[WebAssembly][Modules] Prototype wasm import
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [WebAssembly][Modules] Prototype wasm import
4         https://bugs.webkit.org/show_bug.cgi?id=184600
5
6         Reviewed by JF Bastien.
7
8         Add wasm and wat files since module loader want to load wasm files from FS.
9         Currently, importing the other modules from wasm is not supported.
10
11         * wasm.yaml:
12         * wasm/modules/constant.wasm: Added.
13         * wasm/modules/constant.wat: Added.
14         * wasm/modules/js-wasm-function-namespace.js: Added.
15         (assert.throws):
16         * wasm/modules/js-wasm-function.js: Added.
17         (assert.throws):
18         * wasm/modules/js-wasm-global-namespace.js: Added.
19         (assert.throws):
20         * wasm/modules/js-wasm-global.js: Added.
21         (assert.throws):
22         * wasm/modules/js-wasm-memory-namespace.js: Added.
23         (assert.throws):
24         * wasm/modules/js-wasm-memory.js: Added.
25         (assert.throws):
26         * wasm/modules/js-wasm-start.js: Added.
27         (then):
28         * wasm/modules/js-wasm-table-namespace.js: Added.
29         (assert.throws):
30         * wasm/modules/js-wasm-table.js: Added.
31         (assert.throws):
32         * wasm/modules/memory.wasm: Added.
33         * wasm/modules/memory.wat: Added.
34         * wasm/modules/start.wasm: Added.
35         * wasm/modules/start.wat: Added.
36         * wasm/modules/sum.wasm: Added.
37         * wasm/modules/sum.wat: Added.
38         * wasm/modules/table.wasm: Added.
39         * wasm/modules/table.wat: Added.
40
41 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
42
43         Function.prototype.caller shouldn't return generator bodies
44         https://bugs.webkit.org/show_bug.cgi?id=184630
45
46         Reviewed by Yusuke Suzuki.
47
48         * stress/function-caller-async-arrow-function-body.js: Added.
49         * stress/function-caller-async-function-body.js: Added.
50         * stress/function-caller-async-generator-body.js: Added.
51         * stress/function-caller-generator-body.js: Added.
52         * stress/function-caller-generator-method-body.js: Added.
53
54 2018-04-12  Tomas Popela  <tpopela@redhat.com>
55
56         Unreviewed, skip JIT tests if it isn't enabled
57
58         See https://bugs.webkit.org/show_bug.cgi?id=182730.
59
60         * stress/big-int-spec-to-primitive.js:
61         * stress/big-int-spec-to-this.js:
62
63 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
64
65         [ESNext][BigInt] Add support for BigInt in SpeculatedType
66         https://bugs.webkit.org/show_bug.cgi?id=182470
67
68         Reviewed by Saam Barati.
69
70         * stress/big-int-spec-to-primitive.js: Added.
71         * stress/big-int-spec-to-this.js: Added.
72         * stress/big-int-strict-equals-jit.js: Added.
73         * stress/big-int-strict-spec-to-this.js: Added.
74         * stress/big-int-type-of-proven-type.js: Added.
75
76 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
77
78         DFG AI and clobberize should agree with each other
79         https://bugs.webkit.org/show_bug.cgi?id=184440
80
81         Reviewed by Saam Barati.
82         
83         Add tests for all of the bugs I fixed.
84
85         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
86         (foo):
87         * stress/new-typed-array-cse-effects.js: Added.
88         (foo):
89         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
90         (foo.theO):
91         (foo):
92         * stress/string-from-char-code-change-structure-not-dead.js: Added.
93         (foo):
94         (i.valueOf):
95         (weirdValue.valueOf):
96         * stress/string-from-char-code-change-structure.js: Added.
97         (foo):
98         (i.valueOf):
99         (weirdValue.valueOf):
100
101 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
102
103         Fix errant Test262 files CRLF to LF for consistency with the original source
104         https://bugs.webkit.org/show_bug.cgi?id=184425
105
106         Reviewed by Yusuke Suzuki.
107
108         * test262/test/built-ins/Math/acosh/nan-returns.js:
109         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
110         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
111         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
112         * test262/test/built-ins/Math/cbrt/prop-desc.js:
113         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
114         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
115         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
116         * test262/test/built-ins/Math/log2/log2-basicTests.js:
117         * test262/test/built-ins/Math/sign/sign-specialVals.js:
118         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
119         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
120         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
121         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
122
123 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
124
125         Unreviewed, remove incorrect entry in test262.yaml
126         https://bugs.webkit.org/show_bug.cgi?id=184266
127
128         * test262.yaml:
129
130 2018-04-08  Valerie Young  <valerie@bocoup.com>
131
132         [JSC] Update Test262 to April 6 version
133         https://bugs.webkit.org/show_bug.cgi?id=184266
134
135         Rubber stamped by Yusuke Suzuki.
136
137 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
138
139         [JSC] Introduce op_get_by_id_direct
140         https://bugs.webkit.org/show_bug.cgi?id=183970
141
142         Reviewed by Filip Pizlo.
143
144         * stress/generator-prototype-copy.js: Added.
145         (gen):
146         (catch):
147         Adopted JF's tests.
148
149         * stress/generator-type-check.js: Added.
150         (shouldThrow):
151         (foo2):
152         (i.shouldThrow):
153         * stress/get-by-id-direct-getter.js: Added.
154         (shouldBe):
155         (shouldThrow):
156         (obj.get hello):
157         (builtin.createBuiltin):
158         (obj2.get length):
159         * stress/get-by-id-direct.js: Added.
160         (shouldBe):
161         (shouldThrow):
162         (builtin.createBuiltin):
163         * test262.yaml:
164         We fixed long-standing spec compatibility issue.
165         As a result, this patch makes several test262 tests passed!
166
167
168 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
169
170         Unreviewed, annotate test with @skip if $memoryLimited
171         https://bugs.webkit.org/show_bug.cgi?id=183894
172
173         * stress/json-stringified-overflow.js:
174
175 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
176
177         Add svn:eol-style to line-terminator-normalisation-CR.js
178         https://bugs.webkit.org/show_bug.cgi?id=184341
179
180         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
181
182 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
183
184         Unreviewed, remove errant LF from existing test262 test for CR line endings.
185
186         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
187
188 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
189
190         Unreviewed, rolling out r230320.
191
192         Revert fix, as the root cause lies elsewhere.
193
194         Reverted changeset:
195
196         "[test262] Mark line-terminator-normalisation-CR.js as a
197         binary file."
198         https://bugs.webkit.org/show_bug.cgi?id=184341
199         https://trac.webkit.org/changeset/230320
200
201 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
202
203         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
204         https://bugs.webkit.org/show_bug.cgi?id=184341
205
206         Reviewed by Yusuke Suzuki.
207
208         This test is all about CR line endings, but `svn-apply` can't deal with them.
209         Treating the file as binary ensures that its contents never are never shown in a diff.
210
211         * .gitattributes: Added.
212
213 2018-04-05  Robin Morisset  <rmorisset@apple.com>
214
215         Fix testcase (missing try/catch).
216         https://bugs.webkit.org/show_bug.cgi?id=183657
217
218         Unreviewed.
219
220         * stress/large-unshift-splice.js
221
222 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
223
224         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
225         https://bugs.webkit.org/show_bug.cgi?id=184319
226
227         Reviewed by Saam Barati.
228
229         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
230         (foo):
231         (bar):
232         * stress/array-push-nan-to-double-array.js: Added.
233         (foo):
234         (bar):
235
236 2018-04-03  Mark Lam  <mark.lam@apple.com>
237
238         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
239         https://bugs.webkit.org/show_bug.cgi?id=184284
240
241         Reviewed by Saam Barati.
242
243         * stress/js-fixed-array-out-of-memory.js:
244
245 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
246
247         JSC crash in JIT code with for-of loop and Array/Set iterators
248         https://bugs.webkit.org/show_bug.cgi?id=183174
249
250         Reviewed by Saam Barati.
251
252         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
253         (foo):
254         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
255         (f):
256
257 2018-03-30  JF Bastien  <jfbastien@apple.com>
258
259         WebAssembly: support DataView compilation
260         https://bugs.webkit.org/show_bug.cgi?id=183342
261
262         Reviewed by Mark Lam.
263
264         Test WebAssembly compilation using a DataView with offset.
265
266         * wasm/regress/183342.js: Added.
267         (attempt.catch):
268
269 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
270
271         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
272         https://bugs.webkit.org/show_bug.cgi?id=184189
273
274         Reviewed by JF Bastien.
275
276         * stress/load-hole-from-scope-into-live-var.js: Added.
277         (result.eval.try.switch):
278         (catch):
279
280 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
281
282         Unreviewed, rolling out r230102.
283
284         Caused assertion failures on JSC bots.
285
286         Reverted changeset:
287
288         "A stack overflow in the parsing of a builtin (called by
289         createExecutable) cause a crash instead of a catchable js
290         exception"
291         https://bugs.webkit.org/show_bug.cgi?id=184074
292         https://trac.webkit.org/changeset/230102
293
294 2018-03-30  Robin Morisset  <rmorisset@apple.com>
295
296         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
297         https://bugs.webkit.org/show_bug.cgi?id=183812
298
299         Reviewed by Keith Miller.
300
301         * stress/inlining-unreachable-non-tail.js: Added.
302         (foo.):
303         (foo):
304
305 2018-03-30  Robin Morisset  <rmorisset@apple.com>
306
307         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
308         https://bugs.webkit.org/show_bug.cgi?id=184074
309         <rdar://problem/37165897>
310
311         Reviewed by Keith Miller.
312
313         * stress/stack-overflow-while-parsing-builtin.js: Added.
314         (f):
315
316 2018-03-30  Robin Morisset  <rmorisset@apple.com>
317
318         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
319         https://bugs.webkit.org/show_bug.cgi?id=183657
320
321         Reviewed by Keith Miller.
322
323         * stress/large-unshift-splice.js: Added.
324         (make_contig_arr):
325
326 2018-03-28  Robin Morisset  <rmorisset@apple.com>
327
328         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
329         https://bugs.webkit.org/show_bug.cgi?id=183894
330
331         Reviewed by Saam Barati.
332
333         * stress/json-stringified-overflow.js: Added.
334         (catch):
335
336 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
337
338         DFG should know that CreateThis can be effectful
339         https://bugs.webkit.org/show_bug.cgi?id=184013
340
341         Reviewed by Saam Barati.
342
343         * stress/create-this-property-change.js: Added.
344         (Foo):
345         (RealBar):
346         (get if):
347         * stress/create-this-structure-change-without-cse.js: Added.
348         (Foo):
349         (RealBar):
350         (get if):
351         * stress/create-this-structure-change.js: Added.
352         (Foo):
353         (RealBar):
354         (get if):
355
356 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
357
358         [DFG] Introduces fused compare and jump
359         https://bugs.webkit.org/show_bug.cgi?id=177100
360
361         Reviewed by Mark Lam.
362
363         * stress/fused-jeq-slow.js: Added.
364         (shouldBe):
365         (testJEQ):
366         (testJNEQB):
367         (testJEQB):
368         (testJNEQF):
369         (testJEQF):
370         * stress/fused-jeq.js: Added.
371         (shouldBe):
372         (testJEQ):
373         (testJNEQB):
374         (testJEQB):
375         (testJNEQF):
376         (testJEQF):
377         * stress/fused-jstricteq-slow.js: Added.
378         (shouldBe):
379         (testJSTRICTEQ):
380         (testJNSTRICTEQB):
381         (testJSTRICTEQB):
382         (testJNSTRICTEQF):
383         (testJSTRICTEQF):
384         * stress/fused-jstricteq.js: Added.
385         (shouldBe):
386         (testJSTRICTEQ):
387         (testJNSTRICTEQB):
388         (testJSTRICTEQB):
389         (testJNSTRICTEQF):
390         (testJSTRICTEQF):
391
392 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
393
394         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
395         https://bugs.webkit.org/show_bug.cgi?id=183559
396
397         Reviewed by Mark Lam.
398
399         * stress/double-to-string-in-loop-removed.js: Added.
400         (test):
401         * stress/int32-to-string-in-loop-removed.js: Added.
402         (test):
403         * stress/int52-to-string-in-loop-removed.js: Added.
404         (test):
405
406 2018-03-22  Michael Saboff  <msaboff@apple.com>
407
408         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
409         https://bugs.webkit.org/show_bug.cgi?id=183901
410
411         Reviewed by Keith Miller.
412
413         New test.
414
415         * stress/array-reverse-doesnt-clobber.js: Added.
416         (testArrayReverse):
417         (createArrayOfArrays):
418         (createArrayStorage):
419
420 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
421
422         ScopedArguments should do poisoning and index masking
423         https://bugs.webkit.org/show_bug.cgi?id=183863
424
425         Reviewed by Mark Lam.
426         
427         Adds another stress test of scoped arguments.
428
429         * stress/scoped-arguments-test.js: Added.
430         (foo):
431
432 2018-03-20  Saam Barati  <sbarati@apple.com>
433
434         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
435         https://bugs.webkit.org/show_bug.cgi?id=183795
436         <rdar://problem/38298694>
437
438         Reviewed by JF Bastien.
439
440         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
441         (foo):
442         (bar):
443
444 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
445
446         [DFG][FTL] Add vectorLengthHint for NewArray
447         https://bugs.webkit.org/show_bug.cgi?id=183694
448
449         Reviewed by Saam Barati.
450
451         * stress/vector-length-hint-array-constructor.js: Added.
452         (shouldBe):
453         (test):
454         * stress/vector-length-hint-new-array.js: Added.
455         (shouldBe):
456         (test):
457
458 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
459
460         [DFG][FTL] Make ArraySlice(0) code tight
461         https://bugs.webkit.org/show_bug.cgi?id=183590
462
463         Reviewed by Saam Barati.
464
465         * stress/array-slice-with-zero.js: Added.
466         (shouldBe):
467         (test):
468         (test2):
469         * stress/array-slice-zero-args.js: Added.
470         (shouldBe):
471         (test):
472
473 2018-03-14  Caitlin Potter  <caitp@igalia.com>
474
475         [JSC] fix order of evaluation for ClassDefinitionEvaluation
476         https://bugs.webkit.org/show_bug.cgi?id=183523
477
478         Reviewed by Keith Miller.
479
480         Computed property names need to be evaluated in source order during class
481         definition evaluation, as it's observable (and specified to work this way).
482
483         This change improves compatibility with Chromium.
484
485         * stress/class_elements.js: Added.
486         (test):
487         (test.C.prototype.effect):
488         (test.C.effect):
489         (test.C.prototype.get effect):
490         (test.C.prototype.set effect):
491         (test.C):
492
493 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
494
495         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
496         https://bugs.webkit.org/show_bug.cgi?id=183310
497
498         Reviewed by Filip Pizlo.
499
500         * stress/ai-create-this-to-new-object-fire.js: Added.
501         (assert):
502         (test):
503         (func):
504         (check):
505         (test.body.A):
506         (test.body.B):
507         (test.body):
508         * stress/ai-create-this-to-new-object.js: Added.
509         (assert):
510         (test):
511         (func):
512         (check):
513         (test.body.A):
514         (test.body.B):
515         (test.body):
516
517 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
518
519         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
520         https://bugs.webkit.org/show_bug.cgi?id=181848
521
522         Reviewed by Sam Weinig.
523
524         * microbenchmarks/regexp-u-global-es5.js: Added.
525         (fn):
526         * microbenchmarks/regexp-u-global-es6.js: Added.
527         (fn):
528         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
529         (shouldBe):
530         (test):
531         (i.switch):
532         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
533         (shouldBe):
534         (test):
535
536 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
537
538         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
539         https://bugs.webkit.org/show_bug.cgi?id=183334
540
541         Reviewed by Žan Doberšek.
542
543         * stress/var-injection-cache-invalidation.js:
544
545 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
546
547         [ARM] Disable tests that run out of memory
548         https://bugs.webkit.org/show_bug.cgi?id=182699
549
550         Reviewed by Žan Doberšek.
551
552         Skip tests that run of of memory. Do not run
553         modules/module-jit-reachability.js without LLInt to prevent
554         running out of executable memory.
555
556         * modules.yaml:
557         * modules/module-jit-reachability.js:
558         * stress/has-own-property-name-cache-string-keys.js:
559         * stress/has-own-property-name-cache-symbol-keys.js:
560
561 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
562
563         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
564         https://bugs.webkit.org/show_bug.cgi?id=183173
565
566         Reviewed by Saam Barati.
567
568         * stress/async-arrow-function-in-class-heritage.js: Added.
569         (testSyntax):
570         (testSyntaxError):
571         (SyntaxError):
572
573 2018-03-01  Saam Barati  <sbarati@apple.com>
574
575         We need to clear cached structures when having a bad time
576         https://bugs.webkit.org/show_bug.cgi?id=183256
577         <rdar://problem/36245022>
578
579         Reviewed by Mark Lam.
580
581         * stress/having-a-bad-time-with-derived-arrays.js: Added.
582         (assert):
583         (defineSetter):
584         (iterate):
585         (doSlice):
586
587 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
588
589         JSC crash with `import("")`
590         https://bugs.webkit.org/show_bug.cgi?id=183175
591
592         Reviewed by Saam Barati.
593
594         * stress/import-with-empty-string.js: Added.
595
596 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
597
598         Unreviewed, skip FTL tests if FTL is disabled
599         https://bugs.webkit.org/show_bug.cgi?id=183071
600
601         * stress/has-indexed-property-array-storage-ftl.js:
602         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
603
604 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
605
606         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
607         https://bugs.webkit.org/show_bug.cgi?id=182965
608
609         Reviewed by Saam Barati.
610
611         * stress/put-by-val-array-storage.js: Added.
612         (shouldBe):
613         (testArrayStorageInBounds):
614         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
615         (shouldBe):
616         (testInt32.createBuiltin):
617         (set for):
618         * stress/put-by-val-slow-put-array-storage.js: Added.
619         (shouldBe):
620         (testArrayStorageInBounds):
621
622 2018-02-26  Saam Barati  <sbarati@apple.com>
623
624         validateStackAccess should not validate if the offset is within the stack bounds
625         https://bugs.webkit.org/show_bug.cgi?id=183067
626         <rdar://problem/37749988>
627
628         Reviewed by Mark Lam.
629
630         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
631         (assert):
632         (test.a):
633         (test.b):
634         (test):
635
636 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
637
638         Unreviewed, skip FTL tests if FTL is disabled
639         https://bugs.webkit.org/show_bug.cgi?id=183071
640
641         * stress/has-indexed-property-array-storage-ftl.js:
642         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
643
644 2018-02-23  Saam Barati  <sbarati@apple.com>
645
646         Make Number.isInteger an intrinsic
647         https://bugs.webkit.org/show_bug.cgi?id=183088
648
649         Reviewed by JF Bastien.
650
651         * stress/number-is-integer-intrinsic.js: Added.
652
653 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
654
655         WebAssembly: cache memory address / size on instance
656         https://bugs.webkit.org/show_bug.cgi?id=177305
657
658         Reviewed by JF Bastien.
659
660         * wasm/function-tests/memory-reuse.js: Added.
661         (createWasmInstance):
662         (doCheckTrap):
663         (doMemoryGrow):
664         (doCheck):
665         (checkWasmInstancesWithSharedMemory):
666
667 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
668
669         [JSC] Implement $vm.ftlTrue function for FTL testing
670         https://bugs.webkit.org/show_bug.cgi?id=183071
671
672         Reviewed by Mark Lam.
673
674         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
675         (foo):
676         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
677         (foo):
678         * stress/dead-fiat-value-to-int52.js:
679         (foo):
680         * stress/dead-osr-entry-value.js:
681         (foo):
682         * stress/fiat-value-to-int52-then-exit-not-double.js:
683         (foo):
684         * stress/fiat-value-to-int52-then-exit-not-int52.js:
685         (foo):
686         * stress/fiat-value-to-int52-then-fail-to-fold.js:
687         (foo):
688         * stress/fiat-value-to-int52-then-fold.js:
689         (foo):
690         * stress/fiat-value-to-int52.js:
691         (foo):
692         * stress/fold-based-on-int32-proof-mul-branch.js:
693         (foo):
694         * stress/fold-profiled-call-to-call.js:
695         (foo):
696         * stress/fold-to-double-constant-then-exit.js:
697         (foo):
698         * stress/fold-to-int52-constant-then-exit.js:
699         (foo):
700         * stress/fold-to-primitive-in-cfa.js:
701         (foo):
702         * stress/fold-to-primitive-to-identity-in-cfa.js:
703         (foo):
704         * stress/has-indexed-property-array-storage-ftl.js: Added.
705         (shouldBe):
706         (test1):
707         (test2):
708         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
709         (shouldBe):
710         (test1):
711         (test2):
712         * stress/int52-ai-add-then-filter-int32.js:
713         (foo):
714         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
715         (foo):
716         * stress/int52-ai-mul-then-filter-int32.js:
717         (foo):
718         * stress/int52-ai-neg-then-filter-int32.js:
719         (foo):
720         * stress/int52-ai-sub-then-filter-int32.js:
721         (foo):
722         * stress/licm-pre-header-cannot-exit-nested.js:
723         (foo):
724         * stress/licm-pre-header-cannot-exit.js:
725         (foo):
726         * stress/sparse-array-entry-update-144067.js:
727         (useMemoryToTriggerGCs):
728         * stress/test-spec-misc.js:
729         (foo):
730         * stress/tricky-array-bounds-checks.js:
731         (foo):
732
733 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
734
735         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
736         https://bugs.webkit.org/show_bug.cgi?id=182792
737
738         Reviewed by Mark Lam.
739
740         * stress/has-indexed-property-array-storage.js: Added.
741         (shouldBe):
742         (test1):
743         (test2):
744         * stress/has-indexed-property-slow-put-array-storage.js: Added.
745         (shouldBe):
746         (test1):
747         (test2):
748
749 2018-02-20  Saam Barati  <sbarati@apple.com>
750
751         DFG::VarargsForwardingPhase should eliminate getting argument length
752         https://bugs.webkit.org/show_bug.cgi?id=182959
753
754         Reviewed by Keith Miller.
755
756         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
757
758 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
759
760         [FTL] Support ArrayPush for ArrayStorage
761         https://bugs.webkit.org/show_bug.cgi?id=182782
762
763         Reviewed by Saam Barati.
764
765         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
766
767         * stress/array-push-array-storage-beyond-int32.js: Added.
768         (shouldBe):
769         (test):
770         * stress/array-push-array-storage.js: Added.
771         (shouldBe):
772         (test):
773         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
774         (shouldBe):
775         (test):
776         * stress/array-push-multiple-storage-continuous.js: Added.
777         (shouldBe):
778         (test):
779
780 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
781
782         [FTL] Support ArrayPop for ArrayStorage
783         https://bugs.webkit.org/show_bug.cgi?id=182783
784
785         Reviewed by Saam Barati.
786
787         * stress/array-pop-array-storage.js: Added.
788         (shouldBe):
789         (test):
790
791 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
792
793         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
794         https://bugs.webkit.org/show_bug.cgi?id=182731
795
796         Reviewed by Saam Barati.
797
798         * stress/arrayify-array-storage-array.js: Added.
799         (shouldBe):
800         (testArrayStorage):
801         * stress/arrayify-array-storage-non-array.js: Added.
802         (shouldBe):
803         (testArrayStorage):
804         * stress/arrayify-array-storage.js: Added.
805         (shouldBe):
806         (testArrayStorage):
807         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
808         (shouldBe):
809         (testArrayStorage):
810         * stress/arrayify-slow-put-array-storage.js: Added.
811         (shouldBe):
812         (testArrayStorage):
813
814 2018-02-19  Saam Barati  <sbarati@apple.com>
815
816         Don't use JSFunction's allocation profile when getting the prototype can be effectful
817         https://bugs.webkit.org/show_bug.cgi?id=182942
818         <rdar://problem/37584764>
819
820         Reviewed by Mark Lam.
821
822         * stress/get-prototype-create-this-effectful.js: Added.
823
824 2018-02-16  Saam Barati  <sbarati@apple.com>
825
826         Fix bugs from r228411
827         https://bugs.webkit.org/show_bug.cgi?id=182851
828         <rdar://problem/37577732>
829
830         Reviewed by JF Bastien.
831
832         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
833
834 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
835
836         Unreviewed, roll out r228366 since it did not progress anything.
837
838         * stress/gc-error-stack.js: Removed.
839         * stress/no-gc-error-stack.js: Removed.
840
841 2018-02-15  Tomas Popela  <tpopela@redhat.com>
842
843         Many stress tests fail with JIT disabled
844         https://bugs.webkit.org/show_bug.cgi?id=182730
845
846         Reviewed by Saam Barati.
847
848         These tests are broken by design if the JIT is disabled - they test
849         the return value of numberOfDFGCompiles(), which is always set to
850         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
851
852         * stress/arith-abs-on-various-types.js:
853         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
854         * stress/arith-acos-on-various-types.js:
855         * stress/arith-acosh-on-various-types.js:
856         * stress/arith-asin-on-various-types.js:
857         * stress/arith-asinh-on-various-types.js:
858         * stress/arith-atan-on-various-types.js:
859         * stress/arith-atanh-on-various-types.js:
860         * stress/arith-cbrt-on-various-types.js:
861         * stress/arith-ceil-on-various-types.js:
862         * stress/arith-clz32-on-various-types.js:
863         * stress/arith-cos-on-various-types.js:
864         * stress/arith-cosh-on-various-types.js:
865         * stress/arith-expm1-on-various-types.js:
866         * stress/arith-floor-on-various-types.js:
867         * stress/arith-fround-on-various-types.js:
868         * stress/arith-log-on-various-types.js:
869         * stress/arith-log10-on-various-types.js:
870         * stress/arith-log2-on-various-types.js:
871         * stress/arith-negate-on-various-types.js:
872         * stress/arith-round-on-various-types.js:
873         * stress/arith-sin-on-various-types.js:
874         * stress/arith-sinh-on-various-types.js:
875         * stress/arith-sqrt-on-various-types.js:
876         * stress/arith-tan-on-various-types.js:
877         * stress/arith-tanh-on-various-types.js:
878         * stress/arith-trunc-on-various-types.js:
879         * stress/compare-strict-eq-on-various-types.js:
880
881 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
882
883         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
884
885         Unreviewed test gardening.
886
887         * stress/new-largeish-contiguous-array-with-size.js:
888
889 2018-02-14  Saam Barati  <sbarati@apple.com>
890
891         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
892         https://bugs.webkit.org/show_bug.cgi?id=182801
893
894         Reviewed by Keith Miller.
895
896         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
897
898 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
899
900         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
901         https://bugs.webkit.org/show_bug.cgi?id=182526
902
903         Unreviewed test gardening.
904
905         * stress/activation-sink-default-value-tdz-error.js:
906
907 2018-02-13  Saam Barati  <sbarati@apple.com>
908
909         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
910         https://bugs.webkit.org/show_bug.cgi?id=182755
911         <rdar://problem/37080864>
912
913         Reviewed by Keith Miller.
914
915         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
916         (test1.o.get 10005):
917         (test1):
918         (test2.o.get 1000):
919         (test2):
920
921 2018-02-13  Caitlin Potter  <caitp@igalia.com>
922
923         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
924         https://bugs.webkit.org/show_bug.cgi?id=182717
925
926         Reviewed by Yusuke Suzuki.
927
928         https://github.com/tc39/ecma262/pull/890 imposes a change to template
929         literals, to allow template callsite arrays to be collected when the
930         code containing the tagged template call is collected. This spec change
931         has received concensus and been ratified.
932
933         This change eliminates the eternal map associating template contents
934         with arrays.
935
936         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
937         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
938         * stress/tagged-templates-identity.js:
939         * stress/template-string-tags-eval.js:
940         * test262.yaml:
941
942 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
943
944         Support GetArrayLength on ArrayStorage in the FTL
945         https://bugs.webkit.org/show_bug.cgi?id=182625
946
947         Reviewed by Saam Barati.
948
949         * stress/array-storage-length.js: Added.
950         (shouldBe):
951         (testInBound):
952         (testUncountable):
953         (testSlowPutInBound):
954         (testSlowPutUncountable):
955         * stress/undecided-length.js: Added.
956         (shouldBe):
957         (test2):
958
959 2018-02-12  Saam Barati  <sbarati@apple.com>
960
961         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
962         https://bugs.webkit.org/show_bug.cgi?id=182706
963         <rdar://problem/36833681>
964
965         Reviewed by Filip Pizlo.
966
967         * stress/get-array-length-phantom-new-array-buffer.js: Added.
968         (effects):
969         (foo):
970
971 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
972
973         Don't waste memory for error.stack
974         https://bugs.webkit.org/show_bug.cgi?id=182656
975
976         Reviewed by Saam Barati.
977         
978         Tests the policy.
979
980         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
981         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
982
983 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
984
985         [JSC] Update Test262 to Feb 9 version
986         https://bugs.webkit.org/show_bug.cgi?id=182468
987
988         Reviewed by Saam Barati.
989
990 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
991
992         Unreviewed, fix invalid line terminator in old test262 file part 2
993         https://bugs.webkit.org/show_bug.cgi?id=182468
994
995         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
996
997 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
998
999         Unreviewed, fix invalid line terminator in old test262 file
1000         https://bugs.webkit.org/show_bug.cgi?id=182468
1001
1002         * test262/test/language/literals/regexp/7.8.5-1.js:
1003
1004 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1005
1006         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1007         https://bugs.webkit.org/show_bug.cgi?id=182440
1008
1009         Reviewed by Darin Adler.
1010
1011         * stress/array-flatmap.js: Added.
1012         (shouldBe):
1013         (shouldBeArray):
1014         (shouldThrow):
1015         (var):
1016         * stress/array-flatten.js: Added.
1017         (shouldBe):
1018         (shouldBeArray):
1019         * test262.yaml:
1020         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1021         (3.flatMap):
1022         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1023
1024 2018-02-06  Keith Miller  <keith_miller@apple.com>
1025
1026         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1027         https://bugs.webkit.org/show_bug.cgi?id=182549
1028         <rdar://problem/36189995>
1029
1030         Reviewed by Saam Barati.
1031
1032         * stress/var-injection-cache-invalidation.js: Added.
1033         (allocateLotsOfThings):
1034         (test):
1035
1036 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1037
1038         Unreviewed, follow up for test262 update
1039         https://bugs.webkit.org/show_bug.cgi?id=182288
1040
1041         * test262.yaml:
1042
1043 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1044
1045         Update test262 to Jan 30 version
1046         https://bugs.webkit.org/show_bug.cgi?id=182288
1047
1048         Unreviewed test gardening.
1049
1050         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1051
1052 2018-02-02  Saam Barati  <sbarati@apple.com>
1053
1054         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1055         https://bugs.webkit.org/show_bug.cgi?id=182368
1056         <rdar://problem/36932466>
1057
1058         Reviewed by Mark Lam.
1059
1060         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1061         (runNearStackLimit.t):
1062         (runNearStackLimit):
1063         (try.runNearStackLimit):
1064         (catch):
1065
1066 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1067
1068         Update test262 to Jan 30 version
1069         https://bugs.webkit.org/show_bug.cgi?id=182288
1070
1071         Rubber stamped by Saam Barati.
1072
1073         This patch updates test262 to the latest one, Jan 30 version.
1074         Since added and changed files are too many, we cannot create ChangeLog.
1075         The following files are changed.
1076
1077         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1078         including some special line terminators (like u2028, u2029).
1079
1080         * test262.yaml:
1081         * test262/test262-Revision.txt:
1082         * test262/*:
1083
1084 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1085
1086         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1087         https://bugs.webkit.org/show_bug.cgi?id=182411
1088
1089         Reviewed by Carlos Alberto Lopez Perez.
1090
1091         This is skipped only on arm memory limited platforms. Until recently
1092         it was not a problem on MIPS as the butterfly was not initialized. But
1093         since r227435, the butterfly is initialized in that test and therefore
1094         memory is allocated, and the test typically takes around 512M, which
1095         means it generally gets OOM-killed on the MIPS buildbot.
1096
1097         * mozilla/mozilla-tests.yaml:
1098
1099 2018-02-01  Mark Lam  <mark.lam@apple.com>
1100
1101         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1102         https://bugs.webkit.org/show_bug.cgi?id=182419
1103         <rdar://problem/37044945>
1104
1105         Reviewed by Saam Barati.
1106
1107         * stress/regress-182419.js: Added.
1108
1109 2018-02-01  Keith Miller  <keith_miller@apple.com>
1110
1111         Fix crashes due to mishandling custom sections.
1112         https://bugs.webkit.org/show_bug.cgi?id=182404
1113         <rdar://problem/36935863>
1114
1115         Reviewed by Saam Barati.
1116
1117         * wasm/Builder.js:
1118         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1119         * wasm/js-api/validate.js:
1120         (assert.truthy):
1121
1122 2018-01-31  Saam Barati  <sbarati@apple.com>
1123
1124         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1125         https://bugs.webkit.org/show_bug.cgi?id=182074
1126         <rdar://problem/36846261>
1127
1128         Reviewed by Mark Lam.
1129
1130         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1131         (assert):
1132         (let.func):
1133         (let.o.foo):
1134         (varFunc):
1135
1136 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1137
1138         Unreviewed, update test262 expects
1139         https://bugs.webkit.org/show_bug.cgi?id=182232
1140
1141         * test262.yaml:
1142
1143 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1144
1145         [JSC] Implement trimStart and trimEnd
1146         https://bugs.webkit.org/show_bug.cgi?id=182233
1147
1148         Reviewed by Mark Lam.
1149
1150         * stress/trim.js: Added.
1151         (shouldBe):
1152         (startTest):
1153         (endTest):
1154         (trimTest):
1155
1156 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1157
1158         [JSC] Relax line terminators in String to make JSON subset of JS
1159         https://bugs.webkit.org/show_bug.cgi?id=182232
1160
1161         Reviewed by Keith Miller.
1162
1163         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1164         * stress/relaxed-line-terminators-in-string.js: Added.
1165         (shouldBe):
1166
1167 2018-01-29  Michael Saboff  <msaboff@apple.com>
1168
1169         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1170         https://bugs.webkit.org/show_bug.cgi?id=182249
1171
1172         Reviewed by Keith Miller.
1173
1174         New regression test.
1175
1176         * stress/compare-clobber-untypeduse.js: Added.
1177
1178 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1179
1180         Unreviewed, rolling out r227725.
1181
1182         This caused internal failures.
1183
1184         Reverted changeset:
1185
1186         "JSC Sampling Profiler: Detect tester and testee when sampling
1187         in RegExp JIT"
1188         https://bugs.webkit.org/show_bug.cgi?id=152729
1189         https://trac.webkit.org/changeset/227725
1190
1191 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1192
1193         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1194         https://bugs.webkit.org/show_bug.cgi?id=152729
1195
1196         Reviewed by Saam Barati.
1197
1198         * stress/sampling-profiler-regexp.js: Added.
1199         (platformSupportsSamplingProfiler.test):
1200         (platformSupportsSamplingProfiler.baz):
1201         (platformSupportsSamplingProfiler):
1202
1203 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1204
1205         [DFG][FTL] WeakMap#set should have DFG node
1206         https://bugs.webkit.org/show_bug.cgi?id=180015
1207
1208         Reviewed by Saam Barati.
1209
1210         * stress/weakmap-set-change-get.js: Added.
1211         (shouldBe):
1212         (test):
1213         * stress/weakmap-set-cse.js: Added.
1214         (shouldBe):
1215         (test):
1216         * stress/weakset-add-change-get.js: Added.
1217         (shouldBe):
1218         * stress/weakset-add-cse.js: Added.
1219         (shouldBe):
1220
1221 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1222
1223         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1224         https://bugs.webkit.org/show_bug.cgi?id=182213
1225
1226         Reviewed by Mark Lam.
1227
1228         * stress/int32-min-to-string.js: Added.
1229         (shouldBe):
1230         (test2):
1231         (test4):
1232         (test8):
1233         (test16):
1234         (test32):
1235         * stress/zero-to-string.js: Added.
1236         (shouldBe):
1237         (test2):
1238         (test4):
1239         (test8):
1240         (test16):
1241         (test32):
1242
1243 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1244
1245         Add more module scope related tests with code evaluation by string
1246         https://bugs.webkit.org/show_bug.cgi?id=181983
1247
1248         Reviewed by Sam Weinig.
1249
1250         Add more module scope related tests. When the original tests are landed,
1251         we do not have browser integration. This patch adds more module scope tests
1252         with dynamically created script evaluation. We add tests with Function
1253         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1254
1255         * modules/scopes-eval.js: Added.
1256         (shouldBe):
1257         * modules/scopes.js:
1258         (shouldBe):
1259
1260 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1261
1262         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1263
1264         * microbenchmarks/array-push-3.js: Removed.
1265         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1266         * microbenchmarks/double-to-int32.js: Removed.
1267         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1268         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1269         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1270         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1271         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1272         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1273         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1274         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1275         * microbenchmarks/map-constant-key.js: Removed.
1276         * microbenchmarks/nested-function-parsing.js: Removed.
1277         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1278         * microbenchmarks/spread-large-array.js: Removed.
1279         * microbenchmarks/string-add-constant-folding.js: Removed.
1280         * microbenchmarks/to-lower-case.js: Removed.
1281         * microbenchmarks/undefined-property-access.js: Removed.
1282         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1283         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1284         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1285         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1286         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1287         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1288         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1289         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1290         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1291         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1292         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1293         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1294         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1295         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1296         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1297         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1298         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1299         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1300
1301 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1302
1303         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1304         https://bugs.webkit.org/show_bug.cgi?id=181739
1305         <rdar://problem/36627662>
1306
1307         Reviewed by Saam Barati.
1308
1309         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1310         (foo):
1311         (bar):
1312
1313 2018-01-22  Michael Saboff  <msaboff@apple.com>
1314
1315         DFG abstract interpreter needs to properly model effects of some Math ops
1316         https://bugs.webkit.org/show_bug.cgi?id=181886
1317
1318         Reviewed by Saam Barati.
1319
1320         New regression test.
1321
1322         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1323         (test):
1324
1325 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1326
1327         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1328         https://bugs.webkit.org/show_bug.cgi?id=181182
1329
1330         Reviewed by Darin Adler.
1331
1332         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1333         * stress/big-int-prototype-to-string-exception.js: Added.
1334         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1335         * stress/number-prototype-to-string-cast-overflow.js: Added.
1336         * stress/number-prototype-to-string-exception.js: Added.
1337         * stress/number-prototype-to-string-wrong-values.js: Added.
1338
1339 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1340
1341         Disable Atomics when SharedArrayBuffer isn’t enabled
1342         https://bugs.webkit.org/show_bug.cgi?id=181572
1343
1344         Unreviewed test gardening.
1345
1346         * test262.yaml: Skip tests that fail after this change.
1347
1348 2018-01-19  Saam Barati  <sbarati@apple.com>
1349
1350         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1351         https://bugs.webkit.org/show_bug.cgi?id=181877
1352         <rdar://problem/36630552>
1353
1354         Reviewed by Mark Lam.
1355
1356         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1357         (runNearStackLimit):
1358         (f1):
1359         (f2):
1360         (f3):
1361         (i.catch):
1362         (i.try.runNearStackLimit):
1363         (catch):
1364
1365 2018-01-19  Saam Barati  <sbarati@apple.com>
1366
1367         Spread's effects are modeled incorrectly both in AI and in Clobberize
1368         https://bugs.webkit.org/show_bug.cgi?id=181867
1369         <rdar://problem/36290415>
1370
1371         Reviewed by Michael Saboff.
1372
1373         * stress/ai-needs-to-model-spreads-effects.js: Added.
1374         (try.p.Symbol.iterator):
1375         (try.go):
1376         (catch):
1377         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1378         (assert):
1379         (foo):
1380         (a.Symbol.iterator):
1381
1382 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1383
1384         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1385         https://bugs.webkit.org/show_bug.cgi?id=181535
1386
1387         * stress/inserted-recovery-with-set-last-index.js:
1388
1389 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1390
1391         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1392         https://bugs.webkit.org/show_bug.cgi?id=181535
1393
1394         Reviewed by Saam Barati.
1395
1396         * stress/inserted-recovery-with-set-last-index.js: Added.
1397         (shouldBe):
1398         (foo):
1399         * stress/materialize-regexp-at-osr-exit.js: Added.
1400         (shouldBe):
1401         (test):
1402         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1403         (shouldBe):
1404         (test):
1405         * stress/materialize-regexp-cyclic-regexp.js: Added.
1406         (shouldBe):
1407         (test):
1408         (i.switch):
1409         * stress/materialize-regexp-cyclic.js: Added.
1410         (shouldBe):
1411         (test):
1412         (i.switch):
1413         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1414         (bar):
1415         (foo):
1416         (test):
1417         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1418         (bar):
1419         (foo):
1420         (test):
1421         * stress/materialize-regexp.js: Added.
1422         (shouldBe):
1423         (test):
1424         * stress/phantom-regexp-regexp-exec.js: Added.
1425         (shouldBe):
1426         (test):
1427         * stress/phantom-regexp-string-match.js: Added.
1428         (shouldBe):
1429         (test):
1430         * stress/regexp-last-index-sinking.js: Added.
1431         (shouldBe):
1432         (test):
1433
1434 2018-01-17  Saam Barati  <sbarati@apple.com>
1435
1436         Disable Atomics when SharedArrayBuffer isn’t enabled
1437         https://bugs.webkit.org/show_bug.cgi?id=181572
1438         <rdar://problem/36553206>
1439
1440         Reviewed by Michael Saboff.
1441
1442         * stress/isLockFree.js:
1443
1444 2018-01-17  Saam Barati  <sbarati@apple.com>
1445
1446         DFG::Node::convertToConstant needs to clear the varargs flags
1447         https://bugs.webkit.org/show_bug.cgi?id=181697
1448         <rdar://problem/36497332>
1449
1450         Reviewed by Yusuke Suzuki.
1451
1452         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1453         (doIndexOf):
1454         (bar):
1455         (i.bar):
1456
1457 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1458
1459         Unreviewed, rolling out r226937.
1460
1461         Tests added with this change are failing due to a missing
1462         exception check.
1463
1464         Reverted changeset:
1465
1466         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1467         double to int32_t"
1468         https://bugs.webkit.org/show_bug.cgi?id=181182
1469         https://trac.webkit.org/changeset/226937
1470
1471 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1472
1473         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1474         https://bugs.webkit.org/show_bug.cgi?id=181182
1475
1476         Reviewed by Darin Adler.
1477
1478         * bigIntTests.yaml:
1479         * stress/big-int-constructor.js:
1480         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1481         (assert):
1482         (assertThrowRangeError):
1483         * stress/number-prototype-to-string-cast-overflow.js: Added.
1484         (assert):
1485         (assertThrowRangeError):
1486
1487 2018-01-12  Saam Barati  <sbarati@apple.com>
1488
1489         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1490         https://bugs.webkit.org/show_bug.cgi?id=181177
1491         <rdar://problem/36205704>
1492
1493         Reviewed by Yusuke Suzuki.
1494
1495         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1496         (runNearStackLimit.t):
1497         (runNearStackLimit):
1498         (test.f):
1499         (test):
1500
1501 2018-01-12  Saam Barati  <sbarati@apple.com>
1502
1503         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1504         https://bugs.webkit.org/show_bug.cgi?id=181562
1505         <rdar://problem/36445624>
1506
1507         Reviewed by Yusuke Suzuki.
1508
1509         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1510         (f):
1511         (foo):
1512
1513 2018-01-11  Saam Barati  <sbarati@apple.com>
1514
1515         When inserting Unreachable in byte code parser we need to flush all the right things
1516         https://bugs.webkit.org/show_bug.cgi?id=181509
1517         <rdar://problem/36423110>
1518
1519         Reviewed by Mark Lam.
1520
1521         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1522
1523 2018-01-11  Saam Barati  <sbarati@apple.com>
1524
1525         JITMathIC code in the FTL is wrong when code gets duplicated
1526         https://bugs.webkit.org/show_bug.cgi?id=181525
1527         <rdar://problem/36351993>
1528
1529         Reviewed by Michael Saboff and Keith Miller.
1530
1531         * stress/allow-math-ic-b3-code-duplication.js: Added.
1532
1533 2018-01-11  Saam Barati  <sbarati@apple.com>
1534
1535         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1536         https://bugs.webkit.org/show_bug.cgi?id=181508
1537
1538         Reviewed by Yusuke Suzuki.
1539
1540         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1541         (assert):
1542         (test1.foo):
1543         (test1):
1544         (test2.foo):
1545         (test2):
1546
1547 2018-01-09  Mark Lam  <mark.lam@apple.com>
1548
1549         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1550         https://bugs.webkit.org/show_bug.cgi?id=181388
1551         <rdar://problem/36349351>
1552
1553         Reviewed by Saam Barati.
1554
1555         * stress/regress-181388.js: Added.
1556
1557 2018-01-08  JF Bastien  <jfbastien@apple.com>
1558
1559         WebAssembly: mask indexed accesses to Table
1560         https://bugs.webkit.org/show_bug.cgi?id=181412
1561         <rdar://problem/36363236>
1562
1563         Reviewed by Saam Barati.
1564
1565         Update error messages.
1566
1567         * wasm/js-api/table.js:
1568         (assert.throws.WebAssembly.Table.prototype.grow):
1569
1570 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1571
1572         Disable SharedArrayBuffer tests missed in r226386.
1573         https://bugs.webkit.org/show_bug.cgi?id=181266
1574
1575         Unreviewed test gardening.
1576
1577         * test262.yaml:
1578
1579 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1580
1581         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1582         https://bugs.webkit.org/show_bug.cgi?id=181321
1583
1584         Reviewed by Saam Barati.
1585
1586         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1587         (shouldBe):
1588         (testFunction):
1589         * test262.yaml:
1590
1591 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1592
1593         Unreviewed, attempt to fix test262 after r226386.
1594
1595         * test262.yaml:
1596
1597 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1598
1599         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1600         https://bugs.webkit.org/show_bug.cgi?id=179911
1601
1602         Reviewed by Saam Barati.
1603
1604         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1605
1606         * stress/map-set-change-get.js: Added.
1607         (shouldBe):
1608         (test):
1609         * stress/map-set-create-bucket.js: Added.
1610         (shouldBe):
1611         (test):
1612         * stress/set-add-create-bucket.js: Added.
1613         (shouldBe):
1614
1615 2018-01-03  Michael Saboff  <msaboff@apple.com>
1616
1617         Disable SharedArrayBuffers from Web API
1618         https://bugs.webkit.org/show_bug.cgi?id=181266
1619
1620         Reviewed by Saam Barati.
1621
1622         Disabled SharedArrayBuffer tests.
1623
1624         * stress/SharedArrayBuffer-opt.js:
1625         * stress/SharedArrayBuffer.js:
1626         * stress/array-buffer-byte-length.js:
1627         * stress/atomics-add-uint32.js:
1628         * stress/atomics-known-int-use.js:
1629         * stress/atomics-neg-zero.js:
1630         * stress/atomics-store-return.js:
1631         * stress/lars-sab-workers.js:
1632         * stress/regress-159779-1.js:
1633         * stress/regress-159779-2.js:
1634         * stress/regress-170473.js:
1635         * test262.yaml:
1636
1637 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1638
1639         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1640         https://bugs.webkit.org/show_bug.cgi?id=181258
1641
1642         Reviewed by Antonio Gomes.
1643
1644         * stress/big-int-constructor-gc.js:
1645         * stress/big-int-constructor-oom.js:
1646
1647 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1648
1649         Inlining of a function that ends in op_unreachable crashes
1650         https://bugs.webkit.org/show_bug.cgi?id=181027
1651
1652         Reviewed by Filip Pizlo.
1653
1654         * stress/inlining-unreachable.js: Added.
1655         (bar):
1656         (baz):
1657         (i.catch):
1658
1659 2018-01-02  Saam Barati  <sbarati@apple.com>
1660
1661         Incorrect assertion inside AccessCase
1662         https://bugs.webkit.org/show_bug.cgi?id=181200
1663         <rdar://problem/35494754>
1664
1665         Reviewed by Yusuke Suzuki.
1666
1667         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1668         (ctor):
1669         (theFunc):
1670         (run):
1671
1672 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1673
1674         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1675         https://bugs.webkit.org/show_bug.cgi?id=175359
1676
1677         Reviewed by Yusuke Suzuki.
1678
1679         * bigIntTests.yaml:
1680         * stress/big-int-as-key.js: Added.
1681         * stress/big-int-constructor-gc.js: Added.
1682         * stress/big-int-constructor-oom.js: Added.
1683         * stress/big-int-constructor-properties.js: Added.
1684         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1685         * stress/big-int-constructor-prototype.js: Added.
1686         * stress/big-int-constructor.js: Added.
1687         * stress/big-int-function-apply.js:
1688         * stress/big-int-length.js: Added.
1689         * stress/big-int-prop-descriptor.js: Added.
1690         * stress/big-int-proto-constructor.js: Added.
1691         * stress/big-int-proto-name.js: Added.
1692         * stress/big-int-prototype-properties.js: Added.
1693         * stress/big-int-prototype-proto.js: Added.
1694         * stress/big-int-prototype-value-of.js: Added.
1695         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1696         * stress/big-int-prototype-to-string-apply.js: Added.
1697         * stress/big-int-to-object.js: Added.
1698         * stress/big-int-to-string.js: Added.
1699
1700 2017-12-28  Saam Barati  <sbarati@apple.com>
1701
1702         Assertion used to determine if something is an async generator is wrong
1703         https://bugs.webkit.org/show_bug.cgi?id=181168
1704         <rdar://problem/35640560>
1705
1706         Reviewed by Yusuke Suzuki.
1707
1708         * stress/async-generator-assertion.js: Added.
1709
1710 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1711
1712         Skip stress/splay-flash-access tests on memory limited platforms
1713         https://bugs.webkit.org/show_bug.cgi?id=181086
1714
1715         Reviewed by Carlos Alberto Lopez Perez.
1716
1717         These tests use about 185M of memory, and occasionally get OOM-killed
1718         on memory limited platforms.
1719
1720         * stress/splay-flash-access-1ms.js:
1721         * stress/splay-flash-access.js:
1722
1723 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1724
1725         Skip slow jsc tests on embedded platforms
1726         https://bugs.webkit.org/show_bug.cgi?id=180937
1727
1728         Reviewed by Carlos Alberto Lopez Perez.
1729
1730         The tests typeProfiler/deltablue-for-of.js and
1731         typeProfiler/getter-richards.js take a very long time in the
1732         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1733         thus always timeout. They should be skipped on these platforms.
1734
1735         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1736         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1737
1738 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1739
1740         [JSC] Do not check isValid() in op_new_regexp
1741         https://bugs.webkit.org/show_bug.cgi?id=180970
1742
1743         Reviewed by Saam Barati.
1744
1745         * stress/regexp-syntax-error-invalid-flags.js: Added.
1746         (shouldThrow):
1747
1748 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1749
1750         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1751         https://bugs.webkit.org/show_bug.cgi?id=180712
1752
1753         Reviewed by Michael Catanzaro.
1754
1755         stress/call-apply-exponential-bytecode-size.js crashes if the
1756         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1757         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1758         should skip the test on other platforms.
1759
1760         * stress/call-apply-exponential-bytecode-size.js:
1761
1762 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1763
1764         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1765         https://bugs.webkit.org/show_bug.cgi?id=179762
1766
1767         Reviewed by Saam Barati.
1768
1769         * stress/call-varargs-double-new-array-buffer.js: Added.
1770         (assert):
1771         (bar):
1772         (foo):
1773         * stress/call-varargs-spread-new-array-buffer.js: Added.
1774         (assert):
1775         (bar):
1776         (foo):
1777         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1778         (assert):
1779         (bar):
1780         (foo):
1781         * stress/forward-varargs-double-new-array-buffer.js: Added.
1782         (assert):
1783         (test.baz):
1784         (test.bar):
1785         (test.foo):
1786         (test):
1787         * stress/new-array-buffer-sinking-osrexit.js: Added.
1788         (target):
1789         (test):
1790         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1791         (shouldBe):
1792         (test):
1793         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1794         (shouldBe):
1795         (target):
1796         (test):
1797         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1798         (assert):
1799         (test1.bar):
1800         (test1.foo):
1801         (test1):
1802         (test2.bar):
1803         (test2.foo):
1804         (test3.baz):
1805         (test3.bar):
1806         (test3.foo):
1807         (test4.baz):
1808         (test4.bar):
1809         (test4.foo):
1810         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1811         (assert):
1812         (test.baz):
1813         (test.bar):
1814         (test.foo):
1815         (test):
1816         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1817         (assert):
1818         (baz):
1819         (bar):
1820         (effects):
1821         (foo):
1822
1823 2017-12-14  Saam Barati  <sbarati@apple.com>
1824
1825         The CleanUp after LICM is erroneously removing a Check
1826         https://bugs.webkit.org/show_bug.cgi?id=180852
1827         <rdar://problem/36063494>
1828
1829         Reviewed by Filip Pizlo.
1830
1831         * stress/dont-run-cleanup-after-licm.js: Added.
1832
1833 2017-12-14  Michael Saboff  <msaboff@apple.com>
1834
1835         REGRESSION (r225695): Repro crash on yahoo login page
1836         https://bugs.webkit.org/show_bug.cgi?id=180761
1837
1838         Reviewed by JF Bastien.
1839
1840         New regression test.
1841
1842         * stress/regress-180761.js: Added.
1843
1844 2017-12-13  Keith Miller  <keith_miller@apple.com>
1845
1846         JSObjects should have a mask for loading indexed properties
1847         https://bugs.webkit.org/show_bug.cgi?id=180768
1848
1849         Reviewed by Mark Lam.
1850
1851         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1852         (test):
1853
1854 2017-12-13  Saam Barati  <sbarati@apple.com>
1855
1856         Arrow functions need their own structure because they have different properties than sloppy functions
1857         https://bugs.webkit.org/show_bug.cgi?id=180779
1858         <rdar://problem/35814591>
1859
1860         Reviewed by Mark Lam.
1861
1862         * stress/arrow-function-needs-its-own-structure.js: Added.
1863         (assert):
1864         (readPrototype):
1865         (noInline.let.f1):
1866         (noInline):
1867
1868 2017-12-13  Saam Barati  <sbarati@apple.com>
1869
1870         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1871         https://bugs.webkit.org/show_bug.cgi?id=163579
1872         <rdar://problem/35455798>
1873
1874         Reviewed by Mark Lam.
1875
1876         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1877         (assert):
1878         (test1):
1879         (i.test1):
1880         (i.test1.C):
1881         (i.test1.async.foo):
1882         (i.test1.foo):
1883         (test2):
1884
1885 2017-12-13  Saam Barati  <sbarati@apple.com>
1886
1887         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1888         https://bugs.webkit.org/show_bug.cgi?id=180734
1889         <rdar://problem/35640547>
1890
1891         Reviewed by Yusuke Suzuki.
1892
1893         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1894         (__isPropertyOfType):
1895         (__getProperties):
1896         (__getObjects):
1897         (__getRandomObject):
1898         (theClass.):
1899         (theClass):
1900         (childClass):
1901         (counter.catch):
1902
1903 2017-12-12  Saam Barati  <sbarati@apple.com>
1904
1905         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1906         https://bugs.webkit.org/show_bug.cgi?id=180725
1907         <rdar://problem/35970511>
1908
1909         Reviewed by Michael Saboff.
1910
1911         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1912         (f1):
1913         (f2):
1914         (let.o2.valueOf):
1915
1916 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1917
1918         [JSC] Implement optimized WeakMap and WeakSet
1919         https://bugs.webkit.org/show_bug.cgi?id=179929
1920
1921         Reviewed by Saam Barati.
1922
1923         * microbenchmarks/weak-map-key.js:
1924         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1925         (assert):
1926         (objectKey):
1927         (let.start.Date.now):
1928         * stress/basic-weakmap.js: Added.
1929         (shouldBe):
1930         (test):
1931         * stress/basic-weakset.js: Added.
1932         (shouldBe):
1933         (test.set new):
1934         * stress/weakmap-cse-set-break.js: Added.
1935         (shouldBe):
1936         (test):
1937         * stress/weakmap-cse.js: Added.
1938         (shouldBe):
1939         (test):
1940         * stress/weakmap-gc.js: Added.
1941         (test):
1942         * stress/weakset-cse-add-break.js: Added.
1943         (shouldBe):
1944         (test.set new):
1945         * stress/weakset-cse.js: Added.
1946         (shouldBe):
1947         (test.set new):
1948         * stress/weakset-gc.js: Added.
1949         (test.set add):
1950         (test.set new):
1951         (test):
1952
1953 2017-12-12  Saam Barati  <sbarati@apple.com>
1954
1955         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1956         https://bugs.webkit.org/show_bug.cgi?id=180723
1957         <rdar://problem/35859726>
1958
1959         Reviewed by JF Bastien.
1960
1961         * stress/get-my-argument-by-val-constant-folding.js: Added.
1962         (test):
1963         (catch):
1964
1965 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1966
1967         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1968         https://bugs.webkit.org/show_bug.cgi?id=179000
1969
1970         Reviewed by Darin Adler and Yusuke Suzuki.
1971
1972         * bigIntTests.yaml: Added.
1973         * stress/big-int-literal-line-terminator.js: Added.
1974         * stress/big-int-literals.js: Added.
1975         * stress/big-int-operations-error.js: Added.
1976         * stress/big-int-type-of.js: Added.
1977         * stress/big-int-white-space-trailing-leading.js: Added.
1978         * stress/big-int-function-apply.js: Added.
1979
1980 2017-12-11  Saam Barati  <sbarati@apple.com>
1981
1982         We need to disableCaching() in ErrorInstance when we materialize properties
1983         https://bugs.webkit.org/show_bug.cgi?id=180343
1984         <rdar://problem/35833002>
1985
1986         Reviewed by Mark Lam.
1987
1988         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1989         (assert):
1990         (makeError):
1991         (storeToStack):
1992         (storeToStackAlreadyMaterialized):
1993
1994 2017-12-05  JF Bastien  <jfbastien@apple.com>
1995
1996         WebAssembly: don't eagerly checksum
1997         https://bugs.webkit.org/show_bug.cgi?id=180441
1998         <rdar://problem/35156628>
1999
2000         Reviewed by Saam Barati.
2001
2002         Checksum is now disabled, so tests only have <?> as the module
2003         name.
2004
2005         * wasm/function-tests/nameSection.js:
2006         * wasm/function-tests/stack-overflow.js:
2007         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2008         (assertOverflows.assertThrows):
2009         (assertOverflows):
2010         * wasm/function-tests/stack-trace.js:
2011
2012 2017-12-04  JF Bastien  <jfbastien@apple.com>
2013
2014         Proxy all functions, except the $ objects
2015         https://bugs.webkit.org/show_bug.cgi?id=180375
2016
2017         Reviewed by Saam Barati.
2018
2019         It looks like this test may have broken some executions because I
2020         call some internal objects. Explicitly ignore objects whose name
2021         starts with "$" because it's a bad idea anyways.
2022
2023         * stress/proxy-all-the-parameters.js:
2024         (generateObjects):
2025         (get throw):
2026
2027 2017-12-04  Saam Barati  <sbarati@apple.com>
2028
2029         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2030         https://bugs.webkit.org/show_bug.cgi?id=180366
2031         <rdar://problem/35685877>
2032
2033         Reviewed by Michael Saboff.
2034
2035         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2036         (theParent):
2037         (test1.base.getParentStaticValue):
2038         (test1.base):
2039         (test1.__v_24888.prototype.set prop):
2040         (test1.__v_24888):
2041         (test2.base.getParentStaticValue):
2042         (test2.base):
2043         (test2.__v_24888.prototype.set prop):
2044         (test2.__v_24888):
2045         (test2):
2046
2047 2017-12-01  JF Bastien  <jfbastien@apple.com>
2048
2049         Try proxying all function arguments
2050         https://bugs.webkit.org/show_bug.cgi?id=180306
2051
2052         Reviewed by Saam Barati.
2053
2054         * stress/proxy-all-the-parameters.js: Added.
2055         (isPropertyOfType):
2056         (getProperties):
2057         (generateObjects):
2058         (getObjects):
2059         (getFunctions):
2060         (get throw):
2061         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2062
2063 2017-12-01  JF Bastien  <jfbastien@apple.com>
2064
2065         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2066         https://bugs.webkit.org/show_bug.cgi?id=180297
2067         <rdar://problem/35745556>
2068
2069         Reviewed by Mark Lam.
2070
2071         * stress/math-exceptions.js: Added.
2072         (get try):
2073         (catch):
2074
2075 2017-12-01  JF Bastien  <jfbastien@apple.com>
2076
2077         JavaScriptCore: add test for weird class static getters
2078         https://bugs.webkit.org/show_bug.cgi?id=180281
2079         <rdar://problem/35592139>
2080
2081         Reviewed by Mark Lam.
2082
2083         I fixed a bug for it in r224927 and didn't add a test. Do so.
2084
2085         * stress/class-static-get-weird.js: Added.
2086         (c.prototype.get name):
2087         (c):
2088         (c.prototype.get arguments):
2089         (c.prototype.get caller):
2090         (c.prototype.get length):
2091
2092 2017-12-01  Saam Barati  <sbarati@apple.com>
2093
2094         Having a bad time needs to handle ArrayClass indexing type as well
2095         https://bugs.webkit.org/show_bug.cgi?id=180274
2096         <rdar://problem/35667869>
2097
2098         Reviewed by Keith Miller and Mark Lam.
2099
2100         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2101         (assert):
2102         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2103         (assert):
2104
2105 2017-12-01  JF Bastien  <jfbastien@apple.com>
2106
2107         WebAssembly: restore cached stack limit after out-call
2108         https://bugs.webkit.org/show_bug.cgi?id=179106
2109         <rdar://problem/35337525>
2110
2111         Reviewed by Saam Barati.
2112
2113         * wasm/function-tests/double-instance.js: Added.
2114         (const.imp.boom):
2115         (const.imp.get callAnother):
2116
2117 2017-11-30  JF Bastien  <jfbastien@apple.com>
2118
2119         WebAssembly: improve stack trace
2120         https://bugs.webkit.org/show_bug.cgi?id=179343
2121
2122         Reviewed by Saam Barati.
2123
2124         Update the tests to follow the new format. Notably, SHA1 module
2125         hash is now included in traces, and stubs are properly identified.
2126
2127         * wasm/assert.js: Add an assertion which matches regular expressions.
2128         * wasm/function-tests/nameSection.js:
2129         * wasm/function-tests/stack-overflow.js:
2130         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2131         (assertOverflows.assertThrows.wasm.1):
2132         (assertOverflows.assertThrows.wasm.0):
2133         (assertOverflows.assertThrows):
2134         (assertOverflows):
2135         * wasm/function-tests/stack-trace.js:
2136         (import.Builder.from.string_appeared_here.assert): Deleted.
2137         * wasm/function-tests/trap-after-cross-instance-call.js:
2138         (wasmFrameCountFromError):
2139         * wasm/function-tests/trap-load-2.js:
2140         (wasmFrameCountFromError):
2141         * wasm/function-tests/trap-load.js:
2142         (wasmFrameCountFromError):
2143
2144 2017-11-30  Mark Lam  <mark.lam@apple.com>
2145
2146         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2147         https://bugs.webkit.org/show_bug.cgi?id=180219
2148         <rdar://problem/35696536>
2149
2150         Reviewed by Filip Pizlo.
2151
2152         * stress/regress-180219.js: Added.
2153
2154 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2155
2156         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2157         https://bugs.webkit.org/show_bug.cgi?id=180190
2158
2159         Reviewed by Mark Lam.
2160
2161         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2162         (shouldBe):
2163         (test1):
2164         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2165         (shouldBe):
2166         (test1):
2167         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2168         (shouldBe):
2169         (test1):
2170         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2171         (shouldBe):
2172         (test1):
2173         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2174         (shouldBe):
2175         (test1):
2176         * stress/operation-in-may-have-negative-int32.js: Added.
2177         (shouldBe):
2178         (test2):
2179         * stress/operation-in-negative-int32-cast.js: Added.
2180         (shouldBe):
2181         (test1):
2182
2183 2017-11-28  JF Bastien  <jfbastien@apple.com>
2184
2185         Strict and sloppy functions shouldn't share structure
2186         https://bugs.webkit.org/show_bug.cgi?id=180103
2187         <rdar://problem/35667847>
2188
2189         Reviewed by Saam Barati.
2190
2191         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2192         because the IC was wrong.
2193         (foo):
2194         (bar):
2195         (baz):
2196         (catch):
2197         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2198         in this patch, but may as well test odd strict mode corner cases.
2199         (bar):
2200         (baz):
2201         (catch):
2202         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2203         (foo):
2204         (bar):
2205         (baz):
2206         (catch):
2207         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2208         next file, but with invalidation of the FunctionExecutable's
2209         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2210         slower path.
2211         (foo):
2212         (bar.const.x):
2213         (bar.const.y):
2214         (bar):
2215         (catch):
2216         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2217         strict nesting works correctly.
2218         (foo):
2219         (bar.baz):
2220         (bar):
2221         * stress/strict-function-structure.js: Added. The test used to
2222         assert in objectProtoFuncHasOwnProperty.
2223         (foo):
2224         (bar):
2225         (baz):
2226         * stress/strict-nested-function-structure.js: Added. Nesting.
2227         (foo):
2228         (bar):
2229         (baz.boo):
2230         (baz):
2231
2232 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2233
2234         The recursive tail call optimisation is wrong on closures
2235         https://bugs.webkit.org/show_bug.cgi?id=179835
2236
2237         Reviewed by Saam Barati.
2238
2239         * stress/closure-recursive-tail-call.js: Added.
2240         (makeClosure):
2241
2242 2017-11-27  JF Bastien  <jfbastien@apple.com>
2243
2244         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2245         https://bugs.webkit.org/show_bug.cgi?id=180051
2246         <rdar://problem/35614371>
2247
2248         Reviewed by Saam Barati.
2249
2250         * stress/rest-parameter-negative.js: Added.
2251         (__f_5484):
2252         (catch):
2253         (__f_5485):
2254         (__v_22598.catch):
2255
2256 2017-11-27  Saam Barati  <sbarati@apple.com>
2257
2258         Spread can escape when CreateRest does not
2259         https://bugs.webkit.org/show_bug.cgi?id=180057
2260         <rdar://problem/35676119>
2261
2262         Reviewed by JF Bastien.
2263
2264         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2265         (assert):
2266         (getProperties):
2267         (theFunc):
2268         (let.obj.valueOf):
2269
2270 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2271
2272         [DFG] Add NormalizeMapKey DFG IR
2273         https://bugs.webkit.org/show_bug.cgi?id=179912
2274
2275         Reviewed by Saam Barati.
2276
2277         * stress/map-untyped-normalize-cse.js: Added.
2278         (shouldBe):
2279         (test):
2280         * stress/map-untyped-normalize.js: Added.
2281         (shouldBe):
2282         (test):
2283         * stress/set-untyped-normalize-cse.js: Added.
2284         (shouldBe):
2285         (set return.set has.set has):
2286         * stress/set-untyped-normalize.js: Added.
2287         (shouldBe):
2288         (set return.set has):
2289
2290 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2291
2292         [FTL] Support DeleteById and DeleteByVal
2293         https://bugs.webkit.org/show_bug.cgi?id=180022
2294
2295         Reviewed by Saam Barati.
2296
2297         * stress/delete-by-id.js: Added.
2298         (shouldBe):
2299         (test1):
2300         (test2):
2301         * stress/delete-by-val-ftl.js: Added.
2302         (shouldBe):
2303         (test1):
2304         (test2):
2305
2306 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2307
2308         [DFG] Introduce {Set,Map,WeakMap}Fields
2309         https://bugs.webkit.org/show_bug.cgi?id=179925
2310
2311         Reviewed by Saam Barati.
2312
2313         * stress/map-set-clobber-map-get.js: Added.
2314         (shouldBe):
2315         (test):
2316         * stress/map-set-does-not-clobber-set-has.js: Added.
2317         (shouldBe):
2318         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2319         (shouldBe):
2320         (test):
2321         * stress/set-add-clobber-set-has.js: Added.
2322         (shouldBe):
2323         * stress/set-add-does-not-clobber-map-get.js: Added.
2324         (shouldBe):
2325
2326 2017-11-24  Mark Lam  <mark.lam@apple.com>
2327
2328         Move unsafe jsc shell test functions to the $vm object.
2329         https://bugs.webkit.org/show_bug.cgi?id=179980
2330
2331         Reviewed by Yusuke Suzuki.
2332
2333         * controlFlowProfiler/driver/driver.js:
2334         * controlFlowProfiler/execution-count.js:
2335         * controlFlowProfiler/if-statement.js:
2336         * controlFlowProfiler/loop-statements.js:
2337         * controlFlowProfiler/switch-statements.js:
2338         * controlFlowProfiler/test-jit.js:
2339         * exceptionFuzz/3d-cube.js:
2340         * exceptionFuzz/date-format-xparb.js:
2341         * exceptionFuzz/earley-boyer.js:
2342         * heapProfiler/basic-edges.js:
2343         * heapProfiler/property-edge-types.js:
2344         * microbenchmarks/try-get-by-id-basic.js:
2345         * microbenchmarks/try-get-by-id-polymorphic.js:
2346         * modules/namespace-object-try-get.js:
2347         * stress/argument-count-bytecode.js:
2348         * stress/argument-intrinsic-basic.js:
2349         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2350         * stress/argument-intrinsic-inlining-with-result-escape.js:
2351         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2352         * stress/argument-intrinsic-inlining-with-vararg.js:
2353         * stress/argument-intrinsic-nested-inlining.js:
2354         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2355         * stress/argument-intrinsic-with-stack-write.js:
2356         * stress/arity-mismatch-get-argument.js:
2357         * stress/array-message-passing.js:
2358         * stress/array-push-with-force-exit.js:
2359         * stress/check-dom-with-signature.js:
2360         * stress/check-sub-class.js:
2361         * stress/compare-eq-incomplete-profile.js:
2362         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2363         * stress/do-eval-virtual-call-correctly.js:
2364         * stress/dom-jit-with-poly-proto.js:
2365         * stress/domjit-exception-ic.js:
2366         * stress/domjit-exception.js:
2367         * stress/domjit-getter-complex-with-incorrect-object.js:
2368         * stress/domjit-getter-complex.js:
2369         * stress/domjit-getter-poly.js:
2370         * stress/domjit-getter-proto.js:
2371         * stress/domjit-getter-super-poly.js:
2372         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2373         * stress/domjit-getter-type-check.js:
2374         * stress/domjit-getter.js:
2375         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2376         * stress/for-in-proxy-target-changed-structure.js:
2377         * stress/for-in-proxy.js:
2378         * stress/generational-opaque-roots.js:
2379         * stress/global-const-redeclaration-setting-2.js:
2380         * stress/global-const-redeclaration-setting-3.js:
2381         * stress/global-const-redeclaration-setting-4.js:
2382         * stress/global-const-redeclaration-setting-5.js:
2383         * stress/global-const-redeclaration-setting.js:
2384         * stress/import-basic.js:
2385         * stress/import-from-eval.js:
2386         * stress/import-reject-with-exception.js:
2387         * stress/import-syntax.js:
2388         * stress/impure-get-own-property-slot-inline-cache.js:
2389         * stress/is-constructor.js:
2390         * stress/istypedarrayview-intrinsic.js:
2391         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2392         * stress/jsc-test-functions-should-be-more-robust.js:
2393         * stress/object-toString-with-proxy.js:
2394         * stress/poly-proto-custom-value-and-accessor.js:
2395         * stress/proxy-inline-cache.js:
2396         * stress/re-execute-error-module.js:
2397         * stress/regress-150532.js:
2398         * stress/regress-156992.js:
2399         * stress/regress-179619.js:
2400         * stress/resources/shadow-chicken-support.js:
2401         * stress/runtime-array.js:
2402         * stress/sampling-profiler-microtasks.js:
2403         * stress/shadow-chicken-enabled.js:
2404         * stress/spread-correct-global-object-on-exception.js:
2405         * stress/super-get-by-id.js:
2406         * stress/tailCallForwardArguments.js:
2407         * stress/to-object-intrinsic-boolean-edge.js:
2408         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2409         * stress/to-object-intrinsic-number-edge.js:
2410         * stress/to-object-intrinsic-object-edge.js:
2411         * stress/to-object-intrinsic-string-edge.js:
2412         * stress/to-object-intrinsic-symbol-edge.js:
2413         * stress/to-object-intrinsic.js:
2414         * stress/try-catch-custom-getter-as-get-by-id.js:
2415         * stress/try-get-by-id-poly-proto.js:
2416         * stress/try-get-by-id-should-spill-registers-dfg.js:
2417         * stress/try-get-by-id.js:
2418         * typeProfiler/arrow-functions.js:
2419         * typeProfiler/basic.js:
2420         * typeProfiler/captured.js:
2421         * typeProfiler/classes.js:
2422         * typeProfiler/dfg-jit-optimizations.js:
2423         * typeProfiler/dictionary-mode.js:
2424         * typeProfiler/es6-block-scoping.js:
2425         * typeProfiler/es6-classes.js:
2426         * typeProfiler/inheritance.js:
2427         * typeProfiler/int52-dfg.js:
2428         * typeProfiler/loop.js:
2429         * typeProfiler/optional-fields.js:
2430         * typeProfiler/overflow.js:
2431         * typeProfiler/return.js:
2432         * typeProfiler/symbol.js:
2433         * typeProfiler/weird-prototype-chain.js:
2434
2435 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2436
2437         [DFG][FTL] Support MapSet / SetAdd intrinsics
2438         https://bugs.webkit.org/show_bug.cgi?id=179858
2439
2440         Reviewed by Saam Barati.
2441
2442         * microbenchmarks/map-has-and-set.js: Added.
2443         (test):
2444         * stress/map-set-check-failure.js: Added.
2445         (shouldBe):
2446         (shouldThrow):
2447         (target):
2448         * stress/map-set-cse.js: Added.
2449         (shouldBe):
2450         (test):
2451         * stress/set-add-check-failure.js: Added.
2452         (shouldBe):
2453         (shouldThrow):
2454         (set shouldThrow):
2455         * stress/set-add-cse.js: Added.
2456         (shouldBe):
2457
2458 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2459
2460         [JSC] Allow poly proto for intrinsic getters
2461         https://bugs.webkit.org/show_bug.cgi?id=179550
2462
2463         Reviewed by Saam Barati.
2464
2465         This change is also tested by existing tests.
2466
2467             1. stress/intrinsic-getter-with-poly-proto.js
2468             2. stress/poly-proto-intrinsic-getter-correctness.js
2469
2470         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2471         (shouldBe):
2472         (makePolyProtoObject.foo.C):
2473         (makePolyProtoObject.foo):
2474         (makePolyProtoObject):
2475         (target):
2476         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2477         (shouldBe):
2478         (makePolyProtoObject.foo.C):
2479         (makePolyProtoObject.foo):
2480         (makePolyProtoObject):
2481         (target):
2482
2483 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2484
2485         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2486         https://bugs.webkit.org/show_bug.cgi?id=179744
2487
2488         Reviewed by Michael Catanzaro.
2489
2490         This test uses too much memory for our buildbots on these platforms
2491         and gets OOM-killed.
2492
2493         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2494         Skip if $memoryLimited and linux.
2495
2496 2017-11-17  JF Bastien  <jfbastien@apple.com>
2497
2498         WebAssembly JS API: throw when a promise can't be created
2499         https://bugs.webkit.org/show_bug.cgi?id=179826
2500         <rdar://problem/35455813>
2501
2502         Reviewed by Mark Lam.
2503
2504         Test WebAssembly.{compile,instantiate} where promise creation
2505         fails because of a stack overflow.
2506
2507         * wasm/js-api/promise-stack-overflow.js: Added.
2508         (const.runNearStackLimit.f.const.t):
2509         (async.testCompile):
2510         (async.testInstantiate):
2511
2512 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2513
2514         Unreviewed, mark regress-178385.js as memory exhausting
2515
2516         * stress/regress-178385.js:
2517
2518 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2519
2520         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2521
2522         Unreviewed test gardening.
2523
2524         * test262.yaml:
2525
2526 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2527
2528         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2529         https://bugs.webkit.org/show_bug.cgi?id=179763
2530         <rdar://problem/35550513>
2531
2532         Reviewed by Keith Miller.
2533
2534         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2535
2536         * stress/tdz-this-in-try-catch.js: Added.
2537         (__v_6388):
2538         (__v_6392):
2539
2540 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2541
2542         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2543         https://bugs.webkit.org/show_bug.cgi?id=179594
2544
2545         Reviewed by Saam Barati.
2546
2547         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2548         (shouldBe):
2549         (args):
2550         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2551         (shouldBe):
2552         (args):
2553
2554 2017-11-14  Saam Barati  <sbarati@apple.com>
2555
2556         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2557         https://bugs.webkit.org/show_bug.cgi?id=179639
2558         <rdar://problem/35513018>
2559
2560         Reviewed by JF Bastien.
2561
2562         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2563         (escape):
2564         (i.func):
2565
2566 2017-11-13  Mark Lam  <mark.lam@apple.com>
2567
2568         Add more overflow check book-keeping for MarkedArgumentBuffer.
2569         https://bugs.webkit.org/show_bug.cgi?id=179634
2570         <rdar://problem/35492517>
2571
2572         Reviewed by Saam Barati.
2573
2574         * stress/regress-179634.js: Added.
2575
2576 2017-11-13  Mark Lam  <mark.lam@apple.com>
2577
2578         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2579         https://bugs.webkit.org/show_bug.cgi?id=179619
2580         <rdar://problem/35492518>
2581
2582         Reviewed by Saam Barati.
2583
2584         * stress/regress-179619.js: Added.
2585
2586 2017-11-12  Mark Lam  <mark.lam@apple.com>
2587
2588         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2589         https://bugs.webkit.org/show_bug.cgi?id=179562
2590         <rdar://problem/35467022>
2591
2592         Reviewed by Saam Barati.
2593
2594         * regress-179562.js: Added.
2595
2596 2017-11-08  Saam Barati  <sbarati@apple.com>
2597
2598         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2599         https://bugs.webkit.org/show_bug.cgi?id=177792
2600
2601         Reviewed by Yusuke Suzuki.
2602
2603         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2604         (assert):
2605         (foo.Foo.prototype.ensureX):
2606         (foo.Foo):
2607         (foo):
2608         (access):
2609
2610 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2611
2612         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2613         https://bugs.webkit.org/show_bug.cgi?id=178592
2614
2615         Unreviewed test gardening.
2616
2617         * test262.yaml:
2618
2619 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2620
2621         Turn recursive tail calls into loops
2622         https://bugs.webkit.org/show_bug.cgi?id=176601
2623
2624         Reviewed by Saam Barati.
2625
2626         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2627
2628         Add some simple test that computes factorial in several ways, and other trivial computations.
2629         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2630         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2631         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2632         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2633
2634         * stress/inline-call-to-recursive-tail-call.js: Added.
2635         (factorial.aux):
2636         (factorial):
2637         (factorial2.aux2):
2638         (factorial2.id):
2639         (factorial2):
2640         (factorial3.aux3):
2641         (factorial3):
2642         (aux4):
2643         (factorial4):
2644         (foo):
2645         (auxBar):
2646         (bar):
2647         (test):
2648
2649 2017-11-07  Mark Lam  <mark.lam@apple.com>
2650
2651         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2652         https://bugs.webkit.org/show_bug.cgi?id=179355
2653         <rdar://problem/35263053>
2654
2655         Reviewed by Saam Barati.
2656
2657         * stress/regress-179355.js: Added.
2658
2659 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2660
2661         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2662         https://bugs.webkit.org/show_bug.cgi?id=144458
2663
2664         Reviewed by Saam Barati.
2665
2666         * microbenchmarks/dfg-internal-function-call.js: Added.
2667         (target):
2668         * microbenchmarks/dfg-internal-function-construct.js: Added.
2669         (target):
2670         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2671         (target):
2672         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2673         (target):
2674         * stress/dfg-internal-function-call.js: Added.
2675         (shouldBe):
2676         (target):
2677         * stress/dfg-internal-function-construct.js: Added.
2678         (shouldBe):
2679         (target):
2680         * stress/internal-function-call.js: Added.
2681         (shouldBe):
2682         * stress/internal-function-construct.js: Added.
2683         (shouldBe):
2684
2685 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2686
2687         [Win] Skip stress/regress-178385.js.
2688         https://bugs.webkit.org/show_bug.cgi?id=179298
2689
2690         Unreviewed test gardening.
2691
2692         * stress/regress-178385.js:
2693
2694 2017-11-03  Keith Miller  <keith_miller@apple.com>
2695
2696         Add test for ic with side effects
2697         https://bugs.webkit.org/show_bug.cgi?id=179268
2698
2699         Reviewed by Saam Barati.
2700
2701         * stress/put-inline-cache-side-effects.js: Added.
2702         (let.i.of.objs.keys):
2703         (f):
2704
2705 2017-11-03  Mark Lam  <mark.lam@apple.com>
2706
2707         CachedCall (and its clients) needs overflow checks.
2708         https://bugs.webkit.org/show_bug.cgi?id=179185
2709
2710         Reviewed by JF Bastien.
2711
2712         * stress/regress-179185.js: Added.
2713
2714 2017-11-02  Michael Saboff  <msaboff@apple.com>
2715
2716         DFG needs to handle code motion of code in for..in loop bodies
2717         https://bugs.webkit.org/show_bug.cgi?id=179212
2718
2719         Reviewed by Keith Miller.
2720
2721         New regression test.
2722
2723         * stress/for-in-side-effects.js: Added.
2724         (getPrototypeOf):
2725         (reset):
2726         (testWithoutFTL.f):
2727         (testWithoutFTL):
2728         (testWithFTL.f):
2729         (testWithFTL):
2730
2731 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2732
2733         AI does not correctly model the clobber case of ArithClz32
2734         https://bugs.webkit.org/show_bug.cgi?id=179188
2735
2736         Reviewed by Michael Saboff.
2737
2738         * stress/arith-clz32-effects.js: Added.
2739         (foo):
2740         (valueOf):
2741
2742 2017-11-01  Michael Saboff  <msaboff@apple.com>
2743
2744         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2745         https://bugs.webkit.org/show_bug.cgi?id=179140
2746
2747         Reviewed by Saam Barati.
2748
2749         New regression test.
2750
2751         * stress/regress-179140.js: Added.
2752         (testWithoutFTL):
2753         (testWithFTL):
2754
2755 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2756
2757         [JSC] Introduce @toObject
2758         https://bugs.webkit.org/show_bug.cgi?id=178726
2759
2760         Reviewed by Saam Barati.
2761
2762         * stress/array-copywithin.js:
2763         (shouldThrow):
2764         * stress/object-constructor-boolean-edge.js: Added.
2765         (shouldBe):
2766         (test):
2767         * stress/object-constructor-global.js: Added.
2768         (shouldBe):
2769         * stress/object-constructor-null-edge.js: Added.
2770         (shouldBe):
2771         (test):
2772         * stress/object-constructor-number-edge.js: Added.
2773         (shouldBe):
2774         (test):
2775         * stress/object-constructor-object-edge.js: Added.
2776         (shouldBe):
2777         (test):
2778         (i.arg):
2779         * stress/object-constructor-string-edge.js: Added.
2780         (shouldBe):
2781         (test):
2782         * stress/object-constructor-symbol-edge.js: Added.
2783         (shouldBe):
2784         (test):
2785         * stress/object-constructor-undefined-edge.js: Added.
2786         (shouldBe):
2787         (test):
2788         * stress/symbol-array-from.js: Added.
2789         (shouldBe):
2790         * stress/to-object-intrinsic-boolean-edge.js: Added.
2791         (shouldBe):
2792         (builtin.createBuiltin):
2793         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2794         (shouldThrow):
2795         * stress/to-object-intrinsic-number-edge.js: Added.
2796         (shouldBe):
2797         (builtin.createBuiltin):
2798         * stress/to-object-intrinsic-object-edge.js: Added.
2799         (shouldBe):
2800         (builtin.createBuiltin):
2801         (i.arg):
2802         * stress/to-object-intrinsic-string-edge.js: Added.
2803         (shouldBe):
2804         (builtin.createBuiltin):
2805         * stress/to-object-intrinsic-symbol-edge.js: Added.
2806         (shouldBe):
2807         (builtin.createBuiltin):
2808         * stress/to-object-intrinsic.js: Added.
2809         (shouldBe):
2810         (shouldThrow):
2811         (builtin.createBuiltin):
2812
2813 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2814
2815         [DFG][FTL] Introduce StringSlice
2816         https://bugs.webkit.org/show_bug.cgi?id=178934
2817
2818         Reviewed by Saam Barati.
2819
2820         * microbenchmarks/string-slice-empty.js: Added.
2821         (slice):
2822         * microbenchmarks/string-slice-one-char.js: Added.
2823         (slice):
2824         * microbenchmarks/string-slice.js: Added.
2825         (slice):
2826
2827 2017-10-26  Michael Saboff  <msaboff@apple.com>
2828
2829         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2830         https://bugs.webkit.org/show_bug.cgi?id=178890
2831
2832         Reviewed by Keith Miller.
2833
2834         New regression test.
2835
2836         * stress/regress-178890.js: Added.
2837
2838 2017-10-26  Mark Lam  <mark.lam@apple.com>
2839
2840         JSRopeString::RopeBuilder::append() should check for overflows.
2841         https://bugs.webkit.org/show_bug.cgi?id=178385
2842         <rdar://problem/35027468>
2843
2844         Reviewed by Saam Barati.
2845
2846         * stress/regress-178385.js: Added.
2847
2848 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2849
2850         Unreviewed, rolling out r223961.
2851
2852         The change that required this has been rolled out.
2853
2854         Reverted changeset:
2855
2856         "Mark test262.yaml/test262/test/language/statements/try/tco-
2857         catch.js as passing."
2858         https://bugs.webkit.org/show_bug.cgi?id=178592
2859         https://trac.webkit.org/changeset/223961
2860
2861 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2862
2863         Unreviewed, rolling out r223691 and r223729.
2864         https://bugs.webkit.org/show_bug.cgi?id=178834
2865
2866         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2867         by rniwa on #webkit).
2868
2869         Reverted changesets:
2870
2871         "Turn recursive tail calls into loops"
2872         https://bugs.webkit.org/show_bug.cgi?id=176601
2873         https://trac.webkit.org/changeset/223691
2874
2875         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2876         comparison is always false due to limited range of data type
2877         [-Wtype-limits]"
2878         https://bugs.webkit.org/show_bug.cgi?id=178543
2879         https://trac.webkit.org/changeset/223729
2880
2881 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2882
2883         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2884         https://bugs.webkit.org/show_bug.cgi?id=178592
2885
2886         Unreviewed test gardening.
2887
2888         * test262.yaml:
2889
2890 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2891
2892         [FTL] Support NewStringObject
2893         https://bugs.webkit.org/show_bug.cgi?id=178737
2894
2895         Reviewed by Saam Barati.
2896
2897         * stress/new-string-object.js: Added.
2898         (shouldBe):
2899         (test):
2900
2901 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2902
2903         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2904         https://bugs.webkit.org/show_bug.cgi?id=178308
2905
2906         Reviewed by Mark Lam.
2907
2908         * test262.yaml:
2909
2910 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2911
2912         [JSC] Use fastJoin in Array#toString
2913         https://bugs.webkit.org/show_bug.cgi?id=178062
2914
2915         Reviewed by Darin Adler.
2916
2917         * microbenchmarks/contiguous-array-to-string.js: Added.
2918         (target):
2919         * microbenchmarks/double-array-to-string.js: Added.
2920         (target):
2921         * microbenchmarks/int32-array-to-string.js: Added.
2922         (target):
2923
2924 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2925
2926         stress/check-string-ident.js is improperly skipped
2927         https://bugs.webkit.org/show_bug.cgi?id=178642
2928
2929         Reviewed by Saam Barati.
2930
2931         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2932         since it enforces the run-jsc-stress-tests script to still set up the
2933         test to run, despite the skip directive that's used before.
2934
2935 2017-10-20  Mark Lam  <mark.lam@apple.com>
2936
2937         Add a test case for r214334.
2938         https://bugs.webkit.org/show_bug.cgi?id=169941
2939         <rdar://problem/31221258>
2940
2941         Reviewed by JF Bastien.
2942
2943         * stress/regress-169941.js: Added.
2944
2945 2017-10-19  JF Bastien  <jfbastien@apple.com>
2946
2947         WebAssembly: no VM / JS version of everything but Instance
2948         https://bugs.webkit.org/show_bug.cgi?id=177473
2949
2950         Reviewed by Filip Pizlo, Saam Barati.
2951
2952         - Exceeding max on memory growth now returns a range error as per
2953         spec. This is a (very minor) breaking change: it used to throw OOM
2954         error. Update the corresponding test.
2955
2956         * wasm/js-api/memory-grow.js:
2957         (assertEq):
2958         * wasm/js-api/table.js:
2959         (assert.throws):
2960
2961 2017-10-19  Mark Lam  <mark.lam@apple.com>
2962
2963         Stringifier::appendStringifiedValue() is missing an exception check.
2964         https://bugs.webkit.org/show_bug.cgi?id=178386
2965         <rdar://problem/35027610>
2966
2967         Reviewed by Saam Barati.
2968
2969         * stress/regress-178386.js: Added.
2970
2971 2017-10-19  Michael Saboff  <msaboff@apple.com>
2972
2973         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2974         https://bugs.webkit.org/show_bug.cgi?id=178521
2975
2976         Reviewed by JF Bastien.
2977
2978         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2979         now passes with the current version (5.0) of the Emoji spec.
2980
2981 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2982
2983         Turn recursive tail calls into loops
2984         https://bugs.webkit.org/show_bug.cgi?id=176601
2985
2986         Reviewed by Saam Barati.
2987
2988         Add some simple test that computes factorial in several ways, and other trivial computations.
2989         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2990         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2991         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2992         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2993
2994         * stress/inline-call-to-recursive-tail-call.js: Added.
2995         (factorial.aux):
2996         (factorial):
2997         (factorial2.aux):
2998         (factorial2.id):
2999         (factorial2):
3000         (factorial3.aux):
3001         (factorial3):
3002         (aux):
3003         (factorial4):
3004         (test):
3005
3006 2017-10-18  Mark Lam  <mark.lam@apple.com>
3007
3008         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3009         https://bugs.webkit.org/show_bug.cgi?id=177600
3010         <rdar://problem/34710985>
3011
3012         Reviewed by Saam Barati.
3013
3014         * stress/regress-177600.js: Added.
3015
3016 2017-10-18  Mark Lam  <mark.lam@apple.com>
3017
3018         The compiler should always register a structure when it adds its transitionWatchPointSet.
3019         https://bugs.webkit.org/show_bug.cgi?id=178420
3020         <rdar://problem/34814024>
3021
3022         Reviewed by Saam Barati and Filip Pizlo.
3023
3024         * stress/regress-178420.js: Added.
3025         (new.Array.10000.map):
3026
3027 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3028
3029         [JSC] __proto__ getter should be fast
3030         https://bugs.webkit.org/show_bug.cgi?id=178067
3031
3032         Reviewed by Saam Barati.
3033
3034         * stress/dfg-object-proto-accessor.js: Added.
3035         (shouldBe):
3036         (shouldThrow):
3037         (target):
3038         * stress/dfg-object-proto-getter.js: Added.
3039         (shouldBe):
3040         (shouldThrow):
3041         (target):
3042         * stress/dfg-object-prototype-of.js: Added.
3043         (shouldBe):
3044         (shouldThrow):
3045         (target):
3046         * stress/dfg-reflect-get-prototype-of.js: Added.
3047         (shouldBe):
3048         (shouldThrow):
3049         (target):
3050         * stress/intrinsic-getter-with-poly-proto.js: Added.
3051         (shouldBe):
3052         (makePolyProtoObject.foo.C):
3053         (makePolyProtoObject.foo):
3054         (makePolyProtoObject):
3055         (target):
3056         * stress/object-get-prototype-of-filtered.js: Added.
3057         (shouldBe):
3058         (shouldThrow):
3059         (target):
3060         (i.Cocoa):
3061         * stress/object-get-prototype-of-mono-proto.js: Added.
3062         (shouldBe):
3063         (makePolyProtoObject.foo.C):
3064         (makePolyProtoObject.foo):
3065         (makePolyProtoObject):
3066         (target):
3067         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3068         (shouldBe):
3069         (makePolyProtoObject.foo.C):
3070         (makePolyProtoObject.foo):
3071         (makePolyProtoObject):
3072         (target):
3073         * stress/object-get-prototype-of-poly-proto.js: Added.
3074         (shouldBe):
3075         (makePolyProtoObject.foo.C):
3076         (makePolyProtoObject.foo):
3077         (makePolyProtoObject):
3078         (target):
3079         * stress/object-proto-getter-filtered.js: Added.
3080         (shouldBe):
3081         (shouldThrow):
3082         (target):
3083         (i.Cocoa):
3084         * stress/object-proto-getter-poly-mono-proto.js: Added.
3085         (shouldBe):
3086         (makePolyProtoObject.foo.C):
3087         (makePolyProtoObject.foo):
3088         (makePolyProtoObject):
3089         (target):
3090         * stress/object-proto-getter-poly-proto.js: Added.
3091         (shouldBe):
3092         (makePolyProtoObject.foo.C):
3093         (makePolyProtoObject.foo):
3094         (makePolyProtoObject):
3095         (target):
3096         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3097         * stress/string-proto.js: Added.
3098         (shouldBe):
3099         (target):
3100
3101 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3102
3103         Unreviewed, rolling out r223523.
3104
3105         A test for this change is failing on debug JSC bots.
3106
3107         Reverted changeset:
3108
3109         "[JSC] __proto__ getter should be fast"
3110         https://bugs.webkit.org/show_bug.cgi?id=178067
3111         https://trac.webkit.org/changeset/223523
3112
3113 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3114
3115         [JSC] __proto__ getter should be fast
3116         https://bugs.webkit.org/show_bug.cgi?id=178067
3117
3118         Reviewed by Saam Barati.
3119
3120         * stress/dfg-object-proto-accessor.js: Added.
3121         (shouldBe):
3122         (shouldThrow):
3123         (target):
3124         * stress/dfg-object-proto-getter.js: Added.
3125         (shouldBe):
3126         (shouldThrow):
3127         (target):
3128         * stress/dfg-object-prototype-of.js: Added.
3129         (shouldBe):
3130         (shouldThrow):
3131         (target):
3132         * stress/dfg-reflect-get-prototype-of.js: Added.
3133         (shouldBe):
3134         (shouldThrow):
3135         (target):
3136         * stress/object-get-prototype-of-filtered.js: Added.
3137         (shouldBe):
3138         (shouldThrow):
3139         (target):
3140         (i.Cocoa):
3141         * stress/object-get-prototype-of-mono-proto.js: Added.
3142         (shouldBe):
3143         (makePolyProtoObject.foo.C):
3144         (makePolyProtoObject.foo):
3145         (makePolyProtoObject):
3146         (target):
3147         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3148         (shouldBe):
3149         (makePolyProtoObject.foo.C):
3150         (makePolyProtoObject.foo):
3151         (makePolyProtoObject):
3152         (target):
3153         * stress/object-get-prototype-of-poly-proto.js: Added.
3154         (shouldBe):
3155         (makePolyProtoObject.foo.C):
3156         (makePolyProtoObject.foo):
3157         (makePolyProtoObject):
3158         (target):
3159         * stress/object-proto-getter-filtered.js: Added.
3160         (shouldBe):
3161         (shouldThrow):
3162         (target):
3163         (i.Cocoa):
3164         * stress/object-proto-getter-poly-mono-proto.js: Added.
3165         (shouldBe):
3166         (makePolyProtoObject.foo.C):
3167         (makePolyProtoObject.foo):
3168         (makePolyProtoObject):
3169         (target):
3170         * stress/object-proto-getter-poly-proto.js: Added.
3171         (shouldBe):
3172         (makePolyProtoObject.foo.C):
3173         (makePolyProtoObject.foo):
3174         (makePolyProtoObject):
3175         (target):
3176         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3177         * stress/string-proto.js: Added.
3178         (shouldBe):
3179         (target):
3180
3181 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3182
3183         Reland "Add Above/Below comparisons for UInt32 patterns"
3184         https://bugs.webkit.org/show_bug.cgi?id=177281
3185
3186         Reviewed by Saam Barati.
3187
3188         * stress/uint32-comparison-jump.js: Added.
3189         (shouldBe):
3190         (above):
3191         (aboveOrEqual):
3192         (below):
3193         (belowOrEqual):
3194         (notAbove):
3195         (notAboveOrEqual):
3196         (notBelow):
3197         (notBelowOrEqual):
3198         * stress/uint32-comparison.js: Added.
3199         (shouldBe):
3200         (above):
3201         (aboveOrEqual):
3202         (below):
3203         (belowOrEqual):
3204         (aboveTest):
3205         (aboveOrEqualTest):
3206         (belowTest):
3207         (belowOrEqualTest):
3208
3209 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3212         https://bugs.webkit.org/show_bug.cgi?id=178210
3213
3214         Reviewed by Saam Barati.
3215
3216         * wasm/function-tests/trap-from-start-async.js:
3217         (async.StartTrapsAsync):
3218         * wasm/function-tests/trap-from-start.js:
3219         (StartTraps):
3220         * wasm/js-api/web-assembly-function.js:
3221         (assert.eq.Object.getPrototypeOf):
3222         * wasm/js-api/wrapper-function.js:
3223         (return.new.WebAssembly.Module):
3224         (assert.throws.makeInstance): Deleted.
3225         (assert.throws.Bar): Deleted.
3226         (assert.throws): Deleted.
3227
3228 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3229
3230         Enable gigacage on iOS
3231         https://bugs.webkit.org/show_bug.cgi?id=177586
3232
3233         Reviewed by JF Bastien.
3234         
3235         Add tests for when Gigacage gets runtime disabled.
3236
3237         * stress/disable-gigacage-arrays.js: Added.
3238         (foo):
3239         * stress/disable-gigacage-strings.js: Added.
3240         (foo):
3241         * stress/disable-gigacage-typed-arrays.js: Added.
3242         (foo):
3243
3244 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3245
3246         import.meta should not be assignable
3247         https://bugs.webkit.org/show_bug.cgi?id=178202
3248
3249         Reviewed by Saam Barati.
3250
3251         * modules/import-meta-assignment.js: Added.
3252         (shouldThrow):
3253         (SyntaxError.import.meta.can.shouldThrow):
3254
3255 2017-10-11  Saam Barati  <sbarati@apple.com>
3256
3257         Unreviewed. Actually skip certain type profiler tests in debug.
3258
3259         * typeProfiler.yaml:
3260         * typeProfiler/deltablue-for-of.js:
3261         * typeProfiler/getter-richards.js:
3262
3263 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3264
3265         Unreviewed, rolling out r223113 and r223121.
3266         https://bugs.webkit.org/show_bug.cgi?id=178182
3267
3268         Reintroduced 20% regression on Kraken (Requested by rniwa on
3269         #webkit).
3270
3271         Reverted changesets:
3272
3273         "Enable gigacage on iOS"
3274         https://bugs.webkit.org/show_bug.cgi?id=177586
3275         https://trac.webkit.org/changeset/223113
3276
3277         "Use one virtual allocation for all gigacages and their
3278         runways"
3279         https://bugs.webkit.org/show_bug.cgi?id=178050
3280         https://trac.webkit.org/changeset/223121
3281
3282 2017-10-11  Michael Saboff  <msaboff@apple.com>
3283
3284         Disable test262 named capture group tests with direct unicode names and with references before definitions
3285         https://bugs.webkit.org/show_bug.cgi?id=178177
3286
3287         Reviewed by Keith Miller.
3288
3289         Bugs to track fixing these test are:
3290         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3291             "Add support in named capture group identifiers for direct surrogate pairs"
3292         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3293             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3294
3295         * test262.yaml:
3296
3297 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3298
3299         Object properties are undefined in super.call() but not in this.call()
3300         https://bugs.webkit.org/show_bug.cgi?id=177230
3301
3302         Reviewed by Saam Barati.
3303
3304         * stress/super-call-function-subclass.js: Added.
3305         (assert):
3306         (A.prototype.t):
3307         (A):
3308         * stress/super-dot-call-and-apply.js: Added.
3309         (assert):
3310         (A):
3311         (A.prototype.call):
3312         (A.prototype.apply):
3313         (B.prototype.testSuper):
3314         (B):
3315         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3316         (D.prototype.testSuper):
3317         (D):
3318
3319 2017-10-10  Saam Barati  <sbarati@apple.com>
3320
3321         The prototype cache should be aware of the Executable it generates a Structure for
3322         https://bugs.webkit.org/show_bug.cgi?id=177907
3323
3324         Reviewed by Filip Pizlo.
3325
3326         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3327         (assert):
3328         (foo.C):
3329         (foo):
3330         (bar.C):
3331         (bar):
3332         (access):
3333         (makeLongChain):
3334         (accessY):
3335
3336 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3337
3338         `async` should be able to be used as an imported binding name
3339         https://bugs.webkit.org/show_bug.cgi?id=176573
3340
3341         Reviewed by Saam Barati.
3342
3343         * modules/import-default-async.js: Added.
3344         * modules/import-named-async-as.js: Added.
3345         * modules/import-named-async.js: Added.
3346         * modules/import-named-async/target.js: Added.
3347         * modules/import-namespace-async.js: Added.
3348         * test262.yaml:
3349
3350 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3351
3352         Enable gigacage on iOS
3353         https://bugs.webkit.org/show_bug.cgi?id=177586
3354
3355         Reviewed by JF Bastien.
3356         
3357         Add tests for when Gigacage gets runtime disabled.
3358
3359         * stress/disable-gigacage-arrays.js: Added.
3360         (foo):
3361         * stress/disable-gigacage-strings.js: Added.
3362         (foo):
3363         * stress/disable-gigacage-typed-arrays.js: Added.
3364         (foo):
3365
3366 2017-10-09  Michael Saboff  <msaboff@apple.com>
3367
3368         Implement RegExp Unicode property escapes
3369         https://bugs.webkit.org/show_bug.cgi?id=172069
3370
3371         Reviewed by JF Bastien.
3372
3373         Enabled Unicode Property tests.
3374
3375         * test262.yaml:
3376
3377 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3378
3379         Unreviewed, rolling out r223015 and r223025.
3380         https://bugs.webkit.org/show_bug.cgi?id=178093
3381
3382         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3383         #webkit).
3384
3385         Reverted changesets:
3386
3387         "Enable gigacage on iOS"
3388         https://bugs.webkit.org/show_bug.cgi?id=177586
3389         http://trac.webkit.org/changeset/223015
3390
3391         "Unreviewed, disable Gigacage on ARM64 Linux"
3392         https://bugs.webkit.org/show_bug.cgi?id=177586
3393         http://trac.webkit.org/changeset/223025
3394
3395 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3396
3397         Update expectations for test262 tests that pass after r223043.
3398         https://bugs.webkit.org/show_bug.cgi?id=176685
3399
3400         Unreviewed test gardening.
3401
3402         * test262.yaml:
3403
3404 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3405
3406         Unreviewed, rolling out r223022.
3407
3408         This change introduced 18 test262 failures.
3409
3410         Reverted changeset:
3411
3412         "`async` should be able to be used as an imported binding
3413         name"
3414         https://bugs.webkit.org/show_bug.cgi?id=176573
3415         http://trac.webkit.org/changeset/223022
3416
3417 2017-10-09  Saam Barati  <sbarati@apple.com>
3418
3419         3 poly-proto JSC tests timing out on debug after r222827
3420         https://bugs.webkit.org/show_bug.cgi?id=177880
3421         <rdar://problem/34817122>
3422
3423         Unreviewed.
3424
3425         I'm skipping these type profiler tests on debug since they are long running.
3426
3427         * typeProfiler/deltablue-for-of.js:
3428         * typeProfiler/getter-richards.js:
3429
3430 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3431
3432         Safari 10 /11 problem with if (!await get(something)).
3433         https://bugs.webkit.org/show_bug.cgi?id=176685
3434
3435         Reviewed by Saam Barati.
3436
3437         * stress/async-await-basic.js:
3438         (awaitEpression.async):
3439         * stress/async-await-syntax.js:
3440         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3441         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3442
3443 2017-10-08  Saam Barati  <sbarati@apple.com>
3444
3445         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3446
3447         * typeProfiler/deltablue-for-of.js:
3448         * typeProfiler/getter-richards.js:
3449
3450 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3451
3452         `async` should be able to be used as an imported binding name
3453         https://bugs.webkit.org/show_bug.cgi?id=176573
3454
3455         Reviewed by Darin Adler.
3456
3457         * modules/import-default-async.js: Added.
3458         * modules/import-named-async-as.js: Added.
3459         * modules/import-named-async.js: Added.
3460         * modules/import-named-async/target.js: Added.
3461         * modules/import-namespace-async.js: Added.
3462
3463 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3464
3465         Enable gigacage on iOS
3466         https://bugs.webkit.org/show_bug.cgi?id=177586
3467
3468         Reviewed by JF Bastien.
3469         
3470         Add tests for when Gigacage gets runtime disabled.
3471
3472         * stress/disable-gigacage-arrays.js: Added.
3473         (foo):
3474         * stress/disable-gigacage-strings.js: Added.
3475         (foo):
3476         * stress/disable-gigacage-typed-arrays.js: Added.
3477         (foo):
3478
3479 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3480
3481         Unreviewed, rolling out r222791 and r222873.
3482         https://bugs.webkit.org/show_bug.cgi?id=178031
3483
3484         Caused crashes with workers/wasm LayoutTests (Requested by
3485         ryanhaddad on #webkit).
3486
3487         Reverted changesets:
3488
3489         "WebAssembly: no VM / JS version of everything but Instance"
3490         https://bugs.webkit.org/show_bug.cgi?id=177473
3491         http://trac.webkit.org/changeset/222791
3492
3493         "WebAssembly: address no VM / JS follow-ups"
3494         https://bugs.webkit.org/show_bug.cgi?id=177887
3495         http://trac.webkit.org/changeset/222873
3496
3497 2017-10-05  Saam Barati  <sbarati@apple.com>
3498
3499         Make sure all prototypes under poly proto get added into the VM's prototype map
3500         https://bugs.webkit.org/show_bug.cgi?id=177909
3501
3502         Reviewed by Keith Miller.
3503
3504         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3505         (assert):
3506         (foo.C):
3507         (foo):
3508         (set x):
3509
3510 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3511
3512         [JSC] Introduce import.meta
3513         https://bugs.webkit.org/show_bug.cgi?id=177703
3514
3515         Reviewed by Filip Pizlo.
3516
3517         * modules/import-meta-syntax.js: Added.
3518         (shouldThrow):
3519         (shouldNotThrow):
3520         * modules/import-meta.js: Added.
3521         * modules/import-meta/cocoa.js: Added.
3522         * modules/resources/assert.js:
3523         (export.shouldNotThrow):
3524         * stress/import-syntax.js:
3525
3526 2017-10-04  Saam Barati  <sbarati@apple.com>
3527
3528         Make pertinent AccessCases watch the poly proto watchpoint
3529         https://bugs.webkit.org/show_bug.cgi?id=177765
3530
3531         Reviewed by Keith Miller.
3532
3533         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3534         (assert):
3535         (foo.C):
3536         (foo):
3537         (validate):
3538         * stress/poly-proto-clear-stub.js: Added.
3539         (assert):
3540         (foo.C):
3541         (foo):
3542
3543 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3544
3545         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3546
3547         Unreviewed test gardening.
3548
3549         * test262.yaml:
3550
3551 2017-10-04  Saam Barati  <sbarati@apple.com>
3552
3553         3 poly-proto JSC tests timing out on debug after r222827
3554         https://bugs.webkit.org/show_bug.cgi?id=177880
3555
3556         Rubber stamped by Mark Lam.
3557
3558         * microbenchmarks/poly-proto-access.js:
3559         * typeProfiler/deltablue-for-of.js:
3560         * typeProfiler/getter-richards.js:
3561
3562 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3563
3564         Unreviewed, marking tco-catch.js as a failure after test262 update
3565         https://bugs.webkit.org/show_bug.cgi?id=177859
3566
3567         * test262.yaml:
3568
3569 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3570
3571         Unreviewed, marking one async iterator test262 test failed
3572         https://bugs.webkit.org/show_bug.cgi?id=177859
3573
3574         * test262.yaml:
3575
3576 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3577
3578         [Test262] Update Test262 to Oct 4 version
3579         https://bugs.webkit.org/show_bug.cgi?id=177859
3580
3581         Reviewed by Sam Weinig.
3582
3583         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3584         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3585
3586         * test262.yaml:
3587         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3588         (checkSequence):
3589         * test262/harness/typeCoercion.js:
3590         (testCoercibleToIndexZero):
3591         (testCoercibleToIndexOne):
3592         (testCoercibleToIndexFromIndex):
3593         (testNotCoercibleToIndex.testPrimitiveValue):
3594         (testNotCoercibleToInteger):
3595         (testCoercibleToBigIntZero.testPrimitiveValue):
3596         (testCoercibleToBigIntZero):
3597         (testCoercibleToBigIntOne.testPrimitiveValue):
3598         (testCoercibleToBigIntOne):
3599         (testPrimitiveValue):
3600         (testCoercibleToBigIntFromBigInt):
3601         (testNotCoercibleToBigInt.testPrimitiveValue):
3602         (testNotCoercibleToBigInt.testStringValue):
3603         (testNotCoercibleToBigInt):
3604         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3605         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3606         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3607         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3608         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3609         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3610         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3611         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3612         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3613         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3614         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3615         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3616         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3617         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3618         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3619         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3620         (testCoercibleToBigIntZero):
3621         (testCoercibleToBigIntOne):
3622         (testNotCoercibleToBigInt):
3623         (MyError): Deleted.
3624         (valueOf): Deleted.
3625         (toString): Deleted.
3626         (Symbol.toPrimitive): Deleted.
3627         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3628         (testCoercibleToIndexZero):
3629         (testCoercibleToIndexOne):
3630         (testNotCoercibleToIndex):
3631         (MyError): Deleted.
3632         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3633         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3634         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3635         (BigInt.asIntN.valueOf): Deleted.
3636         (BigInt.asIntN.toString): Deleted.
3637         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3638         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3639         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3640         (testCoercibleToBigIntZero):
3641         (testCoercibleToBigIntOne):
3642         (testNotCoercibleToBigInt):
3643         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3644         (testCoercibleToIndexZero):
3645         (testCoercibleToIndexOne):
3646         (testNotCoercibleToIndex):
3647         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3648         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3649         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3650         (bits.valueOf):
3651         (bigint.valueOf):
3652         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3653         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3654         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3655         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3656         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3657         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3658         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3659         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3660         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3661         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3662         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3663         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3664         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3665         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3666         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3667         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3668         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3669         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3670         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3671         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3672         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3673         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3674         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3675         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3676         (replacer):
3677         (BigInt.prototype.toJSON):
3678         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3679         (replacer):
3680         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3681         (BigInt.prototype.toJSON):
3682         * test262/test/built-ins/JSON/stringify/bigint.js:
3683         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3684         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3685         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3686         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3687         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3688         * test262/test/built-ins/Object/proto-from-ctor.js:
3689         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3690         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3691         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3692         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3693         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3694         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3695         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3696         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3697         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3698         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3699         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3700         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3701         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3702         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3703         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3704         * test262/test/built-ins/Proxy/get-fn-realm.js:
3705         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3706         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3707         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3708         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3709         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3710         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3711         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3712         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3713         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3714         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3715         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3716         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3717         (i6.replace):
3718         (i6b.replace):
3719         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3720         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3721         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3722         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3723         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3724         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3725         * test262/test/built-ins/RegExp/u180e.js: Added.
3726         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3727         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3728         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3729         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3730         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3731         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3732         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3733         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3734         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3735         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3736         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3737         * test262/test/built-ins/String/prototype/endsWith/length.js:
3738         * test262/test/built-ins/String/prototype/endsWith/name.js:
3739         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3740         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3741         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3742         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3743         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3744         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3745         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3746         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js: