Add SetCallee as DFG-Operation
[WebKit-https.git] / JSTests / ChangeLog
1 2018-05-01  Dominik Infuehr  <dinfuehr@igalia.com>
2
3         Add SetCallee as DFG-Operation
4         https://bugs.webkit.org/show_bug.cgi?id=184582
5
6         Reviewed by Filip Pizlo.
7
8         Added test that runs into infinite loop without updating the callee and
9         therefore emitting SetCallee in DFG for recursive tail calls.
10
11         * stress/closure-recursive-tail-call-infinite-loop.js: Added.
12         (Foo):
13         (second):
14         (first):
15         (return.closure):
16         (createClosure):
17
18 2018-04-30  Saam Barati  <sbarati@apple.com>
19
20         ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
21         https://bugs.webkit.org/show_bug.cgi?id=185149
22         <rdar://problem/39455917>
23
24         Reviewed by Filip Pizlo.
25
26         * stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.
27
28 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
29
30         LICM shouldn't hoist nodes if hoisted nodes exited in that code block
31         https://bugs.webkit.org/show_bug.cgi?id=185126
32
33         Reviewed by Saam Barati.
34         
35         I found this bug by accident when I was writing this test for something else.
36         
37         This change also speeds up other benchmarks of this case that we already had. They are all called
38         the licm-dragons tests.
39
40         * microbenchmarks/licm-dragons-two-structures.js: Added.
41         (foo):
42
43 2018-04-29  Commit Queue  <commit-queue@webkit.org>
44
45         Unreviewed, rolling out r231137.
46         https://bugs.webkit.org/show_bug.cgi?id=185118
47
48         It is breaking Test262 language/expressions/multiplication
49         /order-of-evaluation.js (Requested by caiolima on #webkit).
50
51         Reverted changeset:
52
53         "[ESNext][BigInt] Implement support for "*" operation"
54         https://bugs.webkit.org/show_bug.cgi?id=183721
55         https://trac.webkit.org/changeset/231137
56
57 2018-04-28  Saam Barati  <sbarati@apple.com>
58
59         We don't model regexp effects properly
60         https://bugs.webkit.org/show_bug.cgi?id=185059
61         <rdar://problem/39736150>
62
63         Reviewed by Filip Pizlo.
64
65         * stress/regexp-exec-test-effectful-last-index.js: Added.
66         (assert):
67         (foo):
68         (i.regexLastIndex.toString):
69         (bar):
70
71 2018-04-28  Rick Waldron  <waldron.rick@gmail.com>
72
73         Token misspelled "tocken" in error message string
74         https://bugs.webkit.org/show_bug.cgi?id=185030
75
76         Reviewed by Saam Barati.
77
78         * ChakraCore/test/Basics/IdsWithEscapes.baseline-jsc: Fix typo "tocken" => "token"
79         * stress/destructuring-assignment-syntax.js: Fix typo "tocken" => "token"
80         * stress/error-messages-for-in-operator-should-not-crash.js: Fix typo "tocken" => "token"
81         * stress/reserved-word-with-escape.js: Fix typo "tocken" => "token"
82         (testSyntaxError.String.raw.v):
83         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
84         (testSyntaxError.String.raw.a):
85
86 2018-04-28  Caio Lima  <ticaiolima@gmail.com>
87
88         [ESNext][BigInt] Implement support for "*" operation
89         https://bugs.webkit.org/show_bug.cgi?id=183721
90
91         Reviewed by Saam Barati.
92
93         * bigIntTests.yaml:
94         * stress/big-int-mul-jit.js: Added.
95         * stress/big-int-mul-to-primitive-precedence.js: Added.
96         * stress/big-int-mul-to-primitive.js: Added.
97         * stress/big-int-mul-type-error.js: Added.
98         * stress/big-int-mul-wrapped-value.js: Added.
99         * stress/big-int-multiplication.js: Added.
100         * stress/big-int-multiply-memory-stress.js: Added.
101
102 2018-04-28  Commit Queue  <commit-queue@webkit.org>
103
104         Unreviewed, rolling out r231131.
105         https://bugs.webkit.org/show_bug.cgi?id=185112
106
107         It is breaking Debug build due to unchecked exception
108         (Requested by caiolima on #webkit).
109
110         Reverted changeset:
111
112         "[ESNext][BigInt] Implement support for "*" operation"
113         https://bugs.webkit.org/show_bug.cgi?id=183721
114         https://trac.webkit.org/changeset/231131
115
116 2018-04-27  Caio Lima  <ticaiolima@gmail.com>
117
118         [ESNext][BigInt] Implement support for "*" operation
119         https://bugs.webkit.org/show_bug.cgi?id=183721
120
121         Reviewed by Saam Barati.
122
123         * bigIntTests.yaml:
124         * stress/big-int-mul-jit.js: Added.
125         * stress/big-int-mul-to-primitive-precedence.js: Added.
126         * stress/big-int-mul-to-primitive.js: Added.
127         * stress/big-int-mul-type-error.js: Added.
128         * stress/big-int-mul-wrapped-value.js: Added.
129         * stress/big-int-multiplication.js: Added.
130         * stress/big-int-multiply-memory-stress.js: Added.
131
132 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
133
134         Unreviewed, rolling out r231086.
135
136         Caused JSC test failures due to an unchecked exception.
137
138         Reverted changeset:
139
140         "[ESNext][BigInt] Implement support for "*" operation"
141         https://bugs.webkit.org/show_bug.cgi?id=183721
142         https://trac.webkit.org/changeset/231086
143
144 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
145
146         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
147
148         * test262.yaml: Mark tests as passing.
149
150 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
151
152         [ESNext][BigInt] Implement support for "*" operation
153         https://bugs.webkit.org/show_bug.cgi?id=183721
154
155         Reviewed by Saam Barati.
156
157         * bigIntTests.yaml:
158         * stress/big-int-mul-jit.js: Added.
159         * stress/big-int-mul-to-primitive-precedence.js: Added.
160         * stress/big-int-mul-to-primitive.js: Added.
161         * stress/big-int-mul-type-error.js: Added.
162         * stress/big-int-mul-wrapped-value.js: Added.
163         * stress/big-int-multiplication.js: Added.
164         * stress/big-int-multiply-memory-stress.js: Added.
165
166 2018-04-25  Robin Morisset  <rmorisset@apple.com>
167
168         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
169         https://bugs.webkit.org/show_bug.cgi?id=184773
170         <rdar://problem/37773612>
171
172         Reviewed by Filip Pizlo.
173
174         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
175         so I decided to add it to the stress tests nonetheless.
176
177         * stress/create-rest-while-having-a-bad-time.js: Added.
178         (f):
179         (g):
180         (h):
181
182 2018-04-25  Keith Miller  <keith_miller@apple.com>
183
184         Add missing scope release to functionProtoFuncToString
185         https://bugs.webkit.org/show_bug.cgi?id=184995
186
187         Reviewed by Saam Barati.
188
189         * stress/function-toString-arrow.js: Added.
190         (async):
191
192 2018-04-24  Keith Miller  <keith_miller@apple.com>
193
194         fromCharCode is missing some exception checks
195         https://bugs.webkit.org/show_bug.cgi?id=184952
196
197         Reviewed by Saam Barati.
198
199         * stress/fromCharCode-exception-check.js: Added.
200         (get catch):
201
202 2018-04-24  Mark Lam  <mark.lam@apple.com>
203
204         Gardening: test fix after r230863.
205         https://bugs.webkit.org/show_bug.cgi?id=184846
206         <rdar://problem/39390672>
207
208         Not reviewed.
209
210         * stress/json-stringified-overflow-2.js:
211         (catch):
212         * stress/json-stringified-overflow.js:
213         (catch):
214
215 2018-04-20  JF Bastien  <jfbastien@apple.com>
216
217         Handle more JSON stringify OOM
218         https://bugs.webkit.org/show_bug.cgi?id=184846
219         <rdar://problem/39390672>
220
221         Reviewed by Mark Lam.
222
223         * stress/json-stringified-overflow-2.js: Added. Same as the one
224         below, but with a bigger input which will trigger a different code
225         path.
226         (catch):
227         * stress/json-stringified-overflow.js: Modify the test to only
228         catch OOM on stringification. not on string creation.
229
230 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
231
232         [WebAssembly][Modules] Import tables in wasm modules
233         https://bugs.webkit.org/show_bug.cgi?id=184738
234
235         Reviewed by JF Bastien.
236
237         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
238         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
239         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
240         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
241         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
242         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
243         * wasm/modules/wasm-imports-wasm-exports.js:
244         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
245         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
246         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
247         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
248
249 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
250
251         [WebAssembly][Modules] Import globals from wasm modules
252         https://bugs.webkit.org/show_bug.cgi?id=184736
253
254         Reviewed by JF Bastien.
255
256         * wasm.yaml:
257         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
258         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
259         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
260         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
261         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
262         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
263         * wasm/modules/wasm-imports-wasm-exports.js:
264         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
265         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
266         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
267         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
268
269 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
270
271         Unreviewed, reland r230697, r230720, and r230724.
272         https://bugs.webkit.org/show_bug.cgi?id=184600
273
274         * wasm.yaml:
275         * wasm/modules/constant.wasm: Added.
276         * wasm/modules/constant.wat: Added.
277         * wasm/modules/default-import-star-error.js: Added.
278         (then):
279         * wasm/modules/default-import-star-error/entry.wasm: Added.
280         * wasm/modules/default-import-star-error/entry.wat: Added.
281         * wasm/modules/default-import-star-error/t0.js: Added.
282         * wasm/modules/default-import-star-error/t1.js: Added.
283         * wasm/modules/default-import-star-error/t2.js: Added.
284         (export.default.Cocoa):
285         * wasm/modules/js-wasm-cycle.js: Added.
286         * wasm/modules/js-wasm-cycle/entry.js: Added.
287         (from.string_appeared_here.export.return42):
288         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
289         * wasm/modules/js-wasm-cycle/sum.wat: Added.
290         * wasm/modules/js-wasm-function-namespace.js: Added.
291         (assert.throws):
292         * wasm/modules/js-wasm-function.js: Added.
293         (assert.throws):
294         * wasm/modules/js-wasm-global-namespace.js: Added.
295         (assert.throws):
296         * wasm/modules/js-wasm-global.js: Added.
297         (assert.throws):
298         * wasm/modules/js-wasm-memory-namespace.js: Added.
299         (assert.throws):
300         * wasm/modules/js-wasm-memory.js: Added.
301         (assert.throws):
302         * wasm/modules/js-wasm-start.js: Added.
303         (then):
304         * wasm/modules/js-wasm-table-namespace.js: Added.
305         (assert.throws):
306         * wasm/modules/js-wasm-table.js: Added.
307         (assert.throws):
308         * wasm/modules/memory.wasm: Added.
309         * wasm/modules/memory.wat: Added.
310         * wasm/modules/run-from-wasm.wasm: Added.
311         * wasm/modules/run-from-wasm.wat: Added.
312         * wasm/modules/run-from-wasm/check.js: Added.
313         (export.check):
314         * wasm/modules/start.wasm: Added.
315         * wasm/modules/start.wat: Added.
316         * wasm/modules/sum.wasm: Added.
317         * wasm/modules/sum.wat: Added.
318         * wasm/modules/table.wasm: Added.
319         * wasm/modules/table.wat: Added.
320         * wasm/modules/wasm-imports-js-exports.js: Added.
321         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
322         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
323         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
324         (export.sum):
325         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
326         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
327         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
328         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
329         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
330         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
331         * wasm/modules/wasm-imports-wasm-exports.js: Added.
332         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
333         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
334         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
335         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
336         * wasm/modules/wasm-js-cycle.js: Added.
337         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
338         * wasm/modules/wasm-js-cycle/entry.wat: Added.
339         * wasm/modules/wasm-js-cycle/sum.js: Added.
340         (from.string_appeared_here.export.sum):
341         * wasm/modules/wasm-wasm-cycle.js: Added.
342         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
343         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
344         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
345         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
346
347 2018-04-17  Commit Queue  <commit-queue@webkit.org>
348
349         Unreviewed, rolling out r230697, r230720, and r230724.
350         https://bugs.webkit.org/show_bug.cgi?id=184717
351
352         These caused multiple failures on the Test262 testers.
353         (Requested by mlewis13 on #webkit).
354
355         Reverted changesets:
356
357         "[WebAssembly][Modules] Prototype wasm import"
358         https://bugs.webkit.org/show_bug.cgi?id=184600
359         https://trac.webkit.org/changeset/230697
360
361         "[WebAssembly][Modules] Implement function import from wasm
362         modules"
363         https://bugs.webkit.org/show_bug.cgi?id=184689
364         https://trac.webkit.org/changeset/230720
365
366         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
367         https://bugs.webkit.org/show_bug.cgi?id=184703
368         https://trac.webkit.org/changeset/230724
369
370 2018-04-17  JF Bastien  <jfbastien@apple.com>
371
372         A put is not an ExistingProperty put when we transition a structure because of an attributes change
373         https://bugs.webkit.org/show_bug.cgi?id=184706
374         <rdar://problem/38871451>
375
376         Reviewed by Saam Barati.
377
378         * stress/put-by-id-direct-strict-transition.js: Added.
379         (const.foo):
380         (j.const.obj.set hello):
381         * stress/put-by-id-direct-transition.js: Added.
382         (const.foo):
383         (j.const.obj.set hello):
384         * stress/put-getter-setter-by-id-strict-transition.js: Added.
385         (const.foo):
386         (j.const.obj.set hello):
387         * stress/put-getter-setter-by-id-transition.js: Added.
388         (const.foo):
389         (j.const.obj.set hello):
390
391 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
392
393         PutStackSinkingPhase should know that KillStack means ConflictingFlush
394         https://bugs.webkit.org/show_bug.cgi?id=184672
395
396         Reviewed by Michael Saboff.
397
398         * stress/sink-put-stack-over-kill-stack.js: Added.
399         (avocado_1):
400         (apricot_0):
401         (__c_0):
402         (banana_2):
403
404 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
405
406         [JSC] Rename runWebAssembly to runWebAssemblySuite
407         https://bugs.webkit.org/show_bug.cgi?id=184703
408
409         Reviewed by JF Bastien.
410
411         And add runWebAssembly as a command to simplely run wasm modules.
412
413         * wasm.yaml:
414
415 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
416
417         [WebAssembly][Modules] Implement function import from wasm modules
418         https://bugs.webkit.org/show_bug.cgi?id=184689
419
420         Reviewed by JF Bastien.
421
422         * wasm.yaml:
423         * wasm/modules/js-wasm-cycle.js: Added.
424         * wasm/modules/js-wasm-cycle/entry.js: Added.
425         (from.string_appeared_here.export.return42):
426         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
427         * wasm/modules/js-wasm-cycle/sum.wat: Added.
428         * wasm/modules/run-from-wasm.wasm: Added.
429         * wasm/modules/run-from-wasm.wat: Added.
430         * wasm/modules/run-from-wasm/check.js: Added.
431         (export.check):
432         * wasm/modules/wasm-imports-js-exports.js: Added.
433         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
434         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
435         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
436         (export.sum):
437         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
438         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
439         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
440         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
441         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
442         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
443         * wasm/modules/wasm-imports-wasm-exports.js: Added.
444         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
445         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
446         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
447         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
448         * wasm/modules/wasm-js-cycle.js: Added.
449         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
450         * wasm/modules/wasm-js-cycle/entry.wat: Added.
451         * wasm/modules/wasm-js-cycle/sum.js: Added.
452         (from.string_appeared_here.export.sum):
453         * wasm/modules/wasm-wasm-cycle.js: Added.
454         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
455         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
456         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
457         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
458
459 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
460
461         [WebAssembly][Modules] Prototype wasm import
462         https://bugs.webkit.org/show_bug.cgi?id=184600
463
464         Reviewed by JF Bastien.
465
466         Add wasm and wat files since module loader want to load wasm files from FS.
467         Currently, importing the other modules from wasm is not supported.
468
469         * wasm.yaml:
470         * wasm/modules/constant.wasm: Added.
471         * wasm/modules/constant.wat: Added.
472         * wasm/modules/js-wasm-function-namespace.js: Added.
473         (assert.throws):
474         * wasm/modules/js-wasm-function.js: Added.
475         (assert.throws):
476         * wasm/modules/js-wasm-global-namespace.js: Added.
477         (assert.throws):
478         * wasm/modules/js-wasm-global.js: Added.
479         (assert.throws):
480         * wasm/modules/js-wasm-memory-namespace.js: Added.
481         (assert.throws):
482         * wasm/modules/js-wasm-memory.js: Added.
483         (assert.throws):
484         * wasm/modules/js-wasm-start.js: Added.
485         (then):
486         * wasm/modules/js-wasm-table-namespace.js: Added.
487         (assert.throws):
488         * wasm/modules/js-wasm-table.js: Added.
489         (assert.throws):
490         * wasm/modules/memory.wasm: Added.
491         * wasm/modules/memory.wat: Added.
492         * wasm/modules/start.wasm: Added.
493         * wasm/modules/start.wat: Added.
494         * wasm/modules/sum.wasm: Added.
495         * wasm/modules/sum.wat: Added.
496         * wasm/modules/table.wasm: Added.
497         * wasm/modules/table.wat: Added.
498
499 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
500
501         Function.prototype.caller shouldn't return generator bodies
502         https://bugs.webkit.org/show_bug.cgi?id=184630
503
504         Reviewed by Yusuke Suzuki.
505
506         * stress/function-caller-async-arrow-function-body.js: Added.
507         * stress/function-caller-async-function-body.js: Added.
508         * stress/function-caller-async-generator-body.js: Added.
509         * stress/function-caller-generator-body.js: Added.
510         * stress/function-caller-generator-method-body.js: Added.
511
512 2018-04-12  Tomas Popela  <tpopela@redhat.com>
513
514         Unreviewed, skip JIT tests if it isn't enabled
515
516         See https://bugs.webkit.org/show_bug.cgi?id=182730.
517
518         * stress/big-int-spec-to-primitive.js:
519         * stress/big-int-spec-to-this.js:
520
521 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
522
523         [ESNext][BigInt] Add support for BigInt in SpeculatedType
524         https://bugs.webkit.org/show_bug.cgi?id=182470
525
526         Reviewed by Saam Barati.
527
528         * stress/big-int-spec-to-primitive.js: Added.
529         * stress/big-int-spec-to-this.js: Added.
530         * stress/big-int-strict-equals-jit.js: Added.
531         * stress/big-int-strict-spec-to-this.js: Added.
532         * stress/big-int-type-of-proven-type.js: Added.
533
534 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
535
536         DFG AI and clobberize should agree with each other
537         https://bugs.webkit.org/show_bug.cgi?id=184440
538
539         Reviewed by Saam Barati.
540         
541         Add tests for all of the bugs I fixed.
542
543         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
544         (foo):
545         * stress/new-typed-array-cse-effects.js: Added.
546         (foo):
547         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
548         (foo.theO):
549         (foo):
550         * stress/string-from-char-code-change-structure-not-dead.js: Added.
551         (foo):
552         (i.valueOf):
553         (weirdValue.valueOf):
554         * stress/string-from-char-code-change-structure.js: Added.
555         (foo):
556         (i.valueOf):
557         (weirdValue.valueOf):
558
559 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
560
561         Fix errant Test262 files CRLF to LF for consistency with the original source
562         https://bugs.webkit.org/show_bug.cgi?id=184425
563
564         Reviewed by Yusuke Suzuki.
565
566         * test262/test/built-ins/Math/acosh/nan-returns.js:
567         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
568         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
569         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
570         * test262/test/built-ins/Math/cbrt/prop-desc.js:
571         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
572         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
573         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
574         * test262/test/built-ins/Math/log2/log2-basicTests.js:
575         * test262/test/built-ins/Math/sign/sign-specialVals.js:
576         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
577         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
578         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
579         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
580
581 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
582
583         Unreviewed, remove incorrect entry in test262.yaml
584         https://bugs.webkit.org/show_bug.cgi?id=184266
585
586         * test262.yaml:
587
588 2018-04-08  Valerie Young  <valerie@bocoup.com>
589
590         [JSC] Update Test262 to April 6 version
591         https://bugs.webkit.org/show_bug.cgi?id=184266
592
593         Rubber stamped by Yusuke Suzuki.
594
595 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
596
597         [JSC] Introduce op_get_by_id_direct
598         https://bugs.webkit.org/show_bug.cgi?id=183970
599
600         Reviewed by Filip Pizlo.
601
602         * stress/generator-prototype-copy.js: Added.
603         (gen):
604         (catch):
605         Adopted JF's tests.
606
607         * stress/generator-type-check.js: Added.
608         (shouldThrow):
609         (foo2):
610         (i.shouldThrow):
611         * stress/get-by-id-direct-getter.js: Added.
612         (shouldBe):
613         (shouldThrow):
614         (obj.get hello):
615         (builtin.createBuiltin):
616         (obj2.get length):
617         * stress/get-by-id-direct.js: Added.
618         (shouldBe):
619         (shouldThrow):
620         (builtin.createBuiltin):
621         * test262.yaml:
622         We fixed long-standing spec compatibility issue.
623         As a result, this patch makes several test262 tests passed!
624
625
626 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
627
628         Unreviewed, annotate test with @skip if $memoryLimited
629         https://bugs.webkit.org/show_bug.cgi?id=183894
630
631         * stress/json-stringified-overflow.js:
632
633 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
634
635         Add svn:eol-style to line-terminator-normalisation-CR.js
636         https://bugs.webkit.org/show_bug.cgi?id=184341
637
638         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
639
640 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
641
642         Unreviewed, remove errant LF from existing test262 test for CR line endings.
643
644         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
645
646 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
647
648         Unreviewed, rolling out r230320.
649
650         Revert fix, as the root cause lies elsewhere.
651
652         Reverted changeset:
653
654         "[test262] Mark line-terminator-normalisation-CR.js as a
655         binary file."
656         https://bugs.webkit.org/show_bug.cgi?id=184341
657         https://trac.webkit.org/changeset/230320
658
659 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
660
661         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
662         https://bugs.webkit.org/show_bug.cgi?id=184341
663
664         Reviewed by Yusuke Suzuki.
665
666         This test is all about CR line endings, but `svn-apply` can't deal with them.
667         Treating the file as binary ensures that its contents never are never shown in a diff.
668
669         * .gitattributes: Added.
670
671 2018-04-05  Robin Morisset  <rmorisset@apple.com>
672
673         Fix testcase (missing try/catch).
674         https://bugs.webkit.org/show_bug.cgi?id=183657
675
676         Unreviewed.
677
678         * stress/large-unshift-splice.js
679
680 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
681
682         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
683         https://bugs.webkit.org/show_bug.cgi?id=184319
684
685         Reviewed by Saam Barati.
686
687         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
688         (foo):
689         (bar):
690         * stress/array-push-nan-to-double-array.js: Added.
691         (foo):
692         (bar):
693
694 2018-04-03  Mark Lam  <mark.lam@apple.com>
695
696         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
697         https://bugs.webkit.org/show_bug.cgi?id=184284
698
699         Reviewed by Saam Barati.
700
701         * stress/js-fixed-array-out-of-memory.js:
702
703 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
704
705         JSC crash in JIT code with for-of loop and Array/Set iterators
706         https://bugs.webkit.org/show_bug.cgi?id=183174
707
708         Reviewed by Saam Barati.
709
710         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
711         (foo):
712         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
713         (f):
714
715 2018-03-30  JF Bastien  <jfbastien@apple.com>
716
717         WebAssembly: support DataView compilation
718         https://bugs.webkit.org/show_bug.cgi?id=183342
719
720         Reviewed by Mark Lam.
721
722         Test WebAssembly compilation using a DataView with offset.
723
724         * wasm/regress/183342.js: Added.
725         (attempt.catch):
726
727 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
728
729         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
730         https://bugs.webkit.org/show_bug.cgi?id=184189
731
732         Reviewed by JF Bastien.
733
734         * stress/load-hole-from-scope-into-live-var.js: Added.
735         (result.eval.try.switch):
736         (catch):
737
738 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
739
740         Unreviewed, rolling out r230102.
741
742         Caused assertion failures on JSC bots.
743
744         Reverted changeset:
745
746         "A stack overflow in the parsing of a builtin (called by
747         createExecutable) cause a crash instead of a catchable js
748         exception"
749         https://bugs.webkit.org/show_bug.cgi?id=184074
750         https://trac.webkit.org/changeset/230102
751
752 2018-03-30  Robin Morisset  <rmorisset@apple.com>
753
754         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
755         https://bugs.webkit.org/show_bug.cgi?id=183812
756
757         Reviewed by Keith Miller.
758
759         * stress/inlining-unreachable-non-tail.js: Added.
760         (foo.):
761         (foo):
762
763 2018-03-30  Robin Morisset  <rmorisset@apple.com>
764
765         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
766         https://bugs.webkit.org/show_bug.cgi?id=184074
767         <rdar://problem/37165897>
768
769         Reviewed by Keith Miller.
770
771         * stress/stack-overflow-while-parsing-builtin.js: Added.
772         (f):
773
774 2018-03-30  Robin Morisset  <rmorisset@apple.com>
775
776         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
777         https://bugs.webkit.org/show_bug.cgi?id=183657
778
779         Reviewed by Keith Miller.
780
781         * stress/large-unshift-splice.js: Added.
782         (make_contig_arr):
783
784 2018-03-28  Robin Morisset  <rmorisset@apple.com>
785
786         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
787         https://bugs.webkit.org/show_bug.cgi?id=183894
788
789         Reviewed by Saam Barati.
790
791         * stress/json-stringified-overflow.js: Added.
792         (catch):
793
794 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
795
796         DFG should know that CreateThis can be effectful
797         https://bugs.webkit.org/show_bug.cgi?id=184013
798
799         Reviewed by Saam Barati.
800
801         * stress/create-this-property-change.js: Added.
802         (Foo):
803         (RealBar):
804         (get if):
805         * stress/create-this-structure-change-without-cse.js: Added.
806         (Foo):
807         (RealBar):
808         (get if):
809         * stress/create-this-structure-change.js: Added.
810         (Foo):
811         (RealBar):
812         (get if):
813
814 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
815
816         [DFG] Introduces fused compare and jump
817         https://bugs.webkit.org/show_bug.cgi?id=177100
818
819         Reviewed by Mark Lam.
820
821         * stress/fused-jeq-slow.js: Added.
822         (shouldBe):
823         (testJEQ):
824         (testJNEQB):
825         (testJEQB):
826         (testJNEQF):
827         (testJEQF):
828         * stress/fused-jeq.js: Added.
829         (shouldBe):
830         (testJEQ):
831         (testJNEQB):
832         (testJEQB):
833         (testJNEQF):
834         (testJEQF):
835         * stress/fused-jstricteq-slow.js: Added.
836         (shouldBe):
837         (testJSTRICTEQ):
838         (testJNSTRICTEQB):
839         (testJSTRICTEQB):
840         (testJNSTRICTEQF):
841         (testJSTRICTEQF):
842         * stress/fused-jstricteq.js: Added.
843         (shouldBe):
844         (testJSTRICTEQ):
845         (testJNSTRICTEQB):
846         (testJSTRICTEQB):
847         (testJNSTRICTEQF):
848         (testJSTRICTEQF):
849
850 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
851
852         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
853         https://bugs.webkit.org/show_bug.cgi?id=183559
854
855         Reviewed by Mark Lam.
856
857         * stress/double-to-string-in-loop-removed.js: Added.
858         (test):
859         * stress/int32-to-string-in-loop-removed.js: Added.
860         (test):
861         * stress/int52-to-string-in-loop-removed.js: Added.
862         (test):
863
864 2018-03-22  Michael Saboff  <msaboff@apple.com>
865
866         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
867         https://bugs.webkit.org/show_bug.cgi?id=183901
868
869         Reviewed by Keith Miller.
870
871         New test.
872
873         * stress/array-reverse-doesnt-clobber.js: Added.
874         (testArrayReverse):
875         (createArrayOfArrays):
876         (createArrayStorage):
877
878 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
879
880         ScopedArguments should do poisoning and index masking
881         https://bugs.webkit.org/show_bug.cgi?id=183863
882
883         Reviewed by Mark Lam.
884         
885         Adds another stress test of scoped arguments.
886
887         * stress/scoped-arguments-test.js: Added.
888         (foo):
889
890 2018-03-20  Saam Barati  <sbarati@apple.com>
891
892         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
893         https://bugs.webkit.org/show_bug.cgi?id=183795
894         <rdar://problem/38298694>
895
896         Reviewed by JF Bastien.
897
898         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
899         (foo):
900         (bar):
901
902 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
903
904         [DFG][FTL] Add vectorLengthHint for NewArray
905         https://bugs.webkit.org/show_bug.cgi?id=183694
906
907         Reviewed by Saam Barati.
908
909         * stress/vector-length-hint-array-constructor.js: Added.
910         (shouldBe):
911         (test):
912         * stress/vector-length-hint-new-array.js: Added.
913         (shouldBe):
914         (test):
915
916 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
917
918         [DFG][FTL] Make ArraySlice(0) code tight
919         https://bugs.webkit.org/show_bug.cgi?id=183590
920
921         Reviewed by Saam Barati.
922
923         * stress/array-slice-with-zero.js: Added.
924         (shouldBe):
925         (test):
926         (test2):
927         * stress/array-slice-zero-args.js: Added.
928         (shouldBe):
929         (test):
930
931 2018-03-14  Caitlin Potter  <caitp@igalia.com>
932
933         [JSC] fix order of evaluation for ClassDefinitionEvaluation
934         https://bugs.webkit.org/show_bug.cgi?id=183523
935
936         Reviewed by Keith Miller.
937
938         Computed property names need to be evaluated in source order during class
939         definition evaluation, as it's observable (and specified to work this way).
940
941         This change improves compatibility with Chromium.
942
943         * stress/class_elements.js: Added.
944         (test):
945         (test.C.prototype.effect):
946         (test.C.effect):
947         (test.C.prototype.get effect):
948         (test.C.prototype.set effect):
949         (test.C):
950
951 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
952
953         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
954         https://bugs.webkit.org/show_bug.cgi?id=183310
955
956         Reviewed by Filip Pizlo.
957
958         * stress/ai-create-this-to-new-object-fire.js: Added.
959         (assert):
960         (test):
961         (func):
962         (check):
963         (test.body.A):
964         (test.body.B):
965         (test.body):
966         * stress/ai-create-this-to-new-object.js: Added.
967         (assert):
968         (test):
969         (func):
970         (check):
971         (test.body.A):
972         (test.body.B):
973         (test.body):
974
975 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
976
977         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
978         https://bugs.webkit.org/show_bug.cgi?id=181848
979
980         Reviewed by Sam Weinig.
981
982         * microbenchmarks/regexp-u-global-es5.js: Added.
983         (fn):
984         * microbenchmarks/regexp-u-global-es6.js: Added.
985         (fn):
986         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
987         (shouldBe):
988         (test):
989         (i.switch):
990         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
991         (shouldBe):
992         (test):
993
994 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
995
996         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
997         https://bugs.webkit.org/show_bug.cgi?id=183334
998
999         Reviewed by Žan Doberšek.
1000
1001         * stress/var-injection-cache-invalidation.js:
1002
1003 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
1004
1005         [ARM] Disable tests that run out of memory
1006         https://bugs.webkit.org/show_bug.cgi?id=182699
1007
1008         Reviewed by Žan Doberšek.
1009
1010         Skip tests that run of of memory. Do not run
1011         modules/module-jit-reachability.js without LLInt to prevent
1012         running out of executable memory.
1013
1014         * modules.yaml:
1015         * modules/module-jit-reachability.js:
1016         * stress/has-own-property-name-cache-string-keys.js:
1017         * stress/has-own-property-name-cache-symbol-keys.js:
1018
1019 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1020
1021         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
1022         https://bugs.webkit.org/show_bug.cgi?id=183173
1023
1024         Reviewed by Saam Barati.
1025
1026         * stress/async-arrow-function-in-class-heritage.js: Added.
1027         (testSyntax):
1028         (testSyntaxError):
1029         (SyntaxError):
1030
1031 2018-03-01  Saam Barati  <sbarati@apple.com>
1032
1033         We need to clear cached structures when having a bad time
1034         https://bugs.webkit.org/show_bug.cgi?id=183256
1035         <rdar://problem/36245022>
1036
1037         Reviewed by Mark Lam.
1038
1039         * stress/having-a-bad-time-with-derived-arrays.js: Added.
1040         (assert):
1041         (defineSetter):
1042         (iterate):
1043         (doSlice):
1044
1045 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1046
1047         JSC crash with `import("")`
1048         https://bugs.webkit.org/show_bug.cgi?id=183175
1049
1050         Reviewed by Saam Barati.
1051
1052         * stress/import-with-empty-string.js: Added.
1053
1054 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1055
1056         Unreviewed, skip FTL tests if FTL is disabled
1057         https://bugs.webkit.org/show_bug.cgi?id=183071
1058
1059         * stress/has-indexed-property-array-storage-ftl.js:
1060         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1061
1062 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1063
1064         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
1065         https://bugs.webkit.org/show_bug.cgi?id=182965
1066
1067         Reviewed by Saam Barati.
1068
1069         * stress/put-by-val-array-storage.js: Added.
1070         (shouldBe):
1071         (testArrayStorageInBounds):
1072         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
1073         (shouldBe):
1074         (testInt32.createBuiltin):
1075         (set for):
1076         * stress/put-by-val-slow-put-array-storage.js: Added.
1077         (shouldBe):
1078         (testArrayStorageInBounds):
1079
1080 2018-02-26  Saam Barati  <sbarati@apple.com>
1081
1082         validateStackAccess should not validate if the offset is within the stack bounds
1083         https://bugs.webkit.org/show_bug.cgi?id=183067
1084         <rdar://problem/37749988>
1085
1086         Reviewed by Mark Lam.
1087
1088         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
1089         (assert):
1090         (test.a):
1091         (test.b):
1092         (test):
1093
1094 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1095
1096         Unreviewed, skip FTL tests if FTL is disabled
1097         https://bugs.webkit.org/show_bug.cgi?id=183071
1098
1099         * stress/has-indexed-property-array-storage-ftl.js:
1100         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
1101
1102 2018-02-23  Saam Barati  <sbarati@apple.com>
1103
1104         Make Number.isInteger an intrinsic
1105         https://bugs.webkit.org/show_bug.cgi?id=183088
1106
1107         Reviewed by JF Bastien.
1108
1109         * stress/number-is-integer-intrinsic.js: Added.
1110
1111 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
1112
1113         WebAssembly: cache memory address / size on instance
1114         https://bugs.webkit.org/show_bug.cgi?id=177305
1115
1116         Reviewed by JF Bastien.
1117
1118         * wasm/function-tests/memory-reuse.js: Added.
1119         (createWasmInstance):
1120         (doCheckTrap):
1121         (doMemoryGrow):
1122         (doCheck):
1123         (checkWasmInstancesWithSharedMemory):
1124
1125 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1126
1127         [JSC] Implement $vm.ftlTrue function for FTL testing
1128         https://bugs.webkit.org/show_bug.cgi?id=183071
1129
1130         Reviewed by Mark Lam.
1131
1132         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
1133         (foo):
1134         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
1135         (foo):
1136         * stress/dead-fiat-value-to-int52.js:
1137         (foo):
1138         * stress/dead-osr-entry-value.js:
1139         (foo):
1140         * stress/fiat-value-to-int52-then-exit-not-double.js:
1141         (foo):
1142         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1143         (foo):
1144         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1145         (foo):
1146         * stress/fiat-value-to-int52-then-fold.js:
1147         (foo):
1148         * stress/fiat-value-to-int52.js:
1149         (foo):
1150         * stress/fold-based-on-int32-proof-mul-branch.js:
1151         (foo):
1152         * stress/fold-profiled-call-to-call.js:
1153         (foo):
1154         * stress/fold-to-double-constant-then-exit.js:
1155         (foo):
1156         * stress/fold-to-int52-constant-then-exit.js:
1157         (foo):
1158         * stress/fold-to-primitive-in-cfa.js:
1159         (foo):
1160         * stress/fold-to-primitive-to-identity-in-cfa.js:
1161         (foo):
1162         * stress/has-indexed-property-array-storage-ftl.js: Added.
1163         (shouldBe):
1164         (test1):
1165         (test2):
1166         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1167         (shouldBe):
1168         (test1):
1169         (test2):
1170         * stress/int52-ai-add-then-filter-int32.js:
1171         (foo):
1172         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1173         (foo):
1174         * stress/int52-ai-mul-then-filter-int32.js:
1175         (foo):
1176         * stress/int52-ai-neg-then-filter-int32.js:
1177         (foo):
1178         * stress/int52-ai-sub-then-filter-int32.js:
1179         (foo):
1180         * stress/licm-pre-header-cannot-exit-nested.js:
1181         (foo):
1182         * stress/licm-pre-header-cannot-exit.js:
1183         (foo):
1184         * stress/sparse-array-entry-update-144067.js:
1185         (useMemoryToTriggerGCs):
1186         * stress/test-spec-misc.js:
1187         (foo):
1188         * stress/tricky-array-bounds-checks.js:
1189         (foo):
1190
1191 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1192
1193         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1194         https://bugs.webkit.org/show_bug.cgi?id=182792
1195
1196         Reviewed by Mark Lam.
1197
1198         * stress/has-indexed-property-array-storage.js: Added.
1199         (shouldBe):
1200         (test1):
1201         (test2):
1202         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1203         (shouldBe):
1204         (test1):
1205         (test2):
1206
1207 2018-02-20  Saam Barati  <sbarati@apple.com>
1208
1209         DFG::VarargsForwardingPhase should eliminate getting argument length
1210         https://bugs.webkit.org/show_bug.cgi?id=182959
1211
1212         Reviewed by Keith Miller.
1213
1214         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1215
1216 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1217
1218         [FTL] Support ArrayPush for ArrayStorage
1219         https://bugs.webkit.org/show_bug.cgi?id=182782
1220
1221         Reviewed by Saam Barati.
1222
1223         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1224
1225         * stress/array-push-array-storage-beyond-int32.js: Added.
1226         (shouldBe):
1227         (test):
1228         * stress/array-push-array-storage.js: Added.
1229         (shouldBe):
1230         (test):
1231         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1232         (shouldBe):
1233         (test):
1234         * stress/array-push-multiple-storage-continuous.js: Added.
1235         (shouldBe):
1236         (test):
1237
1238 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1239
1240         [FTL] Support ArrayPop for ArrayStorage
1241         https://bugs.webkit.org/show_bug.cgi?id=182783
1242
1243         Reviewed by Saam Barati.
1244
1245         * stress/array-pop-array-storage.js: Added.
1246         (shouldBe):
1247         (test):
1248
1249 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1250
1251         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1252         https://bugs.webkit.org/show_bug.cgi?id=182731
1253
1254         Reviewed by Saam Barati.
1255
1256         * stress/arrayify-array-storage-array.js: Added.
1257         (shouldBe):
1258         (testArrayStorage):
1259         * stress/arrayify-array-storage-non-array.js: Added.
1260         (shouldBe):
1261         (testArrayStorage):
1262         * stress/arrayify-array-storage.js: Added.
1263         (shouldBe):
1264         (testArrayStorage):
1265         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1266         (shouldBe):
1267         (testArrayStorage):
1268         * stress/arrayify-slow-put-array-storage.js: Added.
1269         (shouldBe):
1270         (testArrayStorage):
1271
1272 2018-02-19  Saam Barati  <sbarati@apple.com>
1273
1274         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1275         https://bugs.webkit.org/show_bug.cgi?id=182942
1276         <rdar://problem/37584764>
1277
1278         Reviewed by Mark Lam.
1279
1280         * stress/get-prototype-create-this-effectful.js: Added.
1281
1282 2018-02-16  Saam Barati  <sbarati@apple.com>
1283
1284         Fix bugs from r228411
1285         https://bugs.webkit.org/show_bug.cgi?id=182851
1286         <rdar://problem/37577732>
1287
1288         Reviewed by JF Bastien.
1289
1290         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1291
1292 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1293
1294         Unreviewed, roll out r228366 since it did not progress anything.
1295
1296         * stress/gc-error-stack.js: Removed.
1297         * stress/no-gc-error-stack.js: Removed.
1298
1299 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1300
1301         Many stress tests fail with JIT disabled
1302         https://bugs.webkit.org/show_bug.cgi?id=182730
1303
1304         Reviewed by Saam Barati.
1305
1306         These tests are broken by design if the JIT is disabled - they test
1307         the return value of numberOfDFGCompiles(), which is always set to
1308         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1309
1310         * stress/arith-abs-on-various-types.js:
1311         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1312         * stress/arith-acos-on-various-types.js:
1313         * stress/arith-acosh-on-various-types.js:
1314         * stress/arith-asin-on-various-types.js:
1315         * stress/arith-asinh-on-various-types.js:
1316         * stress/arith-atan-on-various-types.js:
1317         * stress/arith-atanh-on-various-types.js:
1318         * stress/arith-cbrt-on-various-types.js:
1319         * stress/arith-ceil-on-various-types.js:
1320         * stress/arith-clz32-on-various-types.js:
1321         * stress/arith-cos-on-various-types.js:
1322         * stress/arith-cosh-on-various-types.js:
1323         * stress/arith-expm1-on-various-types.js:
1324         * stress/arith-floor-on-various-types.js:
1325         * stress/arith-fround-on-various-types.js:
1326         * stress/arith-log-on-various-types.js:
1327         * stress/arith-log10-on-various-types.js:
1328         * stress/arith-log2-on-various-types.js:
1329         * stress/arith-negate-on-various-types.js:
1330         * stress/arith-round-on-various-types.js:
1331         * stress/arith-sin-on-various-types.js:
1332         * stress/arith-sinh-on-various-types.js:
1333         * stress/arith-sqrt-on-various-types.js:
1334         * stress/arith-tan-on-various-types.js:
1335         * stress/arith-tanh-on-various-types.js:
1336         * stress/arith-trunc-on-various-types.js:
1337         * stress/compare-strict-eq-on-various-types.js:
1338
1339 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1340
1341         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1342
1343         Unreviewed test gardening.
1344
1345         * stress/new-largeish-contiguous-array-with-size.js:
1346
1347 2018-02-14  Saam Barati  <sbarati@apple.com>
1348
1349         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1350         https://bugs.webkit.org/show_bug.cgi?id=182801
1351
1352         Reviewed by Keith Miller.
1353
1354         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1355
1356 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1357
1358         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1359         https://bugs.webkit.org/show_bug.cgi?id=182526
1360
1361         Unreviewed test gardening.
1362
1363         * stress/activation-sink-default-value-tdz-error.js:
1364
1365 2018-02-13  Saam Barati  <sbarati@apple.com>
1366
1367         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1368         https://bugs.webkit.org/show_bug.cgi?id=182755
1369         <rdar://problem/37080864>
1370
1371         Reviewed by Keith Miller.
1372
1373         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1374         (test1.o.get 10005):
1375         (test1):
1376         (test2.o.get 1000):
1377         (test2):
1378
1379 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1380
1381         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1382         https://bugs.webkit.org/show_bug.cgi?id=182717
1383
1384         Reviewed by Yusuke Suzuki.
1385
1386         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1387         literals, to allow template callsite arrays to be collected when the
1388         code containing the tagged template call is collected. This spec change
1389         has received concensus and been ratified.
1390
1391         This change eliminates the eternal map associating template contents
1392         with arrays.
1393
1394         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1395         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1396         * stress/tagged-templates-identity.js:
1397         * stress/template-string-tags-eval.js:
1398         * test262.yaml:
1399
1400 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1401
1402         Support GetArrayLength on ArrayStorage in the FTL
1403         https://bugs.webkit.org/show_bug.cgi?id=182625
1404
1405         Reviewed by Saam Barati.
1406
1407         * stress/array-storage-length.js: Added.
1408         (shouldBe):
1409         (testInBound):
1410         (testUncountable):
1411         (testSlowPutInBound):
1412         (testSlowPutUncountable):
1413         * stress/undecided-length.js: Added.
1414         (shouldBe):
1415         (test2):
1416
1417 2018-02-12  Saam Barati  <sbarati@apple.com>
1418
1419         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1420         https://bugs.webkit.org/show_bug.cgi?id=182706
1421         <rdar://problem/36833681>
1422
1423         Reviewed by Filip Pizlo.
1424
1425         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1426         (effects):
1427         (foo):
1428
1429 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1430
1431         Don't waste memory for error.stack
1432         https://bugs.webkit.org/show_bug.cgi?id=182656
1433
1434         Reviewed by Saam Barati.
1435         
1436         Tests the policy.
1437
1438         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1439         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1440
1441 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1442
1443         [JSC] Update Test262 to Feb 9 version
1444         https://bugs.webkit.org/show_bug.cgi?id=182468
1445
1446         Reviewed by Saam Barati.
1447
1448 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1449
1450         Unreviewed, fix invalid line terminator in old test262 file part 2
1451         https://bugs.webkit.org/show_bug.cgi?id=182468
1452
1453         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1454
1455 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1456
1457         Unreviewed, fix invalid line terminator in old test262 file
1458         https://bugs.webkit.org/show_bug.cgi?id=182468
1459
1460         * test262/test/language/literals/regexp/7.8.5-1.js:
1461
1462 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1463
1464         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1465         https://bugs.webkit.org/show_bug.cgi?id=182440
1466
1467         Reviewed by Darin Adler.
1468
1469         * stress/array-flatmap.js: Added.
1470         (shouldBe):
1471         (shouldBeArray):
1472         (shouldThrow):
1473         (var):
1474         * stress/array-flatten.js: Added.
1475         (shouldBe):
1476         (shouldBeArray):
1477         * test262.yaml:
1478         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1479         (3.flatMap):
1480         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1481
1482 2018-02-06  Keith Miller  <keith_miller@apple.com>
1483
1484         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1485         https://bugs.webkit.org/show_bug.cgi?id=182549
1486         <rdar://problem/36189995>
1487
1488         Reviewed by Saam Barati.
1489
1490         * stress/var-injection-cache-invalidation.js: Added.
1491         (allocateLotsOfThings):
1492         (test):
1493
1494 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1495
1496         Unreviewed, follow up for test262 update
1497         https://bugs.webkit.org/show_bug.cgi?id=182288
1498
1499         * test262.yaml:
1500
1501 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1502
1503         Update test262 to Jan 30 version
1504         https://bugs.webkit.org/show_bug.cgi?id=182288
1505
1506         Unreviewed test gardening.
1507
1508         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1509
1510 2018-02-02  Saam Barati  <sbarati@apple.com>
1511
1512         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1513         https://bugs.webkit.org/show_bug.cgi?id=182368
1514         <rdar://problem/36932466>
1515
1516         Reviewed by Mark Lam.
1517
1518         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1519         (runNearStackLimit.t):
1520         (runNearStackLimit):
1521         (try.runNearStackLimit):
1522         (catch):
1523
1524 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1525
1526         Update test262 to Jan 30 version
1527         https://bugs.webkit.org/show_bug.cgi?id=182288
1528
1529         Rubber stamped by Saam Barati.
1530
1531         This patch updates test262 to the latest one, Jan 30 version.
1532         Since added and changed files are too many, we cannot create ChangeLog.
1533         The following files are changed.
1534
1535         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1536         including some special line terminators (like u2028, u2029).
1537
1538         * test262.yaml:
1539         * test262/test262-Revision.txt:
1540         * test262/*:
1541
1542 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1543
1544         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1545         https://bugs.webkit.org/show_bug.cgi?id=182411
1546
1547         Reviewed by Carlos Alberto Lopez Perez.
1548
1549         This is skipped only on arm memory limited platforms. Until recently
1550         it was not a problem on MIPS as the butterfly was not initialized. But
1551         since r227435, the butterfly is initialized in that test and therefore
1552         memory is allocated, and the test typically takes around 512M, which
1553         means it generally gets OOM-killed on the MIPS buildbot.
1554
1555         * mozilla/mozilla-tests.yaml:
1556
1557 2018-02-01  Mark Lam  <mark.lam@apple.com>
1558
1559         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1560         https://bugs.webkit.org/show_bug.cgi?id=182419
1561         <rdar://problem/37044945>
1562
1563         Reviewed by Saam Barati.
1564
1565         * stress/regress-182419.js: Added.
1566
1567 2018-02-01  Keith Miller  <keith_miller@apple.com>
1568
1569         Fix crashes due to mishandling custom sections.
1570         https://bugs.webkit.org/show_bug.cgi?id=182404
1571         <rdar://problem/36935863>
1572
1573         Reviewed by Saam Barati.
1574
1575         * wasm/Builder.js:
1576         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1577         * wasm/js-api/validate.js:
1578         (assert.truthy):
1579
1580 2018-01-31  Saam Barati  <sbarati@apple.com>
1581
1582         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1583         https://bugs.webkit.org/show_bug.cgi?id=182074
1584         <rdar://problem/36846261>
1585
1586         Reviewed by Mark Lam.
1587
1588         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1589         (assert):
1590         (let.func):
1591         (let.o.foo):
1592         (varFunc):
1593
1594 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1595
1596         Unreviewed, update test262 expects
1597         https://bugs.webkit.org/show_bug.cgi?id=182232
1598
1599         * test262.yaml:
1600
1601 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1602
1603         [JSC] Implement trimStart and trimEnd
1604         https://bugs.webkit.org/show_bug.cgi?id=182233
1605
1606         Reviewed by Mark Lam.
1607
1608         * stress/trim.js: Added.
1609         (shouldBe):
1610         (startTest):
1611         (endTest):
1612         (trimTest):
1613
1614 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1615
1616         [JSC] Relax line terminators in String to make JSON subset of JS
1617         https://bugs.webkit.org/show_bug.cgi?id=182232
1618
1619         Reviewed by Keith Miller.
1620
1621         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1622         * stress/relaxed-line-terminators-in-string.js: Added.
1623         (shouldBe):
1624
1625 2018-01-29  Michael Saboff  <msaboff@apple.com>
1626
1627         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1628         https://bugs.webkit.org/show_bug.cgi?id=182249
1629
1630         Reviewed by Keith Miller.
1631
1632         New regression test.
1633
1634         * stress/compare-clobber-untypeduse.js: Added.
1635
1636 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1637
1638         Unreviewed, rolling out r227725.
1639
1640         This caused internal failures.
1641
1642         Reverted changeset:
1643
1644         "JSC Sampling Profiler: Detect tester and testee when sampling
1645         in RegExp JIT"
1646         https://bugs.webkit.org/show_bug.cgi?id=152729
1647         https://trac.webkit.org/changeset/227725
1648
1649 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1650
1651         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1652         https://bugs.webkit.org/show_bug.cgi?id=152729
1653
1654         Reviewed by Saam Barati.
1655
1656         * stress/sampling-profiler-regexp.js: Added.
1657         (platformSupportsSamplingProfiler.test):
1658         (platformSupportsSamplingProfiler.baz):
1659         (platformSupportsSamplingProfiler):
1660
1661 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1662
1663         [DFG][FTL] WeakMap#set should have DFG node
1664         https://bugs.webkit.org/show_bug.cgi?id=180015
1665
1666         Reviewed by Saam Barati.
1667
1668         * stress/weakmap-set-change-get.js: Added.
1669         (shouldBe):
1670         (test):
1671         * stress/weakmap-set-cse.js: Added.
1672         (shouldBe):
1673         (test):
1674         * stress/weakset-add-change-get.js: Added.
1675         (shouldBe):
1676         * stress/weakset-add-cse.js: Added.
1677         (shouldBe):
1678
1679 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1680
1681         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1682         https://bugs.webkit.org/show_bug.cgi?id=182213
1683
1684         Reviewed by Mark Lam.
1685
1686         * stress/int32-min-to-string.js: Added.
1687         (shouldBe):
1688         (test2):
1689         (test4):
1690         (test8):
1691         (test16):
1692         (test32):
1693         * stress/zero-to-string.js: Added.
1694         (shouldBe):
1695         (test2):
1696         (test4):
1697         (test8):
1698         (test16):
1699         (test32):
1700
1701 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1702
1703         Add more module scope related tests with code evaluation by string
1704         https://bugs.webkit.org/show_bug.cgi?id=181983
1705
1706         Reviewed by Sam Weinig.
1707
1708         Add more module scope related tests. When the original tests are landed,
1709         we do not have browser integration. This patch adds more module scope tests
1710         with dynamically created script evaluation. We add tests with Function
1711         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1712
1713         * modules/scopes-eval.js: Added.
1714         (shouldBe):
1715         * modules/scopes.js:
1716         (shouldBe):
1717
1718 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1719
1720         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1721
1722         * microbenchmarks/array-push-3.js: Removed.
1723         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1724         * microbenchmarks/double-to-int32.js: Removed.
1725         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1726         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1727         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1728         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1729         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1730         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1731         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1732         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1733         * microbenchmarks/map-constant-key.js: Removed.
1734         * microbenchmarks/nested-function-parsing.js: Removed.
1735         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1736         * microbenchmarks/spread-large-array.js: Removed.
1737         * microbenchmarks/string-add-constant-folding.js: Removed.
1738         * microbenchmarks/to-lower-case.js: Removed.
1739         * microbenchmarks/undefined-property-access.js: Removed.
1740         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1741         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1742         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1743         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1744         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1745         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1746         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1747         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1748         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1749         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1750         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1751         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1752         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1753         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1754         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1755         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1756         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1757         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1758
1759 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1760
1761         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1762         https://bugs.webkit.org/show_bug.cgi?id=181739
1763         <rdar://problem/36627662>
1764
1765         Reviewed by Saam Barati.
1766
1767         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1768         (foo):
1769         (bar):
1770
1771 2018-01-22  Michael Saboff  <msaboff@apple.com>
1772
1773         DFG abstract interpreter needs to properly model effects of some Math ops
1774         https://bugs.webkit.org/show_bug.cgi?id=181886
1775
1776         Reviewed by Saam Barati.
1777
1778         New regression test.
1779
1780         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1781         (test):
1782
1783 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1784
1785         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1786         https://bugs.webkit.org/show_bug.cgi?id=181182
1787
1788         Reviewed by Darin Adler.
1789
1790         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1791         * stress/big-int-prototype-to-string-exception.js: Added.
1792         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1793         * stress/number-prototype-to-string-cast-overflow.js: Added.
1794         * stress/number-prototype-to-string-exception.js: Added.
1795         * stress/number-prototype-to-string-wrong-values.js: Added.
1796
1797 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1798
1799         Disable Atomics when SharedArrayBuffer isn’t enabled
1800         https://bugs.webkit.org/show_bug.cgi?id=181572
1801
1802         Unreviewed test gardening.
1803
1804         * test262.yaml: Skip tests that fail after this change.
1805
1806 2018-01-19  Saam Barati  <sbarati@apple.com>
1807
1808         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1809         https://bugs.webkit.org/show_bug.cgi?id=181877
1810         <rdar://problem/36630552>
1811
1812         Reviewed by Mark Lam.
1813
1814         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1815         (runNearStackLimit):
1816         (f1):
1817         (f2):
1818         (f3):
1819         (i.catch):
1820         (i.try.runNearStackLimit):
1821         (catch):
1822
1823 2018-01-19  Saam Barati  <sbarati@apple.com>
1824
1825         Spread's effects are modeled incorrectly both in AI and in Clobberize
1826         https://bugs.webkit.org/show_bug.cgi?id=181867
1827         <rdar://problem/36290415>
1828
1829         Reviewed by Michael Saboff.
1830
1831         * stress/ai-needs-to-model-spreads-effects.js: Added.
1832         (try.p.Symbol.iterator):
1833         (try.go):
1834         (catch):
1835         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1836         (assert):
1837         (foo):
1838         (a.Symbol.iterator):
1839
1840 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1841
1842         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1843         https://bugs.webkit.org/show_bug.cgi?id=181535
1844
1845         * stress/inserted-recovery-with-set-last-index.js:
1846
1847 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1848
1849         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1850         https://bugs.webkit.org/show_bug.cgi?id=181535
1851
1852         Reviewed by Saam Barati.
1853
1854         * stress/inserted-recovery-with-set-last-index.js: Added.
1855         (shouldBe):
1856         (foo):
1857         * stress/materialize-regexp-at-osr-exit.js: Added.
1858         (shouldBe):
1859         (test):
1860         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1861         (shouldBe):
1862         (test):
1863         * stress/materialize-regexp-cyclic-regexp.js: Added.
1864         (shouldBe):
1865         (test):
1866         (i.switch):
1867         * stress/materialize-regexp-cyclic.js: Added.
1868         (shouldBe):
1869         (test):
1870         (i.switch):
1871         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1872         (bar):
1873         (foo):
1874         (test):
1875         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1876         (bar):
1877         (foo):
1878         (test):
1879         * stress/materialize-regexp.js: Added.
1880         (shouldBe):
1881         (test):
1882         * stress/phantom-regexp-regexp-exec.js: Added.
1883         (shouldBe):
1884         (test):
1885         * stress/phantom-regexp-string-match.js: Added.
1886         (shouldBe):
1887         (test):
1888         * stress/regexp-last-index-sinking.js: Added.
1889         (shouldBe):
1890         (test):
1891
1892 2018-01-17  Saam Barati  <sbarati@apple.com>
1893
1894         Disable Atomics when SharedArrayBuffer isn’t enabled
1895         https://bugs.webkit.org/show_bug.cgi?id=181572
1896         <rdar://problem/36553206>
1897
1898         Reviewed by Michael Saboff.
1899
1900         * stress/isLockFree.js:
1901
1902 2018-01-17  Saam Barati  <sbarati@apple.com>
1903
1904         DFG::Node::convertToConstant needs to clear the varargs flags
1905         https://bugs.webkit.org/show_bug.cgi?id=181697
1906         <rdar://problem/36497332>
1907
1908         Reviewed by Yusuke Suzuki.
1909
1910         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1911         (doIndexOf):
1912         (bar):
1913         (i.bar):
1914
1915 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1916
1917         Unreviewed, rolling out r226937.
1918
1919         Tests added with this change are failing due to a missing
1920         exception check.
1921
1922         Reverted changeset:
1923
1924         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1925         double to int32_t"
1926         https://bugs.webkit.org/show_bug.cgi?id=181182
1927         https://trac.webkit.org/changeset/226937
1928
1929 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1930
1931         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1932         https://bugs.webkit.org/show_bug.cgi?id=181182
1933
1934         Reviewed by Darin Adler.
1935
1936         * bigIntTests.yaml:
1937         * stress/big-int-constructor.js:
1938         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1939         (assert):
1940         (assertThrowRangeError):
1941         * stress/number-prototype-to-string-cast-overflow.js: Added.
1942         (assert):
1943         (assertThrowRangeError):
1944
1945 2018-01-12  Saam Barati  <sbarati@apple.com>
1946
1947         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1948         https://bugs.webkit.org/show_bug.cgi?id=181177
1949         <rdar://problem/36205704>
1950
1951         Reviewed by Yusuke Suzuki.
1952
1953         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1954         (runNearStackLimit.t):
1955         (runNearStackLimit):
1956         (test.f):
1957         (test):
1958
1959 2018-01-12  Saam Barati  <sbarati@apple.com>
1960
1961         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1962         https://bugs.webkit.org/show_bug.cgi?id=181562
1963         <rdar://problem/36445624>
1964
1965         Reviewed by Yusuke Suzuki.
1966
1967         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1968         (f):
1969         (foo):
1970
1971 2018-01-11  Saam Barati  <sbarati@apple.com>
1972
1973         When inserting Unreachable in byte code parser we need to flush all the right things
1974         https://bugs.webkit.org/show_bug.cgi?id=181509
1975         <rdar://problem/36423110>
1976
1977         Reviewed by Mark Lam.
1978
1979         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1980
1981 2018-01-11  Saam Barati  <sbarati@apple.com>
1982
1983         JITMathIC code in the FTL is wrong when code gets duplicated
1984         https://bugs.webkit.org/show_bug.cgi?id=181525
1985         <rdar://problem/36351993>
1986
1987         Reviewed by Michael Saboff and Keith Miller.
1988
1989         * stress/allow-math-ic-b3-code-duplication.js: Added.
1990
1991 2018-01-11  Saam Barati  <sbarati@apple.com>
1992
1993         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1994         https://bugs.webkit.org/show_bug.cgi?id=181508
1995
1996         Reviewed by Yusuke Suzuki.
1997
1998         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1999         (assert):
2000         (test1.foo):
2001         (test1):
2002         (test2.foo):
2003         (test2):
2004
2005 2018-01-09  Mark Lam  <mark.lam@apple.com>
2006
2007         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
2008         https://bugs.webkit.org/show_bug.cgi?id=181388
2009         <rdar://problem/36349351>
2010
2011         Reviewed by Saam Barati.
2012
2013         * stress/regress-181388.js: Added.
2014
2015 2018-01-08  JF Bastien  <jfbastien@apple.com>
2016
2017         WebAssembly: mask indexed accesses to Table
2018         https://bugs.webkit.org/show_bug.cgi?id=181412
2019         <rdar://problem/36363236>
2020
2021         Reviewed by Saam Barati.
2022
2023         Update error messages.
2024
2025         * wasm/js-api/table.js:
2026         (assert.throws.WebAssembly.Table.prototype.grow):
2027
2028 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
2029
2030         Disable SharedArrayBuffer tests missed in r226386.
2031         https://bugs.webkit.org/show_bug.cgi?id=181266
2032
2033         Unreviewed test gardening.
2034
2035         * test262.yaml:
2036
2037 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2038
2039         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
2040         https://bugs.webkit.org/show_bug.cgi?id=181321
2041
2042         Reviewed by Saam Barati.
2043
2044         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
2045         (shouldBe):
2046         (testFunction):
2047         * test262.yaml:
2048
2049 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
2050
2051         Unreviewed, attempt to fix test262 after r226386.
2052
2053         * test262.yaml:
2054
2055 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2056
2057         [DFG] Define defs for MapSet/SetAdd to participate in CSE
2058         https://bugs.webkit.org/show_bug.cgi?id=179911
2059
2060         Reviewed by Saam Barati.
2061
2062         In addition to these tests, map-set-cse.js and set-add-cse.js work.
2063
2064         * stress/map-set-change-get.js: Added.
2065         (shouldBe):
2066         (test):
2067         * stress/map-set-create-bucket.js: Added.
2068         (shouldBe):
2069         (test):
2070         * stress/set-add-create-bucket.js: Added.
2071         (shouldBe):
2072
2073 2018-01-03  Michael Saboff  <msaboff@apple.com>
2074
2075         Disable SharedArrayBuffers from Web API
2076         https://bugs.webkit.org/show_bug.cgi?id=181266
2077
2078         Reviewed by Saam Barati.
2079
2080         Disabled SharedArrayBuffer tests.
2081
2082         * stress/SharedArrayBuffer-opt.js:
2083         * stress/SharedArrayBuffer.js:
2084         * stress/array-buffer-byte-length.js:
2085         * stress/atomics-add-uint32.js:
2086         * stress/atomics-known-int-use.js:
2087         * stress/atomics-neg-zero.js:
2088         * stress/atomics-store-return.js:
2089         * stress/lars-sab-workers.js:
2090         * stress/regress-159779-1.js:
2091         * stress/regress-159779-2.js:
2092         * stress/regress-170473.js:
2093         * test262.yaml:
2094
2095 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
2096
2097         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
2098         https://bugs.webkit.org/show_bug.cgi?id=181258
2099
2100         Reviewed by Antonio Gomes.
2101
2102         * stress/big-int-constructor-gc.js:
2103         * stress/big-int-constructor-oom.js:
2104
2105 2018-01-03  Robin Morisset  <rmorisset@apple.com>
2106
2107         Inlining of a function that ends in op_unreachable crashes
2108         https://bugs.webkit.org/show_bug.cgi?id=181027
2109
2110         Reviewed by Filip Pizlo.
2111
2112         * stress/inlining-unreachable.js: Added.
2113         (bar):
2114         (baz):
2115         (i.catch):
2116
2117 2018-01-02  Saam Barati  <sbarati@apple.com>
2118
2119         Incorrect assertion inside AccessCase
2120         https://bugs.webkit.org/show_bug.cgi?id=181200
2121         <rdar://problem/35494754>
2122
2123         Reviewed by Yusuke Suzuki.
2124
2125         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
2126         (ctor):
2127         (theFunc):
2128         (run):
2129
2130 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
2131
2132         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
2133         https://bugs.webkit.org/show_bug.cgi?id=175359
2134
2135         Reviewed by Yusuke Suzuki.
2136
2137         * bigIntTests.yaml:
2138         * stress/big-int-as-key.js: Added.
2139         * stress/big-int-constructor-gc.js: Added.
2140         * stress/big-int-constructor-oom.js: Added.
2141         * stress/big-int-constructor-properties.js: Added.
2142         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2143         * stress/big-int-constructor-prototype.js: Added.
2144         * stress/big-int-constructor.js: Added.
2145         * stress/big-int-function-apply.js:
2146         * stress/big-int-length.js: Added.
2147         * stress/big-int-prop-descriptor.js: Added.
2148         * stress/big-int-proto-constructor.js: Added.
2149         * stress/big-int-proto-name.js: Added.
2150         * stress/big-int-prototype-properties.js: Added.
2151         * stress/big-int-prototype-proto.js: Added.
2152         * stress/big-int-prototype-value-of.js: Added.
2153         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2154         * stress/big-int-prototype-to-string-apply.js: Added.
2155         * stress/big-int-to-object.js: Added.
2156         * stress/big-int-to-string.js: Added.
2157
2158 2017-12-28  Saam Barati  <sbarati@apple.com>
2159
2160         Assertion used to determine if something is an async generator is wrong
2161         https://bugs.webkit.org/show_bug.cgi?id=181168
2162         <rdar://problem/35640560>
2163
2164         Reviewed by Yusuke Suzuki.
2165
2166         * stress/async-generator-assertion.js: Added.
2167
2168 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2169
2170         Skip stress/splay-flash-access tests on memory limited platforms
2171         https://bugs.webkit.org/show_bug.cgi?id=181086
2172
2173         Reviewed by Carlos Alberto Lopez Perez.
2174
2175         These tests use about 185M of memory, and occasionally get OOM-killed
2176         on memory limited platforms.
2177
2178         * stress/splay-flash-access-1ms.js:
2179         * stress/splay-flash-access.js:
2180
2181 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2182
2183         Skip slow jsc tests on embedded platforms
2184         https://bugs.webkit.org/show_bug.cgi?id=180937
2185
2186         Reviewed by Carlos Alberto Lopez Perez.
2187
2188         The tests typeProfiler/deltablue-for-of.js and
2189         typeProfiler/getter-richards.js take a very long time in the
2190         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2191         thus always timeout. They should be skipped on these platforms.
2192
2193         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2194         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2195
2196 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2197
2198         [JSC] Do not check isValid() in op_new_regexp
2199         https://bugs.webkit.org/show_bug.cgi?id=180970
2200
2201         Reviewed by Saam Barati.
2202
2203         * stress/regexp-syntax-error-invalid-flags.js: Added.
2204         (shouldThrow):
2205
2206 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2207
2208         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2209         https://bugs.webkit.org/show_bug.cgi?id=180712
2210
2211         Reviewed by Michael Catanzaro.
2212
2213         stress/call-apply-exponential-bytecode-size.js crashes if the
2214         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2215         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2216         should skip the test on other platforms.
2217
2218         * stress/call-apply-exponential-bytecode-size.js:
2219
2220 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2221
2222         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2223         https://bugs.webkit.org/show_bug.cgi?id=179762
2224
2225         Reviewed by Saam Barati.
2226
2227         * stress/call-varargs-double-new-array-buffer.js: Added.
2228         (assert):
2229         (bar):
2230         (foo):
2231         * stress/call-varargs-spread-new-array-buffer.js: Added.
2232         (assert):
2233         (bar):
2234         (foo):
2235         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2236         (assert):
2237         (bar):
2238         (foo):
2239         * stress/forward-varargs-double-new-array-buffer.js: Added.
2240         (assert):
2241         (test.baz):
2242         (test.bar):
2243         (test.foo):
2244         (test):
2245         * stress/new-array-buffer-sinking-osrexit.js: Added.
2246         (target):
2247         (test):
2248         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2249         (shouldBe):
2250         (test):
2251         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2252         (shouldBe):
2253         (target):
2254         (test):
2255         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2256         (assert):
2257         (test1.bar):
2258         (test1.foo):
2259         (test1):
2260         (test2.bar):
2261         (test2.foo):
2262         (test3.baz):
2263         (test3.bar):
2264         (test3.foo):
2265         (test4.baz):
2266         (test4.bar):
2267         (test4.foo):
2268         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2269         (assert):
2270         (test.baz):
2271         (test.bar):
2272         (test.foo):
2273         (test):
2274         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2275         (assert):
2276         (baz):
2277         (bar):
2278         (effects):
2279         (foo):
2280
2281 2017-12-14  Saam Barati  <sbarati@apple.com>
2282
2283         The CleanUp after LICM is erroneously removing a Check
2284         https://bugs.webkit.org/show_bug.cgi?id=180852
2285         <rdar://problem/36063494>
2286
2287         Reviewed by Filip Pizlo.
2288
2289         * stress/dont-run-cleanup-after-licm.js: Added.
2290
2291 2017-12-14  Michael Saboff  <msaboff@apple.com>
2292
2293         REGRESSION (r225695): Repro crash on yahoo login page
2294         https://bugs.webkit.org/show_bug.cgi?id=180761
2295
2296         Reviewed by JF Bastien.
2297
2298         New regression test.
2299
2300         * stress/regress-180761.js: Added.
2301
2302 2017-12-13  Keith Miller  <keith_miller@apple.com>
2303
2304         JSObjects should have a mask for loading indexed properties
2305         https://bugs.webkit.org/show_bug.cgi?id=180768
2306
2307         Reviewed by Mark Lam.
2308
2309         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2310         (test):
2311
2312 2017-12-13  Saam Barati  <sbarati@apple.com>
2313
2314         Arrow functions need their own structure because they have different properties than sloppy functions
2315         https://bugs.webkit.org/show_bug.cgi?id=180779
2316         <rdar://problem/35814591>
2317
2318         Reviewed by Mark Lam.
2319
2320         * stress/arrow-function-needs-its-own-structure.js: Added.
2321         (assert):
2322         (readPrototype):
2323         (noInline.let.f1):
2324         (noInline):
2325
2326 2017-12-13  Saam Barati  <sbarati@apple.com>
2327
2328         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2329         https://bugs.webkit.org/show_bug.cgi?id=163579
2330         <rdar://problem/35455798>
2331
2332         Reviewed by Mark Lam.
2333
2334         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2335         (assert):
2336         (test1):
2337         (i.test1):
2338         (i.test1.C):
2339         (i.test1.async.foo):
2340         (i.test1.foo):
2341         (test2):
2342
2343 2017-12-13  Saam Barati  <sbarati@apple.com>
2344
2345         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2346         https://bugs.webkit.org/show_bug.cgi?id=180734
2347         <rdar://problem/35640547>
2348
2349         Reviewed by Yusuke Suzuki.
2350
2351         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2352         (__isPropertyOfType):
2353         (__getProperties):
2354         (__getObjects):
2355         (__getRandomObject):
2356         (theClass.):
2357         (theClass):
2358         (childClass):
2359         (counter.catch):
2360
2361 2017-12-12  Saam Barati  <sbarati@apple.com>
2362
2363         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2364         https://bugs.webkit.org/show_bug.cgi?id=180725
2365         <rdar://problem/35970511>
2366
2367         Reviewed by Michael Saboff.
2368
2369         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2370         (f1):
2371         (f2):
2372         (let.o2.valueOf):
2373
2374 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2375
2376         [JSC] Implement optimized WeakMap and WeakSet
2377         https://bugs.webkit.org/show_bug.cgi?id=179929
2378
2379         Reviewed by Saam Barati.
2380
2381         * microbenchmarks/weak-map-key.js:
2382         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2383         (assert):
2384         (objectKey):
2385         (let.start.Date.now):
2386         * stress/basic-weakmap.js: Added.
2387         (shouldBe):
2388         (test):
2389         * stress/basic-weakset.js: Added.
2390         (shouldBe):
2391         (test.set new):
2392         * stress/weakmap-cse-set-break.js: Added.
2393         (shouldBe):
2394         (test):
2395         * stress/weakmap-cse.js: Added.
2396         (shouldBe):
2397         (test):
2398         * stress/weakmap-gc.js: Added.
2399         (test):
2400         * stress/weakset-cse-add-break.js: Added.
2401         (shouldBe):
2402         (test.set new):
2403         * stress/weakset-cse.js: Added.
2404         (shouldBe):
2405         (test.set new):
2406         * stress/weakset-gc.js: Added.
2407         (test.set add):
2408         (test.set new):
2409         (test):
2410
2411 2017-12-12  Saam Barati  <sbarati@apple.com>
2412
2413         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2414         https://bugs.webkit.org/show_bug.cgi?id=180723
2415         <rdar://problem/35859726>
2416
2417         Reviewed by JF Bastien.
2418
2419         * stress/get-my-argument-by-val-constant-folding.js: Added.
2420         (test):
2421         (catch):
2422
2423 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2424
2425         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2426         https://bugs.webkit.org/show_bug.cgi?id=179000
2427
2428         Reviewed by Darin Adler and Yusuke Suzuki.
2429
2430         * bigIntTests.yaml: Added.
2431         * stress/big-int-literal-line-terminator.js: Added.
2432         * stress/big-int-literals.js: Added.
2433         * stress/big-int-operations-error.js: Added.
2434         * stress/big-int-type-of.js: Added.
2435         * stress/big-int-white-space-trailing-leading.js: Added.
2436         * stress/big-int-function-apply.js: Added.
2437
2438 2017-12-11  Saam Barati  <sbarati@apple.com>
2439
2440         We need to disableCaching() in ErrorInstance when we materialize properties
2441         https://bugs.webkit.org/show_bug.cgi?id=180343
2442         <rdar://problem/35833002>
2443
2444         Reviewed by Mark Lam.
2445
2446         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2447         (assert):
2448         (makeError):
2449         (storeToStack):
2450         (storeToStackAlreadyMaterialized):
2451
2452 2017-12-05  JF Bastien  <jfbastien@apple.com>
2453
2454         WebAssembly: don't eagerly checksum
2455         https://bugs.webkit.org/show_bug.cgi?id=180441
2456         <rdar://problem/35156628>
2457
2458         Reviewed by Saam Barati.
2459
2460         Checksum is now disabled, so tests only have <?> as the module
2461         name.
2462
2463         * wasm/function-tests/nameSection.js:
2464         * wasm/function-tests/stack-overflow.js:
2465         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2466         (assertOverflows.assertThrows):
2467         (assertOverflows):
2468         * wasm/function-tests/stack-trace.js:
2469
2470 2017-12-04  JF Bastien  <jfbastien@apple.com>
2471
2472         Proxy all functions, except the $ objects
2473         https://bugs.webkit.org/show_bug.cgi?id=180375
2474
2475         Reviewed by Saam Barati.
2476
2477         It looks like this test may have broken some executions because I
2478         call some internal objects. Explicitly ignore objects whose name
2479         starts with "$" because it's a bad idea anyways.
2480
2481         * stress/proxy-all-the-parameters.js:
2482         (generateObjects):
2483         (get throw):
2484
2485 2017-12-04  Saam Barati  <sbarati@apple.com>
2486
2487         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2488         https://bugs.webkit.org/show_bug.cgi?id=180366
2489         <rdar://problem/35685877>
2490
2491         Reviewed by Michael Saboff.
2492
2493         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2494         (theParent):
2495         (test1.base.getParentStaticValue):
2496         (test1.base):
2497         (test1.__v_24888.prototype.set prop):
2498         (test1.__v_24888):
2499         (test2.base.getParentStaticValue):
2500         (test2.base):
2501         (test2.__v_24888.prototype.set prop):
2502         (test2.__v_24888):
2503         (test2):
2504
2505 2017-12-01  JF Bastien  <jfbastien@apple.com>
2506
2507         Try proxying all function arguments
2508         https://bugs.webkit.org/show_bug.cgi?id=180306
2509
2510         Reviewed by Saam Barati.
2511
2512         * stress/proxy-all-the-parameters.js: Added.
2513         (isPropertyOfType):
2514         (getProperties):
2515         (generateObjects):
2516         (getObjects):
2517         (getFunctions):
2518         (get throw):
2519         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2520
2521 2017-12-01  JF Bastien  <jfbastien@apple.com>
2522
2523         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2524         https://bugs.webkit.org/show_bug.cgi?id=180297
2525         <rdar://problem/35745556>
2526
2527         Reviewed by Mark Lam.
2528
2529         * stress/math-exceptions.js: Added.
2530         (get try):
2531         (catch):
2532
2533 2017-12-01  JF Bastien  <jfbastien@apple.com>
2534
2535         JavaScriptCore: add test for weird class static getters
2536         https://bugs.webkit.org/show_bug.cgi?id=180281
2537         <rdar://problem/35592139>
2538
2539         Reviewed by Mark Lam.
2540
2541         I fixed a bug for it in r224927 and didn't add a test. Do so.
2542
2543         * stress/class-static-get-weird.js: Added.
2544         (c.prototype.get name):
2545         (c):
2546         (c.prototype.get arguments):
2547         (c.prototype.get caller):
2548         (c.prototype.get length):
2549
2550 2017-12-01  Saam Barati  <sbarati@apple.com>
2551
2552         Having a bad time needs to handle ArrayClass indexing type as well
2553         https://bugs.webkit.org/show_bug.cgi?id=180274
2554         <rdar://problem/35667869>
2555
2556         Reviewed by Keith Miller and Mark Lam.
2557
2558         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2559         (assert):
2560         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2561         (assert):
2562
2563 2017-12-01  JF Bastien  <jfbastien@apple.com>
2564
2565         WebAssembly: restore cached stack limit after out-call
2566         https://bugs.webkit.org/show_bug.cgi?id=179106
2567         <rdar://problem/35337525>
2568
2569         Reviewed by Saam Barati.
2570
2571         * wasm/function-tests/double-instance.js: Added.
2572         (const.imp.boom):
2573         (const.imp.get callAnother):
2574
2575 2017-11-30  JF Bastien  <jfbastien@apple.com>
2576
2577         WebAssembly: improve stack trace
2578         https://bugs.webkit.org/show_bug.cgi?id=179343
2579
2580         Reviewed by Saam Barati.
2581
2582         Update the tests to follow the new format. Notably, SHA1 module
2583         hash is now included in traces, and stubs are properly identified.
2584
2585         * wasm/assert.js: Add an assertion which matches regular expressions.
2586         * wasm/function-tests/nameSection.js:
2587         * wasm/function-tests/stack-overflow.js:
2588         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2589         (assertOverflows.assertThrows.wasm.1):
2590         (assertOverflows.assertThrows.wasm.0):
2591         (assertOverflows.assertThrows):
2592         (assertOverflows):
2593         * wasm/function-tests/stack-trace.js:
2594         (import.Builder.from.string_appeared_here.assert): Deleted.
2595         * wasm/function-tests/trap-after-cross-instance-call.js:
2596         (wasmFrameCountFromError):
2597         * wasm/function-tests/trap-load-2.js:
2598         (wasmFrameCountFromError):
2599         * wasm/function-tests/trap-load.js:
2600         (wasmFrameCountFromError):
2601
2602 2017-11-30  Mark Lam  <mark.lam@apple.com>
2603
2604         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2605         https://bugs.webkit.org/show_bug.cgi?id=180219
2606         <rdar://problem/35696536>
2607
2608         Reviewed by Filip Pizlo.
2609
2610         * stress/regress-180219.js: Added.
2611
2612 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2613
2614         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2615         https://bugs.webkit.org/show_bug.cgi?id=180190
2616
2617         Reviewed by Mark Lam.
2618
2619         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2620         (shouldBe):
2621         (test1):
2622         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2623         (shouldBe):
2624         (test1):
2625         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2626         (shouldBe):
2627         (test1):
2628         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2629         (shouldBe):
2630         (test1):
2631         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2632         (shouldBe):
2633         (test1):
2634         * stress/operation-in-may-have-negative-int32.js: Added.
2635         (shouldBe):
2636         (test2):
2637         * stress/operation-in-negative-int32-cast.js: Added.
2638         (shouldBe):
2639         (test1):
2640
2641 2017-11-28  JF Bastien  <jfbastien@apple.com>
2642
2643         Strict and sloppy functions shouldn't share structure
2644         https://bugs.webkit.org/show_bug.cgi?id=180103
2645         <rdar://problem/35667847>
2646
2647         Reviewed by Saam Barati.
2648
2649         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2650         because the IC was wrong.
2651         (foo):
2652         (bar):
2653         (baz):
2654         (catch):
2655         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2656         in this patch, but may as well test odd strict mode corner cases.
2657         (bar):
2658         (baz):
2659         (catch):
2660         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2661         (foo):
2662         (bar):
2663         (baz):
2664         (catch):
2665         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2666         next file, but with invalidation of the FunctionExecutable's
2667         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2668         slower path.
2669         (foo):
2670         (bar.const.x):
2671         (bar.const.y):
2672         (bar):
2673         (catch):
2674         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2675         strict nesting works correctly.
2676         (foo):
2677         (bar.baz):
2678         (bar):
2679         * stress/strict-function-structure.js: Added. The test used to
2680         assert in objectProtoFuncHasOwnProperty.
2681         (foo):
2682         (bar):
2683         (baz):
2684         * stress/strict-nested-function-structure.js: Added. Nesting.
2685         (foo):
2686         (bar):
2687         (baz.boo):
2688         (baz):
2689
2690 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2691
2692         The recursive tail call optimisation is wrong on closures
2693         https://bugs.webkit.org/show_bug.cgi?id=179835
2694
2695         Reviewed by Saam Barati.
2696
2697         * stress/closure-recursive-tail-call.js: Added.
2698         (makeClosure):
2699
2700 2017-11-27  JF Bastien  <jfbastien@apple.com>
2701
2702         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2703         https://bugs.webkit.org/show_bug.cgi?id=180051
2704         <rdar://problem/35614371>
2705
2706         Reviewed by Saam Barati.
2707
2708         * stress/rest-parameter-negative.js: Added.
2709         (__f_5484):
2710         (catch):
2711         (__f_5485):
2712         (__v_22598.catch):
2713
2714 2017-11-27  Saam Barati  <sbarati@apple.com>
2715
2716         Spread can escape when CreateRest does not
2717         https://bugs.webkit.org/show_bug.cgi?id=180057
2718         <rdar://problem/35676119>
2719
2720         Reviewed by JF Bastien.
2721
2722         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2723         (assert):
2724         (getProperties):
2725         (theFunc):
2726         (let.obj.valueOf):
2727
2728 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2729
2730         [DFG] Add NormalizeMapKey DFG IR
2731         https://bugs.webkit.org/show_bug.cgi?id=179912
2732
2733         Reviewed by Saam Barati.
2734
2735         * stress/map-untyped-normalize-cse.js: Added.
2736         (shouldBe):
2737         (test):
2738         * stress/map-untyped-normalize.js: Added.
2739         (shouldBe):
2740         (test):
2741         * stress/set-untyped-normalize-cse.js: Added.
2742         (shouldBe):
2743         (set return.set has.set has):
2744         * stress/set-untyped-normalize.js: Added.
2745         (shouldBe):
2746         (set return.set has):
2747
2748 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2749
2750         [FTL] Support DeleteById and DeleteByVal
2751         https://bugs.webkit.org/show_bug.cgi?id=180022
2752
2753         Reviewed by Saam Barati.
2754
2755         * stress/delete-by-id.js: Added.
2756         (shouldBe):
2757         (test1):
2758         (test2):
2759         * stress/delete-by-val-ftl.js: Added.
2760         (shouldBe):
2761         (test1):
2762         (test2):
2763
2764 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2765
2766         [DFG] Introduce {Set,Map,WeakMap}Fields
2767         https://bugs.webkit.org/show_bug.cgi?id=179925
2768
2769         Reviewed by Saam Barati.
2770
2771         * stress/map-set-clobber-map-get.js: Added.
2772         (shouldBe):
2773         (test):
2774         * stress/map-set-does-not-clobber-set-has.js: Added.
2775         (shouldBe):
2776         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2777         (shouldBe):
2778         (test):
2779         * stress/set-add-clobber-set-has.js: Added.
2780         (shouldBe):
2781         * stress/set-add-does-not-clobber-map-get.js: Added.
2782         (shouldBe):
2783
2784 2017-11-24  Mark Lam  <mark.lam@apple.com>
2785
2786         Move unsafe jsc shell test functions to the $vm object.
2787         https://bugs.webkit.org/show_bug.cgi?id=179980
2788
2789         Reviewed by Yusuke Suzuki.
2790
2791         * controlFlowProfiler/driver/driver.js:
2792         * controlFlowProfiler/execution-count.js:
2793         * controlFlowProfiler/if-statement.js:
2794         * controlFlowProfiler/loop-statements.js:
2795         * controlFlowProfiler/switch-statements.js:
2796         * controlFlowProfiler/test-jit.js:
2797         * exceptionFuzz/3d-cube.js:
2798         * exceptionFuzz/date-format-xparb.js:
2799         * exceptionFuzz/earley-boyer.js:
2800         * heapProfiler/basic-edges.js:
2801         * heapProfiler/property-edge-types.js:
2802         * microbenchmarks/try-get-by-id-basic.js:
2803         * microbenchmarks/try-get-by-id-polymorphic.js:
2804         * modules/namespace-object-try-get.js:
2805         * stress/argument-count-bytecode.js:
2806         * stress/argument-intrinsic-basic.js:
2807         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2808         * stress/argument-intrinsic-inlining-with-result-escape.js:
2809         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2810         * stress/argument-intrinsic-inlining-with-vararg.js:
2811         * stress/argument-intrinsic-nested-inlining.js:
2812         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2813         * stress/argument-intrinsic-with-stack-write.js:
2814         * stress/arity-mismatch-get-argument.js:
2815         * stress/array-message-passing.js:
2816         * stress/array-push-with-force-exit.js:
2817         * stress/check-dom-with-signature.js:
2818         * stress/check-sub-class.js:
2819         * stress/compare-eq-incomplete-profile.js:
2820         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2821         * stress/do-eval-virtual-call-correctly.js:
2822         * stress/dom-jit-with-poly-proto.js:
2823         * stress/domjit-exception-ic.js:
2824         * stress/domjit-exception.js:
2825         * stress/domjit-getter-complex-with-incorrect-object.js:
2826         * stress/domjit-getter-complex.js:
2827         * stress/domjit-getter-poly.js:
2828         * stress/domjit-getter-proto.js:
2829         * stress/domjit-getter-super-poly.js:
2830         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2831         * stress/domjit-getter-type-check.js:
2832         * stress/domjit-getter.js:
2833         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2834         * stress/for-in-proxy-target-changed-structure.js:
2835         * stress/for-in-proxy.js:
2836         * stress/generational-opaque-roots.js:
2837         * stress/global-const-redeclaration-setting-2.js:
2838         * stress/global-const-redeclaration-setting-3.js:
2839         * stress/global-const-redeclaration-setting-4.js:
2840         * stress/global-const-redeclaration-setting-5.js:
2841         * stress/global-const-redeclaration-setting.js:
2842         * stress/import-basic.js:
2843         * stress/import-from-eval.js:
2844         * stress/import-reject-with-exception.js:
2845         * stress/import-syntax.js:
2846         * stress/impure-get-own-property-slot-inline-cache.js:
2847         * stress/is-constructor.js:
2848         * stress/istypedarrayview-intrinsic.js:
2849         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2850         * stress/jsc-test-functions-should-be-more-robust.js:
2851         * stress/object-toString-with-proxy.js:
2852         * stress/poly-proto-custom-value-and-accessor.js:
2853         * stress/proxy-inline-cache.js:
2854         * stress/re-execute-error-module.js:
2855         * stress/regress-150532.js:
2856         * stress/regress-156992.js:
2857         * stress/regress-179619.js:
2858         * stress/resources/shadow-chicken-support.js:
2859         * stress/runtime-array.js:
2860         * stress/sampling-profiler-microtasks.js:
2861         * stress/shadow-chicken-enabled.js:
2862         * stress/spread-correct-global-object-on-exception.js:
2863         * stress/super-get-by-id.js:
2864         * stress/tailCallForwardArguments.js:
2865         * stress/to-object-intrinsic-boolean-edge.js:
2866         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2867         * stress/to-object-intrinsic-number-edge.js:
2868         * stress/to-object-intrinsic-object-edge.js:
2869         * stress/to-object-intrinsic-string-edge.js:
2870         * stress/to-object-intrinsic-symbol-edge.js:
2871         * stress/to-object-intrinsic.js:
2872         * stress/try-catch-custom-getter-as-get-by-id.js:
2873         * stress/try-get-by-id-poly-proto.js:
2874         * stress/try-get-by-id-should-spill-registers-dfg.js:
2875         * stress/try-get-by-id.js:
2876         * typeProfiler/arrow-functions.js:
2877         * typeProfiler/basic.js:
2878         * typeProfiler/captured.js:
2879         * typeProfiler/classes.js:
2880         * typeProfiler/dfg-jit-optimizations.js:
2881         * typeProfiler/dictionary-mode.js:
2882         * typeProfiler/es6-block-scoping.js:
2883         * typeProfiler/es6-classes.js:
2884         * typeProfiler/inheritance.js:
2885         * typeProfiler/int52-dfg.js:
2886         * typeProfiler/loop.js:
2887         * typeProfiler/optional-fields.js:
2888         * typeProfiler/overflow.js:
2889         * typeProfiler/return.js:
2890         * typeProfiler/symbol.js:
2891         * typeProfiler/weird-prototype-chain.js:
2892
2893 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2894
2895         [DFG][FTL] Support MapSet / SetAdd intrinsics
2896         https://bugs.webkit.org/show_bug.cgi?id=179858
2897
2898         Reviewed by Saam Barati.
2899
2900         * microbenchmarks/map-has-and-set.js: Added.
2901         (test):
2902         * stress/map-set-check-failure.js: Added.
2903         (shouldBe):
2904         (shouldThrow):
2905         (target):
2906         * stress/map-set-cse.js: Added.
2907         (shouldBe):
2908         (test):
2909         * stress/set-add-check-failure.js: Added.
2910         (shouldBe):
2911         (shouldThrow):
2912         (set shouldThrow):
2913         * stress/set-add-cse.js: Added.
2914         (shouldBe):
2915
2916 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2917
2918         [JSC] Allow poly proto for intrinsic getters
2919         https://bugs.webkit.org/show_bug.cgi?id=179550
2920
2921         Reviewed by Saam Barati.
2922
2923         This change is also tested by existing tests.
2924
2925             1. stress/intrinsic-getter-with-poly-proto.js
2926             2. stress/poly-proto-intrinsic-getter-correctness.js
2927
2928         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2929         (shouldBe):
2930         (makePolyProtoObject.foo.C):
2931         (makePolyProtoObject.foo):
2932         (makePolyProtoObject):
2933         (target):
2934         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2935         (shouldBe):
2936         (makePolyProtoObject.foo.C):
2937         (makePolyProtoObject.foo):
2938         (makePolyProtoObject):
2939         (target):
2940
2941 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2942
2943         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2944         https://bugs.webkit.org/show_bug.cgi?id=179744
2945
2946         Reviewed by Michael Catanzaro.
2947
2948         This test uses too much memory for our buildbots on these platforms
2949         and gets OOM-killed.
2950
2951         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2952         Skip if $memoryLimited and linux.
2953
2954 2017-11-17  JF Bastien  <jfbastien@apple.com>
2955
2956         WebAssembly JS API: throw when a promise can't be created
2957         https://bugs.webkit.org/show_bug.cgi?id=179826
2958         <rdar://problem/35455813>
2959
2960         Reviewed by Mark Lam.
2961
2962         Test WebAssembly.{compile,instantiate} where promise creation
2963         fails because of a stack overflow.
2964
2965         * wasm/js-api/promise-stack-overflow.js: Added.
2966         (const.runNearStackLimit.f.const.t):
2967         (async.testCompile):
2968         (async.testInstantiate):
2969
2970 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2971
2972         Unreviewed, mark regress-178385.js as memory exhausting
2973
2974         * stress/regress-178385.js:
2975
2976 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2977
2978         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2979
2980         Unreviewed test gardening.
2981
2982         * test262.yaml:
2983
2984 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2985
2986         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2987         https://bugs.webkit.org/show_bug.cgi?id=179763
2988         <rdar://problem/35550513>
2989
2990         Reviewed by Keith Miller.
2991
2992         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2993
2994         * stress/tdz-this-in-try-catch.js: Added.
2995         (__v_6388):
2996         (__v_6392):
2997
2998 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2999
3000         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3001         https://bugs.webkit.org/show_bug.cgi?id=179594
3002
3003         Reviewed by Saam Barati.
3004
3005         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
3006         (shouldBe):
3007         (args):
3008         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
3009         (shouldBe):
3010         (args):
3011
3012 2017-11-14  Saam Barati  <sbarati@apple.com>
3013
3014         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3015         https://bugs.webkit.org/show_bug.cgi?id=179639
3016         <rdar://problem/35513018>
3017
3018         Reviewed by JF Bastien.
3019
3020         * wasm/function-tests/grow-memory-cause-gc.js: Added.
3021         (escape):
3022         (i.func):
3023
3024 2017-11-13  Mark Lam  <mark.lam@apple.com>
3025
3026         Add more overflow check book-keeping for MarkedArgumentBuffer.
3027         https://bugs.webkit.org/show_bug.cgi?id=179634
3028         <rdar://problem/35492517>
3029
3030         Reviewed by Saam Barati.
3031
3032         * stress/regress-179634.js: Added.
3033
3034 2017-11-13  Mark Lam  <mark.lam@apple.com>
3035
3036         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3037         https://bugs.webkit.org/show_bug.cgi?id=179619
3038         <rdar://problem/35492518>
3039
3040         Reviewed by Saam Barati.
3041
3042         * stress/regress-179619.js: Added.
3043
3044 2017-11-12  Mark Lam  <mark.lam@apple.com>
3045
3046         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3047         https://bugs.webkit.org/show_bug.cgi?id=179562
3048         <rdar://problem/35467022>
3049
3050         Reviewed by Saam Barati.
3051
3052         * regress-179562.js: Added.
3053
3054 2017-11-08  Saam Barati  <sbarati@apple.com>
3055
3056         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3057         https://bugs.webkit.org/show_bug.cgi?id=177792
3058
3059         Reviewed by Yusuke Suzuki.
3060
3061         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
3062         (assert):
3063         (foo.Foo.prototype.ensureX):
3064         (foo.Foo):
3065         (foo):
3066         (access):
3067
3068 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
3069
3070         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3071         https://bugs.webkit.org/show_bug.cgi?id=178592
3072
3073         Unreviewed test gardening.
3074
3075         * test262.yaml:
3076
3077 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3078
3079         Turn recursive tail calls into loops
3080         https://bugs.webkit.org/show_bug.cgi?id=176601
3081
3082         Reviewed by Saam Barati.
3083
3084         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3085
3086         Add some simple test that computes factorial in several ways, and other trivial computations.
3087         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3088         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3089         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3090         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3091
3092         * stress/inline-call-to-recursive-tail-call.js: Added.
3093         (factorial.aux):
3094         (factorial):
3095         (factorial2.aux2):
3096         (factorial2.id):
3097         (factorial2):
3098         (factorial3.aux3):
3099         (factorial3):
3100         (aux4):
3101         (factorial4):
3102         (foo):
3103         (auxBar):
3104         (bar):
3105         (test):
3106
3107 2017-11-07  Mark Lam  <mark.lam@apple.com>
3108
3109         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
3110         https://bugs.webkit.org/show_bug.cgi?id=179355
3111         <rdar://problem/35263053>
3112
3113         Reviewed by Saam Barati.
3114
3115         * stress/regress-179355.js: Added.
3116
3117 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3118
3119         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
3120         https://bugs.webkit.org/show_bug.cgi?id=144458
3121
3122         Reviewed by Saam Barati.
3123
3124         * microbenchmarks/dfg-internal-function-call.js: Added.
3125         (target):
3126         * microbenchmarks/dfg-internal-function-construct.js: Added.
3127         (target):
3128         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
3129         (target):
3130         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
3131         (target):
3132         * stress/dfg-internal-function-call.js: Added.
3133         (shouldBe):
3134         (target):
3135         * stress/dfg-internal-function-construct.js: Added.
3136         (shouldBe):
3137         (target):
3138         * stress/internal-function-call.js: Added.
3139         (shouldBe):
3140         * stress/internal-function-construct.js: Added.
3141         (shouldBe):
3142
3143 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3144
3145         [Win] Skip stress/regress-178385.js.
3146         https://bugs.webkit.org/show_bug.cgi?id=179298
3147
3148         Unreviewed test gardening.
3149
3150         * stress/regress-178385.js:
3151
3152 2017-11-03  Keith Miller  <keith_miller@apple.com>
3153
3154         Add test for ic with side effects
3155         https://bugs.webkit.org/show_bug.cgi?id=179268
3156
3157         Reviewed by Saam Barati.
3158
3159         * stress/put-inline-cache-side-effects.js: Added.
3160         (let.i.of.objs.keys):
3161         (f):
3162
3163 2017-11-03  Mark Lam  <mark.lam@apple.com>
3164
3165         CachedCall (and its clients) needs overflow checks.
3166         https://bugs.webkit.org/show_bug.cgi?id=179185
3167
3168         Reviewed by JF Bastien.
3169
3170         * stress/regress-179185.js: Added.
3171
3172 2017-11-02  Michael Saboff  <msaboff@apple.com>
3173
3174         DFG needs to handle code motion of code in for..in loop bodies
3175         https://bugs.webkit.org/show_bug.cgi?id=179212
3176
3177         Reviewed by Keith Miller.
3178
3179         New regression test.
3180
3181         * stress/for-in-side-effects.js: Added.
3182         (getPrototypeOf):
3183         (reset):
3184         (testWithoutFTL.f):
3185         (testWithoutFTL):
3186         (testWithFTL.f):
3187         (testWithFTL):
3188
3189 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3190
3191         AI does not correctly model the clobber case of ArithClz32
3192         https://bugs.webkit.org/show_bug.cgi?id=179188
3193
3194         Reviewed by Michael Saboff.
3195
3196         * stress/arith-clz32-effects.js: Added.
3197         (foo):
3198         (valueOf):
3199
3200 2017-11-01  Michael Saboff  <msaboff@apple.com>
3201
3202         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3203         https://bugs.webkit.org/show_bug.cgi?id=179140
3204
3205         Reviewed by Saam Barati.
3206
3207         New regression test.
3208
3209         * stress/regress-179140.js: Added.
3210         (testWithoutFTL):
3211         (testWithFTL):
3212
3213 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3214
3215         [JSC] Introduce @toObject
3216         https://bugs.webkit.org/show_bug.cgi?id=178726
3217
3218         Reviewed by Saam Barati.
3219
3220         * stress/array-copywithin.js:
3221         (shouldThrow):
3222         * stress/object-constructor-boolean-edge.js: Added.
3223         (shouldBe):
3224         (test):
3225         * stress/object-constructor-global.js: Added.
3226         (shouldBe):
3227         * stress/object-constructor-null-edge.js: Added.
3228         (shouldBe):
3229         (test):
3230         * stress/object-constructor-number-edge.js: Added.
3231         (shouldBe):
3232         (test):
3233         * stress/object-constructor-object-edge.js: Added.
3234         (shouldBe):
3235         (test):
3236         (i.arg):
3237         * stress/object-constructor-string-edge.js: Added.
3238         (shouldBe):
3239         (test):
3240         * stress/object-constructor-symbol-edge.js: Added.
3241         (shouldBe):
3242         (test):
3243         * stress/object-constructor-undefined-edge.js: Added.
3244         (shouldBe):
3245         (test):
3246         * stress/symbol-array-from.js: Added.
3247         (shouldBe):
3248         * stress/to-object-intrinsic-boolean-edge.js: Added.
3249         (shouldBe):
3250         (builtin.createBuiltin):
3251         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3252         (shouldThrow):
3253         * stress/to-object-intrinsic-number-edge.js: Added.
3254         (shouldBe):
3255         (builtin.createBuiltin):
3256         * stress/to-object-intrinsic-object-edge.js: Added.
3257         (shouldBe):
3258         (builtin.createBuiltin):
3259         (i.arg):
3260         * stress/to-object-intrinsic-string-edge.js: Added.
3261         (shouldBe):
3262         (builtin.createBuiltin):
3263         * stress/to-object-intrinsic-symbol-edge.js: Added.
3264         (shouldBe):
3265         (builtin.createBuiltin):
3266         * stress/to-object-intrinsic.js: Added.
3267         (shouldBe):
3268         (shouldThrow):
3269         (builtin.createBuiltin):
3270
3271 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3272
3273         [DFG][FTL] Introduce StringSlice
3274         https://bugs.webkit.org/show_bug.cgi?id=178934
3275
3276         Reviewed by Saam Barati.
3277
3278         * microbenchmarks/string-slice-empty.js: Added.
3279         (slice):
3280         * microbenchmarks/string-slice-one-char.js: Added.
3281         (slice):
3282         * microbenchmarks/string-slice.js: Added.
3283         (slice):
3284
3285 2017-10-26  Michael Saboff  <msaboff@apple.com>
3286
3287         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3288         https://bugs.webkit.org/show_bug.cgi?id=178890
3289
3290         Reviewed by Keith Miller.
3291
3292         New regression test.
3293
3294         * stress/regress-178890.js: Added.
3295
3296 2017-10-26  Mark Lam  <mark.lam@apple.com>
3297
3298         JSRopeString::RopeBuilder::append() should check for overflows.
3299         https://bugs.webkit.org/show_bug.cgi?id=178385
3300         <rdar://problem/35027468>
3301
3302         Reviewed by Saam Barati.
3303
3304         * stress/regress-178385.js: Added.
3305
3306 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3307
3308         Unreviewed, rolling out r223961.
3309
3310         The change that required this has been rolled out.
3311
3312         Reverted changeset:
3313
3314         "Mark test262.yaml/test262/test/language/statements/try/tco-
3315         catch.js as passing."
3316         https://bugs.webkit.org/show_bug.cgi?id=178592
3317         https://trac.webkit.org/changeset/223961
3318
3319 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3320
3321         Unreviewed, rolling out r223691 and r223729.
3322         https://bugs.webkit.org/show_bug.cgi?id=178834
3323
3324         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3325         by rniwa on #webkit).
3326
3327         Reverted changesets:
3328
3329         "Turn recursive tail calls into loops"
3330         https://bugs.webkit.org/show_bug.cgi?id=176601
3331         https://trac.webkit.org/changeset/223691
3332
3333         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3334         comparison is always false due to limited range of data type
3335         [-Wtype-limits]"
3336         https://bugs.webkit.org/show_bug.cgi?id=178543
3337         https://trac.webkit.org/changeset/223729
3338
3339 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3340
3341         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3342         https://bugs.webkit.org/show_bug.cgi?id=178592
3343
3344         Unreviewed test gardening.
3345
3346         * test262.yaml:
3347
3348 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3349
3350         [FTL] Support NewStringObject
3351         https://bugs.webkit.org/show_bug.cgi?id=178737
3352
3353         Reviewed by Saam Barati.
3354
3355         * stress/new-string-object.js: Added.
3356         (shouldBe):
3357         (test):
3358
3359 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3360
3361         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3362         https://bugs.webkit.org/show_bug.cgi?id=178308
3363
3364         Reviewed by Mark Lam.
3365
3366         * test262.yaml:
3367
3368 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3369
3370         [JSC] Use fastJoin in Array#toString
3371         https://bugs.webkit.org/show_bug.cgi?id=178062
3372
3373         Reviewed by Darin Adler.
3374
3375         * microbenchmarks/contiguous-array-to-string.js: Added.
3376         (target):
3377         * microbenchmarks/double-array-to-string.js: Added.
3378         (target):
3379         * microbenchmarks/int32-array-to-string.js: Added.
3380         (target):
3381
3382 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3383
3384         stress/check-string-ident.js is improperly skipped
3385         https://bugs.webkit.org/show_bug.cgi?id=178642
3386
3387         Reviewed by Saam Barati.
3388
3389         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3390         since it enforces the run-jsc-stress-tests script to still set up the
3391         test to run, despite the skip directive that's used before.
3392
3393 2017-10-20  Mark Lam  <mark.lam@apple.com>
3394
3395         Add a test case for r214334.
3396         https://bugs.webkit.org/show_bug.cgi?id=169941
3397         <rdar://problem/31221258>
3398
3399         Reviewed by JF Bastien.
3400
3401         * stress/regress-169941.js: Added.
3402
3403 2017-10-19  JF Bastien  <jfbastien@apple.com>
3404
3405         WebAssembly: no VM / JS version of everything but Instance
3406         https://bugs.webkit.org/show_bug.cgi?id=177473
3407
3408         Reviewed by Filip Pizlo, Saam Barati.
3409
3410         - Exceeding max on memory growth now returns a range error as per
3411         spec. This is a (very minor) breaking change: it used to throw OOM
3412         error. Update the corresponding test.
3413
3414         * wasm/js-api/memory-grow.js:
3415         (assertEq):
3416         * wasm/js-api/table.js:
3417         (assert.throws):
3418
3419 2017-10-19  Mark Lam  <mark.lam@apple.com>
3420
3421         Stringifier::appendStringifiedValue() is missing an exception check.
3422         https://bugs.webkit.org/show_bug.cgi?id=178386
3423         <rdar://problem/35027610>
3424
3425         Reviewed by Saam Barati.
3426
3427         * stress/regress-178386.js: Added.
3428
3429 2017-10-19  Michael Saboff  <msaboff@apple.com>
3430
3431         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3432         https://bugs.webkit.org/show_bug.cgi?id=178521
3433
3434         Reviewed by JF Bastien.
3435
3436         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3437         now passes with the current version (5.0) of the Emoji spec.
3438
3439 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3440
3441         Turn recursive tail calls into loops
3442         https://bugs.webkit.org/show_bug.cgi?id=176601
3443
3444         Reviewed by Saam Barati.
3445
3446         Add some simple test that computes factorial in several ways, and other trivial computations.
3447         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3448         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3449         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3450         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3451
3452         * stress/inline-call-to-recursive-tail-call.js: Added.
3453         (factorial.aux):
3454         (factorial):
3455         (factorial2.aux):
3456         (factorial2.id):
3457         (factorial2):
3458         (factorial3.aux):
3459         (factorial3):
3460         (aux):
3461         (factorial4):
3462         (test):
3463
3464 2017-10-18  Mark Lam  <mark.lam@apple.com>
3465
3466         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3467         https://bugs.webkit.org/show_bug.cgi?id=177600
3468         <rdar://problem/34710985>
3469
3470         Reviewed by Saam Barati.
3471
3472         * stress/regress-177600.js: Added.
3473
3474 2017-10-18  Mark Lam  <mark.lam@apple.com>
3475
3476         The compiler should always register a structure when it adds its transitionWatchPointSet.
3477         https://bugs.webkit.org/show_bug.cgi?id=178420
3478         <rdar://problem/34814024>
3479
3480         Reviewed by Saam Barati and Filip Pizlo.
3481
3482         * stress/regress-178420.js: Added.
3483         (new.Array.10000.map):
3484
3485 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3486
3487         [JSC] __proto__ getter should be fast
3488         https://bugs.webkit.org/show_bug.cgi?id=178067
3489
3490         Reviewed by Saam Barati.
3491
3492         * stress/dfg-object-proto-accessor.js: Added.
3493         (shouldBe):
3494         (shouldThrow):
3495         (target):
3496         * stress/dfg-object-proto-getter.js: Added.
3497         (shouldBe):
3498         (shouldThrow):
3499         (target):
3500         * stress/dfg-object-prototype-of.js: Added.
3501         (shouldBe):
3502         (shouldThrow):
3503         (target):
3504         * stress/dfg-reflect-get-prototype-of.js: Added.
3505         (shouldBe):
3506         (shouldThrow):
3507         (target):
3508         * stress/intrinsic-getter-with-poly-proto.js: Added.
3509         (shouldBe):
3510         (makePolyProtoObject.foo.C):
3511         (makePolyProtoObject.foo):
3512         (makePolyProtoObject):
3513         (target):
3514         * stress/object-get-prototype-of-filtered.js: Added.
3515         (shouldBe):
3516         (shouldThrow):
3517         (target):
3518         (i.Cocoa):
3519         * stress/object-get-prototype-of-mono-proto.js: Added.
3520         (shouldBe):
3521         (makePolyProtoObject.foo.C):
3522         (makePolyProtoObject.foo):
3523         (makePolyProtoObject):
3524         (target):
3525         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3526         (shouldBe):
3527         (makePolyProtoObject.foo.C):
3528         (makePolyProtoObject.foo):
3529         (makePolyProtoObject):
3530         (target):
3531         * stress/object-get-prototype-of-poly-proto.js: Added.
3532         (shouldBe):
3533         (makePolyProtoObject.foo.C):
3534         (makePolyProtoObject.foo):
3535         (makePolyProtoObject):
3536         (target):
3537         * stress/object-proto-getter-filtered.js: Added.
3538         (shouldBe):
3539         (shouldThrow):
3540         (target):
3541         (i.Cocoa):
3542         * stress/object-proto-getter-poly-mono-proto.js: Added.
3543         (shouldBe):
3544         (makePolyProtoObject.foo.C):
3545         (makePolyProtoObject.foo):
3546         (makePolyProtoObject):
3547         (target):
3548         * stress/object-proto-getter-poly-proto.js: Added.
3549         (shouldBe):
3550         (makePolyProtoObject.foo.C):
3551         (makePolyProtoObject.foo):
3552         (makePolyProtoObject):
3553         (target):
3554         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3555         * stress/string-proto.js: Added.
3556         (shouldBe):
3557         (target):
3558
3559 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3560
3561         Unreviewed, rolling out r223523.
3562
3563         A test for this change is failing on debug JSC bots.
3564
3565         Reverted changeset:
3566
3567         "[JSC] __proto__ getter should be fast"
3568         https://bugs.webkit.org/show_bug.cgi?id=178067
3569         https://trac.webkit.org/changeset/223523
3570
3571 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3572
3573         [JSC] __proto__ getter should be fast
3574         https://bugs.webkit.org/show_bug.cgi?id=178067
3575
3576         Reviewed by Saam Barati.
3577
3578         * stress/dfg-object-proto-accessor.js: Added.
3579         (shouldBe):
3580         (shouldThrow):
3581         (target):
3582         * stress/dfg-object-proto-getter.js: Added.
3583         (shouldBe):
3584         (shouldThrow):
3585         (target):
3586         * stress/dfg-object-prototype-of.js: Added.
3587         (shouldBe):
3588         (shouldThrow):
3589         (target):
3590         * stress/dfg-reflect-get-prototype-of.js: Added.
3591         (shouldBe):
3592         (shouldThrow):
3593         (target):
3594         * stress/object-get-prototype-of-filtered.js: Added.
3595         (shouldBe):
3596         (shouldThrow):
3597         (target):
3598         (i.Cocoa):
3599         * stress/object-get-prototype-of-mono-proto.js: Added.
3600         (shouldBe):
3601         (makePolyProtoObject.foo.C):
3602         (makePolyProtoObject.foo):
3603         (makePolyProtoObject):
3604         (target):
3605         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3606         (shouldBe):
3607         (makePolyProtoObject.foo.C):
3608         (makePolyProtoObject.foo):
3609         (makePolyProtoObject):
3610         (target):
3611         * stress/object-get-prototype-of-poly-proto.js: Added.
3612         (shouldBe):
3613         (makePolyProtoObject.foo.C):
3614         (makePolyProtoObject.foo):
3615         (makePolyProtoObject):
3616         (target):
3617         * stress/object-proto-getter-filtered.js: Added.
3618         (shouldBe):
3619         (shouldThrow):
3620         (target):
3621         (i.Cocoa):
3622         * stress/object-proto-getter-poly-mono-proto.js: Added.
3623         (shouldBe):
3624         (makePolyProtoObject.foo.C):
3625         (makePolyProtoObject.foo):
3626         (makePolyProtoObject):
3627         (target):
3628         * stress/object-proto-getter-poly-proto.js: Added.
3629         (shouldBe):
3630         (makePolyProtoObject.foo.C):
3631         (makePolyProtoObject.foo):
3632         (makePolyProtoObject):
3633         (target):
3634         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3635         * stress/string-proto.js: Added.
3636         (shouldBe):
3637         (target):
3638
3639 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3640
3641         Reland "Add Above/Below comparisons for UInt32 patterns"
3642         https://bugs.webkit.org/show_bug.cgi?id=177281
3643
3644         Reviewed by Saam Barati.
3645
3646         * stress/uint32-comparison-jump.js: Added.
3647         (shouldBe):
3648         (above):
3649         (aboveOrEqual):
3650         (below):
3651         (belowOrEqual):
3652         (notAbove):
3653         (notAboveOrEqual):
3654         (notBelow):
3655         (notBelowOrEqual):
3656         * stress/uint32-comparison.js: Added.
3657         (shouldBe):
3658         (above):
3659         (aboveOrEqual):
3660         (below):
3661         (belowOrEqual):
3662         (aboveTest):
3663         (aboveOrEqualTest):
3664         (belowTest):
3665         (belowOrEqualTest):
3666
3667 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3668
3669         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3670         https://bugs.webkit.org/show_bug.cgi?id=178210
3671
3672         Reviewed by Saam Barati.
3673
3674         * wasm/function-tests/trap-from-start-async.js:
3675         (async.StartTrapsAsync):
3676         * wasm/function-tests/trap-from-start.js:
3677         (StartTraps):
3678         * wasm/js-api/web-assembly-function.js:
3679         (assert.eq.Object.getPrototypeOf):
3680         * wasm/js-api/wrapper-function.js:
3681         (return.new.WebAssembly.Module):
3682         (assert.throws.makeInstance): Deleted.
3683         (assert.throws.Bar): Deleted.
3684         (assert.throws): Deleted.
3685
3686 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3687
3688         Enable gigacage on iOS
3689         https://bugs.webkit.org/show_bug.cgi?id=177586
3690
3691         Reviewed by JF Bastien.
3692         
3693         Add tests for when Gigacage gets runtime disabled.
3694
3695         * stress/disable-gigacage-arrays.js: Added.
3696         (foo):
3697         * stress/disable-gigacage-strings.js: Added.
3698         (foo):
3699         * stress/disable-gigacage-typed-arrays.js: Added.
3700         (foo):
3701
3702 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3703
3704         import.meta should not be assignable
3705         https://bugs.webkit.org/show_bug.cgi?id=178202
3706
3707         Reviewed by Saam Barati.
3708
3709         * modules/import-meta-assignment.js: Added.
3710         (shouldThrow):
3711         (SyntaxError.import.meta.can.shouldThrow):
3712
3713 2017-10-11  Saam Barati  <sbarati@apple.com>
3714
3715         Unreviewed. Actually skip certain type profiler tests in debug.
3716
3717         * typeProfiler.yaml:
3718         * typeProfiler/deltablue-for-of.js:
3719         * typeProfiler/getter-richards.js:
3720
3721 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3722
3723         Unreviewed, rolling out r223113 and r223121.
3724         https://bugs.webkit.org/show_bug.cgi?id=178182
3725
3726         Reintroduced 20% regression on Kraken (Requested by rniwa on
3727         #webkit).
3728
3729         Reverted changesets:
3730
3731         "Enable gigacage on iOS"
3732         https://bugs.webkit.org/show_bug.cgi?id=177586
3733         https://trac.webkit.org/changeset/223113
3734
3735         "Use one virtual allocation for all gigacages and their
3736         runways"
3737         https://bugs.webkit.org/show_bug.cgi?id=178050
3738         https://trac.webkit.org/changeset/223121
3739
3740 2017-10-11  Michael Saboff  <msaboff@apple.com>
3741
3742         Disable test262 named capture group tests with direct unicode names and with references before definitions
3743         https://bugs.webkit.org/show_bug.cgi?id=178177
3744
3745         Reviewed by Keith Miller.
3746
3747         Bugs to track fixing these test are:
3748         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3749             "Add support in named capture group identifiers for direct surrogate pairs"
3750         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3751             "Test262 failure with Named Capture Groups - using a reference b