3b5692a5c4023842ddac7be3b2c7bfb9389d31f8
1 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
4         https://bugs.webkit.org/show_bug.cgi?id=183173
5
6         Reviewed by Saam Barati.
7
8         * stress/async-arrow-function-in-class-heritage.js: Added.
9         (testSyntax):
10         (testSyntaxError):
11         (SyntaxError):
12
13 2018-03-01  Saam Barati  <sbarati@apple.com>
14
15         We need to clear cached structures when having a bad time
16         https://bugs.webkit.org/show_bug.cgi?id=183256
17         <rdar://problem/36245022>
18
19         Reviewed by Mark Lam.
20
21         * stress/having-a-bad-time-with-derived-arrays.js: Added.
22         (assert):
23         (defineSetter):
24         (iterate):
25         (doSlice):
26
27 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
28
29         JSC crash with `import("")`
30         https://bugs.webkit.org/show_bug.cgi?id=183175
31
32         Reviewed by Saam Barati.
33
34         * stress/import-with-empty-string.js: Added.
35
36 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
37
38         Unreviewed, skip FTL tests if FTL is disabled
39         https://bugs.webkit.org/show_bug.cgi?id=183071
40
41         * stress/has-indexed-property-array-storage-ftl.js:
42         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
43
44 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
45
46         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
47         https://bugs.webkit.org/show_bug.cgi?id=182965
48
49         Reviewed by Saam Barati.
50
51         * stress/put-by-val-array-storage.js: Added.
52         (shouldBe):
53         (testArrayStorageInBounds):
54         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
55         (shouldBe):
56         (testInt32.createBuiltin):
57         (set for):
58         * stress/put-by-val-slow-put-array-storage.js: Added.
59         (shouldBe):
60         (testArrayStorageInBounds):
61
62 2018-02-26  Saam Barati  <sbarati@apple.com>
63
64         validateStackAccess should not validate if the offset is within the stack bounds
65         https://bugs.webkit.org/show_bug.cgi?id=183067
66         <rdar://problem/37749988>
67
68         Reviewed by Mark Lam.
69
70         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
71         (assert):
72         (test.a):
73         (test.b):
74         (test):
75
76 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
77
78         Unreviewed, skip FTL tests if FTL is disabled
79         https://bugs.webkit.org/show_bug.cgi?id=183071
80
81         * stress/has-indexed-property-array-storage-ftl.js:
82         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
83
84 2018-02-23  Saam Barati  <sbarati@apple.com>
85
86         Make Number.isInteger an intrinsic
87         https://bugs.webkit.org/show_bug.cgi?id=183088
88
89         Reviewed by JF Bastien.
90
91         * stress/number-is-integer-intrinsic.js: Added.
92
93 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
94
95         WebAssembly: cache memory address / size on instance
96         https://bugs.webkit.org/show_bug.cgi?id=177305
97
98         Reviewed by JF Bastien.
99
100         * wasm/function-tests/memory-reuse.js: Added.
101         (createWasmInstance):
102         (doCheckTrap):
103         (doMemoryGrow):
104         (doCheck):
105         (checkWasmInstancesWithSharedMemory):
106
107 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
108
109         [JSC] Implement $vm.ftlTrue function for FTL testing
110         https://bugs.webkit.org/show_bug.cgi?id=183071
111
112         Reviewed by Mark Lam.
113
114         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
115         (foo):
116         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
117         (foo):
118         * stress/dead-fiat-value-to-int52.js:
119         (foo):
120         * stress/dead-osr-entry-value.js:
121         (foo):
122         * stress/fiat-value-to-int52-then-exit-not-double.js:
123         (foo):
124         * stress/fiat-value-to-int52-then-exit-not-int52.js:
125         (foo):
126         * stress/fiat-value-to-int52-then-fail-to-fold.js:
127         (foo):
128         * stress/fiat-value-to-int52-then-fold.js:
129         (foo):
130         * stress/fiat-value-to-int52.js:
131         (foo):
132         * stress/fold-based-on-int32-proof-mul-branch.js:
133         (foo):
134         * stress/fold-profiled-call-to-call.js:
135         (foo):
136         * stress/fold-to-double-constant-then-exit.js:
137         (foo):
138         * stress/fold-to-int52-constant-then-exit.js:
139         (foo):
140         * stress/fold-to-primitive-in-cfa.js:
141         (foo):
142         * stress/fold-to-primitive-to-identity-in-cfa.js:
143         (foo):
144         * stress/has-indexed-property-array-storage-ftl.js: Added.
145         (shouldBe):
146         (test1):
147         (test2):
148         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
149         (shouldBe):
150         (test1):
151         (test2):
152         * stress/int52-ai-add-then-filter-int32.js:
153         (foo):
154         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
155         (foo):
156         * stress/int52-ai-mul-then-filter-int32.js:
157         (foo):
158         * stress/int52-ai-neg-then-filter-int32.js:
159         (foo):
160         * stress/int52-ai-sub-then-filter-int32.js:
161         (foo):
162         * stress/licm-pre-header-cannot-exit-nested.js:
163         (foo):
164         * stress/licm-pre-header-cannot-exit.js:
165         (foo):
166         * stress/sparse-array-entry-update-144067.js:
167         (useMemoryToTriggerGCs):
168         * stress/test-spec-misc.js:
169         (foo):
170         * stress/tricky-array-bounds-checks.js:
171         (foo):
172
173 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
174
175         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
176         https://bugs.webkit.org/show_bug.cgi?id=182792
177
178         Reviewed by Mark Lam.
179
180         * stress/has-indexed-property-array-storage.js: Added.
181         (shouldBe):
182         (test1):
183         (test2):
184         * stress/has-indexed-property-slow-put-array-storage.js: Added.
185         (shouldBe):
186         (test1):
187         (test2):
188
189 2018-02-20  Saam Barati  <sbarati@apple.com>
190
191         DFG::VarargsForwardingPhase should eliminate getting argument length
192         https://bugs.webkit.org/show_bug.cgi?id=182959
193
194         Reviewed by Keith Miller.
195
196         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
197
198 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
199
200         [FTL] Support ArrayPush for ArrayStorage
201         https://bugs.webkit.org/show_bug.cgi?id=182782
202
203         Reviewed by Saam Barati.
204
205         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
206
207         * stress/array-push-array-storage-beyond-int32.js: Added.
208         (shouldBe):
209         (test):
210         * stress/array-push-array-storage.js: Added.
211         (shouldBe):
212         (test):
213         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
214         (shouldBe):
215         (test):
216         * stress/array-push-multiple-storage-continuous.js: Added.
217         (shouldBe):
218         (test):
219
220 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
221
222         [FTL] Support ArrayPop for ArrayStorage
223         https://bugs.webkit.org/show_bug.cgi?id=182783
224
225         Reviewed by Saam Barati.
226
227         * stress/array-pop-array-storage.js: Added.
228         (shouldBe):
229         (test):
230
231 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
232
233         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
234         https://bugs.webkit.org/show_bug.cgi?id=182731
235
236         Reviewed by Saam Barati.
237
238         * stress/arrayify-array-storage-array.js: Added.
239         (shouldBe):
240         (testArrayStorage):
241         * stress/arrayify-array-storage-non-array.js: Added.
242         (shouldBe):
243         (testArrayStorage):
244         * stress/arrayify-array-storage.js: Added.
245         (shouldBe):
246         (testArrayStorage):
247         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
248         (shouldBe):
249         (testArrayStorage):
250         * stress/arrayify-slow-put-array-storage.js: Added.
251         (shouldBe):
252         (testArrayStorage):
253
254 2018-02-19  Saam Barati  <sbarati@apple.com>
255
256         Don't use JSFunction's allocation profile when getting the prototype can be effectful
257         https://bugs.webkit.org/show_bug.cgi?id=182942
258         <rdar://problem/37584764>
259
260         Reviewed by Mark Lam.
261
262         * stress/get-prototype-create-this-effectful.js: Added.
263
264 2018-02-16  Saam Barati  <sbarati@apple.com>
265
266         Fix bugs from r228411
267         https://bugs.webkit.org/show_bug.cgi?id=182851
268         <rdar://problem/37577732>
269
270         Reviewed by JF Bastien.
271
272         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
273
274 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
275
276         Unreviewed, roll out r228366 since it did not progress anything.
277
278         * stress/gc-error-stack.js: Removed.
279         * stress/no-gc-error-stack.js: Removed.
280
281 2018-02-15  Tomas Popela  <tpopela@redhat.com>
282
283         Many stress tests fail with JIT disabled
284         https://bugs.webkit.org/show_bug.cgi?id=182730
285
286         Reviewed by Saam Barati.
287
288         These tests are broken by design if the JIT is disabled - they test
289         the return value of numberOfDFGCompiles(), which is always set to
290         1000000.0 in TestRunnerUtils.cpp, which makes the tests fail.
291
292         * stress/arith-abs-on-various-types.js:
293         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
294         * stress/arith-acos-on-various-types.js:
295         * stress/arith-acosh-on-various-types.js:
296         * stress/arith-asin-on-various-types.js:
297         * stress/arith-asinh-on-various-types.js:
298         * stress/arith-atan-on-various-types.js:
299         * stress/arith-atanh-on-various-types.js:
300         * stress/arith-cbrt-on-various-types.js:
301         * stress/arith-ceil-on-various-types.js:
302         * stress/arith-clz32-on-various-types.js:
303         * stress/arith-cos-on-various-types.js:
304         * stress/arith-cosh-on-various-types.js:
305         * stress/arith-expm1-on-various-types.js:
306         * stress/arith-floor-on-various-types.js:
307         * stress/arith-fround-on-various-types.js:
308         * stress/arith-log-on-various-types.js:
309         * stress/arith-log10-on-various-types.js:
310         * stress/arith-log2-on-various-types.js:
311         * stress/arith-negate-on-various-types.js:
312         * stress/arith-round-on-various-types.js:
313         * stress/arith-sin-on-various-types.js:
314         * stress/arith-sinh-on-various-types.js:
315         * stress/arith-sqrt-on-various-types.js:
316         * stress/arith-tan-on-various-types.js:
317         * stress/arith-tanh-on-various-types.js:
318         * stress/arith-trunc-on-various-types.js:
319         * stress/compare-strict-eq-on-various-types.js:
320
321 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
322
323         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
324
325         Unreviewed test gardening.
326
327         * stress/new-largeish-contiguous-array-with-size.js:
328
329 2018-02-14  Saam Barati  <sbarati@apple.com>
330
331         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
332         https://bugs.webkit.org/show_bug.cgi?id=182801
333
334         Reviewed by Keith Miller.
335
336         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
337
338 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
339
340         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
341         https://bugs.webkit.org/show_bug.cgi?id=182526
342
343         Unreviewed test gardening.
344
345         * stress/activation-sink-default-value-tdz-error.js:
346
347 2018-02-13  Saam Barati  <sbarati@apple.com>
348
349         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
350         https://bugs.webkit.org/show_bug.cgi?id=182755
351         <rdar://problem/37080864>
352
353         Reviewed by Keith Miller.
354
355         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
356         (test1.o.get 10005):
357         (test1):
358         (test2.o.get 1000):
359         (test2):
360
361 2018-02-13  Caitlin Potter  <caitp@igalia.com>
362
363         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
364         https://bugs.webkit.org/show_bug.cgi?id=182717
365
366         Reviewed by Yusuke Suzuki.
367
368         https://github.com/tc39/ecma262/pull/890 imposes a change to template
369         literals, to allow template callsite arrays to be collected when the
370         code containing the tagged template call is collected. This spec change
371         has received consensus and been ratified.
372
373         This change eliminates the eternal map associating template contents
374         with arrays.
375
376         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
377         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
378         * stress/tagged-templates-identity.js:
379         * stress/template-string-tags-eval.js:
380         * test262.yaml:
381
382 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
383
384         Support GetArrayLength on ArrayStorage in the FTL
385         https://bugs.webkit.org/show_bug.cgi?id=182625
386
387         Reviewed by Saam Barati.
388
389         * stress/array-storage-length.js: Added.
390         (shouldBe):
391         (testInBound):
392         (testUncountable):
393         (testSlowPutInBound):
394         (testSlowPutUncountable):
395         * stress/undecided-length.js: Added.
396         (shouldBe):
397         (test2):
398
399 2018-02-12  Saam Barati  <sbarati@apple.com>
400
401         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
402         https://bugs.webkit.org/show_bug.cgi?id=182706
403         <rdar://problem/36833681>
404
405         Reviewed by Filip Pizlo.
406
407         * stress/get-array-length-phantom-new-array-buffer.js: Added.
408         (effects):
409         (foo):
410
411 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
412
413         Don't waste memory for error.stack
414         https://bugs.webkit.org/show_bug.cgi?id=182656
415
416         Reviewed by Saam Barati.
417         
418         Tests the policy.
419
420         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
421         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
422
423 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
424
425         [JSC] Update Test262 to Feb 9 version
426         https://bugs.webkit.org/show_bug.cgi?id=182468
427
428         Reviewed by Saam Barati.
429
430 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
431
432         Unreviewed, fix invalid line terminator in old test262 file part 2
433         https://bugs.webkit.org/show_bug.cgi?id=182468
434
435         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
436
437 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
438
439         Unreviewed, fix invalid line terminator in old test262 file
440         https://bugs.webkit.org/show_bug.cgi?id=182468
441
442         * test262/test/language/literals/regexp/7.8.5-1.js:
443
444 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
445
446         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
447         https://bugs.webkit.org/show_bug.cgi?id=182440
448
449         Reviewed by Darin Adler.
450
451         * stress/array-flatmap.js: Added.
452         (shouldBe):
453         (shouldBeArray):
454         (shouldThrow):
455         (var):
456         * stress/array-flatten.js: Added.
457         (shouldBe):
458         (shouldBeArray):
459         * test262.yaml:
460         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
461         (3.flatMap):
462         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
463
464 2018-02-06  Keith Miller  <keith_miller@apple.com>
465
466         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
467         https://bugs.webkit.org/show_bug.cgi?id=182549
468         <rdar://problem/36189995>
469
470         Reviewed by Saam Barati.
471
472         * stress/var-injection-cache-invalidation.js: Added.
473         (allocateLotsOfThings):
474         (test):
475
476 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
477
478         Unreviewed, follow up for test262 update
479         https://bugs.webkit.org/show_bug.cgi?id=182288
480
481         * test262.yaml:
482
483 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
484
485         Update test262 to Jan 30 version
486         https://bugs.webkit.org/show_bug.cgi?id=182288
487
488         Unreviewed test gardening.
489
490         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
491
492 2018-02-02  Saam Barati  <sbarati@apple.com>
493
494         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
495         https://bugs.webkit.org/show_bug.cgi?id=182368
496         <rdar://problem/36932466>
497
498         Reviewed by Mark Lam.
499
500         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
501         (runNearStackLimit.t):
502         (runNearStackLimit):
503         (try.runNearStackLimit):
504         (catch):
505
506 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
507
508         Update test262 to Jan 30 version
509         https://bugs.webkit.org/show_bug.cgi?id=182288
510
511         Rubber stamped by Saam Barati.
512
513         This patch updates test262 to the latest one, Jan 30 version.
514         Since too many files were added and changed, we cannot list them all in the ChangeLog.
515         The following files are changed.
516
517         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
518         including some special line terminators (like u2028, u2029).
519
520         * test262.yaml:
521         * test262/test262-Revision.txt:
522         * test262/*:
523
524 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
525
526         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
527         https://bugs.webkit.org/show_bug.cgi?id=182411
528
529         Reviewed by Carlos Alberto Lopez Perez.
530
531         This is skipped only on arm memory limited platforms. Until recently
532         it was not a problem on MIPS as the butterfly was not initialized. But
533         since r227435, the butterfly is initialized in that test and therefore
534         memory is allocated, and the test typically takes around 512M, which
535         means it generally gets OOM-killed on the MIPS buildbot.
536
537         * mozilla/mozilla-tests.yaml:
538
539 2018-02-01  Mark Lam  <mark.lam@apple.com>
540
541         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
542         https://bugs.webkit.org/show_bug.cgi?id=182419
543         <rdar://problem/37044945>
544
545         Reviewed by Saam Barati.
546
547         * stress/regress-182419.js: Added.
548
549 2018-02-01  Keith Miller  <keith_miller@apple.com>
550
551         Fix crashes due to mishandling custom sections.
552         https://bugs.webkit.org/show_bug.cgi?id=182404
553         <rdar://problem/36935863>
554
555         Reviewed by Saam Barati.
556
557         * wasm/Builder.js:
558         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
559         * wasm/js-api/validate.js:
560         (assert.truthy):
561
562 2018-01-31  Saam Barati  <sbarati@apple.com>
563
564         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
565         https://bugs.webkit.org/show_bug.cgi?id=182074
566         <rdar://problem/36846261>
567
568         Reviewed by Mark Lam.
569
570         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
571         (assert):
572         (let.func):
573         (let.o.foo):
574         (varFunc):
575
576 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
577
578         Unreviewed, update test262 expects
579         https://bugs.webkit.org/show_bug.cgi?id=182232
580
581         * test262.yaml:
582
583 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
584
585         [JSC] Implement trimStart and trimEnd
586         https://bugs.webkit.org/show_bug.cgi?id=182233
587
588         Reviewed by Mark Lam.
589
590         * stress/trim.js: Added.
591         (shouldBe):
592         (startTest):
593         (endTest):
594         (trimTest):
595
596 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
597
598         [JSC] Relax line terminators in String to make JSON subset of JS
599         https://bugs.webkit.org/show_bug.cgi?id=182232
600
601         Reviewed by Keith Miller.
602
603         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
604         * stress/relaxed-line-terminators-in-string.js: Added.
605         (shouldBe):
606
607 2018-01-29  Michael Saboff  <msaboff@apple.com>
608
609         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
610         https://bugs.webkit.org/show_bug.cgi?id=182249
611
612         Reviewed by Keith Miller.
613
614         New regression test.
615
616         * stress/compare-clobber-untypeduse.js: Added.
617
618 2018-01-29  Matt Lewis  <jlewis3@apple.com>
619
620         Unreviewed, rolling out r227725.
621
622         This caused internal failures.
623
624         Reverted changeset:
625
626         "JSC Sampling Profiler: Detect tester and testee when sampling
627         in RegExp JIT"
628         https://bugs.webkit.org/show_bug.cgi?id=152729
629         https://trac.webkit.org/changeset/227725
630
631 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
632
633         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
634         https://bugs.webkit.org/show_bug.cgi?id=152729
635
636         Reviewed by Saam Barati.
637
638         * stress/sampling-profiler-regexp.js: Added.
639         (platformSupportsSamplingProfiler.test):
640         (platformSupportsSamplingProfiler.baz):
641         (platformSupportsSamplingProfiler):
642
643 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
644
645         [DFG][FTL] WeakMap#set should have DFG node
646         https://bugs.webkit.org/show_bug.cgi?id=180015
647
648         Reviewed by Saam Barati.
649
650         * stress/weakmap-set-change-get.js: Added.
651         (shouldBe):
652         (test):
653         * stress/weakmap-set-cse.js: Added.
654         (shouldBe):
655         (test):
656         * stress/weakset-add-change-get.js: Added.
657         (shouldBe):
658         * stress/weakset-add-cse.js: Added.
659         (shouldBe):
660
661 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
662
663         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
664         https://bugs.webkit.org/show_bug.cgi?id=182213
665
666         Reviewed by Mark Lam.
667
668         * stress/int32-min-to-string.js: Added.
669         (shouldBe):
670         (test2):
671         (test4):
672         (test8):
673         (test16):
674         (test32):
675         * stress/zero-to-string.js: Added.
676         (shouldBe):
677         (test2):
678         (test4):
679         (test8):
680         (test16):
681         (test32):
682
683 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
684
685         Add more module scope related tests with code evaluation by string
686         https://bugs.webkit.org/show_bug.cgi?id=181983
687
688         Reviewed by Sam Weinig.
689
690         Add more module scope related tests. When the original tests landed,
691         we did not have browser integration. This patch adds more module scope tests
692         with dynamically created script evaluation. We add tests with Function
693         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
694
695         * modules/scopes-eval.js: Added.
696         (shouldBe):
697         * modules/scopes.js:
698         (shouldBe):
699
700 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
701
702         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
703
704         * microbenchmarks/array-push-3.js: Removed.
705         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
706         * microbenchmarks/double-to-int32.js: Removed.
707         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
708         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
709         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
710         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
711         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
712         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
713         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
714         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
715         * microbenchmarks/map-constant-key.js: Removed.
716         * microbenchmarks/nested-function-parsing.js: Removed.
717         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
718         * microbenchmarks/spread-large-array.js: Removed.
719         * microbenchmarks/string-add-constant-folding.js: Removed.
720         * microbenchmarks/to-lower-case.js: Removed.
721         * microbenchmarks/undefined-property-access.js: Removed.
722         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
723         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
724         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
725         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
726         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
727         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
728         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
729         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
730         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
731         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
732         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
733         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
734         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
735         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
736         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
737         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
738         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
739         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
740
741 2018-01-23  Robin Morisset  <rmorisset@apple.com>
742
743         Update the argument count in DFGByteCodeParser::handleRecursiveCall
744         https://bugs.webkit.org/show_bug.cgi?id=181739
745         <rdar://problem/36627662>
746
747         Reviewed by Saam Barati.
748
749         * stress/recursive-tail-call-with-different-argument-count.js: Added.
750         (foo):
751         (bar):
752
753 2018-01-22  Michael Saboff  <msaboff@apple.com>
754
755         DFG abstract interpreter needs to properly model effects of some Math ops
756         https://bugs.webkit.org/show_bug.cgi?id=181886
757
758         Reviewed by Saam Barati.
759
760         New regression test.
761
762         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
763         (test):
764
765 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
766
767         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
768         https://bugs.webkit.org/show_bug.cgi?id=181182
769
770         Reviewed by Darin Adler.
771
772         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
773         * stress/big-int-prototype-to-string-exception.js: Added.
774         * stress/big-int-prototype-to-string-wrong-values.js: Added.
775         * stress/number-prototype-to-string-cast-overflow.js: Added.
776         * stress/number-prototype-to-string-exception.js: Added.
777         * stress/number-prototype-to-string-wrong-values.js: Added.
778
779 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
780
781         Disable Atomics when SharedArrayBuffer isn’t enabled
782         https://bugs.webkit.org/show_bug.cgi?id=181572
783
784         Unreviewed test gardening.
785
786         * test262.yaml: Skip tests that fail after this change.
787
788 2018-01-19  Saam Barati  <sbarati@apple.com>
789
790         Kill ArithNegate's ArithProfile assert inside BytecodeParser
791         https://bugs.webkit.org/show_bug.cgi?id=181877
792         <rdar://problem/36630552>
793
794         Reviewed by Mark Lam.
795
796         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
797         (runNearStackLimit):
798         (f1):
799         (f2):
800         (f3):
801         (i.catch):
802         (i.try.runNearStackLimit):
803         (catch):
804
805 2018-01-19  Saam Barati  <sbarati@apple.com>
806
807         Spread's effects are modeled incorrectly both in AI and in Clobberize
808         https://bugs.webkit.org/show_bug.cgi?id=181867
809         <rdar://problem/36290415>
810
811         Reviewed by Michael Saboff.
812
813         * stress/ai-needs-to-model-spreads-effects.js: Added.
814         (try.p.Symbol.iterator):
815         (try.go):
816         (catch):
817         * stress/clobberize-needs-to-model-spread-effects.js: Added.
818         (assert):
819         (foo):
820         (a.Symbol.iterator):
821
822 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
823
824         Unreviewed, reduce count of iteration to fix timing out debug JSC test
825         https://bugs.webkit.org/show_bug.cgi?id=181535
826
827         * stress/inserted-recovery-with-set-last-index.js:
828
829 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
830
831         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
832         https://bugs.webkit.org/show_bug.cgi?id=181535
833
834         Reviewed by Saam Barati.
835
836         * stress/inserted-recovery-with-set-last-index.js: Added.
837         (shouldBe):
838         (foo):
839         * stress/materialize-regexp-at-osr-exit.js: Added.
840         (shouldBe):
841         (test):
842         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
843         (shouldBe):
844         (test):
845         * stress/materialize-regexp-cyclic-regexp.js: Added.
846         (shouldBe):
847         (test):
848         (i.switch):
849         * stress/materialize-regexp-cyclic.js: Added.
850         (shouldBe):
851         (test):
852         (i.switch):
853         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
854         (bar):
855         (foo):
856         (test):
857         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
858         (bar):
859         (foo):
860         (test):
861         * stress/materialize-regexp.js: Added.
862         (shouldBe):
863         (test):
864         * stress/phantom-regexp-regexp-exec.js: Added.
865         (shouldBe):
866         (test):
867         * stress/phantom-regexp-string-match.js: Added.
868         (shouldBe):
869         (test):
870         * stress/regexp-last-index-sinking.js: Added.
871         (shouldBe):
872         (test):
873
874 2018-01-17  Saam Barati  <sbarati@apple.com>
875
876         Disable Atomics when SharedArrayBuffer isn’t enabled
877         https://bugs.webkit.org/show_bug.cgi?id=181572
878         <rdar://problem/36553206>
879
880         Reviewed by Michael Saboff.
881
882         * stress/isLockFree.js:
883
884 2018-01-17  Saam Barati  <sbarati@apple.com>
885
886         DFG::Node::convertToConstant needs to clear the varargs flags
887         https://bugs.webkit.org/show_bug.cgi?id=181697
888         <rdar://problem/36497332>
889
890         Reviewed by Yusuke Suzuki.
891
892         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
893         (doIndexOf):
894         (bar):
895         (i.bar):
896
897 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
898
899         Unreviewed, rolling out r226937.
900
901         Tests added with this change are failing due to a missing
902         exception check.
903
904         Reverted changeset:
905
906         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
907         double to int32_t"
908         https://bugs.webkit.org/show_bug.cgi?id=181182
909         https://trac.webkit.org/changeset/226937
910
911 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
912
913         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
914         https://bugs.webkit.org/show_bug.cgi?id=181182
915
916         Reviewed by Darin Adler.
917
918         * bigIntTests.yaml:
919         * stress/big-int-constructor.js:
920         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
921         (assert):
922         (assertThrowRangeError):
923         * stress/number-prototype-to-string-cast-overflow.js: Added.
924         (assert):
925         (assertThrowRangeError):
926
927 2018-01-12  Saam Barati  <sbarati@apple.com>
928
929         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
930         https://bugs.webkit.org/show_bug.cgi?id=181177
931         <rdar://problem/36205704>
932
933         Reviewed by Yusuke Suzuki.
934
935         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
936         (runNearStackLimit.t):
937         (runNearStackLimit):
938         (test.f):
939         (test):
940
941 2018-01-12  Saam Barati  <sbarati@apple.com>
942
943         Each variant of a polymorphic inlined call should be exitOK at the top of the block
944         https://bugs.webkit.org/show_bug.cgi?id=181562
945         <rdar://problem/36445624>
946
947         Reviewed by Yusuke Suzuki.
948
949         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
950         (f):
951         (foo):
952
953 2018-01-11  Saam Barati  <sbarati@apple.com>
954
955         When inserting Unreachable in byte code parser we need to flush all the right things
956         https://bugs.webkit.org/show_bug.cgi?id=181509
957         <rdar://problem/36423110>
958
959         Reviewed by Mark Lam.
960
961         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
962
963 2018-01-11  Saam Barati  <sbarati@apple.com>
964
965         JITMathIC code in the FTL is wrong when code gets duplicated
966         https://bugs.webkit.org/show_bug.cgi?id=181525
967         <rdar://problem/36351993>
968
969         Reviewed by Michael Saboff and Keith Miller.
970
971         * stress/allow-math-ic-b3-code-duplication.js: Added.
972
973 2018-01-11  Saam Barati  <sbarati@apple.com>
974
975         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
976         https://bugs.webkit.org/show_bug.cgi?id=181508
977
978         Reviewed by Yusuke Suzuki.
979
980         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
981         (assert):
982         (test1.foo):
983         (test1):
984         (test2.foo):
985         (test2):
986
987 2018-01-09  Mark Lam  <mark.lam@apple.com>
988
989         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
990         https://bugs.webkit.org/show_bug.cgi?id=181388
991         <rdar://problem/36349351>
992
993         Reviewed by Saam Barati.
994
995         * stress/regress-181388.js: Added.
996
997 2018-01-08  JF Bastien  <jfbastien@apple.com>
998
999         WebAssembly: mask indexed accesses to Table
1000         https://bugs.webkit.org/show_bug.cgi?id=181412
1001         <rdar://problem/36363236>
1002
1003         Reviewed by Saam Barati.
1004
1005         Update error messages.
1006
1007         * wasm/js-api/table.js:
1008         (assert.throws.WebAssembly.Table.prototype.grow):
1009
1010 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1011
1012         Disable SharedArrayBuffer tests missed in r226386.
1013         https://bugs.webkit.org/show_bug.cgi?id=181266
1014
1015         Unreviewed test gardening.
1016
1017         * test262.yaml:
1018
1019 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1020
1021         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1022         https://bugs.webkit.org/show_bug.cgi?id=181321
1023
1024         Reviewed by Saam Barati.
1025
1026         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1027         (shouldBe):
1028         (testFunction):
1029         * test262.yaml:
1030
1031 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1032
1033         Unreviewed, attempt to fix test262 after r226386.
1034
1035         * test262.yaml:
1036
1037 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1038
1039         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1040         https://bugs.webkit.org/show_bug.cgi?id=179911
1041
1042         Reviewed by Saam Barati.
1043
1044         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1045
1046         * stress/map-set-change-get.js: Added.
1047         (shouldBe):
1048         (test):
1049         * stress/map-set-create-bucket.js: Added.
1050         (shouldBe):
1051         (test):
1052         * stress/set-add-create-bucket.js: Added.
1053         (shouldBe):
1054
1055 2018-01-03  Michael Saboff  <msaboff@apple.com>
1056
1057         Disable SharedArrayBuffers from Web API
1058         https://bugs.webkit.org/show_bug.cgi?id=181266
1059
1060         Reviewed by Saam Barati.
1061
1062         Disabled SharedArrayBuffer tests.
1063
1064         * stress/SharedArrayBuffer-opt.js:
1065         * stress/SharedArrayBuffer.js:
1066         * stress/array-buffer-byte-length.js:
1067         * stress/atomics-add-uint32.js:
1068         * stress/atomics-known-int-use.js:
1069         * stress/atomics-neg-zero.js:
1070         * stress/atomics-store-return.js:
1071         * stress/lars-sab-workers.js:
1072         * stress/regress-159779-1.js:
1073         * stress/regress-159779-2.js:
1074         * stress/regress-170473.js:
1075         * test262.yaml:
1076
1077 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1078
1079         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1080         https://bugs.webkit.org/show_bug.cgi?id=181258
1081
1082         Reviewed by Antonio Gomes.
1083
1084         * stress/big-int-constructor-gc.js:
1085         * stress/big-int-constructor-oom.js:
1086
1087 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1088
1089         Inlining of a function that ends in op_unreachable crashes
1090         https://bugs.webkit.org/show_bug.cgi?id=181027
1091
1092         Reviewed by Filip Pizlo.
1093
1094         * stress/inlining-unreachable.js: Added.
1095         (bar):
1096         (baz):
1097         (i.catch):
1098
1099 2018-01-02  Saam Barati  <sbarati@apple.com>
1100
1101         Incorrect assertion inside AccessCase
1102         https://bugs.webkit.org/show_bug.cgi?id=181200
1103         <rdar://problem/35494754>
1104
1105         Reviewed by Yusuke Suzuki.
1106
1107         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1108         (ctor):
1109         (theFunc):
1110         (run):
1111
1112 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1113
1114         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1115         https://bugs.webkit.org/show_bug.cgi?id=175359
1116
1117         Reviewed by Yusuke Suzuki.
1118
1119         * bigIntTests.yaml:
1120         * stress/big-int-as-key.js: Added.
1121         * stress/big-int-constructor-gc.js: Added.
1122         * stress/big-int-constructor-oom.js: Added.
1123         * stress/big-int-constructor-properties.js: Added.
1124         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1125         * stress/big-int-constructor-prototype.js: Added.
1126         * stress/big-int-constructor.js: Added.
1127         * stress/big-int-function-apply.js:
1128         * stress/big-int-length.js: Added.
1129         * stress/big-int-prop-descriptor.js: Added.
1130         * stress/big-int-proto-constructor.js: Added.
1131         * stress/big-int-proto-name.js: Added.
1132         * stress/big-int-prototype-properties.js: Added.
1133         * stress/big-int-prototype-proto.js: Added.
1134         * stress/big-int-prototype-value-of.js: Added.
1135         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1136         * stress/big-int-prototype-to-string-apply.js: Added.
1137         * stress/big-int-to-object.js: Added.
1138         * stress/big-int-to-string.js: Added.
1139
1140 2017-12-28  Saam Barati  <sbarati@apple.com>
1141
1142         Assertion used to determine if something is an async generator is wrong
1143         https://bugs.webkit.org/show_bug.cgi?id=181168
1144         <rdar://problem/35640560>
1145
1146         Reviewed by Yusuke Suzuki.
1147
1148         * stress/async-generator-assertion.js: Added.
1149
1150 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1151
1152         Skip stress/splay-flash-access tests on memory limited platforms
1153         https://bugs.webkit.org/show_bug.cgi?id=181086
1154
1155         Reviewed by Carlos Alberto Lopez Perez.
1156
1157         These tests use about 185M of memory, and occasionally get OOM-killed
1158         on memory limited platforms.
1159
1160         * stress/splay-flash-access-1ms.js:
1161         * stress/splay-flash-access.js:
1162
1163 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1164
1165         Skip slow jsc tests on embedded platforms
1166         https://bugs.webkit.org/show_bug.cgi?id=180937
1167
1168         Reviewed by Carlos Alberto Lopez Perez.
1169
1170         The tests typeProfiler/deltablue-for-of.js and
1171         typeProfiler/getter-richards.js take a very long time in the
1172         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
1173         thus always time out. They should be skipped on these platforms.
1174
1175         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1176         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1177
1178 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1179
1180         [JSC] Do not check isValid() in op_new_regexp
1181         https://bugs.webkit.org/show_bug.cgi?id=180970
1182
1183         Reviewed by Saam Barati.
1184
1185         * stress/regexp-syntax-error-invalid-flags.js: Added.
1186         (shouldThrow):
1187
1188 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1189
1190         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1191         https://bugs.webkit.org/show_bug.cgi?id=180712
1192
1193         Reviewed by Michael Catanzaro.
1194
1195         stress/call-apply-exponential-bytecode-size.js crashes if the
1196         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1197         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1198         should skip the test on other platforms.
1199
1200         * stress/call-apply-exponential-bytecode-size.js:
1201
1202 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1203
1204         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1205         https://bugs.webkit.org/show_bug.cgi?id=179762
1206
1207         Reviewed by Saam Barati.
1208
1209         * stress/call-varargs-double-new-array-buffer.js: Added.
1210         (assert):
1211         (bar):
1212         (foo):
1213         * stress/call-varargs-spread-new-array-buffer.js: Added.
1214         (assert):
1215         (bar):
1216         (foo):
1217         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1218         (assert):
1219         (bar):
1220         (foo):
1221         * stress/forward-varargs-double-new-array-buffer.js: Added.
1222         (assert):
1223         (test.baz):
1224         (test.bar):
1225         (test.foo):
1226         (test):
1227         * stress/new-array-buffer-sinking-osrexit.js: Added.
1228         (target):
1229         (test):
1230         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1231         (shouldBe):
1232         (test):
1233         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1234         (shouldBe):
1235         (target):
1236         (test):
1237         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1238         (assert):
1239         (test1.bar):
1240         (test1.foo):
1241         (test1):
1242         (test2.bar):
1243         (test2.foo):
1244         (test3.baz):
1245         (test3.bar):
1246         (test3.foo):
1247         (test4.baz):
1248         (test4.bar):
1249         (test4.foo):
1250         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1251         (assert):
1252         (test.baz):
1253         (test.bar):
1254         (test.foo):
1255         (test):
1256         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1257         (assert):
1258         (baz):
1259         (bar):
1260         (effects):
1261         (foo):
1262
1263 2017-12-14  Saam Barati  <sbarati@apple.com>
1264
1265         The CleanUp after LICM is erroneously removing a Check
1266         https://bugs.webkit.org/show_bug.cgi?id=180852
1267         <rdar://problem/36063494>
1268
1269         Reviewed by Filip Pizlo.
1270
1271         * stress/dont-run-cleanup-after-licm.js: Added.
1272
1273 2017-12-14  Michael Saboff  <msaboff@apple.com>
1274
1275         REGRESSION (r225695): Repro crash on yahoo login page
1276         https://bugs.webkit.org/show_bug.cgi?id=180761
1277
1278         Reviewed by JF Bastien.
1279
1280         New regression test.
1281
1282         * stress/regress-180761.js: Added.
1283
1284 2017-12-13  Keith Miller  <keith_miller@apple.com>
1285
1286         JSObjects should have a mask for loading indexed properties
1287         https://bugs.webkit.org/show_bug.cgi?id=180768
1288
1289         Reviewed by Mark Lam.
1290
1291         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1292         (test):
1293
1294 2017-12-13  Saam Barati  <sbarati@apple.com>
1295
1296         Arrow functions need their own structure because they have different properties than sloppy functions
1297         https://bugs.webkit.org/show_bug.cgi?id=180779
1298         <rdar://problem/35814591>
1299
1300         Reviewed by Mark Lam.
1301
1302         * stress/arrow-function-needs-its-own-structure.js: Added.
1303         (assert):
1304         (readPrototype):
1305         (noInline.let.f1):
1306         (noInline):
1307
1308 2017-12-13  Saam Barati  <sbarati@apple.com>
1309
1310         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1311         https://bugs.webkit.org/show_bug.cgi?id=163579
1312         <rdar://problem/35455798>
1313
1314         Reviewed by Mark Lam.
1315
1316         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1317         (assert):
1318         (test1):
1319         (i.test1):
1320         (i.test1.C):
1321         (i.test1.async.foo):
1322         (i.test1.foo):
1323         (test2):
1324
1325 2017-12-13  Saam Barati  <sbarati@apple.com>
1326
1327         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1328         https://bugs.webkit.org/show_bug.cgi?id=180734
1329         <rdar://problem/35640547>
1330
1331         Reviewed by Yusuke Suzuki.
1332
1333         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1334         (__isPropertyOfType):
1335         (__getProperties):
1336         (__getObjects):
1337         (__getRandomObject):
1338         (theClass.):
1339         (theClass):
1340         (childClass):
1341         (counter.catch):
1342
1343 2017-12-12  Saam Barati  <sbarati@apple.com>
1344
1345         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1346         https://bugs.webkit.org/show_bug.cgi?id=180725
1347         <rdar://problem/35970511>
1348
1349         Reviewed by Michael Saboff.
1350
1351         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1352         (f1):
1353         (f2):
1354         (let.o2.valueOf):
1355
1356 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1357
1358         [JSC] Implement optimized WeakMap and WeakSet
1359         https://bugs.webkit.org/show_bug.cgi?id=179929
1360
1361         Reviewed by Saam Barati.
1362
1363         * microbenchmarks/weak-map-key.js:
1364         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1365         (assert):
1366         (objectKey):
1367         (let.start.Date.now):
1368         * stress/basic-weakmap.js: Added.
1369         (shouldBe):
1370         (test):
1371         * stress/basic-weakset.js: Added.
1372         (shouldBe):
1373         (test.set new):
1374         * stress/weakmap-cse-set-break.js: Added.
1375         (shouldBe):
1376         (test):
1377         * stress/weakmap-cse.js: Added.
1378         (shouldBe):
1379         (test):
1380         * stress/weakmap-gc.js: Added.
1381         (test):
1382         * stress/weakset-cse-add-break.js: Added.
1383         (shouldBe):
1384         (test.set new):
1385         * stress/weakset-cse.js: Added.
1386         (shouldBe):
1387         (test.set new):
1388         * stress/weakset-gc.js: Added.
1389         (test.set add):
1390         (test.set new):
1391         (test):
1392
1393 2017-12-12  Saam Barati  <sbarati@apple.com>
1394
1395         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1396         https://bugs.webkit.org/show_bug.cgi?id=180723
1397         <rdar://problem/35859726>
1398
1399         Reviewed by JF Bastien.
1400
1401         * stress/get-my-argument-by-val-constant-folding.js: Added.
1402         (test):
1403         (catch):
1404
1405 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1406
1407         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1408         https://bugs.webkit.org/show_bug.cgi?id=179000
1409
1410         Reviewed by Darin Adler and Yusuke Suzuki.
1411
1412         * bigIntTests.yaml: Added.
1413         * stress/big-int-literal-line-terminator.js: Added.
1414         * stress/big-int-literals.js: Added.
1415         * stress/big-int-operations-error.js: Added.
1416         * stress/big-int-type-of.js: Added.
1417         * stress/big-int-white-space-trailing-leading.js: Added.
1418         * stress/big-int-function-apply.js: Added.
1419
1420 2017-12-11  Saam Barati  <sbarati@apple.com>
1421
1422         We need to disableCaching() in ErrorInstance when we materialize properties
1423         https://bugs.webkit.org/show_bug.cgi?id=180343
1424         <rdar://problem/35833002>
1425
1426         Reviewed by Mark Lam.
1427
1428         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1429         (assert):
1430         (makeError):
1431         (storeToStack):
1432         (storeToStackAlreadyMaterialized):
1433
1434 2017-12-05  JF Bastien  <jfbastien@apple.com>
1435
1436         WebAssembly: don't eagerly checksum
1437         https://bugs.webkit.org/show_bug.cgi?id=180441
1438         <rdar://problem/35156628>
1439
1440         Reviewed by Saam Barati.
1441
1442         Checksum is now disabled, so tests only have <?> as the module
1443         name.
1444
1445         * wasm/function-tests/nameSection.js:
1446         * wasm/function-tests/stack-overflow.js:
1447         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1448         (assertOverflows.assertThrows):
1449         (assertOverflows):
1450         * wasm/function-tests/stack-trace.js:
1451
1452 2017-12-04  JF Bastien  <jfbastien@apple.com>
1453
1454         Proxy all functions, except the $ objects
1455         https://bugs.webkit.org/show_bug.cgi?id=180375
1456
1457         Reviewed by Saam Barati.
1458
1459         It looks like this test may have broken some executions because I
1460         call some internal objects. Explicitly ignore objects whose name
1461         starts with "$" because calling them is a bad idea anyway.
1462
1463         * stress/proxy-all-the-parameters.js:
1464         (generateObjects):
1465         (get throw):
1466
1467 2017-12-04  Saam Barati  <sbarati@apple.com>
1468
1469         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1470         https://bugs.webkit.org/show_bug.cgi?id=180366
1471         <rdar://problem/35685877>
1472
1473         Reviewed by Michael Saboff.
1474
1475         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1476         (theParent):
1477         (test1.base.getParentStaticValue):
1478         (test1.base):
1479         (test1.__v_24888.prototype.set prop):
1480         (test1.__v_24888):
1481         (test2.base.getParentStaticValue):
1482         (test2.base):
1483         (test2.__v_24888.prototype.set prop):
1484         (test2.__v_24888):
1485         (test2):
1486
1487 2017-12-01  JF Bastien  <jfbastien@apple.com>
1488
1489         Try proxying all function arguments
1490         https://bugs.webkit.org/show_bug.cgi?id=180306
1491
1492         Reviewed by Saam Barati.
1493
1494         * stress/proxy-all-the-parameters.js: Added.
1495         (isPropertyOfType):
1496         (getProperties):
1497         (generateObjects):
1498         (getObjects):
1499         (getFunctions):
1500         (get throw):
1501         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1502
1503 2017-12-01  JF Bastien  <jfbastien@apple.com>
1504
1505         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1506         https://bugs.webkit.org/show_bug.cgi?id=180297
1507         <rdar://problem/35745556>
1508
1509         Reviewed by Mark Lam.
1510
1511         * stress/math-exceptions.js: Added.
1512         (get try):
1513         (catch):
1514
1515 2017-12-01  JF Bastien  <jfbastien@apple.com>
1516
1517         JavaScriptCore: add test for weird class static getters
1518         https://bugs.webkit.org/show_bug.cgi?id=180281
1519         <rdar://problem/35592139>
1520
1521         Reviewed by Mark Lam.
1522
1523         I fixed a bug for it in r224927 and didn't add a test. Do so.
1524
1525         * stress/class-static-get-weird.js: Added.
1526         (c.prototype.get name):
1527         (c):
1528         (c.prototype.get arguments):
1529         (c.prototype.get caller):
1530         (c.prototype.get length):
1531
1532 2017-12-01  Saam Barati  <sbarati@apple.com>
1533
1534         Having a bad time needs to handle ArrayClass indexing type as well
1535         https://bugs.webkit.org/show_bug.cgi?id=180274
1536         <rdar://problem/35667869>
1537
1538         Reviewed by Keith Miller and Mark Lam.
1539
1540         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1541         (assert):
1542         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1543         (assert):
1544
1545 2017-12-01  JF Bastien  <jfbastien@apple.com>
1546
1547         WebAssembly: restore cached stack limit after out-call
1548         https://bugs.webkit.org/show_bug.cgi?id=179106
1549         <rdar://problem/35337525>
1550
1551         Reviewed by Saam Barati.
1552
1553         * wasm/function-tests/double-instance.js: Added.
1554         (const.imp.boom):
1555         (const.imp.get callAnother):
1556
1557 2017-11-30  JF Bastien  <jfbastien@apple.com>
1558
1559         WebAssembly: improve stack trace
1560         https://bugs.webkit.org/show_bug.cgi?id=179343
1561
1562         Reviewed by Saam Barati.
1563
1564         Update the tests to follow the new format. Notably, SHA1 module
1565         hash is now included in traces, and stubs are properly identified.
1566
1567         * wasm/assert.js: Add an assertion which matches regular expressions.
1568         * wasm/function-tests/nameSection.js:
1569         * wasm/function-tests/stack-overflow.js:
1570         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1571         (assertOverflows.assertThrows.wasm.1):
1572         (assertOverflows.assertThrows.wasm.0):
1573         (assertOverflows.assertThrows):
1574         (assertOverflows):
1575         * wasm/function-tests/stack-trace.js:
1576         (import.Builder.from.string_appeared_here.assert): Deleted.
1577         * wasm/function-tests/trap-after-cross-instance-call.js:
1578         (wasmFrameCountFromError):
1579         * wasm/function-tests/trap-load-2.js:
1580         (wasmFrameCountFromError):
1581         * wasm/function-tests/trap-load.js:
1582         (wasmFrameCountFromError):
1583
1584 2017-11-30  Mark Lam  <mark.lam@apple.com>
1585
1586         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1587         https://bugs.webkit.org/show_bug.cgi?id=180219
1588         <rdar://problem/35696536>
1589
1590         Reviewed by Filip Pizlo.
1591
1592         * stress/regress-180219.js: Added.
1593
1594 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1595
1596         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1597         https://bugs.webkit.org/show_bug.cgi?id=180190
1598
1599         Reviewed by Mark Lam.
1600
1601         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1602         (shouldBe):
1603         (test1):
1604         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1605         (shouldBe):
1606         (test1):
1607         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1608         (shouldBe):
1609         (test1):
1610         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1611         (shouldBe):
1612         (test1):
1613         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1614         (shouldBe):
1615         (test1):
1616         * stress/operation-in-may-have-negative-int32.js: Added.
1617         (shouldBe):
1618         (test2):
1619         * stress/operation-in-negative-int32-cast.js: Added.
1620         (shouldBe):
1621         (test1):
1622
1623 2017-11-28  JF Bastien  <jfbastien@apple.com>
1624
1625         Strict and sloppy functions shouldn't share structure
1626         https://bugs.webkit.org/show_bug.cgi?id=180103
1627         <rdar://problem/35667847>
1628
1629         Reviewed by Saam Barati.
1630
1631         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1632         because the IC was wrong.
1633         (foo):
1634         (bar):
1635         (baz):
1636         (catch):
1637         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1638         in this patch, but may as well test odd strict mode corner cases.
1639         (bar):
1640         (baz):
1641         (catch):
1642         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1643         (foo):
1644         (bar):
1645         (baz):
1646         (catch):
1647         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1648         next file, but with invalidation of the FunctionExecutable's
1649         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1650         slower path.
1651         (foo):
1652         (bar.const.x):
1653         (bar.const.y):
1654         (bar):
1655         (catch):
1656         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1657         strict nesting works correctly.
1658         (foo):
1659         (bar.baz):
1660         (bar):
1661         * stress/strict-function-structure.js: Added. The test used to
1662         assert in objectProtoFuncHasOwnProperty.
1663         (foo):
1664         (bar):
1665         (baz):
1666         * stress/strict-nested-function-structure.js: Added. Nesting.
1667         (foo):
1668         (bar):
1669         (baz.boo):
1670         (baz):
1671
1672 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1673
1674         The recursive tail call optimisation is wrong on closures
1675         https://bugs.webkit.org/show_bug.cgi?id=179835
1676
1677         Reviewed by Saam Barati.
1678
1679         * stress/closure-recursive-tail-call.js: Added.
1680         (makeClosure):
1681
1682 2017-11-27  JF Bastien  <jfbastien@apple.com>
1683
1684         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1685         https://bugs.webkit.org/show_bug.cgi?id=180051
1686         <rdar://problem/35614371>
1687
1688         Reviewed by Saam Barati.
1689
1690         * stress/rest-parameter-negative.js: Added.
1691         (__f_5484):
1692         (catch):
1693         (__f_5485):
1694         (__v_22598.catch):
1695
1696 2017-11-27  Saam Barati  <sbarati@apple.com>
1697
1698         Spread can escape when CreateRest does not
1699         https://bugs.webkit.org/show_bug.cgi?id=180057
1700         <rdar://problem/35676119>
1701
1702         Reviewed by JF Bastien.
1703
1704         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1705         (assert):
1706         (getProperties):
1707         (theFunc):
1708         (let.obj.valueOf):
1709
1710 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1711
1712         [DFG] Add NormalizeMapKey DFG IR
1713         https://bugs.webkit.org/show_bug.cgi?id=179912
1714
1715         Reviewed by Saam Barati.
1716
1717         * stress/map-untyped-normalize-cse.js: Added.
1718         (shouldBe):
1719         (test):
1720         * stress/map-untyped-normalize.js: Added.
1721         (shouldBe):
1722         (test):
1723         * stress/set-untyped-normalize-cse.js: Added.
1724         (shouldBe):
1725         (set return.set has.set has):
1726         * stress/set-untyped-normalize.js: Added.
1727         (shouldBe):
1728         (set return.set has):
1729
1730 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1731
1732         [FTL] Support DeleteById and DeleteByVal
1733         https://bugs.webkit.org/show_bug.cgi?id=180022
1734
1735         Reviewed by Saam Barati.
1736
1737         * stress/delete-by-id.js: Added.
1738         (shouldBe):
1739         (test1):
1740         (test2):
1741         * stress/delete-by-val-ftl.js: Added.
1742         (shouldBe):
1743         (test1):
1744         (test2):
1745
1746 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1747
1748         [DFG] Introduce {Set,Map,WeakMap}Fields
1749         https://bugs.webkit.org/show_bug.cgi?id=179925
1750
1751         Reviewed by Saam Barati.
1752
1753         * stress/map-set-clobber-map-get.js: Added.
1754         (shouldBe):
1755         (test):
1756         * stress/map-set-does-not-clobber-set-has.js: Added.
1757         (shouldBe):
1758         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1759         (shouldBe):
1760         (test):
1761         * stress/set-add-clobber-set-has.js: Added.
1762         (shouldBe):
1763         * stress/set-add-does-not-clobber-map-get.js: Added.
1764         (shouldBe):
1765
1766 2017-11-24  Mark Lam  <mark.lam@apple.com>
1767
1768         Move unsafe jsc shell test functions to the $vm object.
1769         https://bugs.webkit.org/show_bug.cgi?id=179980
1770
1771         Reviewed by Yusuke Suzuki.
1772
1773         * controlFlowProfiler/driver/driver.js:
1774         * controlFlowProfiler/execution-count.js:
1775         * controlFlowProfiler/if-statement.js:
1776         * controlFlowProfiler/loop-statements.js:
1777         * controlFlowProfiler/switch-statements.js:
1778         * controlFlowProfiler/test-jit.js:
1779         * exceptionFuzz/3d-cube.js:
1780         * exceptionFuzz/date-format-xparb.js:
1781         * exceptionFuzz/earley-boyer.js:
1782         * heapProfiler/basic-edges.js:
1783         * heapProfiler/property-edge-types.js:
1784         * microbenchmarks/try-get-by-id-basic.js:
1785         * microbenchmarks/try-get-by-id-polymorphic.js:
1786         * modules/namespace-object-try-get.js:
1787         * stress/argument-count-bytecode.js:
1788         * stress/argument-intrinsic-basic.js:
1789         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1790         * stress/argument-intrinsic-inlining-with-result-escape.js:
1791         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1792         * stress/argument-intrinsic-inlining-with-vararg.js:
1793         * stress/argument-intrinsic-nested-inlining.js:
1794         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1795         * stress/argument-intrinsic-with-stack-write.js:
1796         * stress/arity-mismatch-get-argument.js:
1797         * stress/array-message-passing.js:
1798         * stress/array-push-with-force-exit.js:
1799         * stress/check-dom-with-signature.js:
1800         * stress/check-sub-class.js:
1801         * stress/compare-eq-incomplete-profile.js:
1802         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1803         * stress/do-eval-virtual-call-correctly.js:
1804         * stress/dom-jit-with-poly-proto.js:
1805         * stress/domjit-exception-ic.js:
1806         * stress/domjit-exception.js:
1807         * stress/domjit-getter-complex-with-incorrect-object.js:
1808         * stress/domjit-getter-complex.js:
1809         * stress/domjit-getter-poly.js:
1810         * stress/domjit-getter-proto.js:
1811         * stress/domjit-getter-super-poly.js:
1812         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1813         * stress/domjit-getter-type-check.js:
1814         * stress/domjit-getter.js:
1815         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1816         * stress/for-in-proxy-target-changed-structure.js:
1817         * stress/for-in-proxy.js:
1818         * stress/generational-opaque-roots.js:
1819         * stress/global-const-redeclaration-setting-2.js:
1820         * stress/global-const-redeclaration-setting-3.js:
1821         * stress/global-const-redeclaration-setting-4.js:
1822         * stress/global-const-redeclaration-setting-5.js:
1823         * stress/global-const-redeclaration-setting.js:
1824         * stress/import-basic.js:
1825         * stress/import-from-eval.js:
1826         * stress/import-reject-with-exception.js:
1827         * stress/import-syntax.js:
1828         * stress/impure-get-own-property-slot-inline-cache.js:
1829         * stress/is-constructor.js:
1830         * stress/istypedarrayview-intrinsic.js:
1831         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1832         * stress/jsc-test-functions-should-be-more-robust.js:
1833         * stress/object-toString-with-proxy.js:
1834         * stress/poly-proto-custom-value-and-accessor.js:
1835         * stress/proxy-inline-cache.js:
1836         * stress/re-execute-error-module.js:
1837         * stress/regress-150532.js:
1838         * stress/regress-156992.js:
1839         * stress/regress-179619.js:
1840         * stress/resources/shadow-chicken-support.js:
1841         * stress/runtime-array.js:
1842         * stress/sampling-profiler-microtasks.js:
1843         * stress/shadow-chicken-enabled.js:
1844         * stress/spread-correct-global-object-on-exception.js:
1845         * stress/super-get-by-id.js:
1846         * stress/tailCallForwardArguments.js:
1847         * stress/to-object-intrinsic-boolean-edge.js:
1848         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1849         * stress/to-object-intrinsic-number-edge.js:
1850         * stress/to-object-intrinsic-object-edge.js:
1851         * stress/to-object-intrinsic-string-edge.js:
1852         * stress/to-object-intrinsic-symbol-edge.js:
1853         * stress/to-object-intrinsic.js:
1854         * stress/try-catch-custom-getter-as-get-by-id.js:
1855         * stress/try-get-by-id-poly-proto.js:
1856         * stress/try-get-by-id-should-spill-registers-dfg.js:
1857         * stress/try-get-by-id.js:
1858         * typeProfiler/arrow-functions.js:
1859         * typeProfiler/basic.js:
1860         * typeProfiler/captured.js:
1861         * typeProfiler/classes.js:
1862         * typeProfiler/dfg-jit-optimizations.js:
1863         * typeProfiler/dictionary-mode.js:
1864         * typeProfiler/es6-block-scoping.js:
1865         * typeProfiler/es6-classes.js:
1866         * typeProfiler/inheritance.js:
1867         * typeProfiler/int52-dfg.js:
1868         * typeProfiler/loop.js:
1869         * typeProfiler/optional-fields.js:
1870         * typeProfiler/overflow.js:
1871         * typeProfiler/return.js:
1872         * typeProfiler/symbol.js:
1873         * typeProfiler/weird-prototype-chain.js:
1874
1875 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1876
1877         [DFG][FTL] Support MapSet / SetAdd intrinsics
1878         https://bugs.webkit.org/show_bug.cgi?id=179858
1879
1880         Reviewed by Saam Barati.
1881
1882         * microbenchmarks/map-has-and-set.js: Added.
1883         (test):
1884         * stress/map-set-check-failure.js: Added.
1885         (shouldBe):
1886         (shouldThrow):
1887         (target):
1888         * stress/map-set-cse.js: Added.
1889         (shouldBe):
1890         (test):
1891         * stress/set-add-check-failure.js: Added.
1892         (shouldBe):
1893         (shouldThrow):
1894         (set shouldThrow):
1895         * stress/set-add-cse.js: Added.
1896         (shouldBe):
1897
1898 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1899
1900         [JSC] Allow poly proto for intrinsic getters
1901         https://bugs.webkit.org/show_bug.cgi?id=179550
1902
1903         Reviewed by Saam Barati.
1904
1905         This change is also tested by existing tests.
1906
1907             1. stress/intrinsic-getter-with-poly-proto.js
1908             2. stress/poly-proto-intrinsic-getter-correctness.js
1909
1910         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1911         (shouldBe):
1912         (makePolyProtoObject.foo.C):
1913         (makePolyProtoObject.foo):
1914         (makePolyProtoObject):
1915         (target):
1916         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1917         (shouldBe):
1918         (makePolyProtoObject.foo.C):
1919         (makePolyProtoObject.foo):
1920         (makePolyProtoObject):
1921         (target):
1922
1923 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1924
1925         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1926         https://bugs.webkit.org/show_bug.cgi?id=179744
1927
1928         Reviewed by Michael Catanzaro.
1929
1930         This test uses too much memory for our buildbots on these platforms
1931         and gets OOM-killed.
1932
1933         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1934         Skip if $memoryLimited and linux.
1935
1936 2017-11-17  JF Bastien  <jfbastien@apple.com>
1937
1938         WebAssembly JS API: throw when a promise can't be created
1939         https://bugs.webkit.org/show_bug.cgi?id=179826
1940         <rdar://problem/35455813>
1941
1942         Reviewed by Mark Lam.
1943
1944         Test WebAssembly.{compile,instantiate} where promise creation
1945         fails because of a stack overflow.
1946
1947         * wasm/js-api/promise-stack-overflow.js: Added.
1948         (const.runNearStackLimit.f.const.t):
1949         (async.testCompile):
1950         (async.testInstantiate):
1951
1952 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1953
1954         Unreviewed, mark regress-178385.js as memory exhausting
1955
1956         * stress/regress-178385.js:
1957
1958 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1959
1960         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1961
1962         Unreviewed test gardening.
1963
1964         * test262.yaml:
1965
1966 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1967
1968         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1969         https://bugs.webkit.org/show_bug.cgi?id=179763
1970         <rdar://problem/35550513>
1971
1972         Reviewed by Keith Miller.
1973
1974         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1975
1976         * stress/tdz-this-in-try-catch.js: Added.
1977         (__v_6388):
1978         (__v_6392):
1979
1980 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1981
1982         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1983         https://bugs.webkit.org/show_bug.cgi?id=179594
1984
1985         Reviewed by Saam Barati.
1986
1987         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1988         (shouldBe):
1989         (args):
1990         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1991         (shouldBe):
1992         (args):
1993
1994 2017-11-14  Saam Barati  <sbarati@apple.com>
1995
1996         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1997         https://bugs.webkit.org/show_bug.cgi?id=179639
1998         <rdar://problem/35513018>
1999
2000         Reviewed by JF Bastien.
2001
2002         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2003         (escape):
2004         (i.func):
2005
2006 2017-11-13  Mark Lam  <mark.lam@apple.com>
2007
2008         Add more overflow check book-keeping for MarkedArgumentBuffer.
2009         https://bugs.webkit.org/show_bug.cgi?id=179634
2010         <rdar://problem/35492517>
2011
2012         Reviewed by Saam Barati.
2013
2014         * stress/regress-179634.js: Added.
2015
2016 2017-11-13  Mark Lam  <mark.lam@apple.com>
2017
2018         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2019         https://bugs.webkit.org/show_bug.cgi?id=179619
2020         <rdar://problem/35492518>
2021
2022         Reviewed by Saam Barati.
2023
2024         * stress/regress-179619.js: Added.
2025
2026 2017-11-12  Mark Lam  <mark.lam@apple.com>
2027
2028         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2029         https://bugs.webkit.org/show_bug.cgi?id=179562
2030         <rdar://problem/35467022>
2031
2032         Reviewed by Saam Barati.
2033
2034         * regress-179562.js: Added.
2035
2036 2017-11-08  Saam Barati  <sbarati@apple.com>
2037
2038         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2039         https://bugs.webkit.org/show_bug.cgi?id=177792
2040
2041         Reviewed by Yusuke Suzuki.
2042
2043         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2044         (assert):
2045         (foo.Foo.prototype.ensureX):
2046         (foo.Foo):
2047         (foo):
2048         (access):
2049
2050 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2051
2052         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2053         https://bugs.webkit.org/show_bug.cgi?id=178592
2054
2055         Unreviewed test gardening.
2056
2057         * test262.yaml:
2058
2059 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2060
2061         Turn recursive tail calls into loops
2062         https://bugs.webkit.org/show_bug.cgi?id=176601
2063
2064         Reviewed by Saam Barati.
2065
2066         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2067
2068         Add some simple tests that compute factorial in several ways, and other trivial computations.
2069         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2070         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2071         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2072         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2073
2074         * stress/inline-call-to-recursive-tail-call.js: Added.
2075         (factorial.aux):
2076         (factorial):
2077         (factorial2.aux2):
2078         (factorial2.id):
2079         (factorial2):
2080         (factorial3.aux3):
2081         (factorial3):
2082         (aux4):
2083         (factorial4):
2084         (foo):
2085         (auxBar):
2086         (bar):
2087         (test):
2088
2089 2017-11-07  Mark Lam  <mark.lam@apple.com>
2090
2091         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2092         https://bugs.webkit.org/show_bug.cgi?id=179355
2093         <rdar://problem/35263053>
2094
2095         Reviewed by Saam Barati.
2096
2097         * stress/regress-179355.js: Added.
2098
2099 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2100
2101         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2102         https://bugs.webkit.org/show_bug.cgi?id=144458
2103
2104         Reviewed by Saam Barati.
2105
2106         * microbenchmarks/dfg-internal-function-call.js: Added.
2107         (target):
2108         * microbenchmarks/dfg-internal-function-construct.js: Added.
2109         (target):
2110         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2111         (target):
2112         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2113         (target):
2114         * stress/dfg-internal-function-call.js: Added.
2115         (shouldBe):
2116         (target):
2117         * stress/dfg-internal-function-construct.js: Added.
2118         (shouldBe):
2119         (target):
2120         * stress/internal-function-call.js: Added.
2121         (shouldBe):
2122         * stress/internal-function-construct.js: Added.
2123         (shouldBe):
2124
2125 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2126
2127         [Win] Skip stress/regress-178385.js.
2128         https://bugs.webkit.org/show_bug.cgi?id=179298
2129
2130         Unreviewed test gardening.
2131
2132         * stress/regress-178385.js:
2133
2134 2017-11-03  Keith Miller  <keith_miller@apple.com>
2135
2136         Add test for ic with side effects
2137         https://bugs.webkit.org/show_bug.cgi?id=179268
2138
2139         Reviewed by Saam Barati.
2140
2141         * stress/put-inline-cache-side-effects.js: Added.
2142         (let.i.of.objs.keys):
2143         (f):
2144
2145 2017-11-03  Mark Lam  <mark.lam@apple.com>
2146
2147         CachedCall (and its clients) needs overflow checks.
2148         https://bugs.webkit.org/show_bug.cgi?id=179185
2149
2150         Reviewed by JF Bastien.
2151
2152         * stress/regress-179185.js: Added.
2153
2154 2017-11-02  Michael Saboff  <msaboff@apple.com>
2155
2156         DFG needs to handle code motion of code in for..in loop bodies
2157         https://bugs.webkit.org/show_bug.cgi?id=179212
2158
2159         Reviewed by Keith Miller.
2160
2161         New regression test.
2162
2163         * stress/for-in-side-effects.js: Added.
2164         (getPrototypeOf):
2165         (reset):
2166         (testWithoutFTL.f):
2167         (testWithoutFTL):
2168         (testWithFTL.f):
2169         (testWithFTL):
2170
2171 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2172
2173         AI does not correctly model the clobber case of ArithClz32
2174         https://bugs.webkit.org/show_bug.cgi?id=179188
2175
2176         Reviewed by Michael Saboff.
2177
2178         * stress/arith-clz32-effects.js: Added.
2179         (foo):
2180         (valueOf):
2181
2182 2017-11-01  Michael Saboff  <msaboff@apple.com>
2183
2184         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2185         https://bugs.webkit.org/show_bug.cgi?id=179140
2186
2187         Reviewed by Saam Barati.
2188
2189         New regression test.
2190
2191         * stress/regress-179140.js: Added.
2192         (testWithoutFTL):
2193         (testWithFTL):
2194
2195 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2196
2197         [JSC] Introduce @toObject
2198         https://bugs.webkit.org/show_bug.cgi?id=178726
2199
2200         Reviewed by Saam Barati.
2201
2202         * stress/array-copywithin.js:
2203         (shouldThrow):
2204         * stress/object-constructor-boolean-edge.js: Added.
2205         (shouldBe):
2206         (test):
2207         * stress/object-constructor-global.js: Added.
2208         (shouldBe):
2209         * stress/object-constructor-null-edge.js: Added.
2210         (shouldBe):
2211         (test):
2212         * stress/object-constructor-number-edge.js: Added.
2213         (shouldBe):
2214         (test):
2215         * stress/object-constructor-object-edge.js: Added.
2216         (shouldBe):
2217         (test):
2218         (i.arg):
2219         * stress/object-constructor-string-edge.js: Added.
2220         (shouldBe):
2221         (test):
2222         * stress/object-constructor-symbol-edge.js: Added.
2223         (shouldBe):
2224         (test):
2225         * stress/object-constructor-undefined-edge.js: Added.
2226         (shouldBe):
2227         (test):
2228         * stress/symbol-array-from.js: Added.
2229         (shouldBe):
2230         * stress/to-object-intrinsic-boolean-edge.js: Added.
2231         (shouldBe):
2232         (builtin.createBuiltin):
2233         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2234         (shouldThrow):
2235         * stress/to-object-intrinsic-number-edge.js: Added.
2236         (shouldBe):
2237         (builtin.createBuiltin):
2238         * stress/to-object-intrinsic-object-edge.js: Added.
2239         (shouldBe):
2240         (builtin.createBuiltin):
2241         (i.arg):
2242         * stress/to-object-intrinsic-string-edge.js: Added.
2243         (shouldBe):
2244         (builtin.createBuiltin):
2245         * stress/to-object-intrinsic-symbol-edge.js: Added.
2246         (shouldBe):
2247         (builtin.createBuiltin):
2248         * stress/to-object-intrinsic.js: Added.
2249         (shouldBe):
2250         (shouldThrow):
2251         (builtin.createBuiltin):
2252
2253 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2254
2255         [DFG][FTL] Introduce StringSlice
2256         https://bugs.webkit.org/show_bug.cgi?id=178934
2257
2258         Reviewed by Saam Barati.
2259
2260         * microbenchmarks/string-slice-empty.js: Added.
2261         (slice):
2262         * microbenchmarks/string-slice-one-char.js: Added.
2263         (slice):
2264         * microbenchmarks/string-slice.js: Added.
2265         (slice):
2266
2267 2017-10-26  Michael Saboff  <msaboff@apple.com>
2268
2269         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2270         https://bugs.webkit.org/show_bug.cgi?id=178890
2271
2272         Reviewed by Keith Miller.
2273
2274         New regression test.
2275
2276         * stress/regress-178890.js: Added.
2277
2278 2017-10-26  Mark Lam  <mark.lam@apple.com>
2279
2280         JSRopeString::RopeBuilder::append() should check for overflows.
2281         https://bugs.webkit.org/show_bug.cgi?id=178385
2282         <rdar://problem/35027468>
2283
2284         Reviewed by Saam Barati.
2285
2286         * stress/regress-178385.js: Added.
2287
2288 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2289
2290         Unreviewed, rolling out r223961.
2291
2292         The change that required this has been rolled out.
2293
2294         Reverted changeset:
2295
2296         "Mark test262.yaml/test262/test/language/statements/try/tco-
2297         catch.js as passing."
2298         https://bugs.webkit.org/show_bug.cgi?id=178592
2299         https://trac.webkit.org/changeset/223961
2300
2301 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2302
2303         Unreviewed, rolling out r223691 and r223729.
2304         https://bugs.webkit.org/show_bug.cgi?id=178834
2305
2306         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2307         by rniwa on #webkit).
2308
2309         Reverted changesets:
2310
2311         "Turn recursive tail calls into loops"
2312         https://bugs.webkit.org/show_bug.cgi?id=176601
2313         https://trac.webkit.org/changeset/223691
2314
2315         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2316         comparison is always false due to limited range of data type
2317         [-Wtype-limits]"
2318         https://bugs.webkit.org/show_bug.cgi?id=178543
2319         https://trac.webkit.org/changeset/223729
2320
2321 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2322
2323         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2324         https://bugs.webkit.org/show_bug.cgi?id=178592
2325
2326         Unreviewed test gardening.
2327
2328         * test262.yaml:
2329
2330 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2331
2332         [FTL] Support NewStringObject
2333         https://bugs.webkit.org/show_bug.cgi?id=178737
2334
2335         Reviewed by Saam Barati.
2336
2337         * stress/new-string-object.js: Added.
2338         (shouldBe):
2339         (test):
2340
2341 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2342
2343         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2344         https://bugs.webkit.org/show_bug.cgi?id=178308
2345
2346         Reviewed by Mark Lam.
2347
2348         * test262.yaml:
2349
2350 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2351
2352         [JSC] Use fastJoin in Array#toString
2353         https://bugs.webkit.org/show_bug.cgi?id=178062
2354
2355         Reviewed by Darin Adler.
2356
2357         * microbenchmarks/contiguous-array-to-string.js: Added.
2358         (target):
2359         * microbenchmarks/double-array-to-string.js: Added.
2360         (target):
2361         * microbenchmarks/int32-array-to-string.js: Added.
2362         (target):
2363
2364 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2365
2366         stress/check-string-ident.js is improperly skipped
2367         https://bugs.webkit.org/show_bug.cgi?id=178642
2368
2369         Reviewed by Saam Barati.
2370
2371         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2372         since it forces the run-jsc-stress-tests script to still set up the
2373         test to run, despite the skip directive that precedes it.
2374
2375 2017-10-20  Mark Lam  <mark.lam@apple.com>
2376
2377         Add a test case for r214334.
2378         https://bugs.webkit.org/show_bug.cgi?id=169941
2379         <rdar://problem/31221258>
2380
2381         Reviewed by JF Bastien.
2382
2383         * stress/regress-169941.js: Added.
2384
2385 2017-10-19  JF Bastien  <jfbastien@apple.com>
2386
2387         WebAssembly: no VM / JS version of everything but Instance
2388         https://bugs.webkit.org/show_bug.cgi?id=177473
2389
2390         Reviewed by Filip Pizlo, Saam Barati.
2391
2392         - Exceeding max on memory growth now returns a range error as per
2393         spec. This is a (very minor) breaking change: it used to throw OOM
2394         error. Update the corresponding test.
2395
2396         * wasm/js-api/memory-grow.js:
2397         (assertEq):
2398         * wasm/js-api/table.js:
2399         (assert.throws):
2400
2401 2017-10-19  Mark Lam  <mark.lam@apple.com>
2402
2403         Stringifier::appendStringifiedValue() is missing an exception check.
2404         https://bugs.webkit.org/show_bug.cgi?id=178386
2405         <rdar://problem/35027610>
2406
2407         Reviewed by Saam Barati.
2408
2409         * stress/regress-178386.js: Added.
2410
2411 2017-10-19  Michael Saboff  <msaboff@apple.com>
2412
2413         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2414         https://bugs.webkit.org/show_bug.cgi?id=178521
2415
2416         Reviewed by JF Bastien.
2417
2418         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2419         now passes with the current version (5.0) of the Emoji spec.
2420
2421 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2422
2423         Turn recursive tail calls into loops
2424         https://bugs.webkit.org/show_bug.cgi?id=176601
2425
2426         Reviewed by Saam Barati.
2427
2428         Add some simple tests that compute factorial in several ways, and other trivial computations.
2429         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2430         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2431         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2432         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2433
2434         * stress/inline-call-to-recursive-tail-call.js: Added.
2435         (factorial.aux):
2436         (factorial):
2437         (factorial2.aux):
2438         (factorial2.id):
2439         (factorial2):
2440         (factorial3.aux):
2441         (factorial3):
2442         (aux):
2443         (factorial4):
2444         (test):
2445
2446 2017-10-18  Mark Lam  <mark.lam@apple.com>
2447
2448         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2449         https://bugs.webkit.org/show_bug.cgi?id=177600
2450         <rdar://problem/34710985>
2451
2452         Reviewed by Saam Barati.
2453
2454         * stress/regress-177600.js: Added.
2455
2456 2017-10-18  Mark Lam  <mark.lam@apple.com>
2457
2458         The compiler should always register a structure when it adds its transitionWatchPointSet.
2459         https://bugs.webkit.org/show_bug.cgi?id=178420
2460         <rdar://problem/34814024>
2461
2462         Reviewed by Saam Barati and Filip Pizlo.
2463
2464         * stress/regress-178420.js: Added.
2465         (new.Array.10000.map):
2466
2467 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2468
2469         [JSC] __proto__ getter should be fast
2470         https://bugs.webkit.org/show_bug.cgi?id=178067
2471
2472         Reviewed by Saam Barati.
2473
2474         * stress/dfg-object-proto-accessor.js: Added.
2475         (shouldBe):
2476         (shouldThrow):
2477         (target):
2478         * stress/dfg-object-proto-getter.js: Added.
2479         (shouldBe):
2480         (shouldThrow):
2481         (target):
2482         * stress/dfg-object-prototype-of.js: Added.
2483         (shouldBe):
2484         (shouldThrow):
2485         (target):
2486         * stress/dfg-reflect-get-prototype-of.js: Added.
2487         (shouldBe):
2488         (shouldThrow):
2489         (target):
2490         * stress/intrinsic-getter-with-poly-proto.js: Added.
2491         (shouldBe):
2492         (makePolyProtoObject.foo.C):
2493         (makePolyProtoObject.foo):
2494         (makePolyProtoObject):
2495         (target):
2496         * stress/object-get-prototype-of-filtered.js: Added.
2497         (shouldBe):
2498         (shouldThrow):
2499         (target):
2500         (i.Cocoa):
2501         * stress/object-get-prototype-of-mono-proto.js: Added.
2502         (shouldBe):
2503         (makePolyProtoObject.foo.C):
2504         (makePolyProtoObject.foo):
2505         (makePolyProtoObject):
2506         (target):
2507         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2508         (shouldBe):
2509         (makePolyProtoObject.foo.C):
2510         (makePolyProtoObject.foo):
2511         (makePolyProtoObject):
2512         (target):
2513         * stress/object-get-prototype-of-poly-proto.js: Added.
2514         (shouldBe):
2515         (makePolyProtoObject.foo.C):
2516         (makePolyProtoObject.foo):
2517         (makePolyProtoObject):
2518         (target):
2519         * stress/object-proto-getter-filtered.js: Added.
2520         (shouldBe):
2521         (shouldThrow):
2522         (target):
2523         (i.Cocoa):
2524         * stress/object-proto-getter-poly-mono-proto.js: Added.
2525         (shouldBe):
2526         (makePolyProtoObject.foo.C):
2527         (makePolyProtoObject.foo):
2528         (makePolyProtoObject):
2529         (target):
2530         * stress/object-proto-getter-poly-proto.js: Added.
2531         (shouldBe):
2532         (makePolyProtoObject.foo.C):
2533         (makePolyProtoObject.foo):
2534         (makePolyProtoObject):
2535         (target):
2536         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2537         * stress/string-proto.js: Added.
2538         (shouldBe):
2539         (target):
2540
2541 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2542
2543         Unreviewed, rolling out r223523.
2544
2545         A test for this change is failing on debug JSC bots.
2546
2547         Reverted changeset:
2548
2549         "[JSC] __proto__ getter should be fast"
2550         https://bugs.webkit.org/show_bug.cgi?id=178067
2551         https://trac.webkit.org/changeset/223523
2552
2553 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2554
2555         [JSC] __proto__ getter should be fast
2556         https://bugs.webkit.org/show_bug.cgi?id=178067
2557
2558         Reviewed by Saam Barati.
2559
2560         * stress/dfg-object-proto-accessor.js: Added.
2561         (shouldBe):
2562         (shouldThrow):
2563         (target):
2564         * stress/dfg-object-proto-getter.js: Added.
2565         (shouldBe):
2566         (shouldThrow):
2567         (target):
2568         * stress/dfg-object-prototype-of.js: Added.
2569         (shouldBe):
2570         (shouldThrow):
2571         (target):
2572         * stress/dfg-reflect-get-prototype-of.js: Added.
2573         (shouldBe):
2574         (shouldThrow):
2575         (target):
2576         * stress/object-get-prototype-of-filtered.js: Added.
2577         (shouldBe):
2578         (shouldThrow):
2579         (target):
2580         (i.Cocoa):
2581         * stress/object-get-prototype-of-mono-proto.js: Added.
2582         (shouldBe):
2583         (makePolyProtoObject.foo.C):
2584         (makePolyProtoObject.foo):
2585         (makePolyProtoObject):
2586         (target):
2587         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2588         (shouldBe):
2589         (makePolyProtoObject.foo.C):
2590         (makePolyProtoObject.foo):
2591         (makePolyProtoObject):
2592         (target):
2593         * stress/object-get-prototype-of-poly-proto.js: Added.
2594         (shouldBe):
2595         (makePolyProtoObject.foo.C):
2596         (makePolyProtoObject.foo):
2597         (makePolyProtoObject):
2598         (target):
2599         * stress/object-proto-getter-filtered.js: Added.
2600         (shouldBe):
2601         (shouldThrow):
2602         (target):
2603         (i.Cocoa):
2604         * stress/object-proto-getter-poly-mono-proto.js: Added.
2605         (shouldBe):
2606         (makePolyProtoObject.foo.C):
2607         (makePolyProtoObject.foo):
2608         (makePolyProtoObject):
2609         (target):
2610         * stress/object-proto-getter-poly-proto.js: Added.
2611         (shouldBe):
2612         (makePolyProtoObject.foo.C):
2613         (makePolyProtoObject.foo):
2614         (makePolyProtoObject):
2615         (target):
2616         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2617         * stress/string-proto.js: Added.
2618         (shouldBe):
2619         (target):
2620
2621 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2622
2623         Reland "Add Above/Below comparisons for UInt32 patterns"
2624         https://bugs.webkit.org/show_bug.cgi?id=177281
2625
2626         Reviewed by Saam Barati.
2627
2628         * stress/uint32-comparison-jump.js: Added.
2629         (shouldBe):
2630         (above):
2631         (aboveOrEqual):
2632         (below):
2633         (belowOrEqual):
2634         (notAbove):
2635         (notAboveOrEqual):
2636         (notBelow):
2637         (notBelowOrEqual):
2638         * stress/uint32-comparison.js: Added.
2639         (shouldBe):
2640         (above):
2641         (aboveOrEqual):
2642         (below):
2643         (belowOrEqual):
2644         (aboveTest):
2645         (aboveOrEqualTest):
2646         (belowTest):
2647         (belowOrEqualTest):
2648
2649 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2650
2651         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2652         https://bugs.webkit.org/show_bug.cgi?id=178210
2653
2654         Reviewed by Saam Barati.
2655
2656         * wasm/function-tests/trap-from-start-async.js:
2657         (async.StartTrapsAsync):
2658         * wasm/function-tests/trap-from-start.js:
2659         (StartTraps):
2660         * wasm/js-api/web-assembly-function.js:
2661         (assert.eq.Object.getPrototypeOf):
2662         * wasm/js-api/wrapper-function.js:
2663         (return.new.WebAssembly.Module):
2664         (assert.throws.makeInstance): Deleted.
2665         (assert.throws.Bar): Deleted.
2666         (assert.throws): Deleted.
2667
2668 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2669
2670         Enable gigacage on iOS
2671         https://bugs.webkit.org/show_bug.cgi?id=177586
2672
2673         Reviewed by JF Bastien.
2674         
2675         Add tests for when Gigacage gets runtime disabled.
2676
2677         * stress/disable-gigacage-arrays.js: Added.
2678         (foo):
2679         * stress/disable-gigacage-strings.js: Added.
2680         (foo):
2681         * stress/disable-gigacage-typed-arrays.js: Added.
2682         (foo):
2683
2684 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2685
2686         import.meta should not be assignable
2687         https://bugs.webkit.org/show_bug.cgi?id=178202
2688
2689         Reviewed by Saam Barati.
2690
2691         * modules/import-meta-assignment.js: Added.
2692         (shouldThrow):
2693         (SyntaxError.import.meta.can.shouldThrow):
2694
2695 2017-10-11  Saam Barati  <sbarati@apple.com>
2696
2697         Unreviewed. Actually skip certain type profiler tests in debug.
2698
2699         * typeProfiler.yaml:
2700         * typeProfiler/deltablue-for-of.js:
2701         * typeProfiler/getter-richards.js:
2702
2703 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2704
2705         Unreviewed, rolling out r223113 and r223121.
2706         https://bugs.webkit.org/show_bug.cgi?id=178182
2707
2708         Reintroduced 20% regression on Kraken (Requested by rniwa on
2709         #webkit).
2710
2711         Reverted changesets:
2712
2713         "Enable gigacage on iOS"
2714         https://bugs.webkit.org/show_bug.cgi?id=177586
2715         https://trac.webkit.org/changeset/223113
2716
2717         "Use one virtual allocation for all gigacages and their
2718         runways"
2719         https://bugs.webkit.org/show_bug.cgi?id=178050
2720         https://trac.webkit.org/changeset/223121
2721
2722 2017-10-11  Michael Saboff  <msaboff@apple.com>
2723
2724         Disable test262 named capture group tests with direct unicode names and with references before definitions
2725         https://bugs.webkit.org/show_bug.cgi?id=178177
2726
2727         Reviewed by Keith Miller.
2728
2729         Bugs to track fixing these tests are:
2730         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2731             "Add support in named capture group identifiers for direct surrogate pairs"
2732         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2733             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2734
2735         * test262.yaml:
2736
2737 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2738
2739         Object properties are undefined in super.call() but not in this.call()
2740         https://bugs.webkit.org/show_bug.cgi?id=177230
2741
2742         Reviewed by Saam Barati.
2743
2744         * stress/super-call-function-subclass.js: Added.
2745         (assert):
2746         (A.prototype.t):
2747         (A):
2748         * stress/super-dot-call-and-apply.js: Added.
2749         (assert):
2750         (A):
2751         (A.prototype.call):
2752         (A.prototype.apply):
2753         (B.prototype.testSuper):
2754         (B):
2755         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2756         (D.prototype.testSuper):
2757         (D):
2758
2759 2017-10-10  Saam Barati  <sbarati@apple.com>
2760
2761         The prototype cache should be aware of the Executable it generates a Structure for
2762         https://bugs.webkit.org/show_bug.cgi?id=177907
2763
2764         Reviewed by Filip Pizlo.
2765
2766         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2767         (assert):
2768         (foo.C):
2769         (foo):
2770         (bar.C):
2771         (bar):
2772         (access):
2773         (makeLongChain):
2774         (accessY):
2775
2776 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2777
2778         `async` should be able to be used as an imported binding name
2779         https://bugs.webkit.org/show_bug.cgi?id=176573
2780
2781         Reviewed by Saam Barati.
2782
2783         * modules/import-default-async.js: Added.
2784         * modules/import-named-async-as.js: Added.
2785         * modules/import-named-async.js: Added.
2786         * modules/import-named-async/target.js: Added.
2787         * modules/import-namespace-async.js: Added.
2788         * test262.yaml:
2789
2790 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2791
2792         Enable gigacage on iOS
2793         https://bugs.webkit.org/show_bug.cgi?id=177586
2794
2795         Reviewed by JF Bastien.
2796         
2797         Add tests for when Gigacage gets runtime disabled.
2798
2799         * stress/disable-gigacage-arrays.js: Added.
2800         (foo):
2801         * stress/disable-gigacage-strings.js: Added.
2802         (foo):
2803         * stress/disable-gigacage-typed-arrays.js: Added.
2804         (foo):
2805
2806 2017-10-09  Michael Saboff  <msaboff@apple.com>
2807
2808         Implement RegExp Unicode property escapes
2809         https://bugs.webkit.org/show_bug.cgi?id=172069
2810
2811         Reviewed by JF Bastien.
2812
2813         Enabled Unicode Property tests.
2814
2815         * test262.yaml:
2816
2817 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2818
2819         Unreviewed, rolling out r223015 and r223025.
2820         https://bugs.webkit.org/show_bug.cgi?id=178093
2821
2822         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2823         #webkit).
2824
2825         Reverted changesets:
2826
2827         "Enable gigacage on iOS"
2828         https://bugs.webkit.org/show_bug.cgi?id=177586
2829         http://trac.webkit.org/changeset/223015
2830
2831         "Unreviewed, disable Gigacage on ARM64 Linux"
2832         https://bugs.webkit.org/show_bug.cgi?id=177586
2833         http://trac.webkit.org/changeset/223025
2834
2835 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2836
2837         Update expectations for test262 tests that pass after r223043.
2838         https://bugs.webkit.org/show_bug.cgi?id=176685
2839
2840         Unreviewed test gardening.
2841
2842         * test262.yaml:
2843
2844 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2845
2846         Unreviewed, rolling out r223022.
2847
2848         This change introduced 18 test262 failures.
2849
2850         Reverted changeset:
2851
2852         "`async` should be able to be used as an imported binding
2853         name"
2854         https://bugs.webkit.org/show_bug.cgi?id=176573
2855         http://trac.webkit.org/changeset/223022
2856
2857 2017-10-09  Saam Barati  <sbarati@apple.com>
2858
2859         3 poly-proto JSC tests timing out on debug after r222827
2860         https://bugs.webkit.org/show_bug.cgi?id=177880
2861         <rdar://problem/34817122>
2862
2863         Unreviewed.
2864
2865         I'm skipping these type profiler tests on debug since they are long running.
2866
2867         * typeProfiler/deltablue-for-of.js:
2868         * typeProfiler/getter-richards.js:
2869
2870 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2871
2872         Safari 10 /11 problem with if (!await get(something)).
2873         https://bugs.webkit.org/show_bug.cgi?id=176685
2874
2875         Reviewed by Saam Barati.
2876
2877         * stress/async-await-basic.js:
2878         (awaitEpression.async):
2879         * stress/async-await-syntax.js:
2880         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2881         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2882
2883 2017-10-08  Saam Barati  <sbarati@apple.com>
2884
2885         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2886
2887         * typeProfiler/deltablue-for-of.js:
2888         * typeProfiler/getter-richards.js:
2889
2890 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2891
2892         `async` should be able to be used as an imported binding name
2893         https://bugs.webkit.org/show_bug.cgi?id=176573
2894
2895         Reviewed by Darin Adler.
2896
2897         * modules/import-default-async.js: Added.
2898         * modules/import-named-async-as.js: Added.
2899         * modules/import-named-async.js: Added.
2900         * modules/import-named-async/target.js: Added.
2901         * modules/import-namespace-async.js: Added.
2902
2903 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2904
2905         Enable gigacage on iOS
2906         https://bugs.webkit.org/show_bug.cgi?id=177586
2907
2908         Reviewed by JF Bastien.
2909         
2910         Add tests for when Gigacage gets runtime disabled.
2911
2912         * stress/disable-gigacage-arrays.js: Added.
2913         (foo):
2914         * stress/disable-gigacage-strings.js: Added.
2915         (foo):
2916         * stress/disable-gigacage-typed-arrays.js: Added.
2917         (foo):
2918
2919 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2920
2921         Unreviewed, rolling out r222791 and r222873.
2922         https://bugs.webkit.org/show_bug.cgi?id=178031
2923
2924         Caused crashes with workers/wasm LayoutTests (Requested by
2925         ryanhaddad on #webkit).
2926
2927         Reverted changesets:
2928
2929         "WebAssembly: no VM / JS version of everything but Instance"
2930         https://bugs.webkit.org/show_bug.cgi?id=177473
2931         http://trac.webkit.org/changeset/222791
2932
2933         "WebAssembly: address no VM / JS follow-ups"
2934         https://bugs.webkit.org/show_bug.cgi?id=177887
2935         http://trac.webkit.org/changeset/222873
2936
2937 2017-10-05  Saam Barati  <sbarati@apple.com>
2938
2939         Make sure all prototypes under poly proto get added into the VM's prototype map
2940         https://bugs.webkit.org/show_bug.cgi?id=177909
2941
2942         Reviewed by Keith Miller.
2943
2944         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2945         (assert):
2946         (foo.C):
2947         (foo):
2948         (set x):
2949
2950 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2951
2952         [JSC] Introduce import.meta
2953         https://bugs.webkit.org/show_bug.cgi?id=177703
2954
2955         Reviewed by Filip Pizlo.
2956
2957         * modules/import-meta-syntax.js: Added.
2958         (shouldThrow):
2959         (shouldNotThrow):
2960         * modules/import-meta.js: Added.
2961         * modules/import-meta/cocoa.js: Added.
2962         * modules/resources/assert.js:
2963         (export.shouldNotThrow):
2964         * stress/import-syntax.js:
2965
2966 2017-10-04  Saam Barati  <sbarati@apple.com>
2967
2968         Make pertinent AccessCases watch the poly proto watchpoint
2969         https://bugs.webkit.org/show_bug.cgi?id=177765
2970
2971         Reviewed by Keith Miller.
2972
2973         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2974         (assert):
2975         (foo.C):
2976         (foo):
2977         (validate):
2978         * stress/poly-proto-clear-stub.js: Added.
2979         (assert):
2980         (foo.C):
2981         (foo):
2982
2983 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2984
2985         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2986
2987         Unreviewed test gardening.
2988
2989         * test262.yaml:
2990
2991 2017-10-04  Saam Barati  <sbarati@apple.com>
2992
2993         3 poly-proto JSC tests timing out on debug after r222827
2994         https://bugs.webkit.org/show_bug.cgi?id=177880
2995
2996         Rubber stamped by Mark Lam.
2997
2998         * microbenchmarks/poly-proto-access.js:
2999         * typeProfiler/deltablue-for-of.js:
3000         * typeProfiler/getter-richards.js:
3001
3002 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3003
3004         Unreviewed, marking tco-catch.js as a failure after test262 update
3005         https://bugs.webkit.org/show_bug.cgi?id=177859
3006
3007         * test262.yaml:
3008
3009 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3010
3011         Unreviewed, marking one async iterator test262 test failed
3012         https://bugs.webkit.org/show_bug.cgi?id=177859
3013
3014         * test262.yaml:
3015
3016 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3017
3018         [Test262] Update Test262 to Oct 4 version
3019         https://bugs.webkit.org/show_bug.cgi?id=177859
3020
3021         Reviewed by Sam Weinig.
3022
3023         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3024         we no longer need to mark it skip/fail. Also this update includes a bunch of BigInt tests.
3025
3026         * test262.yaml:
3027         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3028         (checkSequence):
3029         * test262/harness/typeCoercion.js:
3030         (testCoercibleToIndexZero):
3031         (testCoercibleToIndexOne):
3032         (testCoercibleToIndexFromIndex):
3033         (testNotCoercibleToIndex.testPrimitiveValue):
3034         (testNotCoercibleToInteger):
3035         (testCoercibleToBigIntZero.testPrimitiveValue):
3036         (testCoercibleToBigIntZero):
3037         (testCoercibleToBigIntOne.testPrimitiveValue):
3038         (testCoercibleToBigIntOne):
3039         (testPrimitiveValue):
3040         (testCoercibleToBigIntFromBigInt):
3041         (testNotCoercibleToBigInt.testPrimitiveValue):
3042         (testNotCoercibleToBigInt.testStringValue):
3043         (testNotCoercibleToBigInt):
3044         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3045         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3046         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3047         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3048         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3049         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3050         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3051         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3052         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3053         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3054         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3055         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3056         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3057         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3058         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3059         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3060         (testCoercibleToBigIntZero):
3061         (testCoercibleToBigIntOne):
3062         (testNotCoercibleToBigInt):
3063         (MyError): Deleted.
3064         (valueOf): Deleted.
3065         (toString): Deleted.
3066         (Symbol.toPrimitive): Deleted.
3067         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3068         (testCoercibleToIndexZero):
3069         (testCoercibleToIndexOne):
3070         (testNotCoercibleToIndex):
3071         (MyError): Deleted.
3072         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3073         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3074         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3075         (BigInt.asIntN.valueOf): Deleted.
3076         (BigInt.asIntN.toString): Deleted.
3077         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3078         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3079         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3080         (testCoercibleToBigIntZero):
3081         (testCoercibleToBigIntOne):
3082         (testNotCoercibleToBigInt):
3083         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3084         (testCoercibleToIndexZero):
3085         (testCoercibleToIndexOne):
3086         (testNotCoercibleToIndex):
3087         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3088         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3089         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3090         (bits.valueOf):
3091         (bigint.valueOf):
3092         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3093         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3094         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3095         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3096         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3097         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3098         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3099         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3100         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3101         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3102         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3103         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3104         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3105         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3106         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3107         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3108         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3109         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3110         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3111         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3112         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3113         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3114         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3115         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3116         (replacer):
3117         (BigInt.prototype.toJSON):
3118         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3119         (replacer):
3120         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3121         (BigInt.prototype.toJSON):
3122         * test262/test/built-ins/JSON/stringify/bigint.js:
3123         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3124         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3125         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3126         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3127         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3128         * test262/test/built-ins/Object/proto-from-ctor.js:
3129         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3130         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3131         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3132         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3133         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3134         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3135         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3136         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3137         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3138         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3139         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3140         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3141         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3142         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3143         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3144         * test262/test/built-ins/Proxy/get-fn-realm.js:
3145         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3146         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3147         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3148         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3149         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3150         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3151         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3152         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3153         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3154         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3155         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3156         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3157         (i6.replace):
3158         (i6b.replace):
3159         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3160         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3161         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3162         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3163         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3164         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3165         * test262/test/built-ins/RegExp/u180e.js: Added.
3166         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3167         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3168         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3169         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3170         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3171         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3172         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3173         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3174         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3175         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3176         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3177         * test262/test/built-ins/String/prototype/endsWith/length.js:
3178         * test262/test/built-ins/String/prototype/endsWith/name.js:
3179         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3180         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3181         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3182         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3183         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3184         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3185         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3186         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3187         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3188         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3189         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3190         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3191         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3192         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3193         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3194         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3195         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3196         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3197         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3198         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3199         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3200         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3201         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3202         * test262/test/built-ins/String/prototype/includes/includes.js:
3203         * test262/test/built-ins/String/prototype/includes/length.js:
3204         * test262/test/built-ins/String/prototype/includes/name.js:
3205         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3206         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3207         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3208         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3209         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3210         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3211         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3212         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3213         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3214         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3215         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3216         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3217         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3218         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3219         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3220         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3221         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3222         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3223         * test262/test/built-ins/String/prototype/trim/u180e.js:
3224         * test262/test/built-ins/Symbol/for/cross-realm.js:
3225         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3226         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3227         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3228         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3229         * test262/test/built-ins/Symbol/match/cross-realm.js:
3230         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3231         * test262/test/built-ins/Symbol/search/cross-realm.js:
3232         * test262/test/built-ins/Symbol/species/cross-realm.js:
3233         * test262/test/built-ins/Symbol/split/cross-realm.js:
3234         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3235         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3236         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3237         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3238         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3239         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3240         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3241         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3242         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3243         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3244         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3245         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3246         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3247         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3248         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3249         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3250         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3251         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3252         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3253         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3254         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3255         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3256         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3257         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3258         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3259         * test262/test/language/eval-code/indirect/realm.js:
3260         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3261         (o.get z):
3262         (o.get a):
3263         * test262/test/language/expressions/call/eval-realm-indirect.js:
3264         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3265         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3266         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3267         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3268         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3269         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3270         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3271         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3272         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3273         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3274         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3275         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3276         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3277         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3278         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3279         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3280         * test262/test/language/expressions/less-than/bigint-and-number.js:
3281         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3282         * test262/test/language/expressions/super/realm.js:
3283         * test262/test/language/expressions/tagged-template/cache-realm.js:
3284         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3285         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3286         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3287         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3288         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3289         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3290         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3291         (o.get z):
3292         (o.get a):
3293         * test262/test/language/statements/for-of/iterator-next-reference.js:
3294         (next):
3295         (iterator.next): Deleted.
3296         (x.of.iterable.): Deleted.
3297         (x.of.iterable.get return): Deleted.
3298         (x.of.iterable.iterator.next): Deleted.
3299         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3300         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3301         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3302         * test262/test/language/white-space/mongolian-vowel-separator.js:
3303         * test262/test262-Revision.txt:
3304
3305 2017-10-03  Saam Barati  <sbarati@apple.com>
3306
3307         Implement polymorphic prototypes
3308         https://bugs.webkit.org/show_bug.cgi?id=176391
3309
3310         Reviewed by Filip Pizlo.
3311
3312         * microbenchmarks/poly-proto-access.js: Added.
3313         (assert):
3314         (foo.C):
3315         (foo.C.prototype.get bar):
3316         (foo):
3317         (bar):
3318         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3319         (assert):
3320         (makePolyProtoObject.foo.C):
3321         (makePolyProtoObject.foo):
3322         (makePolyProtoObject):
3323         (performSet):
3324         * microbenchmarks/poly-proto-setter-speed.js: Added.
3325         (assert):
3326         (makePolyProtoObject.foo.C):
3327         (makePolyProtoObject.foo.C.prototype.set p):
3328         (makePolyProtoObject.foo):
3329         (makePolyProtoObject):
3330         (performSet):
3331         * stress/constructor-with-return.js:
3332         (i.tests.forEach.Constructor):
3333         (i.tests.forEach):
3334         (tests.forEach.Constructor): Deleted.
3335         (tests.forEach): Deleted.
3336         * stress/dom-jit-with-poly-proto.js: Added.
3337         (assert):
3338         (makePolyProtoObject.foo.C):
3339         (makePolyProtoObject.foo):
3340         (makePolyProtoObject):
3341         (validate):
3342         * stress/poly-proto-custom-value-and-accessor.js: Added.
3343         (assert):
3344         (makePolyProtoObject.foo.C):
3345         (makePolyProtoObject.foo):
3346         (makePolyProtoObject):
3347         (items.forEach):
3348         (set get for):
3349         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3350         (assert):
3351         (makePolyProtoObject.foo.C):
3352         (makePolyProtoObject.foo):
3353         (makePolyProtoObject):
3354         (foo):
3355         * stress/poly-proto-miss.js: Added.
3356         (makePolyProtoInstanceWithNullPrototype.foo.C):
3357         (makePolyProtoInstanceWithNullPrototype.foo):
3358         (makePolyProtoInstanceWithNullPrototype):
3359         (assert):
3360         (validate):
3361         * stress/poly-proto-op-in-caching.js: Added.
3362         (assert):
3363         (makePolyProtoObject.foo.C):
3364         (makePolyProtoObject.foo):
3365         (makePolyProtoObject):
3366         (validate):
3367         (validate2):
3368         * stress/poly-proto-put-transition.js: Added.
3369         (assert):
3370         (makePolyProtoObject.foo.C):
3371         (makePolyProtoObject.foo):
3372         (makePolyProtoObject):
3373         (performSet):
3374         (i.obj.__proto__.set p):
3375         * stress/poly-proto-set-prototype.js: Added.
3376         (assert):
3377         (let.alternateProto.get x):
3378         (let.alternateProto2.get y):
3379         (let.alternateProto2.get x):
3380         (foo.C):
3381         (foo):
3382         (validate):
3383         * stress/poly-proto-setter.js: Added.
3384         (assert):
3385         (makePolyProtoObject.foo.C):
3386         (makePolyProtoObject.foo.C.prototype.set p):
3387         (makePolyProtoObject.foo.C.prototype.get p):
3388         (makePolyProtoObject.foo):
3389         (makePolyProtoObject):
3390         (performSet):
3391         * stress/poly-proto-using-inheritance.js: Added.
3392         (assert):
3393         (foo.C):
3394         (foo.C.prototype.get baz):
3395         (foo):
3396         (bar.C):
3397         (bar):
3398         (validate):
3399         * stress/primitive-poly-proto.js: Added.
3400         (makePolyProtoInstance.foo.C):
3401         (makePolyProtoInstance.foo):
3402         (makePolyProtoInstance):
3403         (assert):
3404         (validate):
3405         * stress/prototype-is-not-js-object.js: Added.
3406         (foo.bar):
3407         (foo):
3408         (assert):
3409         (validate):
3410         * stress/try-get-by-id-poly-proto.js: Added.
3411         (assert):
3412         (makePolyProtoObject.foo.C):
3413         (makePolyProtoObject.foo):
3414         (makePolyProtoObject):
3415         (tryGetByIdText):
3416         (x.__proto__.get bar):
3417         (validate):
3418         * typeProfiler/overflow.js:
3419
3420 2017-10-03  JF Bastien  <jfbastien@apple.com>
3421
3422         WebAssembly: no VM / JS version of everything but Instance
3423         https://bugs.webkit.org/show_bug.cgi?id=177473
3424
3425         Reviewed by Filip Pizlo.
3426
3427         - Exceeding max on memory growth now throws a RangeError as per
3428         spec. This is a (very minor) breaking change: it used to throw an OOM
3429         error. Update the corresponding test.
3430
3431         * wasm/js-api/memory-grow.js:
3432         (assertEq):
3433         * wasm/js-api/table.js:
3434         (assert.throws):
3435
3436 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3437
3438         Skip JSC test stress/regress-159779-2.js on debug.
3439         https://bugs.webkit.org/show_bug.cgi?id=177204
3440
3441         Unreviewed test gardening.
3442
3443         * stress/regress-159779-2.js:
3444
3445 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3446
3447         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3448         https://bugs.webkit.org/show_bug.cgi?id=175642
3449
3450         Reviewed by Darin Adler.
3451
3452         * ChakraCore/test/Function/apply3.baseline-jsc:
3453
3454 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3455
3456         Unreviewed, rolling out r222564.
3457         https://bugs.webkit.org/show_bug.cgi?id=177720
3458
3459         "It regressed JetStream by 2% on iOS caused by a 50%
3460         regression on the bigfib subtest" (Requested by saamyjoon on
3461         #webkit).
3462
3463         Reverted changeset:
3464
3465         "Add Above/Below comparisons for UInt32 patterns"
3466         https://bugs.webkit.org/show_bug.cgi?id=177281
3467         http://trac.webkit.org/changeset/222564
3468
3469 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3470
3471         [DFG] Support ArrayPush with multiple args
3472         https://bugs.webkit.org/show_bug.cgi?id=175823
3473
3474         Reviewed by Saam Barati.
3475
3476         * microbenchmarks/array-push-0.js: Added.
3477         (arrayPush0):
3478         * microbenchmarks/array-push-1.js: Added.
3479         (arrayPush1):
3480         * microbenchmarks/array-push-2.js: Added.
3481         (arrayPush2):
3482         * microbenchmarks/array-push-3.js: Added.
3483         (arrayPush3):
3484         * stress/array-push-multiple-contiguous.js: Added.
3485         (shouldBe):
3486         (test):
3487         * stress/array-push-multiple-double-nan.js: Added.
3488         (shouldBe):
3489         (test):
3490         * stress/array-push-multiple-double.js: Added.
3491         (shouldBe):
3492         (test):
3493         * stress/array-push-multiple-int32.js: Added.
3494         (shouldBe):
3495         (test):
3496         * stress/array-push-multiple-many-contiguous.js: Added.
3497         (shouldBe):
3498         (test):
3499         * stress/array-push-multiple-many-double.js: Added.
3500         (shouldBe):
3501         (test):
3502         * stress/array-push-multiple-many-int32.js: Added.
3503         (shouldBe):
3504         (test):
3505         * stress/array-push-multiple-many-storage.js: Added.
3506         (shouldBe):
3507         (test):
3508         * stress/array-push-multiple-storage.js: Added.
3509         (shouldBe):
3510         (test):
3511         * stress/array-push-with-force-exit.js: Added.
3512         (target.createBuiltin):
3513
3514 2017-09-29  Saam Barati  <sbarati@apple.com>
3515
3516         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3517         https://bugs.webkit.org/show_bug.cgi?id=177639
3518
3519         Reviewed by Geoffrey Garen.
3520
3521         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3522         (assert):
3523         (Class):
3524         (items.forEach):
3525         (set get for):
3526
3527 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3528
3529         Unreviewed, rolling out r222563, r222565, and r222581.
3530         https://bugs.webkit.org/show_bug.cgi?id=177675
3531
3532         "It causes a crash when playing youtube videos" (Requested by
3533         saamyjoon on #webkit).
3534
3535         Reverted changesets:
3536
3537         "[DFG] Support ArrayPush with multiple args"
3538         https://bugs.webkit.org/show_bug.cgi?id=175823
3539         http://trac.webkit.org/changeset/222563
3540
3541         "Unreviewed, build fix after r222563"
3542         https://bugs.webkit.org/show_bug.cgi?id=175823
3543         http://trac.webkit.org/changeset/222565
3544
3545         "Unreviewed, fix x86 breaking due to exhausted registers"
3546         https://bugs.webkit.org/show_bug.cgi?id=175823
3547         http://trac.webkit.org/changeset/222581
3548
3549 2017-09-28  Mark Lam  <mark.lam@apple.com>
3550
3551         test262: Unexpected passes after r222617 and r222618.
3552         https://bugs.webkit.org/show_bug.cgi?id=177622
3553         <rdar://problem/34725960>
3554
3555         Reviewed by Saam Barati.
3556
3557         Update test262.yaml for tests that are now passing.
3558
3559         * test262.yaml:
3560
3561 2017-09-27  Michael Saboff  <msaboff@apple.com>
3562
3563         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3564         https://bugs.webkit.org/show_bug.cgi?id=177570
3565
3566         Reviewed by Filip Pizlo.
3567
3568         New regression test.
3569
3570         * stress/regress-177570.js: Added.
3571
3572 2017-09-28  Michael Saboff  <msaboff@apple.com>
3573
3574         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3575         https://bugs.webkit.org/show_bug.cgi?id=177423
3576
3577         Reviewed by Mark Lam.
3578
3579         Updated regression test.
3580
3581         * stress/regress-177423.js:
3582         (catch):
3583
3584 2017-09-27  Mark Lam  <mark.lam@apple.com>
3585
3586         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3587         https://bugs.webkit.org/show_bug.cgi?id=177584
3588         <rdar://problem/34463903>
3589
3590         Reviewed by Saam Barati.
3591
3592         * stress/regress-177584.js: Added.
3593         (assertEqual):
3594         (Array.prototype.Symbol.species):
3595
3596 2017-09-27  Saam Barati  <sbarati@apple.com>
3597
3598         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3599         https://bugs.webkit.org/show_bug.cgi?id=177523
3600
3601         Reviewed by Mark Lam.
3602
3603         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3604         (assert):
3605         (Test):
3606         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3607         (addMethods):
3608         (i.Test.prototype.propName):
3609
3610 2017-09-27  Mark Lam  <mark.lam@apple.com>
3611
3612         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3613         https://bugs.webkit.org/show_bug.cgi?id=177423
3614         <rdar://problem/34621320>
3615
3616         Reviewed by Keith Miller.
3617
3618         * stress/regress-177423.js: Added.
3619
3620 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3621
3622         Add Above/Below comparisons for UInt32 patterns
3623         https://bugs.webkit.org/show_bug.cgi?id=177281
3624
3625         Reviewed by Saam Barati.
3626
3627         * stress/uint32-comparison-jump.js: Added.
3628         (shouldBe):
3629         (above):
3630         (aboveOrEqual):
3631         (below):
3632         (belowOrEqual):
3633         (notAbove):
3634         (notAboveOrEqual):
3635         (notBelow):
3636         (notBelowOrEqual):
3637         * stress/uint32-comparison.js: Added.
3638         (shouldBe):
3639         (above):
3640         (aboveOrEqual):
3641         (below):
3642         (belowOrEqual):
3643         (aboveTest):
3644         (aboveOrEqualTest):
3645         (belowTest):
3646         (belowOrEqualTest):
3647
3648 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3649
3650         [DFG] Support ArrayPush with multiple args
3651         https://bugs.webkit.org/show_bug.cgi?id=175823
3652
3653         Reviewed by Saam Barati.
3654
3655         * microbenchmarks/array-push-0.js: Added.
3656         (arrayPush0):
3657         * microbenchmarks/array-push-1.js: Added.
3658         (arrayPush1):
3659         * microbenchmarks/array-push-2.js: Added.
3660         (arrayPush2):
3661         * microbenchmarks/array-push-3.js: Added.
3662         (arrayPush3):
3663         * stress/array-push-multiple-contiguous.js: Added.
3664         (shouldBe):
3665         (test):
3666         * stress/array-push-multiple-double-nan.js: Added.
3667         (shouldBe):
3668         (test):
3669         * stress/array-push-multiple-double.js: Added.
3670         (shouldBe):
3671         (test):
3672         * stress/array-push-multiple-int32.js: Added.
3673         (shouldBe):
3674         (test):
3675         * stress/array-push-multiple-many-contiguous.js: Added.
3676         (shouldBe):
3677         (test):
3678         * stress/array-push-multiple-many-double.js: Added.
3679         (shouldBe):
3680         (test):
3681         * stress/array-push-multiple-many-int32.js: Added.
3682         (shouldBe):
3683         (test):
3684         * stress/array-push-multiple-many-storage.js: Added.
3685         (shouldBe):
3686         (test):
3687         * stress/array-push-multiple-storage.js: Added.
3688         (shouldBe):
3689         (test):
3690
3691 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3692
3693         Unreviewed, rolling out r222518.
3694         https://bugs.webkit.org/show_bug.cgi?id=177507
3695
3696         Break the High Sierra build (Requested by yusukesuzuki on
3697         #webkit).
3698
3699         Reverted changeset:
3700
3701         "Add Above/Below comparisons for UInt32 patterns"
3702         https://bugs.webkit.org/show_bug.cgi?id=177281
3703         http://trac.webkit.org/changeset/222518
3704
3705 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3706
3707         Add Above/Below comparisons for UInt32 patterns
3708         https://bugs.webkit.org/show_bug.cgi?id=177281
3709
3710         Reviewed by Saam Barati.
3711
3712         * stress/uint32-comparison-jump.js: Added.
3713         (shouldBe):
3714         (above):
3715         (aboveOrEqual):
3716         (below):
3717         (belowOrEqual):
3718         (notAbove):
3719         (notAboveOrEqual):
3720         (notBelow):
3721         (notBelowOrEqual):
3722         * stress/uint32-comparison.js: Added.
3723         (shouldBe):
3724         (above):
3725         (aboveOrEqual):
3726         (below):
3727         (belowOrEqual):
3728         (aboveTest):
3729         (aboveOrEqualTest):
3730         (belowTest):
3731         (belowOrEqualTest):
3732
3733 2017-09-23  Keith Miller  <keith_miller@apple.com>
3734
3735         Fix infinite looping test262 test
3736         https://bugs.webkit.org/show_bug.cgi?id=177412
3737
3738         Reviewed by Yusuke Suzuki.
3739
3740         This test was poorly designed since failing it would cause the VM
3741         to loop infinitely. I've fixed it locally and will fix it on GitHub pending
3742         the results of next week's TC39 meeting.
3743
3744         * test262.yaml:
3745         * test262/test/language/statements/for-of/iterator-next-reference.js:
3746
3747 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3748
3749         test262: $.agent became $262.agent in test262 update
3750         https://bugs.webkit.org/show_bug.cgi?id=177407
3751
3752         Reviewed by Yusuke Suzuki.
3753
3754         * test262.yaml:
3755         ~320 tests pass now that we correctly make $262 available.
3756
3757 2017-09-22  Keith Miller  <keith_miller@apple.com>
3758
3759         Speculatively change iteration protocall to use the same next function
3760         https://bugs.webkit.org/show_bug.cgi?id=175653
3761
3762         Reviewed by Saam Barati.
3763
3764         Change test to match the new iteration behavior.
3765
3766         * stress/spread-optimized-properly.js:
3767
3768 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3769
3770         [DFG][FTL] Profile array vector length for array allocation
3771         https://bugs.webkit.org/show_bug.cgi?id=177051
3772
3773         Reviewed by Saam Barati.
3774
3775         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3776         (target):
3777
3778 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3779
3780         Unreviewed, rolling out r222380.
3781         https://bugs.webkit.org/show_bug.cgi?id=177352
3782
3783         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3784         #webkit).
3785
3786         Reverted changeset:
3787
3788         "[DFG][FTL] Profile array vector length for array allocation"
3789         https://bugs.webkit.org/show_bug.cgi?id=177051
3790         http://trac.webkit.org/changeset/222380
3791
3792 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3793
3794         [DFG][FTL] Profile array vector length for array allocation
3795         https://bugs.webkit.org/show_bug.cgi?id=177051
3796
3797         Reviewed by Saam Barati.
3798
3799         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3800         (target):
3801
3802 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
3803
3804         Skip new hanging test262 tests.
3805         https://bugs.webkit.org/show_bug.cgi?id=177326
3806
3807         Unreviewed test gardening.
3808
3809         * test262.yaml:
3810
3811 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
3812
3813         Mark 6 test262 tests as passing.
3814         https://bugs.webkit.org/show_bug.cgi?id=177307
3815
3816         Unreviewed test gardening.
3817
3818         * test262.yaml:
3819
3820 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3821
3822         Unreviewed follow-up to r222311.
3823
3824         * test262/harness/sta.js:
3825         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
3826         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
3827         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3828         * test262/test/built-ins/Array/from/elements-added-after.js:
3829         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3830         * test262/test/built-ins/Array/from/elements-updated-after.js:
3831         * test262/test/built-ins/Array/from/from-array.js:
3832         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3833         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3834         * test262/test/built-ins/Array/from/source-array-boundary.js:
3835         * test262/test/built-ins/Array/from/source-object-constructor.js:
3836         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3837         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3838         * test262/test/built-ins/Array/from/source-object-length.js:
3839         * test262/test/built-ins/Array/from/source-object-missing.js:
3840         * test262/test/built-ins/Array/from/source-object-without.js:
3841         * test262/test/built-ins/Array/from/this-null.js:
3842         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3843         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3844         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3845         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3846         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3847         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3848         * test262/test/language/literals/string/7.8.4-1gs.js:
3849         Fix some files that I failed to update when I applied my patch.
3850
3851 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3852
3853         Update test262 tests
3854         https://bugs.webkit.org/show_bug.cgi?id=177220
3855
3856         Reviewed by Saam Barati and Yusuke Suzuki.
3857
3858         * test262.yaml:
3859         * test262/test262-Revision.txt:
3860         New rebaselined expectations for all tests.
3861
3862         * test262/*:
3863         Updated.
3864
3865 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3866
3867         [DFG] Remove ToThis more aggressively
3868         https://bugs.webkit.org/show_bug.cgi?id=177056
3869
3870         Reviewed by Saam Barati.
3871
3872         * stress/generator-with-this-strict.js: Added.
3873         (shouldBe):
3874         (generator):
3875         (target):
3876         * stress/generator-with-this.js: Added.
3877         (shouldBe):
3878         (generator):
3879         (target):
3880
3881 2017-09-17  Michael Saboff  <msaboff@apple.com>
3882
3883         https://bugs.webkit.org/show_bug.cgi?id=177038
3884         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3885
3886         Reviewed by JF Bastien.
3887
3888         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3889         as it dies using too much memory.
3890
3891 2017-09-15  Saam Barati  <sbarati@apple.com>
3892
3893         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3894         https://bugs.webkit.org/show_bug.cgi?id=176981
3895
3896         Reviewed by Yusuke Suzuki.
3897
3898         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3899         (assert):
3900         (verify):
3901         (func):
3902         (const.bar.createBuiltin):
3903
3904 2017-09-14  Saam Barati  <sbarati@apple.com>
3905
3906         It should be valid to exit before each set when doing arity fixup when inlining
3907         https://bugs.webkit.org/show_bug.cgi?id=176948
3908
3909         Reviewed by Keith Miller.
3910
3911         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3912         (baz):
3913         (bar):
3914         (foo):
3915
3916 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3917
3918         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3919         https://bugs.webkit.org/show_bug.cgi?id=176867
3920
3921         Reviewed by Sam Weinig.
3922
3923         * microbenchmarks/object-get-own-property-symbols.js: Added.
3924         (test):
3925
3926 2017-09-13  Mark Lam  <mark.lam@apple.com>
3927
3928         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3929         https://bugs.webkit.org/show_bug.cgi?id=176888
3930         <rdar://problem/34381832>
3931
3932         Not reviewed.
3933
3934         * stress/op_mod-ConstVar.js:
3935         * stress/op_mod-VarConst.js:
3936         * stress/op_mod-VarVar.js:
3937
3938 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3939
3940         Skip 3 op_mod tests on Debug JSC bots.
3941         https://bugs.webkit.org/show_bug.cgi?id=176630
3942
3943         Unreviewed test gardening.
3944
3945         * stress/op_mod-ConstVar.js:
3946         * stress/op_mod-VarConst.js:
3947         * stress/op_mod-VarVar.js:
3948
3949 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3950
3951         [JSC] Fix Array allocation in Object.keys
3952         https://bugs.webkit.org/show_bug.cgi?id=176826
3953
3954         Reviewed by Saam Barati.
3955
3956         * stress/object-own-property-keys.js: Added.
3957         (shouldBe):
3958
3959 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3960
3961         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3962         https://bugs.webkit.org/show_bug.cgi?id=176010
3963
3964         Reviewed by Filip Pizlo.
3965
3966         * microbenchmarks/weak-map-key.js: Added.
3967         (assert):
3968         (objectKey):
3969         (let.start.Date.now):
3970
3971 2017-09-12  Mark Lam  <mark.lam@apple.com>
3972
3973         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3974         https://bugs.webkit.org/show_bug.cgi?id=176630
3975
3976         Reviewed by JF Bastien.
3977
3978         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3979         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3980         a speculative fix for the bots that are seeing these fail.
3981
3982         I also undid the skipping of the op_mod tests for debug builds.
3983
3984         * stress/op_div-ConstVar.js:
3985         * stress/op_div-VarConst.js:
3986         * stress/op_div-VarVar.js:
3987         * stress/op_mod-ConstVar.js:
3988         * stress/op_mod-VarConst.js:
3989         * stress/op_mod-VarVar.js:
3990
3991 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3992
3993         Skip stress/value-to-boolean.js on Debug bots.
3994         https://bugs.webkit.org/show_bug.cgi?id=176787
3995
3996         Unreviewed test gardening.
3997
3998         * stress/value-to-boolean.js:
3999
4000 2017-09-11  Mark Lam  <mark.lam@apple.com>
4001
4002         Change test expectation for test262/test/language/statements/try/tco-catch.js
4003         https://bugs.webkit.org/show_bug.cgi?id=176749
4004
4005         Rubber stamped by Keith Miller.
4006
4007         It's been failing since at least r221821.  I'm changing the test expectation to
4008         fail to green the bots while I investigate some more.
4009
4010         * test262.yaml:
4011
4012 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
4013
4014         Unreviewed, rolling out r221854.
4015
4016         The test added with this change fails on 32-bit JSC bots.
4017
4018         Reverted changeset:
4019
4020         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
4021         https://bugs.webkit.org/show_bug.cgi?id=176010
4022         http://trac.webkit.org/changeset/221854
4023
4024 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
4025
4026         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
4027         https://bugs.webkit.org/show_bug.cgi?id=176010
4028
4029         Reviewed by Filip Pizlo.
4030
4031         * microbenchmarks/weak-map-key.js: Added.
4032         (assert):
4033         (objectKey):
4034         (let.start.Date.now):
4035
4036 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
4037
4038         [JSC] Optimize Object.keys by using careful array allocation
4039         https://bugs.webkit.org/show_bug.cgi?id=176654
4040
4041         Reviewed by Darin Adler.
4042
4043         * microbenchmarks/object-keys.js: Added.
4044         (test):
4045
4046 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
4047
4048         Error should compute .stack and friends lazily
4049         https://bugs.webkit.org/show_bug.cgi?id=176645
4050
4051         Reviewed by Saam Barati.
4052
4053         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
4054         * microbenchmarks/new-error.js: Added.
4055         * microbenchmarks/throw.js: Added.
4056
4057 2017-09-09  Mark Lam  <mark.lam@apple.com>
4058
4059         [Re-landing] Use JIT probes for DFG OSR exit.
4060         https://bugs.webkit.org/show_bug.cgi?id=175144
4061         <rdar://problem/33437050>
4062
4063         Not reviewed.  Original patch reviewed by Saam Barati.
4064
4065         Disable these tests for debug builds because they run too slow with the new OSR exit.
4066
4067         * stress/op_mod-ConstVar.js:
4068         * stress/op_mod-VarConst.js:
4069         * stress/op_mod-VarVar.js:
4070
4071 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
4072
4073         [DFG] NewArrayWithSize(size)'s size does not care negative zero
4074         https://bugs.webkit.org/show_bug.cgi?id=176300
4075
4076         Reviewed by Saam Barati.
4077
4078         * stress/new-array-with-size-div.js: Added.
4079         (shouldBe):
4080         (test):
4081         (i.i):
4082
4083 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
4084
4085         [DFG] PutByVal with Array::Generic is too generic
4086         https://bugs.webkit.org/show_bug.cgi?id=176345
4087
4088         Reviewed by Filip Pizlo.
4089
4090         * stress/object-assign-symbols.js: Added.
4091         (shouldBe):
4092         (test):
4093         * stress/object-assign.js: Added.
4094         (shouldBe):
4095         (test):
4096         (i.shouldBe.JSON.stringify.test):
4097
4098 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
4099
4100         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
4101         https://bugs.webkit.org/show_bug.cgi?id=176590
4102
4103         Reviewed by Saam Barati.
4104
4105         * microbenchmarks/object-iterate-symbols.js: Added.
4106         (test):
4107         * microbenchmarks/object-iterate.js: Added.
4108         (test):
4109         * stress/object-iterate-symbols.js: Added.
4110         (shouldBe):
4111         (test):
4112         * stress/object-iterate.js: Added.
4113         (shouldBe):
4114         (test):
4115
4116 2017-09-07  Per Arne Vollan  <pvollan@apple.com>
4117
4118         [Win32] 10 JSC stress tests are failing.
4119         https://bugs.webkit.org/show_bug.cgi?id=176538
4120
4121         Reviewed by Mark Lam.
4122
4123         Skip tests on Windows to make the bots green.
4124
4125         * ChakraCore.yaml:
4126         * stress/date-relaxed.js:
4127
4128 2017-09-06  Mark Lam  <mark.lam@apple.com>
4129
4130         constructGenericTypedArrayViewWithArguments() is missing an exception check.
4131         https://bugs.webkit.org/show_bug.cgi?id=176485
4132         <rdar://problem/33898874>
4133
4134         Reviewed by Keith Miller.
4135
4136         * stress/regress-176485.js: Added.
4137
4138 2017-09-05  Saam Barati  <sbarati@apple.com>
4139
4140         isNotCellSpeculation is wrong with respect to SpecEmpty
4141         https://bugs.webkit.org/show_bug.cgi?id=176429
4142
4143         Reviewed by Michael Saboff.
4144
4145         * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
4146         (Foo):
4147
4148 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
4149
4150         test262: Completion values for control flow do not match the spec
4151         https://bugs.webkit.org/show_bug.cgi?id=171265
4152
4153         Reviewed by Saam Barati.
4154
4155         * stress/completion-value.js:
4156         Condensed test for completion values in top level statements.
4157
4158         * stress/super-get-by-id.js:
4159         ClassDeclarations, when evaled, no longer produce values. Convert
4160         these to ClassExpressions so they produce the class value.
4161         
4162         * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
4163         This is a progression for correct spec behavior.
4164
4165         * mozilla/mozilla-tests.yaml:
4166         This test is now outdated, so mark it as failing for that reason.
4167
4168         * test262.yaml:
4169         Passing all "cptn" completion value tests.
4170
4171 2017-09-04  Saam Barati  <sbarati@apple.com>
4172
4173         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
4174         https://bugs.webkit.org/show_bug.cgi?id=176317
4175
4176         Reviewed by Keith Miller.
4177
4178         * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
4179         (Foo):
4180
4181 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
4182
4183         [DFG][FTL] Efficiently execute number#toString()
4184         https://bugs.webkit.org/show_bug.cgi?id=170007
4185
4186         Reviewed by Keith Miller.
4187
4188         * microbenchmarks/number-to-string-strength-reduction.js: Added.
4189         (test):
4190         * microbenchmarks/number-to-string-with-radix-10.js: Added.
4191         (test):
4192         * microbenchmarks/number-to-string-with-radix-cse.js: Added.
4193         (test):
4194         * microbenchmarks/number-to-string-with-radix.js: Added.
4195         (test):
4196         * stress/number-to-string-strength-reduction.js: Added.
4197         (shouldBe):
4198         (test):
4199         * stress/number-to-string-with-radix-10.js: Added.
4200         (shouldBe):
4201         (test):
4202         * stress/number-to-string-with-radix-cse.js: Added.
4203         (shouldBe):
4204         (test):
4205         * stress/number-to-string-with-radix-invalid.js: Added.
4206         (shouldThrow):
4207         * stress/number-to-string-with-radix-watchpoint.js: Added.
4208         (shouldBe):
4209         (test):
4210         (i.i.1e3.Number.prototype.toString):
4211         * stress/number-to-string-with-radix.js: Added.
4212         (shouldBe):
4213         (test):
4214
4215 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
4216
4217         [DFG] Relax arity requirement
4218         https://bugs.webkit.org/show_bug.cgi?id=175523
4219
4220         Reviewed by Saam Barati.
4221
4222         * stress/arity-mismatch-arguments-length.js: Added.
4223         (shouldBe):
4224         (test1):
4225         (test):
4226         * stress/arity-mismatch-get-argument.js: Added.
4227         (shouldBe):
4228         (builtin.createBuiltin):
4229         (test):
4230         * stress/arity-mismatch-inlining-extra-slots.js: Added.
4231         (shouldBe):
4232         (inlineTarget):
4233         (test):
4234         * stress/arity-mismatch-inlining.js: Added.
4235         (shouldBe):
4236         (inlineTarget):
4237         (test):
4238         * stress/arity-mismatch-rest.js: Added.
4239         (shouldBe):
4240         (test2):
4241         (test1):
4242         (test):
4243
4244 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
4245
4246         [JSC] Fix "name" and "length" of Proxy revoke function
4247         https://bugs.webkit.org/show_bug.cgi?id=176155
4248
4249         Reviewed by Mark Lam.
4250
4251         * test262.yaml:
4252
4253 2017-08-31  Saam Barati  <sbarati@apple.com>
4254
4255         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
4256         https://bugs.webkit.org/show_bug.cgi?id=176206
4257
4258         Reviewed by Keith Miller.
4259
4260         * stress/compare-semantic-origin-op-negate-method-of-getting-a-value-profile.js: Added.
4261         (a):
4262         (b):
4263         (foo):
4264
4265 2017-08-31  Ryan Haddad  <ryanhaddad@apple.com>
4266
4267         Skip two slow JSC tests after r221422.
4268
4269         Unreviewed test gardening.
4270
4271         * stress/regexp-prototype-match-on-too-long-rope.js:
4272         * stress/regexp-prototype-test-on-too-long-rope.js:
4273
4274 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
4275
4276         Unreviewed, skipping slow tests.
4277         
4278         These tests are now timing out. They would have always been slow. The timeouts are probably because OOMs
4279         work differently now.
4280
4281         * stress/regexp-prototype-exec-on-too-long-rope.js:
4282         * stress/string-prototype-charCodeAt-on-too-long-rope.js:
4283
4284 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
4285
4286         [JSC] Use reifying system for "name" property of builtin JSFunction
4287         https://bugs.webkit.org/show_bug.cgi?id=175260
4288
4289         Reviewed by Saam Barati.
4290
4291         * stress/accessors-get-set-prefix.js:
4292         * stress/builtin-function-name.js: Added.
4293         (shouldBe):
4294         (shouldThrow):
4295         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
4296         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
4297         * stress/private-name-as-anonymous-builtin.js: Added.
4298         (shouldBe):
4299         (NotPromise):
4300
4301 2017-08-30  Saam Barati  <sbarati@apple.com>
4302
4303         Unreviewed. Make test stop printing.
4304
4305         * microbenchmarks/fake-iterators-that-throw-when-finished.js:
4306
4307 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
4308
4309         Unreviewed, rolling out r221327.
4310
4311         This change caused test262 failures.
4312
4313         Reverted changeset:
4314
4315         "[JSC] Use reifying system for "name" property of builtin
4316         JSFunction"
4317         https://bugs.webkit.org/show_bug.cgi?id=175260
4318         http://trac.webkit.org/changeset/221327
4319
4320 2017-08-30  Saam Barati  <sbarati@apple.com>
4321
4322         semicolon is being interpreted as an = in the LiteralParser
4323         https://bugs.webkit.org/show_bug.cgi?id=176114
4324
4325         Reviewed by Oliver Hunt.
4326
4327         * stress/jsonp-literal-parser-semicolon-is-not-assignment.js: Added.
4328         * stress/resources/literal-parser-test-case.js: Added.
4329
4330 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
4331
4332         [ESNext] Async iteration - Implement async iteration statement: for-await-of
4333         https://bugs.webkit.org/show_bug.cgi?id=166698
4334
4335         Reviewed by Yusuke Suzuki.
4336
4337         * stress/async-iteration-for-await-of-syntax.js: Added.
4338         (assert):
4339         (checkSyntax):
4340         (checkSyntaxError):
4341         (checkSimpleAsyncGeneratorSloppyMode):
4342         (checkSimpleAsyncGeneratorStrictMode):
4343         (checkNestedAsyncGenerators):
4344         (checkSimpleAsyncGeneratorSyntaxErrorInStrictMode):
4345         * stress/async-iteration-for-await-of.js: Added.
4346         (assert):
4347         (async.foo):
4348         (async.boo):
4349         (const.boo.async):
4350
4351 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4352
4353         [JSC] Use reifying system for "name" property of builtin JSFunction
4354         https://bugs.webkit.org/show_bug.cgi?id=175260
4355
4356         Reviewed by Saam Barati.
4357
4358         * stress/accessors-get-set-prefix.js:
4359         * stress/builtin-function-name.js: Added.
4360         (shouldBe):
4361         (shouldThrow):
4362         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
4363         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
4364
4365 2017-08-25  Saam Barati  <sbarati@apple.com>
4366
4367         Support compiling catch in the DFG
4368         https://bugs.webkit.org/show_bug.cgi?id=174590
4369         <rdar://problem/34047845>
4370
4371         Reviewed by Filip Pizlo.
4372
4373         * microbenchmarks/delta-blue-try-catch.js: Added.
4374         (exception):
4375         (value):
4376         (OrderedCollection):
4377         (OrderedCollection.prototype.add):
4378         (OrderedCollection.prototype.at):
4379         (OrderedCollection.prototype.size):
4380         (OrderedCollection.prototype.removeFirst):
4381         (OrderedCollection.prototype.remove):
4382         (Strength):
4383         (Strength.stronger):
4384         (Strength.weaker):
4385         (Strength.weakestOf):
4386         (Strength.strongest):
4387         (Strength.prototype.nextWeaker):
4388         (Constraint):
4389         (Constraint.prototype.addConstraint):
4390         (Constraint.prototype.satisfy):
4391         (Constraint.prototype.destroyConstraint):
4392         (Constraint.prototype.isInput):
4393         (UnaryConstraint):
4394         (UnaryConstraint.prototype.addToGraph):
4395         (UnaryConstraint.prototype.chooseMethod):
4396         (UnaryConstraint.prototype.isSatisfied):
4397         (UnaryConstraint.prototype.markInputs):
4398         (UnaryConstraint.prototype.output):
4399         (UnaryConstraint.prototype.recalculate):
4400         (UnaryConstraint.prototype.markUnsatisfied):
4401         (UnaryConstraint.prototype.inputsKnown):
4402         (UnaryConstraint.prototype.removeFromGraph):
4403         (StayConstraint):
4404         (StayConstraint.prototype.execute):
4405         (EditConstraint.prototype.isInput):
4406         (EditConstraint.prototype.execute):
4407         (BinaryConstraint):
4408         (BinaryConstraint.prototype.chooseMethod):
4409         (BinaryConstraint.prototype.addToGraph):
4410         (BinaryConstraint.prototype.isSatisfied):
4411         (BinaryConstraint.prototype.markInputs):
4412         (BinaryConstraint.prototype.input):
4413         (BinaryConstraint.prototype.output):
4414         (BinaryConstraint.prototype.recalculate):
4415         (BinaryConstraint.prototype.markUnsatisfied):
4416         (BinaryConstraint.prototype.inputsKnown):
4417         (BinaryConstraint.prototype.removeFromGraph):
4418         (ScaleConstraint):
4419         (ScaleConstraint.prototype.addToGraph):
4420         (ScaleConstraint.prototype.removeFromGraph):
4421         (ScaleConstraint.prototype.markInputs):
4422         (ScaleConstraint.prototype.execute):
4423         (ScaleConstraint.prototype.recalculate):
4424         (EqualityConstraint):
4425         (EqualityConstraint.prototype.execute):
4426         (Variable):
4427         (Variable.prototype.addConstraint):
4428         (Variable.prototype.removeConstraint):
4429         (Planner):
4430         (Planner.prototype.incrementalAdd):
4431         (Planner.prototype.incrementalRemove):