Unreviewed, skip JIT tests if it isn't enabled
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-12  Tomas Popela  <tpopela@redhat.com>
2
3         Unreviewed, skip JIT tests if it isn't enabled
4
5         See https://bugs.webkit.org/show_bug.cgi?id=182730.
6
7         * stress/big-int-spec-to-primitive.js:
8         * stress/big-int-spec-to-this.js:
9
10 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
11
12         [ESNext][BigInt] Add support for BigInt in SpeculatedType
13         https://bugs.webkit.org/show_bug.cgi?id=182470
14
15         Reviewed by Saam Barati.
16
17         * stress/big-int-spec-to-primitive.js: Added.
18         * stress/big-int-spec-to-this.js: Added.
19         * stress/big-int-strict-equals-jit.js: Added.
20         * stress/big-int-strict-spec-to-this.js: Added.
21         * stress/big-int-type-of-proven-type.js: Added.
22
23 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
24
25         DFG AI and clobberize should agree with each other
26         https://bugs.webkit.org/show_bug.cgi?id=184440
27
28         Reviewed by Saam Barati.
29         
30         Add tests for all of the bugs I fixed.
31
32         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
33         (foo):
34         * stress/new-typed-array-cse-effects.js: Added.
35         (foo):
36         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
37         (foo.theO):
38         (foo):
39         * stress/string-from-char-code-change-structure-not-dead.js: Added.
40         (foo):
41         (i.valueOf):
42         (weirdValue.valueOf):
43         * stress/string-from-char-code-change-structure.js: Added.
44         (foo):
45         (i.valueOf):
46         (weirdValue.valueOf):
47
48 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
49
50         Fix errant Test262 files CRLF to LF for consistency with the original source
51         https://bugs.webkit.org/show_bug.cgi?id=184425
52
53         Reviewed by Yusuke Suzuki.
54
55         * test262/test/built-ins/Math/acosh/nan-returns.js:
56         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
57         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
58         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
59         * test262/test/built-ins/Math/cbrt/prop-desc.js:
60         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
61         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
62         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
63         * test262/test/built-ins/Math/log2/log2-basicTests.js:
64         * test262/test/built-ins/Math/sign/sign-specialVals.js:
65         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
66         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
67         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
68         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
69
70 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
71
72         Unreviewed, remove incorrect entry in test262.yaml
73         https://bugs.webkit.org/show_bug.cgi?id=184266
74
75         * test262.yaml:
76
77 2018-04-08  Valerie Young  <valerie@bocoup.com>
78
79         [JSC] Update Test262 to April 6 version
80         https://bugs.webkit.org/show_bug.cgi?id=184266
81
82         Rubber stamped by Yusuke Suzuki.
83
84 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
85
86         [JSC] Introduce op_get_by_id_direct
87         https://bugs.webkit.org/show_bug.cgi?id=183970
88
89         Reviewed by Filip Pizlo.
90
91         * stress/generator-prototype-copy.js: Added.
92         (gen):
93         (catch):
94         Adopted JF's tests.
95
96         * stress/generator-type-check.js: Added.
97         (shouldThrow):
98         (foo2):
99         (i.shouldThrow):
100         * stress/get-by-id-direct-getter.js: Added.
101         (shouldBe):
102         (shouldThrow):
103         (obj.get hello):
104         (builtin.createBuiltin):
105         (obj2.get length):
106         * stress/get-by-id-direct.js: Added.
107         (shouldBe):
108         (shouldThrow):
109         (builtin.createBuiltin):
110         * test262.yaml:
111         We fixed long-standing spec compatibility issue.
112         As a result, this patch makes several test262 tests passed!
113
114
115 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
116
117         Unreviewed, annotate test with @skip if $memoryLimited
118         https://bugs.webkit.org/show_bug.cgi?id=183894
119
120         * stress/json-stringified-overflow.js:
121
122 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
123
124         Add svn:eol-style to line-terminator-normalisation-CR.js
125         https://bugs.webkit.org/show_bug.cgi?id=184341
126
127         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
128
129 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
130
131         Unreviewed, remove errant LF from existing test262 test for CR line endings.
132
133         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
134
135 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
136
137         Unreviewed, rolling out r230320.
138
139         Revert fix, as the root cause lies elsewhere.
140
141         Reverted changeset:
142
143         "[test262] Mark line-terminator-normalisation-CR.js as a
144         binary file."
145         https://bugs.webkit.org/show_bug.cgi?id=184341
146         https://trac.webkit.org/changeset/230320
147
148 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
149
150         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
151         https://bugs.webkit.org/show_bug.cgi?id=184341
152
153         Reviewed by Yusuke Suzuki.
154
155         This test is all about CR line endings, but `svn-apply` can't deal with them.
156         Treating the file as binary ensures that its contents never are never shown in a diff.
157
158         * .gitattributes: Added.
159
160 2018-04-05  Robin Morisset  <rmorisset@apple.com>
161
162         Fix testcase (missing try/catch).
163         https://bugs.webkit.org/show_bug.cgi?id=183657
164
165         Unreviewed.
166
167         * stress/large-unshift-splice.js
168
169 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
170
171         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
172         https://bugs.webkit.org/show_bug.cgi?id=184319
173
174         Reviewed by Saam Barati.
175
176         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
177         (foo):
178         (bar):
179         * stress/array-push-nan-to-double-array.js: Added.
180         (foo):
181         (bar):
182
183 2018-04-03  Mark Lam  <mark.lam@apple.com>
184
185         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
186         https://bugs.webkit.org/show_bug.cgi?id=184284
187
188         Reviewed by Saam Barati.
189
190         * stress/js-fixed-array-out-of-memory.js:
191
192 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
193
194         JSC crash in JIT code with for-of loop and Array/Set iterators
195         https://bugs.webkit.org/show_bug.cgi?id=183174
196
197         Reviewed by Saam Barati.
198
199         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
200         (foo):
201         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
202         (f):
203
204 2018-03-30  JF Bastien  <jfbastien@apple.com>
205
206         WebAssembly: support DataView compilation
207         https://bugs.webkit.org/show_bug.cgi?id=183342
208
209         Reviewed by Mark Lam.
210
211         Test WebAssembly compilation using a DataView with offset.
212
213         * wasm/regress/183342.js: Added.
214         (attempt.catch):
215
216 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
217
218         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
219         https://bugs.webkit.org/show_bug.cgi?id=184189
220
221         Reviewed by JF Bastien.
222
223         * stress/load-hole-from-scope-into-live-var.js: Added.
224         (result.eval.try.switch):
225         (catch):
226
227 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
228
229         Unreviewed, rolling out r230102.
230
231         Caused assertion failures on JSC bots.
232
233         Reverted changeset:
234
235         "A stack overflow in the parsing of a builtin (called by
236         createExecutable) cause a crash instead of a catchable js
237         exception"
238         https://bugs.webkit.org/show_bug.cgi?id=184074
239         https://trac.webkit.org/changeset/230102
240
241 2018-03-30  Robin Morisset  <rmorisset@apple.com>
242
243         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
244         https://bugs.webkit.org/show_bug.cgi?id=183812
245
246         Reviewed by Keith Miller.
247
248         * stress/inlining-unreachable-non-tail.js: Added.
249         (foo.):
250         (foo):
251
252 2018-03-30  Robin Morisset  <rmorisset@apple.com>
253
254         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
255         https://bugs.webkit.org/show_bug.cgi?id=184074
256         <rdar://problem/37165897>
257
258         Reviewed by Keith Miller.
259
260         * stress/stack-overflow-while-parsing-builtin.js: Added.
261         (f):
262
263 2018-03-30  Robin Morisset  <rmorisset@apple.com>
264
265         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
266         https://bugs.webkit.org/show_bug.cgi?id=183657
267
268         Reviewed by Keith Miller.
269
270         * stress/large-unshift-splice.js: Added.
271         (make_contig_arr):
272
273 2018-03-28  Robin Morisset  <rmorisset@apple.com>
274
275         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
276         https://bugs.webkit.org/show_bug.cgi?id=183894
277
278         Reviewed by Saam Barati.
279
280         * stress/json-stringified-overflow.js: Added.
281         (catch):
282
283 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
284
285         DFG should know that CreateThis can be effectful
286         https://bugs.webkit.org/show_bug.cgi?id=184013
287
288         Reviewed by Saam Barati.
289
290         * stress/create-this-property-change.js: Added.
291         (Foo):
292         (RealBar):
293         (get if):
294         * stress/create-this-structure-change-without-cse.js: Added.
295         (Foo):
296         (RealBar):
297         (get if):
298         * stress/create-this-structure-change.js: Added.
299         (Foo):
300         (RealBar):
301         (get if):
302
303 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
304
305         [DFG] Introduces fused compare and jump
306         https://bugs.webkit.org/show_bug.cgi?id=177100
307
308         Reviewed by Mark Lam.
309
310         * stress/fused-jeq-slow.js: Added.
311         (shouldBe):
312         (testJEQ):
313         (testJNEQB):
314         (testJEQB):
315         (testJNEQF):
316         (testJEQF):
317         * stress/fused-jeq.js: Added.
318         (shouldBe):
319         (testJEQ):
320         (testJNEQB):
321         (testJEQB):
322         (testJNEQF):
323         (testJEQF):
324         * stress/fused-jstricteq-slow.js: Added.
325         (shouldBe):
326         (testJSTRICTEQ):
327         (testJNSTRICTEQB):
328         (testJSTRICTEQB):
329         (testJNSTRICTEQF):
330         (testJSTRICTEQF):
331         * stress/fused-jstricteq.js: Added.
332         (shouldBe):
333         (testJSTRICTEQ):
334         (testJNSTRICTEQB):
335         (testJSTRICTEQB):
336         (testJNSTRICTEQF):
337         (testJSTRICTEQF):
338
339 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
340
341         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
342         https://bugs.webkit.org/show_bug.cgi?id=183559
343
344         Reviewed by Mark Lam.
345
346         * stress/double-to-string-in-loop-removed.js: Added.
347         (test):
348         * stress/int32-to-string-in-loop-removed.js: Added.
349         (test):
350         * stress/int52-to-string-in-loop-removed.js: Added.
351         (test):
352
353 2018-03-22  Michael Saboff  <msaboff@apple.com>
354
355         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
356         https://bugs.webkit.org/show_bug.cgi?id=183901
357
358         Reviewed by Keith Miller.
359
360         New test.
361
362         * stress/array-reverse-doesnt-clobber.js: Added.
363         (testArrayReverse):
364         (createArrayOfArrays):
365         (createArrayStorage):
366
367 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
368
369         ScopedArguments should do poisoning and index masking
370         https://bugs.webkit.org/show_bug.cgi?id=183863
371
372         Reviewed by Mark Lam.
373         
374         Adds another stress test of scoped arguments.
375
376         * stress/scoped-arguments-test.js: Added.
377         (foo):
378
379 2018-03-20  Saam Barati  <sbarati@apple.com>
380
381         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
382         https://bugs.webkit.org/show_bug.cgi?id=183795
383         <rdar://problem/38298694>
384
385         Reviewed by JF Bastien.
386
387         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
388         (foo):
389         (bar):
390
391 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
392
393         [DFG][FTL] Add vectorLengthHint for NewArray
394         https://bugs.webkit.org/show_bug.cgi?id=183694
395
396         Reviewed by Saam Barati.
397
398         * stress/vector-length-hint-array-constructor.js: Added.
399         (shouldBe):
400         (test):
401         * stress/vector-length-hint-new-array.js: Added.
402         (shouldBe):
403         (test):
404
405 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
406
407         [DFG][FTL] Make ArraySlice(0) code tight
408         https://bugs.webkit.org/show_bug.cgi?id=183590
409
410         Reviewed by Saam Barati.
411
412         * stress/array-slice-with-zero.js: Added.
413         (shouldBe):
414         (test):
415         (test2):
416         * stress/array-slice-zero-args.js: Added.
417         (shouldBe):
418         (test):
419
420 2018-03-14  Caitlin Potter  <caitp@igalia.com>
421
422         [JSC] fix order of evaluation for ClassDefinitionEvaluation
423         https://bugs.webkit.org/show_bug.cgi?id=183523
424
425         Reviewed by Keith Miller.
426
427         Computed property names need to be evaluated in source order during class
428         definition evaluation, as it's observable (and specified to work this way).
429
430         This change improves compatibility with Chromium.
431
432         * stress/class_elements.js: Added.
433         (test):
434         (test.C.prototype.effect):
435         (test.C.effect):
436         (test.C.prototype.get effect):
437         (test.C.prototype.set effect):
438         (test.C):
439
440 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
441
442         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
443         https://bugs.webkit.org/show_bug.cgi?id=183310
444
445         Reviewed by Filip Pizlo.
446
447         * stress/ai-create-this-to-new-object-fire.js: Added.
448         (assert):
449         (test):
450         (func):
451         (check):
452         (test.body.A):
453         (test.body.B):
454         (test.body):
455         * stress/ai-create-this-to-new-object.js: Added.
456         (assert):
457         (test):
458         (func):
459         (check):
460         (test.body.A):
461         (test.body.B):
462         (test.body):
463
464 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
465
466         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
467         https://bugs.webkit.org/show_bug.cgi?id=181848
468
469         Reviewed by Sam Weinig.
470
471         * microbenchmarks/regexp-u-global-es5.js: Added.
472         (fn):
473         * microbenchmarks/regexp-u-global-es6.js: Added.
474         (fn):
475         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
476         (shouldBe):
477         (test):
478         (i.switch):
479         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
480         (shouldBe):
481         (test):
482
483 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
484
485         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
486         https://bugs.webkit.org/show_bug.cgi?id=183334
487
488         Reviewed by Žan Doberšek.
489
490         * stress/var-injection-cache-invalidation.js:
491
492 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
493
494         [ARM] Disable tests that run out of memory
495         https://bugs.webkit.org/show_bug.cgi?id=182699
496
497         Reviewed by Žan Doberšek.
498
499         Skip tests that run of of memory. Do not run
500         modules/module-jit-reachability.js without LLInt to prevent
501         running out of executable memory.
502
503         * modules.yaml:
504         * modules/module-jit-reachability.js:
505         * stress/has-own-property-name-cache-string-keys.js:
506         * stress/has-own-property-name-cache-symbol-keys.js:
507
508 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
509
510         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
511         https://bugs.webkit.org/show_bug.cgi?id=183173
512
513         Reviewed by Saam Barati.
514
515         * stress/async-arrow-function-in-class-heritage.js: Added.
516         (testSyntax):
517         (testSyntaxError):
518         (SyntaxError):
519
520 2018-03-01  Saam Barati  <sbarati@apple.com>
521
522         We need to clear cached structures when having a bad time
523         https://bugs.webkit.org/show_bug.cgi?id=183256
524         <rdar://problem/36245022>
525
526         Reviewed by Mark Lam.
527
528         * stress/having-a-bad-time-with-derived-arrays.js: Added.
529         (assert):
530         (defineSetter):
531         (iterate):
532         (doSlice):
533
534 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
535
536         JSC crash with `import("")`
537         https://bugs.webkit.org/show_bug.cgi?id=183175
538
539         Reviewed by Saam Barati.
540
541         * stress/import-with-empty-string.js: Added.
542
543 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
544
545         Unreviewed, skip FTL tests if FTL is disabled
546         https://bugs.webkit.org/show_bug.cgi?id=183071
547
548         * stress/has-indexed-property-array-storage-ftl.js:
549         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
550
551 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
552
553         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
554         https://bugs.webkit.org/show_bug.cgi?id=182965
555
556         Reviewed by Saam Barati.
557
558         * stress/put-by-val-array-storage.js: Added.
559         (shouldBe):
560         (testArrayStorageInBounds):
561         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
562         (shouldBe):
563         (testInt32.createBuiltin):
564         (set for):
565         * stress/put-by-val-slow-put-array-storage.js: Added.
566         (shouldBe):
567         (testArrayStorageInBounds):
568
569 2018-02-26  Saam Barati  <sbarati@apple.com>
570
571         validateStackAccess should not validate if the offset is within the stack bounds
572         https://bugs.webkit.org/show_bug.cgi?id=183067
573         <rdar://problem/37749988>
574
575         Reviewed by Mark Lam.
576
577         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
578         (assert):
579         (test.a):
580         (test.b):
581         (test):
582
583 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
584
585         Unreviewed, skip FTL tests if FTL is disabled
586         https://bugs.webkit.org/show_bug.cgi?id=183071
587
588         * stress/has-indexed-property-array-storage-ftl.js:
589         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
590
591 2018-02-23  Saam Barati  <sbarati@apple.com>
592
593         Make Number.isInteger an intrinsic
594         https://bugs.webkit.org/show_bug.cgi?id=183088
595
596         Reviewed by JF Bastien.
597
598         * stress/number-is-integer-intrinsic.js: Added.
599
600 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
601
602         WebAssembly: cache memory address / size on instance
603         https://bugs.webkit.org/show_bug.cgi?id=177305
604
605         Reviewed by JF Bastien.
606
607         * wasm/function-tests/memory-reuse.js: Added.
608         (createWasmInstance):
609         (doCheckTrap):
610         (doMemoryGrow):
611         (doCheck):
612         (checkWasmInstancesWithSharedMemory):
613
614 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
615
616         [JSC] Implement $vm.ftlTrue function for FTL testing
617         https://bugs.webkit.org/show_bug.cgi?id=183071
618
619         Reviewed by Mark Lam.
620
621         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
622         (foo):
623         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
624         (foo):
625         * stress/dead-fiat-value-to-int52.js:
626         (foo):
627         * stress/dead-osr-entry-value.js:
628         (foo):
629         * stress/fiat-value-to-int52-then-exit-not-double.js:
630         (foo):
631         * stress/fiat-value-to-int52-then-exit-not-int52.js:
632         (foo):
633         * stress/fiat-value-to-int52-then-fail-to-fold.js:
634         (foo):
635         * stress/fiat-value-to-int52-then-fold.js:
636         (foo):
637         * stress/fiat-value-to-int52.js:
638         (foo):
639         * stress/fold-based-on-int32-proof-mul-branch.js:
640         (foo):
641         * stress/fold-profiled-call-to-call.js:
642         (foo):
643         * stress/fold-to-double-constant-then-exit.js:
644         (foo):
645         * stress/fold-to-int52-constant-then-exit.js:
646         (foo):
647         * stress/fold-to-primitive-in-cfa.js:
648         (foo):
649         * stress/fold-to-primitive-to-identity-in-cfa.js:
650         (foo):
651         * stress/has-indexed-property-array-storage-ftl.js: Added.
652         (shouldBe):
653         (test1):
654         (test2):
655         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
656         (shouldBe):
657         (test1):
658         (test2):
659         * stress/int52-ai-add-then-filter-int32.js:
660         (foo):
661         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
662         (foo):
663         * stress/int52-ai-mul-then-filter-int32.js:
664         (foo):
665         * stress/int52-ai-neg-then-filter-int32.js:
666         (foo):
667         * stress/int52-ai-sub-then-filter-int32.js:
668         (foo):
669         * stress/licm-pre-header-cannot-exit-nested.js:
670         (foo):
671         * stress/licm-pre-header-cannot-exit.js:
672         (foo):
673         * stress/sparse-array-entry-update-144067.js:
674         (useMemoryToTriggerGCs):
675         * stress/test-spec-misc.js:
676         (foo):
677         * stress/tricky-array-bounds-checks.js:
678         (foo):
679
680 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
681
682         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
683         https://bugs.webkit.org/show_bug.cgi?id=182792
684
685         Reviewed by Mark Lam.
686
687         * stress/has-indexed-property-array-storage.js: Added.
688         (shouldBe):
689         (test1):
690         (test2):
691         * stress/has-indexed-property-slow-put-array-storage.js: Added.
692         (shouldBe):
693         (test1):
694         (test2):
695
696 2018-02-20  Saam Barati  <sbarati@apple.com>
697
698         DFG::VarargsForwardingPhase should eliminate getting argument length
699         https://bugs.webkit.org/show_bug.cgi?id=182959
700
701         Reviewed by Keith Miller.
702
703         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
704
705 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
706
707         [FTL] Support ArrayPush for ArrayStorage
708         https://bugs.webkit.org/show_bug.cgi?id=182782
709
710         Reviewed by Saam Barati.
711
712         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
713
714         * stress/array-push-array-storage-beyond-int32.js: Added.
715         (shouldBe):
716         (test):
717         * stress/array-push-array-storage.js: Added.
718         (shouldBe):
719         (test):
720         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
721         (shouldBe):
722         (test):
723         * stress/array-push-multiple-storage-continuous.js: Added.
724         (shouldBe):
725         (test):
726
727 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
728
729         [FTL] Support ArrayPop for ArrayStorage
730         https://bugs.webkit.org/show_bug.cgi?id=182783
731
732         Reviewed by Saam Barati.
733
734         * stress/array-pop-array-storage.js: Added.
735         (shouldBe):
736         (test):
737
738 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
739
740         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
741         https://bugs.webkit.org/show_bug.cgi?id=182731
742
743         Reviewed by Saam Barati.
744
745         * stress/arrayify-array-storage-array.js: Added.
746         (shouldBe):
747         (testArrayStorage):
748         * stress/arrayify-array-storage-non-array.js: Added.
749         (shouldBe):
750         (testArrayStorage):
751         * stress/arrayify-array-storage.js: Added.
752         (shouldBe):
753         (testArrayStorage):
754         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
755         (shouldBe):
756         (testArrayStorage):
757         * stress/arrayify-slow-put-array-storage.js: Added.
758         (shouldBe):
759         (testArrayStorage):
760
761 2018-02-19  Saam Barati  <sbarati@apple.com>
762
763         Don't use JSFunction's allocation profile when getting the prototype can be effectful
764         https://bugs.webkit.org/show_bug.cgi?id=182942
765         <rdar://problem/37584764>
766
767         Reviewed by Mark Lam.
768
769         * stress/get-prototype-create-this-effectful.js: Added.
770
771 2018-02-16  Saam Barati  <sbarati@apple.com>
772
773         Fix bugs from r228411
774         https://bugs.webkit.org/show_bug.cgi?id=182851
775         <rdar://problem/37577732>
776
777         Reviewed by JF Bastien.
778
779         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
780
781 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
782
783         Unreviewed, roll out r228366 since it did not progress anything.
784
785         * stress/gc-error-stack.js: Removed.
786         * stress/no-gc-error-stack.js: Removed.
787
788 2018-02-15  Tomas Popela  <tpopela@redhat.com>
789
790         Many stress tests fail with JIT disabled
791         https://bugs.webkit.org/show_bug.cgi?id=182730
792
793         Reviewed by Saam Barati.
794
795         These tests are broken by design if the JIT is disabled - they test
796         the return value of numberOfDFGCompiles(), which is always set to
797         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
798
799         * stress/arith-abs-on-various-types.js:
800         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
801         * stress/arith-acos-on-various-types.js:
802         * stress/arith-acosh-on-various-types.js:
803         * stress/arith-asin-on-various-types.js:
804         * stress/arith-asinh-on-various-types.js:
805         * stress/arith-atan-on-various-types.js:
806         * stress/arith-atanh-on-various-types.js:
807         * stress/arith-cbrt-on-various-types.js:
808         * stress/arith-ceil-on-various-types.js:
809         * stress/arith-clz32-on-various-types.js:
810         * stress/arith-cos-on-various-types.js:
811         * stress/arith-cosh-on-various-types.js:
812         * stress/arith-expm1-on-various-types.js:
813         * stress/arith-floor-on-various-types.js:
814         * stress/arith-fround-on-various-types.js:
815         * stress/arith-log-on-various-types.js:
816         * stress/arith-log10-on-various-types.js:
817         * stress/arith-log2-on-various-types.js:
818         * stress/arith-negate-on-various-types.js:
819         * stress/arith-round-on-various-types.js:
820         * stress/arith-sin-on-various-types.js:
821         * stress/arith-sinh-on-various-types.js:
822         * stress/arith-sqrt-on-various-types.js:
823         * stress/arith-tan-on-various-types.js:
824         * stress/arith-tanh-on-various-types.js:
825         * stress/arith-trunc-on-various-types.js:
826         * stress/compare-strict-eq-on-various-types.js:
827
828 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
829
830         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
831
832         Unreviewed test gardening.
833
834         * stress/new-largeish-contiguous-array-with-size.js:
835
836 2018-02-14  Saam Barati  <sbarati@apple.com>
837
838         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
839         https://bugs.webkit.org/show_bug.cgi?id=182801
840
841         Reviewed by Keith Miller.
842
843         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
844
845 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
846
847         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
848         https://bugs.webkit.org/show_bug.cgi?id=182526
849
850         Unreviewed test gardening.
851
852         * stress/activation-sink-default-value-tdz-error.js:
853
854 2018-02-13  Saam Barati  <sbarati@apple.com>
855
856         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
857         https://bugs.webkit.org/show_bug.cgi?id=182755
858         <rdar://problem/37080864>
859
860         Reviewed by Keith Miller.
861
862         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
863         (test1.o.get 10005):
864         (test1):
865         (test2.o.get 1000):
866         (test2):
867
868 2018-02-13  Caitlin Potter  <caitp@igalia.com>
869
870         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
871         https://bugs.webkit.org/show_bug.cgi?id=182717
872
873         Reviewed by Yusuke Suzuki.
874
875         https://github.com/tc39/ecma262/pull/890 imposes a change to template
876         literals, to allow template callsite arrays to be collected when the
877         code containing the tagged template call is collected. This spec change
878         has received concensus and been ratified.
879
880         This change eliminates the eternal map associating template contents
881         with arrays.
882
883         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
884         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
885         * stress/tagged-templates-identity.js:
886         * stress/template-string-tags-eval.js:
887         * test262.yaml:
888
889 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
890
891         Support GetArrayLength on ArrayStorage in the FTL
892         https://bugs.webkit.org/show_bug.cgi?id=182625
893
894         Reviewed by Saam Barati.
895
896         * stress/array-storage-length.js: Added.
897         (shouldBe):
898         (testInBound):
899         (testUncountable):
900         (testSlowPutInBound):
901         (testSlowPutUncountable):
902         * stress/undecided-length.js: Added.
903         (shouldBe):
904         (test2):
905
906 2018-02-12  Saam Barati  <sbarati@apple.com>
907
908         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
909         https://bugs.webkit.org/show_bug.cgi?id=182706
910         <rdar://problem/36833681>
911
912         Reviewed by Filip Pizlo.
913
914         * stress/get-array-length-phantom-new-array-buffer.js: Added.
915         (effects):
916         (foo):
917
918 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
919
920         Don't waste memory for error.stack
921         https://bugs.webkit.org/show_bug.cgi?id=182656
922
923         Reviewed by Saam Barati.
924         
925         Tests the policy.
926
927         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
928         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
929
930 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
931
932         [JSC] Update Test262 to Feb 9 version
933         https://bugs.webkit.org/show_bug.cgi?id=182468
934
935         Reviewed by Saam Barati.
936
937 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
938
939         Unreviewed, fix invalid line terminator in old test262 file part 2
940         https://bugs.webkit.org/show_bug.cgi?id=182468
941
942         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
943
944 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
945
946         Unreviewed, fix invalid line terminator in old test262 file
947         https://bugs.webkit.org/show_bug.cgi?id=182468
948
949         * test262/test/language/literals/regexp/7.8.5-1.js:
950
951 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
952
953         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
954         https://bugs.webkit.org/show_bug.cgi?id=182440
955
956         Reviewed by Darin Adler.
957
958         * stress/array-flatmap.js: Added.
959         (shouldBe):
960         (shouldBeArray):
961         (shouldThrow):
962         (var):
963         * stress/array-flatten.js: Added.
964         (shouldBe):
965         (shouldBeArray):
966         * test262.yaml:
967         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
968         (3.flatMap):
969         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
970
971 2018-02-06  Keith Miller  <keith_miller@apple.com>
972
973         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
974         https://bugs.webkit.org/show_bug.cgi?id=182549
975         <rdar://problem/36189995>
976
977         Reviewed by Saam Barati.
978
979         * stress/var-injection-cache-invalidation.js: Added.
980         (allocateLotsOfThings):
981         (test):
982
983 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
984
985         Unreviewed, follow up for test262 update
986         https://bugs.webkit.org/show_bug.cgi?id=182288
987
988         * test262.yaml:
989
990 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
991
992         Update test262 to Jan 30 version
993         https://bugs.webkit.org/show_bug.cgi?id=182288
994
995         Unreviewed test gardening.
996
997         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
998
999 2018-02-02  Saam Barati  <sbarati@apple.com>
1000
1001         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1002         https://bugs.webkit.org/show_bug.cgi?id=182368
1003         <rdar://problem/36932466>
1004
1005         Reviewed by Mark Lam.
1006
1007         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1008         (runNearStackLimit.t):
1009         (runNearStackLimit):
1010         (try.runNearStackLimit):
1011         (catch):
1012
1013 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1014
1015         Update test262 to Jan 30 version
1016         https://bugs.webkit.org/show_bug.cgi?id=182288
1017
1018         Rubber stamped by Saam Barati.
1019
1020         This patch updates test262 to the latest one, Jan 30 version.
1021         Since added and changed files are too many, we cannot create ChangeLog.
1022         The following files are changed.
1023
1024         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1025         including some special line terminators (like u2028, u2029).
1026
1027         * test262.yaml:
1028         * test262/test262-Revision.txt:
1029         * test262/*:
1030
1031 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1032
1033         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1034         https://bugs.webkit.org/show_bug.cgi?id=182411
1035
1036         Reviewed by Carlos Alberto Lopez Perez.
1037
1038         This is skipped only on arm memory limited platforms. Until recently
1039         it was not a problem on MIPS as the butterfly was not initialized. But
1040         since r227435, the butterfly is initialized in that test and therefore
1041         memory is allocated, and the test typically takes around 512M, which
1042         means it generally gets OOM-killed on the MIPS buildbot.
1043
1044         * mozilla/mozilla-tests.yaml:
1045
1046 2018-02-01  Mark Lam  <mark.lam@apple.com>
1047
1048         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1049         https://bugs.webkit.org/show_bug.cgi?id=182419
1050         <rdar://problem/37044945>
1051
1052         Reviewed by Saam Barati.
1053
1054         * stress/regress-182419.js: Added.
1055
1056 2018-02-01  Keith Miller  <keith_miller@apple.com>
1057
1058         Fix crashes due to mishandling custom sections.
1059         https://bugs.webkit.org/show_bug.cgi?id=182404
1060         <rdar://problem/36935863>
1061
1062         Reviewed by Saam Barati.
1063
1064         * wasm/Builder.js:
1065         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1066         * wasm/js-api/validate.js:
1067         (assert.truthy):
1068
1069 2018-01-31  Saam Barati  <sbarati@apple.com>
1070
1071         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1072         https://bugs.webkit.org/show_bug.cgi?id=182074
1073         <rdar://problem/36846261>
1074
1075         Reviewed by Mark Lam.
1076
1077         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1078         (assert):
1079         (let.func):
1080         (let.o.foo):
1081         (varFunc):
1082
1083 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1084
1085         Unreviewed, update test262 expects
1086         https://bugs.webkit.org/show_bug.cgi?id=182232
1087
1088         * test262.yaml:
1089
1090 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1091
1092         [JSC] Implement trimStart and trimEnd
1093         https://bugs.webkit.org/show_bug.cgi?id=182233
1094
1095         Reviewed by Mark Lam.
1096
1097         * stress/trim.js: Added.
1098         (shouldBe):
1099         (startTest):
1100         (endTest):
1101         (trimTest):
1102
1103 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1104
1105         [JSC] Relax line terminators in String to make JSON subset of JS
1106         https://bugs.webkit.org/show_bug.cgi?id=182232
1107
1108         Reviewed by Keith Miller.
1109
1110         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1111         * stress/relaxed-line-terminators-in-string.js: Added.
1112         (shouldBe):
1113
1114 2018-01-29  Michael Saboff  <msaboff@apple.com>
1115
1116         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1117         https://bugs.webkit.org/show_bug.cgi?id=182249
1118
1119         Reviewed by Keith Miller.
1120
1121         New regression test.
1122
1123         * stress/compare-clobber-untypeduse.js: Added.
1124
1125 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1126
1127         Unreviewed, rolling out r227725.
1128
1129         This caused internal failures.
1130
1131         Reverted changeset:
1132
1133         "JSC Sampling Profiler: Detect tester and testee when sampling
1134         in RegExp JIT"
1135         https://bugs.webkit.org/show_bug.cgi?id=152729
1136         https://trac.webkit.org/changeset/227725
1137
1138 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1139
1140         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1141         https://bugs.webkit.org/show_bug.cgi?id=152729
1142
1143         Reviewed by Saam Barati.
1144
1145         * stress/sampling-profiler-regexp.js: Added.
1146         (platformSupportsSamplingProfiler.test):
1147         (platformSupportsSamplingProfiler.baz):
1148         (platformSupportsSamplingProfiler):
1149
1150 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1151
1152         [DFG][FTL] WeakMap#set should have DFG node
1153         https://bugs.webkit.org/show_bug.cgi?id=180015
1154
1155         Reviewed by Saam Barati.
1156
1157         * stress/weakmap-set-change-get.js: Added.
1158         (shouldBe):
1159         (test):
1160         * stress/weakmap-set-cse.js: Added.
1161         (shouldBe):
1162         (test):
1163         * stress/weakset-add-change-get.js: Added.
1164         (shouldBe):
1165         * stress/weakset-add-cse.js: Added.
1166         (shouldBe):
1167
1168 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1169
1170         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1171         https://bugs.webkit.org/show_bug.cgi?id=182213
1172
1173         Reviewed by Mark Lam.
1174
1175         * stress/int32-min-to-string.js: Added.
1176         (shouldBe):
1177         (test2):
1178         (test4):
1179         (test8):
1180         (test16):
1181         (test32):
1182         * stress/zero-to-string.js: Added.
1183         (shouldBe):
1184         (test2):
1185         (test4):
1186         (test8):
1187         (test16):
1188         (test32):
1189
1190 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1191
1192         Add more module scope related tests with code evaluation by string
1193         https://bugs.webkit.org/show_bug.cgi?id=181983
1194
1195         Reviewed by Sam Weinig.
1196
1197         Add more module scope related tests. When the original tests are landed,
1198         we do not have browser integration. This patch adds more module scope tests
1199         with dynamically created script evaluation. We add tests with Function
1200         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1201
1202         * modules/scopes-eval.js: Added.
1203         (shouldBe):
1204         * modules/scopes.js:
1205         (shouldBe):
1206
1207 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1208
1209         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1210
1211         * microbenchmarks/array-push-3.js: Removed.
1212         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1213         * microbenchmarks/double-to-int32.js: Removed.
1214         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1215         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1216         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1217         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1218         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1219         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1220         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1221         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1222         * microbenchmarks/map-constant-key.js: Removed.
1223         * microbenchmarks/nested-function-parsing.js: Removed.
1224         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1225         * microbenchmarks/spread-large-array.js: Removed.
1226         * microbenchmarks/string-add-constant-folding.js: Removed.
1227         * microbenchmarks/to-lower-case.js: Removed.
1228         * microbenchmarks/undefined-property-access.js: Removed.
1229         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1230         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1231         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1232         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1233         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1234         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1235         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1236         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1237         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1238         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1239         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1240         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1241         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1242         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1243         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1244         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1245         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1246         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1247
1248 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1249
1250         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1251         https://bugs.webkit.org/show_bug.cgi?id=181739
1252         <rdar://problem/36627662>
1253
1254         Reviewed by Saam Barati.
1255
1256         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1257         (foo):
1258         (bar):
1259
1260 2018-01-22  Michael Saboff  <msaboff@apple.com>
1261
1262         DFG abstract interpreter needs to properly model effects of some Math ops
1263         https://bugs.webkit.org/show_bug.cgi?id=181886
1264
1265         Reviewed by Saam Barati.
1266
1267         New regression test.
1268
1269         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1270         (test):
1271
1272 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1273
1274         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1275         https://bugs.webkit.org/show_bug.cgi?id=181182
1276
1277         Reviewed by Darin Adler.
1278
1279         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1280         * stress/big-int-prototype-to-string-exception.js: Added.
1281         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1282         * stress/number-prototype-to-string-cast-overflow.js: Added.
1283         * stress/number-prototype-to-string-exception.js: Added.
1284         * stress/number-prototype-to-string-wrong-values.js: Added.
1285
1286 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1287
1288         Disable Atomics when SharedArrayBuffer isn’t enabled
1289         https://bugs.webkit.org/show_bug.cgi?id=181572
1290
1291         Unreviewed test gardening.
1292
1293         * test262.yaml: Skip tests that fail after this change.
1294
1295 2018-01-19  Saam Barati  <sbarati@apple.com>
1296
1297         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1298         https://bugs.webkit.org/show_bug.cgi?id=181877
1299         <rdar://problem/36630552>
1300
1301         Reviewed by Mark Lam.
1302
1303         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1304         (runNearStackLimit):
1305         (f1):
1306         (f2):
1307         (f3):
1308         (i.catch):
1309         (i.try.runNearStackLimit):
1310         (catch):
1311
1312 2018-01-19  Saam Barati  <sbarati@apple.com>
1313
1314         Spread's effects are modeled incorrectly both in AI and in Clobberize
1315         https://bugs.webkit.org/show_bug.cgi?id=181867
1316         <rdar://problem/36290415>
1317
1318         Reviewed by Michael Saboff.
1319
1320         * stress/ai-needs-to-model-spreads-effects.js: Added.
1321         (try.p.Symbol.iterator):
1322         (try.go):
1323         (catch):
1324         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1325         (assert):
1326         (foo):
1327         (a.Symbol.iterator):
1328
1329 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1330
1331         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1332         https://bugs.webkit.org/show_bug.cgi?id=181535
1333
1334         * stress/inserted-recovery-with-set-last-index.js:
1335
1336 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1337
1338         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1339         https://bugs.webkit.org/show_bug.cgi?id=181535
1340
1341         Reviewed by Saam Barati.
1342
1343         * stress/inserted-recovery-with-set-last-index.js: Added.
1344         (shouldBe):
1345         (foo):
1346         * stress/materialize-regexp-at-osr-exit.js: Added.
1347         (shouldBe):
1348         (test):
1349         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1350         (shouldBe):
1351         (test):
1352         * stress/materialize-regexp-cyclic-regexp.js: Added.
1353         (shouldBe):
1354         (test):
1355         (i.switch):
1356         * stress/materialize-regexp-cyclic.js: Added.
1357         (shouldBe):
1358         (test):
1359         (i.switch):
1360         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1361         (bar):
1362         (foo):
1363         (test):
1364         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1365         (bar):
1366         (foo):
1367         (test):
1368         * stress/materialize-regexp.js: Added.
1369         (shouldBe):
1370         (test):
1371         * stress/phantom-regexp-regexp-exec.js: Added.
1372         (shouldBe):
1373         (test):
1374         * stress/phantom-regexp-string-match.js: Added.
1375         (shouldBe):
1376         (test):
1377         * stress/regexp-last-index-sinking.js: Added.
1378         (shouldBe):
1379         (test):
1380
1381 2018-01-17  Saam Barati  <sbarati@apple.com>
1382
1383         Disable Atomics when SharedArrayBuffer isn’t enabled
1384         https://bugs.webkit.org/show_bug.cgi?id=181572
1385         <rdar://problem/36553206>
1386
1387         Reviewed by Michael Saboff.
1388
1389         * stress/isLockFree.js:
1390
1391 2018-01-17  Saam Barati  <sbarati@apple.com>
1392
1393         DFG::Node::convertToConstant needs to clear the varargs flags
1394         https://bugs.webkit.org/show_bug.cgi?id=181697
1395         <rdar://problem/36497332>
1396
1397         Reviewed by Yusuke Suzuki.
1398
1399         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1400         (doIndexOf):
1401         (bar):
1402         (i.bar):
1403
1404 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1405
1406         Unreviewed, rolling out r226937.
1407
1408         Tests added with this change are failing due to a missing
1409         exception check.
1410
1411         Reverted changeset:
1412
1413         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1414         double to int32_t"
1415         https://bugs.webkit.org/show_bug.cgi?id=181182
1416         https://trac.webkit.org/changeset/226937
1417
1418 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1419
1420         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1421         https://bugs.webkit.org/show_bug.cgi?id=181182
1422
1423         Reviewed by Darin Adler.
1424
1425         * bigIntTests.yaml:
1426         * stress/big-int-constructor.js:
1427         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1428         (assert):
1429         (assertThrowRangeError):
1430         * stress/number-prototype-to-string-cast-overflow.js: Added.
1431         (assert):
1432         (assertThrowRangeError):
1433
1434 2018-01-12  Saam Barati  <sbarati@apple.com>
1435
1436         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1437         https://bugs.webkit.org/show_bug.cgi?id=181177
1438         <rdar://problem/36205704>
1439
1440         Reviewed by Yusuke Suzuki.
1441
1442         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1443         (runNearStackLimit.t):
1444         (runNearStackLimit):
1445         (test.f):
1446         (test):
1447
1448 2018-01-12  Saam Barati  <sbarati@apple.com>
1449
1450         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1451         https://bugs.webkit.org/show_bug.cgi?id=181562
1452         <rdar://problem/36445624>
1453
1454         Reviewed by Yusuke Suzuki.
1455
1456         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1457         (f):
1458         (foo):
1459
1460 2018-01-11  Saam Barati  <sbarati@apple.com>
1461
1462         When inserting Unreachable in byte code parser we need to flush all the right things
1463         https://bugs.webkit.org/show_bug.cgi?id=181509
1464         <rdar://problem/36423110>
1465
1466         Reviewed by Mark Lam.
1467
1468         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1469
1470 2018-01-11  Saam Barati  <sbarati@apple.com>
1471
1472         JITMathIC code in the FTL is wrong when code gets duplicated
1473         https://bugs.webkit.org/show_bug.cgi?id=181525
1474         <rdar://problem/36351993>
1475
1476         Reviewed by Michael Saboff and Keith Miller.
1477
1478         * stress/allow-math-ic-b3-code-duplication.js: Added.
1479
1480 2018-01-11  Saam Barati  <sbarati@apple.com>
1481
1482         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1483         https://bugs.webkit.org/show_bug.cgi?id=181508
1484
1485         Reviewed by Yusuke Suzuki.
1486
1487         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1488         (assert):
1489         (test1.foo):
1490         (test1):
1491         (test2.foo):
1492         (test2):
1493
1494 2018-01-09  Mark Lam  <mark.lam@apple.com>
1495
1496         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1497         https://bugs.webkit.org/show_bug.cgi?id=181388
1498         <rdar://problem/36349351>
1499
1500         Reviewed by Saam Barati.
1501
1502         * stress/regress-181388.js: Added.
1503
1504 2018-01-08  JF Bastien  <jfbastien@apple.com>
1505
1506         WebAssembly: mask indexed accesses to Table
1507         https://bugs.webkit.org/show_bug.cgi?id=181412
1508         <rdar://problem/36363236>
1509
1510         Reviewed by Saam Barati.
1511
1512         Update error messages.
1513
1514         * wasm/js-api/table.js:
1515         (assert.throws.WebAssembly.Table.prototype.grow):
1516
1517 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1518
1519         Disable SharedArrayBuffer tests missed in r226386.
1520         https://bugs.webkit.org/show_bug.cgi?id=181266
1521
1522         Unreviewed test gardening.
1523
1524         * test262.yaml:
1525
1526 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1527
1528         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1529         https://bugs.webkit.org/show_bug.cgi?id=181321
1530
1531         Reviewed by Saam Barati.
1532
1533         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1534         (shouldBe):
1535         (testFunction):
1536         * test262.yaml:
1537
1538 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1539
1540         Unreviewed, attempt to fix test262 after r226386.
1541
1542         * test262.yaml:
1543
1544 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1545
1546         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1547         https://bugs.webkit.org/show_bug.cgi?id=179911
1548
1549         Reviewed by Saam Barati.
1550
1551         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1552
1553         * stress/map-set-change-get.js: Added.
1554         (shouldBe):
1555         (test):
1556         * stress/map-set-create-bucket.js: Added.
1557         (shouldBe):
1558         (test):
1559         * stress/set-add-create-bucket.js: Added.
1560         (shouldBe):
1561
1562 2018-01-03  Michael Saboff  <msaboff@apple.com>
1563
1564         Disable SharedArrayBuffers from Web API
1565         https://bugs.webkit.org/show_bug.cgi?id=181266
1566
1567         Reviewed by Saam Barati.
1568
1569         Disabled SharedArrayBuffer tests.
1570
1571         * stress/SharedArrayBuffer-opt.js:
1572         * stress/SharedArrayBuffer.js:
1573         * stress/array-buffer-byte-length.js:
1574         * stress/atomics-add-uint32.js:
1575         * stress/atomics-known-int-use.js:
1576         * stress/atomics-neg-zero.js:
1577         * stress/atomics-store-return.js:
1578         * stress/lars-sab-workers.js:
1579         * stress/regress-159779-1.js:
1580         * stress/regress-159779-2.js:
1581         * stress/regress-170473.js:
1582         * test262.yaml:
1583
1584 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1585
1586         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1587         https://bugs.webkit.org/show_bug.cgi?id=181258
1588
1589         Reviewed by Antonio Gomes.
1590
1591         * stress/big-int-constructor-gc.js:
1592         * stress/big-int-constructor-oom.js:
1593
1594 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1595
1596         Inlining of a function that ends in op_unreachable crashes
1597         https://bugs.webkit.org/show_bug.cgi?id=181027
1598
1599         Reviewed by Filip Pizlo.
1600
1601         * stress/inlining-unreachable.js: Added.
1602         (bar):
1603         (baz):
1604         (i.catch):
1605
1606 2018-01-02  Saam Barati  <sbarati@apple.com>
1607
1608         Incorrect assertion inside AccessCase
1609         https://bugs.webkit.org/show_bug.cgi?id=181200
1610         <rdar://problem/35494754>
1611
1612         Reviewed by Yusuke Suzuki.
1613
1614         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1615         (ctor):
1616         (theFunc):
1617         (run):
1618
1619 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1620
1621         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1622         https://bugs.webkit.org/show_bug.cgi?id=175359
1623
1624         Reviewed by Yusuke Suzuki.
1625
1626         * bigIntTests.yaml:
1627         * stress/big-int-as-key.js: Added.
1628         * stress/big-int-constructor-gc.js: Added.
1629         * stress/big-int-constructor-oom.js: Added.
1630         * stress/big-int-constructor-properties.js: Added.
1631         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1632         * stress/big-int-constructor-prototype.js: Added.
1633         * stress/big-int-constructor.js: Added.
1634         * stress/big-int-function-apply.js:
1635         * stress/big-int-length.js: Added.
1636         * stress/big-int-prop-descriptor.js: Added.
1637         * stress/big-int-proto-constructor.js: Added.
1638         * stress/big-int-proto-name.js: Added.
1639         * stress/big-int-prototype-properties.js: Added.
1640         * stress/big-int-prototype-proto.js: Added.
1641         * stress/big-int-prototype-value-of.js: Added.
1642         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1643         * stress/big-int-prototype-to-string-apply.js: Added.
1644         * stress/big-int-to-object.js: Added.
1645         * stress/big-int-to-string.js: Added.
1646
1647 2017-12-28  Saam Barati  <sbarati@apple.com>
1648
1649         Assertion used to determine if something is an async generator is wrong
1650         https://bugs.webkit.org/show_bug.cgi?id=181168
1651         <rdar://problem/35640560>
1652
1653         Reviewed by Yusuke Suzuki.
1654
1655         * stress/async-generator-assertion.js: Added.
1656
1657 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1658
1659         Skip stress/splay-flash-access tests on memory limited platforms
1660         https://bugs.webkit.org/show_bug.cgi?id=181086
1661
1662         Reviewed by Carlos Alberto Lopez Perez.
1663
1664         These tests use about 185M of memory, and occasionally get OOM-killed
1665         on memory limited platforms.
1666
1667         * stress/splay-flash-access-1ms.js:
1668         * stress/splay-flash-access.js:
1669
1670 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1671
1672         Skip slow jsc tests on embedded platforms
1673         https://bugs.webkit.org/show_bug.cgi?id=180937
1674
1675         Reviewed by Carlos Alberto Lopez Perez.
1676
1677         The tests typeProfiler/deltablue-for-of.js and
1678         typeProfiler/getter-richards.js take a very long time in the
1679         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1680         thus always timeout. They should be skipped on these platforms.
1681
1682         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1683         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1684
1685 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1686
1687         [JSC] Do not check isValid() in op_new_regexp
1688         https://bugs.webkit.org/show_bug.cgi?id=180970
1689
1690         Reviewed by Saam Barati.
1691
1692         * stress/regexp-syntax-error-invalid-flags.js: Added.
1693         (shouldThrow):
1694
1695 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1696
1697         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1698         https://bugs.webkit.org/show_bug.cgi?id=180712
1699
1700         Reviewed by Michael Catanzaro.
1701
1702         stress/call-apply-exponential-bytecode-size.js crashes if the
1703         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1704         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1705         should skip the test on other platforms.
1706
1707         * stress/call-apply-exponential-bytecode-size.js:
1708
1709 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1710
1711         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1712         https://bugs.webkit.org/show_bug.cgi?id=179762
1713
1714         Reviewed by Saam Barati.
1715
1716         * stress/call-varargs-double-new-array-buffer.js: Added.
1717         (assert):
1718         (bar):
1719         (foo):
1720         * stress/call-varargs-spread-new-array-buffer.js: Added.
1721         (assert):
1722         (bar):
1723         (foo):
1724         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1725         (assert):
1726         (bar):
1727         (foo):
1728         * stress/forward-varargs-double-new-array-buffer.js: Added.
1729         (assert):
1730         (test.baz):
1731         (test.bar):
1732         (test.foo):
1733         (test):
1734         * stress/new-array-buffer-sinking-osrexit.js: Added.
1735         (target):
1736         (test):
1737         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1738         (shouldBe):
1739         (test):
1740         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1741         (shouldBe):
1742         (target):
1743         (test):
1744         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1745         (assert):
1746         (test1.bar):
1747         (test1.foo):
1748         (test1):
1749         (test2.bar):
1750         (test2.foo):
1751         (test3.baz):
1752         (test3.bar):
1753         (test3.foo):
1754         (test4.baz):
1755         (test4.bar):
1756         (test4.foo):
1757         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1758         (assert):
1759         (test.baz):
1760         (test.bar):
1761         (test.foo):
1762         (test):
1763         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1764         (assert):
1765         (baz):
1766         (bar):
1767         (effects):
1768         (foo):
1769
1770 2017-12-14  Saam Barati  <sbarati@apple.com>
1771
1772         The CleanUp after LICM is erroneously removing a Check
1773         https://bugs.webkit.org/show_bug.cgi?id=180852
1774         <rdar://problem/36063494>
1775
1776         Reviewed by Filip Pizlo.
1777
1778         * stress/dont-run-cleanup-after-licm.js: Added.
1779
1780 2017-12-14  Michael Saboff  <msaboff@apple.com>
1781
1782         REGRESSION (r225695): Repro crash on yahoo login page
1783         https://bugs.webkit.org/show_bug.cgi?id=180761
1784
1785         Reviewed by JF Bastien.
1786
1787         New regression test.
1788
1789         * stress/regress-180761.js: Added.
1790
1791 2017-12-13  Keith Miller  <keith_miller@apple.com>
1792
1793         JSObjects should have a mask for loading indexed properties
1794         https://bugs.webkit.org/show_bug.cgi?id=180768
1795
1796         Reviewed by Mark Lam.
1797
1798         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1799         (test):
1800
1801 2017-12-13  Saam Barati  <sbarati@apple.com>
1802
1803         Arrow functions need their own structure because they have different properties than sloppy functions
1804         https://bugs.webkit.org/show_bug.cgi?id=180779
1805         <rdar://problem/35814591>
1806
1807         Reviewed by Mark Lam.
1808
1809         * stress/arrow-function-needs-its-own-structure.js: Added.
1810         (assert):
1811         (readPrototype):
1812         (noInline.let.f1):
1813         (noInline):
1814
1815 2017-12-13  Saam Barati  <sbarati@apple.com>
1816
1817         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1818         https://bugs.webkit.org/show_bug.cgi?id=163579
1819         <rdar://problem/35455798>
1820
1821         Reviewed by Mark Lam.
1822
1823         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1824         (assert):
1825         (test1):
1826         (i.test1):
1827         (i.test1.C):
1828         (i.test1.async.foo):
1829         (i.test1.foo):
1830         (test2):
1831
1832 2017-12-13  Saam Barati  <sbarati@apple.com>
1833
1834         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1835         https://bugs.webkit.org/show_bug.cgi?id=180734
1836         <rdar://problem/35640547>
1837
1838         Reviewed by Yusuke Suzuki.
1839
1840         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1841         (__isPropertyOfType):
1842         (__getProperties):
1843         (__getObjects):
1844         (__getRandomObject):
1845         (theClass.):
1846         (theClass):
1847         (childClass):
1848         (counter.catch):
1849
1850 2017-12-12  Saam Barati  <sbarati@apple.com>
1851
1852         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1853         https://bugs.webkit.org/show_bug.cgi?id=180725
1854         <rdar://problem/35970511>
1855
1856         Reviewed by Michael Saboff.
1857
1858         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1859         (f1):
1860         (f2):
1861         (let.o2.valueOf):
1862
1863 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1864
1865         [JSC] Implement optimized WeakMap and WeakSet
1866         https://bugs.webkit.org/show_bug.cgi?id=179929
1867
1868         Reviewed by Saam Barati.
1869
1870         * microbenchmarks/weak-map-key.js:
1871         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1872         (assert):
1873         (objectKey):
1874         (let.start.Date.now):
1875         * stress/basic-weakmap.js: Added.
1876         (shouldBe):
1877         (test):
1878         * stress/basic-weakset.js: Added.
1879         (shouldBe):
1880         (test.set new):
1881         * stress/weakmap-cse-set-break.js: Added.
1882         (shouldBe):
1883         (test):
1884         * stress/weakmap-cse.js: Added.
1885         (shouldBe):
1886         (test):
1887         * stress/weakmap-gc.js: Added.
1888         (test):
1889         * stress/weakset-cse-add-break.js: Added.
1890         (shouldBe):
1891         (test.set new):
1892         * stress/weakset-cse.js: Added.
1893         (shouldBe):
1894         (test.set new):
1895         * stress/weakset-gc.js: Added.
1896         (test.set add):
1897         (test.set new):
1898         (test):
1899
1900 2017-12-12  Saam Barati  <sbarati@apple.com>
1901
1902         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1903         https://bugs.webkit.org/show_bug.cgi?id=180723
1904         <rdar://problem/35859726>
1905
1906         Reviewed by JF Bastien.
1907
1908         * stress/get-my-argument-by-val-constant-folding.js: Added.
1909         (test):
1910         (catch):
1911
1912 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1913
1914         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1915         https://bugs.webkit.org/show_bug.cgi?id=179000
1916
1917         Reviewed by Darin Adler and Yusuke Suzuki.
1918
1919         * bigIntTests.yaml: Added.
1920         * stress/big-int-literal-line-terminator.js: Added.
1921         * stress/big-int-literals.js: Added.
1922         * stress/big-int-operations-error.js: Added.
1923         * stress/big-int-type-of.js: Added.
1924         * stress/big-int-white-space-trailing-leading.js: Added.
1925         * stress/big-int-function-apply.js: Added.
1926
1927 2017-12-11  Saam Barati  <sbarati@apple.com>
1928
1929         We need to disableCaching() in ErrorInstance when we materialize properties
1930         https://bugs.webkit.org/show_bug.cgi?id=180343
1931         <rdar://problem/35833002>
1932
1933         Reviewed by Mark Lam.
1934
1935         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1936         (assert):
1937         (makeError):
1938         (storeToStack):
1939         (storeToStackAlreadyMaterialized):
1940
1941 2017-12-05  JF Bastien  <jfbastien@apple.com>
1942
1943         WebAssembly: don't eagerly checksum
1944         https://bugs.webkit.org/show_bug.cgi?id=180441
1945         <rdar://problem/35156628>
1946
1947         Reviewed by Saam Barati.
1948
1949         Checksum is now disabled, so tests only have <?> as the module
1950         name.
1951
1952         * wasm/function-tests/nameSection.js:
1953         * wasm/function-tests/stack-overflow.js:
1954         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1955         (assertOverflows.assertThrows):
1956         (assertOverflows):
1957         * wasm/function-tests/stack-trace.js:
1958
1959 2017-12-04  JF Bastien  <jfbastien@apple.com>
1960
1961         Proxy all functions, except the $ objects
1962         https://bugs.webkit.org/show_bug.cgi?id=180375
1963
1964         Reviewed by Saam Barati.
1965
1966         It looks like this test may have broken some executions because I
1967         call some internal objects. Explicitly ignore objects whose name
1968         starts with "$" because it's a bad idea anyways.
1969
1970         * stress/proxy-all-the-parameters.js:
1971         (generateObjects):
1972         (get throw):
1973
1974 2017-12-04  Saam Barati  <sbarati@apple.com>
1975
1976         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1977         https://bugs.webkit.org/show_bug.cgi?id=180366
1978         <rdar://problem/35685877>
1979
1980         Reviewed by Michael Saboff.
1981
1982         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1983         (theParent):
1984         (test1.base.getParentStaticValue):
1985         (test1.base):
1986         (test1.__v_24888.prototype.set prop):
1987         (test1.__v_24888):
1988         (test2.base.getParentStaticValue):
1989         (test2.base):
1990         (test2.__v_24888.prototype.set prop):
1991         (test2.__v_24888):
1992         (test2):
1993
1994 2017-12-01  JF Bastien  <jfbastien@apple.com>
1995
1996         Try proxying all function arguments
1997         https://bugs.webkit.org/show_bug.cgi?id=180306
1998
1999         Reviewed by Saam Barati.
2000
2001         * stress/proxy-all-the-parameters.js: Added.
2002         (isPropertyOfType):
2003         (getProperties):
2004         (generateObjects):
2005         (getObjects):
2006         (getFunctions):
2007         (get throw):
2008         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2009
2010 2017-12-01  JF Bastien  <jfbastien@apple.com>
2011
2012         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2013         https://bugs.webkit.org/show_bug.cgi?id=180297
2014         <rdar://problem/35745556>
2015
2016         Reviewed by Mark Lam.
2017
2018         * stress/math-exceptions.js: Added.
2019         (get try):
2020         (catch):
2021
2022 2017-12-01  JF Bastien  <jfbastien@apple.com>
2023
2024         JavaScriptCore: add test for weird class static getters
2025         https://bugs.webkit.org/show_bug.cgi?id=180281
2026         <rdar://problem/35592139>
2027
2028         Reviewed by Mark Lam.
2029
2030         I fixed a bug for it in r224927 and didn't add a test. Do so.
2031
2032         * stress/class-static-get-weird.js: Added.
2033         (c.prototype.get name):
2034         (c):
2035         (c.prototype.get arguments):
2036         (c.prototype.get caller):
2037         (c.prototype.get length):
2038
2039 2017-12-01  Saam Barati  <sbarati@apple.com>
2040
2041         Having a bad time needs to handle ArrayClass indexing type as well
2042         https://bugs.webkit.org/show_bug.cgi?id=180274
2043         <rdar://problem/35667869>
2044
2045         Reviewed by Keith Miller and Mark Lam.
2046
2047         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2048         (assert):
2049         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2050         (assert):
2051
2052 2017-12-01  JF Bastien  <jfbastien@apple.com>
2053
2054         WebAssembly: restore cached stack limit after out-call
2055         https://bugs.webkit.org/show_bug.cgi?id=179106
2056         <rdar://problem/35337525>
2057
2058         Reviewed by Saam Barati.
2059
2060         * wasm/function-tests/double-instance.js: Added.
2061         (const.imp.boom):
2062         (const.imp.get callAnother):
2063
2064 2017-11-30  JF Bastien  <jfbastien@apple.com>
2065
2066         WebAssembly: improve stack trace
2067         https://bugs.webkit.org/show_bug.cgi?id=179343
2068
2069         Reviewed by Saam Barati.
2070
2071         Update the tests to follow the new format. Notably, SHA1 module
2072         hash is now included in traces, and stubs are properly identified.
2073
2074         * wasm/assert.js: Add an assertion which matches regular expressions.
2075         * wasm/function-tests/nameSection.js:
2076         * wasm/function-tests/stack-overflow.js:
2077         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2078         (assertOverflows.assertThrows.wasm.1):
2079         (assertOverflows.assertThrows.wasm.0):
2080         (assertOverflows.assertThrows):
2081         (assertOverflows):
2082         * wasm/function-tests/stack-trace.js:
2083         (import.Builder.from.string_appeared_here.assert): Deleted.
2084         * wasm/function-tests/trap-after-cross-instance-call.js:
2085         (wasmFrameCountFromError):
2086         * wasm/function-tests/trap-load-2.js:
2087         (wasmFrameCountFromError):
2088         * wasm/function-tests/trap-load.js:
2089         (wasmFrameCountFromError):
2090
2091 2017-11-30  Mark Lam  <mark.lam@apple.com>
2092
2093         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2094         https://bugs.webkit.org/show_bug.cgi?id=180219
2095         <rdar://problem/35696536>
2096
2097         Reviewed by Filip Pizlo.
2098
2099         * stress/regress-180219.js: Added.
2100
2101 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2102
2103         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2104         https://bugs.webkit.org/show_bug.cgi?id=180190
2105
2106         Reviewed by Mark Lam.
2107
2108         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2109         (shouldBe):
2110         (test1):
2111         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2112         (shouldBe):
2113         (test1):
2114         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2115         (shouldBe):
2116         (test1):
2117         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2118         (shouldBe):
2119         (test1):
2120         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2121         (shouldBe):
2122         (test1):
2123         * stress/operation-in-may-have-negative-int32.js: Added.
2124         (shouldBe):
2125         (test2):
2126         * stress/operation-in-negative-int32-cast.js: Added.
2127         (shouldBe):
2128         (test1):
2129
2130 2017-11-28  JF Bastien  <jfbastien@apple.com>
2131
2132         Strict and sloppy functions shouldn't share structure
2133         https://bugs.webkit.org/show_bug.cgi?id=180103
2134         <rdar://problem/35667847>
2135
2136         Reviewed by Saam Barati.
2137
2138         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2139         because the IC was wrong.
2140         (foo):
2141         (bar):
2142         (baz):
2143         (catch):
2144         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2145         in this patch, but may as well test odd strict mode corner cases.
2146         (bar):
2147         (baz):
2148         (catch):
2149         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2150         (foo):
2151         (bar):
2152         (baz):
2153         (catch):
2154         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2155         next file, but with invalidation of the FunctionExecutable's
2156         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2157         slower path.
2158         (foo):
2159         (bar.const.x):
2160         (bar.const.y):
2161         (bar):
2162         (catch):
2163         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2164         strict nesting works correctly.
2165         (foo):
2166         (bar.baz):
2167         (bar):
2168         * stress/strict-function-structure.js: Added. The test used to
2169         assert in objectProtoFuncHasOwnProperty.
2170         (foo):
2171         (bar):
2172         (baz):
2173         * stress/strict-nested-function-structure.js: Added. Nesting.
2174         (foo):
2175         (bar):
2176         (baz.boo):
2177         (baz):
2178
2179 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2180
2181         The recursive tail call optimisation is wrong on closures
2182         https://bugs.webkit.org/show_bug.cgi?id=179835
2183
2184         Reviewed by Saam Barati.
2185
2186         * stress/closure-recursive-tail-call.js: Added.
2187         (makeClosure):
2188
2189 2017-11-27  JF Bastien  <jfbastien@apple.com>
2190
2191         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2192         https://bugs.webkit.org/show_bug.cgi?id=180051
2193         <rdar://problem/35614371>
2194
2195         Reviewed by Saam Barati.
2196
2197         * stress/rest-parameter-negative.js: Added.
2198         (__f_5484):
2199         (catch):
2200         (__f_5485):
2201         (__v_22598.catch):
2202
2203 2017-11-27  Saam Barati  <sbarati@apple.com>
2204
2205         Spread can escape when CreateRest does not
2206         https://bugs.webkit.org/show_bug.cgi?id=180057
2207         <rdar://problem/35676119>
2208
2209         Reviewed by JF Bastien.
2210
2211         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2212         (assert):
2213         (getProperties):
2214         (theFunc):
2215         (let.obj.valueOf):
2216
2217 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2218
2219         [DFG] Add NormalizeMapKey DFG IR
2220         https://bugs.webkit.org/show_bug.cgi?id=179912
2221
2222         Reviewed by Saam Barati.
2223
2224         * stress/map-untyped-normalize-cse.js: Added.
2225         (shouldBe):
2226         (test):
2227         * stress/map-untyped-normalize.js: Added.
2228         (shouldBe):
2229         (test):
2230         * stress/set-untyped-normalize-cse.js: Added.
2231         (shouldBe):
2232         (set return.set has.set has):
2233         * stress/set-untyped-normalize.js: Added.
2234         (shouldBe):
2235         (set return.set has):
2236
2237 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2238
2239         [FTL] Support DeleteById and DeleteByVal
2240         https://bugs.webkit.org/show_bug.cgi?id=180022
2241
2242         Reviewed by Saam Barati.
2243
2244         * stress/delete-by-id.js: Added.
2245         (shouldBe):
2246         (test1):
2247         (test2):
2248         * stress/delete-by-val-ftl.js: Added.
2249         (shouldBe):
2250         (test1):
2251         (test2):
2252
2253 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2254
2255         [DFG] Introduce {Set,Map,WeakMap}Fields
2256         https://bugs.webkit.org/show_bug.cgi?id=179925
2257
2258         Reviewed by Saam Barati.
2259
2260         * stress/map-set-clobber-map-get.js: Added.
2261         (shouldBe):
2262         (test):
2263         * stress/map-set-does-not-clobber-set-has.js: Added.
2264         (shouldBe):
2265         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2266         (shouldBe):
2267         (test):
2268         * stress/set-add-clobber-set-has.js: Added.
2269         (shouldBe):
2270         * stress/set-add-does-not-clobber-map-get.js: Added.
2271         (shouldBe):
2272
2273 2017-11-24  Mark Lam  <mark.lam@apple.com>
2274
2275         Move unsafe jsc shell test functions to the $vm object.
2276         https://bugs.webkit.org/show_bug.cgi?id=179980
2277
2278         Reviewed by Yusuke Suzuki.
2279
2280         * controlFlowProfiler/driver/driver.js:
2281         * controlFlowProfiler/execution-count.js:
2282         * controlFlowProfiler/if-statement.js:
2283         * controlFlowProfiler/loop-statements.js:
2284         * controlFlowProfiler/switch-statements.js:
2285         * controlFlowProfiler/test-jit.js:
2286         * exceptionFuzz/3d-cube.js:
2287         * exceptionFuzz/date-format-xparb.js:
2288         * exceptionFuzz/earley-boyer.js:
2289         * heapProfiler/basic-edges.js:
2290         * heapProfiler/property-edge-types.js:
2291         * microbenchmarks/try-get-by-id-basic.js:
2292         * microbenchmarks/try-get-by-id-polymorphic.js:
2293         * modules/namespace-object-try-get.js:
2294         * stress/argument-count-bytecode.js:
2295         * stress/argument-intrinsic-basic.js:
2296         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2297         * stress/argument-intrinsic-inlining-with-result-escape.js:
2298         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2299         * stress/argument-intrinsic-inlining-with-vararg.js:
2300         * stress/argument-intrinsic-nested-inlining.js:
2301         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2302         * stress/argument-intrinsic-with-stack-write.js:
2303         * stress/arity-mismatch-get-argument.js:
2304         * stress/array-message-passing.js:
2305         * stress/array-push-with-force-exit.js:
2306         * stress/check-dom-with-signature.js:
2307         * stress/check-sub-class.js:
2308         * stress/compare-eq-incomplete-profile.js:
2309         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2310         * stress/do-eval-virtual-call-correctly.js:
2311         * stress/dom-jit-with-poly-proto.js:
2312         * stress/domjit-exception-ic.js:
2313         * stress/domjit-exception.js:
2314         * stress/domjit-getter-complex-with-incorrect-object.js:
2315         * stress/domjit-getter-complex.js:
2316         * stress/domjit-getter-poly.js:
2317         * stress/domjit-getter-proto.js:
2318         * stress/domjit-getter-super-poly.js:
2319         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2320         * stress/domjit-getter-type-check.js:
2321         * stress/domjit-getter.js:
2322         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2323         * stress/for-in-proxy-target-changed-structure.js:
2324         * stress/for-in-proxy.js:
2325         * stress/generational-opaque-roots.js:
2326         * stress/global-const-redeclaration-setting-2.js:
2327         * stress/global-const-redeclaration-setting-3.js:
2328         * stress/global-const-redeclaration-setting-4.js:
2329         * stress/global-const-redeclaration-setting-5.js:
2330         * stress/global-const-redeclaration-setting.js:
2331         * stress/import-basic.js:
2332         * stress/import-from-eval.js:
2333         * stress/import-reject-with-exception.js:
2334         * stress/import-syntax.js:
2335         * stress/impure-get-own-property-slot-inline-cache.js:
2336         * stress/is-constructor.js:
2337         * stress/istypedarrayview-intrinsic.js:
2338         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2339         * stress/jsc-test-functions-should-be-more-robust.js:
2340         * stress/object-toString-with-proxy.js:
2341         * stress/poly-proto-custom-value-and-accessor.js:
2342         * stress/proxy-inline-cache.js:
2343         * stress/re-execute-error-module.js:
2344         * stress/regress-150532.js:
2345         * stress/regress-156992.js:
2346         * stress/regress-179619.js:
2347         * stress/resources/shadow-chicken-support.js:
2348         * stress/runtime-array.js:
2349         * stress/sampling-profiler-microtasks.js:
2350         * stress/shadow-chicken-enabled.js:
2351         * stress/spread-correct-global-object-on-exception.js:
2352         * stress/super-get-by-id.js:
2353         * stress/tailCallForwardArguments.js:
2354         * stress/to-object-intrinsic-boolean-edge.js:
2355         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2356         * stress/to-object-intrinsic-number-edge.js:
2357         * stress/to-object-intrinsic-object-edge.js:
2358         * stress/to-object-intrinsic-string-edge.js:
2359         * stress/to-object-intrinsic-symbol-edge.js:
2360         * stress/to-object-intrinsic.js:
2361         * stress/try-catch-custom-getter-as-get-by-id.js:
2362         * stress/try-get-by-id-poly-proto.js:
2363         * stress/try-get-by-id-should-spill-registers-dfg.js:
2364         * stress/try-get-by-id.js:
2365         * typeProfiler/arrow-functions.js:
2366         * typeProfiler/basic.js:
2367         * typeProfiler/captured.js:
2368         * typeProfiler/classes.js:
2369         * typeProfiler/dfg-jit-optimizations.js:
2370         * typeProfiler/dictionary-mode.js:
2371         * typeProfiler/es6-block-scoping.js:
2372         * typeProfiler/es6-classes.js:
2373         * typeProfiler/inheritance.js:
2374         * typeProfiler/int52-dfg.js:
2375         * typeProfiler/loop.js:
2376         * typeProfiler/optional-fields.js:
2377         * typeProfiler/overflow.js:
2378         * typeProfiler/return.js:
2379         * typeProfiler/symbol.js:
2380         * typeProfiler/weird-prototype-chain.js:
2381
2382 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2383
2384         [DFG][FTL] Support MapSet / SetAdd intrinsics
2385         https://bugs.webkit.org/show_bug.cgi?id=179858
2386
2387         Reviewed by Saam Barati.
2388
2389         * microbenchmarks/map-has-and-set.js: Added.
2390         (test):
2391         * stress/map-set-check-failure.js: Added.
2392         (shouldBe):
2393         (shouldThrow):
2394         (target):
2395         * stress/map-set-cse.js: Added.
2396         (shouldBe):
2397         (test):
2398         * stress/set-add-check-failure.js: Added.
2399         (shouldBe):
2400         (shouldThrow):
2401         (set shouldThrow):
2402         * stress/set-add-cse.js: Added.
2403         (shouldBe):
2404
2405 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2406
2407         [JSC] Allow poly proto for intrinsic getters
2408         https://bugs.webkit.org/show_bug.cgi?id=179550
2409
2410         Reviewed by Saam Barati.
2411
2412         This change is also tested by existing tests.
2413
2414             1. stress/intrinsic-getter-with-poly-proto.js
2415             2. stress/poly-proto-intrinsic-getter-correctness.js
2416
2417         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2418         (shouldBe):
2419         (makePolyProtoObject.foo.C):
2420         (makePolyProtoObject.foo):
2421         (makePolyProtoObject):
2422         (target):
2423         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2424         (shouldBe):
2425         (makePolyProtoObject.foo.C):
2426         (makePolyProtoObject.foo):
2427         (makePolyProtoObject):
2428         (target):
2429
2430 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2431
2432         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2433         https://bugs.webkit.org/show_bug.cgi?id=179744
2434
2435         Reviewed by Michael Catanzaro.
2436
2437         This test uses too much memory for our buildbots on these platforms
2438         and gets OOM-killed.
2439
2440         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2441         Skip if $memoryLimited and linux.
2442
2443 2017-11-17  JF Bastien  <jfbastien@apple.com>
2444
2445         WebAssembly JS API: throw when a promise can't be created
2446         https://bugs.webkit.org/show_bug.cgi?id=179826
2447         <rdar://problem/35455813>
2448
2449         Reviewed by Mark Lam.
2450
2451         Test WebAssembly.{compile,instantiate} where promise creation
2452         fails because of a stack overflow.
2453
2454         * wasm/js-api/promise-stack-overflow.js: Added.
2455         (const.runNearStackLimit.f.const.t):
2456         (async.testCompile):
2457         (async.testInstantiate):
2458
2459 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2460
2461         Unreviewed, mark regress-178385.js as memory exhausting
2462
2463         * stress/regress-178385.js:
2464
2465 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2466
2467         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2468
2469         Unreviewed test gardening.
2470
2471         * test262.yaml:
2472
2473 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2474
2475         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2476         https://bugs.webkit.org/show_bug.cgi?id=179763
2477         <rdar://problem/35550513>
2478
2479         Reviewed by Keith Miller.
2480
2481         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2482
2483         * stress/tdz-this-in-try-catch.js: Added.
2484         (__v_6388):
2485         (__v_6392):
2486
2487 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2488
2489         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2490         https://bugs.webkit.org/show_bug.cgi?id=179594
2491
2492         Reviewed by Saam Barati.
2493
2494         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2495         (shouldBe):
2496         (args):
2497         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2498         (shouldBe):
2499         (args):
2500
2501 2017-11-14  Saam Barati  <sbarati@apple.com>
2502
2503         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2504         https://bugs.webkit.org/show_bug.cgi?id=179639
2505         <rdar://problem/35513018>
2506
2507         Reviewed by JF Bastien.
2508
2509         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2510         (escape):
2511         (i.func):
2512
2513 2017-11-13  Mark Lam  <mark.lam@apple.com>
2514
2515         Add more overflow check book-keeping for MarkedArgumentBuffer.
2516         https://bugs.webkit.org/show_bug.cgi?id=179634
2517         <rdar://problem/35492517>
2518
2519         Reviewed by Saam Barati.
2520
2521         * stress/regress-179634.js: Added.
2522
2523 2017-11-13  Mark Lam  <mark.lam@apple.com>
2524
2525         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2526         https://bugs.webkit.org/show_bug.cgi?id=179619
2527         <rdar://problem/35492518>
2528
2529         Reviewed by Saam Barati.
2530
2531         * stress/regress-179619.js: Added.
2532
2533 2017-11-12  Mark Lam  <mark.lam@apple.com>
2534
2535         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2536         https://bugs.webkit.org/show_bug.cgi?id=179562
2537         <rdar://problem/35467022>
2538
2539         Reviewed by Saam Barati.
2540
2541         * regress-179562.js: Added.
2542
2543 2017-11-08  Saam Barati  <sbarati@apple.com>
2544
2545         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2546         https://bugs.webkit.org/show_bug.cgi?id=177792
2547
2548         Reviewed by Yusuke Suzuki.
2549
2550         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2551         (assert):
2552         (foo.Foo.prototype.ensureX):
2553         (foo.Foo):
2554         (foo):
2555         (access):
2556
2557 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2558
2559         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2560         https://bugs.webkit.org/show_bug.cgi?id=178592
2561
2562         Unreviewed test gardening.
2563
2564         * test262.yaml:
2565
2566 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2567
2568         Turn recursive tail calls into loops
2569         https://bugs.webkit.org/show_bug.cgi?id=176601
2570
2571         Reviewed by Saam Barati.
2572
2573         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2574
2575         Add some simple test that computes factorial in several ways, and other trivial computations.
2576         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2577         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2578         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2579         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2580
2581         * stress/inline-call-to-recursive-tail-call.js: Added.
2582         (factorial.aux):
2583         (factorial):
2584         (factorial2.aux2):
2585         (factorial2.id):
2586         (factorial2):
2587         (factorial3.aux3):
2588         (factorial3):
2589         (aux4):
2590         (factorial4):
2591         (foo):
2592         (auxBar):
2593         (bar):
2594         (test):
2595
2596 2017-11-07  Mark Lam  <mark.lam@apple.com>
2597
2598         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2599         https://bugs.webkit.org/show_bug.cgi?id=179355
2600         <rdar://problem/35263053>
2601
2602         Reviewed by Saam Barati.
2603
2604         * stress/regress-179355.js: Added.
2605
2606 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2607
2608         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2609         https://bugs.webkit.org/show_bug.cgi?id=144458
2610
2611         Reviewed by Saam Barati.
2612
2613         * microbenchmarks/dfg-internal-function-call.js: Added.
2614         (target):
2615         * microbenchmarks/dfg-internal-function-construct.js: Added.
2616         (target):
2617         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2618         (target):
2619         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2620         (target):
2621         * stress/dfg-internal-function-call.js: Added.
2622         (shouldBe):
2623         (target):
2624         * stress/dfg-internal-function-construct.js: Added.
2625         (shouldBe):
2626         (target):
2627         * stress/internal-function-call.js: Added.
2628         (shouldBe):
2629         * stress/internal-function-construct.js: Added.
2630         (shouldBe):
2631
2632 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2633
2634         [Win] Skip stress/regress-178385.js.
2635         https://bugs.webkit.org/show_bug.cgi?id=179298
2636
2637         Unreviewed test gardening.
2638
2639         * stress/regress-178385.js:
2640
2641 2017-11-03  Keith Miller  <keith_miller@apple.com>
2642
2643         Add test for ic with side effects
2644         https://bugs.webkit.org/show_bug.cgi?id=179268
2645
2646         Reviewed by Saam Barati.
2647
2648         * stress/put-inline-cache-side-effects.js: Added.
2649         (let.i.of.objs.keys):
2650         (f):
2651
2652 2017-11-03  Mark Lam  <mark.lam@apple.com>
2653
2654         CachedCall (and its clients) needs overflow checks.
2655         https://bugs.webkit.org/show_bug.cgi?id=179185
2656
2657         Reviewed by JF Bastien.
2658
2659         * stress/regress-179185.js: Added.
2660
2661 2017-11-02  Michael Saboff  <msaboff@apple.com>
2662
2663         DFG needs to handle code motion of code in for..in loop bodies
2664         https://bugs.webkit.org/show_bug.cgi?id=179212
2665
2666         Reviewed by Keith Miller.
2667
2668         New regression test.
2669
2670         * stress/for-in-side-effects.js: Added.
2671         (getPrototypeOf):
2672         (reset):
2673         (testWithoutFTL.f):
2674         (testWithoutFTL):
2675         (testWithFTL.f):
2676         (testWithFTL):
2677
2678 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2679
2680         AI does not correctly model the clobber case of ArithClz32
2681         https://bugs.webkit.org/show_bug.cgi?id=179188
2682
2683         Reviewed by Michael Saboff.
2684
2685         * stress/arith-clz32-effects.js: Added.
2686         (foo):
2687         (valueOf):
2688
2689 2017-11-01  Michael Saboff  <msaboff@apple.com>
2690
2691         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2692         https://bugs.webkit.org/show_bug.cgi?id=179140
2693
2694         Reviewed by Saam Barati.
2695
2696         New regression test.
2697
2698         * stress/regress-179140.js: Added.
2699         (testWithoutFTL):
2700         (testWithFTL):
2701
2702 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2703
2704         [JSC] Introduce @toObject
2705         https://bugs.webkit.org/show_bug.cgi?id=178726
2706
2707         Reviewed by Saam Barati.
2708
2709         * stress/array-copywithin.js:
2710         (shouldThrow):
2711         * stress/object-constructor-boolean-edge.js: Added.
2712         (shouldBe):
2713         (test):
2714         * stress/object-constructor-global.js: Added.
2715         (shouldBe):
2716         * stress/object-constructor-null-edge.js: Added.
2717         (shouldBe):
2718         (test):
2719         * stress/object-constructor-number-edge.js: Added.
2720         (shouldBe):
2721         (test):
2722         * stress/object-constructor-object-edge.js: Added.
2723         (shouldBe):
2724         (test):
2725         (i.arg):
2726         * stress/object-constructor-string-edge.js: Added.
2727         (shouldBe):
2728         (test):
2729         * stress/object-constructor-symbol-edge.js: Added.
2730         (shouldBe):
2731         (test):
2732         * stress/object-constructor-undefined-edge.js: Added.
2733         (shouldBe):
2734         (test):
2735         * stress/symbol-array-from.js: Added.
2736         (shouldBe):
2737         * stress/to-object-intrinsic-boolean-edge.js: Added.
2738         (shouldBe):
2739         (builtin.createBuiltin):
2740         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2741         (shouldThrow):
2742         * stress/to-object-intrinsic-number-edge.js: Added.
2743         (shouldBe):
2744         (builtin.createBuiltin):
2745         * stress/to-object-intrinsic-object-edge.js: Added.
2746         (shouldBe):
2747         (builtin.createBuiltin):
2748         (i.arg):
2749         * stress/to-object-intrinsic-string-edge.js: Added.
2750         (shouldBe):
2751         (builtin.createBuiltin):
2752         * stress/to-object-intrinsic-symbol-edge.js: Added.
2753         (shouldBe):
2754         (builtin.createBuiltin):
2755         * stress/to-object-intrinsic.js: Added.
2756         (shouldBe):
2757         (shouldThrow):
2758         (builtin.createBuiltin):
2759
2760 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2761
2762         [DFG][FTL] Introduce StringSlice
2763         https://bugs.webkit.org/show_bug.cgi?id=178934
2764
2765         Reviewed by Saam Barati.
2766
2767         * microbenchmarks/string-slice-empty.js: Added.
2768         (slice):
2769         * microbenchmarks/string-slice-one-char.js: Added.
2770         (slice):
2771         * microbenchmarks/string-slice.js: Added.
2772         (slice):
2773
2774 2017-10-26  Michael Saboff  <msaboff@apple.com>
2775
2776         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2777         https://bugs.webkit.org/show_bug.cgi?id=178890
2778
2779         Reviewed by Keith Miller.
2780
2781         New regression test.
2782
2783         * stress/regress-178890.js: Added.
2784
2785 2017-10-26  Mark Lam  <mark.lam@apple.com>
2786
2787         JSRopeString::RopeBuilder::append() should check for overflows.
2788         https://bugs.webkit.org/show_bug.cgi?id=178385
2789         <rdar://problem/35027468>
2790
2791         Reviewed by Saam Barati.
2792
2793         * stress/regress-178385.js: Added.
2794
2795 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2796
2797         Unreviewed, rolling out r223961.
2798
2799         The change that required this has been rolled out.
2800
2801         Reverted changeset:
2802
2803         "Mark test262.yaml/test262/test/language/statements/try/tco-
2804         catch.js as passing."
2805         https://bugs.webkit.org/show_bug.cgi?id=178592
2806         https://trac.webkit.org/changeset/223961
2807
2808 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2809
2810         Unreviewed, rolling out r223691 and r223729.
2811         https://bugs.webkit.org/show_bug.cgi?id=178834
2812
2813         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2814         by rniwa on #webkit).
2815
2816         Reverted changesets:
2817
2818         "Turn recursive tail calls into loops"
2819         https://bugs.webkit.org/show_bug.cgi?id=176601
2820         https://trac.webkit.org/changeset/223691
2821
2822         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2823         comparison is always false due to limited range of data type
2824         [-Wtype-limits]"
2825         https://bugs.webkit.org/show_bug.cgi?id=178543
2826         https://trac.webkit.org/changeset/223729
2827
2828 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2829
2830         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2831         https://bugs.webkit.org/show_bug.cgi?id=178592
2832
2833         Unreviewed test gardening.
2834
2835         * test262.yaml:
2836
2837 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2838
2839         [FTL] Support NewStringObject
2840         https://bugs.webkit.org/show_bug.cgi?id=178737
2841
2842         Reviewed by Saam Barati.
2843
2844         * stress/new-string-object.js: Added.
2845         (shouldBe):
2846         (test):
2847
2848 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2851         https://bugs.webkit.org/show_bug.cgi?id=178308
2852
2853         Reviewed by Mark Lam.
2854
2855         * test262.yaml:
2856
2857 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2858
2859         [JSC] Use fastJoin in Array#toString
2860         https://bugs.webkit.org/show_bug.cgi?id=178062
2861
2862         Reviewed by Darin Adler.
2863
2864         * microbenchmarks/contiguous-array-to-string.js: Added.
2865         (target):
2866         * microbenchmarks/double-array-to-string.js: Added.
2867         (target):
2868         * microbenchmarks/int32-array-to-string.js: Added.
2869         (target):
2870
2871 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2872
2873         stress/check-string-ident.js is improperly skipped
2874         https://bugs.webkit.org/show_bug.cgi?id=178642
2875
2876         Reviewed by Saam Barati.
2877
2878         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2879         since it enforces the run-jsc-stress-tests script to still set up the
2880         test to run, despite the skip directive that's used before.
2881
2882 2017-10-20  Mark Lam  <mark.lam@apple.com>
2883
2884         Add a test case for r214334.
2885         https://bugs.webkit.org/show_bug.cgi?id=169941
2886         <rdar://problem/31221258>
2887
2888         Reviewed by JF Bastien.
2889
2890         * stress/regress-169941.js: Added.
2891
2892 2017-10-19  JF Bastien  <jfbastien@apple.com>
2893
2894         WebAssembly: no VM / JS version of everything but Instance
2895         https://bugs.webkit.org/show_bug.cgi?id=177473
2896
2897         Reviewed by Filip Pizlo, Saam Barati.
2898
2899         - Exceeding max on memory growth now returns a range error as per
2900         spec. This is a (very minor) breaking change: it used to throw OOM
2901         error. Update the corresponding test.
2902
2903         * wasm/js-api/memory-grow.js:
2904         (assertEq):
2905         * wasm/js-api/table.js:
2906         (assert.throws):
2907
2908 2017-10-19  Mark Lam  <mark.lam@apple.com>
2909
2910         Stringifier::appendStringifiedValue() is missing an exception check.
2911         https://bugs.webkit.org/show_bug.cgi?id=178386
2912         <rdar://problem/35027610>
2913
2914         Reviewed by Saam Barati.
2915
2916         * stress/regress-178386.js: Added.
2917
2918 2017-10-19  Michael Saboff  <msaboff@apple.com>
2919
2920         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2921         https://bugs.webkit.org/show_bug.cgi?id=178521
2922
2923         Reviewed by JF Bastien.
2924
2925         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2926         now passes with the current version (5.0) of the Emoji spec.
2927
2928 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2929
2930         Turn recursive tail calls into loops
2931         https://bugs.webkit.org/show_bug.cgi?id=176601
2932
2933         Reviewed by Saam Barati.
2934
2935         Add some simple test that computes factorial in several ways, and other trivial computations.
2936         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2937         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2938         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2939         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2940
2941         * stress/inline-call-to-recursive-tail-call.js: Added.
2942         (factorial.aux):
2943         (factorial):
2944         (factorial2.aux):
2945         (factorial2.id):
2946         (factorial2):
2947         (factorial3.aux):
2948         (factorial3):
2949         (aux):
2950         (factorial4):
2951         (test):
2952
2953 2017-10-18  Mark Lam  <mark.lam@apple.com>
2954
2955         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2956         https://bugs.webkit.org/show_bug.cgi?id=177600
2957         <rdar://problem/34710985>
2958
2959         Reviewed by Saam Barati.
2960
2961         * stress/regress-177600.js: Added.
2962
2963 2017-10-18  Mark Lam  <mark.lam@apple.com>
2964
2965         The compiler should always register a structure when it adds its transitionWatchPointSet.
2966         https://bugs.webkit.org/show_bug.cgi?id=178420
2967         <rdar://problem/34814024>
2968
2969         Reviewed by Saam Barati and Filip Pizlo.
2970
2971         * stress/regress-178420.js: Added.
2972         (new.Array.10000.map):
2973
2974 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2975
2976         [JSC] __proto__ getter should be fast
2977         https://bugs.webkit.org/show_bug.cgi?id=178067
2978
2979         Reviewed by Saam Barati.
2980
2981         * stress/dfg-object-proto-accessor.js: Added.
2982         (shouldBe):
2983         (shouldThrow):
2984         (target):
2985         * stress/dfg-object-proto-getter.js: Added.
2986         (shouldBe):
2987         (shouldThrow):
2988         (target):
2989         * stress/dfg-object-prototype-of.js: Added.
2990         (shouldBe):
2991         (shouldThrow):
2992         (target):
2993         * stress/dfg-reflect-get-prototype-of.js: Added.
2994         (shouldBe):
2995         (shouldThrow):
2996         (target):
2997         * stress/intrinsic-getter-with-poly-proto.js: Added.
2998         (shouldBe):
2999         (makePolyProtoObject.foo.C):
3000         (makePolyProtoObject.foo):
3001         (makePolyProtoObject):
3002         (target):
3003         * stress/object-get-prototype-of-filtered.js: Added.
3004         (shouldBe):
3005         (shouldThrow):
3006         (target):
3007         (i.Cocoa):
3008         * stress/object-get-prototype-of-mono-proto.js: Added.
3009         (shouldBe):
3010         (makePolyProtoObject.foo.C):
3011         (makePolyProtoObject.foo):
3012         (makePolyProtoObject):
3013         (target):
3014         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3015         (shouldBe):
3016         (makePolyProtoObject.foo.C):
3017         (makePolyProtoObject.foo):
3018         (makePolyProtoObject):
3019         (target):
3020         * stress/object-get-prototype-of-poly-proto.js: Added.
3021         (shouldBe):
3022         (makePolyProtoObject.foo.C):
3023         (makePolyProtoObject.foo):
3024         (makePolyProtoObject):
3025         (target):
3026         * stress/object-proto-getter-filtered.js: Added.
3027         (shouldBe):
3028         (shouldThrow):
3029         (target):
3030         (i.Cocoa):
3031         * stress/object-proto-getter-poly-mono-proto.js: Added.
3032         (shouldBe):
3033         (makePolyProtoObject.foo.C):
3034         (makePolyProtoObject.foo):
3035         (makePolyProtoObject):
3036         (target):
3037         * stress/object-proto-getter-poly-proto.js: Added.
3038         (shouldBe):
3039         (makePolyProtoObject.foo.C):
3040         (makePolyProtoObject.foo):
3041         (makePolyProtoObject):
3042         (target):
3043         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3044         * stress/string-proto.js: Added.
3045         (shouldBe):
3046         (target):
3047
3048 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3049
3050         Unreviewed, rolling out r223523.
3051
3052         A test for this change is failing on debug JSC bots.
3053
3054         Reverted changeset:
3055
3056         "[JSC] __proto__ getter should be fast"
3057         https://bugs.webkit.org/show_bug.cgi?id=178067
3058         https://trac.webkit.org/changeset/223523
3059
3060 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3061
3062         [JSC] __proto__ getter should be fast
3063         https://bugs.webkit.org/show_bug.cgi?id=178067
3064
3065         Reviewed by Saam Barati.
3066
3067         * stress/dfg-object-proto-accessor.js: Added.
3068         (shouldBe):
3069         (shouldThrow):
3070         (target):
3071         * stress/dfg-object-proto-getter.js: Added.
3072         (shouldBe):
3073         (shouldThrow):
3074         (target):
3075         * stress/dfg-object-prototype-of.js: Added.
3076         (shouldBe):
3077         (shouldThrow):
3078         (target):
3079         * stress/dfg-reflect-get-prototype-of.js: Added.
3080         (shouldBe):
3081         (shouldThrow):
3082         (target):
3083         * stress/object-get-prototype-of-filtered.js: Added.
3084         (shouldBe):
3085         (shouldThrow):
3086         (target):
3087         (i.Cocoa):
3088         * stress/object-get-prototype-of-mono-proto.js: Added.
3089         (shouldBe):
3090         (makePolyProtoObject.foo.C):
3091         (makePolyProtoObject.foo):
3092         (makePolyProtoObject):
3093         (target):
3094         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3095         (shouldBe):
3096         (makePolyProtoObject.foo.C):
3097         (makePolyProtoObject.foo):
3098         (makePolyProtoObject):
3099         (target):
3100         * stress/object-get-prototype-of-poly-proto.js: Added.
3101         (shouldBe):
3102         (makePolyProtoObject.foo.C):
3103         (makePolyProtoObject.foo):
3104         (makePolyProtoObject):
3105         (target):
3106         * stress/object-proto-getter-filtered.js: Added.
3107         (shouldBe):
3108         (shouldThrow):
3109         (target):
3110         (i.Cocoa):
3111         * stress/object-proto-getter-poly-mono-proto.js: Added.
3112         (shouldBe):
3113         (makePolyProtoObject.foo.C):
3114         (makePolyProtoObject.foo):
3115         (makePolyProtoObject):
3116         (target):
3117         * stress/object-proto-getter-poly-proto.js: Added.
3118         (shouldBe):
3119         (makePolyProtoObject.foo.C):
3120         (makePolyProtoObject.foo):
3121         (makePolyProtoObject):
3122         (target):
3123         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3124         * stress/string-proto.js: Added.
3125         (shouldBe):
3126         (target):
3127
3128 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3129
3130         Reland "Add Above/Below comparisons for UInt32 patterns"
3131         https://bugs.webkit.org/show_bug.cgi?id=177281
3132
3133         Reviewed by Saam Barati.
3134
3135         * stress/uint32-comparison-jump.js: Added.
3136         (shouldBe):
3137         (above):
3138         (aboveOrEqual):
3139         (below):
3140         (belowOrEqual):
3141         (notAbove):
3142         (notAboveOrEqual):
3143         (notBelow):
3144         (notBelowOrEqual):
3145         * stress/uint32-comparison.js: Added.
3146         (shouldBe):
3147         (above):
3148         (aboveOrEqual):
3149         (below):
3150         (belowOrEqual):
3151         (aboveTest):
3152         (aboveOrEqualTest):
3153         (belowTest):
3154         (belowOrEqualTest):
3155
3156 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3157
3158         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3159         https://bugs.webkit.org/show_bug.cgi?id=178210
3160
3161         Reviewed by Saam Barati.
3162
3163         * wasm/function-tests/trap-from-start-async.js:
3164         (async.StartTrapsAsync):
3165         * wasm/function-tests/trap-from-start.js:
3166         (StartTraps):
3167         * wasm/js-api/web-assembly-function.js:
3168         (assert.eq.Object.getPrototypeOf):
3169         * wasm/js-api/wrapper-function.js:
3170         (return.new.WebAssembly.Module):
3171         (assert.throws.makeInstance): Deleted.
3172         (assert.throws.Bar): Deleted.
3173         (assert.throws): Deleted.
3174
3175 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3176
3177         Enable gigacage on iOS
3178         https://bugs.webkit.org/show_bug.cgi?id=177586
3179
3180         Reviewed by JF Bastien.
3181         
3182         Add tests for when Gigacage gets runtime disabled.
3183
3184         * stress/disable-gigacage-arrays.js: Added.
3185         (foo):
3186         * stress/disable-gigacage-strings.js: Added.
3187         (foo):
3188         * stress/disable-gigacage-typed-arrays.js: Added.
3189         (foo):
3190
3191 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3192
3193         import.meta should not be assignable
3194         https://bugs.webkit.org/show_bug.cgi?id=178202
3195
3196         Reviewed by Saam Barati.
3197
3198         * modules/import-meta-assignment.js: Added.
3199         (shouldThrow):
3200         (SyntaxError.import.meta.can.shouldThrow):
3201
3202 2017-10-11  Saam Barati  <sbarati@apple.com>
3203
3204         Unreviewed. Actually skip certain type profiler tests in debug.
3205
3206         * typeProfiler.yaml:
3207         * typeProfiler/deltablue-for-of.js:
3208         * typeProfiler/getter-richards.js:
3209
3210 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3211
3212         Unreviewed, rolling out r223113 and r223121.
3213         https://bugs.webkit.org/show_bug.cgi?id=178182
3214
3215         Reintroduced 20% regression on Kraken (Requested by rniwa on
3216         #webkit).
3217
3218         Reverted changesets:
3219
3220         "Enable gigacage on iOS"
3221         https://bugs.webkit.org/show_bug.cgi?id=177586
3222         https://trac.webkit.org/changeset/223113
3223
3224         "Use one virtual allocation for all gigacages and their
3225         runways"
3226         https://bugs.webkit.org/show_bug.cgi?id=178050
3227         https://trac.webkit.org/changeset/223121
3228
3229 2017-10-11  Michael Saboff  <msaboff@apple.com>
3230
3231         Disable test262 named capture group tests with direct unicode names and with references before definitions
3232         https://bugs.webkit.org/show_bug.cgi?id=178177
3233
3234         Reviewed by Keith Miller.
3235
3236         Bugs to track fixing these test are:
3237         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3238             "Add support in named capture group identifiers for direct surrogate pairs"
3239         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3240             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3241
3242         * test262.yaml:
3243
3244 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3245
3246         Object properties are undefined in super.call() but not in this.call()
3247         https://bugs.webkit.org/show_bug.cgi?id=177230
3248
3249         Reviewed by Saam Barati.
3250
3251         * stress/super-call-function-subclass.js: Added.
3252         (assert):
3253         (A.prototype.t):
3254         (A):
3255         * stress/super-dot-call-and-apply.js: Added.
3256         (assert):
3257         (A):
3258         (A.prototype.call):
3259         (A.prototype.apply):
3260         (B.prototype.testSuper):
3261         (B):
3262         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3263         (D.prototype.testSuper):
3264         (D):
3265
3266 2017-10-10  Saam Barati  <sbarati@apple.com>
3267
3268         The prototype cache should be aware of the Executable it generates a Structure for
3269         https://bugs.webkit.org/show_bug.cgi?id=177907
3270
3271         Reviewed by Filip Pizlo.
3272
3273         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3274         (assert):
3275         (foo.C):
3276         (foo):
3277         (bar.C):
3278         (bar):
3279         (access):
3280         (makeLongChain):
3281         (accessY):
3282
3283 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3284
3285         `async` should be able to be used as an imported binding name
3286         https://bugs.webkit.org/show_bug.cgi?id=176573
3287
3288         Reviewed by Saam Barati.
3289
3290         * modules/import-default-async.js: Added.
3291         * modules/import-named-async-as.js: Added.
3292         * modules/import-named-async.js: Added.
3293         * modules/import-named-async/target.js: Added.
3294         * modules/import-namespace-async.js: Added.
3295         * test262.yaml:
3296
3297 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3298
3299         Enable gigacage on iOS
3300         https://bugs.webkit.org/show_bug.cgi?id=177586
3301
3302         Reviewed by JF Bastien.
3303         
3304         Add tests for when Gigacage gets runtime disabled.
3305
3306         * stress/disable-gigacage-arrays.js: Added.
3307         (foo):
3308         * stress/disable-gigacage-strings.js: Added.
3309         (foo):
3310         * stress/disable-gigacage-typed-arrays.js: Added.
3311         (foo):
3312
3313 2017-10-09  Michael Saboff  <msaboff@apple.com>
3314
3315         Implement RegExp Unicode property escapes
3316         https://bugs.webkit.org/show_bug.cgi?id=172069
3317
3318         Reviewed by JF Bastien.
3319
3320         Enabled Unicode Property tests.
3321
3322         * test262.yaml:
3323
3324 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3325
3326         Unreviewed, rolling out r223015 and r223025.
3327         https://bugs.webkit.org/show_bug.cgi?id=178093
3328
3329         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3330         #webkit).
3331
3332         Reverted changesets:
3333
3334         "Enable gigacage on iOS"
3335         https://bugs.webkit.org/show_bug.cgi?id=177586
3336         http://trac.webkit.org/changeset/223015
3337
3338         "Unreviewed, disable Gigacage on ARM64 Linux"
3339         https://bugs.webkit.org/show_bug.cgi?id=177586
3340         http://trac.webkit.org/changeset/223025
3341
3342 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3343
3344         Update expectations for test262 tests that pass after r223043.
3345         https://bugs.webkit.org/show_bug.cgi?id=176685
3346
3347         Unreviewed test gardening.
3348
3349         * test262.yaml:
3350
3351 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3352
3353         Unreviewed, rolling out r223022.
3354
3355         This change introduced 18 test262 failures.
3356
3357         Reverted changeset:
3358
3359         "`async` should be able to be used as an imported binding
3360         name"
3361         https://bugs.webkit.org/show_bug.cgi?id=176573
3362         http://trac.webkit.org/changeset/223022
3363
3364 2017-10-09  Saam Barati  <sbarati@apple.com>
3365
3366         3 poly-proto JSC tests timing out on debug after r222827
3367         https://bugs.webkit.org/show_bug.cgi?id=177880
3368         <rdar://problem/34817122>
3369
3370         Unreviewed.
3371
3372         I'm skipping these type profiler tests on debug since they are long running.
3373
3374         * typeProfiler/deltablue-for-of.js:
3375         * typeProfiler/getter-richards.js:
3376
3377 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3378
3379         Safari 10 /11 problem with if (!await get(something)).
3380         https://bugs.webkit.org/show_bug.cgi?id=176685
3381
3382         Reviewed by Saam Barati.
3383
3384         * stress/async-await-basic.js:
3385         (awaitEpression.async):
3386         * stress/async-await-syntax.js:
3387         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3388         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3389
3390 2017-10-08  Saam Barati  <sbarati@apple.com>
3391
3392         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3393
3394         * typeProfiler/deltablue-for-of.js:
3395         * typeProfiler/getter-richards.js:
3396
3397 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3398
3399         `async` should be able to be used as an imported binding name
3400         https://bugs.webkit.org/show_bug.cgi?id=176573
3401
3402         Reviewed by Darin Adler.
3403
3404         * modules/import-default-async.js: Added.
3405         * modules/import-named-async-as.js: Added.
3406         * modules/import-named-async.js: Added.
3407         * modules/import-named-async/target.js: Added.
3408         * modules/import-namespace-async.js: Added.
3409
3410 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3411
3412         Enable gigacage on iOS
3413         https://bugs.webkit.org/show_bug.cgi?id=177586
3414
3415         Reviewed by JF Bastien.
3416         
3417         Add tests for when Gigacage gets runtime disabled.
3418
3419         * stress/disable-gigacage-arrays.js: Added.
3420         (foo):
3421         * stress/disable-gigacage-strings.js: Added.
3422         (foo):
3423         * stress/disable-gigacage-typed-arrays.js: Added.
3424         (foo):
3425
3426 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3427
3428         Unreviewed, rolling out r222791 and r222873.
3429         https://bugs.webkit.org/show_bug.cgi?id=178031
3430
3431         Caused crashes with workers/wasm LayoutTests (Requested by
3432         ryanhaddad on #webkit).
3433
3434         Reverted changesets:
3435
3436         "WebAssembly: no VM / JS version of everything but Instance"
3437         https://bugs.webkit.org/show_bug.cgi?id=177473
3438         http://trac.webkit.org/changeset/222791
3439
3440         "WebAssembly: address no VM / JS follow-ups"
3441         https://bugs.webkit.org/show_bug.cgi?id=177887
3442         http://trac.webkit.org/changeset/222873
3443
3444 2017-10-05  Saam Barati  <sbarati@apple.com>
3445
3446         Make sure all prototypes under poly proto get added into the VM's prototype map
3447         https://bugs.webkit.org/show_bug.cgi?id=177909
3448
3449         Reviewed by Keith Miller.
3450
3451         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3452         (assert):
3453         (foo.C):
3454         (foo):
3455         (set x):
3456
3457 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3458
3459         [JSC] Introduce import.meta
3460         https://bugs.webkit.org/show_bug.cgi?id=177703
3461
3462         Reviewed by Filip Pizlo.
3463
3464         * modules/import-meta-syntax.js: Added.
3465         (shouldThrow):
3466         (shouldNotThrow):
3467         * modules/import-meta.js: Added.
3468         * modules/import-meta/cocoa.js: Added.
3469         * modules/resources/assert.js:
3470         (export.shouldNotThrow):
3471         * stress/import-syntax.js:
3472
3473 2017-10-04  Saam Barati  <sbarati@apple.com>
3474
3475         Make pertinent AccessCases watch the poly proto watchpoint
3476         https://bugs.webkit.org/show_bug.cgi?id=177765
3477
3478         Reviewed by Keith Miller.
3479
3480         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3481         (assert):
3482         (foo.C):
3483         (foo):
3484         (validate):
3485         * stress/poly-proto-clear-stub.js: Added.
3486         (assert):
3487         (foo.C):
3488         (foo):
3489
3490 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3491
3492         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3493
3494         Unreviewed test gardening.
3495
3496         * test262.yaml:
3497
3498 2017-10-04  Saam Barati  <sbarati@apple.com>
3499
3500         3 poly-proto JSC tests timing out on debug after r222827
3501         https://bugs.webkit.org/show_bug.cgi?id=177880
3502
3503         Rubber stamped by Mark Lam.
3504
3505         * microbenchmarks/poly-proto-access.js:
3506         * typeProfiler/deltablue-for-of.js:
3507         * typeProfiler/getter-richards.js:
3508
3509 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3510
3511         Unreviewed, marking tco-catch.js as a failure after test262 update
3512         https://bugs.webkit.org/show_bug.cgi?id=177859
3513
3514         * test262.yaml:
3515
3516 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3517
3518         Unreviewed, marking one async iterator test262 test failed
3519         https://bugs.webkit.org/show_bug.cgi?id=177859
3520
3521         * test262.yaml:
3522
3523 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3524
3525         [Test262] Update Test262 to Oct 4 version
3526         https://bugs.webkit.org/show_bug.cgi?id=177859
3527
3528         Reviewed by Sam Weinig.
3529
3530         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3531         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3532
3533         * test262.yaml:
3534         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3535         (checkSequence):
3536         * test262/harness/typeCoercion.js:
3537         (testCoercibleToIndexZero):
3538         (testCoercibleToIndexOne):
3539         (testCoercibleToIndexFromIndex):
3540         (testNotCoercibleToIndex.testPrimitiveValue):
3541         (testNotCoercibleToInteger):
3542         (testCoercibleToBigIntZero.testPrimitiveValue):
3543         (testCoercibleToBigIntZero):
3544         (testCoercibleToBigIntOne.testPrimitiveValue):
3545         (testCoercibleToBigIntOne):
3546         (testPrimitiveValue):
3547         (testCoercibleToBigIntFromBigInt):
3548         (testNotCoercibleToBigInt.testPrimitiveValue):
3549         (testNotCoercibleToBigInt.testStringValue):
3550         (testNotCoercibleToBigInt):
3551         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3552         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3553         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3554         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3555         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3556         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3557         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3558         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3559         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3560         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3561         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3562         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3563         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3564         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3565         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3566         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3567         (testCoercibleToBigIntZero):
3568         (testCoercibleToBigIntOne):
3569         (testNotCoercibleToBigInt):
3570         (MyError): Deleted.
3571         (valueOf): Deleted.
3572         (toString): Deleted.
3573         (Symbol.toPrimitive): Deleted.
3574         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3575         (testCoercibleToIndexZero):
3576         (testCoercibleToIndexOne):
3577         (testNotCoercibleToIndex):
3578         (MyError): Deleted.
3579         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3580         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3581         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3582         (BigInt.asIntN.valueOf): Deleted.
3583         (BigInt.asIntN.toString): Deleted.
3584         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3585         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3586         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3587         (testCoercibleToBigIntZero):
3588         (testCoercibleToBigIntOne):
3589         (testNotCoercibleToBigInt):
3590         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3591         (testCoercibleToIndexZero):
3592         (testCoercibleToIndexOne):
3593         (testNotCoercibleToIndex):
3594         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3595         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3596         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3597         (bits.valueOf):
3598         (bigint.valueOf):
3599         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3600         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3601         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3602         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3603         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3604         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3605         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3606         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3607         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3608         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3609         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3610         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3611         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3612         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3613         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3614         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3615         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3616         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3617         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3618         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3619         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3620         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3621         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3622         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3623         (replacer):
3624         (BigInt.prototype.toJSON):
3625         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3626         (replacer):
3627         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3628         (BigInt.prototype.toJSON):
3629         * test262/test/built-ins/JSON/stringify/bigint.js:
3630         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3631         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3632         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3633         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3634         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3635         * test262/test/built-ins/Object/proto-from-ctor.js:
3636         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3637         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3638         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3639         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3640         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3641         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3642         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3643         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3644         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3645         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3646         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3647         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3648         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3649         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3650         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3651         * test262/test/built-ins/Proxy/get-fn-realm.js:
3652         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3653         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3654         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3655         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3656         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3657         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3658         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3659         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3660         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3661         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3662         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3663         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3664         (i6.replace):
3665         (i6b.replace):
3666         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3667         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3668         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3669         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3670         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3671         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3672         * test262/test/built-ins/RegExp/u180e.js: Added.
3673         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3674         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3675         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3676         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3677         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3678         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3679         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3680         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3681         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3682         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3683         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3684         * test262/test/built-ins/String/prototype/endsWith/length.js:
3685         * test262/test/built-ins/String/prototype/endsWith/name.js:
3686         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3687         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3688         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3689         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3690         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3691         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3692         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3693         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3694         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3695         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3696         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3697         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3698         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3699         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3700         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3701         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3702         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3703         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3704         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3705         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3706         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3707         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3708         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3709         * test262/test/built-ins/String/prototype/includes/includes.js:
3710         * test262/test/built-ins/String/prototype/includes/length.js:
3711         * test262/test/built-ins/String/prototype/includes/name.js:
3712         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3713         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3714         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3715         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3716         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3717         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3718         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3719         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3720         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3721         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3722         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3723         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3724         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3725         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3726         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3727         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3728         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3729         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3730         * test262/test/built-ins/String/prototype/trim/u180e.js:
3731         * test262/test/built-ins/Symbol/for/cross-realm.js:
3732         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3733         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3734         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3735         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3736         * test262/test/built-ins/Symbol/match/cross-realm.js:
3737         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3738         * test262/test/built-ins/Symbol/search/cross-realm.js:
3739         * test262/test/built-ins/Symbol/species/cross-realm.js:
3740         * test262/test/built-ins/Symbol/split/cross-realm.js:
3741         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3742         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3743         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3744         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3745         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3746         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3747         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3748         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3749         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3750         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3751         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3752         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3753         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3754         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3755         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3756         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3757         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3758         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3759         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3760         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3761         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3762         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3763         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3764         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3765         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3766         * test262/test/language/eval-code/indirect/realm.js:
3767         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3768         (o.get z):
3769         (o.get a):
3770         * test262/test/language/expressions/call/eval-realm-indirect.js:
3771         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3772         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3773         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3774         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3775         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3776         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3777         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3778         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3779         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3780         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3781         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3782         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3783         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3784         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3785         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3786         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3787         * test262/test/language/expressions/less-than/bigint-and-number.js:
3788         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3789         * test262/test/language/expressions/super/realm.js:
3790         * test262/test/language/expressions/tagged-template/cache-realm.js:
3791         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3792         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3793         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3794         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3795         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3796         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3797         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3798         (o.get z):
3799         (o.get a):
3800         * test262/test/language/statements/for-of/iterator-next-reference.js:
3801         (next):
3802         (iterator.next): Deleted.
3803         (x.of.iterable.): Deleted.
3804         (x.of.iterable.get return): Deleted.
3805         (x.of.iterable.iterator.next): Deleted.
3806         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3807         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3808         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3809         * test262/test/language/white-space/mongolian-vowel-separator.js:
3810         * test262/test262-Revision.txt:
3811
3812 2017-10-03  Saam Barati  <sbarati@apple.com>
3813
3814         Implement polymorphic prototypes
3815         https://bugs.webkit.org/show_bug.cgi?id=176391
3816
3817         Reviewed by Filip Pizlo.
3818
3819         * microbenchmarks/poly-proto-access.js: Added.
3820         (assert):
3821         (foo.C):
3822         (foo.C.prototype.get bar):
3823         (foo):
3824         (bar):
3825         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3826         (assert):
3827         (makePolyProtoObject.foo.C):
3828         (makePolyProtoObject.foo):
3829         (makePolyProtoObject):
3830         (performSet):
3831         * microbenchmarks/poly-proto-setter-speed.js: Added.
3832         (assert):
3833         (makePolyProtoObject.foo.C):
3834         (makePolyProtoObject.foo.C.prototype.set p):
3835         (makePolyProtoObject.foo):
3836         (makePolyProtoObject):
3837         (performSet):
3838         * stress/constructor-with-return.js:
3839         (i.tests.forEach.Constructor):
3840         (i.tests.forEach):
3841         (tests.forEach.Constructor): Deleted.
3842         (tests.forEach): Deleted.
3843         * stress/dom-jit-with-poly-proto.js: Added.
3844         (assert):
3845         (makePolyProtoObject.foo.C):
3846         (makePolyProtoObject.foo):
3847         (makePolyProtoObject):
3848         (validate):
3849         * stress/poly-proto-custom-value-and-accessor.js: Added.
3850         (assert):
3851         (makePolyProtoObject.foo.C):
3852         (makePolyProtoObject.foo):
3853         (makePolyProtoObject):
3854         (items.forEach):
3855         (set get for):
3856         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3857         (assert):
3858         (makePolyProtoObject.foo.C):
3859         (makePolyProtoObject.foo):
3860         (makePolyProtoObject):
3861         (foo):
3862         * stress/poly-proto-miss.js: Added.
3863         (makePolyProtoInstanceWithNullPrototype.foo.C):
3864         (makePolyProtoInstanceWithNullPrototype.foo):
3865         (makePolyProtoInstanceWithNullPrototype):
3866         (assert):
3867         (validate):
3868         * stress/poly-proto-op-in-caching.js: Added.
3869         (assert):
3870         (makePolyProtoObject.foo.C):
3871         (makePolyProtoObject.foo):
3872         (makePolyProtoObject):
3873         (validate):
3874         (validate2):
3875         * stress/poly-proto-put-transition.js: Added.
3876         (assert):
3877         (makePolyProtoObject.foo.C):
3878         (makePolyProtoObject.foo):
3879         (makePolyProtoObject):
3880         (performSet):
3881         (i.obj.__proto__.set p):
3882         * stress/poly-proto-set-prototype.js: Added.
3883         (assert):
3884         (let.alternateProto.get x):
3885         (let.alternateProto2.get y):
3886         (let.alternateProto2.get x):
3887         (foo.C):
3888         (foo):
3889         (validate):
3890         * stress/poly-proto-setter.js: Added.
3891         (assert):
3892         (makePolyProtoObject.foo.C):
3893         (makePolyProtoObject.foo.C.prototype.set p):
3894         (makePolyProtoObject.foo.C.prototype.get p):
3895         (makePolyProtoObject.foo):
3896         (makePolyProtoObject):
3897         (performSet):
3898         * stress/poly-proto-using-inheritance.js: Added.
3899         (assert):
3900         (foo.C):
3901         (foo.C.prototype.get baz):
3902         (foo):
3903         (bar.C):
3904         (bar):
3905         (validate):
3906         * stress/primitive-poly-proto.js: Added.
3907         (makePolyProtoInstance.foo.C):
3908         (makePolyProtoInstance.foo):
3909         (makePolyProtoInstance):
3910         (assert):
3911         (validate):
3912         * stress/prototype-is-not-js-object.js: Added.
3913         (foo.bar):
3914         (foo):
3915         (assert):
3916         (validate):
3917         * stress/try-get-by-id-poly-proto.js: Added.
3918         (assert):
3919         (makePolyProtoObject.foo.C):
3920         (makePolyProtoObject.foo):
3921         (makePolyProtoObject):
3922         (tryGetByIdText):
3923         (x.__proto__.get bar):
3924         (validate):
3925         * typeProfiler/overflow.js:
3926
3927 2017-10-03  JF Bastien  <jfbastien@apple.com>
3928
3929         WebAssembly: no VM / JS version of everything but Instance
3930         https://bugs.webkit.org/show_bug.cgi?id=177473
3931
3932         Reviewed by Filip Pizlo.
3933
3934         - Exceeding max on memory growth now returns a range error as per
3935         spec. This is a (very minor) breaking change: it used to throw OOM
3936         error. Update the corresponding test.
3937
3938         * wasm/js-api/memory-grow.js:
3939         (assertEq):
3940         * wasm/js-api/table.js:
3941         (assert.throws):
3942
3943 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3944
3945         Skip JSC test stress/regress-159779-2.js on debug.
3946         https://bugs.webkit.org/show_bug.cgi?id=177204
3947
3948         Unreviewed test gardening.
3949
3950         * stress/regress-159779-2.js:
3951
3952 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3953
3954         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3955         https://bugs.webkit.org/show_bug.cgi?id=175642
3956
3957         Reviewed by Darin Adler.
3958
3959         * ChakraCore/test/Function/apply3.baseline-jsc:
3960
3961 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3962
3963         Unreviewed, rolling out r222564.
3964         https://bugs.webkit.org/show_bug.cgi?id=177720
3965
3966         "It regressed JetStream by 2% on iOS caused by a 50%
3967         regression on the bigfib subtest" (Requested by saamyjoon on
3968         #webkit).
3969
3970         Reverted changeset:
3971
3972         "Add Above/Below comparisons for UInt32 patterns"
3973         https://bugs.webkit.org/show_bug.cgi?id=177281
3974         http://trac.webkit.org/changeset/222564
3975
3976 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3977
3978         [DFG] Support ArrayPush with multiple args
3979         https://bugs.webkit.org/show_bug.cgi?id=175823
3980
3981         Reviewed by Saam Barati.
3982
3983         * microbenchmarks/array-push-0.js: Added.
3984         (arrayPush0):
3985         * microbenchmarks/array-push-1.js: Added.
3986         (arrayPush1):
3987         * microbenchmarks/array-push-2.js: Added.
3988         (arrayPush2):
3989         * microbenchmarks/array-push-3.js: Added.
3990         (arrayPush3):
3991         * stress/array-push-multiple-contiguous.js: Added.
3992         (shouldBe):
3993         (test):
3994         * stress/array-push-multiple-double-nan.js: Added.
3995         (shouldBe):
3996         (test):
3997         * stress/array-push-multiple-double.js: Added.
3998         (shouldBe):
3999         (test):
4000         * stress/array-push-multiple-int32.js: Added.
4001         (shouldBe):
4002         (test):
4003         * stress/array-push-multiple-many-contiguous.js: Added.
4004         (shouldBe):
4005         (test):
4006         * stress/array-push-multiple-many-double.js: Added.
4007         (shouldBe):
4008         (test):
4009         * stress/array-push-multiple-many-int32.js: Added.
4010         (shouldBe):
4011         (test):
4012         * stress/array-push-multiple-many-storage.js: Added.
4013         (shouldBe):
4014         (test):
4015         * stress/array-push-multiple-storage.js: Added.
4016         (shouldBe):
4017         (test):
4018         * stress/array-push-with-force-exit.js: Added.
4019         (target.createBuiltin):
4020
4021 2017-09-29  Saam Barati  <sbarati@apple.com>
4022
4023         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4024         https://bugs.webkit.org/show_bug.cgi?id=177639
4025
4026         Reviewed by Geoffrey Garen.
4027
4028         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
4029         (assert):
4030         (Class):
4031         (items.forEach):
4032         (set get for):
4033
4034 2017-09-29  Commit Queue  <commit-queue@webkit.org>
4035
4036         Unreviewed, rolling out r222563, r222565, and r222581.
4037         https://bugs.webkit.org/show_bug.cgi?id=177675
4038
4039         "It causes a crash when playing youtube videos" (Requested by
4040         saamyjoon on #webkit).
4041
4042         Reverted changesets:
4043
4044         "[DFG] Support ArrayPush with multiple args"
4045         https://bugs.webkit.org/show_bug.cgi?id=175823
4046         http://trac.webkit.org/changeset/222563
4047
4048         "Unreviewed, build fix after r222563"
4049         https://bugs.webkit.org/show_bug.cgi?id=175823
4050         http://trac.webkit.org/changeset/222565
4051
4052         "Unreviewed, fix x86 breaking due to exhausted registers"
4053         https://bugs.webkit.org/show_bug.cgi?id=175823
4054         http://trac.webkit.org/changeset/222581
4055
4056 2017-09-28  Mark Lam  <mark.lam@apple.com>
4057
4058         test262: Unexpected passes after r222617 and r222618.
4059         https://bugs.webkit.org/show_bug.cgi?id=177622
4060         <rdar://problem/34725960>
4061
4062         Reviewed by Saam Barati.
4063
4064         Update test262.yaml for tests that are now passing.
4065
4066         * test262.yaml:
4067
4068 2017-09-27  Michael Saboff  <msaboff@apple.com>
4069
4070         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
4071         https://bugs.webkit.org/show_bug.cgi?id=177570
4072
4073         Reviewed by Filip Pizlo.
4074
4075         New regression test.
4076
4077         * stress/regress-177570.js: Added.
4078
4079 2017-09-28  Michael Saboff  <msaboff@apple.com>
4080
4081         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4082         https://bugs.webkit.org/show_bug.cgi?id=177423
4083
4084         Reviewed by Mark Lam.
4085
4086         Updated regression test.
4087
4088         * stress/regress-177423.js:
4089         (catch):
4090
4091 2017-09-27  Mark Lam  <mark.lam@apple.com>
4092
4093         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
4094         https://bugs.webkit.org/show_bug.cgi?id=177584
4095         <rdar://problem/34463903>
4096
4097         Reviewed by Saam Barati.
4098
4099         * stress/regress-177584.js: Added.
4100         (assertEqual):
4101         (Array.prototype.Symbol.species):
4102
4103 2017-09-27  Saam Barati  <sbarati@apple.com>
4104
4105         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
4106         https://bugs.webkit.org/show_bug.cgi?id=177523
4107
4108         Reviewed by Mark Lam.
4109
4110         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
4111         (assert):
4112         (Test):
4113         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
4114         (addMethods):
4115         (i.Test.prototype.propName):
4116
4117 2017-09-27  Mark Lam  <mark.lam@apple.com>
4118
4119         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4120         https://bugs.webkit.org/show_bug.cgi?id=177423
4121         <rdar://problem/34621320>
4122
4123         Reviewed by Keith Miller.
4124
4125         * stress/regress-177423.js: Added.
4126
4127 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
4128
4129         Add Above/Below comparisons for UInt32 patterns
4130         https://bugs.webkit.org/show_bug.cgi?id=177281
4131
4132         Reviewed by Saam Barati.
4133
4134         * stress/uint32-comparison-jump.js: Added.
4135         (shouldBe):
4136         (above):
4137         (aboveOrEqual):
4138         (below):
4139         (belowOrEqual):
4140         (notAbove):
4141         (notAboveOrEqual):
4142         (notBelow):
4143         (notBelowOrEqual):
4144         * stress/uint32-comparison.js: Added.
4145         (shouldBe):
4146         (above):
4147         (aboveOrEqual):
4148         (below):
4149         (belowOrEqual):
4150         (aboveTest):
4151         (aboveOrEqualTest):
4152         (belowTest):
4153         (belowOrEqualTest):
4154
4155 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
4156
4157         [DFG] Support ArrayPush with multiple args
4158         https://bugs.webkit.org/show_bug.cgi?id=175823
4159
4160         Reviewed by Saam Barati.
4161
4162         * microbenchmarks/array-push-0.js: Added.
4163         (arrayPush0):
4164         * microbenchmarks/array-push-1.js: Added.
4165         (arrayPush1):
4166         * microbenchmarks/array-push-2.js: Added.
4167         (arrayPush2):
4168         * microbenchmarks/array-push-3.js: Added.
4169         (arrayPush3):
4170         * stress/array-push-multiple-contiguous.js: Added.
4171         (shouldBe):
4172         (test):
4173         * stress/array-push-multiple-double-nan.js: Added.
4174         (shouldBe):
4175         (test):
4176         * stress/array-push-multiple-double.js: Added.
4177         (shouldBe):
4178         (test):
4179         * stress/array-push-multiple-int32.js: Added.
4180         (shouldBe):
4181         (test):
4182         * stress/array-push-multiple-many-contiguous.js: Added.
4183         (shouldBe):
4184         (test):
4185         * stress/array-push-multiple-many-double.js: Added.
4186         (shouldBe):
4187         (test):
4188         * stress/array-push-multiple-many-int32.js: Added.
4189         (shouldBe):
4190         (test):
4191         * stress/array-push-multiple-many-storage.js: Added.
4192         (shouldBe):
4193         (test):
4194         * stress/array-push-multiple-storage.js: Added.
4195         (shouldBe):
4196         (test):
4197
4198 2017-09-26  Commit Queue  <commit-queue@webkit.org>
4199
4200         Unreviewed, rolling out r222518.
4201         https://bugs.webkit.org/show_bug.cgi?id=177507
4202
4203         Break the High Sierra build (Requested by yusukesuzuki on
4204         #webkit).
4205
4206         Reverted changeset:
4207
4208         "Add Above/Below comparisons for UInt32 patterns"
4209         https://bugs.webkit.org/show_bug.cgi?id=177281
4210         http://trac.webkit.org/changeset/222518
4211
4212 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4213
4214         Add Above/Below comparisons for UInt32 patterns
4215         https://bugs.webkit.org/show_bug.cgi?id=177281
4216
4217         Reviewed by Saam Barati.
4218
4219         * stress/uint32-comparison-jump.js: Added.
4220         (shouldBe):
4221         (above):
4222         (aboveOrEqual):
4223         (below):
4224         (belowOrEqual):
4225         (notAbove):
4226         (notAboveOrEqual):
4227         (notBelow):
4228         (notBelowOrEqual):
4229         * stress/uint32-comparison.js: Added.
4230         (shouldBe):
4231         (above):
4232         (aboveOrEqual):
4233         (below):
4234         (belowOrEqual):
4235         (aboveTest):
4236         (aboveOrEqualTest):
4237         (belowTest):
4238         (belowOrEqualTest):
4239
4240 2017-09-23  Keith Miller  <keith_miller@apple.com>
4241
4242         Fix infinite looping test262 test
4243         https://bugs.webkit.org/show_bug.cgi?id=177412
4244
4245         Reviewed by Yusuke Suzuki.
4246
4247         This test was poorly designed since failing it would cause the vm
4248         to inifinite loop. I've fixed it locally and will fix it on github pending
4249         the results of next weeks tc39 meeting.
4250
4251         * test262.yaml:
4252         * test262/test/language/statements/for-of/iterator-next-reference.js:
4253
4254 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
4255
4256         test262: $.agent became $262.agent in test262 update
4257         https://bugs.webkit.org/show_bug.cgi?id=177407
4258
4259         Reviewed by Yusuke Suzuki.
4260
4261         * test262.yaml:
4262         ~320 tests pass now that we correctly make $262 available.
4263
4264 2017-09-22  Keith Miller  <keith_miller@apple.com>
4265
4266         Speculatively change iteration protocall to use the same next function
4267         https://bugs.webkit.org/show_bug.cgi?id=175653
4268
4269         Reviewed by Saam Barati.
4270
4271         Change test to match the new iteration behavior.
4272
4273         * stress/spread-optimized-properly.js:
4274
4275 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
4276
4277         [DFG][FTL] Profile array vector length for array allocation
4278         https://bugs.webkit.org/show_bug.cgi?id=177051
4279
4280         Reviewed by Saam Barati.
4281
4282         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4283         (target):
4284
4285 2017-09-22  Commit Queue  <commit-queue@webkit.org>
4286
4287         Unreviewed, rolling out r222380.
4288         https://bugs.webkit.org/show_bug.cgi?id=177352
4289
4290         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
4291         #webkit).
4292
4293         Reverted changeset:
4294
4295         "[DFG][FTL] Profile array vector length for array allocation"
4296         https://bugs.webkit.org/show_bug.cgi?id=177051
4297         http://trac.webkit.org/changeset/222380
4298
4299 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
4300
4301         [DFG][FTL] Profile array vector length for array allocation
4302         https://bugs.webkit.org/show_bug.cgi?id=177051
4303
4304         Reviewed by Saam Barati.
4305
4306         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4307         (target):
4308
4309 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
4310
4311         Skip new hanging test262 tests.
4312         https://bugs.webkit.org/show_bug.cgi?id=177326
4313
4314         Unreviewed test gardening.
4315
4316         * test262.yaml:
4317
4318 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
4319
4320         Mark 6 test262 tests as passing.
4321         https://bugs.webkit.org/show_bug.cgi?id=177307
4322
4323         Unreviewed test gardening.
4324
4325         * test262.yaml:
4326
4327 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4328
4329         Unreviewed follow-up to r222311.
4330
4331         * test262/harness/sta.js:
4332         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
4333         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
4334         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
4335         * test262/test/built-ins/Array/from/elements-added-after.js:
4336         * test262/test/built-ins/Array/from/elements-deleted-after.js:
4337         * test262/test/built-ins/Array/from/elements-updated-after.js:
4338         * test262/test/built-ins/Array/from/from-array.js:
4339         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
4340         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
4341         * test262/test/built-ins/Array/from/source-array-boundary.js:
4342         * test262/test/built-ins/Array/from/source-object-constructor.js:
4343         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
4344         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
4345         * test262/test/built-ins/Array/from/source-object-length.js:
4346         * test262/test/built-ins/Array/from/source-object-missing.js:
4347         * test262/test/built-ins/Array/from/source-object-without.js:
4348         * test262/test/built-ins/Array/from/this-null.js:
4349         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
4350         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
4351         * test262/test/language/literals/numeric/7.8.3-1gs.js:
4352         * test262/test/language/literals/numeric/7.8.3-2gs.js:
4353         * test262/test/language/literals/numeric/7.8.3-3gs.js:
4354         * test262/test/language/literals/regexp/7.8.5-1gs.js:
4355         * test262/test/language/literals/string/7.8.4-1gs.js:
4356         Fix some files that I failed to update when I applied my patch.
4357
4358 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4359
4360         Update test262 tests
4361         https://bugs.webkit.org/show_bug.cgi?id=177220
4362
4363         Reviewed by Saam Barati and Yusuke Suzuki.
4364
4365         * test262.yaml:
4366         * test262/test262-Revision.txt:
4367         New rebaselined expectations for all tests.
4368
4369         * test262/*:
4370         Updated.
4371
4372 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
4373
4374         [DFG] Remove ToThis more aggressively
4375         https://bugs.webkit.org/show_bug.cgi?id=177056
4376
4377         Reviewed by Saam Barati.
4378
4379         * stress/generator-with-this-strict.js: Added.
4380         (shouldBe):
4381         (generator):
4382         (target):
4383         * stress/generator-with-this.js: Added.
4384         (shouldBe):
4385         (generator):
4386         (target):
4387
4388 2017-09-17  Michael Saboff  <msaboff@apple.com>
4389
4390         https://bugs.webkit.org/show_bug.cgi?id=177038
4391         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
4392
4393         Reviewed by JF Bastien.
4394
4395         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
4396         as it dies using too much memory.
4397
4398 2017-09-15  Saam Barati  <sbarati@apple.com>
4399
4400         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
4401         https://bugs.webkit.org/show_bug.cgi?id=176981
4402
4403         Reviewed by Yusuke Suzuki.
4404
4405         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
4406         (assert):
4407         (verify):
4408         (func):
4409         (