Add more module scope related tests with code evaluation by string
[WebKit-https.git] / JSTests / ChangeLog
1 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         Add more module scope related tests with code evaluation by string
4         https://bugs.webkit.org/show_bug.cgi?id=181983
5
6         Reviewed by Sam Weinig.
7
8         Add more module scope related tests. When the original tests are landed,
9         we do not have browser integration. This patch adds more module scope tests
10         with dynamically created script evaluation. We add tests with Function
11         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
12
13         * modules/scopes-eval.js: Added.
14         (shouldBe):
15         * modules/scopes.js:
16         (shouldBe):
17
18 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
19
20         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
21
22         * microbenchmarks/array-push-3.js: Removed.
23         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
24         * microbenchmarks/double-to-int32.js: Removed.
25         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
26         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
27         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
28         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
29         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
30         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
31         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
32         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
33         * microbenchmarks/map-constant-key.js: Removed.
34         * microbenchmarks/nested-function-parsing.js: Removed.
35         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
36         * microbenchmarks/spread-large-array.js: Removed.
37         * microbenchmarks/string-add-constant-folding.js: Removed.
38         * microbenchmarks/to-lower-case.js: Removed.
39         * microbenchmarks/undefined-property-access.js: Removed.
40         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
41         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
42         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
43         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
44         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
45         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
46         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
47         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
48         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
49         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
50         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
51         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
52         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
53         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
54         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
55         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
56         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
57         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
58
59 2018-01-23  Robin Morisset  <rmorisset@apple.com>
60
61         Update the argument count in DFGByteCodeParser::handleRecursiveCall
62         https://bugs.webkit.org/show_bug.cgi?id=181739
63         <rdar://problem/36627662>
64
65         Reviewed by Saam Barati.
66
67         * stress/recursive-tail-call-with-different-argument-count.js: Added.
68         (foo):
69         (bar):
70
71 2018-01-22  Michael Saboff  <msaboff@apple.com>
72
73         DFG abstract interpreter needs to properly model effects of some Math ops
74         https://bugs.webkit.org/show_bug.cgi?id=181886
75
76         Reviewed by Saam Barati.
77
78         New regression test.
79
80         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
81         (test):
82
83 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
84
85         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
86         https://bugs.webkit.org/show_bug.cgi?id=181182
87
88         Reviewed by Darin Adler.
89
90         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
91         * stress/big-int-prototype-to-string-exception.js: Added.
92         * stress/big-int-prototype-to-string-wrong-values.js: Added.
93         * stress/number-prototype-to-string-cast-overflow.js: Added.
94         * stress/number-prototype-to-string-exception.js: Added.
95         * stress/number-prototype-to-string-wrong-values.js: Added.
96
97 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
98
99         Disable Atomics when SharedArrayBuffer isn’t enabled
100         https://bugs.webkit.org/show_bug.cgi?id=181572
101
102         Unreviewed test gardening.
103
104         * test262.yaml: Skip tests that fail after this change.
105
106 2018-01-19  Saam Barati  <sbarati@apple.com>
107
108         Kill ArithNegate's ArithProfile assert inside BytecodeParser
109         https://bugs.webkit.org/show_bug.cgi?id=181877
110         <rdar://problem/36630552>
111
112         Reviewed by Mark Lam.
113
114         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
115         (runNearStackLimit):
116         (f1):
117         (f2):
118         (f3):
119         (i.catch):
120         (i.try.runNearStackLimit):
121         (catch):
122
123 2018-01-19  Saam Barati  <sbarati@apple.com>
124
125         Spread's effects are modeled incorrectly both in AI and in Clobberize
126         https://bugs.webkit.org/show_bug.cgi?id=181867
127         <rdar://problem/36290415>
128
129         Reviewed by Michael Saboff.
130
131         * stress/ai-needs-to-model-spreads-effects.js: Added.
132         (try.p.Symbol.iterator):
133         (try.go):
134         (catch):
135         * stress/clobberize-needs-to-model-spread-effects.js: Added.
136         (assert):
137         (foo):
138         (a.Symbol.iterator):
139
140 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
141
142         Unreviewed, reduce count of iteration to fix timing out debug JSC test
143         https://bugs.webkit.org/show_bug.cgi?id=181535
144
145         * stress/inserted-recovery-with-set-last-index.js:
146
147 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
148
149         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
150         https://bugs.webkit.org/show_bug.cgi?id=181535
151
152         Reviewed by Saam Barati.
153
154         * stress/inserted-recovery-with-set-last-index.js: Added.
155         (shouldBe):
156         (foo):
157         * stress/materialize-regexp-at-osr-exit.js: Added.
158         (shouldBe):
159         (test):
160         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
161         (shouldBe):
162         (test):
163         * stress/materialize-regexp-cyclic-regexp.js: Added.
164         (shouldBe):
165         (test):
166         (i.switch):
167         * stress/materialize-regexp-cyclic.js: Added.
168         (shouldBe):
169         (test):
170         (i.switch):
171         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
172         (bar):
173         (foo):
174         (test):
175         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
176         (bar):
177         (foo):
178         (test):
179         * stress/materialize-regexp.js: Added.
180         (shouldBe):
181         (test):
182         * stress/phantom-regexp-regexp-exec.js: Added.
183         (shouldBe):
184         (test):
185         * stress/phantom-regexp-string-match.js: Added.
186         (shouldBe):
187         (test):
188         * stress/regexp-last-index-sinking.js: Added.
189         (shouldBe):
190         (test):
191
192 2018-01-17  Saam Barati  <sbarati@apple.com>
193
194         Disable Atomics when SharedArrayBuffer isn’t enabled
195         https://bugs.webkit.org/show_bug.cgi?id=181572
196         <rdar://problem/36553206>
197
198         Reviewed by Michael Saboff.
199
200         * stress/isLockFree.js:
201
202 2018-01-17  Saam Barati  <sbarati@apple.com>
203
204         DFG::Node::convertToConstant needs to clear the varargs flags
205         https://bugs.webkit.org/show_bug.cgi?id=181697
206         <rdar://problem/36497332>
207
208         Reviewed by Yusuke Suzuki.
209
210         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
211         (doIndexOf):
212         (bar):
213         (i.bar):
214
215 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
216
217         Unreviewed, rolling out r226937.
218
219         Tests added with this change are failing due to a missing
220         exception check.
221
222         Reverted changeset:
223
224         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
225         double to int32_t"
226         https://bugs.webkit.org/show_bug.cgi?id=181182
227         https://trac.webkit.org/changeset/226937
228
229 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
230
231         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
232         https://bugs.webkit.org/show_bug.cgi?id=181182
233
234         Reviewed by Darin Adler.
235
236         * bigIntTests.yaml:
237         * stress/big-int-constructor.js:
238         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
239         (assert):
240         (assertThrowRangeError):
241         * stress/number-prototype-to-string-cast-overflow.js: Added.
242         (assert):
243         (assertThrowRangeError):
244
245 2018-01-12  Saam Barati  <sbarati@apple.com>
246
247         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
248         https://bugs.webkit.org/show_bug.cgi?id=181177
249         <rdar://problem/36205704>
250
251         Reviewed by Yusuke Suzuki.
252
253         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
254         (runNearStackLimit.t):
255         (runNearStackLimit):
256         (test.f):
257         (test):
258
259 2018-01-12  Saam Barati  <sbarati@apple.com>
260
261         Each variant of a polymorphic inlined call should be exitOK at the top of the block
262         https://bugs.webkit.org/show_bug.cgi?id=181562
263         <rdar://problem/36445624>
264
265         Reviewed by Yusuke Suzuki.
266
267         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
268         (f):
269         (foo):
270
271 2018-01-11  Saam Barati  <sbarati@apple.com>
272
273         When inserting Unreachable in byte code parser we need to flush all the right things
274         https://bugs.webkit.org/show_bug.cgi?id=181509
275         <rdar://problem/36423110>
276
277         Reviewed by Mark Lam.
278
279         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
280
281 2018-01-11  Saam Barati  <sbarati@apple.com>
282
283         JITMathIC code in the FTL is wrong when code gets duplicated
284         https://bugs.webkit.org/show_bug.cgi?id=181525
285         <rdar://problem/36351993>
286
287         Reviewed by Michael Saboff and Keith Miller.
288
289         * stress/allow-math-ic-b3-code-duplication.js: Added.
290
291 2018-01-11  Saam Barati  <sbarati@apple.com>
292
293         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
294         https://bugs.webkit.org/show_bug.cgi?id=181508
295
296         Reviewed by Yusuke Suzuki.
297
298         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
299         (assert):
300         (test1.foo):
301         (test1):
302         (test2.foo):
303         (test2):
304
305 2018-01-09  Mark Lam  <mark.lam@apple.com>
306
307         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
308         https://bugs.webkit.org/show_bug.cgi?id=181388
309         <rdar://problem/36349351>
310
311         Reviewed by Saam Barati.
312
313         * stress/regress-181388.js: Added.
314
315 2018-01-08  JF Bastien  <jfbastien@apple.com>
316
317         WebAssembly: mask indexed accesses to Table
318         https://bugs.webkit.org/show_bug.cgi?id=181412
319         <rdar://problem/36363236>
320
321         Reviewed by Saam Barati.
322
323         Update error messages.
324
325         * wasm/js-api/table.js:
326         (assert.throws.WebAssembly.Table.prototype.grow):
327
328 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
329
330         Disable SharedArrayBuffer tests missed in r226386.
331         https://bugs.webkit.org/show_bug.cgi?id=181266
332
333         Unreviewed test gardening.
334
335         * test262.yaml:
336
337 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
338
339         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
340         https://bugs.webkit.org/show_bug.cgi?id=181321
341
342         Reviewed by Saam Barati.
343
344         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
345         (shouldBe):
346         (testFunction):
347         * test262.yaml:
348
349 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
350
351         Unreviewed, attempt to fix test262 after r226386.
352
353         * test262.yaml:
354
355 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
356
357         [DFG] Define defs for MapSet/SetAdd to participate in CSE
358         https://bugs.webkit.org/show_bug.cgi?id=179911
359
360         Reviewed by Saam Barati.
361
362         In addition to these tests, map-set-cse.js and set-add-cse.js work.
363
364         * stress/map-set-change-get.js: Added.
365         (shouldBe):
366         (test):
367         * stress/map-set-create-bucket.js: Added.
368         (shouldBe):
369         (test):
370         * stress/set-add-create-bucket.js: Added.
371         (shouldBe):
372
373 2018-01-03  Michael Saboff  <msaboff@apple.com>
374
375         Disable SharedArrayBuffers from Web API
376         https://bugs.webkit.org/show_bug.cgi?id=181266
377
378         Reviewed by Saam Barati.
379
380         Disabled SharedArrayBuffer tests.
381
382         * stress/SharedArrayBuffer-opt.js:
383         * stress/SharedArrayBuffer.js:
384         * stress/array-buffer-byte-length.js:
385         * stress/atomics-add-uint32.js:
386         * stress/atomics-known-int-use.js:
387         * stress/atomics-neg-zero.js:
388         * stress/atomics-store-return.js:
389         * stress/lars-sab-workers.js:
390         * stress/regress-159779-1.js:
391         * stress/regress-159779-2.js:
392         * stress/regress-170473.js:
393         * test262.yaml:
394
395 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
396
397         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
398         https://bugs.webkit.org/show_bug.cgi?id=181258
399
400         Reviewed by Antonio Gomes.
401
402         * stress/big-int-constructor-gc.js:
403         * stress/big-int-constructor-oom.js:
404
405 2018-01-03  Robin Morisset  <rmorisset@apple.com>
406
407         Inlining of a function that ends in op_unreachable crashes
408         https://bugs.webkit.org/show_bug.cgi?id=181027
409
410         Reviewed by Filip Pizlo.
411
412         * stress/inlining-unreachable.js: Added.
413         (bar):
414         (baz):
415         (i.catch):
416
417 2018-01-02  Saam Barati  <sbarati@apple.com>
418
419         Incorrect assertion inside AccessCase
420         https://bugs.webkit.org/show_bug.cgi?id=181200
421         <rdar://problem/35494754>
422
423         Reviewed by Yusuke Suzuki.
424
425         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
426         (ctor):
427         (theFunc):
428         (run):
429
430 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
431
432         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
433         https://bugs.webkit.org/show_bug.cgi?id=175359
434
435         Reviewed by Yusuke Suzuki.
436
437         * bigIntTests.yaml:
438         * stress/big-int-as-key.js: Added.
439         * stress/big-int-constructor-gc.js: Added.
440         * stress/big-int-constructor-oom.js: Added.
441         * stress/big-int-constructor-properties.js: Added.
442         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
443         * stress/big-int-constructor-prototype.js: Added.
444         * stress/big-int-constructor.js: Added.
445         * stress/big-int-function-apply.js:
446         * stress/big-int-length.js: Added.
447         * stress/big-int-prop-descriptor.js: Added.
448         * stress/big-int-proto-constructor.js: Added.
449         * stress/big-int-proto-name.js: Added.
450         * stress/big-int-prototype-properties.js: Added.
451         * stress/big-int-prototype-proto.js: Added.
452         * stress/big-int-prototype-value-of.js: Added.
453         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
454         * stress/big-int-prototype-to-string-apply.js: Added.
455         * stress/big-int-to-object.js: Added.
456         * stress/big-int-to-string.js: Added.
457
458 2017-12-28  Saam Barati  <sbarati@apple.com>
459
460         Assertion used to determine if something is an async generator is wrong
461         https://bugs.webkit.org/show_bug.cgi?id=181168
462         <rdar://problem/35640560>
463
464         Reviewed by Yusuke Suzuki.
465
466         * stress/async-generator-assertion.js: Added.
467
468 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
469
470         Skip stress/splay-flash-access tests on memory limited platforms
471         https://bugs.webkit.org/show_bug.cgi?id=181086
472
473         Reviewed by Carlos Alberto Lopez Perez.
474
475         These tests use about 185M of memory, and occasionally get OOM-killed
476         on memory limited platforms.
477
478         * stress/splay-flash-access-1ms.js:
479         * stress/splay-flash-access.js:
480
481 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
482
483         Skip slow jsc tests on embedded platforms
484         https://bugs.webkit.org/show_bug.cgi?id=180937
485
486         Reviewed by Carlos Alberto Lopez Perez.
487
488         The tests typeProfiler/deltablue-for-of.js and
489         typeProfiler/getter-richards.js take a very long time in the
490         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
491         thus always timeout. They should be skipped on these platforms.
492
493         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
494         * typeProfiler/getter-richards.js: Skip on arm*/mips.
495
496 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
497
498         [JSC] Do not check isValid() in op_new_regexp
499         https://bugs.webkit.org/show_bug.cgi?id=180970
500
501         Reviewed by Saam Barati.
502
503         * stress/regexp-syntax-error-invalid-flags.js: Added.
504         (shouldThrow):
505
506 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
507
508         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
509         https://bugs.webkit.org/show_bug.cgi?id=180712
510
511         Reviewed by Michael Catanzaro.
512
513         stress/call-apply-exponential-bytecode-size.js crashes if the
514         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
515         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
516         should skip the test on other platforms.
517
518         * stress/call-apply-exponential-bytecode-size.js:
519
520 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
521
522         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
523         https://bugs.webkit.org/show_bug.cgi?id=179762
524
525         Reviewed by Saam Barati.
526
527         * stress/call-varargs-double-new-array-buffer.js: Added.
528         (assert):
529         (bar):
530         (foo):
531         * stress/call-varargs-spread-new-array-buffer.js: Added.
532         (assert):
533         (bar):
534         (foo):
535         * stress/call-varargs-spread-new-array-buffer2.js: Added.
536         (assert):
537         (bar):
538         (foo):
539         * stress/forward-varargs-double-new-array-buffer.js: Added.
540         (assert):
541         (test.baz):
542         (test.bar):
543         (test.foo):
544         (test):
545         * stress/new-array-buffer-sinking-osrexit.js: Added.
546         (target):
547         (test):
548         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
549         (shouldBe):
550         (test):
551         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
552         (shouldBe):
553         (target):
554         (test):
555         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
556         (assert):
557         (test1.bar):
558         (test1.foo):
559         (test1):
560         (test2.bar):
561         (test2.foo):
562         (test3.baz):
563         (test3.bar):
564         (test3.foo):
565         (test4.baz):
566         (test4.bar):
567         (test4.foo):
568         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
569         (assert):
570         (test.baz):
571         (test.bar):
572         (test.foo):
573         (test):
574         * stress/phantom-new-array-buffer-osr-exit.js: Added.
575         (assert):
576         (baz):
577         (bar):
578         (effects):
579         (foo):
580
581 2017-12-14  Saam Barati  <sbarati@apple.com>
582
583         The CleanUp after LICM is erroneously removing a Check
584         https://bugs.webkit.org/show_bug.cgi?id=180852
585         <rdar://problem/36063494>
586
587         Reviewed by Filip Pizlo.
588
589         * stress/dont-run-cleanup-after-licm.js: Added.
590
591 2017-12-14  Michael Saboff  <msaboff@apple.com>
592
593         REGRESSION (r225695): Repro crash on yahoo login page
594         https://bugs.webkit.org/show_bug.cgi?id=180761
595
596         Reviewed by JF Bastien.
597
598         New regression test.
599
600         * stress/regress-180761.js: Added.
601
602 2017-12-13  Keith Miller  <keith_miller@apple.com>
603
604         JSObjects should have a mask for loading indexed properties
605         https://bugs.webkit.org/show_bug.cgi?id=180768
606
607         Reviewed by Mark Lam.
608
609         * stress/int16-put-by-val-in-and-out-of-bounds.js:
610         (test):
611
612 2017-12-13  Saam Barati  <sbarati@apple.com>
613
614         Arrow functions need their own structure because they have different properties than sloppy functions
615         https://bugs.webkit.org/show_bug.cgi?id=180779
616         <rdar://problem/35814591>
617
618         Reviewed by Mark Lam.
619
620         * stress/arrow-function-needs-its-own-structure.js: Added.
621         (assert):
622         (readPrototype):
623         (noInline.let.f1):
624         (noInline):
625
626 2017-12-13  Saam Barati  <sbarati@apple.com>
627
628         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
629         https://bugs.webkit.org/show_bug.cgi?id=163579
630         <rdar://problem/35455798>
631
632         Reviewed by Mark Lam.
633
634         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
635         (assert):
636         (test1):
637         (i.test1):
638         (i.test1.C):
639         (i.test1.async.foo):
640         (i.test1.foo):
641         (test2):
642
643 2017-12-13  Saam Barati  <sbarati@apple.com>
644
645         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
646         https://bugs.webkit.org/show_bug.cgi?id=180734
647         <rdar://problem/35640547>
648
649         Reviewed by Yusuke Suzuki.
650
651         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
652         (__isPropertyOfType):
653         (__getProperties):
654         (__getObjects):
655         (__getRandomObject):
656         (theClass.):
657         (theClass):
658         (childClass):
659         (counter.catch):
660
661 2017-12-12  Saam Barati  <sbarati@apple.com>
662
663         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
664         https://bugs.webkit.org/show_bug.cgi?id=180725
665         <rdar://problem/35970511>
666
667         Reviewed by Michael Saboff.
668
669         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
670         (f1):
671         (f2):
672         (let.o2.valueOf):
673
674 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
675
676         [JSC] Implement optimized WeakMap and WeakSet
677         https://bugs.webkit.org/show_bug.cgi?id=179929
678
679         Reviewed by Saam Barati.
680
681         * microbenchmarks/weak-map-key.js:
682         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
683         (assert):
684         (objectKey):
685         (let.start.Date.now):
686         * stress/basic-weakmap.js: Added.
687         (shouldBe):
688         (test):
689         * stress/basic-weakset.js: Added.
690         (shouldBe):
691         (test.set new):
692         * stress/weakmap-cse-set-break.js: Added.
693         (shouldBe):
694         (test):
695         * stress/weakmap-cse.js: Added.
696         (shouldBe):
697         (test):
698         * stress/weakmap-gc.js: Added.
699         (test):
700         * stress/weakset-cse-add-break.js: Added.
701         (shouldBe):
702         (test.set new):
703         * stress/weakset-cse.js: Added.
704         (shouldBe):
705         (test.set new):
706         * stress/weakset-gc.js: Added.
707         (test.set add):
708         (test.set new):
709         (test):
710
711 2017-12-12  Saam Barati  <sbarati@apple.com>
712
713         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
714         https://bugs.webkit.org/show_bug.cgi?id=180723
715         <rdar://problem/35859726>
716
717         Reviewed by JF Bastien.
718
719         * stress/get-my-argument-by-val-constant-folding.js: Added.
720         (test):
721         (catch):
722
723 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
724
725         [ESNext][BigInt] Implement BigInt literals and JSBigInt
726         https://bugs.webkit.org/show_bug.cgi?id=179000
727
728         Reviewed by Darin Adler and Yusuke Suzuki.
729
730         * bigIntTests.yaml: Added.
731         * stress/big-int-literal-line-terminator.js: Added.
732         * stress/big-int-literals.js: Added.
733         * stress/big-int-operations-error.js: Added.
734         * stress/big-int-type-of.js: Added.
735         * stress/big-int-white-space-trailing-leading.js: Added.
736         * stress/big-int-function-apply.js: Added.
737
738 2017-12-11  Saam Barati  <sbarati@apple.com>
739
740         We need to disableCaching() in ErrorInstance when we materialize properties
741         https://bugs.webkit.org/show_bug.cgi?id=180343
742         <rdar://problem/35833002>
743
744         Reviewed by Mark Lam.
745
746         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
747         (assert):
748         (makeError):
749         (storeToStack):
750         (storeToStackAlreadyMaterialized):
751
752 2017-12-05  JF Bastien  <jfbastien@apple.com>
753
754         WebAssembly: don't eagerly checksum
755         https://bugs.webkit.org/show_bug.cgi?id=180441
756         <rdar://problem/35156628>
757
758         Reviewed by Saam Barati.
759
760         Checksum is now disabled, so tests only have <?> as the module
761         name.
762
763         * wasm/function-tests/nameSection.js:
764         * wasm/function-tests/stack-overflow.js:
765         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
766         (assertOverflows.assertThrows):
767         (assertOverflows):
768         * wasm/function-tests/stack-trace.js:
769
770 2017-12-04  JF Bastien  <jfbastien@apple.com>
771
772         Proxy all functions, except the $ objects
773         https://bugs.webkit.org/show_bug.cgi?id=180375
774
775         Reviewed by Saam Barati.
776
777         It looks like this test may have broken some executions because I
778         call some internal objects. Explicitly ignore objects whose name
779         starts with "$" because it's a bad idea anyways.
780
781         * stress/proxy-all-the-parameters.js:
782         (generateObjects):
783         (get throw):
784
785 2017-12-04  Saam Barati  <sbarati@apple.com>
786
787         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
788         https://bugs.webkit.org/show_bug.cgi?id=180366
789         <rdar://problem/35685877>
790
791         Reviewed by Michael Saboff.
792
793         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
794         (theParent):
795         (test1.base.getParentStaticValue):
796         (test1.base):
797         (test1.__v_24888.prototype.set prop):
798         (test1.__v_24888):
799         (test2.base.getParentStaticValue):
800         (test2.base):
801         (test2.__v_24888.prototype.set prop):
802         (test2.__v_24888):
803         (test2):
804
805 2017-12-01  JF Bastien  <jfbastien@apple.com>
806
807         Try proxying all function arguments
808         https://bugs.webkit.org/show_bug.cgi?id=180306
809
810         Reviewed by Saam Barati.
811
812         * stress/proxy-all-the-parameters.js: Added.
813         (isPropertyOfType):
814         (getProperties):
815         (generateObjects):
816         (getObjects):
817         (getFunctions):
818         (get throw):
819         (let.o.of.getObjects.let.f.of.getFunctions.catch):
820
821 2017-12-01  JF Bastien  <jfbastien@apple.com>
822
823         JavaScriptCore: missing exception checks in Math functions that take more than one argument
824         https://bugs.webkit.org/show_bug.cgi?id=180297
825         <rdar://problem/35745556>
826
827         Reviewed by Mark Lam.
828
829         * stress/math-exceptions.js: Added.
830         (get try):
831         (catch):
832
833 2017-12-01  JF Bastien  <jfbastien@apple.com>
834
835         JavaScriptCore: add test for weird class static getters
836         https://bugs.webkit.org/show_bug.cgi?id=180281
837         <rdar://problem/35592139>
838
839         Reviewed by Mark Lam.
840
841         I fixed a bug for it in r224927 and didn't add a test. Do so.
842
843         * stress/class-static-get-weird.js: Added.
844         (c.prototype.get name):
845         (c):
846         (c.prototype.get arguments):
847         (c.prototype.get caller):
848         (c.prototype.get length):
849
850 2017-12-01  Saam Barati  <sbarati@apple.com>
851
852         Having a bad time needs to handle ArrayClass indexing type as well
853         https://bugs.webkit.org/show_bug.cgi?id=180274
854         <rdar://problem/35667869>
855
856         Reviewed by Keith Miller and Mark Lam.
857
858         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
859         (assert):
860         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
861         (assert):
862
863 2017-12-01  JF Bastien  <jfbastien@apple.com>
864
865         WebAssembly: restore cached stack limit after out-call
866         https://bugs.webkit.org/show_bug.cgi?id=179106
867         <rdar://problem/35337525>
868
869         Reviewed by Saam Barati.
870
871         * wasm/function-tests/double-instance.js: Added.
872         (const.imp.boom):
873         (const.imp.get callAnother):
874
875 2017-11-30  JF Bastien  <jfbastien@apple.com>
876
877         WebAssembly: improve stack trace
878         https://bugs.webkit.org/show_bug.cgi?id=179343
879
880         Reviewed by Saam Barati.
881
882         Update the tests to follow the new format. Notably, SHA1 module
883         hash is now included in traces, and stubs are properly identified.
884
885         * wasm/assert.js: Add an assertion which matches regular expressions.
886         * wasm/function-tests/nameSection.js:
887         * wasm/function-tests/stack-overflow.js:
888         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
889         (assertOverflows.assertThrows.wasm.1):
890         (assertOverflows.assertThrows.wasm.0):
891         (assertOverflows.assertThrows):
892         (assertOverflows):
893         * wasm/function-tests/stack-trace.js:
894         (import.Builder.from.string_appeared_here.assert): Deleted.
895         * wasm/function-tests/trap-after-cross-instance-call.js:
896         (wasmFrameCountFromError):
897         * wasm/function-tests/trap-load-2.js:
898         (wasmFrameCountFromError):
899         * wasm/function-tests/trap-load.js:
900         (wasmFrameCountFromError):
901
902 2017-11-30  Mark Lam  <mark.lam@apple.com>
903
904         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
905         https://bugs.webkit.org/show_bug.cgi?id=180219
906         <rdar://problem/35696536>
907
908         Reviewed by Filip Pizlo.
909
910         * stress/regress-180219.js: Added.
911
912 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
913
914         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
915         https://bugs.webkit.org/show_bug.cgi?id=180190
916
917         Reviewed by Mark Lam.
918
919         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
920         (shouldBe):
921         (test1):
922         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
923         (shouldBe):
924         (test1):
925         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
926         (shouldBe):
927         (test1):
928         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
929         (shouldBe):
930         (test1):
931         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
932         (shouldBe):
933         (test1):
934         * stress/operation-in-may-have-negative-int32.js: Added.
935         (shouldBe):
936         (test2):
937         * stress/operation-in-negative-int32-cast.js: Added.
938         (shouldBe):
939         (test1):
940
941 2017-11-28  JF Bastien  <jfbastien@apple.com>
942
943         Strict and sloppy functions shouldn't share structure
944         https://bugs.webkit.org/show_bug.cgi?id=180103
945         <rdar://problem/35667847>
946
947         Reviewed by Saam Barati.
948
949         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
950         because the IC was wrong.
951         (foo):
952         (bar):
953         (baz):
954         (catch):
955         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
956         in this patch, but may as well test odd strict mode corner cases.
957         (bar):
958         (baz):
959         (catch):
960         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
961         (foo):
962         (bar):
963         (baz):
964         (catch):
965         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
966         next file, but with invalidation of the FunctionExecutable's
967         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
968         slower path.
969         (foo):
970         (bar.const.x):
971         (bar.const.y):
972         (bar):
973         (catch):
974         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
975         strict nesting works correctly.
976         (foo):
977         (bar.baz):
978         (bar):
979         * stress/strict-function-structure.js: Added. The test used to
980         assert in objectProtoFuncHasOwnProperty.
981         (foo):
982         (bar):
983         (baz):
984         * stress/strict-nested-function-structure.js: Added. Nesting.
985         (foo):
986         (bar):
987         (baz.boo):
988         (baz):
989
990 2017-11-29  Robin Morisset  <rmorisset@apple.com>
991
992         The recursive tail call optimisation is wrong on closures
993         https://bugs.webkit.org/show_bug.cgi?id=179835
994
995         Reviewed by Saam Barati.
996
997         * stress/closure-recursive-tail-call.js: Added.
998         (makeClosure):
999
1000 2017-11-27  JF Bastien  <jfbastien@apple.com>
1001
1002         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1003         https://bugs.webkit.org/show_bug.cgi?id=180051
1004         <rdar://problem/35614371>
1005
1006         Reviewed by Saam Barati.
1007
1008         * stress/rest-parameter-negative.js: Added.
1009         (__f_5484):
1010         (catch):
1011         (__f_5485):
1012         (__v_22598.catch):
1013
1014 2017-11-27  Saam Barati  <sbarati@apple.com>
1015
1016         Spread can escape when CreateRest does not
1017         https://bugs.webkit.org/show_bug.cgi?id=180057
1018         <rdar://problem/35676119>
1019
1020         Reviewed by JF Bastien.
1021
1022         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1023         (assert):
1024         (getProperties):
1025         (theFunc):
1026         (let.obj.valueOf):
1027
1028 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1029
1030         [DFG] Add NormalizeMapKey DFG IR
1031         https://bugs.webkit.org/show_bug.cgi?id=179912
1032
1033         Reviewed by Saam Barati.
1034
1035         * stress/map-untyped-normalize-cse.js: Added.
1036         (shouldBe):
1037         (test):
1038         * stress/map-untyped-normalize.js: Added.
1039         (shouldBe):
1040         (test):
1041         * stress/set-untyped-normalize-cse.js: Added.
1042         (shouldBe):
1043         (set return.set has.set has):
1044         * stress/set-untyped-normalize.js: Added.
1045         (shouldBe):
1046         (set return.set has):
1047
1048 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1049
1050         [FTL] Support DeleteById and DeleteByVal
1051         https://bugs.webkit.org/show_bug.cgi?id=180022
1052
1053         Reviewed by Saam Barati.
1054
1055         * stress/delete-by-id.js: Added.
1056         (shouldBe):
1057         (test1):
1058         (test2):
1059         * stress/delete-by-val-ftl.js: Added.
1060         (shouldBe):
1061         (test1):
1062         (test2):
1063
1064 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1065
1066         [DFG] Introduce {Set,Map,WeakMap}Fields
1067         https://bugs.webkit.org/show_bug.cgi?id=179925
1068
1069         Reviewed by Saam Barati.
1070
1071         * stress/map-set-clobber-map-get.js: Added.
1072         (shouldBe):
1073         (test):
1074         * stress/map-set-does-not-clobber-set-has.js: Added.
1075         (shouldBe):
1076         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1077         (shouldBe):
1078         (test):
1079         * stress/set-add-clobber-set-has.js: Added.
1080         (shouldBe):
1081         * stress/set-add-does-not-clobber-map-get.js: Added.
1082         (shouldBe):
1083
1084 2017-11-24  Mark Lam  <mark.lam@apple.com>
1085
1086         Move unsafe jsc shell test functions to the $vm object.
1087         https://bugs.webkit.org/show_bug.cgi?id=179980
1088
1089         Reviewed by Yusuke Suzuki.
1090
1091         * controlFlowProfiler/driver/driver.js:
1092         * controlFlowProfiler/execution-count.js:
1093         * controlFlowProfiler/if-statement.js:
1094         * controlFlowProfiler/loop-statements.js:
1095         * controlFlowProfiler/switch-statements.js:
1096         * controlFlowProfiler/test-jit.js:
1097         * exceptionFuzz/3d-cube.js:
1098         * exceptionFuzz/date-format-xparb.js:
1099         * exceptionFuzz/earley-boyer.js:
1100         * heapProfiler/basic-edges.js:
1101         * heapProfiler/property-edge-types.js:
1102         * microbenchmarks/try-get-by-id-basic.js:
1103         * microbenchmarks/try-get-by-id-polymorphic.js:
1104         * modules/namespace-object-try-get.js:
1105         * stress/argument-count-bytecode.js:
1106         * stress/argument-intrinsic-basic.js:
1107         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1108         * stress/argument-intrinsic-inlining-with-result-escape.js:
1109         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1110         * stress/argument-intrinsic-inlining-with-vararg.js:
1111         * stress/argument-intrinsic-nested-inlining.js:
1112         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1113         * stress/argument-intrinsic-with-stack-write.js:
1114         * stress/arity-mismatch-get-argument.js:
1115         * stress/array-message-passing.js:
1116         * stress/array-push-with-force-exit.js:
1117         * stress/check-dom-with-signature.js:
1118         * stress/check-sub-class.js:
1119         * stress/compare-eq-incomplete-profile.js:
1120         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1121         * stress/do-eval-virtual-call-correctly.js:
1122         * stress/dom-jit-with-poly-proto.js:
1123         * stress/domjit-exception-ic.js:
1124         * stress/domjit-exception.js:
1125         * stress/domjit-getter-complex-with-incorrect-object.js:
1126         * stress/domjit-getter-complex.js:
1127         * stress/domjit-getter-poly.js:
1128         * stress/domjit-getter-proto.js:
1129         * stress/domjit-getter-super-poly.js:
1130         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1131         * stress/domjit-getter-type-check.js:
1132         * stress/domjit-getter.js:
1133         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1134         * stress/for-in-proxy-target-changed-structure.js:
1135         * stress/for-in-proxy.js:
1136         * stress/generational-opaque-roots.js:
1137         * stress/global-const-redeclaration-setting-2.js:
1138         * stress/global-const-redeclaration-setting-3.js:
1139         * stress/global-const-redeclaration-setting-4.js:
1140         * stress/global-const-redeclaration-setting-5.js:
1141         * stress/global-const-redeclaration-setting.js:
1142         * stress/import-basic.js:
1143         * stress/import-from-eval.js:
1144         * stress/import-reject-with-exception.js:
1145         * stress/import-syntax.js:
1146         * stress/impure-get-own-property-slot-inline-cache.js:
1147         * stress/is-constructor.js:
1148         * stress/istypedarrayview-intrinsic.js:
1149         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1150         * stress/jsc-test-functions-should-be-more-robust.js:
1151         * stress/object-toString-with-proxy.js:
1152         * stress/poly-proto-custom-value-and-accessor.js:
1153         * stress/proxy-inline-cache.js:
1154         * stress/re-execute-error-module.js:
1155         * stress/regress-150532.js:
1156         * stress/regress-156992.js:
1157         * stress/regress-179619.js:
1158         * stress/resources/shadow-chicken-support.js:
1159         * stress/runtime-array.js:
1160         * stress/sampling-profiler-microtasks.js:
1161         * stress/shadow-chicken-enabled.js:
1162         * stress/spread-correct-global-object-on-exception.js:
1163         * stress/super-get-by-id.js:
1164         * stress/tailCallForwardArguments.js:
1165         * stress/to-object-intrinsic-boolean-edge.js:
1166         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1167         * stress/to-object-intrinsic-number-edge.js:
1168         * stress/to-object-intrinsic-object-edge.js:
1169         * stress/to-object-intrinsic-string-edge.js:
1170         * stress/to-object-intrinsic-symbol-edge.js:
1171         * stress/to-object-intrinsic.js:
1172         * stress/try-catch-custom-getter-as-get-by-id.js:
1173         * stress/try-get-by-id-poly-proto.js:
1174         * stress/try-get-by-id-should-spill-registers-dfg.js:
1175         * stress/try-get-by-id.js:
1176         * typeProfiler/arrow-functions.js:
1177         * typeProfiler/basic.js:
1178         * typeProfiler/captured.js:
1179         * typeProfiler/classes.js:
1180         * typeProfiler/dfg-jit-optimizations.js:
1181         * typeProfiler/dictionary-mode.js:
1182         * typeProfiler/es6-block-scoping.js:
1183         * typeProfiler/es6-classes.js:
1184         * typeProfiler/inheritance.js:
1185         * typeProfiler/int52-dfg.js:
1186         * typeProfiler/loop.js:
1187         * typeProfiler/optional-fields.js:
1188         * typeProfiler/overflow.js:
1189         * typeProfiler/return.js:
1190         * typeProfiler/symbol.js:
1191         * typeProfiler/weird-prototype-chain.js:
1192
1193 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1194
1195         [DFG][FTL] Support MapSet / SetAdd intrinsics
1196         https://bugs.webkit.org/show_bug.cgi?id=179858
1197
1198         Reviewed by Saam Barati.
1199
1200         * microbenchmarks/map-has-and-set.js: Added.
1201         (test):
1202         * stress/map-set-check-failure.js: Added.
1203         (shouldBe):
1204         (shouldThrow):
1205         (target):
1206         * stress/map-set-cse.js: Added.
1207         (shouldBe):
1208         (test):
1209         * stress/set-add-check-failure.js: Added.
1210         (shouldBe):
1211         (shouldThrow):
1212         (set shouldThrow):
1213         * stress/set-add-cse.js: Added.
1214         (shouldBe):
1215
1216 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1217
1218         [JSC] Allow poly proto for intrinsic getters
1219         https://bugs.webkit.org/show_bug.cgi?id=179550
1220
1221         Reviewed by Saam Barati.
1222
1223         This change is also tested by existing tests.
1224
1225             1. stress/intrinsic-getter-with-poly-proto.js
1226             2. stress/poly-proto-intrinsic-getter-correctness.js
1227
1228         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1229         (shouldBe):
1230         (makePolyProtoObject.foo.C):
1231         (makePolyProtoObject.foo):
1232         (makePolyProtoObject):
1233         (target):
1234         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1235         (shouldBe):
1236         (makePolyProtoObject.foo.C):
1237         (makePolyProtoObject.foo):
1238         (makePolyProtoObject):
1239         (target):
1240
1241 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1242
1243         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1244         https://bugs.webkit.org/show_bug.cgi?id=179744
1245
1246         Reviewed by Michael Catanzaro.
1247
1248         This test uses too much memory for our buildbots on these platforms
1249         and gets OOM-killed.
1250
1251         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1252         Skip if $memoryLimited and linux.
1253
1254 2017-11-17  JF Bastien  <jfbastien@apple.com>
1255
1256         WebAssembly JS API: throw when a promise can't be created
1257         https://bugs.webkit.org/show_bug.cgi?id=179826
1258         <rdar://problem/35455813>
1259
1260         Reviewed by Mark Lam.
1261
1262         Test WebAssembly.{compile,instantiate} where promise creation
1263         fails because of a stack overflow.
1264
1265         * wasm/js-api/promise-stack-overflow.js: Added.
1266         (const.runNearStackLimit.f.const.t):
1267         (async.testCompile):
1268         (async.testInstantiate):
1269
1270 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1271
1272         Unreviewed, mark regress-178385.js as memory exhausting
1273
1274         * stress/regress-178385.js:
1275
1276 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1277
1278         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1279
1280         Unreviewed test gardening.
1281
1282         * test262.yaml:
1283
1284 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1285
1286         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1287         https://bugs.webkit.org/show_bug.cgi?id=179763
1288         <rdar://problem/35550513>
1289
1290         Reviewed by Keith Miller.
1291
1292         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1293
1294         * stress/tdz-this-in-try-catch.js: Added.
1295         (__v_6388):
1296         (__v_6392):
1297
1298 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1299
1300         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1301         https://bugs.webkit.org/show_bug.cgi?id=179594
1302
1303         Reviewed by Saam Barati.
1304
1305         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1306         (shouldBe):
1307         (args):
1308         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1309         (shouldBe):
1310         (args):
1311
1312 2017-11-14  Saam Barati  <sbarati@apple.com>
1313
1314         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1315         https://bugs.webkit.org/show_bug.cgi?id=179639
1316         <rdar://problem/35513018>
1317
1318         Reviewed by JF Bastien.
1319
1320         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1321         (escape):
1322         (i.func):
1323
1324 2017-11-13  Mark Lam  <mark.lam@apple.com>
1325
1326         Add more overflow check book-keeping for MarkedArgumentBuffer.
1327         https://bugs.webkit.org/show_bug.cgi?id=179634
1328         <rdar://problem/35492517>
1329
1330         Reviewed by Saam Barati.
1331
1332         * stress/regress-179634.js: Added.
1333
1334 2017-11-13  Mark Lam  <mark.lam@apple.com>
1335
1336         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1337         https://bugs.webkit.org/show_bug.cgi?id=179619
1338         <rdar://problem/35492518>
1339
1340         Reviewed by Saam Barati.
1341
1342         * stress/regress-179619.js: Added.
1343
1344 2017-11-12  Mark Lam  <mark.lam@apple.com>
1345
1346         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1347         https://bugs.webkit.org/show_bug.cgi?id=179562
1348         <rdar://problem/35467022>
1349
1350         Reviewed by Saam Barati.
1351
1352         * regress-179562.js: Added.
1353
1354 2017-11-08  Saam Barati  <sbarati@apple.com>
1355
1356         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1357         https://bugs.webkit.org/show_bug.cgi?id=177792
1358
1359         Reviewed by Yusuke Suzuki.
1360
1361         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1362         (assert):
1363         (foo.Foo.prototype.ensureX):
1364         (foo.Foo):
1365         (foo):
1366         (access):
1367
1368 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1369
1370         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1371         https://bugs.webkit.org/show_bug.cgi?id=178592
1372
1373         Unreviewed test gardening.
1374
1375         * test262.yaml:
1376
1377 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1378
1379         Turn recursive tail calls into loops
1380         https://bugs.webkit.org/show_bug.cgi?id=176601
1381
1382         Reviewed by Saam Barati.
1383
1384         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1385
1386         Add some simple test that computes factorial in several ways, and other trivial computations.
1387         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1388         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1389         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1390         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1391
1392         * stress/inline-call-to-recursive-tail-call.js: Added.
1393         (factorial.aux):
1394         (factorial):
1395         (factorial2.aux2):
1396         (factorial2.id):
1397         (factorial2):
1398         (factorial3.aux3):
1399         (factorial3):
1400         (aux4):
1401         (factorial4):
1402         (foo):
1403         (auxBar):
1404         (bar):
1405         (test):
1406
1407 2017-11-07  Mark Lam  <mark.lam@apple.com>
1408
1409         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1410         https://bugs.webkit.org/show_bug.cgi?id=179355
1411         <rdar://problem/35263053>
1412
1413         Reviewed by Saam Barati.
1414
1415         * stress/regress-179355.js: Added.
1416
1417 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1418
1419         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1420         https://bugs.webkit.org/show_bug.cgi?id=144458
1421
1422         Reviewed by Saam Barati.
1423
1424         * microbenchmarks/dfg-internal-function-call.js: Added.
1425         (target):
1426         * microbenchmarks/dfg-internal-function-construct.js: Added.
1427         (target):
1428         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
1429         (target):
1430         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
1431         (target):
1432         * stress/dfg-internal-function-call.js: Added.
1433         (shouldBe):
1434         (target):
1435         * stress/dfg-internal-function-construct.js: Added.
1436         (shouldBe):
1437         (target):
1438         * stress/internal-function-call.js: Added.
1439         (shouldBe):
1440         * stress/internal-function-construct.js: Added.
1441         (shouldBe):
1442
1443 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
1444
1445         [Win] Skip stress/regress-178385.js.
1446         https://bugs.webkit.org/show_bug.cgi?id=179298
1447
1448         Unreviewed test gardening.
1449
1450         * stress/regress-178385.js:
1451
1452 2017-11-03  Keith Miller  <keith_miller@apple.com>
1453
1454         Add test for ic with side effects
1455         https://bugs.webkit.org/show_bug.cgi?id=179268
1456
1457         Reviewed by Saam Barati.
1458
1459         * stress/put-inline-cache-side-effects.js: Added.
1460         (let.i.of.objs.keys):
1461         (f):
1462
1463 2017-11-03  Mark Lam  <mark.lam@apple.com>
1464
1465         CachedCall (and its clients) needs overflow checks.
1466         https://bugs.webkit.org/show_bug.cgi?id=179185
1467
1468         Reviewed by JF Bastien.
1469
1470         * stress/regress-179185.js: Added.
1471
1472 2017-11-02  Michael Saboff  <msaboff@apple.com>
1473
1474         DFG needs to handle code motion of code in for..in loop bodies
1475         https://bugs.webkit.org/show_bug.cgi?id=179212
1476
1477         Reviewed by Keith Miller.
1478
1479         New regression test.
1480
1481         * stress/for-in-side-effects.js: Added.
1482         (getPrototypeOf):
1483         (reset):
1484         (testWithoutFTL.f):
1485         (testWithoutFTL):
1486         (testWithFTL.f):
1487         (testWithFTL):
1488
1489 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1490
1491         AI does not correctly model the clobber case of ArithClz32
1492         https://bugs.webkit.org/show_bug.cgi?id=179188
1493
1494         Reviewed by Michael Saboff.
1495
1496         * stress/arith-clz32-effects.js: Added.
1497         (foo):
1498         (valueOf):
1499
1500 2017-11-01  Michael Saboff  <msaboff@apple.com>
1501
1502         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1503         https://bugs.webkit.org/show_bug.cgi?id=179140
1504
1505         Reviewed by Saam Barati.
1506
1507         New regression test.
1508
1509         * stress/regress-179140.js: Added.
1510         (testWithoutFTL):
1511         (testWithFTL):
1512
1513 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1514
1515         [JSC] Introduce @toObject
1516         https://bugs.webkit.org/show_bug.cgi?id=178726
1517
1518         Reviewed by Saam Barati.
1519
1520         * stress/array-copywithin.js:
1521         (shouldThrow):
1522         * stress/object-constructor-boolean-edge.js: Added.
1523         (shouldBe):
1524         (test):
1525         * stress/object-constructor-global.js: Added.
1526         (shouldBe):
1527         * stress/object-constructor-null-edge.js: Added.
1528         (shouldBe):
1529         (test):
1530         * stress/object-constructor-number-edge.js: Added.
1531         (shouldBe):
1532         (test):
1533         * stress/object-constructor-object-edge.js: Added.
1534         (shouldBe):
1535         (test):
1536         (i.arg):
1537         * stress/object-constructor-string-edge.js: Added.
1538         (shouldBe):
1539         (test):
1540         * stress/object-constructor-symbol-edge.js: Added.
1541         (shouldBe):
1542         (test):
1543         * stress/object-constructor-undefined-edge.js: Added.
1544         (shouldBe):
1545         (test):
1546         * stress/symbol-array-from.js: Added.
1547         (shouldBe):
1548         * stress/to-object-intrinsic-boolean-edge.js: Added.
1549         (shouldBe):
1550         (builtin.createBuiltin):
1551         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
1552         (shouldThrow):
1553         * stress/to-object-intrinsic-number-edge.js: Added.
1554         (shouldBe):
1555         (builtin.createBuiltin):
1556         * stress/to-object-intrinsic-object-edge.js: Added.
1557         (shouldBe):
1558         (builtin.createBuiltin):
1559         (i.arg):
1560         * stress/to-object-intrinsic-string-edge.js: Added.
1561         (shouldBe):
1562         (builtin.createBuiltin):
1563         * stress/to-object-intrinsic-symbol-edge.js: Added.
1564         (shouldBe):
1565         (builtin.createBuiltin):
1566         * stress/to-object-intrinsic.js: Added.
1567         (shouldBe):
1568         (shouldThrow):
1569         (builtin.createBuiltin):
1570
1571 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1572
1573         [DFG][FTL] Introduce StringSlice
1574         https://bugs.webkit.org/show_bug.cgi?id=178934
1575
1576         Reviewed by Saam Barati.
1577
1578         * microbenchmarks/string-slice-empty.js: Added.
1579         (slice):
1580         * microbenchmarks/string-slice-one-char.js: Added.
1581         (slice):
1582         * microbenchmarks/string-slice.js: Added.
1583         (slice):
1584
1585 2017-10-26  Michael Saboff  <msaboff@apple.com>
1586
1587         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1588         https://bugs.webkit.org/show_bug.cgi?id=178890
1589
1590         Reviewed by Keith Miller.
1591
1592         New regression test.
1593
1594         * stress/regress-178890.js: Added.
1595
1596 2017-10-26  Mark Lam  <mark.lam@apple.com>
1597
1598         JSRopeString::RopeBuilder::append() should check for overflows.
1599         https://bugs.webkit.org/show_bug.cgi?id=178385
1600         <rdar://problem/35027468>
1601
1602         Reviewed by Saam Barati.
1603
1604         * stress/regress-178385.js: Added.
1605
1606 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
1607
1608         Unreviewed, rolling out r223961.
1609
1610         The change that required this has been rolled out.
1611
1612         Reverted changeset:
1613
1614         "Mark test262.yaml/test262/test/language/statements/try/tco-
1615         catch.js as passing."
1616         https://bugs.webkit.org/show_bug.cgi?id=178592
1617         https://trac.webkit.org/changeset/223961
1618
1619 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1620
1621         Unreviewed, rolling out r223691 and r223729.
1622         https://bugs.webkit.org/show_bug.cgi?id=178834
1623
1624         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1625         by rniwa on #webkit).
1626
1627         Reverted changesets:
1628
1629         "Turn recursive tail calls into loops"
1630         https://bugs.webkit.org/show_bug.cgi?id=176601
1631         https://trac.webkit.org/changeset/223691
1632
1633         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1634         comparison is always false due to limited range of data type
1635         [-Wtype-limits]"
1636         https://bugs.webkit.org/show_bug.cgi?id=178543
1637         https://trac.webkit.org/changeset/223729
1638
1639 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
1640
1641         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1642         https://bugs.webkit.org/show_bug.cgi?id=178592
1643
1644         Unreviewed test gardening.
1645
1646         * test262.yaml:
1647
1648 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1649
1650         [FTL] Support NewStringObject
1651         https://bugs.webkit.org/show_bug.cgi?id=178737
1652
1653         Reviewed by Saam Barati.
1654
1655         * stress/new-string-object.js: Added.
1656         (shouldBe):
1657         (test):
1658
1659 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1660
1661         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
1662         https://bugs.webkit.org/show_bug.cgi?id=178308
1663
1664         Reviewed by Mark Lam.
1665
1666         * test262.yaml:
1667
1668 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1669
1670         [JSC] Use fastJoin in Array#toString
1671         https://bugs.webkit.org/show_bug.cgi?id=178062
1672
1673         Reviewed by Darin Adler.
1674
1675         * microbenchmarks/contiguous-array-to-string.js: Added.
1676         (target):
1677         * microbenchmarks/double-array-to-string.js: Added.
1678         (target):
1679         * microbenchmarks/int32-array-to-string.js: Added.
1680         (target):
1681
1682 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
1683
1684         stress/check-string-ident.js is improperly skipped
1685         https://bugs.webkit.org/show_bug.cgi?id=178642
1686
1687         Reviewed by Saam Barati.
1688
1689         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
1690         since it enforces the run-jsc-stress-tests script to still set up the
1691         test to run, despite the skip directive that's used before.
1692
1693 2017-10-20  Mark Lam  <mark.lam@apple.com>
1694
1695         Add a test case for r214334.
1696         https://bugs.webkit.org/show_bug.cgi?id=169941
1697         <rdar://problem/31221258>
1698
1699         Reviewed by JF Bastien.
1700
1701         * stress/regress-169941.js: Added.
1702
1703 2017-10-19  JF Bastien  <jfbastien@apple.com>
1704
1705         WebAssembly: no VM / JS version of everything but Instance
1706         https://bugs.webkit.org/show_bug.cgi?id=177473
1707
1708         Reviewed by Filip Pizlo, Saam Barati.
1709
1710         - Exceeding max on memory growth now returns a range error as per
1711         spec. This is a (very minor) breaking change: it used to throw OOM
1712         error. Update the corresponding test.
1713
1714         * wasm/js-api/memory-grow.js:
1715         (assertEq):
1716         * wasm/js-api/table.js:
1717         (assert.throws):
1718
1719 2017-10-19  Mark Lam  <mark.lam@apple.com>
1720
1721         Stringifier::appendStringifiedValue() is missing an exception check.
1722         https://bugs.webkit.org/show_bug.cgi?id=178386
1723         <rdar://problem/35027610>
1724
1725         Reviewed by Saam Barati.
1726
1727         * stress/regress-178386.js: Added.
1728
1729 2017-10-19  Michael Saboff  <msaboff@apple.com>
1730
1731         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
1732         https://bugs.webkit.org/show_bug.cgi?id=178521
1733
1734         Reviewed by JF Bastien.
1735
1736         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
1737         now passes with the current version (5.0) of the Emoji spec.
1738
1739 2017-10-19  Robin Morisset  <rmorisset@apple.com>
1740
1741         Turn recursive tail calls into loops
1742         https://bugs.webkit.org/show_bug.cgi?id=176601
1743
1744         Reviewed by Saam Barati.
1745
1746         Add some simple test that computes factorial in several ways, and other trivial computations.
1747         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1748         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1749         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1750         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1751
1752         * stress/inline-call-to-recursive-tail-call.js: Added.
1753         (factorial.aux):
1754         (factorial):
1755         (factorial2.aux):
1756         (factorial2.id):
1757         (factorial2):
1758         (factorial3.aux):
1759         (factorial3):
1760         (aux):
1761         (factorial4):
1762         (test):
1763
1764 2017-10-18  Mark Lam  <mark.lam@apple.com>
1765
1766         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
1767         https://bugs.webkit.org/show_bug.cgi?id=177600
1768         <rdar://problem/34710985>
1769
1770         Reviewed by Saam Barati.
1771
1772         * stress/regress-177600.js: Added.
1773
1774 2017-10-18  Mark Lam  <mark.lam@apple.com>
1775
1776         The compiler should always register a structure when it adds its transitionWatchPointSet.
1777         https://bugs.webkit.org/show_bug.cgi?id=178420
1778         <rdar://problem/34814024>
1779
1780         Reviewed by Saam Barati and Filip Pizlo.
1781
1782         * stress/regress-178420.js: Added.
1783         (new.Array.10000.map):
1784
1785 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1786
1787         [JSC] __proto__ getter should be fast
1788         https://bugs.webkit.org/show_bug.cgi?id=178067
1789
1790         Reviewed by Saam Barati.
1791
1792         * stress/dfg-object-proto-accessor.js: Added.
1793         (shouldBe):
1794         (shouldThrow):
1795         (target):
1796         * stress/dfg-object-proto-getter.js: Added.
1797         (shouldBe):
1798         (shouldThrow):
1799         (target):
1800         * stress/dfg-object-prototype-of.js: Added.
1801         (shouldBe):
1802         (shouldThrow):
1803         (target):
1804         * stress/dfg-reflect-get-prototype-of.js: Added.
1805         (shouldBe):
1806         (shouldThrow):
1807         (target):
1808         * stress/intrinsic-getter-with-poly-proto.js: Added.
1809         (shouldBe):
1810         (makePolyProtoObject.foo.C):
1811         (makePolyProtoObject.foo):
1812         (makePolyProtoObject):
1813         (target):
1814         * stress/object-get-prototype-of-filtered.js: Added.
1815         (shouldBe):
1816         (shouldThrow):
1817         (target):
1818         (i.Cocoa):
1819         * stress/object-get-prototype-of-mono-proto.js: Added.
1820         (shouldBe):
1821         (makePolyProtoObject.foo.C):
1822         (makePolyProtoObject.foo):
1823         (makePolyProtoObject):
1824         (target):
1825         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
1826         (shouldBe):
1827         (makePolyProtoObject.foo.C):
1828         (makePolyProtoObject.foo):
1829         (makePolyProtoObject):
1830         (target):
1831         * stress/object-get-prototype-of-poly-proto.js: Added.
1832         (shouldBe):
1833         (makePolyProtoObject.foo.C):
1834         (makePolyProtoObject.foo):
1835         (makePolyProtoObject):
1836         (target):
1837         * stress/object-proto-getter-filtered.js: Added.
1838         (shouldBe):
1839         (shouldThrow):
1840         (target):
1841         (i.Cocoa):
1842         * stress/object-proto-getter-poly-mono-proto.js: Added.
1843         (shouldBe):
1844         (makePolyProtoObject.foo.C):
1845         (makePolyProtoObject.foo):
1846         (makePolyProtoObject):
1847         (target):
1848         * stress/object-proto-getter-poly-proto.js: Added.
1849         (shouldBe):
1850         (makePolyProtoObject.foo.C):
1851         (makePolyProtoObject.foo):
1852         (makePolyProtoObject):
1853         (target):
1854         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
1855         * stress/string-proto.js: Added.
1856         (shouldBe):
1857         (target):
1858
1859 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
1860
1861         Unreviewed, rolling out r223523.
1862
1863         A test for this change is failing on debug JSC bots.
1864
1865         Reverted changeset:
1866
1867         "[JSC] __proto__ getter should be fast"
1868         https://bugs.webkit.org/show_bug.cgi?id=178067
1869         https://trac.webkit.org/changeset/223523
1870
1871 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1872
1873         [JSC] __proto__ getter should be fast
1874         https://bugs.webkit.org/show_bug.cgi?id=178067
1875
1876         Reviewed by Saam Barati.
1877
1878         * stress/dfg-object-proto-accessor.js: Added.
1879         (shouldBe):
1880         (shouldThrow):
1881         (target):
1882         * stress/dfg-object-proto-getter.js: Added.
1883         (shouldBe):
1884         (shouldThrow):
1885         (target):
1886         * stress/dfg-object-prototype-of.js: Added.
1887         (shouldBe):
1888         (shouldThrow):
1889         (target):
1890         * stress/dfg-reflect-get-prototype-of.js: Added.
1891         (shouldBe):
1892         (shouldThrow):
1893         (target):
1894         * stress/object-get-prototype-of-filtered.js: Added.
1895         (shouldBe):
1896         (shouldThrow):
1897         (target):
1898         (i.Cocoa):
1899         * stress/object-get-prototype-of-mono-proto.js: Added.
1900         (shouldBe):
1901         (makePolyProtoObject.foo.C):
1902         (makePolyProtoObject.foo):
1903         (makePolyProtoObject):
1904         (target):
1905         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
1906         (shouldBe):
1907         (makePolyProtoObject.foo.C):
1908         (makePolyProtoObject.foo):
1909         (makePolyProtoObject):
1910         (target):
1911         * stress/object-get-prototype-of-poly-proto.js: Added.
1912         (shouldBe):
1913         (makePolyProtoObject.foo.C):
1914         (makePolyProtoObject.foo):
1915         (makePolyProtoObject):
1916         (target):
1917         * stress/object-proto-getter-filtered.js: Added.
1918         (shouldBe):
1919         (shouldThrow):
1920         (target):
1921         (i.Cocoa):
1922         * stress/object-proto-getter-poly-mono-proto.js: Added.
1923         (shouldBe):
1924         (makePolyProtoObject.foo.C):
1925         (makePolyProtoObject.foo):
1926         (makePolyProtoObject):
1927         (target):
1928         * stress/object-proto-getter-poly-proto.js: Added.
1929         (shouldBe):
1930         (makePolyProtoObject.foo.C):
1931         (makePolyProtoObject.foo):
1932         (makePolyProtoObject):
1933         (target):
1934         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
1935         * stress/string-proto.js: Added.
1936         (shouldBe):
1937         (target):
1938
1939 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1940
1941         Reland "Add Above/Below comparisons for UInt32 patterns"
1942         https://bugs.webkit.org/show_bug.cgi?id=177281
1943
1944         Reviewed by Saam Barati.
1945
1946         * stress/uint32-comparison-jump.js: Added.
1947         (shouldBe):
1948         (above):
1949         (aboveOrEqual):
1950         (below):
1951         (belowOrEqual):
1952         (notAbove):
1953         (notAboveOrEqual):
1954         (notBelow):
1955         (notBelowOrEqual):
1956         * stress/uint32-comparison.js: Added.
1957         (shouldBe):
1958         (above):
1959         (aboveOrEqual):
1960         (below):
1961         (belowOrEqual):
1962         (aboveTest):
1963         (aboveOrEqualTest):
1964         (belowTest):
1965         (belowOrEqualTest):
1966
1967 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1968
1969         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
1970         https://bugs.webkit.org/show_bug.cgi?id=178210
1971
1972         Reviewed by Saam Barati.
1973
1974         * wasm/function-tests/trap-from-start-async.js:
1975         (async.StartTrapsAsync):
1976         * wasm/function-tests/trap-from-start.js:
1977         (StartTraps):
1978         * wasm/js-api/web-assembly-function.js:
1979         (assert.eq.Object.getPrototypeOf):
1980         * wasm/js-api/wrapper-function.js:
1981         (return.new.WebAssembly.Module):
1982         (assert.throws.makeInstance): Deleted.
1983         (assert.throws.Bar): Deleted.
1984         (assert.throws): Deleted.
1985
1986 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
1987
1988         Enable gigacage on iOS
1989         https://bugs.webkit.org/show_bug.cgi?id=177586
1990
1991         Reviewed by JF Bastien.
1992         
1993         Add tests for when Gigacage gets runtime disabled.
1994
1995         * stress/disable-gigacage-arrays.js: Added.
1996         (foo):
1997         * stress/disable-gigacage-strings.js: Added.
1998         (foo):
1999         * stress/disable-gigacage-typed-arrays.js: Added.
2000         (foo):
2001
2002 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2003
2004         import.meta should not be assignable
2005         https://bugs.webkit.org/show_bug.cgi?id=178202
2006
2007         Reviewed by Saam Barati.
2008
2009         * modules/import-meta-assignment.js: Added.
2010         (shouldThrow):
2011         (SyntaxError.import.meta.can.shouldThrow):
2012
2013 2017-10-11  Saam Barati  <sbarati@apple.com>
2014
2015         Unreviewed. Actually skip certain type profiler tests in debug.
2016
2017         * typeProfiler.yaml:
2018         * typeProfiler/deltablue-for-of.js:
2019         * typeProfiler/getter-richards.js:
2020
2021 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2022
2023         Unreviewed, rolling out r223113 and r223121.
2024         https://bugs.webkit.org/show_bug.cgi?id=178182
2025
2026         Reintroduced 20% regression on Kraken (Requested by rniwa on
2027         #webkit).
2028
2029         Reverted changesets:
2030
2031         "Enable gigacage on iOS"
2032         https://bugs.webkit.org/show_bug.cgi?id=177586
2033         https://trac.webkit.org/changeset/223113
2034
2035         "Use one virtual allocation for all gigacages and their
2036         runways"
2037         https://bugs.webkit.org/show_bug.cgi?id=178050
2038         https://trac.webkit.org/changeset/223121
2039
2040 2017-10-11  Michael Saboff  <msaboff@apple.com>
2041
2042         Disable test262 named capture group tests with direct unicode names and with references before definitions
2043         https://bugs.webkit.org/show_bug.cgi?id=178177
2044
2045         Reviewed by Keith Miller.
2046
2047         Bugs to track fixing these test are:
2048         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2049             "Add support in named capture group identifiers for direct surrogate pairs"
2050         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2051             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2052
2053         * test262.yaml:
2054
2055 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2056
2057         Object properties are undefined in super.call() but not in this.call()
2058         https://bugs.webkit.org/show_bug.cgi?id=177230
2059
2060         Reviewed by Saam Barati.
2061
2062         * stress/super-call-function-subclass.js: Added.
2063         (assert):
2064         (A.prototype.t):
2065         (A):
2066         * stress/super-dot-call-and-apply.js: Added.
2067         (assert):
2068         (A):
2069         (A.prototype.call):
2070         (A.prototype.apply):
2071         (B.prototype.testSuper):
2072         (B):
2073         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2074         (D.prototype.testSuper):
2075         (D):
2076
2077 2017-10-10  Saam Barati  <sbarati@apple.com>
2078
2079         The prototype cache should be aware of the Executable it generates a Structure for
2080         https://bugs.webkit.org/show_bug.cgi?id=177907
2081
2082         Reviewed by Filip Pizlo.
2083
2084         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2085         (assert):
2086         (foo.C):
2087         (foo):
2088         (bar.C):
2089         (bar):
2090         (access):
2091         (makeLongChain):
2092         (accessY):
2093
2094 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2095
2096         `async` should be able to be used as an imported binding name
2097         https://bugs.webkit.org/show_bug.cgi?id=176573
2098
2099         Reviewed by Saam Barati.
2100
2101         * modules/import-default-async.js: Added.
2102         * modules/import-named-async-as.js: Added.
2103         * modules/import-named-async.js: Added.
2104         * modules/import-named-async/target.js: Added.
2105         * modules/import-namespace-async.js: Added.
2106         * test262.yaml:
2107
2108 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2109
2110         Enable gigacage on iOS
2111         https://bugs.webkit.org/show_bug.cgi?id=177586
2112
2113         Reviewed by JF Bastien.
2114         
2115         Add tests for when Gigacage gets runtime disabled.
2116
2117         * stress/disable-gigacage-arrays.js: Added.
2118         (foo):
2119         * stress/disable-gigacage-strings.js: Added.
2120         (foo):
2121         * stress/disable-gigacage-typed-arrays.js: Added.
2122         (foo):
2123
2124 2017-10-09  Michael Saboff  <msaboff@apple.com>
2125
2126         Implement RegExp Unicode property escapes
2127         https://bugs.webkit.org/show_bug.cgi?id=172069
2128
2129         Reviewed by JF Bastien.
2130
2131         Enabled Unicode Property tests.
2132
2133         * test262.yaml:
2134
2135 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2136
2137         Unreviewed, rolling out r223015 and r223025.
2138         https://bugs.webkit.org/show_bug.cgi?id=178093
2139
2140         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2141         #webkit).
2142
2143         Reverted changesets:
2144
2145         "Enable gigacage on iOS"
2146         https://bugs.webkit.org/show_bug.cgi?id=177586
2147         http://trac.webkit.org/changeset/223015
2148
2149         "Unreviewed, disable Gigacage on ARM64 Linux"
2150         https://bugs.webkit.org/show_bug.cgi?id=177586
2151         http://trac.webkit.org/changeset/223025
2152
2153 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2154
2155         Update expectations for test262 tests that pass after r223043.
2156         https://bugs.webkit.org/show_bug.cgi?id=176685
2157
2158         Unreviewed test gardening.
2159
2160         * test262.yaml:
2161
2162 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2163
2164         Unreviewed, rolling out r223022.
2165
2166         This change introduced 18 test262 failures.
2167
2168         Reverted changeset:
2169
2170         "`async` should be able to be used as an imported binding
2171         name"
2172         https://bugs.webkit.org/show_bug.cgi?id=176573
2173         http://trac.webkit.org/changeset/223022
2174
2175 2017-10-09  Saam Barati  <sbarati@apple.com>
2176
2177         3 poly-proto JSC tests timing out on debug after r222827
2178         https://bugs.webkit.org/show_bug.cgi?id=177880
2179         <rdar://problem/34817122>
2180
2181         Unreviewed.
2182
2183         I'm skipping these type profiler tests on debug since they are long running.
2184
2185         * typeProfiler/deltablue-for-of.js:
2186         * typeProfiler/getter-richards.js:
2187
2188 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2189
2190         Safari 10 /11 problem with if (!await get(something)).
2191         https://bugs.webkit.org/show_bug.cgi?id=176685
2192
2193         Reviewed by Saam Barati.
2194
2195         * stress/async-await-basic.js:
2196         (awaitEpression.async):
2197         * stress/async-await-syntax.js:
2198         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2199         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2200
2201 2017-10-08  Saam Barati  <sbarati@apple.com>
2202
2203         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2204
2205         * typeProfiler/deltablue-for-of.js:
2206         * typeProfiler/getter-richards.js:
2207
2208 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2209
2210         `async` should be able to be used as an imported binding name
2211         https://bugs.webkit.org/show_bug.cgi?id=176573
2212
2213         Reviewed by Darin Adler.
2214
2215         * modules/import-default-async.js: Added.
2216         * modules/import-named-async-as.js: Added.
2217         * modules/import-named-async.js: Added.
2218         * modules/import-named-async/target.js: Added.
2219         * modules/import-namespace-async.js: Added.
2220
2221 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2222
2223         Enable gigacage on iOS
2224         https://bugs.webkit.org/show_bug.cgi?id=177586
2225
2226         Reviewed by JF Bastien.
2227         
2228         Add tests for when Gigacage gets runtime disabled.
2229
2230         * stress/disable-gigacage-arrays.js: Added.
2231         (foo):
2232         * stress/disable-gigacage-strings.js: Added.
2233         (foo):
2234         * stress/disable-gigacage-typed-arrays.js: Added.
2235         (foo):
2236
2237 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2238
2239         Unreviewed, rolling out r222791 and r222873.
2240         https://bugs.webkit.org/show_bug.cgi?id=178031
2241
2242         Caused crashes with workers/wasm LayoutTests (Requested by
2243         ryanhaddad on #webkit).
2244
2245         Reverted changesets:
2246
2247         "WebAssembly: no VM / JS version of everything but Instance"
2248         https://bugs.webkit.org/show_bug.cgi?id=177473
2249         http://trac.webkit.org/changeset/222791
2250
2251         "WebAssembly: address no VM / JS follow-ups"
2252         https://bugs.webkit.org/show_bug.cgi?id=177887
2253         http://trac.webkit.org/changeset/222873
2254
2255 2017-10-05  Saam Barati  <sbarati@apple.com>
2256
2257         Make sure all prototypes under poly proto get added into the VM's prototype map
2258         https://bugs.webkit.org/show_bug.cgi?id=177909
2259
2260         Reviewed by Keith Miller.
2261
2262         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2263         (assert):
2264         (foo.C):
2265         (foo):
2266         (set x):
2267
2268 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2269
2270         [JSC] Introduce import.meta
2271         https://bugs.webkit.org/show_bug.cgi?id=177703
2272
2273         Reviewed by Filip Pizlo.
2274
2275         * modules/import-meta-syntax.js: Added.
2276         (shouldThrow):
2277         (shouldNotThrow):
2278         * modules/import-meta.js: Added.
2279         * modules/import-meta/cocoa.js: Added.
2280         * modules/resources/assert.js:
2281         (export.shouldNotThrow):
2282         * stress/import-syntax.js:
2283
2284 2017-10-04  Saam Barati  <sbarati@apple.com>
2285
2286         Make pertinent AccessCases watch the poly proto watchpoint
2287         https://bugs.webkit.org/show_bug.cgi?id=177765
2288
2289         Reviewed by Keith Miller.
2290
2291         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2292         (assert):
2293         (foo.C):
2294         (foo):
2295         (validate):
2296         * stress/poly-proto-clear-stub.js: Added.
2297         (assert):
2298         (foo.C):
2299         (foo):
2300
2301 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2302
2303         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2304
2305         Unreviewed test gardening.
2306
2307         * test262.yaml:
2308
2309 2017-10-04  Saam Barati  <sbarati@apple.com>
2310
2311         3 poly-proto JSC tests timing out on debug after r222827
2312         https://bugs.webkit.org/show_bug.cgi?id=177880
2313
2314         Rubber stamped by Mark Lam.
2315
2316         * microbenchmarks/poly-proto-access.js:
2317         * typeProfiler/deltablue-for-of.js:
2318         * typeProfiler/getter-richards.js:
2319
2320 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2321
2322         Unreviewed, marking tco-catch.js as a failure after test262 update
2323         https://bugs.webkit.org/show_bug.cgi?id=177859
2324
2325         * test262.yaml:
2326
2327 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2328
2329         Unreviewed, marking one async iterator test262 test failed
2330         https://bugs.webkit.org/show_bug.cgi?id=177859
2331
2332         * test262.yaml:
2333
2334 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2335
2336         [Test262] Update Test262 to Oct 4 version
2337         https://bugs.webkit.org/show_bug.cgi?id=177859
2338
2339         Reviewed by Sam Weinig.
2340
2341         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2342         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
2343
2344         * test262.yaml:
2345         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2346         (checkSequence):
2347         * test262/harness/typeCoercion.js:
2348         (testCoercibleToIndexZero):
2349         (testCoercibleToIndexOne):
2350         (testCoercibleToIndexFromIndex):
2351         (testNotCoercibleToIndex.testPrimitiveValue):
2352         (testNotCoercibleToInteger):
2353         (testCoercibleToBigIntZero.testPrimitiveValue):
2354         (testCoercibleToBigIntZero):
2355         (testCoercibleToBigIntOne.testPrimitiveValue):
2356         (testCoercibleToBigIntOne):
2357         (testPrimitiveValue):
2358         (testCoercibleToBigIntFromBigInt):
2359         (testNotCoercibleToBigInt.testPrimitiveValue):
2360         (testNotCoercibleToBigInt.testStringValue):
2361         (testNotCoercibleToBigInt):
2362         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2363         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2364         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2365         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2366         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2367         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2368         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2369         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2370         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2371         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2372         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2373         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2374         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2375         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2376         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2377         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2378         (testCoercibleToBigIntZero):
2379         (testCoercibleToBigIntOne):
2380         (testNotCoercibleToBigInt):
2381         (MyError): Deleted.
2382         (valueOf): Deleted.
2383         (toString): Deleted.
2384         (Symbol.toPrimitive): Deleted.
2385         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2386         (testCoercibleToIndexZero):
2387         (testCoercibleToIndexOne):
2388         (testNotCoercibleToIndex):
2389         (MyError): Deleted.
2390         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2391         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2392         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
2393         (BigInt.asIntN.valueOf): Deleted.
2394         (BigInt.asIntN.toString): Deleted.
2395         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
2396         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
2397         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
2398         (testCoercibleToBigIntZero):
2399         (testCoercibleToBigIntOne):
2400         (testNotCoercibleToBigInt):
2401         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
2402         (testCoercibleToIndexZero):
2403         (testCoercibleToIndexOne):
2404         (testNotCoercibleToIndex):
2405         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
2406         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
2407         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
2408         (bits.valueOf):
2409         (bigint.valueOf):
2410         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
2411         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
2412         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
2413         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
2414         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
2415         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
2416         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
2417         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
2418         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
2419         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
2420         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
2421         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
2422         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
2423         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
2424         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
2425         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
2426         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
2427         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
2428         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
2429         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
2430         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
2431         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
2432         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
2433         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
2434         (replacer):
2435         (BigInt.prototype.toJSON):
2436         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
2437         (replacer):
2438         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
2439         (BigInt.prototype.toJSON):
2440         * test262/test/built-ins/JSON/stringify/bigint.js:
2441         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
2442         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
2443         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
2444         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
2445         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
2446         * test262/test/built-ins/Object/proto-from-ctor.js:
2447         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
2448         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
2449         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
2450         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
2451         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
2452         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
2453         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
2454         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
2455         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
2456         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
2457         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
2458         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
2459         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
2460         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
2461         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
2462         * test262/test/built-ins/Proxy/get-fn-realm.js:
2463         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
2464         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
2465         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
2466         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
2467         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
2468         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
2469         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
2470         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
2471         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
2472         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
2473         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
2474         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
2475         (i6.replace):
2476         (i6b.replace):
2477         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
2478         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
2479         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
2480         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
2481         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
2482         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
2483         * test262/test/built-ins/RegExp/u180e.js: Added.
2484         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
2485         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
2486         * test262/test/built-ins/String/proto-from-ctor-realm.js:
2487         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
2488         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
2489         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
2490         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
2491         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
2492         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
2493         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
2494         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
2495         * test262/test/built-ins/String/prototype/endsWith/length.js:
2496         * test262/test/built-ins/String/prototype/endsWith/name.js:
2497         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
2498         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
2499         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
2500         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
2501         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
2502         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
2503         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
2504         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
2505         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
2506         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
2507         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
2508         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
2509         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
2510         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
2511         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
2512         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
2513         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
2514         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
2515         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
2516         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
2517         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
2518         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
2519         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
2520         * test262/test/built-ins/String/prototype/includes/includes.js:
2521         * test262/test/built-ins/String/prototype/includes/length.js:
2522         * test262/test/built-ins/String/prototype/includes/name.js:
2523         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
2524         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
2525         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
2526         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
2527         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
2528         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
2529         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
2530         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
2531         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
2532         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
2533         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
2534         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
2535         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
2536         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
2537         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
2538         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
2539         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
2540         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
2541         * test262/test/built-ins/String/prototype/trim/u180e.js:
2542         * test262/test/built-ins/Symbol/for/cross-realm.js:
2543         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
2544         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
2545         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
2546         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
2547         * test262/test/built-ins/Symbol/match/cross-realm.js:
2548         * test262/test/built-ins/Symbol/replace/cross-realm.js:
2549         * test262/test/built-ins/Symbol/search/cross-realm.js:
2550         * test262/test/built-ins/Symbol/species/cross-realm.js:
2551         * test262/test/built-ins/Symbol/split/cross-realm.js:
2552         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
2553         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
2554         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
2555         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
2556         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
2557         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
2558         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
2559         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
2560         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
2561         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
2562         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
2563         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
2564         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
2565         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
2566         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
2567         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
2568         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
2569         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
2570         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
2571         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
2572         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
2573         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
2574         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
2575         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
2576         * test262/test/language/comments/mongolian-vowel-separator-single.js:
2577         * test262/test/language/eval-code/indirect/realm.js:
2578         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
2579         (o.get z):
2580         (o.get a):
2581         * test262/test/language/expressions/call/eval-realm-indirect.js:
2582         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
2583         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
2584         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
2585         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
2586         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
2587         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
2588         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
2589         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
2590         * test262/test/language/expressions/greater-than/bigint-and-number.js:
2591         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
2592         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
2593         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
2594         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
2595         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
2596         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
2597         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
2598         * test262/test/language/expressions/less-than/bigint-and-number.js:
2599         * test262/test/language/expressions/new/non-ctor-err-realm.js:
2600         * test262/test/language/expressions/super/realm.js:
2601         * test262/test/language/expressions/tagged-template/cache-realm.js:
2602         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
2603         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
2604         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
2605         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
2606         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
2607         * test262/test/language/literals/string/mongolian-vowel-separator.js:
2608         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
2609         (o.get z):
2610         (o.get a):
2611         * test262/test/language/statements/for-of/iterator-next-reference.js:
2612         (next):
2613         (iterator.next): Deleted.
2614         (x.of.iterable.): Deleted.
2615         (x.of.iterable.get return): Deleted.
2616         (x.of.iterable.iterator.next): Deleted.
2617         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
2618         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
2619         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
2620         * test262/test/language/white-space/mongolian-vowel-separator.js:
2621         * test262/test262-Revision.txt:
2622
2623 2017-10-03  Saam Barati  <sbarati@apple.com>
2624
2625         Implement polymorphic prototypes
2626         https://bugs.webkit.org/show_bug.cgi?id=176391
2627
2628         Reviewed by Filip Pizlo.
2629
2630         * microbenchmarks/poly-proto-access.js: Added.
2631         (assert):
2632         (foo.C):
2633         (foo.C.prototype.get bar):
2634         (foo):
2635         (bar):
2636         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
2637         (assert):
2638         (makePolyProtoObject.foo.C):
2639         (makePolyProtoObject.foo):
2640         (makePolyProtoObject):
2641         (performSet):
2642         * microbenchmarks/poly-proto-setter-speed.js: Added.
2643         (assert):
2644         (makePolyProtoObject.foo.C):
2645         (makePolyProtoObject.foo.C.prototype.set p):
2646         (makePolyProtoObject.foo):
2647         (makePolyProtoObject):
2648         (performSet):
2649         * stress/constructor-with-return.js:
2650         (i.tests.forEach.Constructor):
2651         (i.tests.forEach):
2652         (tests.forEach.Constructor): Deleted.
2653         (tests.forEach): Deleted.
2654         * stress/dom-jit-with-poly-proto.js: Added.
2655         (assert):
2656         (makePolyProtoObject.foo.C):
2657         (makePolyProtoObject.foo):
2658         (makePolyProtoObject):
2659         (validate):
2660         * stress/poly-proto-custom-value-and-accessor.js: Added.
2661         (assert):
2662         (makePolyProtoObject.foo.C):
2663         (makePolyProtoObject.foo):
2664         (makePolyProtoObject):
2665         (items.forEach):
2666         (set get for):
2667         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
2668         (assert):
2669         (makePolyProtoObject.foo.C):
2670         (makePolyProtoObject.foo):
2671         (makePolyProtoObject):
2672         (foo):
2673         * stress/poly-proto-miss.js: Added.
2674         (makePolyProtoInstanceWithNullPrototype.foo.C):
2675         (makePolyProtoInstanceWithNullPrototype.foo):
2676         (makePolyProtoInstanceWithNullPrototype):
2677         (assert):
2678         (validate):
2679         * stress/poly-proto-op-in-caching.js: Added.
2680         (assert):
2681         (makePolyProtoObject.foo.C):
2682         (makePolyProtoObject.foo):
2683         (makePolyProtoObject):
2684         (validate):
2685         (validate2):
2686         * stress/poly-proto-put-transition.js: Added.
2687         (assert):
2688         (makePolyProtoObject.foo.C):
2689         (makePolyProtoObject.foo):
2690         (makePolyProtoObject):
2691         (performSet):
2692         (i.obj.__proto__.set p):
2693         * stress/poly-proto-set-prototype.js: Added.
2694         (assert):
2695         (let.alternateProto.get x):
2696         (let.alternateProto2.get y):
2697         (let.alternateProto2.get x):
2698         (foo.C):
2699         (foo):
2700         (validate):
2701         * stress/poly-proto-setter.js: Added.
2702         (assert):
2703         (makePolyProtoObject.foo.C):
2704         (makePolyProtoObject.foo.C.prototype.set p):
2705         (makePolyProtoObject.foo.C.prototype.get p):
2706         (makePolyProtoObject.foo):
2707         (makePolyProtoObject):
2708         (performSet):
2709         * stress/poly-proto-using-inheritance.js: Added.
2710         (assert):
2711         (foo.C):
2712         (foo.C.prototype.get baz):
2713         (foo):
2714         (bar.C):
2715         (bar):
2716         (validate):
2717         * stress/primitive-poly-proto.js: Added.
2718         (makePolyProtoInstance.foo.C):
2719         (makePolyProtoInstance.foo):
2720         (makePolyProtoInstance):
2721         (assert):
2722         (validate):
2723         * stress/prototype-is-not-js-object.js: Added.
2724         (foo.bar):
2725         (foo):
2726         (assert):
2727         (validate):
2728         * stress/try-get-by-id-poly-proto.js: Added.
2729         (assert):
2730         (makePolyProtoObject.foo.C):
2731         (makePolyProtoObject.foo):
2732         (makePolyProtoObject):
2733         (tryGetByIdText):
2734         (x.__proto__.get bar):
2735         (validate):
2736         * typeProfiler/overflow.js:
2737
2738 2017-10-03  JF Bastien  <jfbastien@apple.com>
2739
2740         WebAssembly: no VM / JS version of everything but Instance
2741         https://bugs.webkit.org/show_bug.cgi?id=177473
2742
2743         Reviewed by Filip Pizlo.
2744
2745         - Exceeding max on memory growth now returns a range error as per
2746         spec. This is a (very minor) breaking change: it used to throw OOM
2747         error. Update the corresponding test.
2748
2749         * wasm/js-api/memory-grow.js:
2750         (assertEq):
2751         * wasm/js-api/table.js:
2752         (assert.throws):
2753
2754 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
2755
2756         Skip JSC test stress/regress-159779-2.js on debug.
2757         https://bugs.webkit.org/show_bug.cgi?id=177204
2758
2759         Unreviewed test gardening.
2760
2761         * stress/regress-159779-2.js:
2762
2763 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
2764
2765         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
2766         https://bugs.webkit.org/show_bug.cgi?id=175642
2767
2768         Reviewed by Darin Adler.
2769
2770         * ChakraCore/test/Function/apply3.baseline-jsc:
2771
2772 2017-10-01  Commit Queue  <commit-queue@webkit.org>
2773
2774         Unreviewed, rolling out r222564.
2775         https://bugs.webkit.org/show_bug.cgi?id=177720
2776
2777         "It regressed JetStream by 2% on iOS caused by a 50%
2778         regression on the bigfib subtest" (Requested by saamyjoon on
2779         #webkit).
2780
2781         Reverted changeset:
2782
2783         "Add Above/Below comparisons for UInt32 patterns"
2784         https://bugs.webkit.org/show_bug.cgi?id=177281
2785         http://trac.webkit.org/changeset/222564
2786
2787 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2788
2789         [DFG] Support ArrayPush with multiple args
2790         https://bugs.webkit.org/show_bug.cgi?id=175823
2791
2792         Reviewed by Saam Barati.
2793
2794         * microbenchmarks/array-push-0.js: Added.
2795         (arrayPush0):
2796         * microbenchmarks/array-push-1.js: Added.
2797         (arrayPush1):
2798         * microbenchmarks/array-push-2.js: Added.
2799         (arrayPush2):
2800         * microbenchmarks/array-push-3.js: Added.
2801         (arrayPush3):
2802         * stress/array-push-multiple-contiguous.js: Added.
2803         (shouldBe):
2804         (test):
2805         * stress/array-push-multiple-double-nan.js: Added.
2806         (shouldBe):
2807         (test):
2808         * stress/array-push-multiple-double.js: Added.
2809         (shouldBe):
2810         (test):
2811         * stress/array-push-multiple-int32.js: Added.
2812         (shouldBe):
2813         (test):
2814         * stress/array-push-multiple-many-contiguous.js: Added.
2815         (shouldBe):
2816         (test):
2817         * stress/array-push-multiple-many-double.js: Added.
2818         (shouldBe):
2819         (test):
2820         * stress/array-push-multiple-many-int32.js: Added.
2821         (shouldBe):
2822         (test):
2823         * stress/array-push-multiple-many-storage.js: Added.
2824         (shouldBe):
2825         (test):
2826         * stress/array-push-multiple-storage.js: Added.
2827         (shouldBe):
2828         (test):
2829         * stress/array-push-with-force-exit.js: Added.
2830         (target.createBuiltin):
2831
2832 2017-09-29  Saam Barati  <sbarati@apple.com>
2833
2834         Custom GetterSetterAccessCase does not use the correct slotBase when making call
2835         https://bugs.webkit.org/show_bug.cgi?id=177639
2836
2837         Reviewed by Geoffrey Garen.
2838
2839         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
2840         (assert):
2841         (Class):
2842         (items.forEach):
2843         (set get for):
2844
2845 2017-09-29  Commit Queue  <commit-queue@webkit.org>
2846
2847         Unreviewed, rolling out r222563, r222565, and r222581.
2848         https://bugs.webkit.org/show_bug.cgi?id=177675
2849
2850         "It causes a crash when playing youtube videos" (Requested by
2851         saamyjoon on #webkit).
2852
2853         Reverted changesets:
2854
2855         "[DFG] Support ArrayPush with multiple args"
2856         https://bugs.webkit.org/show_bug.cgi?id=175823
2857         http://trac.webkit.org/changeset/222563
2858
2859         "Unreviewed, build fix after r222563"
2860         https://bugs.webkit.org/show_bug.cgi?id=175823
2861         http://trac.webkit.org/changeset/222565
2862
2863         "Unreviewed, fix x86 breaking due to exhausted registers"
2864         https://bugs.webkit.org/show_bug.cgi?id=175823
2865         http://trac.webkit.org/changeset/222581
2866
2867 2017-09-28  Mark Lam  <mark.lam@apple.com>
2868
2869         test262: Unexpected passes after r222617 and r222618.
2870         https://bugs.webkit.org/show_bug.cgi?id=177622
2871         <rdar://problem/34725960>
2872
2873         Reviewed by Saam Barati.
2874
2875         Update test262.yaml for tests that are now passing.
2876
2877         * test262.yaml:
2878
2879 2017-09-27  Michael Saboff  <msaboff@apple.com>
2880
2881         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
2882         https://bugs.webkit.org/show_bug.cgi?id=177570
2883
2884         Reviewed by Filip Pizlo.
2885
2886         New regression test.
2887
2888         * stress/regress-177570.js: Added.
2889
2890 2017-09-28  Michael Saboff  <msaboff@apple.com>
2891
2892         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
2893         https://bugs.webkit.org/show_bug.cgi?id=177423
2894
2895         Reviewed by Mark Lam.
2896
2897         Updated regression test.
2898
2899         * stress/regress-177423.js:
2900         (catch):
2901
2902 2017-09-27  Mark Lam  <mark.lam@apple.com>
2903
2904         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
2905         https://bugs.webkit.org/show_bug.cgi?id=177584
2906         <rdar://problem/34463903>
2907
2908         Reviewed by Saam Barati.
2909
2910         * stress/regress-177584.js: Added.
2911         (assertEqual):
2912         (Array.prototype.Symbol.species):
2913
2914 2017-09-27  Saam Barati  <sbarati@apple.com>
2915
2916         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
2917         https://bugs.webkit.org/show_bug.cgi?id=177523
2918
2919         Reviewed by Mark Lam.
2920
2921         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
2922         (assert):
2923         (Test):
2924         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
2925         (addMethods):
2926         (i.Test.prototype.propName):
2927
2928 2017-09-27  Mark Lam  <mark.lam@apple.com>
2929
2930         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
2931         https://bugs.webkit.org/show_bug.cgi?id=177423
2932         <rdar://problem/34621320>
2933
2934         Reviewed by Keith Miller.
2935
2936         * stress/regress-177423.js: Added.
2937
2938 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2939
2940         Add Above/Below comparisons for UInt32 patterns
2941         https://bugs.webkit.org/show_bug.cgi?id=177281
2942
2943         Reviewed by Saam Barati.
2944
2945         * stress/uint32-comparison-jump.js: Added.
2946         (shouldBe):
2947         (above):
2948         (aboveOrEqual):
2949         (below):
2950         (belowOrEqual):
2951         (notAbove):
2952         (notAboveOrEqual):
2953         (notBelow):
2954         (notBelowOrEqual):
2955         * stress/uint32-comparison.js: Added.
2956         (shouldBe):
2957         (above):
2958         (aboveOrEqual):
2959         (below):
2960         (belowOrEqual):
2961         (aboveTest):
2962         (aboveOrEqualTest):
2963         (belowTest):
2964         (belowOrEqualTest):
2965
2966 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2967
2968         [DFG] Support ArrayPush with multiple args
2969         https://bugs.webkit.org/show_bug.cgi?id=175823
2970
2971         Reviewed by Saam Barati.
2972
2973         * microbenchmarks/array-push-0.js: Added.
2974         (arrayPush0):
2975         * microbenchmarks/array-push-1.js: Added.
2976         (arrayPush1):
2977         * microbenchmarks/array-push-2.js: Added.
2978         (arrayPush2):
2979         * microbenchmarks/array-push-3.js: Added.
2980         (arrayPush3):
2981         * stress/array-push-multiple-contiguous.js: Added.
2982         (shouldBe):
2983         (test):
2984         * stress/array-push-multiple-double-nan.js: Added.
2985         (shouldBe):
2986         (test):
2987         * stress/array-push-multiple-double.js: Added.
2988         (shouldBe):
2989         (test):
2990         * stress/array-push-multiple-int32.js: Added.
2991         (shouldBe):
2992         (test):
2993         * stress/array-push-multiple-many-contiguous.js: Added.
2994         (shouldBe):
2995         (test):
2996         * stress/array-push-multiple-many-double.js: Added.
2997         (shouldBe):
2998         (test):
2999         * stress/array-push-multiple-many-int32.js: Added.
3000         (shouldBe):
3001         (test):
3002         * stress/array-push-multiple-many-storage.js: Added.
3003         (shouldBe):
3004         (test):
3005         * stress/array-push-multiple-storage.js: Added.
3006         (shouldBe):
3007         (test):
3008
3009 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3010
3011         Unreviewed, rolling out r222518.
3012         https://bugs.webkit.org/show_bug.cgi?id=177507
3013
3014         Break the High Sierra build (Requested by yusukesuzuki on
3015         #webkit).
3016
3017         Reverted changeset:
3018
3019         "Add Above/Below comparisons for UInt32 patterns"
3020         https://bugs.webkit.org/show_bug.cgi?id=177281
3021         http://trac.webkit.org/changeset/222518
3022
3023 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3024
3025         Add Above/Below comparisons for UInt32 patterns
3026         https://bugs.webkit.org/show_bug.cgi?id=177281
3027
3028         Reviewed by Saam Barati.
3029
3030         * stress/uint32-comparison-jump.js: Added.
3031         (shouldBe):
3032         (above):
3033         (aboveOrEqual):
3034         (below):
3035         (belowOrEqual):
3036         (notAbove):
3037         (notAboveOrEqual):
3038         (notBelow):
3039         (notBelowOrEqual):
3040         * stress/uint32-comparison.js: Added.
3041         (shouldBe):
3042         (above):
3043         (aboveOrEqual):
3044         (below):
3045         (belowOrEqual):
3046         (aboveTest):
3047         (aboveOrEqualTest):
3048         (belowTest):
3049         (belowOrEqualTest):
3050
3051 2017-09-23  Keith Miller  <keith_miller@apple.com>
3052
3053         Fix infinite looping test262 test
3054         https://bugs.webkit.org/show_bug.cgi?id=177412
3055
3056         Reviewed by Yusuke Suzuki.
3057
3058         This test was poorly designed since failing it would cause the vm
3059         to inifinite loop. I've fixed it locally and will fix it on github pending
3060         the results of next weeks tc39 meeting.
3061
3062         * test262.yaml:
3063         * test262/test/language/statements/for-of/iterator-next-reference.js:
3064
3065 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3066
3067         test262: $.agent became $262.agent in test262 update
3068         https://bugs.webkit.org/show_bug.cgi?id=177407
3069
3070         Reviewed by Yusuke Suzuki.
3071
3072         * test262.yaml:
3073         ~320 tests pass now that we correctly make $262 available.
3074
3075 2017-09-22  Keith Miller  <keith_miller@apple.com>
3076
3077         Speculatively change iteration protocall to use the same next function
3078         https://bugs.webkit.org/show_bug.cgi?id=175653
3079
3080         Reviewed by Saam Barati.
3081
3082         Change test to match the new iteration behavior.
3083
3084         * stress/spread-optimized-properly.js:
3085
3086 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3087
3088         [DFG][FTL] Profile array vector length for array allocation
3089         https://bugs.webkit.org/show_bug.cgi?id=177051
3090
3091         Reviewed by Saam Barati.
3092
3093         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3094         (target):
3095
3096 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3097
3098         Unreviewed, rolling out r222380.
3099         https://bugs.webkit.org/show_bug.cgi?id=177352
3100
3101         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3102         #webkit).
3103
3104         Reverted changeset:
3105
3106         "[DFG][FTL] Profile array vector length for array allocation"
3107         https://bugs.webkit.org/show_bug.cgi?id=177051
3108         http://trac.webkit.org/changeset/222380
3109
3110 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3111
3112         [DFG][FTL] Profile array vector length for array allocation
3113         https://bugs.webkit.org/show_bug.cgi?id=177051
3114
3115         Reviewed by Saam Barati.
3116
3117         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3118         (target):
3119
3120 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
3121
3122         Skip new hanging test262 tests.
3123         https://bugs.webkit.org/show_bug.cgi?id=177326
3124
3125         Unreviewed test gardening.
3126
3127         * test262.yaml:
3128
3129 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
3130
3131         Mark 6 test262 tests as passing.
3132         https://bugs.webkit.org/show_bug.cgi?id=177307
3133
3134         Unreviewed test gardening.
3135
3136         * test262.yaml:
3137
3138 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3139
3140         Unreviewed follow-up to r222311.
3141
3142         * test262/harness/sta.js:
3143         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
3144         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
3145         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3146         * test262/test/built-ins/Array/from/elements-added-after.js:
3147         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3148         * test262/test/built-ins/Array/from/elements-updated-after.js:
3149         * test262/test/built-ins/Array/from/from-array.js:
3150         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3151         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3152         * test262/test/built-ins/Array/from/source-array-boundary.js:
3153         * test262/test/built-ins/Array/from/source-object-constructor.js:
3154         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3155         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3156         * test262/test/built-ins/Array/from/source-object-length.js:
3157         * test262/test/built-ins/Array/from/source-object-missing.js:
3158         * test262/test/built-ins/Array/from/source-object-without.js:
3159         * test262/test/built-ins/Array/from/this-null.js:
3160         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3161         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3162         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3163         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3164         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3165         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3166         * test262/test/language/literals/string/7.8.4-1gs.js:
3167         Fix some files that I failed to update when I applied my patch.
3168
3169 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3170
3171         Update test262 tests
3172         https://bugs.webkit.org/show_bug.cgi?id=177220
3173
3174         Reviewed by Saam Barati and Yusuke Suzuki.
3175
3176         * test262.yaml:
3177         * test262/test262-Revision.txt:
3178         New rebaselined expectations for all tests.
3179
3180         * test262/*:
3181         Updated.
3182
3183 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3184
3185         [DFG] Remove ToThis more aggressively
3186         https://bugs.webkit.org/show_bug.cgi?id=177056
3187
3188         Reviewed by Saam Barati.
3189
3190         * stress/generator-with-this-strict.js: Added.
3191         (shouldBe):
3192         (generator):
3193         (target):
3194         * stress/generator-with-this.js: Added.
3195         (shouldBe):
3196         (generator):
3197         (target):
3198
3199 2017-09-17  Michael Saboff  <msaboff@apple.com>
3200
3201         https://bugs.webkit.org/show_bug.cgi?id=177038
3202         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3203
3204         Reviewed by JF Bastien.
3205
3206         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3207         as it dies using too much memory.
3208
3209 2017-09-15  Saam Barati  <sbarati@apple.com>
3210
3211         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3212         https://bugs.webkit.org/show_bug.cgi?id=176981
3213
3214         Reviewed by Yusuke Suzuki.
3215
3216         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3217         (assert):
3218         (verify):
3219         (func):
3220         (const.bar.createBuiltin):
3221
3222 2017-09-14  Saam Barati  <sbarati@apple.com>
3223
3224         It should be valid to exit before each set when doing arity fixup when inlining
3225         https://bugs.webkit.org/show_bug.cgi?id=176948
3226
3227         Reviewed by Keith Miller.
3228
3229         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3230         (baz):
3231         (bar):
3232         (foo):
3233
3234 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3235
3236         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3237         https://bugs.webkit.org/show_bug.cgi?id=176867
3238
3239         Reviewed by Sam Weinig.
3240
3241         * microbenchmarks/object-get-own-property-symbols.js: Added.
3242         (test):
3243
3244 2017-09-13  Mark Lam  <mark.lam@apple.com>
3245
3246         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3247         https://bugs.webkit.org/show_bug.cgi?id=176888
3248         <rdar://problem/34381832>
3249
3250         Not reviewed.
3251
3252         * stress/op_mod-ConstVar.js:
3253         * stress/op_mod-VarConst.js:
3254         * stress/op_mod-VarVar.js:
3255
3256 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3257
3258         Skip 3 op_mod tests on Debug JSC bots.
3259         https://bugs.webkit.org/show_bug.cgi?id=176630
3260
3261         Unreviewed test gardening.
3262
3263         * stress/op_mod-ConstVar.js:
3264         * stress/op_mod-VarConst.js:
3265         * stress/op_mod-VarVar.js:
3266
3267 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3268
3269         [JSC] Fix Array allocation in Object.keys
3270         https://bugs.webkit.org/show_bug.cgi?id=176826
3271
3272         Reviewed by Saam Barati.
3273
3274         * stress/object-own-property-keys.js: Added.
3275         (shouldBe):
3276
3277 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3278
3279         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3280         https://bugs.webkit.org/show_bug.cgi?id=176010
3281
3282         Reviewed by Filip Pizlo.
3283
3284         * microbenchmarks/weak-map-key.js: Added.
3285         (assert):
3286         (objectKey):
3287         (let.start.Date.now):
3288
3289 2017-09-12  Mark Lam  <mark.lam@apple.com>
3290
3291         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3292         https://bugs.webkit.org/show_bug.cgi?id=176630
3293
3294         Reviewed by JF Bastien.
3295
3296         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3297         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3298         a speculative fix for the bots that are seeing these fail.
3299
3300         I also undid the skipping of the op_mod tests for debug builds.
3301
3302         * stress/op_div-ConstVar.js:
3303         * stress/op_div-VarConst.js:
3304         * stress/op_div-VarVar.js:
3305         * stress/op_mod-ConstVar.js:
3306         * stress/op_mod-VarConst.js:
3307         * stress/op_mod-VarVar.js:
3308
3309 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3310
3311         Skip stress/value-to-boolean.js on Debug bots.
3312         https://bugs.webkit.org/show_bug.cgi?id=176787
3313
3314         Unreviewed test gardening.
3315
3316         * stress/value-to-boolean.js:
3317
3318 2017-09-11  Mark Lam  <mark.lam@apple.com>
3319
3320         Change test expectation for test262/test/language/statements/try/tco-catch.js
3321         https://bugs.webkit.org/show_bug.cgi?id=176749
3322
3323         Rubber stamped by Keith Miller.
3324
3325         It's been failing since at least r221821.  I'm changing the test expectation to
3326         fail to green the bots while I investigate some more.
3327
3328         * test262.yaml:
3329
3330 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3331
3332         Unreviewed, rolling out r221854.
3333
3334         The test added with this change fails on 32-bit JSC bots.
3335
3336         Reverted changeset:
3337
3338         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3339         https://bugs.webkit.org/show_bug.cgi?id=176010
3340         http://trac.webkit.org/changeset/221854
3341
3342 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3343
3344         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3345         https://bugs.webkit.org/show_bug.cgi?id=176010
3346
3347         Reviewed by Filip Pizlo.
3348
3349         * microbenchmarks/weak-map-key.js: Added.
3350         (assert):
3351         (objectKey):
3352         (let.start.Date.now):
3353
3354 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3355
3356         [JSC] Optimize Object.keys by using careful array allocation
3357         https://bugs.webkit.org/show_bug.cgi?id=176654
3358
3359         Reviewed by Darin Adler.
3360
3361         * microbenchmarks/object-keys.js: Added.
3362         (test):
3363
3364 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
3365
3366         Error should compute .stack and friends lazily
3367         https://bugs.webkit.org/show_bug.cgi?id=176645
3368
3369         Reviewed by Saam Barati.
3370
3371         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
3372         * microbenchmarks/new-error.js: Added.
3373         * microbenchmarks/throw.js: Added.
3374
3375 2017-09-09  Mark Lam  <mark.lam@apple.com>
3376
3377         [Re-landing] Use JIT probes for DFG OSR exit.
3378         https://bugs.webkit.org/show_bug.cgi?id=175144
3379         <rdar://problem/33437050>
3380
3381         Not reviewed.  Original patch reviewed by Saam Barati.
3382
3383         Disable these tests for debug builds because they run too slow with the new OSR exit.
3384
3385         * stress/op_mod-ConstVar.js:
3386         * stress/op_mod-VarConst.js:
3387         * stress/op_mod-VarVar.js:
3388
3389 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3390
3391         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3392         https://bugs.webkit.org/show_bug.cgi?id=176300
3393
3394         Reviewed by Saam Barati.
3395
3396         * stress/new-array-with-size-div.js: Added.
3397         (shouldBe):
3398         (test):
3399         (i.i):
3400
3401 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3402
3403         [DFG] PutByVal with Array::Generic is too generic
3404         https://bugs.webkit.org/show_bug.cgi?id=176345
3405
3406         Reviewed by Filip Pizlo.
3407
3408         * stress/object-assign-symbols.js: Added.
3409         (shouldBe):
3410         (test):
3411         * stress/object-assign.js: Added.
3412         (shouldBe):
3413         (test):
3414         (i.shouldBe.JSON.stringify.test):
3415
3416 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3417
3418         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
3419         https://bugs.webkit.org/show_bug.cgi?id=176590
3420
3421         Reviewed by Saam Barati.
3422
3423         * microbenchmarks/object-iterate-symbols.js: Added.
3424         (test):
3425         * microbenchmarks/object-iterate.js: Added.
3426         (test):
3427         * stress/object-iterate-symbols.js: Added.
3428         (shouldBe):
3429         (test):
3430         * stress/object-iterate.js: Added.
3431         (shouldBe):
3432         (test):
3433
3434 2017-09-07  Per Arne Vollan  <pvollan@apple.com>
3435
3436         [Win32] 10 JSC stress tests are failing.
3437         https://bugs.webkit.org/show_bug.cgi?id=176538
3438
3439         Reviewed by Mark Lam.
3440
3441         Skip tests on Windows to make the bots green.
3442
3443         * ChakraCore.yaml:
3444         * stress/date-relaxed.js:
3445
3446 2017-09-06  Mark Lam  <mark.lam@apple.com>
3447
3448         constructGenericTypedArrayViewWithArguments() is missing an exception check.
3449         https://bugs.webkit.org/show_bug.cgi?id=176485
3450         <rdar://problem/33898874>
3451
3452         Reviewed by Keith Miller.
3453
3454         * stress/regress-176485.js: Added.
3455
3456 2017-09-05  Saam Barati  <sbarati@apple.com>
3457
3458         isNotCellSpeculation is wrong with respect to SpecEmpty
3459         https://bugs.webkit.org/show_bug.cgi?id=176429
3460
3461         Reviewed by Michael Saboff.
3462
3463         * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
3464         (Foo):
3465
3466 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3467
3468         test262: Completion values for control flow do not match the spec
3469         https://bugs.webkit.org/show_bug.cgi?id=171265
3470
3471         Reviewed by Saam Barati.
3472
3473         * stress/completion-value.js:
3474         Condensed test for completion values in top level statements.
3475
3476         * stress/super-get-by-id.js:
3477         ClassDeclaration when evaled no longer produce values. Convert
3478         these to ClassExpressions so they produce the class value.
3479         
3480         * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
3481         This is a progression for currect spec behavior.
3482
3483         * mozilla/mozilla-tests.yaml:
3484         This test is now outdated, so mark it as failing for that reason.
3485
3486         * test262.yaml:
3487         Passing all "cptn" completion value tests.
3488
3489 2017-09-04  Saam Barati  <sbarati@apple.com>
3490
3491         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
3492         https://bugs.webkit.org/show_bug.cgi?id=176317
3493
3494         Reviewed by Keith Miller.
3495
3496         * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
3497         (Foo):
3498
3499 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3500
3501         [DFG][FTL] Efficiently execute number#toString()
3502         https://bugs.webkit.org/show_bug.cgi?id=170007
3503
3504         Reviewed by Keith Miller.
3505
3506         * microbenchmarks/number-to-string-strength-reduction.js: Added.
3507         (test):
3508         * microbenchmarks/number-to-string-with-radix-10.js: Added.
3509         (test):
3510         * microbenchmarks/number-to-string-with-radix-cse.js: Added.
3511         (test):
3512         * microbenchmarks/number-to-string-with-radix.js: Added.
3513         (test):
3514         * stress/number-to-string-strength-reduction.js: Added.
3515         (shouldBe):
3516         (test):
3517         * stress/number-to-string-with-radix-10.js: Added.
3518         (shouldBe):
3519         (test):
3520         * stress/number-to-string-with-radix-cse.js: Added.
3521         (shouldBe):
3522         (test):
3523         * stress/number-to-string-with-radix-invalid.js: Added.
3524         (shouldThrow):
3525         * stress/number-to-string-with-radix-watchpoint.js: Added.
3526         (shouldBe):
3527         (test):
3528         (i.i.1e3.Number.prototype.toString):
3529         * stress/number-to-string-with-radix.js: Added.
3530         (shouldBe):
3531         (test):
3532
3533 2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3534
3535         [DFG] Relax arity requirement
3536         https://bugs.webkit.org/show_bug.cgi?id=175523
3537
3538         Reviewed by Saam Barati.
3539
3540         * stress/arity-mismatch-arguments-length.js: Added.
3541         (shouldBe):
3542         (test1):
3543         (test):
3544         * stress/arity-mismatch-get-argument.js: Added.
3545         (shouldBe):
3546         (builtin.createBuiltin):
3547         (test):
3548         * stress/arity-mismatch-inlining-extra-slots.js: Added.
3549         (shouldBe):
3550         (inlineTarget):
3551         (test):
3552         * stress/arity-mismatch-inlining.js: Added.
3553         (shouldBe):
3554         (inlineTarget):
3555         (test):
3556         * stress/arity-mismatch-rest.js: Added.
3557         (shouldBe):
3558         (test2):
3559         (test1):
3560         (test):
3561
3562 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3563
3564         [JSC] Fix "name" and "length" of Proxy revoke function
3565         https://bugs.webkit.org/show_bug.cgi?id=176155
3566
3567         Reviewed by Mark Lam.
3568
3569         * test262.yaml:
3570
3571 2017-08-31  Saam Barati  <sbarati@apple.com>
3572
3573         Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
3574         https://bugs.webkit.org/show_bug.cgi?id=176206
3575
3576         Reviewed by Keith Miller.
3577
3578         * stress/compare-semantic-origin-op-negate-method-of-getting-a-value-profile.js: Added.
3579         (a):
3580         (b):
3581         (foo):
3582
3583 2017-08-31  Ryan Haddad  <ryanhaddad@apple.com>
3584
3585         Skip two slow JSC tests after r221422.
3586
3587         Unreviewed test gardening.
3588
3589         * stress/regexp-prototype-match-on-too-long-rope.js:
3590         * stress/regexp-prototype-test-on-too-long-rope.js:
3591
3592 2017-08-31  Filip Pizlo  <fpizlo@apple.com>
3593
3594         Unreviewed, skipping slow tests.
3595         
3596         These tests are now timing out. They would have always been slow. The timeouts are probably because OOMs
3597         work differently now.
3598
3599         * stress/regexp-prototype-exec-on-too-long-rope.js:
3600         * stress/string-prototype-charCodeAt-on-too-long-rope.js:
3601
3602 2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3603
3604         [JSC] Use reifying system for "name" property of builtin JSFunction
3605         https://bugs.webkit.org/show_bug.cgi?id=175260
3606
3607         Reviewed by Saam Barati.
3608
3609         * stress/accessors-get-set-prefix.js:
3610         * stress/builtin-function-name.js: Added.
3611         (shouldBe):
3612         (shouldThrow):
3613         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
3614         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
3615         * stress/private-name-as-anonymous-builtin.js: Added.
3616         (shouldBe):
3617         (NotPromise):
3618
3619 2017-08-30  Saam Barati  <sbarati@apple.com>
3620
3621         Unreviewed. Make test stop printing.
3622
3623         * microbenchmarks/fake-iterators-that-throw-when-finished.js:
3624
3625 2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>
3626
3627         Unreviewed, rolling out r221327.
3628
3629         This change caused test262 failures.
3630
3631         Reverted changeset:
3632
3633         "[JSC] Use reifying system for "name" property of builtin
3634         JSFunction"
3635         https://bugs.webkit.org/show_bug.cgi?id=175260
3636         http://trac.webkit.org/changeset/221327
3637
3638 2017-08-30  Saam Barati  <sbarati@apple.com>
3639
3640         semicolon is being interpreted as an = in the LiteralParser
3641         https://bugs.webkit.org/show_bug.cgi?id=176114
3642
3643         Reviewed by Oliver Hunt.
3644
3645         * stress/jsonp-literal-parser-semicolon-is-not-assignment.js: Added.
3646         * stress/resources/literal-parser-test-case.js: Added.
3647
3648 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
3649
3650         [ESNext] Async iteration - Implement async iteration statement: for-await-of
3651         https://bugs.webkit.org/show_bug.cgi?id=166698
3652
3653         Reviewed by Yusuke Suzuki.
3654
3655         * stress/async-iteration-for-await-of-syntax.js: Added.
3656         (assert):
3657         (checkSyntax):
3658         (checkSyntaxError):
3659         (checkSimpleAsyncGeneratorSloppyMode):
3660         (checkSimpleAsyncGeneratorStrictMode):
3661         (checkNestedAsyncGenerators):
3662         (checkSimpleAsyncGeneratorSyntaxErrorInStrictMode):
3663         * stress/async-iteration-for-await-of.js: Added.
3664         (assert):
3665         (async.foo):
3666         (async.boo):
3667         (const.boo.async):
3668
3669 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3670
3671         [JSC] Use reifying system for "name" property of builtin JSFunction
3672         https://bugs.webkit.org/show_bug.cgi?id=175260
3673
3674         Reviewed by Saam Barati.
3675
3676         * stress/accessors-get-set-prefix.js:
3677         * stress/builtin-function-name.js: Added.
3678         (shouldBe):
3679         (shouldThrow):
3680         (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor):
3681         (shouldBe.JSON.stringify.Object.getOwnPropertyNames.Array.prototype.filter.sort):
3682
3683 2017-08-25  Saam Barati  <sbarati@apple.com>
3684
3685         Support compiling catch in the DFG
3686         https://bugs.webkit.org/show_bug.cgi?id=174590
3687         <rdar://problem/34047845>
3688
3689         Reviewed by Filip Pizlo.
3690
3691         * microbenchmarks/delta-blue-try-catch.js: Added.
3692         (exception):
3693         (value):
3694         (OrderedCollection):
3695         (OrderedCollection.prototype.add):
3696         (OrderedCollection.prototype.at):
3697         (OrderedCollection.prototype.size):
3698         (OrderedCollection.prototype.removeFirst):
3699         (OrderedCollection.prototype.remove):
3700         (Strength):
3701         (Strength.stronger):
3702         (Strength.weaker):
3703         (Strength.weakestOf):
3704         (Strength.strongest):
3705         (Strength.prototype.nextWeaker):
3706         (Constraint):
3707         (Constraint.prototype.addConstraint):
3708         (Constraint.prototype.satisfy):
3709         (Constraint.prototype.destroyConstraint):
3710         (Constraint.prototype.isInput):
3711         (UnaryConstraint):
3712         (UnaryConstraint.prototype.addToGraph):
3713         (UnaryConstraint.prototype.chooseMethod):
3714         (UnaryConstraint.prototype.isSatisfied):
3715         (UnaryConstraint.prototype.markInputs):
3716         (UnaryConstraint.prototype.output):
3717         (UnaryConstraint.prototype.recalculate):
3718         (UnaryConstraint.prototype.markUnsatisfied):
3719         (UnaryConstraint.prototype.inputsKnown):
3720         (UnaryConstraint.prototype.removeFromGraph):
3721         (StayConstraint):
3722         (StayConstraint.prototype.execute):