         (test):
4147         * stress/arity-mismatch-inlining-extra-slots.js: Added.
4148         (shouldBe):
4149         (inlineTarget):
4150         (test):
4151         * stress/arity-mismatch-inlining.js: Added.
4152         (shouldBe):
4153         (inlineTarget):
4154         (test):
4155         * stress/arity-mismatch-rest.js: Added.
4156         (shouldBe):
4157         (test2):
4158         (test1):
4159         (test):
4160
4161 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
4162
4163         [JSC] Fix "name" and "length" of Proxy revoke function
4164         https://bugs.webkit.org/show_bug.cgi?id=176155
4165
4166         Reviewed by Mark Lam.
4167
4168         * test262.yaml:
4169
4170 2017-08-31  Saam Barati  <sbarati@apple.com>
4171
4172         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
4173         https://bugs.webkit.org/show_bug.cgi?id=176206
4174
4175         Reviewed by Keith Miller.
4176
4177         * stress/compare-semantic-origin-op-negate-method-of-getting-a-value-profile.js: Added.
4178         (a):
4179         (b):
4180         (foo):
4181
4182 2017-08-31  Ryan Haddad  <ryanhaddad@apple.com>
4183
4184         Skip two slow JSC tests after r221422.
4185
4186         Unreviewed test gardening.
4187
4188         * stress/regexp-prototype-match-on-too-long-rope.js:
4189         * stress/regexp-prototype-test-on-too-long-rope.js:
4190
4191 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
4192
4193         Unreviewed, skipping slow tests.
4194         
4195         These tests are now timing out. They would have always been slow. The timeouts are probably because OOMs
4196         work differently now.
4197
4198         * stress/regexp-prototype-exec-on-too-long-rope.js:
4199         * stress/string-prototype-charCodeAt-on-too-long-rope.js:
4200
4201 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
4202
4203         [JSC] Use reifying system for "name" property of builtin JSFunction
4204         https://bugs.webkit.org/show_bug.cgi?id=175260
4205
4206         Reviewed by Saam Barati.
4207
4208         * stress/accessors-get-set-prefix.js:
4209         * stress/builtin-function-name.js: Added.
4210         (shouldBe):
4211         (shouldThrow):
4212         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
4213         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
4214         * stress/private-name-as-anonymous-builtin.js: Added.
4215         (shouldBe):
4216         (NotPromise):
4217
4218 2017-08-30  Saam Barati  <sbarati@apple.com>
4219
4220         Unreviewed. Make test stop printing.
4221
4222         * microbenchmarks/fake-iterators-that-throw-when-finished.js:
4223
4224 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
4225
4226         Unreviewed, rolling out r221327.
4227
4228         This change caused test262 failures.
4229
4230         Reverted changeset:
4231
4232         "[JSC] Use reifying system for "name" property of builtin
4233         JSFunction"
4234         https://bugs.webkit.org/show_bug.cgi?id=175260
4235         http://trac.webkit.org/changeset/221327
4236
4237 2017-08-30  Saam Barati  <sbarati@apple.com>
4238
4239         semicolon is being interpreted as an = in the LiteralParser
4240         https://bugs.webkit.org/show_bug.cgi?id=176114
4241
4242         Reviewed by Oliver Hunt.
4243
4244         * stress/jsonp-literal-parser-semicolon-is-not-assignment.js: Added.
4245         * stress/resources/literal-parser-test-case.js: Added.
4246
4247 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
4248
4249         [ESNext] Async iteration - Implement async iteration statement: for-await-of
4250         https://bugs.webkit.org/show_bug.cgi?id=166698
4251
4252         Reviewed by Yusuke Suzuki.
4253
4254         * stress/async-iteration-for-await-of-syntax.js: Added.
4255         (assert):
4256         (checkSyntax):
4257         (checkSyntaxError):
4258         (checkSimpleAsyncGeneratorSloppyMode):
4259         (checkSimpleAsyncGeneratorStrictMode):
4260         (checkNestedAsyncGenerators):
4261         (checkSimpleAsyncGeneratorSyntaxErrorInStrictMode):
4262         * stress/async-iteration-for-await-of.js: Added.
4263         (assert):
4264         (async.foo):
4265         (async.boo):
4266         (const.boo.async):
4267
4268 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4269
4270         [JSC] Use reifying system for "name" property of builtin JSFunction
4271         https://bugs.webkit.org/show_bug.cgi?id=175260
4272
4273         Reviewed by Saam Barati.
4274
4275         * stress/accessors-get-set-prefix.js:
4276         * stress/builtin-function-name.js: Added.
4277         (shouldBe):
4278         (shouldThrow):
4279         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
4280         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
4281
4282 2017-08-25  Saam Barati  <sbarati@apple.com>
4283
4284         Support compiling catch in the DFG
4285         https://bugs.webkit.org/show_bug.cgi?id=174590
4286         <rdar://problem/34047845>
4287
4288         Reviewed by Filip Pizlo.
4289
4290         * microbenchmarks/delta-blue-try-catch.js: Added.
4291         (exception):
4292         (value):
4293         (OrderedCollection):
4294         (OrderedCollection.prototype.add):
4295         (OrderedCollection.prototype.at):
4296         (OrderedCollection.prototype.size):
4297         (OrderedCollection.prototype.removeFirst):
4298         (OrderedCollection.prototype.remove):
4299         (Strength):
4300         (Strength.stronger):
4301         (Strength.weaker):
4302         (Strength.weakestOf):
4303         (Strength.strongest):
4304         (Strength.prototype.nextWeaker):
4305         (Constraint):
4306         (Constraint.prototype.addConstraint):
4307         (Constraint.prototype.satisfy):
4308         (Constraint.prototype.destroyConstraint):
4309         (Constraint.prototype.isInput):
4310         (UnaryConstraint):
4311         (UnaryConstraint.prototype.addToGraph):
4312         (UnaryConstraint.prototype.chooseMethod):
4313         (UnaryConstraint.prototype.isSatisfied):
4314         (UnaryConstraint.prototype.markInputs):
4315         (UnaryConstraint.prototype.output):
4316         (UnaryConstraint.prototype.recalculate):
4317         (UnaryConstraint.prototype.markUnsatisfied):
4318         (UnaryConstraint.prototype.inputsKnown):
4319         (UnaryConstraint.prototype.removeFromGraph):
4320         (StayConstraint):
4321         (StayConstraint.prototype.execute):
4322         (EditConstraint.prototype.isInput):
4323         (EditConstraint.prototype.execute):
4324         (BinaryConstraint):
4325         (BinaryConstraint.prototype.chooseMethod):
4326         (BinaryConstraint.prototype.addToGraph):
4327         (BinaryConstraint.prototype.isSatisfied):
4328         (BinaryConstraint.prototype.markInputs):
4329         (BinaryConstraint.prototype.input):
4330         (BinaryConstraint.prototype.output):
4331         (BinaryConstraint.prototype.recalculate):
4332         (BinaryConstraint.prototype.markUnsatisfied):
4333         (BinaryConstraint.prototype.inputsKnown):
4334         (BinaryConstraint.prototype.removeFromGraph):
4335         (ScaleConstraint):
4336         (ScaleConstraint.prototype.addToGraph):
4337         (ScaleConstraint.prototype.removeFromGraph):
4338         (ScaleConstraint.prototype.markInputs):
4339         (ScaleConstraint.prototype.execute):
4340         (ScaleConstraint.prototype.recalculate):
4341         (EqualityConstraint):
4342         (EqualityConstraint.prototype.execute):
4343         (Variable):
4344         (Variable.prototype.addConstraint):
4345         (Variable.prototype.removeConstraint):
4346         (Planner):
4347         (Planner.prototype.incrementalAdd):
4348         (Planner.prototype.incrementalRemove):
4349         (Planner.prototype.newMark):
4350         (Planner.prototype.makePlan):
4351         (Planner.prototype.extractPlanFromConstraints):
4352         (Planner.prototype.addPropagate):
4353         (Planner.prototype.removePropagateFrom):
4354         (Planner.prototype.addConstraintsConsumingTo):
4355         (Plan):
4356         (Plan.prototype.addConstraint):
4357         (Plan.prototype.size):
4358         (Plan.prototype.constraintAt):
4359         (Plan.prototype.execute):
4360         (chainTest):
4361         (projectionTest):
4362         (change):
4363         (deltaBlue):
4364         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Added.
4365         (assert):
4366         (Numbers):
4367         (Numbers.prototype.next):
4368         (return.Transpose):
4369         (return.Transpose.prototype.next):
4370         (transpose):
4371         (verifyEven):
4372         (verifyString):
4373         (foo):
4374         (runIterators):
4375         * microbenchmarks/try-catch-word-count.js: Added.
4376         (let.assert):
4377         (EOF):
4378         (let.texts):
4379         (let.o.apply):
4380         (foo):
4381         (bar):
4382         (f):
4383         (run):
4384         (test1):
4385         (test2):
4386         (test3):
4387         (fn):
4388         (A):
4389         (B):
4390         (A.prototype.getValue):
4391         (B.prototype.getParentValue):
4392         (strlen):
4393         (sum.0):
4394         (test):
4395         (result.test.o):
4396         (set add.set add):
4397         (set forEach):
4398         (stringHash):
4399         (set if):
4400         (testFunction):
4401         (set delete.set has.set add):
4402         * stress/catch-set-argument-speculation-failure.js: Added.
4403         (o):
4404         (e):
4405         (e2):
4406         (escape):
4407         (baz):
4408         (noInline.run):
4409         (noInline):
4410         * stress/osr-enter-to-catch-with-set-local-type-check-failure.js: Added.
4411         (foo):
4412         (e):
4413         (baz):
4414         (bar):
4415
4416 2017-08-24  Commit Queue  <commit-queue@webkit.org>
4417
4418         Unreviewed, rolling out r221119, r221124, and r221143.
4419         https://bugs.webkit.org/show_bug.cgi?id=175973
4420
4421         "I think it regressed JSBench by 20%" (Requested by saamyjoon
4422         on #webkit).
4423
4424         Reverted changesets:
4425
4426         "Support compiling catch in the DFG"
4427         https://bugs.webkit.org/show_bug.cgi?id=174590
4428         http://trac.webkit.org/changeset/221119
4429