83147aae74e9e1151ca206ca591024766bf24fc0
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [WebAssembly][Modules] Import tables in wasm modules
4         https://bugs.webkit.org/show_bug.cgi?id=184738
5
6         Reviewed by JF Bastien.
7
8         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
9         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
10         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
11         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
12         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
13         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
14         * wasm/modules/wasm-imports-wasm-exports.js:
15         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
16         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
17         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
18         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
19
20 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
21
22         [WebAssembly][Modules] Import globals from wasm modules
23         https://bugs.webkit.org/show_bug.cgi?id=184736
24
25         Reviewed by JF Bastien.
26
27         * wasm.yaml:
28         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
29         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
30         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
31         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
32         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
33         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
34         * wasm/modules/wasm-imports-wasm-exports.js:
35         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
36         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
37         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
38         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
39
40 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
41
42         Unreviewed, reland r230697, r230720, and r230724.
43         https://bugs.webkit.org/show_bug.cgi?id=184600
44
45         * wasm.yaml:
46         * wasm/modules/constant.wasm: Added.
47         * wasm/modules/constant.wat: Added.
48         * wasm/modules/default-import-star-error.js: Added.
49         (then):
50         * wasm/modules/default-import-star-error/entry.wasm: Added.
51         * wasm/modules/default-import-star-error/entry.wat: Added.
52         * wasm/modules/default-import-star-error/t0.js: Added.
53         * wasm/modules/default-import-star-error/t1.js: Added.
54         * wasm/modules/default-import-star-error/t2.js: Added.
55         (export.default.Cocoa):
56         * wasm/modules/js-wasm-cycle.js: Added.
57         * wasm/modules/js-wasm-cycle/entry.js: Added.
58         (from.string_appeared_here.export.return42):
59         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
60         * wasm/modules/js-wasm-cycle/sum.wat: Added.
61         * wasm/modules/js-wasm-function-namespace.js: Added.
62         (assert.throws):
63         * wasm/modules/js-wasm-function.js: Added.
64         (assert.throws):
65         * wasm/modules/js-wasm-global-namespace.js: Added.
66         (assert.throws):
67         * wasm/modules/js-wasm-global.js: Added.
68         (assert.throws):
69         * wasm/modules/js-wasm-memory-namespace.js: Added.
70         (assert.throws):
71         * wasm/modules/js-wasm-memory.js: Added.
72         (assert.throws):
73         * wasm/modules/js-wasm-start.js: Added.
74         (then):
75         * wasm/modules/js-wasm-table-namespace.js: Added.
76         (assert.throws):
77         * wasm/modules/js-wasm-table.js: Added.
78         (assert.throws):
79         * wasm/modules/memory.wasm: Added.
80         * wasm/modules/memory.wat: Added.
81         * wasm/modules/run-from-wasm.wasm: Added.
82         * wasm/modules/run-from-wasm.wat: Added.
83         * wasm/modules/run-from-wasm/check.js: Added.
84         (export.check):
85         * wasm/modules/start.wasm: Added.
86         * wasm/modules/start.wat: Added.
87         * wasm/modules/sum.wasm: Added.
88         * wasm/modules/sum.wat: Added.
89         * wasm/modules/table.wasm: Added.
90         * wasm/modules/table.wat: Added.
91         * wasm/modules/wasm-imports-js-exports.js: Added.
92         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
93         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
94         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
95         (export.sum):
96         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
97         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
98         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
99         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
100         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
101         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
102         * wasm/modules/wasm-imports-wasm-exports.js: Added.
103         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
104         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
105         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
106         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
107         * wasm/modules/wasm-js-cycle.js: Added.
108         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
109         * wasm/modules/wasm-js-cycle/entry.wat: Added.
110         * wasm/modules/wasm-js-cycle/sum.js: Added.
111         (from.string_appeared_here.export.sum):
112         * wasm/modules/wasm-wasm-cycle.js: Added.
113         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
114         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
115         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
116         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
117
118 2018-04-17  Commit Queue  <commit-queue@webkit.org>
119
120         Unreviewed, rolling out r230697, r230720, and r230724.
121         https://bugs.webkit.org/show_bug.cgi?id=184717
122
123         These caused multiple failures on the Test262 testers.
124         (Requested by mlewis13 on #webkit).
125
126         Reverted changesets:
127
128         "[WebAssembly][Modules] Prototype wasm import"
129         https://bugs.webkit.org/show_bug.cgi?id=184600
130         https://trac.webkit.org/changeset/230697
131
132         "[WebAssembly][Modules] Implement function import from wasm
133         modules"
134         https://bugs.webkit.org/show_bug.cgi?id=184689
135         https://trac.webkit.org/changeset/230720
136
137         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
138         https://bugs.webkit.org/show_bug.cgi?id=184703
139         https://trac.webkit.org/changeset/230724
140
141 2018-04-17  JF Bastien  <jfbastien@apple.com>
142
143         A put is not an ExistingProperty put when we transition a structure because of an attributes change
144         https://bugs.webkit.org/show_bug.cgi?id=184706
145         <rdar://problem/38871451>
146
147         Reviewed by Saam Barati.
148
149         * stress/put-by-id-direct-strict-transition.js: Added.
150         (const.foo):
151         (j.const.obj.set hello):
152         * stress/put-by-id-direct-transition.js: Added.
153         (const.foo):
154         (j.const.obj.set hello):
155         * stress/put-getter-setter-by-id-strict-transition.js: Added.
156         (const.foo):
157         (j.const.obj.set hello):
158         * stress/put-getter-setter-by-id-transition.js: Added.
159         (const.foo):
160         (j.const.obj.set hello):
161
162 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
163
164         PutStackSinkingPhase should know that KillStack means ConflictingFlush
165         https://bugs.webkit.org/show_bug.cgi?id=184672
166
167         Reviewed by Michael Saboff.
168
169         * stress/sink-put-stack-over-kill-stack.js: Added.
170         (avocado_1):
171         (apricot_0):
172         (__c_0):
173         (banana_2):
174
175 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
176
177         [JSC] Rename runWebAssembly to runWebAssemblySuite
178         https://bugs.webkit.org/show_bug.cgi?id=184703
179
180         Reviewed by JF Bastien.
181
182         And add runWebAssembly as a command to simplely run wasm modules.
183
184         * wasm.yaml:
185
186 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
187
188         [WebAssembly][Modules] Implement function import from wasm modules
189         https://bugs.webkit.org/show_bug.cgi?id=184689
190
191         Reviewed by JF Bastien.
192
193         * wasm.yaml:
194         * wasm/modules/js-wasm-cycle.js: Added.
195         * wasm/modules/js-wasm-cycle/entry.js: Added.
196         (from.string_appeared_here.export.return42):
197         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
198         * wasm/modules/js-wasm-cycle/sum.wat: Added.
199         * wasm/modules/run-from-wasm.wasm: Added.
200         * wasm/modules/run-from-wasm.wat: Added.
201         * wasm/modules/run-from-wasm/check.js: Added.
202         (export.check):
203         * wasm/modules/wasm-imports-js-exports.js: Added.
204         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
205         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
206         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
207         (export.sum):
208         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
209         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
210         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
211         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
212         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
213         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
214         * wasm/modules/wasm-imports-wasm-exports.js: Added.
215         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
216         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
217         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
218         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
219         * wasm/modules/wasm-js-cycle.js: Added.
220         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
221         * wasm/modules/wasm-js-cycle/entry.wat: Added.
222         * wasm/modules/wasm-js-cycle/sum.js: Added.
223         (from.string_appeared_here.export.sum):
224         * wasm/modules/wasm-wasm-cycle.js: Added.
225         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
226         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
227         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
228         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
229
230 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
231
232         [WebAssembly][Modules] Prototype wasm import
233         https://bugs.webkit.org/show_bug.cgi?id=184600
234
235         Reviewed by JF Bastien.
236
237         Add wasm and wat files since module loader want to load wasm files from FS.
238         Currently, importing the other modules from wasm is not supported.
239
240         * wasm.yaml:
241         * wasm/modules/constant.wasm: Added.
242         * wasm/modules/constant.wat: Added.
243         * wasm/modules/js-wasm-function-namespace.js: Added.
244         (assert.throws):
245         * wasm/modules/js-wasm-function.js: Added.
246         (assert.throws):
247         * wasm/modules/js-wasm-global-namespace.js: Added.
248         (assert.throws):
249         * wasm/modules/js-wasm-global.js: Added.
250         (assert.throws):
251         * wasm/modules/js-wasm-memory-namespace.js: Added.
252         (assert.throws):
253         * wasm/modules/js-wasm-memory.js: Added.
254         (assert.throws):
255         * wasm/modules/js-wasm-start.js: Added.
256         (then):
257         * wasm/modules/js-wasm-table-namespace.js: Added.
258         (assert.throws):
259         * wasm/modules/js-wasm-table.js: Added.
260         (assert.throws):
261         * wasm/modules/memory.wasm: Added.
262         * wasm/modules/memory.wat: Added.
263         * wasm/modules/start.wasm: Added.
264         * wasm/modules/start.wat: Added.
265         * wasm/modules/sum.wasm: Added.
266         * wasm/modules/sum.wat: Added.
267         * wasm/modules/table.wasm: Added.
268         * wasm/modules/table.wat: Added.
269
270 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
271
272         Function.prototype.caller shouldn't return generator bodies
273         https://bugs.webkit.org/show_bug.cgi?id=184630
274
275         Reviewed by Yusuke Suzuki.
276
277         * stress/function-caller-async-arrow-function-body.js: Added.
278         * stress/function-caller-async-function-body.js: Added.
279         * stress/function-caller-async-generator-body.js: Added.
280         * stress/function-caller-generator-body.js: Added.
281         * stress/function-caller-generator-method-body.js: Added.
282
283 2018-04-12  Tomas Popela  <tpopela@redhat.com>
284
285         Unreviewed, skip JIT tests if it isn't enabled
286
287         See https://bugs.webkit.org/show_bug.cgi?id=182730.
288
289         * stress/big-int-spec-to-primitive.js:
290         * stress/big-int-spec-to-this.js:
291
292 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
293
294         [ESNext][BigInt] Add support for BigInt in SpeculatedType
295         https://bugs.webkit.org/show_bug.cgi?id=182470
296
297         Reviewed by Saam Barati.
298
299         * stress/big-int-spec-to-primitive.js: Added.
300         * stress/big-int-spec-to-this.js: Added.
301         * stress/big-int-strict-equals-jit.js: Added.
302         * stress/big-int-strict-spec-to-this.js: Added.
303         * stress/big-int-type-of-proven-type.js: Added.
304
305 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
306
307         DFG AI and clobberize should agree with each other
308         https://bugs.webkit.org/show_bug.cgi?id=184440
309
310         Reviewed by Saam Barati.
311         
312         Add tests for all of the bugs I fixed.
313
314         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
315         (foo):
316         * stress/new-typed-array-cse-effects.js: Added.
317         (foo):
318         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
319         (foo.theO):
320         (foo):
321         * stress/string-from-char-code-change-structure-not-dead.js: Added.
322         (foo):
323         (i.valueOf):
324         (weirdValue.valueOf):
325         * stress/string-from-char-code-change-structure.js: Added.
326         (foo):
327         (i.valueOf):
328         (weirdValue.valueOf):
329
330 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
331
332         Fix errant Test262 files CRLF to LF for consistency with the original source
333         https://bugs.webkit.org/show_bug.cgi?id=184425
334
335         Reviewed by Yusuke Suzuki.
336
337         * test262/test/built-ins/Math/acosh/nan-returns.js:
338         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
339         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
340         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
341         * test262/test/built-ins/Math/cbrt/prop-desc.js:
342         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
343         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
344         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
345         * test262/test/built-ins/Math/log2/log2-basicTests.js:
346         * test262/test/built-ins/Math/sign/sign-specialVals.js:
347         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
348         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
349         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
350         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
351
352 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
353
354         Unreviewed, remove incorrect entry in test262.yaml
355         https://bugs.webkit.org/show_bug.cgi?id=184266
356
357         * test262.yaml:
358
359 2018-04-08  Valerie Young  <valerie@bocoup.com>
360
361         [JSC] Update Test262 to April 6 version
362         https://bugs.webkit.org/show_bug.cgi?id=184266
363
364         Rubber stamped by Yusuke Suzuki.
365
366 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
367
368         [JSC] Introduce op_get_by_id_direct
369         https://bugs.webkit.org/show_bug.cgi?id=183970
370
371         Reviewed by Filip Pizlo.
372
373         * stress/generator-prototype-copy.js: Added.
374         (gen):
375         (catch):
376         Adopted JF's tests.
377
378         * stress/generator-type-check.js: Added.
379         (shouldThrow):
380         (foo2):
381         (i.shouldThrow):
382         * stress/get-by-id-direct-getter.js: Added.
383         (shouldBe):
384         (shouldThrow):
385         (obj.get hello):
386         (builtin.createBuiltin):
387         (obj2.get length):
388         * stress/get-by-id-direct.js: Added.
389         (shouldBe):
390         (shouldThrow):
391         (builtin.createBuiltin):
392         * test262.yaml:
393         We fixed long-standing spec compatibility issue.
394         As a result, this patch makes several test262 tests passed!
395
396
397 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
398
399         Unreviewed, annotate test with @skip if $memoryLimited
400         https://bugs.webkit.org/show_bug.cgi?id=183894
401
402         * stress/json-stringified-overflow.js:
403
404 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
405
406         Add svn:eol-style to line-terminator-normalisation-CR.js
407         https://bugs.webkit.org/show_bug.cgi?id=184341
408
409         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
410
411 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
412
413         Unreviewed, remove errant LF from existing test262 test for CR line endings.
414
415         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
416
417 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
418
419         Unreviewed, rolling out r230320.
420
421         Revert fix, as the root cause lies elsewhere.
422
423         Reverted changeset:
424
425         "[test262] Mark line-terminator-normalisation-CR.js as a
426         binary file."
427         https://bugs.webkit.org/show_bug.cgi?id=184341
428         https://trac.webkit.org/changeset/230320
429
430 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
431
432         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
433         https://bugs.webkit.org/show_bug.cgi?id=184341
434
435         Reviewed by Yusuke Suzuki.
436
437         This test is all about CR line endings, but `svn-apply` can't deal with them.
438         Treating the file as binary ensures that its contents never are never shown in a diff.
439
440         * .gitattributes: Added.
441
442 2018-04-05  Robin Morisset  <rmorisset@apple.com>
443
444         Fix testcase (missing try/catch).
445         https://bugs.webkit.org/show_bug.cgi?id=183657
446
447         Unreviewed.
448
449         * stress/large-unshift-splice.js
450
451 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
452
453         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
454         https://bugs.webkit.org/show_bug.cgi?id=184319
455
456         Reviewed by Saam Barati.
457
458         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
459         (foo):
460         (bar):
461         * stress/array-push-nan-to-double-array.js: Added.
462         (foo):
463         (bar):
464
465 2018-04-03  Mark Lam  <mark.lam@apple.com>
466
467         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
468         https://bugs.webkit.org/show_bug.cgi?id=184284
469
470         Reviewed by Saam Barati.
471
472         * stress/js-fixed-array-out-of-memory.js:
473
474 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
475
476         JSC crash in JIT code with for-of loop and Array/Set iterators
477         https://bugs.webkit.org/show_bug.cgi?id=183174
478
479         Reviewed by Saam Barati.
480
481         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
482         (foo):
483         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
484         (f):
485
486 2018-03-30  JF Bastien  <jfbastien@apple.com>
487
488         WebAssembly: support DataView compilation
489         https://bugs.webkit.org/show_bug.cgi?id=183342
490
491         Reviewed by Mark Lam.
492
493         Test WebAssembly compilation using a DataView with offset.
494
495         * wasm/regress/183342.js: Added.
496         (attempt.catch):
497
498 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
499
500         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
501         https://bugs.webkit.org/show_bug.cgi?id=184189
502
503         Reviewed by JF Bastien.
504
505         * stress/load-hole-from-scope-into-live-var.js: Added.
506         (result.eval.try.switch):
507         (catch):
508
509 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
510
511         Unreviewed, rolling out r230102.
512
513         Caused assertion failures on JSC bots.
514
515         Reverted changeset:
516
517         "A stack overflow in the parsing of a builtin (called by
518         createExecutable) cause a crash instead of a catchable js
519         exception"
520         https://bugs.webkit.org/show_bug.cgi?id=184074
521         https://trac.webkit.org/changeset/230102
522
523 2018-03-30  Robin Morisset  <rmorisset@apple.com>
524
525         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
526         https://bugs.webkit.org/show_bug.cgi?id=183812
527
528         Reviewed by Keith Miller.
529
530         * stress/inlining-unreachable-non-tail.js: Added.
531         (foo.):
532         (foo):
533
534 2018-03-30  Robin Morisset  <rmorisset@apple.com>
535
536         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
537         https://bugs.webkit.org/show_bug.cgi?id=184074
538         <rdar://problem/37165897>
539
540         Reviewed by Keith Miller.
541
542         * stress/stack-overflow-while-parsing-builtin.js: Added.
543         (f):
544
545 2018-03-30  Robin Morisset  <rmorisset@apple.com>
546
547         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
548         https://bugs.webkit.org/show_bug.cgi?id=183657
549
550         Reviewed by Keith Miller.
551
552         * stress/large-unshift-splice.js: Added.
553         (make_contig_arr):
554
555 2018-03-28  Robin Morisset  <rmorisset@apple.com>
556
557         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
558         https://bugs.webkit.org/show_bug.cgi?id=183894
559
560         Reviewed by Saam Barati.
561
562         * stress/json-stringified-overflow.js: Added.
563         (catch):
564
565 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
566
567         DFG should know that CreateThis can be effectful
568         https://bugs.webkit.org/show_bug.cgi?id=184013
569
570         Reviewed by Saam Barati.
571
572         * stress/create-this-property-change.js: Added.
573         (Foo):
574         (RealBar):
575         (get if):
576         * stress/create-this-structure-change-without-cse.js: Added.
577         (Foo):
578         (RealBar):
579         (get if):
580         * stress/create-this-structure-change.js: Added.
581         (Foo):
582         (RealBar):
583         (get if):
584
585 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
586
587         [DFG] Introduces fused compare and jump
588         https://bugs.webkit.org/show_bug.cgi?id=177100
589
590         Reviewed by Mark Lam.
591
592         * stress/fused-jeq-slow.js: Added.
593         (shouldBe):
594         (testJEQ):
595         (testJNEQB):
596         (testJEQB):
597         (testJNEQF):
598         (testJEQF):
599         * stress/fused-jeq.js: Added.
600         (shouldBe):
601         (testJEQ):
602         (testJNEQB):
603         (testJEQB):
604         (testJNEQF):
605         (testJEQF):
606         * stress/fused-jstricteq-slow.js: Added.
607         (shouldBe):
608         (testJSTRICTEQ):
609         (testJNSTRICTEQB):
610         (testJSTRICTEQB):
611         (testJNSTRICTEQF):
612         (testJSTRICTEQF):
613         * stress/fused-jstricteq.js: Added.
614         (shouldBe):
615         (testJSTRICTEQ):
616         (testJNSTRICTEQB):
617         (testJSTRICTEQB):
618         (testJNSTRICTEQF):
619         (testJSTRICTEQF):
620
621 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
622
623         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
624         https://bugs.webkit.org/show_bug.cgi?id=183559
625
626         Reviewed by Mark Lam.
627
628         * stress/double-to-string-in-loop-removed.js: Added.
629         (test):
630         * stress/int32-to-string-in-loop-removed.js: Added.
631         (test):
632         * stress/int52-to-string-in-loop-removed.js: Added.
633         (test):
634
635 2018-03-22  Michael Saboff  <msaboff@apple.com>
636
637         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
638         https://bugs.webkit.org/show_bug.cgi?id=183901
639
640         Reviewed by Keith Miller.
641
642         New test.
643
644         * stress/array-reverse-doesnt-clobber.js: Added.
645         (testArrayReverse):
646         (createArrayOfArrays):
647         (createArrayStorage):
648
649 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
650
651         ScopedArguments should do poisoning and index masking
652         https://bugs.webkit.org/show_bug.cgi?id=183863
653
654         Reviewed by Mark Lam.
655         
656         Adds another stress test of scoped arguments.
657
658         * stress/scoped-arguments-test.js: Added.
659         (foo):
660
661 2018-03-20  Saam Barati  <sbarati@apple.com>
662
663         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
664         https://bugs.webkit.org/show_bug.cgi?id=183795
665         <rdar://problem/38298694>
666
667         Reviewed by JF Bastien.
668
669         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
670         (foo):
671         (bar):
672
673 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
674
675         [DFG][FTL] Add vectorLengthHint for NewArray
676         https://bugs.webkit.org/show_bug.cgi?id=183694
677
678         Reviewed by Saam Barati.
679
680         * stress/vector-length-hint-array-constructor.js: Added.
681         (shouldBe):
682         (test):
683         * stress/vector-length-hint-new-array.js: Added.
684         (shouldBe):
685         (test):
686
687 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
688
689         [DFG][FTL] Make ArraySlice(0) code tight
690         https://bugs.webkit.org/show_bug.cgi?id=183590
691
692         Reviewed by Saam Barati.
693
694         * stress/array-slice-with-zero.js: Added.
695         (shouldBe):
696         (test):
697         (test2):
698         * stress/array-slice-zero-args.js: Added.
699         (shouldBe):
700         (test):
701
702 2018-03-14  Caitlin Potter  <caitp@igalia.com>
703
704         [JSC] fix order of evaluation for ClassDefinitionEvaluation
705         https://bugs.webkit.org/show_bug.cgi?id=183523
706
707         Reviewed by Keith Miller.
708
709         Computed property names need to be evaluated in source order during class
710         definition evaluation, as it's observable (and specified to work this way).
711
712         This change improves compatibility with Chromium.
713
714         * stress/class_elements.js: Added.
715         (test):
716         (test.C.prototype.effect):
717         (test.C.effect):
718         (test.C.prototype.get effect):
719         (test.C.prototype.set effect):
720         (test.C):
721
722 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
723
724         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
725         https://bugs.webkit.org/show_bug.cgi?id=183310
726
727         Reviewed by Filip Pizlo.
728
729         * stress/ai-create-this-to-new-object-fire.js: Added.
730         (assert):
731         (test):
732         (func):
733         (check):
734         (test.body.A):
735         (test.body.B):
736         (test.body):
737         * stress/ai-create-this-to-new-object.js: Added.
738         (assert):
739         (test):
740         (func):
741         (check):
742         (test.body.A):
743         (test.body.B):
744         (test.body):
745
746 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
747
748         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
749         https://bugs.webkit.org/show_bug.cgi?id=181848
750
751         Reviewed by Sam Weinig.
752
753         * microbenchmarks/regexp-u-global-es5.js: Added.
754         (fn):
755         * microbenchmarks/regexp-u-global-es6.js: Added.
756         (fn):
757         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
758         (shouldBe):
759         (test):
760         (i.switch):
761         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
762         (shouldBe):
763         (test):
764
765 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
766
767         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
768         https://bugs.webkit.org/show_bug.cgi?id=183334
769
770         Reviewed by Žan Doberšek.
771
772         * stress/var-injection-cache-invalidation.js:
773
774 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
775
776         [ARM] Disable tests that run out of memory
777         https://bugs.webkit.org/show_bug.cgi?id=182699
778
779         Reviewed by Žan Doberšek.
780
781         Skip tests that run of of memory. Do not run
782         modules/module-jit-reachability.js without LLInt to prevent
783         running out of executable memory.
784
785         * modules.yaml:
786         * modules/module-jit-reachability.js:
787         * stress/has-own-property-name-cache-string-keys.js:
788         * stress/has-own-property-name-cache-symbol-keys.js:
789
790 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
791
792         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
793         https://bugs.webkit.org/show_bug.cgi?id=183173
794
795         Reviewed by Saam Barati.
796
797         * stress/async-arrow-function-in-class-heritage.js: Added.
798         (testSyntax):
799         (testSyntaxError):
800         (SyntaxError):
801
802 2018-03-01  Saam Barati  <sbarati@apple.com>
803
804         We need to clear cached structures when having a bad time
805         https://bugs.webkit.org/show_bug.cgi?id=183256
806         <rdar://problem/36245022>
807
808         Reviewed by Mark Lam.
809
810         * stress/having-a-bad-time-with-derived-arrays.js: Added.
811         (assert):
812         (defineSetter):
813         (iterate):
814         (doSlice):
815
816 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
817
818         JSC crash with `import("")`
819         https://bugs.webkit.org/show_bug.cgi?id=183175
820
821         Reviewed by Saam Barati.
822
823         * stress/import-with-empty-string.js: Added.
824
825 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
826
827         Unreviewed, skip FTL tests if FTL is disabled
828         https://bugs.webkit.org/show_bug.cgi?id=183071
829
830         * stress/has-indexed-property-array-storage-ftl.js:
831         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
832
833 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
834
835         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
836         https://bugs.webkit.org/show_bug.cgi?id=182965
837
838         Reviewed by Saam Barati.
839
840         * stress/put-by-val-array-storage.js: Added.
841         (shouldBe):
842         (testArrayStorageInBounds):
843         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
844         (shouldBe):
845         (testInt32.createBuiltin):
846         (set for):
847         * stress/put-by-val-slow-put-array-storage.js: Added.
848         (shouldBe):
849         (testArrayStorageInBounds):
850
851 2018-02-26  Saam Barati  <sbarati@apple.com>
852
853         validateStackAccess should not validate if the offset is within the stack bounds
854         https://bugs.webkit.org/show_bug.cgi?id=183067
855         <rdar://problem/37749988>
856
857         Reviewed by Mark Lam.
858
859         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
860         (assert):
861         (test.a):
862         (test.b):
863         (test):
864
865 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
866
867         Unreviewed, skip FTL tests if FTL is disabled
868         https://bugs.webkit.org/show_bug.cgi?id=183071
869
870         * stress/has-indexed-property-array-storage-ftl.js:
871         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
872
873 2018-02-23  Saam Barati  <sbarati@apple.com>
874
875         Make Number.isInteger an intrinsic
876         https://bugs.webkit.org/show_bug.cgi?id=183088
877
878         Reviewed by JF Bastien.
879
880         * stress/number-is-integer-intrinsic.js: Added.
881
882 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
883
884         WebAssembly: cache memory address / size on instance
885         https://bugs.webkit.org/show_bug.cgi?id=177305
886
887         Reviewed by JF Bastien.
888
889         * wasm/function-tests/memory-reuse.js: Added.
890         (createWasmInstance):
891         (doCheckTrap):
892         (doMemoryGrow):
893         (doCheck):
894         (checkWasmInstancesWithSharedMemory):
895
896 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
897
898         [JSC] Implement $vm.ftlTrue function for FTL testing
899         https://bugs.webkit.org/show_bug.cgi?id=183071
900
901         Reviewed by Mark Lam.
902
903         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
904         (foo):
905         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
906         (foo):
907         * stress/dead-fiat-value-to-int52.js:
908         (foo):
909         * stress/dead-osr-entry-value.js:
910         (foo):
911         * stress/fiat-value-to-int52-then-exit-not-double.js:
912         (foo):
913         * stress/fiat-value-to-int52-then-exit-not-int52.js:
914         (foo):
915         * stress/fiat-value-to-int52-then-fail-to-fold.js:
916         (foo):
917         * stress/fiat-value-to-int52-then-fold.js:
918         (foo):
919         * stress/fiat-value-to-int52.js:
920         (foo):
921         * stress/fold-based-on-int32-proof-mul-branch.js:
922         (foo):
923         * stress/fold-profiled-call-to-call.js:
924         (foo):
925         * stress/fold-to-double-constant-then-exit.js:
926         (foo):
927         * stress/fold-to-int52-constant-then-exit.js:
928         (foo):
929         * stress/fold-to-primitive-in-cfa.js:
930         (foo):
931         * stress/fold-to-primitive-to-identity-in-cfa.js:
932         (foo):
933         * stress/has-indexed-property-array-storage-ftl.js: Added.
934         (shouldBe):
935         (test1):
936         (test2):
937         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
938         (shouldBe):
939         (test1):
940         (test2):
941         * stress/int52-ai-add-then-filter-int32.js:
942         (foo):
943         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
944         (foo):
945         * stress/int52-ai-mul-then-filter-int32.js:
946         (foo):
947         * stress/int52-ai-neg-then-filter-int32.js:
948         (foo):
949         * stress/int52-ai-sub-then-filter-int32.js:
950         (foo):
951         * stress/licm-pre-header-cannot-exit-nested.js:
952         (foo):
953         * stress/licm-pre-header-cannot-exit.js:
954         (foo):
955         * stress/sparse-array-entry-update-144067.js:
956         (useMemoryToTriggerGCs):
957         * stress/test-spec-misc.js:
958         (foo):
959         * stress/tricky-array-bounds-checks.js:
960         (foo):
961
962 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
963
964         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
965         https://bugs.webkit.org/show_bug.cgi?id=182792
966
967         Reviewed by Mark Lam.
968
969         * stress/has-indexed-property-array-storage.js: Added.
970         (shouldBe):
971         (test1):
972         (test2):
973         * stress/has-indexed-property-slow-put-array-storage.js: Added.
974         (shouldBe):
975         (test1):
976         (test2):
977
978 2018-02-20  Saam Barati  <sbarati@apple.com>
979
980         DFG::VarargsForwardingPhase should eliminate getting argument length
981         https://bugs.webkit.org/show_bug.cgi?id=182959
982
983         Reviewed by Keith Miller.
984
985         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
986
987 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
988
989         [FTL] Support ArrayPush for ArrayStorage
990         https://bugs.webkit.org/show_bug.cgi?id=182782
991
992         Reviewed by Saam Barati.
993
994         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
995
996         * stress/array-push-array-storage-beyond-int32.js: Added.
997         (shouldBe):
998         (test):
999         * stress/array-push-array-storage.js: Added.
1000         (shouldBe):
1001         (test):
1002         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1003         (shouldBe):
1004         (test):
1005         * stress/array-push-multiple-storage-continuous.js: Added.
1006         (shouldBe):
1007         (test):
1008
1009 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1010
1011         [FTL] Support ArrayPop for ArrayStorage
1012         https://bugs.webkit.org/show_bug.cgi?id=182783
1013
1014         Reviewed by Saam Barati.
1015
1016         * stress/array-pop-array-storage.js: Added.
1017         (shouldBe):
1018         (test):
1019
1020 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1021
1022         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1023         https://bugs.webkit.org/show_bug.cgi?id=182731
1024
1025         Reviewed by Saam Barati.
1026
1027         * stress/arrayify-array-storage-array.js: Added.
1028         (shouldBe):
1029         (testArrayStorage):
1030         * stress/arrayify-array-storage-non-array.js: Added.
1031         (shouldBe):
1032         (testArrayStorage):
1033         * stress/arrayify-array-storage.js: Added.
1034         (shouldBe):
1035         (testArrayStorage):
1036         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1037         (shouldBe):
1038         (testArrayStorage):
1039         * stress/arrayify-slow-put-array-storage.js: Added.
1040         (shouldBe):
1041         (testArrayStorage):
1042
1043 2018-02-19  Saam Barati  <sbarati@apple.com>
1044
1045         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1046         https://bugs.webkit.org/show_bug.cgi?id=182942
1047         <rdar://problem/37584764>
1048
1049         Reviewed by Mark Lam.
1050
1051         * stress/get-prototype-create-this-effectful.js: Added.
1052
1053 2018-02-16  Saam Barati  <sbarati@apple.com>
1054
1055         Fix bugs from r228411
1056         https://bugs.webkit.org/show_bug.cgi?id=182851
1057         <rdar://problem/37577732>
1058
1059         Reviewed by JF Bastien.
1060
1061         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1062
1063 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1064
1065         Unreviewed, roll out r228366 since it did not progress anything.
1066
1067         * stress/gc-error-stack.js: Removed.
1068         * stress/no-gc-error-stack.js: Removed.
1069
1070 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1071
1072         Many stress tests fail with JIT disabled
1073         https://bugs.webkit.org/show_bug.cgi?id=182730
1074
1075         Reviewed by Saam Barati.
1076
1077         These tests are broken by design if the JIT is disabled - they test
1078         the return value of numberOfDFGCompiles(), which is always set to
1079         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1080
1081         * stress/arith-abs-on-various-types.js:
1082         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1083         * stress/arith-acos-on-various-types.js:
1084         * stress/arith-acosh-on-various-types.js:
1085         * stress/arith-asin-on-various-types.js:
1086         * stress/arith-asinh-on-various-types.js:
1087         * stress/arith-atan-on-various-types.js:
1088         * stress/arith-atanh-on-various-types.js:
1089         * stress/arith-cbrt-on-various-types.js:
1090         * stress/arith-ceil-on-various-types.js:
1091         * stress/arith-clz32-on-various-types.js:
1092         * stress/arith-cos-on-various-types.js:
1093         * stress/arith-cosh-on-various-types.js:
1094         * stress/arith-expm1-on-various-types.js:
1095         * stress/arith-floor-on-various-types.js:
1096         * stress/arith-fround-on-various-types.js:
1097         * stress/arith-log-on-various-types.js:
1098         * stress/arith-log10-on-various-types.js:
1099         * stress/arith-log2-on-various-types.js:
1100         * stress/arith-negate-on-various-types.js:
1101         * stress/arith-round-on-various-types.js:
1102         * stress/arith-sin-on-various-types.js:
1103         * stress/arith-sinh-on-various-types.js:
1104         * stress/arith-sqrt-on-various-types.js:
1105         * stress/arith-tan-on-various-types.js:
1106         * stress/arith-tanh-on-various-types.js:
1107         * stress/arith-trunc-on-various-types.js:
1108         * stress/compare-strict-eq-on-various-types.js:
1109
1110 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1111
1112         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1113
1114         Unreviewed test gardening.
1115
1116         * stress/new-largeish-contiguous-array-with-size.js:
1117
1118 2018-02-14  Saam Barati  <sbarati@apple.com>
1119
1120         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1121         https://bugs.webkit.org/show_bug.cgi?id=182801
1122
1123         Reviewed by Keith Miller.
1124
1125         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1126
1127 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1128
1129         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1130         https://bugs.webkit.org/show_bug.cgi?id=182526
1131
1132         Unreviewed test gardening.
1133
1134         * stress/activation-sink-default-value-tdz-error.js:
1135
1136 2018-02-13  Saam Barati  <sbarati@apple.com>
1137
1138         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1139         https://bugs.webkit.org/show_bug.cgi?id=182755
1140         <rdar://problem/37080864>
1141
1142         Reviewed by Keith Miller.
1143
1144         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1145         (test1.o.get 10005):
1146         (test1):
1147         (test2.o.get 1000):
1148         (test2):
1149
1150 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1151
1152         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1153         https://bugs.webkit.org/show_bug.cgi?id=182717
1154
1155         Reviewed by Yusuke Suzuki.
1156
1157         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1158         literals, to allow template callsite arrays to be collected when the
1159         code containing the tagged template call is collected. This spec change
1160         has received concensus and been ratified.
1161
1162         This change eliminates the eternal map associating template contents
1163         with arrays.
1164
1165         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1166         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1167         * stress/tagged-templates-identity.js:
1168         * stress/template-string-tags-eval.js:
1169         * test262.yaml:
1170
1171 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1172
1173         Support GetArrayLength on ArrayStorage in the FTL
1174         https://bugs.webkit.org/show_bug.cgi?id=182625
1175
1176         Reviewed by Saam Barati.
1177
1178         * stress/array-storage-length.js: Added.
1179         (shouldBe):
1180         (testInBound):
1181         (testUncountable):
1182         (testSlowPutInBound):
1183         (testSlowPutUncountable):
1184         * stress/undecided-length.js: Added.
1185         (shouldBe):
1186         (test2):
1187
1188 2018-02-12  Saam Barati  <sbarati@apple.com>
1189
1190         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1191         https://bugs.webkit.org/show_bug.cgi?id=182706
1192         <rdar://problem/36833681>
1193
1194         Reviewed by Filip Pizlo.
1195
1196         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1197         (effects):
1198         (foo):
1199
1200 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1201
1202         Don't waste memory for error.stack
1203         https://bugs.webkit.org/show_bug.cgi?id=182656
1204
1205         Reviewed by Saam Barati.
1206         
1207         Tests the policy.
1208
1209         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1210         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1211
1212 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1213
1214         [JSC] Update Test262 to Feb 9 version
1215         https://bugs.webkit.org/show_bug.cgi?id=182468
1216
1217         Reviewed by Saam Barati.
1218
1219 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1220
1221         Unreviewed, fix invalid line terminator in old test262 file part 2
1222         https://bugs.webkit.org/show_bug.cgi?id=182468
1223
1224         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1225
1226 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1227
1228         Unreviewed, fix invalid line terminator in old test262 file
1229         https://bugs.webkit.org/show_bug.cgi?id=182468
1230
1231         * test262/test/language/literals/regexp/7.8.5-1.js:
1232
1233 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1234
1235         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1236         https://bugs.webkit.org/show_bug.cgi?id=182440
1237
1238         Reviewed by Darin Adler.
1239
1240         * stress/array-flatmap.js: Added.
1241         (shouldBe):
1242         (shouldBeArray):
1243         (shouldThrow):
1244         (var):
1245         * stress/array-flatten.js: Added.
1246         (shouldBe):
1247         (shouldBeArray):
1248         * test262.yaml:
1249         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1250         (3.flatMap):
1251         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1252
1253 2018-02-06  Keith Miller  <keith_miller@apple.com>
1254
1255         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1256         https://bugs.webkit.org/show_bug.cgi?id=182549
1257         <rdar://problem/36189995>
1258
1259         Reviewed by Saam Barati.
1260
1261         * stress/var-injection-cache-invalidation.js: Added.
1262         (allocateLotsOfThings):
1263         (test):
1264
1265 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1266
1267         Unreviewed, follow up for test262 update
1268         https://bugs.webkit.org/show_bug.cgi?id=182288
1269
1270         * test262.yaml:
1271
1272 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1273
1274         Update test262 to Jan 30 version
1275         https://bugs.webkit.org/show_bug.cgi?id=182288
1276
1277         Unreviewed test gardening.
1278
1279         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1280
1281 2018-02-02  Saam Barati  <sbarati@apple.com>
1282
1283         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1284         https://bugs.webkit.org/show_bug.cgi?id=182368
1285         <rdar://problem/36932466>
1286
1287         Reviewed by Mark Lam.
1288
1289         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1290         (runNearStackLimit.t):
1291         (runNearStackLimit):
1292         (try.runNearStackLimit):
1293         (catch):
1294
1295 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1296
1297         Update test262 to Jan 30 version
1298         https://bugs.webkit.org/show_bug.cgi?id=182288
1299
1300         Rubber stamped by Saam Barati.
1301
1302         This patch updates test262 to the latest one, Jan 30 version.
1303         Since added and changed files are too many, we cannot create ChangeLog.
1304         The following files are changed.
1305
1306         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1307         including some special line terminators (like u2028, u2029).
1308
1309         * test262.yaml:
1310         * test262/test262-Revision.txt:
1311         * test262/*:
1312
1313 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1314
1315         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1316         https://bugs.webkit.org/show_bug.cgi?id=182411
1317
1318         Reviewed by Carlos Alberto Lopez Perez.
1319
1320         This is skipped only on arm memory limited platforms. Until recently
1321         it was not a problem on MIPS as the butterfly was not initialized. But
1322         since r227435, the butterfly is initialized in that test and therefore
1323         memory is allocated, and the test typically takes around 512M, which
1324         means it generally gets OOM-killed on the MIPS buildbot.
1325
1326         * mozilla/mozilla-tests.yaml:
1327
1328 2018-02-01  Mark Lam  <mark.lam@apple.com>
1329
1330         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1331         https://bugs.webkit.org/show_bug.cgi?id=182419
1332         <rdar://problem/37044945>
1333
1334         Reviewed by Saam Barati.
1335
1336         * stress/regress-182419.js: Added.
1337
1338 2018-02-01  Keith Miller  <keith_miller@apple.com>
1339
1340         Fix crashes due to mishandling custom sections.
1341         https://bugs.webkit.org/show_bug.cgi?id=182404
1342         <rdar://problem/36935863>
1343
1344         Reviewed by Saam Barati.
1345
1346         * wasm/Builder.js:
1347         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1348         * wasm/js-api/validate.js:
1349         (assert.truthy):
1350
1351 2018-01-31  Saam Barati  <sbarati@apple.com>
1352
1353         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1354         https://bugs.webkit.org/show_bug.cgi?id=182074
1355         <rdar://problem/36846261>
1356
1357         Reviewed by Mark Lam.
1358
1359         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1360         (assert):
1361         (let.func):
1362         (let.o.foo):
1363         (varFunc):
1364
1365 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1366
1367         Unreviewed, update test262 expects
1368         https://bugs.webkit.org/show_bug.cgi?id=182232
1369
1370         * test262.yaml:
1371
1372 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1373
1374         [JSC] Implement trimStart and trimEnd
1375         https://bugs.webkit.org/show_bug.cgi?id=182233
1376
1377         Reviewed by Mark Lam.
1378
1379         * stress/trim.js: Added.
1380         (shouldBe):
1381         (startTest):
1382         (endTest):
1383         (trimTest):
1384
1385 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1386
1387         [JSC] Relax line terminators in String to make JSON subset of JS
1388         https://bugs.webkit.org/show_bug.cgi?id=182232
1389
1390         Reviewed by Keith Miller.
1391
1392         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1393         * stress/relaxed-line-terminators-in-string.js: Added.
1394         (shouldBe):
1395
1396 2018-01-29  Michael Saboff  <msaboff@apple.com>
1397
1398         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1399         https://bugs.webkit.org/show_bug.cgi?id=182249
1400
1401         Reviewed by Keith Miller.
1402
1403         New regression test.
1404
1405         * stress/compare-clobber-untypeduse.js: Added.
1406
1407 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1408
1409         Unreviewed, rolling out r227725.
1410
1411         This caused internal failures.
1412
1413         Reverted changeset:
1414
1415         "JSC Sampling Profiler: Detect tester and testee when sampling
1416         in RegExp JIT"
1417         https://bugs.webkit.org/show_bug.cgi?id=152729
1418         https://trac.webkit.org/changeset/227725
1419
1420 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1421
1422         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1423         https://bugs.webkit.org/show_bug.cgi?id=152729
1424
1425         Reviewed by Saam Barati.
1426
1427         * stress/sampling-profiler-regexp.js: Added.
1428         (platformSupportsSamplingProfiler.test):
1429         (platformSupportsSamplingProfiler.baz):
1430         (platformSupportsSamplingProfiler):
1431
1432 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1433
1434         [DFG][FTL] WeakMap#set should have DFG node
1435         https://bugs.webkit.org/show_bug.cgi?id=180015
1436
1437         Reviewed by Saam Barati.
1438
1439         * stress/weakmap-set-change-get.js: Added.
1440         (shouldBe):
1441         (test):
1442         * stress/weakmap-set-cse.js: Added.
1443         (shouldBe):
1444         (test):
1445         * stress/weakset-add-change-get.js: Added.
1446         (shouldBe):
1447         * stress/weakset-add-cse.js: Added.
1448         (shouldBe):
1449
1450 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1451
1452         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1453         https://bugs.webkit.org/show_bug.cgi?id=182213
1454
1455         Reviewed by Mark Lam.
1456
1457         * stress/int32-min-to-string.js: Added.
1458         (shouldBe):
1459         (test2):
1460         (test4):
1461         (test8):
1462         (test16):
1463         (test32):
1464         * stress/zero-to-string.js: Added.
1465         (shouldBe):
1466         (test2):
1467         (test4):
1468         (test8):
1469         (test16):
1470         (test32):
1471
1472 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1473
1474         Add more module scope related tests with code evaluation by string
1475         https://bugs.webkit.org/show_bug.cgi?id=181983
1476
1477         Reviewed by Sam Weinig.
1478
1479         Add more module scope related tests. When the original tests are landed,
1480         we do not have browser integration. This patch adds more module scope tests
1481         with dynamically created script evaluation. We add tests with Function
1482         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1483
1484         * modules/scopes-eval.js: Added.
1485         (shouldBe):
1486         * modules/scopes.js:
1487         (shouldBe):
1488
1489 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1490
1491         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1492
1493         * microbenchmarks/array-push-3.js: Removed.
1494         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1495         * microbenchmarks/double-to-int32.js: Removed.
1496         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1497         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1498         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1499         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1500         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1501         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1502         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1503         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1504         * microbenchmarks/map-constant-key.js: Removed.
1505         * microbenchmarks/nested-function-parsing.js: Removed.
1506         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1507         * microbenchmarks/spread-large-array.js: Removed.
1508         * microbenchmarks/string-add-constant-folding.js: Removed.
1509         * microbenchmarks/to-lower-case.js: Removed.
1510         * microbenchmarks/undefined-property-access.js: Removed.
1511         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1512         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1513         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1514         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1515         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1516         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1517         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1518         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1519         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1520         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1521         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1522         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1523         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1524         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1525         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1526         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1527         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1528         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1529
1530 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1531
1532         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1533         https://bugs.webkit.org/show_bug.cgi?id=181739
1534         <rdar://problem/36627662>
1535
1536         Reviewed by Saam Barati.
1537
1538         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1539         (foo):
1540         (bar):
1541
1542 2018-01-22  Michael Saboff  <msaboff@apple.com>
1543
1544         DFG abstract interpreter needs to properly model effects of some Math ops
1545         https://bugs.webkit.org/show_bug.cgi?id=181886
1546
1547         Reviewed by Saam Barati.
1548
1549         New regression test.
1550
1551         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1552         (test):
1553
1554 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1555
1556         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1557         https://bugs.webkit.org/show_bug.cgi?id=181182
1558
1559         Reviewed by Darin Adler.
1560
1561         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1562         * stress/big-int-prototype-to-string-exception.js: Added.
1563         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1564         * stress/number-prototype-to-string-cast-overflow.js: Added.
1565         * stress/number-prototype-to-string-exception.js: Added.
1566         * stress/number-prototype-to-string-wrong-values.js: Added.
1567
1568 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1569
1570         Disable Atomics when SharedArrayBuffer isn’t enabled
1571         https://bugs.webkit.org/show_bug.cgi?id=181572
1572
1573         Unreviewed test gardening.
1574
1575         * test262.yaml: Skip tests that fail after this change.
1576
1577 2018-01-19  Saam Barati  <sbarati@apple.com>
1578
1579         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1580         https://bugs.webkit.org/show_bug.cgi?id=181877
1581         <rdar://problem/36630552>
1582
1583         Reviewed by Mark Lam.
1584
1585         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1586         (runNearStackLimit):
1587         (f1):
1588         (f2):
1589         (f3):
1590         (i.catch):
1591         (i.try.runNearStackLimit):
1592         (catch):
1593
1594 2018-01-19  Saam Barati  <sbarati@apple.com>
1595
1596         Spread's effects are modeled incorrectly both in AI and in Clobberize
1597         https://bugs.webkit.org/show_bug.cgi?id=181867
1598         <rdar://problem/36290415>
1599
1600         Reviewed by Michael Saboff.
1601
1602         * stress/ai-needs-to-model-spreads-effects.js: Added.
1603         (try.p.Symbol.iterator):
1604         (try.go):
1605         (catch):
1606         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1607         (assert):
1608         (foo):
1609         (a.Symbol.iterator):
1610
1611 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1612
1613         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1614         https://bugs.webkit.org/show_bug.cgi?id=181535
1615
1616         * stress/inserted-recovery-with-set-last-index.js:
1617
1618 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1619
1620         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1621         https://bugs.webkit.org/show_bug.cgi?id=181535
1622
1623         Reviewed by Saam Barati.
1624
1625         * stress/inserted-recovery-with-set-last-index.js: Added.
1626         (shouldBe):
1627         (foo):
1628         * stress/materialize-regexp-at-osr-exit.js: Added.
1629         (shouldBe):
1630         (test):
1631         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1632         (shouldBe):
1633         (test):
1634         * stress/materialize-regexp-cyclic-regexp.js: Added.
1635         (shouldBe):
1636         (test):
1637         (i.switch):
1638         * stress/materialize-regexp-cyclic.js: Added.
1639         (shouldBe):
1640         (test):
1641         (i.switch):
1642         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1643         (bar):
1644         (foo):
1645         (test):
1646         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1647         (bar):
1648         (foo):
1649         (test):
1650         * stress/materialize-regexp.js: Added.
1651         (shouldBe):
1652         (test):
1653         * stress/phantom-regexp-regexp-exec.js: Added.
1654         (shouldBe):
1655         (test):
1656         * stress/phantom-regexp-string-match.js: Added.
1657         (shouldBe):
1658         (test):
1659         * stress/regexp-last-index-sinking.js: Added.
1660         (shouldBe):
1661         (test):
1662
1663 2018-01-17  Saam Barati  <sbarati@apple.com>
1664
1665         Disable Atomics when SharedArrayBuffer isn’t enabled
1666         https://bugs.webkit.org/show_bug.cgi?id=181572
1667         <rdar://problem/36553206>
1668
1669         Reviewed by Michael Saboff.
1670
1671         * stress/isLockFree.js:
1672
1673 2018-01-17  Saam Barati  <sbarati@apple.com>
1674
1675         DFG::Node::convertToConstant needs to clear the varargs flags
1676         https://bugs.webkit.org/show_bug.cgi?id=181697
1677         <rdar://problem/36497332>
1678
1679         Reviewed by Yusuke Suzuki.
1680
1681         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1682         (doIndexOf):
1683         (bar):
1684         (i.bar):
1685
1686 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1687
1688         Unreviewed, rolling out r226937.
1689
1690         Tests added with this change are failing due to a missing
1691         exception check.
1692
1693         Reverted changeset:
1694
1695         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1696         double to int32_t"
1697         https://bugs.webkit.org/show_bug.cgi?id=181182
1698         https://trac.webkit.org/changeset/226937
1699
1700 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1701
1702         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1703         https://bugs.webkit.org/show_bug.cgi?id=181182
1704
1705         Reviewed by Darin Adler.
1706
1707         * bigIntTests.yaml:
1708         * stress/big-int-constructor.js:
1709         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1710         (assert):
1711         (assertThrowRangeError):
1712         * stress/number-prototype-to-string-cast-overflow.js: Added.
1713         (assert):
1714         (assertThrowRangeError):
1715
1716 2018-01-12  Saam Barati  <sbarati@apple.com>
1717
1718         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1719         https://bugs.webkit.org/show_bug.cgi?id=181177
1720         <rdar://problem/36205704>
1721
1722         Reviewed by Yusuke Suzuki.
1723
1724         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1725         (runNearStackLimit.t):
1726         (runNearStackLimit):
1727         (test.f):
1728         (test):
1729
1730 2018-01-12  Saam Barati  <sbarati@apple.com>
1731
1732         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1733         https://bugs.webkit.org/show_bug.cgi?id=181562
1734         <rdar://problem/36445624>
1735
1736         Reviewed by Yusuke Suzuki.
1737
1738         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1739         (f):
1740         (foo):
1741
1742 2018-01-11  Saam Barati  <sbarati@apple.com>
1743
1744         When inserting Unreachable in byte code parser we need to flush all the right things
1745         https://bugs.webkit.org/show_bug.cgi?id=181509
1746         <rdar://problem/36423110>
1747
1748         Reviewed by Mark Lam.
1749
1750         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1751
1752 2018-01-11  Saam Barati  <sbarati@apple.com>
1753
1754         JITMathIC code in the FTL is wrong when code gets duplicated
1755         https://bugs.webkit.org/show_bug.cgi?id=181525
1756         <rdar://problem/36351993>
1757
1758         Reviewed by Michael Saboff and Keith Miller.
1759
1760         * stress/allow-math-ic-b3-code-duplication.js: Added.
1761
1762 2018-01-11  Saam Barati  <sbarati@apple.com>
1763
1764         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1765         https://bugs.webkit.org/show_bug.cgi?id=181508
1766
1767         Reviewed by Yusuke Suzuki.
1768
1769         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1770         (assert):
1771         (test1.foo):
1772         (test1):
1773         (test2.foo):
1774         (test2):
1775
1776 2018-01-09  Mark Lam  <mark.lam@apple.com>
1777
1778         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1779         https://bugs.webkit.org/show_bug.cgi?id=181388
1780         <rdar://problem/36349351>
1781
1782         Reviewed by Saam Barati.
1783
1784         * stress/regress-181388.js: Added.
1785
1786 2018-01-08  JF Bastien  <jfbastien@apple.com>
1787
1788         WebAssembly: mask indexed accesses to Table
1789         https://bugs.webkit.org/show_bug.cgi?id=181412
1790         <rdar://problem/36363236>
1791
1792         Reviewed by Saam Barati.
1793
1794         Update error messages.
1795
1796         * wasm/js-api/table.js:
1797         (assert.throws.WebAssembly.Table.prototype.grow):
1798
1799 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1800
1801         Disable SharedArrayBuffer tests missed in r226386.
1802         https://bugs.webkit.org/show_bug.cgi?id=181266
1803
1804         Unreviewed test gardening.
1805
1806         * test262.yaml:
1807
1808 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1809
1810         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1811         https://bugs.webkit.org/show_bug.cgi?id=181321
1812
1813         Reviewed by Saam Barati.
1814
1815         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1816         (shouldBe):
1817         (testFunction):
1818         * test262.yaml:
1819
1820 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1821
1822         Unreviewed, attempt to fix test262 after r226386.
1823
1824         * test262.yaml:
1825
1826 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1827
1828         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1829         https://bugs.webkit.org/show_bug.cgi?id=179911
1830
1831         Reviewed by Saam Barati.
1832
1833         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1834
1835         * stress/map-set-change-get.js: Added.
1836         (shouldBe):
1837         (test):
1838         * stress/map-set-create-bucket.js: Added.
1839         (shouldBe):
1840         (test):
1841         * stress/set-add-create-bucket.js: Added.
1842         (shouldBe):
1843
1844 2018-01-03  Michael Saboff  <msaboff@apple.com>
1845
1846         Disable SharedArrayBuffers from Web API
1847         https://bugs.webkit.org/show_bug.cgi?id=181266
1848
1849         Reviewed by Saam Barati.
1850
1851         Disabled SharedArrayBuffer tests.
1852
1853         * stress/SharedArrayBuffer-opt.js:
1854         * stress/SharedArrayBuffer.js:
1855         * stress/array-buffer-byte-length.js:
1856         * stress/atomics-add-uint32.js:
1857         * stress/atomics-known-int-use.js:
1858         * stress/atomics-neg-zero.js:
1859         * stress/atomics-store-return.js:
1860         * stress/lars-sab-workers.js:
1861         * stress/regress-159779-1.js:
1862         * stress/regress-159779-2.js:
1863         * stress/regress-170473.js:
1864         * test262.yaml:
1865
1866 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1867
1868         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1869         https://bugs.webkit.org/show_bug.cgi?id=181258
1870
1871         Reviewed by Antonio Gomes.
1872
1873         * stress/big-int-constructor-gc.js:
1874         * stress/big-int-constructor-oom.js:
1875
1876 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1877
1878         Inlining of a function that ends in op_unreachable crashes
1879         https://bugs.webkit.org/show_bug.cgi?id=181027
1880
1881         Reviewed by Filip Pizlo.
1882
1883         * stress/inlining-unreachable.js: Added.
1884         (bar):
1885         (baz):
1886         (i.catch):
1887
1888 2018-01-02  Saam Barati  <sbarati@apple.com>
1889
1890         Incorrect assertion inside AccessCase
1891         https://bugs.webkit.org/show_bug.cgi?id=181200
1892         <rdar://problem/35494754>
1893
1894         Reviewed by Yusuke Suzuki.
1895
1896         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1897         (ctor):
1898         (theFunc):
1899         (run):
1900
1901 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1902
1903         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1904         https://bugs.webkit.org/show_bug.cgi?id=175359
1905
1906         Reviewed by Yusuke Suzuki.
1907
1908         * bigIntTests.yaml:
1909         * stress/big-int-as-key.js: Added.
1910         * stress/big-int-constructor-gc.js: Added.
1911         * stress/big-int-constructor-oom.js: Added.
1912         * stress/big-int-constructor-properties.js: Added.
1913         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1914         * stress/big-int-constructor-prototype.js: Added.
1915         * stress/big-int-constructor.js: Added.
1916         * stress/big-int-function-apply.js:
1917         * stress/big-int-length.js: Added.
1918         * stress/big-int-prop-descriptor.js: Added.
1919         * stress/big-int-proto-constructor.js: Added.
1920         * stress/big-int-proto-name.js: Added.
1921         * stress/big-int-prototype-properties.js: Added.
1922         * stress/big-int-prototype-proto.js: Added.
1923         * stress/big-int-prototype-value-of.js: Added.
1924         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1925         * stress/big-int-prototype-to-string-apply.js: Added.
1926         * stress/big-int-to-object.js: Added.
1927         * stress/big-int-to-string.js: Added.
1928
1929 2017-12-28  Saam Barati  <sbarati@apple.com>
1930
1931         Assertion used to determine if something is an async generator is wrong
1932         https://bugs.webkit.org/show_bug.cgi?id=181168
1933         <rdar://problem/35640560>
1934
1935         Reviewed by Yusuke Suzuki.
1936
1937         * stress/async-generator-assertion.js: Added.
1938
1939 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1940
1941         Skip stress/splay-flash-access tests on memory limited platforms
1942         https://bugs.webkit.org/show_bug.cgi?id=181086
1943
1944         Reviewed by Carlos Alberto Lopez Perez.
1945
1946         These tests use about 185M of memory, and occasionally get OOM-killed
1947         on memory limited platforms.
1948
1949         * stress/splay-flash-access-1ms.js:
1950         * stress/splay-flash-access.js:
1951
1952 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1953
1954         Skip slow jsc tests on embedded platforms
1955         https://bugs.webkit.org/show_bug.cgi?id=180937
1956
1957         Reviewed by Carlos Alberto Lopez Perez.
1958
1959         The tests typeProfiler/deltablue-for-of.js and
1960         typeProfiler/getter-richards.js take a very long time in the
1961         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1962         thus always timeout. They should be skipped on these platforms.
1963
1964         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1965         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1966
1967 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1968
1969         [JSC] Do not check isValid() in op_new_regexp
1970         https://bugs.webkit.org/show_bug.cgi?id=180970
1971
1972         Reviewed by Saam Barati.
1973
1974         * stress/regexp-syntax-error-invalid-flags.js: Added.
1975         (shouldThrow):
1976
1977 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1978
1979         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1980         https://bugs.webkit.org/show_bug.cgi?id=180712
1981
1982         Reviewed by Michael Catanzaro.
1983
1984         stress/call-apply-exponential-bytecode-size.js crashes if the
1985         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1986         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1987         should skip the test on other platforms.
1988
1989         * stress/call-apply-exponential-bytecode-size.js:
1990
1991 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1992
1993         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1994         https://bugs.webkit.org/show_bug.cgi?id=179762
1995
1996         Reviewed by Saam Barati.
1997
1998         * stress/call-varargs-double-new-array-buffer.js: Added.
1999         (assert):
2000         (bar):
2001         (foo):
2002         * stress/call-varargs-spread-new-array-buffer.js: Added.
2003         (assert):
2004         (bar):
2005         (foo):
2006         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2007         (assert):
2008         (bar):
2009         (foo):
2010         * stress/forward-varargs-double-new-array-buffer.js: Added.
2011         (assert):
2012         (test.baz):
2013         (test.bar):
2014         (test.foo):
2015         (test):
2016         * stress/new-array-buffer-sinking-osrexit.js: Added.
2017         (target):
2018         (test):
2019         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2020         (shouldBe):
2021         (test):
2022         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2023         (shouldBe):
2024         (target):
2025         (test):
2026         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2027         (assert):
2028         (test1.bar):
2029         (test1.foo):
2030         (test1):
2031         (test2.bar):
2032         (test2.foo):
2033         (test3.baz):
2034         (test3.bar):
2035         (test3.foo):
2036         (test4.baz):
2037         (test4.bar):
2038         (test4.foo):
2039         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2040         (assert):
2041         (test.baz):
2042         (test.bar):
2043         (test.foo):
2044         (test):
2045         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2046         (assert):
2047         (baz):
2048         (bar):
2049         (effects):
2050         (foo):
2051
2052 2017-12-14  Saam Barati  <sbarati@apple.com>
2053
2054         The CleanUp after LICM is erroneously removing a Check
2055         https://bugs.webkit.org/show_bug.cgi?id=180852
2056         <rdar://problem/36063494>
2057
2058         Reviewed by Filip Pizlo.
2059
2060         * stress/dont-run-cleanup-after-licm.js: Added.
2061
2062 2017-12-14  Michael Saboff  <msaboff@apple.com>
2063
2064         REGRESSION (r225695): Repro crash on yahoo login page
2065         https://bugs.webkit.org/show_bug.cgi?id=180761
2066
2067         Reviewed by JF Bastien.
2068
2069         New regression test.
2070
2071         * stress/regress-180761.js: Added.
2072
2073 2017-12-13  Keith Miller  <keith_miller@apple.com>
2074
2075         JSObjects should have a mask for loading indexed properties
2076         https://bugs.webkit.org/show_bug.cgi?id=180768
2077
2078         Reviewed by Mark Lam.
2079
2080         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2081         (test):
2082
2083 2017-12-13  Saam Barati  <sbarati@apple.com>
2084
2085         Arrow functions need their own structure because they have different properties than sloppy functions
2086         https://bugs.webkit.org/show_bug.cgi?id=180779
2087         <rdar://problem/35814591>
2088
2089         Reviewed by Mark Lam.
2090
2091         * stress/arrow-function-needs-its-own-structure.js: Added.
2092         (assert):
2093         (readPrototype):
2094         (noInline.let.f1):
2095         (noInline):
2096
2097 2017-12-13  Saam Barati  <sbarati@apple.com>
2098
2099         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2100         https://bugs.webkit.org/show_bug.cgi?id=163579
2101         <rdar://problem/35455798>
2102
2103         Reviewed by Mark Lam.
2104
2105         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2106         (assert):
2107         (test1):
2108         (i.test1):
2109         (i.test1.C):
2110         (i.test1.async.foo):
2111         (i.test1.foo):
2112         (test2):
2113
2114 2017-12-13  Saam Barati  <sbarati@apple.com>
2115
2116         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2117         https://bugs.webkit.org/show_bug.cgi?id=180734
2118         <rdar://problem/35640547>
2119
2120         Reviewed by Yusuke Suzuki.
2121
2122         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2123         (__isPropertyOfType):
2124         (__getProperties):
2125         (__getObjects):
2126         (__getRandomObject):
2127         (theClass.):
2128         (theClass):
2129         (childClass):
2130         (counter.catch):
2131
2132 2017-12-12  Saam Barati  <sbarati@apple.com>
2133
2134         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2135         https://bugs.webkit.org/show_bug.cgi?id=180725
2136         <rdar://problem/35970511>
2137
2138         Reviewed by Michael Saboff.
2139
2140         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2141         (f1):
2142         (f2):
2143         (let.o2.valueOf):
2144
2145 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2146
2147         [JSC] Implement optimized WeakMap and WeakSet
2148         https://bugs.webkit.org/show_bug.cgi?id=179929
2149
2150         Reviewed by Saam Barati.
2151
2152         * microbenchmarks/weak-map-key.js:
2153         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2154         (assert):
2155         (objectKey):
2156         (let.start.Date.now):
2157         * stress/basic-weakmap.js: Added.
2158         (shouldBe):
2159         (test):
2160         * stress/basic-weakset.js: Added.
2161         (shouldBe):
2162         (test.set new):
2163         * stress/weakmap-cse-set-break.js: Added.
2164         (shouldBe):
2165         (test):
2166         * stress/weakmap-cse.js: Added.
2167         (shouldBe):
2168         (test):
2169         * stress/weakmap-gc.js: Added.
2170         (test):
2171         * stress/weakset-cse-add-break.js: Added.
2172         (shouldBe):
2173         (test.set new):
2174         * stress/weakset-cse.js: Added.
2175         (shouldBe):
2176         (test.set new):
2177         * stress/weakset-gc.js: Added.
2178         (test.set add):
2179         (test.set new):
2180         (test):
2181
2182 2017-12-12  Saam Barati  <sbarati@apple.com>
2183
2184         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2185         https://bugs.webkit.org/show_bug.cgi?id=180723
2186         <rdar://problem/35859726>
2187
2188         Reviewed by JF Bastien.
2189
2190         * stress/get-my-argument-by-val-constant-folding.js: Added.
2191         (test):
2192         (catch):
2193
2194 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2195
2196         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2197         https://bugs.webkit.org/show_bug.cgi?id=179000
2198
2199         Reviewed by Darin Adler and Yusuke Suzuki.
2200
2201         * bigIntTests.yaml: Added.
2202         * stress/big-int-literal-line-terminator.js: Added.
2203         * stress/big-int-literals.js: Added.
2204         * stress/big-int-operations-error.js: Added.
2205         * stress/big-int-type-of.js: Added.
2206         * stress/big-int-white-space-trailing-leading.js: Added.
2207         * stress/big-int-function-apply.js: Added.
2208
2209 2017-12-11  Saam Barati  <sbarati@apple.com>
2210
2211         We need to disableCaching() in ErrorInstance when we materialize properties
2212         https://bugs.webkit.org/show_bug.cgi?id=180343
2213         <rdar://problem/35833002>
2214
2215         Reviewed by Mark Lam.
2216
2217         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2218         (assert):
2219         (makeError):
2220         (storeToStack):
2221         (storeToStackAlreadyMaterialized):
2222
2223 2017-12-05  JF Bastien  <jfbastien@apple.com>
2224
2225         WebAssembly: don't eagerly checksum
2226         https://bugs.webkit.org/show_bug.cgi?id=180441
2227         <rdar://problem/35156628>
2228
2229         Reviewed by Saam Barati.
2230
2231         Checksum is now disabled, so tests only have <?> as the module
2232         name.
2233
2234         * wasm/function-tests/nameSection.js:
2235         * wasm/function-tests/stack-overflow.js:
2236         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2237         (assertOverflows.assertThrows):
2238         (assertOverflows):
2239         * wasm/function-tests/stack-trace.js:
2240
2241 2017-12-04  JF Bastien  <jfbastien@apple.com>
2242
2243         Proxy all functions, except the $ objects
2244         https://bugs.webkit.org/show_bug.cgi?id=180375
2245
2246         Reviewed by Saam Barati.
2247
2248         It looks like this test may have broken some executions because I
2249         call some internal objects. Explicitly ignore objects whose name
2250         starts with "$" because it's a bad idea anyways.
2251
2252         * stress/proxy-all-the-parameters.js:
2253         (generateObjects):
2254         (get throw):
2255
2256 2017-12-04  Saam Barati  <sbarati@apple.com>
2257
2258         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2259         https://bugs.webkit.org/show_bug.cgi?id=180366
2260         <rdar://problem/35685877>
2261
2262         Reviewed by Michael Saboff.
2263
2264         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2265         (theParent):
2266         (test1.base.getParentStaticValue):
2267         (test1.base):
2268         (test1.__v_24888.prototype.set prop):
2269         (test1.__v_24888):
2270         (test2.base.getParentStaticValue):
2271         (test2.base):
2272         (test2.__v_24888.prototype.set prop):
2273         (test2.__v_24888):
2274         (test2):
2275
2276 2017-12-01  JF Bastien  <jfbastien@apple.com>
2277
2278         Try proxying all function arguments
2279         https://bugs.webkit.org/show_bug.cgi?id=180306
2280
2281         Reviewed by Saam Barati.
2282
2283         * stress/proxy-all-the-parameters.js: Added.
2284         (isPropertyOfType):
2285         (getProperties):
2286         (generateObjects):
2287         (getObjects):
2288         (getFunctions):
2289         (get throw):
2290         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2291
2292 2017-12-01  JF Bastien  <jfbastien@apple.com>
2293
2294         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2295         https://bugs.webkit.org/show_bug.cgi?id=180297
2296         <rdar://problem/35745556>
2297
2298         Reviewed by Mark Lam.
2299
2300         * stress/math-exceptions.js: Added.
2301         (get try):
2302         (catch):
2303
2304 2017-12-01  JF Bastien  <jfbastien@apple.com>
2305
2306         JavaScriptCore: add test for weird class static getters
2307         https://bugs.webkit.org/show_bug.cgi?id=180281
2308         <rdar://problem/35592139>
2309
2310         Reviewed by Mark Lam.
2311
2312         I fixed a bug for it in r224927 and didn't add a test. Do so.
2313
2314         * stress/class-static-get-weird.js: Added.
2315         (c.prototype.get name):
2316         (c):
2317         (c.prototype.get arguments):
2318         (c.prototype.get caller):
2319         (c.prototype.get length):
2320
2321 2017-12-01  Saam Barati  <sbarati@apple.com>
2322
2323         Having a bad time needs to handle ArrayClass indexing type as well
2324         https://bugs.webkit.org/show_bug.cgi?id=180274
2325         <rdar://problem/35667869>
2326
2327         Reviewed by Keith Miller and Mark Lam.
2328
2329         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2330         (assert):
2331         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2332         (assert):
2333
2334 2017-12-01  JF Bastien  <jfbastien@apple.com>
2335
2336         WebAssembly: restore cached stack limit after out-call
2337         https://bugs.webkit.org/show_bug.cgi?id=179106
2338         <rdar://problem/35337525>
2339
2340         Reviewed by Saam Barati.
2341
2342         * wasm/function-tests/double-instance.js: Added.
2343         (const.imp.boom):
2344         (const.imp.get callAnother):
2345
2346 2017-11-30  JF Bastien  <jfbastien@apple.com>
2347
2348         WebAssembly: improve stack trace
2349         https://bugs.webkit.org/show_bug.cgi?id=179343
2350
2351         Reviewed by Saam Barati.
2352
2353         Update the tests to follow the new format. Notably, SHA1 module
2354         hash is now included in traces, and stubs are properly identified.
2355
2356         * wasm/assert.js: Add an assertion which matches regular expressions.
2357         * wasm/function-tests/nameSection.js:
2358         * wasm/function-tests/stack-overflow.js:
2359         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2360         (assertOverflows.assertThrows.wasm.1):
2361         (assertOverflows.assertThrows.wasm.0):
2362         (assertOverflows.assertThrows):
2363         (assertOverflows):
2364         * wasm/function-tests/stack-trace.js:
2365         (import.Builder.from.string_appeared_here.assert): Deleted.
2366         * wasm/function-tests/trap-after-cross-instance-call.js:
2367         (wasmFrameCountFromError):
2368         * wasm/function-tests/trap-load-2.js:
2369         (wasmFrameCountFromError):
2370         * wasm/function-tests/trap-load.js:
2371         (wasmFrameCountFromError):
2372
2373 2017-11-30  Mark Lam  <mark.lam@apple.com>
2374
2375         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2376         https://bugs.webkit.org/show_bug.cgi?id=180219
2377         <rdar://problem/35696536>
2378
2379         Reviewed by Filip Pizlo.
2380
2381         * stress/regress-180219.js: Added.
2382
2383 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2384
2385         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2386         https://bugs.webkit.org/show_bug.cgi?id=180190
2387
2388         Reviewed by Mark Lam.
2389
2390         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2391         (shouldBe):
2392         (test1):
2393         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2394         (shouldBe):
2395         (test1):
2396         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2397         (shouldBe):
2398         (test1):
2399         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2400         (shouldBe):
2401         (test1):
2402         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2403         (shouldBe):
2404         (test1):
2405         * stress/operation-in-may-have-negative-int32.js: Added.
2406         (shouldBe):
2407         (test2):
2408         * stress/operation-in-negative-int32-cast.js: Added.
2409         (shouldBe):
2410         (test1):
2411
2412 2017-11-28  JF Bastien  <jfbastien@apple.com>
2413
2414         Strict and sloppy functions shouldn't share structure
2415         https://bugs.webkit.org/show_bug.cgi?id=180103
2416         <rdar://problem/35667847>
2417
2418         Reviewed by Saam Barati.
2419
2420         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2421         because the IC was wrong.
2422         (foo):
2423         (bar):
2424         (baz):
2425         (catch):
2426         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2427         in this patch, but may as well test odd strict mode corner cases.
2428         (bar):
2429         (baz):
2430         (catch):
2431         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2432         (foo):
2433         (bar):
2434         (baz):
2435         (catch):
2436         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2437         next file, but with invalidation of the FunctionExecutable's
2438         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2439         slower path.
2440         (foo):
2441         (bar.const.x):
2442         (bar.const.y):
2443         (bar):
2444         (catch):
2445         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2446         strict nesting works correctly.
2447         (foo):
2448         (bar.baz):
2449         (bar):
2450         * stress/strict-function-structure.js: Added. The test used to
2451         assert in objectProtoFuncHasOwnProperty.
2452         (foo):
2453         (bar):
2454         (baz):
2455         * stress/strict-nested-function-structure.js: Added. Nesting.
2456         (foo):
2457         (bar):
2458         (baz.boo):
2459         (baz):
2460
2461 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2462
2463         The recursive tail call optimisation is wrong on closures
2464         https://bugs.webkit.org/show_bug.cgi?id=179835
2465
2466         Reviewed by Saam Barati.
2467
2468         * stress/closure-recursive-tail-call.js: Added.
2469         (makeClosure):
2470
2471 2017-11-27  JF Bastien  <jfbastien@apple.com>
2472
2473         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2474         https://bugs.webkit.org/show_bug.cgi?id=180051
2475         <rdar://problem/35614371>
2476
2477         Reviewed by Saam Barati.
2478
2479         * stress/rest-parameter-negative.js: Added.
2480         (__f_5484):
2481         (catch):
2482         (__f_5485):
2483         (__v_22598.catch):
2484
2485 2017-11-27  Saam Barati  <sbarati@apple.com>
2486
2487         Spread can escape when CreateRest does not
2488         https://bugs.webkit.org/show_bug.cgi?id=180057
2489         <rdar://problem/35676119>
2490
2491         Reviewed by JF Bastien.
2492
2493         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2494         (assert):
2495         (getProperties):
2496         (theFunc):
2497         (let.obj.valueOf):
2498
2499 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2500
2501         [DFG] Add NormalizeMapKey DFG IR
2502         https://bugs.webkit.org/show_bug.cgi?id=179912
2503
2504         Reviewed by Saam Barati.
2505
2506         * stress/map-untyped-normalize-cse.js: Added.
2507         (shouldBe):
2508         (test):
2509         * stress/map-untyped-normalize.js: Added.
2510         (shouldBe):
2511         (test):
2512         * stress/set-untyped-normalize-cse.js: Added.
2513         (shouldBe):
2514         (set return.set has.set has):
2515         * stress/set-untyped-normalize.js: Added.
2516         (shouldBe):
2517         (set return.set has):
2518
2519 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2520
2521         [FTL] Support DeleteById and DeleteByVal
2522         https://bugs.webkit.org/show_bug.cgi?id=180022
2523
2524         Reviewed by Saam Barati.
2525
2526         * stress/delete-by-id.js: Added.
2527         (shouldBe):
2528         (test1):
2529         (test2):
2530         * stress/delete-by-val-ftl.js: Added.
2531         (shouldBe):
2532         (test1):
2533         (test2):
2534
2535 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [DFG] Introduce {Set,Map,WeakMap}Fields
2538         https://bugs.webkit.org/show_bug.cgi?id=179925
2539
2540         Reviewed by Saam Barati.
2541
2542         * stress/map-set-clobber-map-get.js: Added.
2543         (shouldBe):
2544         (test):
2545         * stress/map-set-does-not-clobber-set-has.js: Added.
2546         (shouldBe):
2547         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2548         (shouldBe):
2549         (test):
2550         * stress/set-add-clobber-set-has.js: Added.
2551         (shouldBe):
2552         * stress/set-add-does-not-clobber-map-get.js: Added.
2553         (shouldBe):
2554
2555 2017-11-24  Mark Lam  <mark.lam@apple.com>
2556
2557         Move unsafe jsc shell test functions to the $vm object.
2558         https://bugs.webkit.org/show_bug.cgi?id=179980
2559
2560         Reviewed by Yusuke Suzuki.
2561
2562         * controlFlowProfiler/driver/driver.js:
2563         * controlFlowProfiler/execution-count.js:
2564         * controlFlowProfiler/if-statement.js:
2565         * controlFlowProfiler/loop-statements.js:
2566         * controlFlowProfiler/switch-statements.js:
2567         * controlFlowProfiler/test-jit.js:
2568         * exceptionFuzz/3d-cube.js:
2569         * exceptionFuzz/date-format-xparb.js:
2570         * exceptionFuzz/earley-boyer.js:
2571         * heapProfiler/basic-edges.js:
2572         * heapProfiler/property-edge-types.js:
2573         * microbenchmarks/try-get-by-id-basic.js:
2574         * microbenchmarks/try-get-by-id-polymorphic.js:
2575         * modules/namespace-object-try-get.js:
2576         * stress/argument-count-bytecode.js:
2577         * stress/argument-intrinsic-basic.js:
2578         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2579         * stress/argument-intrinsic-inlining-with-result-escape.js:
2580         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2581         * stress/argument-intrinsic-inlining-with-vararg.js:
2582         * stress/argument-intrinsic-nested-inlining.js:
2583         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2584         * stress/argument-intrinsic-with-stack-write.js:
2585         * stress/arity-mismatch-get-argument.js:
2586         * stress/array-message-passing.js:
2587         * stress/array-push-with-force-exit.js:
2588         * stress/check-dom-with-signature.js:
2589         * stress/check-sub-class.js:
2590         * stress/compare-eq-incomplete-profile.js:
2591         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2592         * stress/do-eval-virtual-call-correctly.js:
2593         * stress/dom-jit-with-poly-proto.js:
2594         * stress/domjit-exception-ic.js:
2595         * stress/domjit-exception.js:
2596         * stress/domjit-getter-complex-with-incorrect-object.js:
2597         * stress/domjit-getter-complex.js:
2598         * stress/domjit-getter-poly.js:
2599         * stress/domjit-getter-proto.js:
2600         * stress/domjit-getter-super-poly.js:
2601         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2602         * stress/domjit-getter-type-check.js:
2603         * stress/domjit-getter.js:
2604         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2605         * stress/for-in-proxy-target-changed-structure.js:
2606         * stress/for-in-proxy.js:
2607         * stress/generational-opaque-roots.js:
2608         * stress/global-const-redeclaration-setting-2.js:
2609         * stress/global-const-redeclaration-setting-3.js:
2610         * stress/global-const-redeclaration-setting-4.js:
2611         * stress/global-const-redeclaration-setting-5.js:
2612         * stress/global-const-redeclaration-setting.js:
2613         * stress/import-basic.js:
2614         * stress/import-from-eval.js:
2615         * stress/import-reject-with-exception.js:
2616         * stress/import-syntax.js:
2617         * stress/impure-get-own-property-slot-inline-cache.js:
2618         * stress/is-constructor.js:
2619         * stress/istypedarrayview-intrinsic.js:
2620         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2621         * stress/jsc-test-functions-should-be-more-robust.js:
2622         * stress/object-toString-with-proxy.js:
2623         * stress/poly-proto-custom-value-and-accessor.js:
2624         * stress/proxy-inline-cache.js:
2625         * stress/re-execute-error-module.js:
2626         * stress/regress-150532.js:
2627         * stress/regress-156992.js:
2628         * stress/regress-179619.js:
2629         * stress/resources/shadow-chicken-support.js:
2630         * stress/runtime-array.js:
2631         * stress/sampling-profiler-microtasks.js:
2632         * stress/shadow-chicken-enabled.js:
2633         * stress/spread-correct-global-object-on-exception.js:
2634         * stress/super-get-by-id.js:
2635         * stress/tailCallForwardArguments.js:
2636         * stress/to-object-intrinsic-boolean-edge.js:
2637         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2638         * stress/to-object-intrinsic-number-edge.js:
2639         * stress/to-object-intrinsic-object-edge.js:
2640         * stress/to-object-intrinsic-string-edge.js:
2641         * stress/to-object-intrinsic-symbol-edge.js:
2642         * stress/to-object-intrinsic.js:
2643         * stress/try-catch-custom-getter-as-get-by-id.js:
2644         * stress/try-get-by-id-poly-proto.js:
2645         * stress/try-get-by-id-should-spill-registers-dfg.js:
2646         * stress/try-get-by-id.js:
2647         * typeProfiler/arrow-functions.js:
2648         * typeProfiler/basic.js:
2649         * typeProfiler/captured.js:
2650         * typeProfiler/classes.js:
2651         * typeProfiler/dfg-jit-optimizations.js:
2652         * typeProfiler/dictionary-mode.js:
2653         * typeProfiler/es6-block-scoping.js:
2654         * typeProfiler/es6-classes.js:
2655         * typeProfiler/inheritance.js:
2656         * typeProfiler/int52-dfg.js:
2657         * typeProfiler/loop.js:
2658         * typeProfiler/optional-fields.js:
2659         * typeProfiler/overflow.js:
2660         * typeProfiler/return.js:
2661         * typeProfiler/symbol.js:
2662         * typeProfiler/weird-prototype-chain.js:
2663
2664 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2665
2666         [DFG][FTL] Support MapSet / SetAdd intrinsics
2667         https://bugs.webkit.org/show_bug.cgi?id=179858
2668
2669         Reviewed by Saam Barati.
2670
2671         * microbenchmarks/map-has-and-set.js: Added.
2672         (test):
2673         * stress/map-set-check-failure.js: Added.
2674         (shouldBe):
2675         (shouldThrow):
2676         (target):
2677         * stress/map-set-cse.js: Added.
2678         (shouldBe):
2679         (test):
2680         * stress/set-add-check-failure.js: Added.
2681         (shouldBe):
2682         (shouldThrow):
2683         (set shouldThrow):
2684         * stress/set-add-cse.js: Added.
2685         (shouldBe):
2686
2687 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2688
2689         [JSC] Allow poly proto for intrinsic getters
2690         https://bugs.webkit.org/show_bug.cgi?id=179550
2691
2692         Reviewed by Saam Barati.
2693
2694         This change is also tested by existing tests.
2695
2696             1. stress/intrinsic-getter-with-poly-proto.js
2697             2. stress/poly-proto-intrinsic-getter-correctness.js
2698
2699         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2700         (shouldBe):
2701         (makePolyProtoObject.foo.C):
2702         (makePolyProtoObject.foo):
2703         (makePolyProtoObject):
2704         (target):
2705         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2706         (shouldBe):
2707         (makePolyProtoObject.foo.C):
2708         (makePolyProtoObject.foo):
2709         (makePolyProtoObject):
2710         (target):
2711
2712 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2713
2714         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2715         https://bugs.webkit.org/show_bug.cgi?id=179744
2716
2717         Reviewed by Michael Catanzaro.
2718
2719         This test uses too much memory for our buildbots on these platforms
2720         and gets OOM-killed.
2721
2722         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2723         Skip if $memoryLimited and linux.
2724
2725 2017-11-17  JF Bastien  <jfbastien@apple.com>
2726
2727         WebAssembly JS API: throw when a promise can't be created
2728         https://bugs.webkit.org/show_bug.cgi?id=179826
2729         <rdar://problem/35455813>
2730
2731         Reviewed by Mark Lam.
2732
2733         Test WebAssembly.{compile,instantiate} where promise creation
2734         fails because of a stack overflow.
2735
2736         * wasm/js-api/promise-stack-overflow.js: Added.
2737         (const.runNearStackLimit.f.const.t):
2738         (async.testCompile):
2739         (async.testInstantiate):
2740
2741 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2742
2743         Unreviewed, mark regress-178385.js as memory exhausting
2744
2745         * stress/regress-178385.js:
2746
2747 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2748
2749         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2750
2751         Unreviewed test gardening.
2752
2753         * test262.yaml:
2754
2755 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2756
2757         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2758         https://bugs.webkit.org/show_bug.cgi?id=179763
2759         <rdar://problem/35550513>
2760
2761         Reviewed by Keith Miller.
2762
2763         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2764
2765         * stress/tdz-this-in-try-catch.js: Added.
2766         (__v_6388):
2767         (__v_6392):
2768
2769 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2770
2771         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2772         https://bugs.webkit.org/show_bug.cgi?id=179594
2773
2774         Reviewed by Saam Barati.
2775
2776         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2777         (shouldBe):
2778         (args):
2779         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2780         (shouldBe):
2781         (args):
2782
2783 2017-11-14  Saam Barati  <sbarati@apple.com>
2784
2785         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2786         https://bugs.webkit.org/show_bug.cgi?id=179639
2787         <rdar://problem/35513018>
2788
2789         Reviewed by JF Bastien.
2790
2791         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2792         (escape):
2793         (i.func):
2794
2795 2017-11-13  Mark Lam  <mark.lam@apple.com>
2796
2797         Add more overflow check book-keeping for MarkedArgumentBuffer.
2798         https://bugs.webkit.org/show_bug.cgi?id=179634
2799         <rdar://problem/35492517>
2800
2801         Reviewed by Saam Barati.
2802
2803         * stress/regress-179634.js: Added.
2804
2805 2017-11-13  Mark Lam  <mark.lam@apple.com>
2806
2807         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2808         https://bugs.webkit.org/show_bug.cgi?id=179619
2809         <rdar://problem/35492518>
2810
2811         Reviewed by Saam Barati.
2812
2813         * stress/regress-179619.js: Added.
2814
2815 2017-11-12  Mark Lam  <mark.lam@apple.com>
2816
2817         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2818         https://bugs.webkit.org/show_bug.cgi?id=179562
2819         <rdar://problem/35467022>
2820
2821         Reviewed by Saam Barati.
2822
2823         * regress-179562.js: Added.
2824
2825 2017-11-08  Saam Barati  <sbarati@apple.com>
2826
2827         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2828         https://bugs.webkit.org/show_bug.cgi?id=177792
2829
2830         Reviewed by Yusuke Suzuki.
2831
2832         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2833         (assert):
2834         (foo.Foo.prototype.ensureX):
2835         (foo.Foo):
2836         (foo):
2837         (access):
2838
2839 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2840
2841         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2842         https://bugs.webkit.org/show_bug.cgi?id=178592
2843
2844         Unreviewed test gardening.
2845
2846         * test262.yaml:
2847
2848 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2849
2850         Turn recursive tail calls into loops
2851         https://bugs.webkit.org/show_bug.cgi?id=176601
2852
2853         Reviewed by Saam Barati.
2854
2855         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2856
2857         Add some simple test that computes factorial in several ways, and other trivial computations.
2858         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2859         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2860         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2861         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2862
2863         * stress/inline-call-to-recursive-tail-call.js: Added.
2864         (factorial.aux):
2865         (factorial):
2866         (factorial2.aux2):
2867         (factorial2.id):
2868         (factorial2):
2869         (factorial3.aux3):
2870         (factorial3):
2871         (aux4):
2872         (factorial4):
2873         (foo):
2874         (auxBar):
2875         (bar):
2876         (test):
2877
2878 2017-11-07  Mark Lam  <mark.lam@apple.com>
2879
2880         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2881         https://bugs.webkit.org/show_bug.cgi?id=179355
2882         <rdar://problem/35263053>
2883
2884         Reviewed by Saam Barati.
2885
2886         * stress/regress-179355.js: Added.
2887
2888 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2889
2890         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2891         https://bugs.webkit.org/show_bug.cgi?id=144458
2892
2893         Reviewed by Saam Barati.
2894
2895         * microbenchmarks/dfg-internal-function-call.js: Added.
2896         (target):
2897         * microbenchmarks/dfg-internal-function-construct.js: Added.
2898         (target):
2899         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2900         (target):
2901         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2902         (target):
2903         * stress/dfg-internal-function-call.js: Added.
2904         (shouldBe):
2905         (target):
2906         * stress/dfg-internal-function-construct.js: Added.
2907         (shouldBe):
2908         (target):
2909         * stress/internal-function-call.js: Added.
2910         (shouldBe):
2911         * stress/internal-function-construct.js: Added.
2912         (shouldBe):
2913
2914 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2915
2916         [Win] Skip stress/regress-178385.js.
2917         https://bugs.webkit.org/show_bug.cgi?id=179298
2918
2919         Unreviewed test gardening.
2920
2921         * stress/regress-178385.js:
2922
2923 2017-11-03  Keith Miller  <keith_miller@apple.com>
2924
2925         Add test for ic with side effects
2926         https://bugs.webkit.org/show_bug.cgi?id=179268
2927
2928         Reviewed by Saam Barati.
2929
2930         * stress/put-inline-cache-side-effects.js: Added.
2931         (let.i.of.objs.keys):
2932         (f):
2933
2934 2017-11-03  Mark Lam  <mark.lam@apple.com>
2935
2936         CachedCall (and its clients) needs overflow checks.
2937         https://bugs.webkit.org/show_bug.cgi?id=179185
2938
2939         Reviewed by JF Bastien.
2940
2941         * stress/regress-179185.js: Added.
2942
2943 2017-11-02  Michael Saboff  <msaboff@apple.com>
2944
2945         DFG needs to handle code motion of code in for..in loop bodies
2946         https://bugs.webkit.org/show_bug.cgi?id=179212
2947
2948         Reviewed by Keith Miller.
2949
2950         New regression test.
2951
2952         * stress/for-in-side-effects.js: Added.
2953         (getPrototypeOf):
2954         (reset):
2955         (testWithoutFTL.f):
2956         (testWithoutFTL):
2957         (testWithFTL.f):
2958         (testWithFTL):
2959
2960 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2961
2962         AI does not correctly model the clobber case of ArithClz32
2963         https://bugs.webkit.org/show_bug.cgi?id=179188
2964
2965         Reviewed by Michael Saboff.
2966
2967         * stress/arith-clz32-effects.js: Added.
2968         (foo):
2969         (valueOf):
2970
2971 2017-11-01  Michael Saboff  <msaboff@apple.com>
2972
2973         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2974         https://bugs.webkit.org/show_bug.cgi?id=179140
2975
2976         Reviewed by Saam Barati.
2977
2978         New regression test.
2979
2980         * stress/regress-179140.js: Added.
2981         (testWithoutFTL):
2982         (testWithFTL):
2983
2984 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2985
2986         [JSC] Introduce @toObject
2987         https://bugs.webkit.org/show_bug.cgi?id=178726
2988
2989         Reviewed by Saam Barati.
2990
2991         * stress/array-copywithin.js:
2992         (shouldThrow):
2993         * stress/object-constructor-boolean-edge.js: Added.
2994         (shouldBe):
2995         (test):
2996         * stress/object-constructor-global.js: Added.
2997         (shouldBe):
2998         * stress/object-constructor-null-edge.js: Added.
2999         (shouldBe):
3000         (test):
3001         * stress/object-constructor-number-edge.js: Added.
3002         (shouldBe):
3003         (test):
3004         * stress/object-constructor-object-edge.js: Added.
3005         (shouldBe):
3006         (test):
3007         (i.arg):
3008         * stress/object-constructor-string-edge.js: Added.
3009         (shouldBe):
3010         (test):
3011         * stress/object-constructor-symbol-edge.js: Added.
3012         (shouldBe):
3013         (test):
3014         * stress/object-constructor-undefined-edge.js: Added.
3015         (shouldBe):
3016         (test):
3017         * stress/symbol-array-from.js: Added.
3018         (shouldBe):
3019         * stress/to-object-intrinsic-boolean-edge.js: Added.
3020         (shouldBe):
3021         (builtin.createBuiltin):
3022         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3023         (shouldThrow):
3024         * stress/to-object-intrinsic-number-edge.js: Added.
3025         (shouldBe):
3026         (builtin.createBuiltin):
3027         * stress/to-object-intrinsic-object-edge.js: Added.
3028         (shouldBe):
3029         (builtin.createBuiltin):
3030         (i.arg):
3031         * stress/to-object-intrinsic-string-edge.js: Added.
3032         (shouldBe):
3033         (builtin.createBuiltin):
3034         * stress/to-object-intrinsic-symbol-edge.js: Added.
3035         (shouldBe):
3036         (builtin.createBuiltin):
3037         * stress/to-object-intrinsic.js: Added.
3038         (shouldBe):
3039         (shouldThrow):
3040         (builtin.createBuiltin):
3041
3042 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3043
3044         [DFG][FTL] Introduce StringSlice
3045         https://bugs.webkit.org/show_bug.cgi?id=178934
3046
3047         Reviewed by Saam Barati.
3048
3049         * microbenchmarks/string-slice-empty.js: Added.
3050         (slice):
3051         * microbenchmarks/string-slice-one-char.js: Added.
3052         (slice):
3053         * microbenchmarks/string-slice.js: Added.
3054         (slice):
3055
3056 2017-10-26  Michael Saboff  <msaboff@apple.com>
3057
3058         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3059         https://bugs.webkit.org/show_bug.cgi?id=178890
3060
3061         Reviewed by Keith Miller.
3062
3063         New regression test.
3064
3065         * stress/regress-178890.js: Added.
3066
3067 2017-10-26  Mark Lam  <mark.lam@apple.com>
3068
3069         JSRopeString::RopeBuilder::append() should check for overflows.
3070         https://bugs.webkit.org/show_bug.cgi?id=178385
3071         <rdar://problem/35027468>
3072
3073         Reviewed by Saam Barati.
3074
3075         * stress/regress-178385.js: Added.
3076
3077 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3078
3079         Unreviewed, rolling out r223961.
3080
3081         The change that required this has been rolled out.
3082
3083         Reverted changeset:
3084
3085         "Mark test262.yaml/test262/test/language/statements/try/tco-
3086         catch.js as passing."
3087         https://bugs.webkit.org/show_bug.cgi?id=178592
3088         https://trac.webkit.org/changeset/223961
3089
3090 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3091
3092         Unreviewed, rolling out r223691 and r223729.
3093         https://bugs.webkit.org/show_bug.cgi?id=178834
3094
3095         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3096         by rniwa on #webkit).
3097
3098         Reverted changesets:
3099
3100         "Turn recursive tail calls into loops"
3101         https://bugs.webkit.org/show_bug.cgi?id=176601
3102         https://trac.webkit.org/changeset/223691
3103
3104         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3105         comparison is always false due to limited range of data type
3106         [-Wtype-limits]"
3107         https://bugs.webkit.org/show_bug.cgi?id=178543
3108         https://trac.webkit.org/changeset/223729
3109
3110 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3111
3112         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3113         https://bugs.webkit.org/show_bug.cgi?id=178592
3114
3115         Unreviewed test gardening.
3116
3117         * test262.yaml:
3118
3119 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3120
3121         [FTL] Support NewStringObject
3122         https://bugs.webkit.org/show_bug.cgi?id=178737
3123
3124         Reviewed by Saam Barati.
3125
3126         * stress/new-string-object.js: Added.
3127         (shouldBe):
3128         (test):
3129
3130 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3131
3132         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3133         https://bugs.webkit.org/show_bug.cgi?id=178308
3134
3135         Reviewed by Mark Lam.
3136
3137         * test262.yaml:
3138
3139 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3140
3141         [JSC] Use fastJoin in Array#toString
3142         https://bugs.webkit.org/show_bug.cgi?id=178062
3143
3144         Reviewed by Darin Adler.
3145
3146         * microbenchmarks/contiguous-array-to-string.js: Added.
3147         (target):
3148         * microbenchmarks/double-array-to-string.js: Added.
3149         (target):
3150         * microbenchmarks/int32-array-to-string.js: Added.
3151         (target):
3152
3153 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3154
3155         stress/check-string-ident.js is improperly skipped
3156         https://bugs.webkit.org/show_bug.cgi?id=178642
3157
3158         Reviewed by Saam Barati.
3159
3160         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3161         since it enforces the run-jsc-stress-tests script to still set up the
3162         test to run, despite the skip directive that's used before.
3163
3164 2017-10-20  Mark Lam  <mark.lam@apple.com>
3165
3166         Add a test case for r214334.
3167         https://bugs.webkit.org/show_bug.cgi?id=169941
3168         <rdar://problem/31221258>
3169
3170         Reviewed by JF Bastien.
3171
3172         * stress/regress-169941.js: Added.
3173
3174 2017-10-19  JF Bastien  <jfbastien@apple.com>
3175
3176         WebAssembly: no VM / JS version of everything but Instance
3177         https://bugs.webkit.org/show_bug.cgi?id=177473
3178
3179         Reviewed by Filip Pizlo, Saam Barati.
3180
3181         - Exceeding max on memory growth now returns a range error as per
3182         spec. This is a (very minor) breaking change: it used to throw OOM
3183         error. Update the corresponding test.
3184
3185         * wasm/js-api/memory-grow.js:
3186         (assertEq):
3187         * wasm/js-api/table.js:
3188         (assert.throws):
3189
3190 2017-10-19  Mark Lam  <mark.lam@apple.com>
3191
3192         Stringifier::appendStringifiedValue() is missing an exception check.
3193         https://bugs.webkit.org/show_bug.cgi?id=178386
3194         <rdar://problem/35027610>
3195
3196         Reviewed by Saam Barati.
3197
3198         * stress/regress-178386.js: Added.
3199
3200 2017-10-19  Michael Saboff  <msaboff@apple.com>
3201
3202         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3203         https://bugs.webkit.org/show_bug.cgi?id=178521
3204
3205         Reviewed by JF Bastien.
3206
3207         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3208         now passes with the current version (5.0) of the Emoji spec.
3209
3210 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3211
3212         Turn recursive tail calls into loops
3213         https://bugs.webkit.org/show_bug.cgi?id=176601
3214
3215         Reviewed by Saam Barati.
3216
3217         Add some simple test that computes factorial in several ways, and other trivial computations.
3218         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3219         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3220         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3221         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3222
3223         * stress/inline-call-to-recursive-tail-call.js: Added.
3224         (factorial.aux):
3225         (factorial):
3226         (factorial2.aux):
3227         (factorial2.id):
3228         (factorial2):
3229         (factorial3.aux):
3230         (factorial3):
3231         (aux):
3232         (factorial4):
3233         (test):
3234
3235 2017-10-18  Mark Lam  <mark.lam@apple.com>
3236
3237         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3238         https://bugs.webkit.org/show_bug.cgi?id=177600
3239         <rdar://problem/34710985>
3240
3241         Reviewed by Saam Barati.
3242
3243         * stress/regress-177600.js: Added.
3244
3245 2017-10-18  Mark Lam  <mark.lam@apple.com>
3246
3247         The compiler should always register a structure when it adds its transitionWatchPointSet.
3248         https://bugs.webkit.org/show_bug.cgi?id=178420
3249         <rdar://problem/34814024>
3250
3251         Reviewed by Saam Barati and Filip Pizlo.
3252
3253         * stress/regress-178420.js: Added.
3254         (new.Array.10000.map):
3255
3256 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3257
3258         [JSC] __proto__ getter should be fast
3259         https://bugs.webkit.org/show_bug.cgi?id=178067
3260
3261         Reviewed by Saam Barati.
3262
3263         * stress/dfg-object-proto-accessor.js: Added.
3264         (shouldBe):
3265         (shouldThrow):
3266         (target):
3267         * stress/dfg-object-proto-getter.js: Added.
3268         (shouldBe):
3269         (shouldThrow):
3270         (target):
3271         * stress/dfg-object-prototype-of.js: Added.
3272         (shouldBe):
3273         (shouldThrow):
3274         (target):
3275         * stress/dfg-reflect-get-prototype-of.js: Added.
3276         (shouldBe):
3277         (shouldThrow):
3278         (target):
3279         * stress/intrinsic-getter-with-poly-proto.js: Added.
3280         (shouldBe):
3281         (makePolyProtoObject.foo.C):
3282         (makePolyProtoObject.foo):
3283         (makePolyProtoObject):
3284         (target):
3285         * stress/object-get-prototype-of-filtered.js: Added.
3286         (shouldBe):
3287         (shouldThrow):
3288         (target):
3289         (i.Cocoa):
3290         * stress/object-get-prototype-of-mono-proto.js: Added.
3291         (shouldBe):
3292         (makePolyProtoObject.foo.C):
3293         (makePolyProtoObject.foo):
3294         (makePolyProtoObject):
3295         (target):
3296         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3297         (shouldBe):
3298         (makePolyProtoObject.foo.C):
3299         (makePolyProtoObject.foo):
3300         (makePolyProtoObject):
3301         (target):
3302         * stress/object-get-prototype-of-poly-proto.js: Added.
3303         (shouldBe):
3304         (makePolyProtoObject.foo.C):
3305         (makePolyProtoObject.foo):
3306         (makePolyProtoObject):
3307         (target):
3308         * stress/object-proto-getter-filtered.js: Added.
3309         (shouldBe):
3310         (shouldThrow):
3311         (target):
3312         (i.Cocoa):
3313         * stress/object-proto-getter-poly-mono-proto.js: Added.
3314         (shouldBe):
3315         (makePolyProtoObject.foo.C):
3316         (makePolyProtoObject.foo):
3317         (makePolyProtoObject):
3318         (target):
3319         * stress/object-proto-getter-poly-proto.js: Added.
3320         (shouldBe):
3321         (makePolyProtoObject.foo.C):
3322         (makePolyProtoObject.foo):
3323         (makePolyProtoObject):
3324         (target):
3325         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3326         * stress/string-proto.js: Added.
3327         (shouldBe):
3328         (target):
3329
3330 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3331
3332         Unreviewed, rolling out r223523.
3333
3334         A test for this change is failing on debug JSC bots.
3335
3336         Reverted changeset:
3337
3338         "[JSC] __proto__ getter should be fast"
3339         https://bugs.webkit.org/show_bug.cgi?id=178067
3340         https://trac.webkit.org/changeset/223523
3341
3342 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3343
3344         [JSC] __proto__ getter should be fast
3345         https://bugs.webkit.org/show_bug.cgi?id=178067
3346
3347         Reviewed by Saam Barati.
3348
3349         * stress/dfg-object-proto-accessor.js: Added.
3350         (shouldBe):
3351         (shouldThrow):
3352         (target):
3353         * stress/dfg-object-proto-getter.js: Added.
3354         (shouldBe):
3355         (shouldThrow):
3356         (target):
3357         * stress/dfg-object-prototype-of.js: Added.
3358         (shouldBe):
3359         (shouldThrow):
3360         (target):
3361         * stress/dfg-reflect-get-prototype-of.js: Added.
3362         (shouldBe):
3363         (shouldThrow):
3364         (target):
3365         * stress/object-get-prototype-of-filtered.js: Added.
3366         (shouldBe):
3367         (shouldThrow):
3368         (target):
3369         (i.Cocoa):
3370         * stress/object-get-prototype-of-mono-proto.js: Added.
3371         (shouldBe):
3372         (makePolyProtoObject.foo.C):
3373         (makePolyProtoObject.foo):
3374         (makePolyProtoObject):
3375         (target):
3376         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3377         (shouldBe):
3378         (makePolyProtoObject.foo.C):
3379         (makePolyProtoObject.foo):
3380         (makePolyProtoObject):
3381         (target):
3382         * stress/object-get-prototype-of-poly-proto.js: Added.
3383         (shouldBe):
3384         (makePolyProtoObject.foo.C):
3385         (makePolyProtoObject.foo):
3386         (makePolyProtoObject):
3387         (target):
3388         * stress/object-proto-getter-filtered.js: Added.
3389         (shouldBe):
3390         (shouldThrow):
3391         (target):
3392         (i.Cocoa):
3393         * stress/object-proto-getter-poly-mono-proto.js: Added.
3394         (shouldBe):
3395         (makePolyProtoObject.foo.C):
3396         (makePolyProtoObject.foo):
3397         (makePolyProtoObject):
3398         (target):
3399         * stress/object-proto-getter-poly-proto.js: Added.
3400         (shouldBe):
3401         (makePolyProtoObject.foo.C):
3402         (makePolyProtoObject.foo):
3403         (makePolyProtoObject):
3404         (target):
3405         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3406         * stress/string-proto.js: Added.
3407         (shouldBe):
3408         (target):
3409
3410 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3411
3412         Reland "Add Above/Below comparisons for UInt32 patterns"
3413         https://bugs.webkit.org/show_bug.cgi?id=177281
3414
3415         Reviewed by Saam Barati.
3416
3417         * stress/uint32-comparison-jump.js: Added.
3418         (shouldBe):
3419         (above):
3420         (aboveOrEqual):
3421         (below):
3422         (belowOrEqual):
3423         (notAbove):
3424         (notAboveOrEqual):
3425         (notBelow):
3426         (notBelowOrEqual):
3427         * stress/uint32-comparison.js: Added.
3428         (shouldBe):
3429         (above):
3430         (aboveOrEqual):
3431         (below):
3432         (belowOrEqual):
3433         (aboveTest):
3434         (aboveOrEqualTest):
3435         (belowTest):
3436         (belowOrEqualTest):
3437
3438 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3439
3440         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3441         https://bugs.webkit.org/show_bug.cgi?id=178210
3442
3443         Reviewed by Saam Barati.
3444
3445         * wasm/function-tests/trap-from-start-async.js:
3446         (async.StartTrapsAsync):
3447         * wasm/function-tests/trap-from-start.js:
3448         (StartTraps):
3449         * wasm/js-api/web-assembly-function.js:
3450         (assert.eq.Object.getPrototypeOf):
3451         * wasm/js-api/wrapper-function.js:
3452         (return.new.WebAssembly.Module):
3453         (assert.throws.makeInstance): Deleted.
3454         (assert.throws.Bar): Deleted.
3455         (assert.throws): Deleted.
3456
3457 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3458
3459         Enable gigacage on iOS
3460         https://bugs.webkit.org/show_bug.cgi?id=177586
3461
3462         Reviewed by JF Bastien.
3463         
3464         Add tests for when Gigacage gets runtime disabled.
3465
3466         * stress/disable-gigacage-arrays.js: Added.
3467         (foo):
3468         * stress/disable-gigacage-strings.js: Added.
3469         (foo):
3470         * stress/disable-gigacage-typed-arrays.js: Added.
3471         (foo):
3472
3473 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3474
3475         import.meta should not be assignable
3476         https://bugs.webkit.org/show_bug.cgi?id=178202
3477
3478         Reviewed by Saam Barati.
3479
3480         * modules/import-meta-assignment.js: Added.
3481         (shouldThrow):
3482         (SyntaxError.import.meta.can.shouldThrow):
3483
3484 2017-10-11  Saam Barati  <sbarati@apple.com>
3485
3486         Unreviewed. Actually skip certain type profiler tests in debug.
3487
3488         * typeProfiler.yaml:
3489         * typeProfiler/deltablue-for-of.js:
3490         * typeProfiler/getter-richards.js:
3491
3492 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3493
3494         Unreviewed, rolling out r223113 and r223121.
3495         https://bugs.webkit.org/show_bug.cgi?id=178182
3496
3497         Reintroduced 20% regression on Kraken (Requested by rniwa on
3498         #webkit).
3499
3500         Reverted changesets:
3501
3502         "Enable gigacage on iOS"
3503         https://bugs.webkit.org/show_bug.cgi?id=177586
3504         https://trac.webkit.org/changeset/223113
3505
3506         "Use one virtual allocation for all gigacages and their
3507         runways"
3508         https://bugs.webkit.org/show_bug.cgi?id=178050
3509         https://trac.webkit.org/changeset/223121
3510
3511 2017-10-11  Michael Saboff  <msaboff@apple.com>
3512
3513         Disable test262 named capture group tests with direct unicode names and with references before definitions
3514         https://bugs.webkit.org/show_bug.cgi?id=178177
3515
3516         Reviewed by Keith Miller.
3517
3518         Bugs to track fixing these test are:
3519         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3520             "Add support in named capture group identifiers for direct surrogate pairs"
3521         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3522             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3523
3524         * test262.yaml:
3525
3526 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3527
3528         Object properties are undefined in super.call() but not in this.call()
3529         https://bugs.webkit.org/show_bug.cgi?id=177230
3530
3531         Reviewed by Saam Barati.
3532
3533         * stress/super-call-function-subclass.js: Added.
3534         (assert):
3535         (A.prototype.t):
3536         (A):
3537         * stress/super-dot-call-and-apply.js: Added.
3538         (assert):
3539         (A):
3540         (A.prototype.call):
3541         (A.prototype.apply):
3542         (B.prototype.testSuper):
3543         (B):
3544         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3545         (D.prototype.testSuper):
3546         (D):
3547
3548 2017-10-10  Saam Barati  <sbarati@apple.com>
3549
3550         The prototype cache should be aware of the Executable it generates a Structure for
3551         https://bugs.webkit.org/show_bug.cgi?id=177907
3552
3553         Reviewed by Filip Pizlo.
3554
3555         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3556         (assert):
3557         (foo.C):
3558         (foo):
3559         (bar.C):
3560         (bar):
3561         (access):
3562         (makeLongChain):
3563         (accessY):
3564
3565 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3566
3567         `async` should be able to be used as an imported binding name
3568         https://bugs.webkit.org/show_bug.cgi?id=176573
3569
3570         Reviewed by Saam Barati.
3571
3572         * modules/import-default-async.js: Added.
3573         * modules/import-named-async-as.js: Added.
3574         * modules/import-named-async.js: Added.
3575         * modules/import-named-async/target.js: Added.
3576         * modules/import-namespace-async.js: Added.
3577         * test262.yaml:
3578
3579 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3580
3581         Enable gigacage on iOS
3582         https://bugs.webkit.org/show_bug.cgi?id=177586
3583
3584         Reviewed by JF Bastien.
3585         
3586         Add tests for when Gigacage gets runtime disabled.
3587
3588         * stress/disable-gigacage-arrays.js: Added.
3589         (foo):
3590         * stress/disable-gigacage-strings.js: Added.
3591         (foo):
3592         * stress/disable-gigacage-typed-arrays.js: Added.
3593         (foo):
3594
3595 2017-10-09  Michael Saboff  <msaboff@apple.com>
3596
3597         Implement RegExp Unicode property escapes
3598         https://bugs.webkit.org/show_bug.cgi?id=172069
3599
3600         Reviewed by JF Bastien.
3601
3602         Enabled Unicode Property tests.
3603
3604         * test262.yaml:
3605
3606 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3607
3608         Unreviewed, rolling out r223015 and r223025.
3609         https://bugs.webkit.org/show_bug.cgi?id=178093
3610
3611         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3612         #webkit).
3613
3614         Reverted changesets:
3615
3616         "Enable gigacage on iOS"
3617         https://bugs.webkit.org/show_bug.cgi?id=177586
3618         http://trac.webkit.org/changeset/223015
3619
3620         "Unreviewed, disable Gigacage on ARM64 Linux"
3621         https://bugs.webkit.org/show_bug.cgi?id=177586
3622         http://trac.webkit.org/changeset/223025
3623
3624 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3625
3626         Update expectations for test262 tests that pass after r223043.
3627         https://bugs.webkit.org/show_bug.cgi?id=176685
3628
3629         Unreviewed test gardening.
3630
3631         * test262.yaml:
3632
3633 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3634
3635         Unreviewed, rolling out r223022.
3636
3637         This change introduced 18 test262 failures.
3638
3639         Reverted changeset:
3640
3641         "`async` should be able to be used as an imported binding
3642         name"
3643         https://bugs.webkit.org/show_bug.cgi?id=176573
3644         http://trac.webkit.org/changeset/223022
3645
3646 2017-10-09  Saam Barati  <sbarati@apple.com>
3647
3648         3 poly-proto JSC tests timing out on debug after r222827
3649         https://bugs.webkit.org/show_bug.cgi?id=177880
3650         <rdar://problem/34817122>
3651
3652         Unreviewed.
3653
3654         I'm skipping these type profiler tests on debug since they are long running.
3655
3656         * typeProfiler/deltablue-for-of.js:
3657         * typeProfiler/getter-richards.js:
3658
3659 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3660
3661         Safari 10 /11 problem with if (!await get(something)).
3662         https://bugs.webkit.org/show_bug.cgi?id=176685
3663
3664         Reviewed by Saam Barati.
3665
3666         * stress/async-await-basic.js:
3667         (awaitEpression.async):
3668         * stress/async-await-syntax.js:
3669         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3670         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3671
3672 2017-10-08  Saam Barati  <sbarati@apple.com>
3673
3674         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3675
3676         * typeProfiler/deltablue-for-of.js:
3677         * typeProfiler/getter-richards.js:
3678
3679 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3680
3681         `async` should be able to be used as an imported binding name
3682         https://bugs.webkit.org/show_bug.cgi?id=176573
3683
3684         Reviewed by Darin Adler.
3685
3686         * modules/import-default-async.js: Added.
3687         * modules/import-named-async-as.js: Added.
3688         * modules/import-named-async.js: Added.
3689         * modules/import-named-async/target.js: Added.
3690         * modules/import-namespace-async.js: Added.
3691
3692 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3693
3694         Enable gigacage on iOS
3695         https://bugs.webkit.org/show_bug.cgi?id=177586
3696
3697         Reviewed by JF Bastien.
3698         
3699         Add tests for when Gigacage gets runtime disabled.
3700
3701         * stress/disable-gigacage-arrays.js: Added.
3702         (foo):
3703         * stress/disable-gigacage-strings.js: Added.
3704         (foo):
3705         * stress/disable-gigacage-typed-arrays.js: Added.
3706         (foo):
3707
3708 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3709
3710         Unreviewed, rolling out r222791 and r222873.
3711         https://bugs.webkit.org/show_bug.cgi?id=178031
3712
3713         Caused crashes with workers/wasm LayoutTests (Requested by
3714         ryanhaddad on #webkit).
3715
3716         Reverted changesets:
3717
3718         "WebAssembly: no VM / JS version of everything but Instance"
3719         https://bugs.webkit.org/show_bug.cgi?id=177473
3720         http://trac.webkit.org/changeset/222791
3721
3722         "WebAssembly: address no VM / JS follow-ups"
3723         https://bugs.webkit.org/show_bug.cgi?id=177887
3724         http://trac.webkit.org/changeset/222873
3725
3726 2017-10-05  Saam Barati  <sbarati@apple.com>
3727
3728         Make sure all prototypes under poly proto get added into the VM's prototype map
3729         https://bugs.webkit.org/show_bug.cgi?id=177909
3730
3731         Reviewed by Keith Miller.
3732
3733         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3734         (assert):
3735         (foo.C):
3736         (foo):
3737         (set x):
3738
3739 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3740
3741         [JSC] Introduce import.meta
3742         https://bugs.webkit.org/show_bug.cgi?id=177703
3743
3744         Reviewed by Filip Pizlo.
3745
3746         * modules/import-meta-syntax.js: Added.
3747         (shouldThrow):
3748         (shouldNotThrow):
3749         * modules/import-meta.js: Added.
3750         * modules/import-meta/cocoa.js: Added.
3751         * modules/resources/assert.js:
3752         (export.shouldNotThrow):
3753         * stress/import-syntax.js:
3754
3755 2017-10-04  Saam Barati  <sbarati@apple.com>
3756
3757         Make pertinent AccessCases watch the poly proto watchpoint
3758         https://bugs.webkit.org/show_bug.cgi?id=177765
3759
3760         Reviewed by Keith Miller.
3761
3762         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3763         (assert):
3764         (foo.C):
3765         (foo):
3766         (validate):
3767         * stress/poly-proto-clear-stub.js: Added.
3768         (assert):
3769         (foo.C):
3770         (foo):
3771
3772 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3773
3774         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3775
3776         Unreviewed test gardening.
3777
3778         * test262.yaml:
3779
3780 2017-10-04  Saam Barati  <sbarati@apple.com>
3781
3782         3 poly-proto JSC tests timing out on debug after r222827
3783         https://bugs.webkit.org/show_bug.cgi?id=177880
3784
3785         Rubber stamped by Mark Lam.
3786
3787         * microbenchmarks/poly-proto-access.js:
3788         * typeProfiler/deltablue-for-of.js:
3789         * typeProfiler/getter-richards.js:
3790
3791 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3792
3793         Unreviewed, marking tco-catch.js as a failure after test262 update
3794         https://bugs.webkit.org/show_bug.cgi?id=177859
3795
3796         * test262.yaml:
3797
3798 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3799
3800         Unreviewed, marking one async iterator test262 test failed
3801         https://bugs.webkit.org/show_bug.cgi?id=177859
3802
3803         * test262.yaml:
3804
3805 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3806
3807         [Test262] Update Test262 to Oct 4 version
3808         https://bugs.webkit.org/show_bug.cgi?id=177859
3809
3810         Reviewed by Sam Weinig.
3811
3812         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3813         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3814
3815         * test262.yaml:
3816         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3817         (checkSequence):
3818         * test262/harness/typeCoercion.js:
3819         (testCoercibleToIndexZero):
3820         (testCoercibleToIndexOne):
3821         (testCoercibleToIndexFromIndex):
3822         (testNotCoercibleToIndex.testPrimitiveValue):
3823         (testNotCoercibleToInteger):
3824         (testCoercibleToBigIntZero.testPrimitiveValue):
3825         (testCoercibleToBigIntZero):
3826         (testCoercibleToBigIntOne.testPrimitiveValue):
3827         (testCoercibleToBigIntOne):
3828         (testPrimitiveValue):
3829         (testCoercibleToBigIntFromBigInt):
3830         (testNotCoercibleToBigInt.testPrimitiveValue):
3831         (testNotCoercibleToBigInt.testStringValue):
3832         (testNotCoercibleToBigInt):
3833         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3834         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3835         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3836         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3837         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3838         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3839         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3840         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3841         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3842         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3843         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3844         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3845         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3846         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3847         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3848         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3849         (testCoercibleToBigIntZero):
3850         (testCoercibleToBigIntOne):
3851         (testNotCoercibleToBigInt):
3852         (MyError): Deleted.
3853         (valueOf): Deleted.
3854         (toString): Deleted.
3855         (Symbol.toPrimitive): Deleted.
3856         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3857         (testCoercibleToIndexZero):
3858         (testCoercibleToIndexOne):
3859         (testNotCoercibleToIndex):
3860         (MyError): Deleted.
3861         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3862         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3863         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3864         (BigInt.asIntN.valueOf): Deleted.
3865         (BigInt.asIntN.toString): Deleted.
3866         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3867         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3868         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3869         (testCoercibleToBigIntZero):
3870         (testCoercibleToBigIntOne):
3871         (testNotCoercibleToBigInt):
3872         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3873         (testCoercibleToIndexZero):
3874         (testCoercibleToIndexOne):
3875         (testNotCoercibleToIndex):
3876         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3877         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3878         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3879         (bits.valueOf):
3880         (bigint.valueOf):
3881         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3882         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3883         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3884         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3885         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3886         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3887         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3888         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3889         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3890         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3891         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3892         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3893         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3894         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3895         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3896         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3897         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3898         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3899         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3900         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3901         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3902         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3903         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3904         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3905         (replacer):
3906         (BigInt.prototype.toJSON):
3907         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3908         (replacer):
3909         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3910         (BigInt.prototype.toJSON):
3911         * test262/test/built-ins/JSON/stringify/bigint.js:
3912         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3913         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3914         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3915         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3916         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3917         * test262/test/built-ins/Object/proto-from-ctor.js:
3918         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3919         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3920         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3921         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3922         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3923         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3924         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3925         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3926         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3927         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3928         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3929         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3930         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3931         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3932         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3933         * test262/test/built-ins/Proxy/get-fn-realm.js:
3934         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3935         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3936         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3937         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3938         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3939         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3940         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3941         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3942         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3943         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3944         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3945         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3946         (i6.replace):
3947         (i6b.replace):
3948         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3949         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3950         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3951         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3952         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3953         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3954         * test262/test/built-ins/RegExp/u180e.js: Added.
3955         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3956         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3957         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3958         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3959         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3960         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3961         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3962         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3963         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3964         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3965         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3966         * test262/test/built-ins/String/prototype/endsWith/length.js:
3967         * test262/test/built-ins/String/prototype/endsWith/name.js:
3968         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3969         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3970         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3971         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3972         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3973         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3974         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3975         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3976         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3977         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3978         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3979         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3980         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3981         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3982         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3983         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3984         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3985         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3986         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3987         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3988         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3989         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3990         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3991         * test262/test/built-ins/String/prototype/includes/includes.js:
3992         * test262/test/built-ins/String/prototype/includes/length.js:
3993         * test262/test/built-ins/String/prototype/includes/name.js:
3994         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3995         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3996         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3997         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3998         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3999         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4000         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4001         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4002         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4003         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4004         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4005         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4006         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4007         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4008         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4009         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4010         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4011         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4012         * test262/test/built-ins/String/prototype/trim/u180e.js:
4013         * test262/test/built-ins/Symbol/for/cross-realm.js:
4014         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4015         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4016         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4017         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4018         * test262/test/built-ins/Symbol/match/cross-realm.js:
4019         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4020         * test262/test/built-ins/Symbol/search/cross-realm.js:
4021         * test262/test/built-ins/Symbol/species/cross-realm.js:
4022         * test262/test/built-ins/Symbol/split/cross-realm.js:
4023         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4024         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4025         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4026         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4027         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4028         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4029         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4030         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4031         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4032         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4033         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4034         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4035         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4036         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4037         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4038         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4039         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4040         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4041         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4042         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4043         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4044         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4045         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4046         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4047         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4048         * test262/test/language/eval-code/indirect/realm.js:
4049         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4050         (o.get z):
4051         (o.get a):
4052         * test262/test/language/expressions/call/eval-realm-indirect.js:
4053         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4054         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4055         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4056         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4057         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4058         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4059         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4060         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4061         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4062         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4063         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4064         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4065         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4066         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4067         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4068         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4069         * test262/test/language/expressions/less-than/bigint-and-number.js:
4070         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4071         * test262/test/language/expressions/super/realm.js:
4072         * test262/test/language/expressions/tagged-template/cache-realm.js:
4073         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
4074         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
4075         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
4076         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
4077         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
4078         * test262/test/language/literals/string/mongolian-vowel-separator.js:
4079         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
4080         (o.get z):
4081         (o.get a):
4082         * test262/test/language/statements/for-of/iterator-next-reference.js:
4083         (next):
4084         (iterator.next): Deleted.
4085         (x.of.iterable.): Deleted.
4086         (x.of.iterable.get return): Deleted.
4087         (x.of.iterable.iterator.next): Deleted.
4088         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
4089         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
4090         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
4091         * test262/test/language/white-space/mongolian-vowel-separator.js:
4092         * test262/test262-Revision.txt:
4093
4094 2017-10-03  Saam Barati  <sbarati@apple.com>
4095
4096         Implement polymorphic prototypes
4097         https://bugs.webkit.org/show_bug.cgi?id=176391
4098
4099         Reviewed by Filip Pizlo.
4100
4101         * microbenchmarks/poly-proto-access.js: Added.
4102         (assert):
4103         (foo.C):
4104         (foo.C.prototype.get bar):
4105         (foo):
4106         (bar):
4107         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
4108         (assert):
4109         (makePolyProtoObject.foo.C):
4110         (makePolyProtoObject.foo):
4111         (makePolyProtoObject):
4112         (performSet):
4113         * microbenchmarks/poly-proto-setter-speed.js: Added.
4114         (assert):
4115         (makePolyProtoObject.foo.C):
4116         (makePolyProtoObject.foo.C.prototype.set p):
4117         (makePolyProtoObject.foo):
4118         (makePolyProtoObject):
4119         (performSet):
4120         * stress/constructor-with-return.js:
4121         (i.tests.forEach.Constructor):
4122         (i.tests.forEach):
4123         (tests.forEach.Constructor): Deleted.
4124         (tests.forEach): Deleted.
4125         * stress/dom-jit-with-poly-proto.js: Added.
4126         (assert):
4127         (makePolyProtoObject.foo.C):
4128         (makePolyProtoObject.foo):
4129         (makePolyProtoObject):
4130         (validate):
4131         * stress/poly-proto-custom-value-and-accessor.js: Added.
4132         (assert):
4133         (makePolyProtoObject.foo.C):
4134         (makePolyProtoObject.foo):
4135         (makePolyProtoObject):
4136         (items.forEach):
4137         (set get for):
4138         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
4139         (assert):
4140         (makePolyProtoObject.foo.C):
4141         (makePolyProtoObject.foo):
4142         (makePolyProtoObject):
4143         (foo):
4144         * stress/poly-proto-miss.js: Added.
4145         (makePolyProtoInstanceWithNullPrototype.foo.C):
4146         (makePolyProtoInstanceWithNullPrototype.foo):
4147         (makePolyProtoInstanceWithNullPrototype):
4148         (assert):
4149         (validate):
4150         * stress/poly-proto-op-in-caching.js: Added.
4151         (assert):
4152         (makePolyProtoObject.foo.C):
4153         (makePolyProtoObject.foo):
4154         (makePolyProtoObject):
4155         (validate):
4156         (validate2):
4157         * stress/poly-proto-put-transition.js: Added.
4158         (assert):
4159         (makePolyProtoObject.foo.C):
4160         (makePolyProtoObject.foo):
4161         (makePolyProtoObject):
4162         (performSet):
4163         (i.obj.__proto__.set p):
4164         * stress/poly-proto-set-prototype.js: Added.
4165         (assert):
4166         (let.alternateProto.get x):
4167         (let.alternateProto2.get y):
4168         (let.alternateProto2.get x):
4169         (foo.C):
4170         (foo):
4171         (validate):
4172         * stress/poly-proto-setter.js: Added.
4173         (assert):
4174         (makePolyProtoObject.foo.C):
4175         (makePolyProtoObject.foo.C.prototype.set p):
4176         (makePolyProtoObject.foo.C.prototype.get p):
4177         (makePolyProtoObject.foo):
4178         (makePolyProtoObject):
4179         (performSet):
4180         * stress/poly-proto-using-inheritance.js: Added.
4181         (assert):
4182         (foo.C):
4183         (foo.C.prototype.get baz):
4184         (foo):
4185         (bar.C):
4186         (bar):
4187         (validate):
4188         * stress/primitive-poly-proto.js: Added.
4189         (makePolyProtoInstance.foo.C):
4190         (makePolyProtoInstance.foo):
4191         (makePolyProtoInstance):
4192         (assert):
4193         (validate):
4194         * stress/prototype-is-not-js-object.js: Added.
4195         (foo.bar):
4196         (foo):
4197         (assert):
4198         (validate):
4199         * stress/try-get-by-id-poly-proto.js: Added.
4200         (assert):
4201         (makePolyProtoObject.foo.C):
4202         (makePolyProtoObject.foo):
4203         (makePolyProtoObject):
4204         (tryGetByIdText):
4205         (x.__proto__.get bar):
4206         (validate):
4207         * typeProfiler/overflow.js:
4208
4209 2017-10-03  JF Bastien  <jfbastien@apple.com>
4210
4211         WebAssembly: no VM / JS version of everything but Instance
4212         https://bugs.webkit.org/show_bug.cgi?id=177473
4213
4214         Reviewed by Filip Pizlo.
4215
4216         - Exceeding max on memory growth now returns a range error as per
4217         spec. This is a (very minor) breaking change: it used to throw OOM
4218         error. Update the corresponding test.
4219
4220         * wasm/js-api/memory-grow.js:
4221         (assertEq):
4222         * wasm/js-api/table.js:
4223         (assert.throws):
4224
4225 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
4226
4227         Skip JSC test stress/regress-159779-2.js on debug.
4228         https://bugs.webkit.org/show_bug.cgi?id=177204
4229
4230         Unreviewed test gardening.
4231
4232         * stress/regress-159779-2.js:
4233
4234 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
4235
4236         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
4237         https://bugs.webkit.org/show_bug.cgi?id=175642
4238
4239         Reviewed by Darin Adler.
4240
4241         * ChakraCore/test/Function/apply3.baseline-jsc:
4242
4243 2017-10-01  Commit Queue  <commit-queue@webkit.org>
4244
4245         Unreviewed, rolling out r222564.
4246         https://bugs.webkit.org/show_bug.cgi?id=177720
4247
4248         "It regressed JetStream by 2% on iOS caused by a 50%
4249         regression on the bigfib subtest" (Requested by saamyjoon on
4250         #webkit).
4251
4252         Reverted changeset:
4253
4254         "Add Above/Below comparisons for UInt32 patterns"
4255         https://bugs.webkit.org/show_bug.cgi?id=177281
4256         http://trac.webkit.org/changeset/222564
4257
4258 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4259
4260         [DFG] Support ArrayPush with multiple args
4261         https://bugs.webkit.org/show_bug.cgi?id=175823
4262
4263         Reviewed by Saam Barati.
4264
4265         * microbenchmarks/array-push-0.js: Added.
4266         (arrayPush0):
4267         * microbenchmarks/array-push-1.js: Added.
4268         (arrayPush1):
4269         * microbenchmarks/array-push-2.js: Added.
4270         (arrayPush2):
4271         * microbenchmarks/array-push-3.js: Added.
4272         (arrayPush3):
4273         * stress/array-push-multiple-contiguous.js: Added.
4274         (shouldBe):
4275         (test):
4276         * stress/array-push-multiple-double-nan.js: Added.
4277         (shouldBe):
4278         (test):
4279         * stress/array-push-multiple-double.js: Added.
4280         (shouldBe):
4281         (test):
4282         * stress/array-push-multiple-int32.js: Added.
4283         (shouldBe):
4284         (test):
4285         * stress/array-push-multiple-many-contiguous.js: Added.
4286         (shouldBe):
4287         (test):
4288         * stress/array-push-multiple-many-double.js: Added.
4289         (shouldBe):
4290         (test):
4291         * stress/array-push-multiple-many-int32.js: Added.
4292         (shouldBe):
4293         (test):
4294         * stress/array-push-multiple-many-storage.js: Added.
4295         (shouldBe):
4296         (test):
4297         * stress/array-push-multiple-storage.js: Added.
4298         (shouldBe):
4299         (test):
4300         * stress/array-push-with-force-exit.js: Added.
4301         (target.createBuiltin):
4302
4303 2017-09-29  Saam Barati  <sbarati@apple.com>
4304
4305         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4306         https://bugs.webkit.org/show_bug.cgi?id=177639
4307
4308         Reviewed by Geoffrey Garen.
4309
4310         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
4311         (assert):
4312         (Class):
4313         (items.forEach):
4314         (set get for):
4315
4316 2017-09-29  Commit Queue  <commit-queue@webkit.org>
4317
4318         Unreviewed, rolling out r222563, r222565, and r222581.
4319         https://bugs.webkit.org/show_bug.cgi?id=177675
4320
4321         "It causes a crash when playing youtube videos" (Requested by
4322         saamyjoon on #webkit).
4323
4324         Reverted changesets:
4325
4326         "[DFG] Support ArrayPush with multiple args"
4327         https://bugs.webkit.org/show_bug.cgi?id=175823
4328         http://trac.webkit.org/changeset/222563
4329
4330         "Unreviewed, build fix after r222563"
4331         https://bugs.webkit.org/show_bug.cgi?id=175823
4332         http://trac.webkit.org/changeset/222565
4333
4334         "Unreviewed, fix x86 breaking due to exhausted registers"
4335         https://bugs.webkit.org/show_bug.cgi?id=175823
4336         http://trac.webkit.org/changeset/222581
4337
4338 2017-09-28  Mark Lam  <mark.lam@apple.com>
4339
4340         test262: Unexpected passes after r222617 and r222618.
4341         https://bugs.webkit.org/show_bug.cgi?id=177622
4342         <rdar://problem/34725960>
4343
4344         Reviewed by Saam Barati.
4345
4346         Update test262.yaml for tests that are now passing.
4347
4348         * test262.yaml:
4349
4350 2017-09-27  Michael Saboff  <msaboff@apple.com>
4351
4352         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
4353         https://bugs.webkit.org/show_bug.cgi?id=177570
4354
4355         Reviewed by Filip Pizlo.
4356
4357         New regression test.
4358
4359         * stress/regress-177570.js: Added.
4360
4361 2017-09-28  Michael Saboff  <msaboff@apple.com>
4362
4363         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4364         https://bugs.webkit.org/show_bug.cgi?id=177423
4365
4366         Reviewed by Mark Lam.
4367
4368         Updated regression test.
4369
4370         * stress/regress-177423.js:
4371         (catch):
4372
4373 2017-09-27  Mark Lam  <mark.lam@apple.com>
4374
4375         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
4376         https://bugs.webkit.org/show_bug.cgi?id=177584
4377         <rdar://problem/34463903>
4378
4379         Reviewed by Saam Barati.
4380
4381         * stress/regress-177584.js: Added.
4382         (assertEqual):
4383         (Array.prototype.Symbol.species):
4384
4385 2017-09-27  Saam Barati  <sbarati@apple.com>
4386
4387         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
4388         https://bugs.webkit.org/show_bug.cgi?id=177523
4389
4390         Reviewed by Mark Lam.
4391
4392         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
4393         (assert):
4394         (Test):
4395         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
4396         (addMethods):
4397         (i.Test.prototype.propName):
4398
4399 2017-09-27  Mark Lam  <mark.lam@apple.com>
4400
4401         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4402         https://bugs.webkit.org/show_bug.cgi?id=177423
4403         <rdar://problem/34621320>
4404
4405         Reviewed by Keith Miller.
4406
4407         * stress/regress-177423.js: Added.
4408
4409 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
4410
4411         Add Above/Below comparisons for UInt32 patterns
4412         https://bugs.webkit.org/show_bug.cgi?id=177281