Update test262 to Jan 30 version
[WebKit-https.git] / JSTests / ChangeLog
1 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Update test262 to Jan 30 version
4         https://bugs.webkit.org/show_bug.cgi?id=182288
5
6         Unreviewed test gardening.
7
8         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
9
10 2018-02-02  Saam Barati  <sbarati@apple.com>
11
12         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
13         https://bugs.webkit.org/show_bug.cgi?id=182368
14         <rdar://problem/36932466>
15
16         Reviewed by Mark Lam.
17
18         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
19         (runNearStackLimit.t):
20         (runNearStackLimit):
21         (try.runNearStackLimit):
22         (catch):
23
24 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
25
26         Update test262 to Jan 30 version
27         https://bugs.webkit.org/show_bug.cgi?id=182288
28
29         Rubber stamped by Saam Barati.
30
31         This patch updates test262 to the latest one, Jan 30 version.
32         Since added and changed files are too many, we cannot create ChangeLog.
33         The following files are changed.
34
35         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
36         including some special line terminators (like u2028, u2029).
37
38         * test262.yaml:
39         * test262/test262-Revision.txt:
40         * test262/*:
41
42 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
43
44         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
45         https://bugs.webkit.org/show_bug.cgi?id=182411
46
47         Reviewed by Carlos Alberto Lopez Perez.
48
49         This is skipped only on arm memory limited platforms. Until recently
50         it was not a problem on MIPS as the butterfly was not initialized. But
51         since r227435, the butterfly is initialized in that test and therefore
52         memory is allocated, and the test typically takes around 512M, which
53         means it generally gets OOM-killed on the MIPS buildbot.
54
55         * mozilla/mozilla-tests.yaml:
56
57 2018-02-01  Mark Lam  <mark.lam@apple.com>
58
59         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
60         https://bugs.webkit.org/show_bug.cgi?id=182419
61         <rdar://problem/37044945>
62
63         Reviewed by Saam Barati.
64
65         * stress/regress-182419.js: Added.
66
67 2018-02-01  Keith Miller  <keith_miller@apple.com>
68
69         Fix crashes due to mishandling custom sections.
70         https://bugs.webkit.org/show_bug.cgi?id=182404
71         <rdar://problem/36935863>
72
73         Reviewed by Saam Barati.
74
75         * wasm/Builder.js:
76         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
77         * wasm/js-api/validate.js:
78         (assert.truthy):
79
80 2018-01-31  Saam Barati  <sbarati@apple.com>
81
82         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
83         https://bugs.webkit.org/show_bug.cgi?id=182074
84         <rdar://problem/36846261>
85
86         Reviewed by Mark Lam.
87
88         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
89         (assert):
90         (let.func):
91         (let.o.foo):
92         (varFunc):
93
94 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
95
96         Unreviewed, update test262 expects
97         https://bugs.webkit.org/show_bug.cgi?id=182232
98
99         * test262.yaml:
100
101 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
102
103         [JSC] Implement trimStart and trimEnd
104         https://bugs.webkit.org/show_bug.cgi?id=182233
105
106         Reviewed by Mark Lam.
107
108         * stress/trim.js: Added.
109         (shouldBe):
110         (startTest):
111         (endTest):
112         (trimTest):
113
114 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
115
116         [JSC] Relax line terminators in String to make JSON subset of JS
117         https://bugs.webkit.org/show_bug.cgi?id=182232
118
119         Reviewed by Keith Miller.
120
121         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
122         * stress/relaxed-line-terminators-in-string.js: Added.
123         (shouldBe):
124
125 2018-01-29  Michael Saboff  <msaboff@apple.com>
126
127         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
128         https://bugs.webkit.org/show_bug.cgi?id=182249
129
130         Reviewed by Keith Miller.
131
132         New regression test.
133
134         * stress/compare-clobber-untypeduse.js: Added.
135
136 2018-01-29  Matt Lewis  <jlewis3@apple.com>
137
138         Unreviewed, rolling out r227725.
139
140         This caused internal failures.
141
142         Reverted changeset:
143
144         "JSC Sampling Profiler: Detect tester and testee when sampling
145         in RegExp JIT"
146         https://bugs.webkit.org/show_bug.cgi?id=152729
147         https://trac.webkit.org/changeset/227725
148
149 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
150
151         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
152         https://bugs.webkit.org/show_bug.cgi?id=152729
153
154         Reviewed by Saam Barati.
155
156         * stress/sampling-profiler-regexp.js: Added.
157         (platformSupportsSamplingProfiler.test):
158         (platformSupportsSamplingProfiler.baz):
159         (platformSupportsSamplingProfiler):
160
161 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
162
163         [DFG][FTL] WeakMap#set should have DFG node
164         https://bugs.webkit.org/show_bug.cgi?id=180015
165
166         Reviewed by Saam Barati.
167
168         * stress/weakmap-set-change-get.js: Added.
169         (shouldBe):
170         (test):
171         * stress/weakmap-set-cse.js: Added.
172         (shouldBe):
173         (test):
174         * stress/weakset-add-change-get.js: Added.
175         (shouldBe):
176         * stress/weakset-add-cse.js: Added.
177         (shouldBe):
178
179 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
180
181         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
182         https://bugs.webkit.org/show_bug.cgi?id=182213
183
184         Reviewed by Mark Lam.
185
186         * stress/int32-min-to-string.js: Added.
187         (shouldBe):
188         (test2):
189         (test4):
190         (test8):
191         (test16):
192         (test32):
193         * stress/zero-to-string.js: Added.
194         (shouldBe):
195         (test2):
196         (test4):
197         (test8):
198         (test16):
199         (test32):
200
201 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
202
203         Add more module scope related tests with code evaluation by string
204         https://bugs.webkit.org/show_bug.cgi?id=181983
205
206         Reviewed by Sam Weinig.
207
208         Add more module scope related tests. When the original tests are landed,
209         we do not have browser integration. This patch adds more module scope tests
210         with dynamically created script evaluation. We add tests with Function
211         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
212
213         * modules/scopes-eval.js: Added.
214         (shouldBe):
215         * modules/scopes.js:
216         (shouldBe):
217
218 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
219
220         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
221
222         * microbenchmarks/array-push-3.js: Removed.
223         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
224         * microbenchmarks/double-to-int32.js: Removed.
225         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
226         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
227         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
228         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
229         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
230         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
231         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
232         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
233         * microbenchmarks/map-constant-key.js: Removed.
234         * microbenchmarks/nested-function-parsing.js: Removed.
235         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
236         * microbenchmarks/spread-large-array.js: Removed.
237         * microbenchmarks/string-add-constant-folding.js: Removed.
238         * microbenchmarks/to-lower-case.js: Removed.
239         * microbenchmarks/undefined-property-access.js: Removed.
240         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
241         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
242         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
243         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
244         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
245         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
246         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
247         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
248         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
249         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
250         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
251         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
252         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
253         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
254         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
255         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
256         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
257         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
258
259 2018-01-23  Robin Morisset  <rmorisset@apple.com>
260
261         Update the argument count in DFGByteCodeParser::handleRecursiveCall
262         https://bugs.webkit.org/show_bug.cgi?id=181739
263         <rdar://problem/36627662>
264
265         Reviewed by Saam Barati.
266
267         * stress/recursive-tail-call-with-different-argument-count.js: Added.
268         (foo):
269         (bar):
270
271 2018-01-22  Michael Saboff  <msaboff@apple.com>
272
273         DFG abstract interpreter needs to properly model effects of some Math ops
274         https://bugs.webkit.org/show_bug.cgi?id=181886
275
276         Reviewed by Saam Barati.
277
278         New regression test.
279
280         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
281         (test):
282
283 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
284
285         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
286         https://bugs.webkit.org/show_bug.cgi?id=181182
287
288         Reviewed by Darin Adler.
289
290         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
291         * stress/big-int-prototype-to-string-exception.js: Added.
292         * stress/big-int-prototype-to-string-wrong-values.js: Added.
293         * stress/number-prototype-to-string-cast-overflow.js: Added.
294         * stress/number-prototype-to-string-exception.js: Added.
295         * stress/number-prototype-to-string-wrong-values.js: Added.
296
297 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
298
299         Disable Atomics when SharedArrayBuffer isn’t enabled
300         https://bugs.webkit.org/show_bug.cgi?id=181572
301
302         Unreviewed test gardening.
303
304         * test262.yaml: Skip tests that fail after this change.
305
306 2018-01-19  Saam Barati  <sbarati@apple.com>
307
308         Kill ArithNegate's ArithProfile assert inside BytecodeParser
309         https://bugs.webkit.org/show_bug.cgi?id=181877
310         <rdar://problem/36630552>
311
312         Reviewed by Mark Lam.
313
314         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
315         (runNearStackLimit):
316         (f1):
317         (f2):
318         (f3):
319         (i.catch):
320         (i.try.runNearStackLimit):
321         (catch):
322
323 2018-01-19  Saam Barati  <sbarati@apple.com>
324
325         Spread's effects are modeled incorrectly both in AI and in Clobberize
326         https://bugs.webkit.org/show_bug.cgi?id=181867
327         <rdar://problem/36290415>
328
329         Reviewed by Michael Saboff.
330
331         * stress/ai-needs-to-model-spreads-effects.js: Added.
332         (try.p.Symbol.iterator):
333         (try.go):
334         (catch):
335         * stress/clobberize-needs-to-model-spread-effects.js: Added.
336         (assert):
337         (foo):
338         (a.Symbol.iterator):
339
340 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
341
342         Unreviewed, reduce count of iteration to fix timing out debug JSC test
343         https://bugs.webkit.org/show_bug.cgi?id=181535
344
345         * stress/inserted-recovery-with-set-last-index.js:
346
347 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
348
349         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
350         https://bugs.webkit.org/show_bug.cgi?id=181535
351
352         Reviewed by Saam Barati.
353
354         * stress/inserted-recovery-with-set-last-index.js: Added.
355         (shouldBe):
356         (foo):
357         * stress/materialize-regexp-at-osr-exit.js: Added.
358         (shouldBe):
359         (test):
360         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
361         (shouldBe):
362         (test):
363         * stress/materialize-regexp-cyclic-regexp.js: Added.
364         (shouldBe):
365         (test):
366         (i.switch):
367         * stress/materialize-regexp-cyclic.js: Added.
368         (shouldBe):
369         (test):
370         (i.switch):
371         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
372         (bar):
373         (foo):
374         (test):
375         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
376         (bar):
377         (foo):
378         (test):
379         * stress/materialize-regexp.js: Added.
380         (shouldBe):
381         (test):
382         * stress/phantom-regexp-regexp-exec.js: Added.
383         (shouldBe):
384         (test):
385         * stress/phantom-regexp-string-match.js: Added.
386         (shouldBe):
387         (test):
388         * stress/regexp-last-index-sinking.js: Added.
389         (shouldBe):
390         (test):
391
392 2018-01-17  Saam Barati  <sbarati@apple.com>
393
394         Disable Atomics when SharedArrayBuffer isn’t enabled
395         https://bugs.webkit.org/show_bug.cgi?id=181572
396         <rdar://problem/36553206>
397
398         Reviewed by Michael Saboff.
399
400         * stress/isLockFree.js:
401
402 2018-01-17  Saam Barati  <sbarati@apple.com>
403
404         DFG::Node::convertToConstant needs to clear the varargs flags
405         https://bugs.webkit.org/show_bug.cgi?id=181697
406         <rdar://problem/36497332>
407
408         Reviewed by Yusuke Suzuki.
409
410         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
411         (doIndexOf):
412         (bar):
413         (i.bar):
414
415 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
416
417         Unreviewed, rolling out r226937.
418
419         Tests added with this change are failing due to a missing
420         exception check.
421
422         Reverted changeset:
423
424         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
425         double to int32_t"
426         https://bugs.webkit.org/show_bug.cgi?id=181182
427         https://trac.webkit.org/changeset/226937
428
429 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
430
431         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
432         https://bugs.webkit.org/show_bug.cgi?id=181182
433
434         Reviewed by Darin Adler.
435
436         * bigIntTests.yaml:
437         * stress/big-int-constructor.js:
438         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
439         (assert):
440         (assertThrowRangeError):
441         * stress/number-prototype-to-string-cast-overflow.js: Added.
442         (assert):
443         (assertThrowRangeError):
444
445 2018-01-12  Saam Barati  <sbarati@apple.com>
446
447         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
448         https://bugs.webkit.org/show_bug.cgi?id=181177
449         <rdar://problem/36205704>
450
451         Reviewed by Yusuke Suzuki.
452
453         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
454         (runNearStackLimit.t):
455         (runNearStackLimit):
456         (test.f):
457         (test):
458
459 2018-01-12  Saam Barati  <sbarati@apple.com>
460
461         Each variant of a polymorphic inlined call should be exitOK at the top of the block
462         https://bugs.webkit.org/show_bug.cgi?id=181562
463         <rdar://problem/36445624>
464
465         Reviewed by Yusuke Suzuki.
466
467         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
468         (f):
469         (foo):
470
471 2018-01-11  Saam Barati  <sbarati@apple.com>
472
473         When inserting Unreachable in byte code parser we need to flush all the right things
474         https://bugs.webkit.org/show_bug.cgi?id=181509
475         <rdar://problem/36423110>
476
477         Reviewed by Mark Lam.
478
479         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
480
481 2018-01-11  Saam Barati  <sbarati@apple.com>
482
483         JITMathIC code in the FTL is wrong when code gets duplicated
484         https://bugs.webkit.org/show_bug.cgi?id=181525
485         <rdar://problem/36351993>
486
487         Reviewed by Michael Saboff and Keith Miller.
488
489         * stress/allow-math-ic-b3-code-duplication.js: Added.
490
491 2018-01-11  Saam Barati  <sbarati@apple.com>
492
493         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
494         https://bugs.webkit.org/show_bug.cgi?id=181508
495
496         Reviewed by Yusuke Suzuki.
497
498         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
499         (assert):
500         (test1.foo):
501         (test1):
502         (test2.foo):
503         (test2):
504
505 2018-01-09  Mark Lam  <mark.lam@apple.com>
506
507         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
508         https://bugs.webkit.org/show_bug.cgi?id=181388
509         <rdar://problem/36349351>
510
511         Reviewed by Saam Barati.
512
513         * stress/regress-181388.js: Added.
514
515 2018-01-08  JF Bastien  <jfbastien@apple.com>
516
517         WebAssembly: mask indexed accesses to Table
518         https://bugs.webkit.org/show_bug.cgi?id=181412
519         <rdar://problem/36363236>
520
521         Reviewed by Saam Barati.
522
523         Update error messages.
524
525         * wasm/js-api/table.js:
526         (assert.throws.WebAssembly.Table.prototype.grow):
527
528 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
529
530         Disable SharedArrayBuffer tests missed in r226386.
531         https://bugs.webkit.org/show_bug.cgi?id=181266
532
533         Unreviewed test gardening.
534
535         * test262.yaml:
536
537 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
538
539         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
540         https://bugs.webkit.org/show_bug.cgi?id=181321
541
542         Reviewed by Saam Barati.
543
544         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
545         (shouldBe):
546         (testFunction):
547         * test262.yaml:
548
549 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
550
551         Unreviewed, attempt to fix test262 after r226386.
552
553         * test262.yaml:
554
555 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
556
557         [DFG] Define defs for MapSet/SetAdd to participate in CSE
558         https://bugs.webkit.org/show_bug.cgi?id=179911
559
560         Reviewed by Saam Barati.
561
562         In addition to these tests, map-set-cse.js and set-add-cse.js work.
563
564         * stress/map-set-change-get.js: Added.
565         (shouldBe):
566         (test):
567         * stress/map-set-create-bucket.js: Added.
568         (shouldBe):
569         (test):
570         * stress/set-add-create-bucket.js: Added.
571         (shouldBe):
572
573 2018-01-03  Michael Saboff  <msaboff@apple.com>
574
575         Disable SharedArrayBuffers from Web API
576         https://bugs.webkit.org/show_bug.cgi?id=181266
577
578         Reviewed by Saam Barati.
579
580         Disabled SharedArrayBuffer tests.
581
582         * stress/SharedArrayBuffer-opt.js:
583         * stress/SharedArrayBuffer.js:
584         * stress/array-buffer-byte-length.js:
585         * stress/atomics-add-uint32.js:
586         * stress/atomics-known-int-use.js:
587         * stress/atomics-neg-zero.js:
588         * stress/atomics-store-return.js:
589         * stress/lars-sab-workers.js:
590         * stress/regress-159779-1.js:
591         * stress/regress-159779-2.js:
592         * stress/regress-170473.js:
593         * test262.yaml:
594
595 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
596
597         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
598         https://bugs.webkit.org/show_bug.cgi?id=181258
599
600         Reviewed by Antonio Gomes.
601
602         * stress/big-int-constructor-gc.js:
603         * stress/big-int-constructor-oom.js:
604
605 2018-01-03  Robin Morisset  <rmorisset@apple.com>
606
607         Inlining of a function that ends in op_unreachable crashes
608         https://bugs.webkit.org/show_bug.cgi?id=181027
609
610         Reviewed by Filip Pizlo.
611
612         * stress/inlining-unreachable.js: Added.
613         (bar):
614         (baz):
615         (i.catch):
616
617 2018-01-02  Saam Barati  <sbarati@apple.com>
618
619         Incorrect assertion inside AccessCase
620         https://bugs.webkit.org/show_bug.cgi?id=181200
621         <rdar://problem/35494754>
622
623         Reviewed by Yusuke Suzuki.
624
625         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
626         (ctor):
627         (theFunc):
628         (run):
629
630 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
631
632         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
633         https://bugs.webkit.org/show_bug.cgi?id=175359
634
635         Reviewed by Yusuke Suzuki.
636
637         * bigIntTests.yaml:
638         * stress/big-int-as-key.js: Added.
639         * stress/big-int-constructor-gc.js: Added.
640         * stress/big-int-constructor-oom.js: Added.
641         * stress/big-int-constructor-properties.js: Added.
642         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
643         * stress/big-int-constructor-prototype.js: Added.
644         * stress/big-int-constructor.js: Added.
645         * stress/big-int-function-apply.js:
646         * stress/big-int-length.js: Added.
647         * stress/big-int-prop-descriptor.js: Added.
648         * stress/big-int-proto-constructor.js: Added.
649         * stress/big-int-proto-name.js: Added.
650         * stress/big-int-prototype-properties.js: Added.
651         * stress/big-int-prototype-proto.js: Added.
652         * stress/big-int-prototype-value-of.js: Added.
653         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
654         * stress/big-int-prototype-to-string-apply.js: Added.
655         * stress/big-int-to-object.js: Added.
656         * stress/big-int-to-string.js: Added.
657
658 2017-12-28  Saam Barati  <sbarati@apple.com>
659
660         Assertion used to determine if something is an async generator is wrong
661         https://bugs.webkit.org/show_bug.cgi?id=181168
662         <rdar://problem/35640560>
663
664         Reviewed by Yusuke Suzuki.
665
666         * stress/async-generator-assertion.js: Added.
667
668 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
669
670         Skip stress/splay-flash-access tests on memory limited platforms
671         https://bugs.webkit.org/show_bug.cgi?id=181086
672
673         Reviewed by Carlos Alberto Lopez Perez.
674
675         These tests use about 185M of memory, and occasionally get OOM-killed
676         on memory limited platforms.
677
678         * stress/splay-flash-access-1ms.js:
679         * stress/splay-flash-access.js:
680
681 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
682
683         Skip slow jsc tests on embedded platforms
684         https://bugs.webkit.org/show_bug.cgi?id=180937
685
686         Reviewed by Carlos Alberto Lopez Perez.
687
688         The tests typeProfiler/deltablue-for-of.js and
689         typeProfiler/getter-richards.js take a very long time in the
690         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
691         thus always timeout. They should be skipped on these platforms.
692
693         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
694         * typeProfiler/getter-richards.js: Skip on arm*/mips.
695
696 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
697
698         [JSC] Do not check isValid() in op_new_regexp
699         https://bugs.webkit.org/show_bug.cgi?id=180970
700
701         Reviewed by Saam Barati.
702
703         * stress/regexp-syntax-error-invalid-flags.js: Added.
704         (shouldThrow):
705
706 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
707
708         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
709         https://bugs.webkit.org/show_bug.cgi?id=180712
710
711         Reviewed by Michael Catanzaro.
712
713         stress/call-apply-exponential-bytecode-size.js crashes if the
714         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
715         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
716         should skip the test on other platforms.
717
718         * stress/call-apply-exponential-bytecode-size.js:
719
720 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
721
722         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
723         https://bugs.webkit.org/show_bug.cgi?id=179762
724
725         Reviewed by Saam Barati.
726
727         * stress/call-varargs-double-new-array-buffer.js: Added.
728         (assert):
729         (bar):
730         (foo):
731         * stress/call-varargs-spread-new-array-buffer.js: Added.
732         (assert):
733         (bar):
734         (foo):
735         * stress/call-varargs-spread-new-array-buffer2.js: Added.
736         (assert):
737         (bar):
738         (foo):
739         * stress/forward-varargs-double-new-array-buffer.js: Added.
740         (assert):
741         (test.baz):
742         (test.bar):
743         (test.foo):
744         (test):
745         * stress/new-array-buffer-sinking-osrexit.js: Added.
746         (target):
747         (test):
748         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
749         (shouldBe):
750         (test):
751         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
752         (shouldBe):
753         (target):
754         (test):
755         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
756         (assert):
757         (test1.bar):
758         (test1.foo):
759         (test1):
760         (test2.bar):
761         (test2.foo):
762         (test3.baz):
763         (test3.bar):
764         (test3.foo):
765         (test4.baz):
766         (test4.bar):
767         (test4.foo):
768         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
769         (assert):
770         (test.baz):
771         (test.bar):
772         (test.foo):
773         (test):
774         * stress/phantom-new-array-buffer-osr-exit.js: Added.
775         (assert):
776         (baz):
777         (bar):
778         (effects):
779         (foo):
780
781 2017-12-14  Saam Barati  <sbarati@apple.com>
782
783         The CleanUp after LICM is erroneously removing a Check
784         https://bugs.webkit.org/show_bug.cgi?id=180852
785         <rdar://problem/36063494>
786
787         Reviewed by Filip Pizlo.
788
789         * stress/dont-run-cleanup-after-licm.js: Added.
790
791 2017-12-14  Michael Saboff  <msaboff@apple.com>
792
793         REGRESSION (r225695): Repro crash on yahoo login page
794         https://bugs.webkit.org/show_bug.cgi?id=180761
795
796         Reviewed by JF Bastien.
797
798         New regression test.
799
800         * stress/regress-180761.js: Added.
801
802 2017-12-13  Keith Miller  <keith_miller@apple.com>
803
804         JSObjects should have a mask for loading indexed properties
805         https://bugs.webkit.org/show_bug.cgi?id=180768
806
807         Reviewed by Mark Lam.
808
809         * stress/int16-put-by-val-in-and-out-of-bounds.js:
810         (test):
811
812 2017-12-13  Saam Barati  <sbarati@apple.com>
813
814         Arrow functions need their own structure because they have different properties than sloppy functions
815         https://bugs.webkit.org/show_bug.cgi?id=180779
816         <rdar://problem/35814591>
817
818         Reviewed by Mark Lam.
819
820         * stress/arrow-function-needs-its-own-structure.js: Added.
821         (assert):
822         (readPrototype):
823         (noInline.let.f1):
824         (noInline):
825
826 2017-12-13  Saam Barati  <sbarati@apple.com>
827
828         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
829         https://bugs.webkit.org/show_bug.cgi?id=163579
830         <rdar://problem/35455798>
831
832         Reviewed by Mark Lam.
833
834         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
835         (assert):
836         (test1):
837         (i.test1):
838         (i.test1.C):
839         (i.test1.async.foo):
840         (i.test1.foo):
841         (test2):
842
843 2017-12-13  Saam Barati  <sbarati@apple.com>
844
845         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
846         https://bugs.webkit.org/show_bug.cgi?id=180734
847         <rdar://problem/35640547>
848
849         Reviewed by Yusuke Suzuki.
850
851         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
852         (__isPropertyOfType):
853         (__getProperties):
854         (__getObjects):
855         (__getRandomObject):
856         (theClass.):
857         (theClass):
858         (childClass):
859         (counter.catch):
860
861 2017-12-12  Saam Barati  <sbarati@apple.com>
862
863         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
864         https://bugs.webkit.org/show_bug.cgi?id=180725
865         <rdar://problem/35970511>
866
867         Reviewed by Michael Saboff.
868
869         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
870         (f1):
871         (f2):
872         (let.o2.valueOf):
873
874 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
875
876         [JSC] Implement optimized WeakMap and WeakSet
877         https://bugs.webkit.org/show_bug.cgi?id=179929
878
879         Reviewed by Saam Barati.
880
881         * microbenchmarks/weak-map-key.js:
882         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
883         (assert):
884         (objectKey):
885         (let.start.Date.now):
886         * stress/basic-weakmap.js: Added.
887         (shouldBe):
888         (test):
889         * stress/basic-weakset.js: Added.
890         (shouldBe):
891         (test.set new):
892         * stress/weakmap-cse-set-break.js: Added.
893         (shouldBe):
894         (test):
895         * stress/weakmap-cse.js: Added.
896         (shouldBe):
897         (test):
898         * stress/weakmap-gc.js: Added.
899         (test):
900         * stress/weakset-cse-add-break.js: Added.
901         (shouldBe):
902         (test.set new):
903         * stress/weakset-cse.js: Added.
904         (shouldBe):
905         (test.set new):
906         * stress/weakset-gc.js: Added.
907         (test.set add):
908         (test.set new):
909         (test):
910
911 2017-12-12  Saam Barati  <sbarati@apple.com>
912
913         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
914         https://bugs.webkit.org/show_bug.cgi?id=180723
915         <rdar://problem/35859726>
916
917         Reviewed by JF Bastien.
918
919         * stress/get-my-argument-by-val-constant-folding.js: Added.
920         (test):
921         (catch):
922
923 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
924
925         [ESNext][BigInt] Implement BigInt literals and JSBigInt
926         https://bugs.webkit.org/show_bug.cgi?id=179000
927
928         Reviewed by Darin Adler and Yusuke Suzuki.
929
930         * bigIntTests.yaml: Added.
931         * stress/big-int-literal-line-terminator.js: Added.
932         * stress/big-int-literals.js: Added.
933         * stress/big-int-operations-error.js: Added.
934         * stress/big-int-type-of.js: Added.
935         * stress/big-int-white-space-trailing-leading.js: Added.
936         * stress/big-int-function-apply.js: Added.
937
938 2017-12-11  Saam Barati  <sbarati@apple.com>
939
940         We need to disableCaching() in ErrorInstance when we materialize properties
941         https://bugs.webkit.org/show_bug.cgi?id=180343
942         <rdar://problem/35833002>
943
944         Reviewed by Mark Lam.
945
946         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
947         (assert):
948         (makeError):
949         (storeToStack):
950         (storeToStackAlreadyMaterialized):
951
952 2017-12-05  JF Bastien  <jfbastien@apple.com>
953
954         WebAssembly: don't eagerly checksum
955         https://bugs.webkit.org/show_bug.cgi?id=180441
956         <rdar://problem/35156628>
957
958         Reviewed by Saam Barati.
959
960         Checksum is now disabled, so tests only have <?> as the module
961         name.
962
963         * wasm/function-tests/nameSection.js:
964         * wasm/function-tests/stack-overflow.js:
965         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
966         (assertOverflows.assertThrows):
967         (assertOverflows):
968         * wasm/function-tests/stack-trace.js:
969
970 2017-12-04  JF Bastien  <jfbastien@apple.com>
971
972         Proxy all functions, except the $ objects
973         https://bugs.webkit.org/show_bug.cgi?id=180375
974
975         Reviewed by Saam Barati.
976
977         It looks like this test may have broken some executions because I
978         call some internal objects. Explicitly ignore objects whose name
979         starts with "$" because it's a bad idea anyways.
980
981         * stress/proxy-all-the-parameters.js:
982         (generateObjects):
983         (get throw):
984
985 2017-12-04  Saam Barati  <sbarati@apple.com>
986
987         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
988         https://bugs.webkit.org/show_bug.cgi?id=180366
989         <rdar://problem/35685877>
990
991         Reviewed by Michael Saboff.
992
993         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
994         (theParent):
995         (test1.base.getParentStaticValue):
996         (test1.base):
997         (test1.__v_24888.prototype.set prop):
998         (test1.__v_24888):
999         (test2.base.getParentStaticValue):
1000         (test2.base):
1001         (test2.__v_24888.prototype.set prop):
1002         (test2.__v_24888):
1003         (test2):
1004
1005 2017-12-01  JF Bastien  <jfbastien@apple.com>
1006
1007         Try proxying all function arguments
1008         https://bugs.webkit.org/show_bug.cgi?id=180306
1009
1010         Reviewed by Saam Barati.
1011
1012         * stress/proxy-all-the-parameters.js: Added.
1013         (isPropertyOfType):
1014         (getProperties):
1015         (generateObjects):
1016         (getObjects):
1017         (getFunctions):
1018         (get throw):
1019         (let.o.of.getObjects.let.f.of.getFunctions.catch):
1020
1021 2017-12-01  JF Bastien  <jfbastien@apple.com>
1022
1023         JavaScriptCore: missing exception checks in Math functions that take more than one argument
1024         https://bugs.webkit.org/show_bug.cgi?id=180297
1025         <rdar://problem/35745556>
1026
1027         Reviewed by Mark Lam.
1028
1029         * stress/math-exceptions.js: Added.
1030         (get try):
1031         (catch):
1032
1033 2017-12-01  JF Bastien  <jfbastien@apple.com>
1034
1035         JavaScriptCore: add test for weird class static getters
1036         https://bugs.webkit.org/show_bug.cgi?id=180281
1037         <rdar://problem/35592139>
1038
1039         Reviewed by Mark Lam.
1040
1041         I fixed a bug for it in r224927 and didn't add a test. Do so.
1042
1043         * stress/class-static-get-weird.js: Added.
1044         (c.prototype.get name):
1045         (c):
1046         (c.prototype.get arguments):
1047         (c.prototype.get caller):
1048         (c.prototype.get length):
1049
1050 2017-12-01  Saam Barati  <sbarati@apple.com>
1051
1052         Having a bad time needs to handle ArrayClass indexing type as well
1053         https://bugs.webkit.org/show_bug.cgi?id=180274
1054         <rdar://problem/35667869>
1055
1056         Reviewed by Keith Miller and Mark Lam.
1057
1058         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
1059         (assert):
1060         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
1061         (assert):
1062
1063 2017-12-01  JF Bastien  <jfbastien@apple.com>
1064
1065         WebAssembly: restore cached stack limit after out-call
1066         https://bugs.webkit.org/show_bug.cgi?id=179106
1067         <rdar://problem/35337525>
1068
1069         Reviewed by Saam Barati.
1070
1071         * wasm/function-tests/double-instance.js: Added.
1072         (const.imp.boom):
1073         (const.imp.get callAnother):
1074
1075 2017-11-30  JF Bastien  <jfbastien@apple.com>
1076
1077         WebAssembly: improve stack trace
1078         https://bugs.webkit.org/show_bug.cgi?id=179343
1079
1080         Reviewed by Saam Barati.
1081
1082         Update the tests to follow the new format. Notably, SHA1 module
1083         hash is now included in traces, and stubs are properly identified.
1084
1085         * wasm/assert.js: Add an assertion which matches regular expressions.
1086         * wasm/function-tests/nameSection.js:
1087         * wasm/function-tests/stack-overflow.js:
1088         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1089         (assertOverflows.assertThrows.wasm.1):
1090         (assertOverflows.assertThrows.wasm.0):
1091         (assertOverflows.assertThrows):
1092         (assertOverflows):
1093         * wasm/function-tests/stack-trace.js:
1094         (import.Builder.from.string_appeared_here.assert): Deleted.
1095         * wasm/function-tests/trap-after-cross-instance-call.js:
1096         (wasmFrameCountFromError):
1097         * wasm/function-tests/trap-load-2.js:
1098         (wasmFrameCountFromError):
1099         * wasm/function-tests/trap-load.js:
1100         (wasmFrameCountFromError):
1101
1102 2017-11-30  Mark Lam  <mark.lam@apple.com>
1103
1104         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1105         https://bugs.webkit.org/show_bug.cgi?id=180219
1106         <rdar://problem/35696536>
1107
1108         Reviewed by Filip Pizlo.
1109
1110         * stress/regress-180219.js: Added.
1111
1112 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1113
1114         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1115         https://bugs.webkit.org/show_bug.cgi?id=180190
1116
1117         Reviewed by Mark Lam.
1118
1119         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
1120         (shouldBe):
1121         (test1):
1122         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
1123         (shouldBe):
1124         (test1):
1125         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
1126         (shouldBe):
1127         (test1):
1128         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
1129         (shouldBe):
1130         (test1):
1131         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
1132         (shouldBe):
1133         (test1):
1134         * stress/operation-in-may-have-negative-int32.js: Added.
1135         (shouldBe):
1136         (test2):
1137         * stress/operation-in-negative-int32-cast.js: Added.
1138         (shouldBe):
1139         (test1):
1140
1141 2017-11-28  JF Bastien  <jfbastien@apple.com>
1142
1143         Strict and sloppy functions shouldn't share structure
1144         https://bugs.webkit.org/show_bug.cgi?id=180103
1145         <rdar://problem/35667847>
1146
1147         Reviewed by Saam Barati.
1148
1149         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
1150         because the IC was wrong.
1151         (foo):
1152         (bar):
1153         (baz):
1154         (catch):
1155         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
1156         in this patch, but may as well test odd strict mode corner cases.
1157         (bar):
1158         (baz):
1159         (catch):
1160         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
1161         (foo):
1162         (bar):
1163         (baz):
1164         (catch):
1165         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
1166         next file, but with invalidation of the FunctionExecutable's
1167         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
1168         slower path.
1169         (foo):
1170         (bar.const.x):
1171         (bar.const.y):
1172         (bar):
1173         (catch):
1174         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
1175         strict nesting works correctly.
1176         (foo):
1177         (bar.baz):
1178         (bar):
1179         * stress/strict-function-structure.js: Added. The test used to
1180         assert in objectProtoFuncHasOwnProperty.
1181         (foo):
1182         (bar):
1183         (baz):
1184         * stress/strict-nested-function-structure.js: Added. Nesting.
1185         (foo):
1186         (bar):
1187         (baz.boo):
1188         (baz):
1189
1190 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1191
1192         The recursive tail call optimisation is wrong on closures
1193         https://bugs.webkit.org/show_bug.cgi?id=179835
1194
1195         Reviewed by Saam Barati.
1196
1197         * stress/closure-recursive-tail-call.js: Added.
1198         (makeClosure):
1199
1200 2017-11-27  JF Bastien  <jfbastien@apple.com>
1201
1202         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1203         https://bugs.webkit.org/show_bug.cgi?id=180051
1204         <rdar://problem/35614371>
1205
1206         Reviewed by Saam Barati.
1207
1208         * stress/rest-parameter-negative.js: Added.
1209         (__f_5484):
1210         (catch):
1211         (__f_5485):
1212         (__v_22598.catch):
1213
1214 2017-11-27  Saam Barati  <sbarati@apple.com>
1215
1216         Spread can escape when CreateRest does not
1217         https://bugs.webkit.org/show_bug.cgi?id=180057
1218         <rdar://problem/35676119>
1219
1220         Reviewed by JF Bastien.
1221
1222         * stress/spread-escapes-but-create-rest-does-not.js: Added.
1223         (assert):
1224         (getProperties):
1225         (theFunc):
1226         (let.obj.valueOf):
1227
1228 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1229
1230         [DFG] Add NormalizeMapKey DFG IR
1231         https://bugs.webkit.org/show_bug.cgi?id=179912
1232
1233         Reviewed by Saam Barati.
1234
1235         * stress/map-untyped-normalize-cse.js: Added.
1236         (shouldBe):
1237         (test):
1238         * stress/map-untyped-normalize.js: Added.
1239         (shouldBe):
1240         (test):
1241         * stress/set-untyped-normalize-cse.js: Added.
1242         (shouldBe):
1243         (set return.set has.set has):
1244         * stress/set-untyped-normalize.js: Added.
1245         (shouldBe):
1246         (set return.set has):
1247
1248 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [FTL] Support DeleteById and DeleteByVal
1251         https://bugs.webkit.org/show_bug.cgi?id=180022
1252
1253         Reviewed by Saam Barati.
1254
1255         * stress/delete-by-id.js: Added.
1256         (shouldBe):
1257         (test1):
1258         (test2):
1259         * stress/delete-by-val-ftl.js: Added.
1260         (shouldBe):
1261         (test1):
1262         (test2):
1263
1264 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1265
1266         [DFG] Introduce {Set,Map,WeakMap}Fields
1267         https://bugs.webkit.org/show_bug.cgi?id=179925
1268
1269         Reviewed by Saam Barati.
1270
1271         * stress/map-set-clobber-map-get.js: Added.
1272         (shouldBe):
1273         (test):
1274         * stress/map-set-does-not-clobber-set-has.js: Added.
1275         (shouldBe):
1276         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
1277         (shouldBe):
1278         (test):
1279         * stress/set-add-clobber-set-has.js: Added.
1280         (shouldBe):
1281         * stress/set-add-does-not-clobber-map-get.js: Added.
1282         (shouldBe):
1283
1284 2017-11-24  Mark Lam  <mark.lam@apple.com>
1285
1286         Move unsafe jsc shell test functions to the $vm object.
1287         https://bugs.webkit.org/show_bug.cgi?id=179980
1288
1289         Reviewed by Yusuke Suzuki.
1290
1291         * controlFlowProfiler/driver/driver.js:
1292         * controlFlowProfiler/execution-count.js:
1293         * controlFlowProfiler/if-statement.js:
1294         * controlFlowProfiler/loop-statements.js:
1295         * controlFlowProfiler/switch-statements.js:
1296         * controlFlowProfiler/test-jit.js:
1297         * exceptionFuzz/3d-cube.js:
1298         * exceptionFuzz/date-format-xparb.js:
1299         * exceptionFuzz/earley-boyer.js:
1300         * heapProfiler/basic-edges.js:
1301         * heapProfiler/property-edge-types.js:
1302         * microbenchmarks/try-get-by-id-basic.js:
1303         * microbenchmarks/try-get-by-id-polymorphic.js:
1304         * modules/namespace-object-try-get.js:
1305         * stress/argument-count-bytecode.js:
1306         * stress/argument-intrinsic-basic.js:
1307         * stress/argument-intrinsic-inlining-use-caller-arg.js:
1308         * stress/argument-intrinsic-inlining-with-result-escape.js:
1309         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
1310         * stress/argument-intrinsic-inlining-with-vararg.js:
1311         * stress/argument-intrinsic-nested-inlining.js:
1312         * stress/argument-intrinsic-not-convert-to-get-argument.js:
1313         * stress/argument-intrinsic-with-stack-write.js:
1314         * stress/arity-mismatch-get-argument.js:
1315         * stress/array-message-passing.js:
1316         * stress/array-push-with-force-exit.js:
1317         * stress/check-dom-with-signature.js:
1318         * stress/check-sub-class.js:
1319         * stress/compare-eq-incomplete-profile.js:
1320         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
1321         * stress/do-eval-virtual-call-correctly.js:
1322         * stress/dom-jit-with-poly-proto.js:
1323         * stress/domjit-exception-ic.js:
1324         * stress/domjit-exception.js:
1325         * stress/domjit-getter-complex-with-incorrect-object.js:
1326         * stress/domjit-getter-complex.js:
1327         * stress/domjit-getter-poly.js:
1328         * stress/domjit-getter-proto.js:
1329         * stress/domjit-getter-super-poly.js:
1330         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
1331         * stress/domjit-getter-type-check.js:
1332         * stress/domjit-getter.js:
1333         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
1334         * stress/for-in-proxy-target-changed-structure.js:
1335         * stress/for-in-proxy.js:
1336         * stress/generational-opaque-roots.js:
1337         * stress/global-const-redeclaration-setting-2.js:
1338         * stress/global-const-redeclaration-setting-3.js:
1339         * stress/global-const-redeclaration-setting-4.js:
1340         * stress/global-const-redeclaration-setting-5.js:
1341         * stress/global-const-redeclaration-setting.js:
1342         * stress/import-basic.js:
1343         * stress/import-from-eval.js:
1344         * stress/import-reject-with-exception.js:
1345         * stress/import-syntax.js:
1346         * stress/impure-get-own-property-slot-inline-cache.js:
1347         * stress/is-constructor.js:
1348         * stress/istypedarrayview-intrinsic.js:
1349         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
1350         * stress/jsc-test-functions-should-be-more-robust.js:
1351         * stress/object-toString-with-proxy.js:
1352         * stress/poly-proto-custom-value-and-accessor.js:
1353         * stress/proxy-inline-cache.js:
1354         * stress/re-execute-error-module.js:
1355         * stress/regress-150532.js:
1356         * stress/regress-156992.js:
1357         * stress/regress-179619.js:
1358         * stress/resources/shadow-chicken-support.js:
1359         * stress/runtime-array.js:
1360         * stress/sampling-profiler-microtasks.js:
1361         * stress/shadow-chicken-enabled.js:
1362         * stress/spread-correct-global-object-on-exception.js:
1363         * stress/super-get-by-id.js:
1364         * stress/tailCallForwardArguments.js:
1365         * stress/to-object-intrinsic-boolean-edge.js:
1366         * stress/to-object-intrinsic-null-or-undefined-edge.js:
1367         * stress/to-object-intrinsic-number-edge.js:
1368         * stress/to-object-intrinsic-object-edge.js:
1369         * stress/to-object-intrinsic-string-edge.js:
1370         * stress/to-object-intrinsic-symbol-edge.js:
1371         * stress/to-object-intrinsic.js:
1372         * stress/try-catch-custom-getter-as-get-by-id.js:
1373         * stress/try-get-by-id-poly-proto.js:
1374         * stress/try-get-by-id-should-spill-registers-dfg.js:
1375         * stress/try-get-by-id.js:
1376         * typeProfiler/arrow-functions.js:
1377         * typeProfiler/basic.js:
1378         * typeProfiler/captured.js:
1379         * typeProfiler/classes.js:
1380         * typeProfiler/dfg-jit-optimizations.js:
1381         * typeProfiler/dictionary-mode.js:
1382         * typeProfiler/es6-block-scoping.js:
1383         * typeProfiler/es6-classes.js:
1384         * typeProfiler/inheritance.js:
1385         * typeProfiler/int52-dfg.js:
1386         * typeProfiler/loop.js:
1387         * typeProfiler/optional-fields.js:
1388         * typeProfiler/overflow.js:
1389         * typeProfiler/return.js:
1390         * typeProfiler/symbol.js:
1391         * typeProfiler/weird-prototype-chain.js:
1392
1393 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1394
1395         [DFG][FTL] Support MapSet / SetAdd intrinsics
1396         https://bugs.webkit.org/show_bug.cgi?id=179858
1397
1398         Reviewed by Saam Barati.
1399
1400         * microbenchmarks/map-has-and-set.js: Added.
1401         (test):
1402         * stress/map-set-check-failure.js: Added.
1403         (shouldBe):
1404         (shouldThrow):
1405         (target):
1406         * stress/map-set-cse.js: Added.
1407         (shouldBe):
1408         (test):
1409         * stress/set-add-check-failure.js: Added.
1410         (shouldBe):
1411         (shouldThrow):
1412         (set shouldThrow):
1413         * stress/set-add-cse.js: Added.
1414         (shouldBe):
1415
1416 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1417
1418         [JSC] Allow poly proto for intrinsic getters
1419         https://bugs.webkit.org/show_bug.cgi?id=179550
1420
1421         Reviewed by Saam Barati.
1422
1423         This change is also tested by existing tests.
1424
1425             1. stress/intrinsic-getter-with-poly-proto.js
1426             2. stress/poly-proto-intrinsic-getter-correctness.js
1427
1428         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
1429         (shouldBe):
1430         (makePolyProtoObject.foo.C):
1431         (makePolyProtoObject.foo):
1432         (makePolyProtoObject):
1433         (target):
1434         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
1435         (shouldBe):
1436         (makePolyProtoObject.foo.C):
1437         (makePolyProtoObject.foo):
1438         (makePolyProtoObject):
1439         (target):
1440
1441 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
1442
1443         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
1444         https://bugs.webkit.org/show_bug.cgi?id=179744
1445
1446         Reviewed by Michael Catanzaro.
1447
1448         This test uses too much memory for our buildbots on these platforms
1449         and gets OOM-killed.
1450
1451         * stress/unshiftCountSlowCase-correct-postCapacity.js:
1452         Skip if $memoryLimited and linux.
1453
1454 2017-11-17  JF Bastien  <jfbastien@apple.com>
1455
1456         WebAssembly JS API: throw when a promise can't be created
1457         https://bugs.webkit.org/show_bug.cgi?id=179826
1458         <rdar://problem/35455813>
1459
1460         Reviewed by Mark Lam.
1461
1462         Test WebAssembly.{compile,instantiate} where promise creation
1463         fails because of a stack overflow.
1464
1465         * wasm/js-api/promise-stack-overflow.js: Added.
1466         (const.runNearStackLimit.f.const.t):
1467         (async.testCompile):
1468         (async.testInstantiate):
1469
1470 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1471
1472         Unreviewed, mark regress-178385.js as memory exhausting
1473
1474         * stress/regress-178385.js:
1475
1476 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
1477
1478         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
1479
1480         Unreviewed test gardening.
1481
1482         * test262.yaml:
1483
1484 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1485
1486         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1487         https://bugs.webkit.org/show_bug.cgi?id=179763
1488         <rdar://problem/35550513>
1489
1490         Reviewed by Keith Miller.
1491
1492         Just adding a slightly cleaned-up version of the original fuzzer-found test.
1493
1494         * stress/tdz-this-in-try-catch.js: Added.
1495         (__v_6388):
1496         (__v_6392):
1497
1498 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1499
1500         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1501         https://bugs.webkit.org/show_bug.cgi?id=179594
1502
1503         Reviewed by Saam Barati.
1504
1505         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
1506         (shouldBe):
1507         (args):
1508         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
1509         (shouldBe):
1510         (args):
1511
1512 2017-11-14  Saam Barati  <sbarati@apple.com>
1513
1514         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1515         https://bugs.webkit.org/show_bug.cgi?id=179639
1516         <rdar://problem/35513018>
1517
1518         Reviewed by JF Bastien.
1519
1520         * wasm/function-tests/grow-memory-cause-gc.js: Added.
1521         (escape):
1522         (i.func):
1523
1524 2017-11-13  Mark Lam  <mark.lam@apple.com>
1525
1526         Add more overflow check book-keeping for MarkedArgumentBuffer.
1527         https://bugs.webkit.org/show_bug.cgi?id=179634
1528         <rdar://problem/35492517>
1529
1530         Reviewed by Saam Barati.
1531
1532         * stress/regress-179634.js: Added.
1533
1534 2017-11-13  Mark Lam  <mark.lam@apple.com>
1535
1536         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1537         https://bugs.webkit.org/show_bug.cgi?id=179619
1538         <rdar://problem/35492518>
1539
1540         Reviewed by Saam Barati.
1541
1542         * stress/regress-179619.js: Added.
1543
1544 2017-11-12  Mark Lam  <mark.lam@apple.com>
1545
1546         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1547         https://bugs.webkit.org/show_bug.cgi?id=179562
1548         <rdar://problem/35467022>
1549
1550         Reviewed by Saam Barati.
1551
1552         * regress-179562.js: Added.
1553
1554 2017-11-08  Saam Barati  <sbarati@apple.com>
1555
1556         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1557         https://bugs.webkit.org/show_bug.cgi?id=177792
1558
1559         Reviewed by Yusuke Suzuki.
1560
1561         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
1562         (assert):
1563         (foo.Foo.prototype.ensureX):
1564         (foo.Foo):
1565         (foo):
1566         (access):
1567
1568 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
1569
1570         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1571         https://bugs.webkit.org/show_bug.cgi?id=178592
1572
1573         Unreviewed test gardening.
1574
1575         * test262.yaml:
1576
1577 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1578
1579         Turn recursive tail calls into loops
1580         https://bugs.webkit.org/show_bug.cgi?id=176601
1581
1582         Reviewed by Saam Barati.
1583
1584         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1585
1586         Add some simple test that computes factorial in several ways, and other trivial computations.
1587         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1588         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1589         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1590         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1591
1592         * stress/inline-call-to-recursive-tail-call.js: Added.
1593         (factorial.aux):
1594         (factorial):
1595         (factorial2.aux2):
1596         (factorial2.id):
1597         (factorial2):
1598         (factorial3.aux3):
1599         (factorial3):
1600         (aux4):
1601         (factorial4):
1602         (foo):
1603         (auxBar):
1604         (bar):
1605         (test):
1606
1607 2017-11-07  Mark Lam  <mark.lam@apple.com>
1608
1609         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1610         https://bugs.webkit.org/show_bug.cgi?id=179355
1611         <rdar://problem/35263053>
1612
1613         Reviewed by Saam Barati.
1614
1615         * stress/regress-179355.js: Added.
1616
1617 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1618
1619         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1620         https://bugs.webkit.org/show_bug.cgi?id=144458
1621
1622         Reviewed by Saam Barati.
1623
1624         * microbenchmarks/dfg-internal-function-call.js: Added.
1625         (target):
1626         * microbenchmarks/dfg-internal-function-construct.js: Added.
1627         (target):
1628         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
1629         (target):
1630         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
1631         (target):
1632         * stress/dfg-internal-function-call.js: Added.
1633         (shouldBe):
1634         (target):
1635         * stress/dfg-internal-function-construct.js: Added.
1636         (shouldBe):
1637         (target):
1638         * stress/internal-function-call.js: Added.
1639         (shouldBe):
1640         * stress/internal-function-construct.js: Added.
1641         (shouldBe):
1642
1643 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
1644
1645         [Win] Skip stress/regress-178385.js.
1646         https://bugs.webkit.org/show_bug.cgi?id=179298
1647
1648         Unreviewed test gardening.
1649
1650         * stress/regress-178385.js:
1651
1652 2017-11-03  Keith Miller  <keith_miller@apple.com>
1653
1654         Add test for ic with side effects
1655         https://bugs.webkit.org/show_bug.cgi?id=179268
1656
1657         Reviewed by Saam Barati.
1658
1659         * stress/put-inline-cache-side-effects.js: Added.
1660         (let.i.of.objs.keys):
1661         (f):
1662
1663 2017-11-03  Mark Lam  <mark.lam@apple.com>
1664
1665         CachedCall (and its clients) needs overflow checks.
1666         https://bugs.webkit.org/show_bug.cgi?id=179185
1667
1668         Reviewed by JF Bastien.
1669
1670         * stress/regress-179185.js: Added.
1671
1672 2017-11-02  Michael Saboff  <msaboff@apple.com>
1673
1674         DFG needs to handle code motion of code in for..in loop bodies
1675         https://bugs.webkit.org/show_bug.cgi?id=179212
1676
1677         Reviewed by Keith Miller.
1678
1679         New regression test.
1680
1681         * stress/for-in-side-effects.js: Added.
1682         (getPrototypeOf):
1683         (reset):
1684         (testWithoutFTL.f):
1685         (testWithoutFTL):
1686         (testWithFTL.f):
1687         (testWithFTL):
1688
1689 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1690
1691         AI does not correctly model the clobber case of ArithClz32
1692         https://bugs.webkit.org/show_bug.cgi?id=179188
1693
1694         Reviewed by Michael Saboff.
1695
1696         * stress/arith-clz32-effects.js: Added.
1697         (foo):
1698         (valueOf):
1699
1700 2017-11-01  Michael Saboff  <msaboff@apple.com>
1701
1702         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1703         https://bugs.webkit.org/show_bug.cgi?id=179140
1704
1705         Reviewed by Saam Barati.
1706
1707         New regression test.
1708
1709         * stress/regress-179140.js: Added.
1710         (testWithoutFTL):
1711         (testWithFTL):
1712
1713 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1714
1715         [JSC] Introduce @toObject
1716         https://bugs.webkit.org/show_bug.cgi?id=178726
1717
1718         Reviewed by Saam Barati.
1719
1720         * stress/array-copywithin.js:
1721         (shouldThrow):
1722         * stress/object-constructor-boolean-edge.js: Added.
1723         (shouldBe):
1724         (test):
1725         * stress/object-constructor-global.js: Added.
1726         (shouldBe):
1727         * stress/object-constructor-null-edge.js: Added.
1728         (shouldBe):
1729         (test):
1730         * stress/object-constructor-number-edge.js: Added.
1731         (shouldBe):
1732         (test):
1733         * stress/object-constructor-object-edge.js: Added.
1734         (shouldBe):
1735         (test):
1736         (i.arg):
1737         * stress/object-constructor-string-edge.js: Added.
1738         (shouldBe):
1739         (test):
1740         * stress/object-constructor-symbol-edge.js: Added.
1741         (shouldBe):
1742         (test):
1743         * stress/object-constructor-undefined-edge.js: Added.
1744         (shouldBe):
1745         (test):
1746         * stress/symbol-array-from.js: Added.
1747         (shouldBe):
1748         * stress/to-object-intrinsic-boolean-edge.js: Added.
1749         (shouldBe):
1750         (builtin.createBuiltin):
1751         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
1752         (shouldThrow):
1753         * stress/to-object-intrinsic-number-edge.js: Added.
1754         (shouldBe):
1755         (builtin.createBuiltin):
1756         * stress/to-object-intrinsic-object-edge.js: Added.
1757         (shouldBe):
1758         (builtin.createBuiltin):
1759         (i.arg):
1760         * stress/to-object-intrinsic-string-edge.js: Added.
1761         (shouldBe):
1762         (builtin.createBuiltin):
1763         * stress/to-object-intrinsic-symbol-edge.js: Added.
1764         (shouldBe):
1765         (builtin.createBuiltin):
1766         * stress/to-object-intrinsic.js: Added.
1767         (shouldBe):
1768         (shouldThrow):
1769         (builtin.createBuiltin):
1770
1771 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1772
1773         [DFG][FTL] Introduce StringSlice
1774         https://bugs.webkit.org/show_bug.cgi?id=178934
1775
1776         Reviewed by Saam Barati.
1777
1778         * microbenchmarks/string-slice-empty.js: Added.
1779         (slice):
1780         * microbenchmarks/string-slice-one-char.js: Added.
1781         (slice):
1782         * microbenchmarks/string-slice.js: Added.
1783         (slice):
1784
1785 2017-10-26  Michael Saboff  <msaboff@apple.com>
1786
1787         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1788         https://bugs.webkit.org/show_bug.cgi?id=178890
1789
1790         Reviewed by Keith Miller.
1791
1792         New regression test.
1793
1794         * stress/regress-178890.js: Added.
1795
1796 2017-10-26  Mark Lam  <mark.lam@apple.com>
1797
1798         JSRopeString::RopeBuilder::append() should check for overflows.
1799         https://bugs.webkit.org/show_bug.cgi?id=178385
1800         <rdar://problem/35027468>
1801
1802         Reviewed by Saam Barati.
1803
1804         * stress/regress-178385.js: Added.
1805
1806 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
1807
1808         Unreviewed, rolling out r223961.
1809
1810         The change that required this has been rolled out.
1811
1812         Reverted changeset:
1813
1814         "Mark test262.yaml/test262/test/language/statements/try/tco-
1815         catch.js as passing."
1816         https://bugs.webkit.org/show_bug.cgi?id=178592
1817         https://trac.webkit.org/changeset/223961
1818
1819 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1820
1821         Unreviewed, rolling out r223691 and r223729.
1822         https://bugs.webkit.org/show_bug.cgi?id=178834
1823
1824         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1825         by rniwa on #webkit).
1826
1827         Reverted changesets:
1828
1829         "Turn recursive tail calls into loops"
1830         https://bugs.webkit.org/show_bug.cgi?id=176601
1831         https://trac.webkit.org/changeset/223691
1832
1833         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1834         comparison is always false due to limited range of data type
1835         [-Wtype-limits]"
1836         https://bugs.webkit.org/show_bug.cgi?id=178543
1837         https://trac.webkit.org/changeset/223729
1838
1839 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
1840
1841         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
1842         https://bugs.webkit.org/show_bug.cgi?id=178592
1843
1844         Unreviewed test gardening.
1845
1846         * test262.yaml:
1847
1848 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1849
1850         [FTL] Support NewStringObject
1851         https://bugs.webkit.org/show_bug.cgi?id=178737
1852
1853         Reviewed by Saam Barati.
1854
1855         * stress/new-string-object.js: Added.
1856         (shouldBe):
1857         (test):
1858
1859 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1860
1861         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
1862         https://bugs.webkit.org/show_bug.cgi?id=178308
1863
1864         Reviewed by Mark Lam.
1865
1866         * test262.yaml:
1867
1868 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1869
1870         [JSC] Use fastJoin in Array#toString
1871         https://bugs.webkit.org/show_bug.cgi?id=178062
1872
1873         Reviewed by Darin Adler.
1874
1875         * microbenchmarks/contiguous-array-to-string.js: Added.
1876         (target):
1877         * microbenchmarks/double-array-to-string.js: Added.
1878         (target):
1879         * microbenchmarks/int32-array-to-string.js: Added.
1880         (target):
1881
1882 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
1883
1884         stress/check-string-ident.js is improperly skipped
1885         https://bugs.webkit.org/show_bug.cgi?id=178642
1886
1887         Reviewed by Saam Barati.
1888
1889         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
1890         since it enforces the run-jsc-stress-tests script to still set up the
1891         test to run, despite the skip directive that's used before.
1892
1893 2017-10-20  Mark Lam  <mark.lam@apple.com>
1894
1895         Add a test case for r214334.
1896         https://bugs.webkit.org/show_bug.cgi?id=169941
1897         <rdar://problem/31221258>
1898
1899         Reviewed by JF Bastien.
1900
1901         * stress/regress-169941.js: Added.
1902
1903 2017-10-19  JF Bastien  <jfbastien@apple.com>
1904
1905         WebAssembly: no VM / JS version of everything but Instance
1906         https://bugs.webkit.org/show_bug.cgi?id=177473
1907
1908         Reviewed by Filip Pizlo, Saam Barati.
1909
1910         - Exceeding max on memory growth now returns a range error as per
1911         spec. This is a (very minor) breaking change: it used to throw OOM
1912         error. Update the corresponding test.
1913
1914         * wasm/js-api/memory-grow.js:
1915         (assertEq):
1916         * wasm/js-api/table.js:
1917         (assert.throws):
1918
1919 2017-10-19  Mark Lam  <mark.lam@apple.com>
1920
1921         Stringifier::appendStringifiedValue() is missing an exception check.
1922         https://bugs.webkit.org/show_bug.cgi?id=178386
1923         <rdar://problem/35027610>
1924
1925         Reviewed by Saam Barati.
1926
1927         * stress/regress-178386.js: Added.
1928
1929 2017-10-19  Michael Saboff  <msaboff@apple.com>
1930
1931         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
1932         https://bugs.webkit.org/show_bug.cgi?id=178521
1933
1934         Reviewed by JF Bastien.
1935
1936         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
1937         now passes with the current version (5.0) of the Emoji spec.
1938
1939 2017-10-19  Robin Morisset  <rmorisset@apple.com>
1940
1941         Turn recursive tail calls into loops
1942         https://bugs.webkit.org/show_bug.cgi?id=176601
1943
1944         Reviewed by Saam Barati.
1945
1946         Add some simple test that computes factorial in several ways, and other trivial computations.
1947         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
1948         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
1949         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
1950         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
1951
1952         * stress/inline-call-to-recursive-tail-call.js: Added.
1953         (factorial.aux):
1954         (factorial):
1955         (factorial2.aux):
1956         (factorial2.id):
1957         (factorial2):
1958         (factorial3.aux):
1959         (factorial3):
1960         (aux):
1961         (factorial4):
1962         (test):
1963
1964 2017-10-18  Mark Lam  <mark.lam@apple.com>
1965
1966         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
1967         https://bugs.webkit.org/show_bug.cgi?id=177600
1968         <rdar://problem/34710985>
1969
1970         Reviewed by Saam Barati.
1971
1972         * stress/regress-177600.js: Added.
1973
1974 2017-10-18  Mark Lam  <mark.lam@apple.com>
1975
1976         The compiler should always register a structure when it adds its transitionWatchPointSet.
1977         https://bugs.webkit.org/show_bug.cgi?id=178420
1978         <rdar://problem/34814024>
1979
1980         Reviewed by Saam Barati and Filip Pizlo.
1981
1982         * stress/regress-178420.js: Added.
1983         (new.Array.10000.map):
1984
1985 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1986
1987         [JSC] __proto__ getter should be fast
1988         https://bugs.webkit.org/show_bug.cgi?id=178067
1989
1990         Reviewed by Saam Barati.
1991
1992         * stress/dfg-object-proto-accessor.js: Added.
1993         (shouldBe):
1994         (shouldThrow):
1995         (target):
1996         * stress/dfg-object-proto-getter.js: Added.
1997         (shouldBe):
1998         (shouldThrow):
1999         (target):
2000         * stress/dfg-object-prototype-of.js: Added.
2001         (shouldBe):
2002         (shouldThrow):
2003         (target):
2004         * stress/dfg-reflect-get-prototype-of.js: Added.
2005         (shouldBe):
2006         (shouldThrow):
2007         (target):
2008         * stress/intrinsic-getter-with-poly-proto.js: Added.
2009         (shouldBe):
2010         (makePolyProtoObject.foo.C):
2011         (makePolyProtoObject.foo):
2012         (makePolyProtoObject):
2013         (target):
2014         * stress/object-get-prototype-of-filtered.js: Added.
2015         (shouldBe):
2016         (shouldThrow):
2017         (target):
2018         (i.Cocoa):
2019         * stress/object-get-prototype-of-mono-proto.js: Added.
2020         (shouldBe):
2021         (makePolyProtoObject.foo.C):
2022         (makePolyProtoObject.foo):
2023         (makePolyProtoObject):
2024         (target):
2025         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2026         (shouldBe):
2027         (makePolyProtoObject.foo.C):
2028         (makePolyProtoObject.foo):
2029         (makePolyProtoObject):
2030         (target):
2031         * stress/object-get-prototype-of-poly-proto.js: Added.
2032         (shouldBe):
2033         (makePolyProtoObject.foo.C):
2034         (makePolyProtoObject.foo):
2035         (makePolyProtoObject):
2036         (target):
2037         * stress/object-proto-getter-filtered.js: Added.
2038         (shouldBe):
2039         (shouldThrow):
2040         (target):
2041         (i.Cocoa):
2042         * stress/object-proto-getter-poly-mono-proto.js: Added.
2043         (shouldBe):
2044         (makePolyProtoObject.foo.C):
2045         (makePolyProtoObject.foo):
2046         (makePolyProtoObject):
2047         (target):
2048         * stress/object-proto-getter-poly-proto.js: Added.
2049         (shouldBe):
2050         (makePolyProtoObject.foo.C):
2051         (makePolyProtoObject.foo):
2052         (makePolyProtoObject):
2053         (target):
2054         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2055         * stress/string-proto.js: Added.
2056         (shouldBe):
2057         (target):
2058
2059 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
2060
2061         Unreviewed, rolling out r223523.
2062
2063         A test for this change is failing on debug JSC bots.
2064
2065         Reverted changeset:
2066
2067         "[JSC] __proto__ getter should be fast"
2068         https://bugs.webkit.org/show_bug.cgi?id=178067
2069         https://trac.webkit.org/changeset/223523
2070
2071 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2072
2073         [JSC] __proto__ getter should be fast
2074         https://bugs.webkit.org/show_bug.cgi?id=178067
2075
2076         Reviewed by Saam Barati.
2077
2078         * stress/dfg-object-proto-accessor.js: Added.
2079         (shouldBe):
2080         (shouldThrow):
2081         (target):
2082         * stress/dfg-object-proto-getter.js: Added.
2083         (shouldBe):
2084         (shouldThrow):
2085         (target):
2086         * stress/dfg-object-prototype-of.js: Added.
2087         (shouldBe):
2088         (shouldThrow):
2089         (target):
2090         * stress/dfg-reflect-get-prototype-of.js: Added.
2091         (shouldBe):
2092         (shouldThrow):
2093         (target):
2094         * stress/object-get-prototype-of-filtered.js: Added.
2095         (shouldBe):
2096         (shouldThrow):
2097         (target):
2098         (i.Cocoa):
2099         * stress/object-get-prototype-of-mono-proto.js: Added.
2100         (shouldBe):
2101         (makePolyProtoObject.foo.C):
2102         (makePolyProtoObject.foo):
2103         (makePolyProtoObject):
2104         (target):
2105         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
2106         (shouldBe):
2107         (makePolyProtoObject.foo.C):
2108         (makePolyProtoObject.foo):
2109         (makePolyProtoObject):
2110         (target):
2111         * stress/object-get-prototype-of-poly-proto.js: Added.
2112         (shouldBe):
2113         (makePolyProtoObject.foo.C):
2114         (makePolyProtoObject.foo):
2115         (makePolyProtoObject):
2116         (target):
2117         * stress/object-proto-getter-filtered.js: Added.
2118         (shouldBe):
2119         (shouldThrow):
2120         (target):
2121         (i.Cocoa):
2122         * stress/object-proto-getter-poly-mono-proto.js: Added.
2123         (shouldBe):
2124         (makePolyProtoObject.foo.C):
2125         (makePolyProtoObject.foo):
2126         (makePolyProtoObject):
2127         (target):
2128         * stress/object-proto-getter-poly-proto.js: Added.
2129         (shouldBe):
2130         (makePolyProtoObject.foo.C):
2131         (makePolyProtoObject.foo):
2132         (makePolyProtoObject):
2133         (target):
2134         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
2135         * stress/string-proto.js: Added.
2136         (shouldBe):
2137         (target):
2138
2139 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2140
2141         Reland "Add Above/Below comparisons for UInt32 patterns"
2142         https://bugs.webkit.org/show_bug.cgi?id=177281
2143
2144         Reviewed by Saam Barati.
2145
2146         * stress/uint32-comparison-jump.js: Added.
2147         (shouldBe):
2148         (above):
2149         (aboveOrEqual):
2150         (below):
2151         (belowOrEqual):
2152         (notAbove):
2153         (notAboveOrEqual):
2154         (notBelow):
2155         (notBelowOrEqual):
2156         * stress/uint32-comparison.js: Added.
2157         (shouldBe):
2158         (above):
2159         (aboveOrEqual):
2160         (below):
2161         (belowOrEqual):
2162         (aboveTest):
2163         (aboveOrEqualTest):
2164         (belowTest):
2165         (belowOrEqualTest):
2166
2167 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2168
2169         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
2170         https://bugs.webkit.org/show_bug.cgi?id=178210
2171
2172         Reviewed by Saam Barati.
2173
2174         * wasm/function-tests/trap-from-start-async.js:
2175         (async.StartTrapsAsync):
2176         * wasm/function-tests/trap-from-start.js:
2177         (StartTraps):
2178         * wasm/js-api/web-assembly-function.js:
2179         (assert.eq.Object.getPrototypeOf):
2180         * wasm/js-api/wrapper-function.js:
2181         (return.new.WebAssembly.Module):
2182         (assert.throws.makeInstance): Deleted.
2183         (assert.throws.Bar): Deleted.
2184         (assert.throws): Deleted.
2185
2186 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2187
2188         Enable gigacage on iOS
2189         https://bugs.webkit.org/show_bug.cgi?id=177586
2190
2191         Reviewed by JF Bastien.
2192         
2193         Add tests for when Gigacage gets runtime disabled.
2194
2195         * stress/disable-gigacage-arrays.js: Added.
2196         (foo):
2197         * stress/disable-gigacage-strings.js: Added.
2198         (foo):
2199         * stress/disable-gigacage-typed-arrays.js: Added.
2200         (foo):
2201
2202 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2203
2204         import.meta should not be assignable
2205         https://bugs.webkit.org/show_bug.cgi?id=178202
2206
2207         Reviewed by Saam Barati.
2208
2209         * modules/import-meta-assignment.js: Added.
2210         (shouldThrow):
2211         (SyntaxError.import.meta.can.shouldThrow):
2212
2213 2017-10-11  Saam Barati  <sbarati@apple.com>
2214
2215         Unreviewed. Actually skip certain type profiler tests in debug.
2216
2217         * typeProfiler.yaml:
2218         * typeProfiler/deltablue-for-of.js:
2219         * typeProfiler/getter-richards.js:
2220
2221 2017-10-11  Commit Queue  <commit-queue@webkit.org>
2222
2223         Unreviewed, rolling out r223113 and r223121.
2224         https://bugs.webkit.org/show_bug.cgi?id=178182
2225
2226         Reintroduced 20% regression on Kraken (Requested by rniwa on
2227         #webkit).
2228
2229         Reverted changesets:
2230
2231         "Enable gigacage on iOS"
2232         https://bugs.webkit.org/show_bug.cgi?id=177586
2233         https://trac.webkit.org/changeset/223113
2234
2235         "Use one virtual allocation for all gigacages and their
2236         runways"
2237         https://bugs.webkit.org/show_bug.cgi?id=178050
2238         https://trac.webkit.org/changeset/223121
2239
2240 2017-10-11  Michael Saboff  <msaboff@apple.com>
2241
2242         Disable test262 named capture group tests with direct unicode names and with references before definitions
2243         https://bugs.webkit.org/show_bug.cgi?id=178177
2244
2245         Reviewed by Keith Miller.
2246
2247         Bugs to track fixing these test are:
2248         https://bugs.webkit.org/show_bug.cgi?id=178174 -
2249             "Add support in named capture group identifiers for direct surrogate pairs"
2250         https://bugs.webkit.org/show_bug.cgi?id=178175 -
2251             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
2252
2253         * test262.yaml:
2254
2255 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
2256
2257         Object properties are undefined in super.call() but not in this.call()
2258         https://bugs.webkit.org/show_bug.cgi?id=177230
2259
2260         Reviewed by Saam Barati.
2261
2262         * stress/super-call-function-subclass.js: Added.
2263         (assert):
2264         (A.prototype.t):
2265         (A):
2266         * stress/super-dot-call-and-apply.js: Added.
2267         (assert):
2268         (A):
2269         (A.prototype.call):
2270         (A.prototype.apply):
2271         (B.prototype.testSuper):
2272         (B):
2273         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
2274         (D.prototype.testSuper):
2275         (D):
2276
2277 2017-10-10  Saam Barati  <sbarati@apple.com>
2278
2279         The prototype cache should be aware of the Executable it generates a Structure for
2280         https://bugs.webkit.org/show_bug.cgi?id=177907
2281
2282         Reviewed by Filip Pizlo.
2283
2284         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
2285         (assert):
2286         (foo.C):
2287         (foo):
2288         (bar.C):
2289         (bar):
2290         (access):
2291         (makeLongChain):
2292         (accessY):
2293
2294 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2295
2296         `async` should be able to be used as an imported binding name
2297         https://bugs.webkit.org/show_bug.cgi?id=176573
2298
2299         Reviewed by Saam Barati.
2300
2301         * modules/import-default-async.js: Added.
2302         * modules/import-named-async-as.js: Added.
2303         * modules/import-named-async.js: Added.
2304         * modules/import-named-async/target.js: Added.
2305         * modules/import-namespace-async.js: Added.
2306         * test262.yaml:
2307
2308 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2309
2310         Enable gigacage on iOS
2311         https://bugs.webkit.org/show_bug.cgi?id=177586
2312
2313         Reviewed by JF Bastien.
2314         
2315         Add tests for when Gigacage gets runtime disabled.
2316
2317         * stress/disable-gigacage-arrays.js: Added.
2318         (foo):
2319         * stress/disable-gigacage-strings.js: Added.
2320         (foo):
2321         * stress/disable-gigacage-typed-arrays.js: Added.
2322         (foo):
2323
2324 2017-10-09  Michael Saboff  <msaboff@apple.com>
2325
2326         Implement RegExp Unicode property escapes
2327         https://bugs.webkit.org/show_bug.cgi?id=172069
2328
2329         Reviewed by JF Bastien.
2330
2331         Enabled Unicode Property tests.
2332
2333         * test262.yaml:
2334
2335 2017-10-09  Commit Queue  <commit-queue@webkit.org>
2336
2337         Unreviewed, rolling out r223015 and r223025.
2338         https://bugs.webkit.org/show_bug.cgi?id=178093
2339
2340         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
2341         #webkit).
2342
2343         Reverted changesets:
2344
2345         "Enable gigacage on iOS"
2346         https://bugs.webkit.org/show_bug.cgi?id=177586
2347         http://trac.webkit.org/changeset/223015
2348
2349         "Unreviewed, disable Gigacage on ARM64 Linux"
2350         https://bugs.webkit.org/show_bug.cgi?id=177586
2351         http://trac.webkit.org/changeset/223025
2352
2353 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2354
2355         Update expectations for test262 tests that pass after r223043.
2356         https://bugs.webkit.org/show_bug.cgi?id=176685
2357
2358         Unreviewed test gardening.
2359
2360         * test262.yaml:
2361
2362 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
2363
2364         Unreviewed, rolling out r223022.
2365
2366         This change introduced 18 test262 failures.
2367
2368         Reverted changeset:
2369
2370         "`async` should be able to be used as an imported binding
2371         name"
2372         https://bugs.webkit.org/show_bug.cgi?id=176573
2373         http://trac.webkit.org/changeset/223022
2374
2375 2017-10-09  Saam Barati  <sbarati@apple.com>
2376
2377         3 poly-proto JSC tests timing out on debug after r222827
2378         https://bugs.webkit.org/show_bug.cgi?id=177880
2379         <rdar://problem/34817122>
2380
2381         Unreviewed.
2382
2383         I'm skipping these type profiler tests on debug since they are long running.
2384
2385         * typeProfiler/deltablue-for-of.js:
2386         * typeProfiler/getter-richards.js:
2387
2388 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2389
2390         Safari 10 /11 problem with if (!await get(something)).
2391         https://bugs.webkit.org/show_bug.cgi?id=176685
2392
2393         Reviewed by Saam Barati.
2394
2395         * stress/async-await-basic.js:
2396         (awaitEpression.async):
2397         * stress/async-await-syntax.js:
2398         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
2399         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
2400
2401 2017-10-08  Saam Barati  <sbarati@apple.com>
2402
2403         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
2404
2405         * typeProfiler/deltablue-for-of.js:
2406         * typeProfiler/getter-richards.js:
2407
2408 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2409
2410         `async` should be able to be used as an imported binding name
2411         https://bugs.webkit.org/show_bug.cgi?id=176573
2412
2413         Reviewed by Darin Adler.
2414
2415         * modules/import-default-async.js: Added.
2416         * modules/import-named-async-as.js: Added.
2417         * modules/import-named-async.js: Added.
2418         * modules/import-named-async/target.js: Added.
2419         * modules/import-namespace-async.js: Added.
2420
2421 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
2422
2423         Enable gigacage on iOS
2424         https://bugs.webkit.org/show_bug.cgi?id=177586
2425
2426         Reviewed by JF Bastien.
2427         
2428         Add tests for when Gigacage gets runtime disabled.
2429
2430         * stress/disable-gigacage-arrays.js: Added.
2431         (foo):
2432         * stress/disable-gigacage-strings.js: Added.
2433         (foo):
2434         * stress/disable-gigacage-typed-arrays.js: Added.
2435         (foo):
2436
2437 2017-10-06  Commit Queue  <commit-queue@webkit.org>
2438
2439         Unreviewed, rolling out r222791 and r222873.
2440         https://bugs.webkit.org/show_bug.cgi?id=178031
2441
2442         Caused crashes with workers/wasm LayoutTests (Requested by
2443         ryanhaddad on #webkit).
2444
2445         Reverted changesets:
2446
2447         "WebAssembly: no VM / JS version of everything but Instance"
2448         https://bugs.webkit.org/show_bug.cgi?id=177473
2449         http://trac.webkit.org/changeset/222791
2450
2451         "WebAssembly: address no VM / JS follow-ups"
2452         https://bugs.webkit.org/show_bug.cgi?id=177887
2453         http://trac.webkit.org/changeset/222873
2454
2455 2017-10-05  Saam Barati  <sbarati@apple.com>
2456
2457         Make sure all prototypes under poly proto get added into the VM's prototype map
2458         https://bugs.webkit.org/show_bug.cgi?id=177909
2459
2460         Reviewed by Keith Miller.
2461
2462         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
2463         (assert):
2464         (foo.C):
2465         (foo):
2466         (set x):
2467
2468 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2469
2470         [JSC] Introduce import.meta
2471         https://bugs.webkit.org/show_bug.cgi?id=177703
2472
2473         Reviewed by Filip Pizlo.
2474
2475         * modules/import-meta-syntax.js: Added.
2476         (shouldThrow):
2477         (shouldNotThrow):
2478         * modules/import-meta.js: Added.
2479         * modules/import-meta/cocoa.js: Added.
2480         * modules/resources/assert.js:
2481         (export.shouldNotThrow):
2482         * stress/import-syntax.js:
2483
2484 2017-10-04  Saam Barati  <sbarati@apple.com>
2485
2486         Make pertinent AccessCases watch the poly proto watchpoint
2487         https://bugs.webkit.org/show_bug.cgi?id=177765
2488
2489         Reviewed by Keith Miller.
2490
2491         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
2492         (assert):
2493         (foo.C):
2494         (foo):
2495         (validate):
2496         * stress/poly-proto-clear-stub.js: Added.
2497         (assert):
2498         (foo.C):
2499         (foo):
2500
2501 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
2502
2503         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
2504
2505         Unreviewed test gardening.
2506
2507         * test262.yaml:
2508
2509 2017-10-04  Saam Barati  <sbarati@apple.com>
2510
2511         3 poly-proto JSC tests timing out on debug after r222827
2512         https://bugs.webkit.org/show_bug.cgi?id=177880
2513
2514         Rubber stamped by Mark Lam.
2515
2516         * microbenchmarks/poly-proto-access.js:
2517         * typeProfiler/deltablue-for-of.js:
2518         * typeProfiler/getter-richards.js:
2519
2520 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
2521
2522         Unreviewed, marking tco-catch.js as a failure after test262 update
2523         https://bugs.webkit.org/show_bug.cgi?id=177859
2524
2525         * test262.yaml:
2526
2527 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2528
2529         Unreviewed, marking one async iterator test262 test failed
2530         https://bugs.webkit.org/show_bug.cgi?id=177859
2531
2532         * test262.yaml:
2533
2534 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2535
2536         [Test262] Update Test262 to Oct 4 version
2537         https://bugs.webkit.org/show_bug.cgi?id=177859
2538
2539         Reviewed by Sam Weinig.
2540
2541         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
2542         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
2543
2544         * test262.yaml:
2545         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
2546         (checkSequence):
2547         * test262/harness/typeCoercion.js:
2548         (testCoercibleToIndexZero):
2549         (testCoercibleToIndexOne):
2550         (testCoercibleToIndexFromIndex):
2551         (testNotCoercibleToIndex.testPrimitiveValue):
2552         (testNotCoercibleToInteger):
2553         (testCoercibleToBigIntZero.testPrimitiveValue):
2554         (testCoercibleToBigIntZero):
2555         (testCoercibleToBigIntOne.testPrimitiveValue):
2556         (testCoercibleToBigIntOne):
2557         (testPrimitiveValue):
2558         (testCoercibleToBigIntFromBigInt):
2559         (testNotCoercibleToBigInt.testPrimitiveValue):
2560         (testNotCoercibleToBigInt.testStringValue):
2561         (testNotCoercibleToBigInt):
2562         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
2563         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
2564         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
2565         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
2566         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
2567         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
2568         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
2569         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
2570         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
2571         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
2572         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
2573         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
2574         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
2575         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
2576         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
2577         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
2578         (testCoercibleToBigIntZero):
2579         (testCoercibleToBigIntOne):
2580         (testNotCoercibleToBigInt):
2581         (MyError): Deleted.
2582         (valueOf): Deleted.
2583         (toString): Deleted.
2584         (Symbol.toPrimitive): Deleted.
2585         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
2586         (testCoercibleToIndexZero):
2587         (testCoercibleToIndexOne):
2588         (testNotCoercibleToIndex):
2589         (MyError): Deleted.
2590         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
2591         (assert.sameValue.BigInt.asIntN.toString): Deleted.
2592         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
2593         (BigInt.asIntN.valueOf): Deleted.
2594         (BigInt.asIntN.toString): Deleted.
2595         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
2596         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
2597         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
2598         (testCoercibleToBigIntZero):
2599         (testCoercibleToBigIntOne):
2600         (testNotCoercibleToBigInt):
2601         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
2602         (testCoercibleToIndexZero):
2603         (testCoercibleToIndexOne):
2604         (testNotCoercibleToIndex):
2605         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
2606         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
2607         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
2608         (bits.valueOf):
2609         (bigint.valueOf):
2610         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
2611         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
2612         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
2613         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
2614         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
2615         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
2616         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
2617         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
2618         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
2619         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
2620         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
2621         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
2622         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
2623         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
2624         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
2625         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
2626         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
2627         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
2628         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
2629         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
2630         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
2631         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
2632         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
2633         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
2634         (replacer):
2635         (BigInt.prototype.toJSON):
2636         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
2637         (replacer):
2638         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
2639         (BigInt.prototype.toJSON):
2640         * test262/test/built-ins/JSON/stringify/bigint.js:
2641         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
2642         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
2643         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
2644         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
2645         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
2646         * test262/test/built-ins/Object/proto-from-ctor.js:
2647         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
2648         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
2649         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
2650         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
2651         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
2652         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
2653         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
2654         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
2655         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
2656         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
2657         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
2658         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
2659         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
2660         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
2661         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
2662         * test262/test/built-ins/Proxy/get-fn-realm.js:
2663         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
2664         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
2665         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
2666         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
2667         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
2668         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
2669         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
2670         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
2671         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
2672         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
2673         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
2674         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
2675         (i6.replace):
2676         (i6b.replace):
2677         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
2678         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
2679         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
2680         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
2681         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
2682         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
2683         * test262/test/built-ins/RegExp/u180e.js: Added.
2684         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
2685         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
2686         * test262/test/built-ins/String/proto-from-ctor-realm.js:
2687         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
2688         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
2689         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
2690         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
2691         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
2692         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
2693         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
2694         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
2695         * test262/test/built-ins/String/prototype/endsWith/length.js:
2696         * test262/test/built-ins/String/prototype/endsWith/name.js:
2697         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
2698         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
2699         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
2700         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
2701         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
2702         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
2703         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
2704         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
2705         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
2706         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
2707         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
2708         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
2709         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
2710         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
2711         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
2712         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
2713         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
2714         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
2715         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
2716         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
2717         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
2718         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
2719         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
2720         * test262/test/built-ins/String/prototype/includes/includes.js:
2721         * test262/test/built-ins/String/prototype/includes/length.js:
2722         * test262/test/built-ins/String/prototype/includes/name.js:
2723         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
2724         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
2725         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
2726         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
2727         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
2728         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
2729         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
2730         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
2731         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
2732         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
2733         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
2734         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
2735         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
2736         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
2737         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
2738         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
2739         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
2740         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
2741         * test262/test/built-ins/String/prototype/trim/u180e.js:
2742         * test262/test/built-ins/Symbol/for/cross-realm.js:
2743         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
2744         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
2745         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
2746         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
2747         * test262/test/built-ins/Symbol/match/cross-realm.js:
2748         * test262/test/built-ins/Symbol/replace/cross-realm.js:
2749         * test262/test/built-ins/Symbol/search/cross-realm.js:
2750         * test262/test/built-ins/Symbol/species/cross-realm.js:
2751         * test262/test/built-ins/Symbol/split/cross-realm.js:
2752         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
2753         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
2754         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
2755         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
2756         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
2757         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
2758         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
2759         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
2760         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
2761         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
2762         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
2763         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
2764         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
2765         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
2766         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
2767         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
2768         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
2769         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
2770         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
2771         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
2772         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
2773         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
2774         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
2775         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
2776         * test262/test/language/comments/mongolian-vowel-separator-single.js:
2777         * test262/test/language/eval-code/indirect/realm.js:
2778         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
2779         (o.get z):
2780         (o.get a):
2781         * test262/test/language/expressions/call/eval-realm-indirect.js:
2782         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
2783         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
2784         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
2785         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
2786         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
2787         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
2788         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
2789         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
2790         * test262/test/language/expressions/greater-than/bigint-and-number.js:
2791         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
2792         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
2793         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
2794         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
2795         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
2796         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
2797         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
2798         * test262/test/language/expressions/less-than/bigint-and-number.js:
2799         * test262/test/language/expressions/new/non-ctor-err-realm.js:
2800         * test262/test/language/expressions/super/realm.js:
2801         * test262/test/language/expressions/tagged-template/cache-realm.js:
2802         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
2803         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
2804         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
2805         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
2806         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
2807         * test262/test/language/literals/string/mongolian-vowel-separator.js:
2808         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
2809         (o.get z):
2810         (o.get a):
2811         * test262/test/language/statements/for-of/iterator-next-reference.js:
2812         (next):
2813         (iterator.next): Deleted.
2814         (x.of.iterable.): Deleted.
2815         (x.of.iterable.get return): Deleted.
2816         (x.of.iterable.iterator.next): Deleted.
2817         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
2818         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
2819         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
2820         * test262/test/language/white-space/mongolian-vowel-separator.js:
2821         * test262/test262-Revision.txt:
2822
2823 2017-10-03  Saam Barati  <sbarati@apple.com>
2824
2825         Implement polymorphic prototypes
2826         https://bugs.webkit.org/show_bug.cgi?id=176391
2827
2828         Reviewed by Filip Pizlo.
2829
2830         * microbenchmarks/poly-proto-access.js: Added.
2831         (assert):
2832         (foo.C):
2833         (foo.C.prototype.get bar):
2834         (foo):
2835         (bar):
2836         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
2837         (assert):
2838         (makePolyProtoObject.foo.C):
2839         (makePolyProtoObject.foo):
2840         (makePolyProtoObject):
2841         (performSet):
2842         * microbenchmarks/poly-proto-setter-speed.js: Added.
2843         (assert):
2844         (makePolyProtoObject.foo.C):
2845         (makePolyProtoObject.foo.C.prototype.set p):
2846         (makePolyProtoObject.foo):
2847         (makePolyProtoObject):
2848         (performSet):
2849         * stress/constructor-with-return.js:
2850         (i.tests.forEach.Constructor):
2851         (i.tests.forEach):
2852         (tests.forEach.Constructor): Deleted.
2853         (tests.forEach): Deleted.
2854         * stress/dom-jit-with-poly-proto.js: Added.
2855         (assert):
2856         (makePolyProtoObject.foo.C):
2857         (makePolyProtoObject.foo):
2858         (makePolyProtoObject):
2859         (validate):
2860         * stress/poly-proto-custom-value-and-accessor.js: Added.
2861         (assert):
2862         (makePolyProtoObject.foo.C):
2863         (makePolyProtoObject.foo):
2864         (makePolyProtoObject):
2865         (items.forEach):
2866         (set get for):
2867         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
2868         (assert):
2869         (makePolyProtoObject.foo.C):
2870         (makePolyProtoObject.foo):
2871         (makePolyProtoObject):
2872         (foo):
2873         * stress/poly-proto-miss.js: Added.
2874         (makePolyProtoInstanceWithNullPrototype.foo.C):
2875         (makePolyProtoInstanceWithNullPrototype.foo):
2876         (makePolyProtoInstanceWithNullPrototype):
2877         (assert):
2878         (validate):
2879         * stress/poly-proto-op-in-caching.js: Added.
2880         (assert):
2881         (makePolyProtoObject.foo.C):
2882         (makePolyProtoObject.foo):
2883         (makePolyProtoObject):
2884         (validate):
2885         (validate2):
2886         * stress/poly-proto-put-transition.js: Added.
2887         (assert):
2888         (makePolyProtoObject.foo.C):
2889         (makePolyProtoObject.foo):
2890         (makePolyProtoObject):
2891         (performSet):
2892         (i.obj.__proto__.set p):
2893         * stress/poly-proto-set-prototype.js: Added.
2894         (assert):
2895         (let.alternateProto.get x):
2896         (let.alternateProto2.get y):
2897         (let.alternateProto2.get x):
2898         (foo.C):
2899         (foo):
2900         (validate):
2901         * stress/poly-proto-setter.js: Added.
2902         (assert):
2903         (makePolyProtoObject.foo.C):
2904         (makePolyProtoObject.foo.C.prototype.set p):
2905         (makePolyProtoObject.foo.C.prototype.get p):
2906         (makePolyProtoObject.foo):
2907         (makePolyProtoObject):
2908         (performSet):
2909         * stress/poly-proto-using-inheritance.js: Added.
2910         (assert):
2911         (foo.C):
2912         (foo.C.prototype.get baz):
2913         (foo):
2914         (bar.C):
2915         (bar):
2916         (validate):
2917         * stress/primitive-poly-proto.js: Added.
2918         (makePolyProtoInstance.foo.C):
2919         (makePolyProtoInstance.foo):
2920         (makePolyProtoInstance):
2921         (assert):
2922         (validate):
2923         * stress/prototype-is-not-js-object.js: Added.
2924         (foo.bar):
2925         (foo):
2926         (assert):
2927         (validate):
2928         * stress/try-get-by-id-poly-proto.js: Added.
2929         (assert):
2930         (makePolyProtoObject.foo.C):
2931         (makePolyProtoObject.foo):
2932         (makePolyProtoObject):
2933         (tryGetByIdText):
2934         (x.__proto__.get bar):
2935         (validate):
2936         * typeProfiler/overflow.js:
2937
2938 2017-10-03  JF Bastien  <jfbastien@apple.com>
2939
2940         WebAssembly: no VM / JS version of everything but Instance
2941         https://bugs.webkit.org/show_bug.cgi?id=177473
2942
2943         Reviewed by Filip Pizlo.
2944
2945         - Exceeding max on memory growth now returns a range error as per
2946         spec. This is a (very minor) breaking change: it used to throw OOM
2947         error. Update the corresponding test.
2948
2949         * wasm/js-api/memory-grow.js:
2950         (assertEq):
2951         * wasm/js-api/table.js:
2952         (assert.throws):
2953
2954 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
2955
2956         Skip JSC test stress/regress-159779-2.js on debug.
2957         https://bugs.webkit.org/show_bug.cgi?id=177204
2958
2959         Unreviewed test gardening.
2960
2961         * stress/regress-159779-2.js:
2962
2963 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
2964
2965         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
2966         https://bugs.webkit.org/show_bug.cgi?id=175642
2967
2968         Reviewed by Darin Adler.
2969
2970         * ChakraCore/test/Function/apply3.baseline-jsc:
2971
2972 2017-10-01  Commit Queue  <commit-queue@webkit.org>
2973
2974         Unreviewed, rolling out r222564.
2975         https://bugs.webkit.org/show_bug.cgi?id=177720
2976
2977         "It regressed JetStream by 2% on iOS caused by a 50%
2978         regression on the bigfib subtest" (Requested by saamyjoon on
2979         #webkit).
2980
2981         Reverted changeset:
2982
2983         "Add Above/Below comparisons for UInt32 patterns"
2984         https://bugs.webkit.org/show_bug.cgi?id=177281
2985         http://trac.webkit.org/changeset/222564
2986
2987 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2988
2989         [DFG] Support ArrayPush with multiple args
2990         https://bugs.webkit.org/show_bug.cgi?id=175823
2991
2992         Reviewed by Saam Barati.
2993
2994         * microbenchmarks/array-push-0.js: Added.
2995         (arrayPush0):
2996         * microbenchmarks/array-push-1.js: Added.
2997         (arrayPush1):
2998         * microbenchmarks/array-push-2.js: Added.
2999         (arrayPush2):
3000         * microbenchmarks/array-push-3.js: Added.
3001         (arrayPush3):
3002         * stress/array-push-multiple-contiguous.js: Added.
3003         (shouldBe):
3004         (test):
3005         * stress/array-push-multiple-double-nan.js: Added.
3006         (shouldBe):
3007         (test):
3008         * stress/array-push-multiple-double.js: Added.
3009         (shouldBe):
3010         (test):
3011         * stress/array-push-multiple-int32.js: Added.
3012         (shouldBe):
3013         (test):
3014         * stress/array-push-multiple-many-contiguous.js: Added.
3015         (shouldBe):
3016         (test):
3017         * stress/array-push-multiple-many-double.js: Added.
3018         (shouldBe):
3019         (test):
3020         * stress/array-push-multiple-many-int32.js: Added.
3021         (shouldBe):
3022         (test):
3023         * stress/array-push-multiple-many-storage.js: Added.
3024         (shouldBe):
3025         (test):
3026         * stress/array-push-multiple-storage.js: Added.
3027         (shouldBe):
3028         (test):
3029         * stress/array-push-with-force-exit.js: Added.
3030         (target.createBuiltin):
3031
3032 2017-09-29  Saam Barati  <sbarati@apple.com>
3033
3034         Custom GetterSetterAccessCase does not use the correct slotBase when making call
3035         https://bugs.webkit.org/show_bug.cgi?id=177639
3036
3037         Reviewed by Geoffrey Garen.
3038
3039         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
3040         (assert):
3041         (Class):
3042         (items.forEach):
3043         (set get for):
3044
3045 2017-09-29  Commit Queue  <commit-queue@webkit.org>
3046
3047         Unreviewed, rolling out r222563, r222565, and r222581.
3048         https://bugs.webkit.org/show_bug.cgi?id=177675
3049
3050         "It causes a crash when playing youtube videos" (Requested by
3051         saamyjoon on #webkit).
3052
3053         Reverted changesets:
3054
3055         "[DFG] Support ArrayPush with multiple args"
3056         https://bugs.webkit.org/show_bug.cgi?id=175823
3057         http://trac.webkit.org/changeset/222563
3058
3059         "Unreviewed, build fix after r222563"
3060         https://bugs.webkit.org/show_bug.cgi?id=175823
3061         http://trac.webkit.org/changeset/222565
3062
3063         "Unreviewed, fix x86 breaking due to exhausted registers"
3064         https://bugs.webkit.org/show_bug.cgi?id=175823
3065         http://trac.webkit.org/changeset/222581
3066
3067 2017-09-28  Mark Lam  <mark.lam@apple.com>
3068
3069         test262: Unexpected passes after r222617 and r222618.
3070         https://bugs.webkit.org/show_bug.cgi?id=177622
3071         <rdar://problem/34725960>
3072
3073         Reviewed by Saam Barati.
3074
3075         Update test262.yaml for tests that are now passing.
3076
3077         * test262.yaml:
3078
3079 2017-09-27  Michael Saboff  <msaboff@apple.com>
3080
3081         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
3082         https://bugs.webkit.org/show_bug.cgi?id=177570
3083
3084         Reviewed by Filip Pizlo.
3085
3086         New regression test.
3087
3088         * stress/regress-177570.js: Added.
3089
3090 2017-09-28  Michael Saboff  <msaboff@apple.com>
3091
3092         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
3093         https://bugs.webkit.org/show_bug.cgi?id=177423
3094
3095         Reviewed by Mark Lam.
3096
3097         Updated regression test.
3098
3099         * stress/regress-177423.js:
3100         (catch):
3101
3102 2017-09-27  Mark Lam  <mark.lam@apple.com>
3103
3104         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
3105         https://bugs.webkit.org/show_bug.cgi?id=177584
3106         <rdar://problem/34463903>
3107
3108         Reviewed by Saam Barati.
3109
3110         * stress/regress-177584.js: Added.
3111         (assertEqual):
3112         (Array.prototype.Symbol.species):
3113
3114 2017-09-27  Saam Barati  <sbarati@apple.com>
3115
3116         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
3117         https://bugs.webkit.org/show_bug.cgi?id=177523
3118
3119         Reviewed by Mark Lam.
3120
3121         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
3122         (assert):
3123         (Test):
3124         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
3125         (addMethods):
3126         (i.Test.prototype.propName):
3127
3128 2017-09-27  Mark Lam  <mark.lam@apple.com>
3129
3130         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
3131         https://bugs.webkit.org/show_bug.cgi?id=177423
3132         <rdar://problem/34621320>
3133
3134         Reviewed by Keith Miller.
3135
3136         * stress/regress-177423.js: Added.
3137
3138 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3139
3140         Add Above/Below comparisons for UInt32 patterns
3141         https://bugs.webkit.org/show_bug.cgi?id=177281
3142
3143         Reviewed by Saam Barati.
3144
3145         * stress/uint32-comparison-jump.js: Added.
3146         (shouldBe):
3147         (above):
3148         (aboveOrEqual):
3149         (below):
3150         (belowOrEqual):
3151         (notAbove):
3152         (notAboveOrEqual):
3153         (notBelow):
3154         (notBelowOrEqual):
3155         * stress/uint32-comparison.js: Added.
3156         (shouldBe):
3157         (above):
3158         (aboveOrEqual):
3159         (below):
3160         (belowOrEqual):
3161         (aboveTest):
3162         (aboveOrEqualTest):
3163         (belowTest):
3164         (belowOrEqualTest):
3165
3166 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3167
3168         [DFG] Support ArrayPush with multiple args
3169         https://bugs.webkit.org/show_bug.cgi?id=175823
3170
3171         Reviewed by Saam Barati.
3172
3173         * microbenchmarks/array-push-0.js: Added.
3174         (arrayPush0):
3175         * microbenchmarks/array-push-1.js: Added.
3176         (arrayPush1):
3177         * microbenchmarks/array-push-2.js: Added.
3178         (arrayPush2):
3179         * microbenchmarks/array-push-3.js: Added.
3180         (arrayPush3):
3181         * stress/array-push-multiple-contiguous.js: Added.
3182         (shouldBe):
3183         (test):
3184         * stress/array-push-multiple-double-nan.js: Added.
3185         (shouldBe):
3186         (test):
3187         * stress/array-push-multiple-double.js: Added.
3188         (shouldBe):
3189         (test):
3190         * stress/array-push-multiple-int32.js: Added.
3191         (shouldBe):
3192         (test):
3193         * stress/array-push-multiple-many-contiguous.js: Added.
3194         (shouldBe):
3195         (test):
3196         * stress/array-push-multiple-many-double.js: Added.
3197         (shouldBe):
3198         (test):
3199         * stress/array-push-multiple-many-int32.js: Added.
3200         (shouldBe):
3201         (test):
3202         * stress/array-push-multiple-many-storage.js: Added.
3203         (shouldBe):
3204         (test):
3205         * stress/array-push-multiple-storage.js: Added.
3206         (shouldBe):
3207         (test):
3208
3209 2017-09-26  Commit Queue  <commit-queue@webkit.org>
3210
3211         Unreviewed, rolling out r222518.
3212         https://bugs.webkit.org/show_bug.cgi?id=177507
3213
3214         Break the High Sierra build (Requested by yusukesuzuki on
3215         #webkit).
3216
3217         Reverted changeset:
3218
3219         "Add Above/Below comparisons for UInt32 patterns"
3220         https://bugs.webkit.org/show_bug.cgi?id=177281
3221         http://trac.webkit.org/changeset/222518
3222
3223 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3224
3225         Add Above/Below comparisons for UInt32 patterns
3226         https://bugs.webkit.org/show_bug.cgi?id=177281
3227
3228         Reviewed by Saam Barati.
3229
3230         * stress/uint32-comparison-jump.js: Added.
3231         (shouldBe):
3232         (above):
3233         (aboveOrEqual):
3234         (below):
3235         (belowOrEqual):
3236         (notAbove):
3237         (notAboveOrEqual):
3238         (notBelow):
3239         (notBelowOrEqual):
3240         * stress/uint32-comparison.js: Added.
3241         (shouldBe):
3242         (above):
3243         (aboveOrEqual):
3244         (below):
3245         (belowOrEqual):
3246         (aboveTest):
3247         (aboveOrEqualTest):
3248         (belowTest):
3249         (belowOrEqualTest):
3250
3251 2017-09-23  Keith Miller  <keith_miller@apple.com>
3252
3253         Fix infinite looping test262 test
3254         https://bugs.webkit.org/show_bug.cgi?id=177412
3255
3256         Reviewed by Yusuke Suzuki.
3257
3258         This test was poorly designed since failing it would cause the vm
3259         to inifinite loop. I've fixed it locally and will fix it on github pending
3260         the results of next weeks tc39 meeting.
3261
3262         * test262.yaml:
3263         * test262/test/language/statements/for-of/iterator-next-reference.js:
3264
3265 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
3266
3267         test262: $.agent became $262.agent in test262 update
3268         https://bugs.webkit.org/show_bug.cgi?id=177407
3269
3270         Reviewed by Yusuke Suzuki.
3271
3272         * test262.yaml:
3273         ~320 tests pass now that we correctly make $262 available.
3274
3275 2017-09-22  Keith Miller  <keith_miller@apple.com>
3276
3277         Speculatively change iteration protocall to use the same next function
3278         https://bugs.webkit.org/show_bug.cgi?id=175653
3279
3280         Reviewed by Saam Barati.
3281
3282         Change test to match the new iteration behavior.
3283
3284         * stress/spread-optimized-properly.js:
3285
3286 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3287
3288         [DFG][FTL] Profile array vector length for array allocation
3289         https://bugs.webkit.org/show_bug.cgi?id=177051
3290
3291         Reviewed by Saam Barati.
3292
3293         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3294         (target):
3295
3296 2017-09-22  Commit Queue  <commit-queue@webkit.org>
3297
3298         Unreviewed, rolling out r222380.
3299         https://bugs.webkit.org/show_bug.cgi?id=177352
3300
3301         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
3302         #webkit).
3303
3304         Reverted changeset:
3305
3306         "[DFG][FTL] Profile array vector length for array allocation"
3307         https://bugs.webkit.org/show_bug.cgi?id=177051
3308         http://trac.webkit.org/changeset/222380
3309
3310 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3311
3312         [DFG][FTL] Profile array vector length for array allocation
3313         https://bugs.webkit.org/show_bug.cgi?id=177051
3314
3315         Reviewed by Saam Barati.
3316
3317         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
3318         (target):
3319
3320 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
3321
3322         Skip new hanging test262 tests.
3323         https://bugs.webkit.org/show_bug.cgi?id=177326
3324
3325         Unreviewed test gardening.
3326
3327         * test262.yaml:
3328
3329 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
3330
3331         Mark 6 test262 tests as passing.
3332         https://bugs.webkit.org/show_bug.cgi?id=177307
3333
3334         Unreviewed test gardening.
3335
3336         * test262.yaml:
3337
3338 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3339
3340         Unreviewed follow-up to r222311.
3341
3342         * test262/harness/sta.js:
3343         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
3344         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
3345         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
3346         * test262/test/built-ins/Array/from/elements-added-after.js:
3347         * test262/test/built-ins/Array/from/elements-deleted-after.js:
3348         * test262/test/built-ins/Array/from/elements-updated-after.js:
3349         * test262/test/built-ins/Array/from/from-array.js:
3350         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
3351         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
3352         * test262/test/built-ins/Array/from/source-array-boundary.js:
3353         * test262/test/built-ins/Array/from/source-object-constructor.js:
3354         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
3355         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
3356         * test262/test/built-ins/Array/from/source-object-length.js:
3357         * test262/test/built-ins/Array/from/source-object-missing.js:
3358         * test262/test/built-ins/Array/from/source-object-without.js:
3359         * test262/test/built-ins/Array/from/this-null.js:
3360         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
3361         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
3362         * test262/test/language/literals/numeric/7.8.3-1gs.js:
3363         * test262/test/language/literals/numeric/7.8.3-2gs.js:
3364         * test262/test/language/literals/numeric/7.8.3-3gs.js:
3365         * test262/test/language/literals/regexp/7.8.5-1gs.js:
3366         * test262/test/language/literals/string/7.8.4-1gs.js:
3367         Fix some files that I failed to update when I applied my patch.
3368
3369 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
3370
3371         Update test262 tests
3372         https://bugs.webkit.org/show_bug.cgi?id=177220
3373
3374         Reviewed by Saam Barati and Yusuke Suzuki.
3375
3376         * test262.yaml:
3377         * test262/test262-Revision.txt:
3378         New rebaselined expectations for all tests.
3379
3380         * test262/*:
3381         Updated.
3382
3383 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
3384
3385         [DFG] Remove ToThis more aggressively
3386         https://bugs.webkit.org/show_bug.cgi?id=177056
3387
3388         Reviewed by Saam Barati.
3389
3390         * stress/generator-with-this-strict.js: Added.
3391         (shouldBe):
3392         (generator):
3393         (target):
3394         * stress/generator-with-this.js: Added.
3395         (shouldBe):
3396         (generator):
3397         (target):
3398
3399 2017-09-17  Michael Saboff  <msaboff@apple.com>
3400
3401         https://bugs.webkit.org/show_bug.cgi?id=177038
3402         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
3403
3404         Reviewed by JF Bastien.
3405
3406         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
3407         as it dies using too much memory.
3408
3409 2017-09-15  Saam Barati  <sbarati@apple.com>
3410
3411         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
3412         https://bugs.webkit.org/show_bug.cgi?id=176981
3413
3414         Reviewed by Yusuke Suzuki.
3415
3416         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
3417         (assert):
3418         (verify):
3419         (func):
3420         (const.bar.createBuiltin):
3421
3422 2017-09-14  Saam Barati  <sbarati@apple.com>
3423
3424         It should be valid to exit before each set when doing arity fixup when inlining
3425         https://bugs.webkit.org/show_bug.cgi?id=176948
3426
3427         Reviewed by Keith Miller.
3428
3429         * stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.
3430         (baz):
3431         (bar):
3432         (foo):
3433
3434 2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3435
3436         [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
3437         https://bugs.webkit.org/show_bug.cgi?id=176867
3438
3439         Reviewed by Sam Weinig.
3440
3441         * microbenchmarks/object-get-own-property-symbols.js: Added.
3442         (test):
3443
3444 2017-09-13  Mark Lam  <mark.lam@apple.com>
3445
3446         Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
3447         https://bugs.webkit.org/show_bug.cgi?id=176888
3448         <rdar://problem/34381832>
3449
3450         Not reviewed.
3451
3452         * stress/op_mod-ConstVar.js:
3453         * stress/op_mod-VarConst.js:
3454         * stress/op_mod-VarVar.js:
3455
3456 2017-09-13  Ryan Haddad  <ryanhaddad@apple.com>
3457
3458         Skip 3 op_mod tests on Debug JSC bots.
3459         https://bugs.webkit.org/show_bug.cgi?id=176630
3460
3461         Unreviewed test gardening.
3462
3463         * stress/op_mod-ConstVar.js:
3464         * stress/op_mod-VarConst.js:
3465         * stress/op_mod-VarVar.js:
3466
3467 2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3468
3469         [JSC] Fix Array allocation in Object.keys
3470         https://bugs.webkit.org/show_bug.cgi?id=176826
3471
3472         Reviewed by Saam Barati.
3473
3474         * stress/object-own-property-keys.js: Added.
3475         (shouldBe):
3476
3477 2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3478
3479         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3480         https://bugs.webkit.org/show_bug.cgi?id=176010
3481
3482         Reviewed by Filip Pizlo.
3483
3484         * microbenchmarks/weak-map-key.js: Added.
3485         (assert):
3486         (objectKey):
3487         (let.start.Date.now):
3488
3489 2017-09-12  Mark Lam  <mark.lam@apple.com>
3490
3491         REGRESSION: 3 stress/op_mod (and op_div) tests timing out on Debug JSC bots.
3492         https://bugs.webkit.org/show_bug.cgi?id=176630
3493
3494         Reviewed by JF Bastien.
3495
3496         Debug builds are just slow, and these tests do a lot.  They pass when I run them
3497         locally on my MacBook Pro.  So, I'm bumping their timing multiplier to 2.0x as
3498         a speculative fix for the bots that are seeing these fail.
3499
3500         I also undid the skipping of the op_mod tests for debug builds.
3501
3502         * stress/op_div-ConstVar.js:
3503         * stress/op_div-VarConst.js:
3504         * stress/op_div-VarVar.js:
3505         * stress/op_mod-ConstVar.js:
3506         * stress/op_mod-VarConst.js:
3507         * stress/op_mod-VarVar.js:
3508
3509 2017-09-12  Ryan Haddad  <ryanhaddad@apple.com>
3510
3511         Skip stress/value-to-boolean.js on Debug bots.
3512         https://bugs.webkit.org/show_bug.cgi?id=176787
3513
3514         Unreviewed test gardening.
3515
3516         * stress/value-to-boolean.js:
3517
3518 2017-09-11  Mark Lam  <mark.lam@apple.com>
3519
3520         Change test expectation for test262/test/language/statements/try/tco-catch.js
3521         https://bugs.webkit.org/show_bug.cgi?id=176749
3522
3523         Rubber stamped by Keith Miller.
3524
3525         It's been failing since at least r221821.  I'm changing the test expectation to
3526         fail to green the bots while I investigate some more.
3527
3528         * test262.yaml:
3529
3530 2017-09-11  Ryan Haddad  <ryanhaddad@apple.com>
3531
3532         Unreviewed, rolling out r221854.
3533
3534         The test added with this change fails on 32-bit JSC bots.
3535
3536         Reverted changeset:
3537
3538         "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
3539         https://bugs.webkit.org/show_bug.cgi?id=176010
3540         http://trac.webkit.org/changeset/221854
3541
3542 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3543
3544         [DFG] Optimize WeakMap::get by adding intrinsic and fixup
3545         https://bugs.webkit.org/show_bug.cgi?id=176010
3546
3547         Reviewed by Filip Pizlo.
3548
3549         * microbenchmarks/weak-map-key.js: Added.
3550         (assert):
3551         (objectKey):
3552         (let.start.Date.now):
3553
3554 2017-09-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3555
3556         [JSC] Optimize Object.keys by using careful array allocation
3557         https://bugs.webkit.org/show_bug.cgi?id=176654
3558
3559         Reviewed by Darin Adler.
3560
3561         * microbenchmarks/object-keys.js: Added.
3562         (test):
3563
3564 2017-09-09  Filip Pizlo  <fpizlo@apple.com>
3565
3566         Error should compute .stack and friends lazily
3567         https://bugs.webkit.org/show_bug.cgi?id=176645
3568
3569         Reviewed by Saam Barati.
3570
3571         * ChakraCore.yaml: Skip test that was testing non-standard behavior of these fields.
3572         * microbenchmarks/new-error.js: Added.
3573         * microbenchmarks/throw.js: Added.
3574
3575 2017-09-09  Mark Lam  <mark.lam@apple.com>
3576
3577         [Re-landing] Use JIT probes for DFG OSR exit.
3578         https://bugs.webkit.org/show_bug.cgi?id=175144
3579         <rdar://problem/33437050>
3580
3581         Not reviewed.  Original patch reviewed by Saam Barati.
3582
3583         Disable these tests for debug builds because they run too slow with the new OSR exit.
3584
3585         * stress/op_mod-ConstVar.js:
3586         * stress/op_mod-VarConst.js:
3587         * stress/op_mod-VarVar.js:
3588
3589 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3590
3591         [DFG] NewArrayWithSize(size)'s size does not care negative zero
3592         https://bugs.webkit.org/show_bug.cgi?id=176300
3593
3594         Reviewed by Saam Barati.
3595
3596         * stress/new-array-with-size-div.js: Added.
3597         (shouldBe):
3598         (test):
3599         (i.i):
3600
3601 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3602
3603         [DFG] PutByVal with Array::Generic is too generic
3604         https://bugs.webkit.org/show_bug.cgi?id=176345
3605
3606         Reviewed by Filip Pizlo.
3607
3608         * stress/object-assign-symbols.js: Added.
3609         (shouldBe):
3610         (test):
3611         * stress/object-assign.js: Added.
3612         (shouldBe):
3613         (test):
3614         (i.shouldBe.JSON.stringify.test):
3615
3616 2017-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3617
3618         [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
3619         https://bugs.webkit.org/show_bug.cgi?id=176590
3620
3621         Reviewed by Saam Barati.
3622
3623         * microbenchmarks/object-iterate-symbols.js: Added.
3624         (test):
3625         * microbenchmarks/object-iterate.js: Added.
3626         (test):
3627         * stress/object-iterate-symbols.js: Added.
3628         (shouldBe):
3629         (test):
3630         * stress/object-iterate.js: Added.
3631         (shouldBe):
3632         (test):
3633
3634 2017-09-07  Per Arne Vollan  <pvollan@apple.com>
3635
3636         [Win32] 10 JSC stress tests are failing.
3637         https://bugs.webkit.org/show_bug.cgi?id=176538
3638
3639         Reviewed by Mark Lam.
3640
3641         Skip tests on Windows to make the bots green.
3642
3643         * ChakraCore.yaml:
3644         * stress/date-relaxed.js:
3645
3646 2017-09-06  Mark Lam  <mark.lam@apple.com>
3647
3648         constructGenericTypedArrayViewWithArguments() is missing an exception check.
3649         https://bugs.webkit.org/show_bug.cgi?id=176485
3650         <rdar://problem/33898874>
3651
3652         Reviewed by Keith Miller.
3653
3654         * stress/regress-176485.js: Added.
3655
3656 2017-09-05  Saam Barati  <sbarati@apple.com>
3657
3658         isNotCellSpeculation is wrong with respect to SpecEmpty
3659         https://bugs.webkit.org/show_bug.cgi?id=176429
3660
3661         Reviewed by Michael Saboff.
3662
3663         * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
3664         (Foo):
3665
3666 2017-09-05  Joseph Pecoraro  <pecoraro@apple.com>
3667
3668         test262: Completion values for control flow do not match the spec
3669         https://bugs.webkit.org/show_bug.cgi?id=171265
3670
3671         Reviewed by Saam Barati.
3672
3673         * stress/completion-value.js:
3674         Condensed test for completion values in top level statements.
3675
3676         * stress/super-get-by-id.js:
3677         ClassDeclaration when evaled no longer produce values. Convert
3678         these to ClassExpressions so they produce the class value.
3679         
3680         * ChakraCore/test/GlobalFunctions/evalreturns3.baseline-jsc:
3681         This is a progression for currect spec behavior.
3682
3683         * mozilla/mozilla-tests.yaml:
3684         This test is now outdated, so mark it as failing for that reason.
3685
3686         * test262.yaml:
3687         Passing all "cptn" completion value tests.
3688
3689 2017-09-04  Saam Barati  <sbarati@apple.com>
3690
3691         typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
3692         https://bugs.webkit.org/show_bug.cgi?id=176317
3693
3694         Reviewed by Keith Miller.
3695
3696         * stress/dont-crash-when-hoist-check-structure-on-tdz.js: Added.
3697         (Foo):
3698
3699 2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3700
3701         [DFG][FTL] Efficiently execute number#toString()
3702         https://bugs.webkit.org/show_bug.cgi?id=170007
3703
3704         Reviewed by Keith Miller.
3705
3706         * microbenchmarks/number-to-string-strength-reduction.js: Added.
3707         (test):
3708         * microbenchmarks/number-to-string-with-radix-10.js: Added.
3709         (test):
3710         * microbenchmarks/number-to-string-with-radix-cse.js: Added.
3711         (test):
3712         * microbenchmarks/number-to-string-with-radix.js: Added.
3713         (test):
3714         * stress/number-to-string-strength-reduction.js: Added.
3715         (shouldBe):
3716         (test):
3717         * stress/number-to-string-with-radix-10.js: Added.
3718         (shouldBe):
3719         (test):
3720         * stress/number-to-string-with-radix-cse.js: Added.
3721         (shouldBe):
3722         (test):
3723         * stress/number-to-string-with-radix-invalid.js: Added.