Handle more JSON stringify OOM
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-20  JF Bastien  <jfbastien@apple.com>
2
3         Handle more JSON stringify OOM
4         https://bugs.webkit.org/show_bug.cgi?id=184846
5         <rdar://problem/39390672>
6
7         Reviewed by Mark Lam.
8
9         * stress/json-stringified-overflow-2.js: Added. Same as the one
10         below, but with a bigger input which will trigger a different code
11         path.
12         (catch):
13         * stress/json-stringified-overflow.js: Modify the test to only
14         catch OOM on stringification, not on string creation.
15
16 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
17
18         [WebAssembly][Modules] Import tables in wasm modules
19         https://bugs.webkit.org/show_bug.cgi?id=184738
20
21         Reviewed by JF Bastien.
22
23         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
24         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
25         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
26         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
27         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
28         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
29         * wasm/modules/wasm-imports-wasm-exports.js:
30         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
31         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
32         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
33         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
34
35 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
36
37         [WebAssembly][Modules] Import globals from wasm modules
38         https://bugs.webkit.org/show_bug.cgi?id=184736
39
40         Reviewed by JF Bastien.
41
42         * wasm.yaml:
43         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
44         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
45         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
46         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
47         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
48         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
49         * wasm/modules/wasm-imports-wasm-exports.js:
50         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
51         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
52         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
53         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
54
55 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
56
57         Unreviewed, reland r230697, r230720, and r230724.
58         https://bugs.webkit.org/show_bug.cgi?id=184600
59
60         * wasm.yaml:
61         * wasm/modules/constant.wasm: Added.
62         * wasm/modules/constant.wat: Added.
63         * wasm/modules/default-import-star-error.js: Added.
64         (then):
65         * wasm/modules/default-import-star-error/entry.wasm: Added.
66         * wasm/modules/default-import-star-error/entry.wat: Added.
67         * wasm/modules/default-import-star-error/t0.js: Added.
68         * wasm/modules/default-import-star-error/t1.js: Added.
69         * wasm/modules/default-import-star-error/t2.js: Added.
70         (export.default.Cocoa):
71         * wasm/modules/js-wasm-cycle.js: Added.
72         * wasm/modules/js-wasm-cycle/entry.js: Added.
73         (from.string_appeared_here.export.return42):
74         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
75         * wasm/modules/js-wasm-cycle/sum.wat: Added.
76         * wasm/modules/js-wasm-function-namespace.js: Added.
77         (assert.throws):
78         * wasm/modules/js-wasm-function.js: Added.
79         (assert.throws):
80         * wasm/modules/js-wasm-global-namespace.js: Added.
81         (assert.throws):
82         * wasm/modules/js-wasm-global.js: Added.
83         (assert.throws):
84         * wasm/modules/js-wasm-memory-namespace.js: Added.
85         (assert.throws):
86         * wasm/modules/js-wasm-memory.js: Added.
87         (assert.throws):
88         * wasm/modules/js-wasm-start.js: Added.
89         (then):
90         * wasm/modules/js-wasm-table-namespace.js: Added.
91         (assert.throws):
92         * wasm/modules/js-wasm-table.js: Added.
93         (assert.throws):
94         * wasm/modules/memory.wasm: Added.
95         * wasm/modules/memory.wat: Added.
96         * wasm/modules/run-from-wasm.wasm: Added.
97         * wasm/modules/run-from-wasm.wat: Added.
98         * wasm/modules/run-from-wasm/check.js: Added.
99         (export.check):
100         * wasm/modules/start.wasm: Added.
101         * wasm/modules/start.wat: Added.
102         * wasm/modules/sum.wasm: Added.
103         * wasm/modules/sum.wat: Added.
104         * wasm/modules/table.wasm: Added.
105         * wasm/modules/table.wat: Added.
106         * wasm/modules/wasm-imports-js-exports.js: Added.
107         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
108         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
109         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
110         (export.sum):
111         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
112         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
113         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
114         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
115         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
116         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
117         * wasm/modules/wasm-imports-wasm-exports.js: Added.
118         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
119         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
120         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
121         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
122         * wasm/modules/wasm-js-cycle.js: Added.
123         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
124         * wasm/modules/wasm-js-cycle/entry.wat: Added.
125         * wasm/modules/wasm-js-cycle/sum.js: Added.
126         (from.string_appeared_here.export.sum):
127         * wasm/modules/wasm-wasm-cycle.js: Added.
128         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
129         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
130         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
131         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
132
133 2018-04-17  Commit Queue  <commit-queue@webkit.org>
134
135         Unreviewed, rolling out r230697, r230720, and r230724.
136         https://bugs.webkit.org/show_bug.cgi?id=184717
137
138         These caused multiple failures on the Test262 testers.
139         (Requested by mlewis13 on #webkit).
140
141         Reverted changesets:
142
143         "[WebAssembly][Modules] Prototype wasm import"
144         https://bugs.webkit.org/show_bug.cgi?id=184600
145         https://trac.webkit.org/changeset/230697
146
147         "[WebAssembly][Modules] Implement function import from wasm
148         modules"
149         https://bugs.webkit.org/show_bug.cgi?id=184689
150         https://trac.webkit.org/changeset/230720
151
152         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
153         https://bugs.webkit.org/show_bug.cgi?id=184703
154         https://trac.webkit.org/changeset/230724
155
156 2018-04-17  JF Bastien  <jfbastien@apple.com>
157
158         A put is not an ExistingProperty put when we transition a structure because of an attributes change
159         https://bugs.webkit.org/show_bug.cgi?id=184706
160         <rdar://problem/38871451>
161
162         Reviewed by Saam Barati.
163
164         * stress/put-by-id-direct-strict-transition.js: Added.
165         (const.foo):
166         (j.const.obj.set hello):
167         * stress/put-by-id-direct-transition.js: Added.
168         (const.foo):
169         (j.const.obj.set hello):
170         * stress/put-getter-setter-by-id-strict-transition.js: Added.
171         (const.foo):
172         (j.const.obj.set hello):
173         * stress/put-getter-setter-by-id-transition.js: Added.
174         (const.foo):
175         (j.const.obj.set hello):
176
177 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
178
179         PutStackSinkingPhase should know that KillStack means ConflictingFlush
180         https://bugs.webkit.org/show_bug.cgi?id=184672
181
182         Reviewed by Michael Saboff.
183
184         * stress/sink-put-stack-over-kill-stack.js: Added.
185         (avocado_1):
186         (apricot_0):
187         (__c_0):
188         (banana_2):
189
190 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
191
192         [JSC] Rename runWebAssembly to runWebAssemblySuite
193         https://bugs.webkit.org/show_bug.cgi?id=184703
194
195         Reviewed by JF Bastien.
196
197         And add runWebAssembly as a command to simply run wasm modules.
198
199         * wasm.yaml:
200
201 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
202
203         [WebAssembly][Modules] Implement function import from wasm modules
204         https://bugs.webkit.org/show_bug.cgi?id=184689
205
206         Reviewed by JF Bastien.
207
208         * wasm.yaml:
209         * wasm/modules/js-wasm-cycle.js: Added.
210         * wasm/modules/js-wasm-cycle/entry.js: Added.
211         (from.string_appeared_here.export.return42):
212         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
213         * wasm/modules/js-wasm-cycle/sum.wat: Added.
214         * wasm/modules/run-from-wasm.wasm: Added.
215         * wasm/modules/run-from-wasm.wat: Added.
216         * wasm/modules/run-from-wasm/check.js: Added.
217         (export.check):
218         * wasm/modules/wasm-imports-js-exports.js: Added.
219         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
220         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
221         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
222         (export.sum):
223         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
224         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
225         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
226         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
227         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
228         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
229         * wasm/modules/wasm-imports-wasm-exports.js: Added.
230         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
231         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
232         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
233         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
234         * wasm/modules/wasm-js-cycle.js: Added.
235         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
236         * wasm/modules/wasm-js-cycle/entry.wat: Added.
237         * wasm/modules/wasm-js-cycle/sum.js: Added.
238         (from.string_appeared_here.export.sum):
239         * wasm/modules/wasm-wasm-cycle.js: Added.
240         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
241         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
242         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
243         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
244
245 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
246
247         [WebAssembly][Modules] Prototype wasm import
248         https://bugs.webkit.org/show_bug.cgi?id=184600
249
250         Reviewed by JF Bastien.
251
252         Add wasm and wat files since the module loader wants to load wasm files from FS.
253         Currently, importing the other modules from wasm is not supported.
254
255         * wasm.yaml:
256         * wasm/modules/constant.wasm: Added.
257         * wasm/modules/constant.wat: Added.
258         * wasm/modules/js-wasm-function-namespace.js: Added.
259         (assert.throws):
260         * wasm/modules/js-wasm-function.js: Added.
261         (assert.throws):
262         * wasm/modules/js-wasm-global-namespace.js: Added.
263         (assert.throws):
264         * wasm/modules/js-wasm-global.js: Added.
265         (assert.throws):
266         * wasm/modules/js-wasm-memory-namespace.js: Added.
267         (assert.throws):
268         * wasm/modules/js-wasm-memory.js: Added.
269         (assert.throws):
270         * wasm/modules/js-wasm-start.js: Added.
271         (then):
272         * wasm/modules/js-wasm-table-namespace.js: Added.
273         (assert.throws):
274         * wasm/modules/js-wasm-table.js: Added.
275         (assert.throws):
276         * wasm/modules/memory.wasm: Added.
277         * wasm/modules/memory.wat: Added.
278         * wasm/modules/start.wasm: Added.
279         * wasm/modules/start.wat: Added.
280         * wasm/modules/sum.wasm: Added.
281         * wasm/modules/sum.wat: Added.
282         * wasm/modules/table.wasm: Added.
283         * wasm/modules/table.wat: Added.
284
285 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
286
287         Function.prototype.caller shouldn't return generator bodies
288         https://bugs.webkit.org/show_bug.cgi?id=184630
289
290         Reviewed by Yusuke Suzuki.
291
292         * stress/function-caller-async-arrow-function-body.js: Added.
293         * stress/function-caller-async-function-body.js: Added.
294         * stress/function-caller-async-generator-body.js: Added.
295         * stress/function-caller-generator-body.js: Added.
296         * stress/function-caller-generator-method-body.js: Added.
297
298 2018-04-12  Tomas Popela  <tpopela@redhat.com>
299
300         Unreviewed, skip JIT tests if it isn't enabled
301
302         See https://bugs.webkit.org/show_bug.cgi?id=182730.
303
304         * stress/big-int-spec-to-primitive.js:
305         * stress/big-int-spec-to-this.js:
306
307 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
308
309         [ESNext][BigInt] Add support for BigInt in SpeculatedType
310         https://bugs.webkit.org/show_bug.cgi?id=182470
311
312         Reviewed by Saam Barati.
313
314         * stress/big-int-spec-to-primitive.js: Added.
315         * stress/big-int-spec-to-this.js: Added.
316         * stress/big-int-strict-equals-jit.js: Added.
317         * stress/big-int-strict-spec-to-this.js: Added.
318         * stress/big-int-type-of-proven-type.js: Added.
319
320 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
321
322         DFG AI and clobberize should agree with each other
323         https://bugs.webkit.org/show_bug.cgi?id=184440
324
325         Reviewed by Saam Barati.
326         
327         Add tests for all of the bugs I fixed.
328
329         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
330         (foo):
331         * stress/new-typed-array-cse-effects.js: Added.
332         (foo):
333         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
334         (foo.theO):
335         (foo):
336         * stress/string-from-char-code-change-structure-not-dead.js: Added.
337         (foo):
338         (i.valueOf):
339         (weirdValue.valueOf):
340         * stress/string-from-char-code-change-structure.js: Added.
341         (foo):
342         (i.valueOf):
343         (weirdValue.valueOf):
344
345 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
346
347         Fix errant Test262 files CRLF to LF for consistency with the original source
348         https://bugs.webkit.org/show_bug.cgi?id=184425
349
350         Reviewed by Yusuke Suzuki.
351
352         * test262/test/built-ins/Math/acosh/nan-returns.js:
353         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
354         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
355         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
356         * test262/test/built-ins/Math/cbrt/prop-desc.js:
357         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
358         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
359         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
360         * test262/test/built-ins/Math/log2/log2-basicTests.js:
361         * test262/test/built-ins/Math/sign/sign-specialVals.js:
362         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
363         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
364         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
365         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
366
367 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
368
369         Unreviewed, remove incorrect entry in test262.yaml
370         https://bugs.webkit.org/show_bug.cgi?id=184266
371
372         * test262.yaml:
373
374 2018-04-08  Valerie Young  <valerie@bocoup.com>
375
376         [JSC] Update Test262 to April 6 version
377         https://bugs.webkit.org/show_bug.cgi?id=184266
378
379         Rubber stamped by Yusuke Suzuki.
380
381 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
382
383         [JSC] Introduce op_get_by_id_direct
384         https://bugs.webkit.org/show_bug.cgi?id=183970
385
386         Reviewed by Filip Pizlo.
387
388         * stress/generator-prototype-copy.js: Added.
389         (gen):
390         (catch):
391         Adopted JF's tests.
392
393         * stress/generator-type-check.js: Added.
394         (shouldThrow):
395         (foo2):
396         (i.shouldThrow):
397         * stress/get-by-id-direct-getter.js: Added.
398         (shouldBe):
399         (shouldThrow):
400         (obj.get hello):
401         (builtin.createBuiltin):
402         (obj2.get length):
403         * stress/get-by-id-direct.js: Added.
404         (shouldBe):
405         (shouldThrow):
406         (builtin.createBuiltin):
407         * test262.yaml:
408         We fixed a long-standing spec compatibility issue.
409         As a result, this patch makes several test262 tests pass!
410
411
412 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
413
414         Unreviewed, annotate test with @skip if $memoryLimited
415         https://bugs.webkit.org/show_bug.cgi?id=183894
416
417         * stress/json-stringified-overflow.js:
418
419 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
420
421         Add svn:eol-style to line-terminator-normalisation-CR.js
422         https://bugs.webkit.org/show_bug.cgi?id=184341
423
424         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
425
426 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
427
428         Unreviewed, remove errant LF from existing test262 test for CR line endings.
429
430         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
431
432 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
433
434         Unreviewed, rolling out r230320.
435
436         Revert fix, as the root cause lies elsewhere.
437
438         Reverted changeset:
439
440         "[test262] Mark line-terminator-normalisation-CR.js as a
441         binary file."
442         https://bugs.webkit.org/show_bug.cgi?id=184341
443         https://trac.webkit.org/changeset/230320
444
445 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
446
447         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
448         https://bugs.webkit.org/show_bug.cgi?id=184341
449
450         Reviewed by Yusuke Suzuki.
451
452         This test is all about CR line endings, but `svn-apply` can't deal with them.
453         Treating the file as binary ensures that its contents are never shown in a diff.
454
455         * .gitattributes: Added.
456
457 2018-04-05  Robin Morisset  <rmorisset@apple.com>
458
459         Fix testcase (missing try/catch).
460         https://bugs.webkit.org/show_bug.cgi?id=183657
461
462         Unreviewed.
463
464         * stress/large-unshift-splice.js:
465
466 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
467
468         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
469         https://bugs.webkit.org/show_bug.cgi?id=184319
470
471         Reviewed by Saam Barati.
472
473         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
474         (foo):
475         (bar):
476         * stress/array-push-nan-to-double-array.js: Added.
477         (foo):
478         (bar):
479
480 2018-04-03  Mark Lam  <mark.lam@apple.com>
481
482         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
483         https://bugs.webkit.org/show_bug.cgi?id=184284
484
485         Reviewed by Saam Barati.
486
487         * stress/js-fixed-array-out-of-memory.js:
488
489 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
490
491         JSC crash in JIT code with for-of loop and Array/Set iterators
492         https://bugs.webkit.org/show_bug.cgi?id=183174
493
494         Reviewed by Saam Barati.
495
496         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
497         (foo):
498         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
499         (f):
500
501 2018-03-30  JF Bastien  <jfbastien@apple.com>
502
503         WebAssembly: support DataView compilation
504         https://bugs.webkit.org/show_bug.cgi?id=183342
505
506         Reviewed by Mark Lam.
507
508         Test WebAssembly compilation using a DataView with offset.
509
510         * wasm/regress/183342.js: Added.
511         (attempt.catch):
512
513 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
514
515         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
516         https://bugs.webkit.org/show_bug.cgi?id=184189
517
518         Reviewed by JF Bastien.
519
520         * stress/load-hole-from-scope-into-live-var.js: Added.
521         (result.eval.try.switch):
522         (catch):
523
524 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
525
526         Unreviewed, rolling out r230102.
527
528         Caused assertion failures on JSC bots.
529
530         Reverted changeset:
531
532         "A stack overflow in the parsing of a builtin (called by
533         createExecutable) cause a crash instead of a catchable js
534         exception"
535         https://bugs.webkit.org/show_bug.cgi?id=184074
536         https://trac.webkit.org/changeset/230102
537
538 2018-03-30  Robin Morisset  <rmorisset@apple.com>
539
540         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
541         https://bugs.webkit.org/show_bug.cgi?id=183812
542
543         Reviewed by Keith Miller.
544
545         * stress/inlining-unreachable-non-tail.js: Added.
546         (foo.):
547         (foo):
548
549 2018-03-30  Robin Morisset  <rmorisset@apple.com>
550
551         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
552         https://bugs.webkit.org/show_bug.cgi?id=184074
553         <rdar://problem/37165897>
554
555         Reviewed by Keith Miller.
556
557         * stress/stack-overflow-while-parsing-builtin.js: Added.
558         (f):
559
560 2018-03-30  Robin Morisset  <rmorisset@apple.com>
561
562         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
563         https://bugs.webkit.org/show_bug.cgi?id=183657
564
565         Reviewed by Keith Miller.
566
567         * stress/large-unshift-splice.js: Added.
568         (make_contig_arr):
569
570 2018-03-28  Robin Morisset  <rmorisset@apple.com>
571
572         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
573         https://bugs.webkit.org/show_bug.cgi?id=183894
574
575         Reviewed by Saam Barati.
576
577         * stress/json-stringified-overflow.js: Added.
578         (catch):
579
580 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
581
582         DFG should know that CreateThis can be effectful
583         https://bugs.webkit.org/show_bug.cgi?id=184013
584
585         Reviewed by Saam Barati.
586
587         * stress/create-this-property-change.js: Added.
588         (Foo):
589         (RealBar):
590         (get if):
591         * stress/create-this-structure-change-without-cse.js: Added.
592         (Foo):
593         (RealBar):
594         (get if):
595         * stress/create-this-structure-change.js: Added.
596         (Foo):
597         (RealBar):
598         (get if):
599
600 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
601
602         [DFG] Introduces fused compare and jump
603         https://bugs.webkit.org/show_bug.cgi?id=177100
604
605         Reviewed by Mark Lam.
606
607         * stress/fused-jeq-slow.js: Added.
608         (shouldBe):
609         (testJEQ):
610         (testJNEQB):
611         (testJEQB):
612         (testJNEQF):
613         (testJEQF):
614         * stress/fused-jeq.js: Added.
615         (shouldBe):
616         (testJEQ):
617         (testJNEQB):
618         (testJEQB):
619         (testJNEQF):
620         (testJEQF):
621         * stress/fused-jstricteq-slow.js: Added.
622         (shouldBe):
623         (testJSTRICTEQ):
624         (testJNSTRICTEQB):
625         (testJSTRICTEQB):
626         (testJNSTRICTEQF):
627         (testJSTRICTEQF):
628         * stress/fused-jstricteq.js: Added.
629         (shouldBe):
630         (testJSTRICTEQ):
631         (testJNSTRICTEQB):
632         (testJSTRICTEQB):
633         (testJNSTRICTEQF):
634         (testJSTRICTEQF):
635
636 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
637
638         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
639         https://bugs.webkit.org/show_bug.cgi?id=183559
640
641         Reviewed by Mark Lam.
642
643         * stress/double-to-string-in-loop-removed.js: Added.
644         (test):
645         * stress/int32-to-string-in-loop-removed.js: Added.
646         (test):
647         * stress/int52-to-string-in-loop-removed.js: Added.
648         (test):
649
650 2018-03-22  Michael Saboff  <msaboff@apple.com>
651
652         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
653         https://bugs.webkit.org/show_bug.cgi?id=183901
654
655         Reviewed by Keith Miller.
656
657         New test.
658
659         * stress/array-reverse-doesnt-clobber.js: Added.
660         (testArrayReverse):
661         (createArrayOfArrays):
662         (createArrayStorage):
663
664 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
665
666         ScopedArguments should do poisoning and index masking
667         https://bugs.webkit.org/show_bug.cgi?id=183863
668
669         Reviewed by Mark Lam.
670         
671         Adds another stress test of scoped arguments.
672
673         * stress/scoped-arguments-test.js: Added.
674         (foo):
675
676 2018-03-20  Saam Barati  <sbarati@apple.com>
677
678         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
679         https://bugs.webkit.org/show_bug.cgi?id=183795
680         <rdar://problem/38298694>
681
682         Reviewed by JF Bastien.
683
684         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
685         (foo):
686         (bar):
687
688 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
689
690         [DFG][FTL] Add vectorLengthHint for NewArray
691         https://bugs.webkit.org/show_bug.cgi?id=183694
692
693         Reviewed by Saam Barati.
694
695         * stress/vector-length-hint-array-constructor.js: Added.
696         (shouldBe):
697         (test):
698         * stress/vector-length-hint-new-array.js: Added.
699         (shouldBe):
700         (test):
701
702 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
703
704         [DFG][FTL] Make ArraySlice(0) code tight
705         https://bugs.webkit.org/show_bug.cgi?id=183590
706
707         Reviewed by Saam Barati.
708
709         * stress/array-slice-with-zero.js: Added.
710         (shouldBe):
711         (test):
712         (test2):
713         * stress/array-slice-zero-args.js: Added.
714         (shouldBe):
715         (test):
716
717 2018-03-14  Caitlin Potter  <caitp@igalia.com>
718
719         [JSC] fix order of evaluation for ClassDefinitionEvaluation
720         https://bugs.webkit.org/show_bug.cgi?id=183523
721
722         Reviewed by Keith Miller.
723
724         Computed property names need to be evaluated in source order during class
725         definition evaluation, as it's observable (and specified to work this way).
726
727         This change improves compatibility with Chromium.
728
729         * stress/class_elements.js: Added.
730         (test):
731         (test.C.prototype.effect):
732         (test.C.effect):
733         (test.C.prototype.get effect):
734         (test.C.prototype.set effect):
735         (test.C):
736
737 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
738
739         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
740         https://bugs.webkit.org/show_bug.cgi?id=183310
741
742         Reviewed by Filip Pizlo.
743
744         * stress/ai-create-this-to-new-object-fire.js: Added.
745         (assert):
746         (test):
747         (func):
748         (check):
749         (test.body.A):
750         (test.body.B):
751         (test.body):
752         * stress/ai-create-this-to-new-object.js: Added.
753         (assert):
754         (test):
755         (func):
756         (check):
757         (test.body.A):
758         (test.body.B):
759         (test.body):
760
761 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
762
763         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
764         https://bugs.webkit.org/show_bug.cgi?id=181848
765
766         Reviewed by Sam Weinig.
767
768         * microbenchmarks/regexp-u-global-es5.js: Added.
769         (fn):
770         * microbenchmarks/regexp-u-global-es6.js: Added.
771         (fn):
772         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
773         (shouldBe):
774         (test):
775         (i.switch):
776         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
777         (shouldBe):
778         (test):
779
780 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
781
782         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
783         https://bugs.webkit.org/show_bug.cgi?id=183334
784
785         Reviewed by Žan Doberšek.
786
787         * stress/var-injection-cache-invalidation.js:
788
789 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
790
791         [ARM] Disable tests that run out of memory
792         https://bugs.webkit.org/show_bug.cgi?id=182699
793
794         Reviewed by Žan Doberšek.
795
796         Skip tests that run out of memory. Do not run
797         modules/module-jit-reachability.js without LLInt to prevent
798         running out of executable memory.
799
800         * modules.yaml:
801         * modules/module-jit-reachability.js:
802         * stress/has-own-property-name-cache-string-keys.js:
803         * stress/has-own-property-name-cache-symbol-keys.js:
804
805 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
806
807         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
808         https://bugs.webkit.org/show_bug.cgi?id=183173
809
810         Reviewed by Saam Barati.
811
812         * stress/async-arrow-function-in-class-heritage.js: Added.
813         (testSyntax):
814         (testSyntaxError):
815         (SyntaxError):
816
817 2018-03-01  Saam Barati  <sbarati@apple.com>
818
819         We need to clear cached structures when having a bad time
820         https://bugs.webkit.org/show_bug.cgi?id=183256
821         <rdar://problem/36245022>
822
823         Reviewed by Mark Lam.
824
825         * stress/having-a-bad-time-with-derived-arrays.js: Added.
826         (assert):
827         (defineSetter):
828         (iterate):
829         (doSlice):
830
831 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
832
833         JSC crash with `import("")`
834         https://bugs.webkit.org/show_bug.cgi?id=183175
835
836         Reviewed by Saam Barati.
837
838         * stress/import-with-empty-string.js: Added.
839
840 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
841
842         Unreviewed, skip FTL tests if FTL is disabled
843         https://bugs.webkit.org/show_bug.cgi?id=183071
844
845         * stress/has-indexed-property-array-storage-ftl.js:
846         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
847
848 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
849
850         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
851         https://bugs.webkit.org/show_bug.cgi?id=182965
852
853         Reviewed by Saam Barati.
854
855         * stress/put-by-val-array-storage.js: Added.
856         (shouldBe):
857         (testArrayStorageInBounds):
858         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
859         (shouldBe):
860         (testInt32.createBuiltin):
861         (set for):
862         * stress/put-by-val-slow-put-array-storage.js: Added.
863         (shouldBe):
864         (testArrayStorageInBounds):
865
866 2018-02-26  Saam Barati  <sbarati@apple.com>
867
868         validateStackAccess should not validate if the offset is within the stack bounds
869         https://bugs.webkit.org/show_bug.cgi?id=183067
870         <rdar://problem/37749988>
871
872         Reviewed by Mark Lam.
873
874         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
875         (assert):
876         (test.a):
877         (test.b):
878         (test):
879
880 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
881
882         Unreviewed, skip FTL tests if FTL is disabled
883         https://bugs.webkit.org/show_bug.cgi?id=183071
884
885         * stress/has-indexed-property-array-storage-ftl.js:
886         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
887
888 2018-02-23  Saam Barati  <sbarati@apple.com>
889
890         Make Number.isInteger an intrinsic
891         https://bugs.webkit.org/show_bug.cgi?id=183088
892
893         Reviewed by JF Bastien.
894
895         * stress/number-is-integer-intrinsic.js: Added.
896
897 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
898
899         WebAssembly: cache memory address / size on instance
900         https://bugs.webkit.org/show_bug.cgi?id=177305
901
902         Reviewed by JF Bastien.
903
904         * wasm/function-tests/memory-reuse.js: Added.
905         (createWasmInstance):
906         (doCheckTrap):
907         (doMemoryGrow):
908         (doCheck):
909         (checkWasmInstancesWithSharedMemory):
910
911 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
912
913         [JSC] Implement $vm.ftlTrue function for FTL testing
914         https://bugs.webkit.org/show_bug.cgi?id=183071
915
916         Reviewed by Mark Lam.
917
918         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
919         (foo):
920         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
921         (foo):
922         * stress/dead-fiat-value-to-int52.js:
923         (foo):
924         * stress/dead-osr-entry-value.js:
925         (foo):
926         * stress/fiat-value-to-int52-then-exit-not-double.js:
927         (foo):
928         * stress/fiat-value-to-int52-then-exit-not-int52.js:
929         (foo):
930         * stress/fiat-value-to-int52-then-fail-to-fold.js:
931         (foo):
932         * stress/fiat-value-to-int52-then-fold.js:
933         (foo):
934         * stress/fiat-value-to-int52.js:
935         (foo):
936         * stress/fold-based-on-int32-proof-mul-branch.js:
937         (foo):
938         * stress/fold-profiled-call-to-call.js:
939         (foo):
940         * stress/fold-to-double-constant-then-exit.js:
941         (foo):
942         * stress/fold-to-int52-constant-then-exit.js:
943         (foo):
944         * stress/fold-to-primitive-in-cfa.js:
945         (foo):
946         * stress/fold-to-primitive-to-identity-in-cfa.js:
947         (foo):
948         * stress/has-indexed-property-array-storage-ftl.js: Added.
949         (shouldBe):
950         (test1):
951         (test2):
952         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
953         (shouldBe):
954         (test1):
955         (test2):
956         * stress/int52-ai-add-then-filter-int32.js:
957         (foo):
958         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
959         (foo):
960         * stress/int52-ai-mul-then-filter-int32.js:
961         (foo):
962         * stress/int52-ai-neg-then-filter-int32.js:
963         (foo):
964         * stress/int52-ai-sub-then-filter-int32.js:
965         (foo):
966         * stress/licm-pre-header-cannot-exit-nested.js:
967         (foo):
968         * stress/licm-pre-header-cannot-exit.js:
969         (foo):
970         * stress/sparse-array-entry-update-144067.js:
971         (useMemoryToTriggerGCs):
972         * stress/test-spec-misc.js:
973         (foo):
974         * stress/tricky-array-bounds-checks.js:
975         (foo):
976
977 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
978
979         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
980         https://bugs.webkit.org/show_bug.cgi?id=182792
981
982         Reviewed by Mark Lam.
983
984         * stress/has-indexed-property-array-storage.js: Added.
985         (shouldBe):
986         (test1):
987         (test2):
988         * stress/has-indexed-property-slow-put-array-storage.js: Added.
989         (shouldBe):
990         (test1):
991         (test2):
992
993 2018-02-20  Saam Barati  <sbarati@apple.com>
994
995         DFG::VarargsForwardingPhase should eliminate getting argument length
996         https://bugs.webkit.org/show_bug.cgi?id=182959
997
998         Reviewed by Keith Miller.
999
1000         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1001
1002 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1003
1004         [FTL] Support ArrayPush for ArrayStorage
1005         https://bugs.webkit.org/show_bug.cgi?id=182782
1006
1007         Reviewed by Saam Barati.
1008
1009         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1010
1011         * stress/array-push-array-storage-beyond-int32.js: Added.
1012         (shouldBe):
1013         (test):
1014         * stress/array-push-array-storage.js: Added.
1015         (shouldBe):
1016         (test):
1017         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1018         (shouldBe):
1019         (test):
1020         * stress/array-push-multiple-storage-continuous.js: Added.
1021         (shouldBe):
1022         (test):
1023
1024 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1025
1026         [FTL] Support ArrayPop for ArrayStorage
1027         https://bugs.webkit.org/show_bug.cgi?id=182783
1028
1029         Reviewed by Saam Barati.
1030
1031         * stress/array-pop-array-storage.js: Added.
1032         (shouldBe):
1033         (test):
1034
1035 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1036
1037         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1038         https://bugs.webkit.org/show_bug.cgi?id=182731
1039
1040         Reviewed by Saam Barati.
1041
1042         * stress/arrayify-array-storage-array.js: Added.
1043         (shouldBe):
1044         (testArrayStorage):
1045         * stress/arrayify-array-storage-non-array.js: Added.
1046         (shouldBe):
1047         (testArrayStorage):
1048         * stress/arrayify-array-storage.js: Added.
1049         (shouldBe):
1050         (testArrayStorage):
1051         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1052         (shouldBe):
1053         (testArrayStorage):
1054         * stress/arrayify-slow-put-array-storage.js: Added.
1055         (shouldBe):
1056         (testArrayStorage):
1057
1058 2018-02-19  Saam Barati  <sbarati@apple.com>
1059
1060         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1061         https://bugs.webkit.org/show_bug.cgi?id=182942
1062         <rdar://problem/37584764>
1063
1064         Reviewed by Mark Lam.
1065
1066         * stress/get-prototype-create-this-effectful.js: Added.
1067
1068 2018-02-16  Saam Barati  <sbarati@apple.com>
1069
1070         Fix bugs from r228411
1071         https://bugs.webkit.org/show_bug.cgi?id=182851
1072         <rdar://problem/37577732>
1073
1074         Reviewed by JF Bastien.
1075
1076         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1077
1078 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1079
1080         Unreviewed, roll out r228366 since it did not progress anything.
1081
1082         * stress/gc-error-stack.js: Removed.
1083         * stress/no-gc-error-stack.js: Removed.
1084
1085 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1086
1087         Many stress tests fail with JIT disabled
1088         https://bugs.webkit.org/show_bug.cgi?id=182730
1089
1090         Reviewed by Saam Barati.
1091
1092         These tests are broken by design if the JIT is disabled - they test
1093         the return value of numberOfDFGCompiles(), which is always set to
1094         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
1095
1096         * stress/arith-abs-on-various-types.js:
1097         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1098         * stress/arith-acos-on-various-types.js:
1099         * stress/arith-acosh-on-various-types.js:
1100         * stress/arith-asin-on-various-types.js:
1101         * stress/arith-asinh-on-various-types.js:
1102         * stress/arith-atan-on-various-types.js:
1103         * stress/arith-atanh-on-various-types.js:
1104         * stress/arith-cbrt-on-various-types.js:
1105         * stress/arith-ceil-on-various-types.js:
1106         * stress/arith-clz32-on-various-types.js:
1107         * stress/arith-cos-on-various-types.js:
1108         * stress/arith-cosh-on-various-types.js:
1109         * stress/arith-expm1-on-various-types.js:
1110         * stress/arith-floor-on-various-types.js:
1111         * stress/arith-fround-on-various-types.js:
1112         * stress/arith-log-on-various-types.js:
1113         * stress/arith-log10-on-various-types.js:
1114         * stress/arith-log2-on-various-types.js:
1115         * stress/arith-negate-on-various-types.js:
1116         * stress/arith-round-on-various-types.js:
1117         * stress/arith-sin-on-various-types.js:
1118         * stress/arith-sinh-on-various-types.js:
1119         * stress/arith-sqrt-on-various-types.js:
1120         * stress/arith-tan-on-various-types.js:
1121         * stress/arith-tanh-on-various-types.js:
1122         * stress/arith-trunc-on-various-types.js:
1123         * stress/compare-strict-eq-on-various-types.js:
1124
1125 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1126
1127         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1128
1129         Unreviewed test gardening.
1130
1131         * stress/new-largeish-contiguous-array-with-size.js:
1132
1133 2018-02-14  Saam Barati  <sbarati@apple.com>
1134
1135         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1136         https://bugs.webkit.org/show_bug.cgi?id=182801
1137
1138         Reviewed by Keith Miller.
1139
1140         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1141
1142 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1143
1144         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1145         https://bugs.webkit.org/show_bug.cgi?id=182526
1146
1147         Unreviewed test gardening.
1148
1149         * stress/activation-sink-default-value-tdz-error.js:
1150
1151 2018-02-13  Saam Barati  <sbarati@apple.com>
1152
1153         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1154         https://bugs.webkit.org/show_bug.cgi?id=182755
1155         <rdar://problem/37080864>
1156
1157         Reviewed by Keith Miller.
1158
1159         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1160         (test1.o.get 10005):
1161         (test1):
1162         (test2.o.get 1000):
1163         (test2):
1164
1165 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1166
1167         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1168         https://bugs.webkit.org/show_bug.cgi?id=182717
1169
1170         Reviewed by Yusuke Suzuki.
1171
1172         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1173         literals, to allow template callsite arrays to be collected when the
1174         code containing the tagged template call is collected. This spec change
1175         has received consensus and been ratified.
1176
1177         This change eliminates the eternal map associating template contents
1178         with arrays.
1179
1180         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1181         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1182         * stress/tagged-templates-identity.js:
1183         * stress/template-string-tags-eval.js:
1184         * test262.yaml:
1185
1186 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1187
1188         Support GetArrayLength on ArrayStorage in the FTL
1189         https://bugs.webkit.org/show_bug.cgi?id=182625
1190
1191         Reviewed by Saam Barati.
1192
1193         * stress/array-storage-length.js: Added.
1194         (shouldBe):
1195         (testInBound):
1196         (testUncountable):
1197         (testSlowPutInBound):
1198         (testSlowPutUncountable):
1199         * stress/undecided-length.js: Added.
1200         (shouldBe):
1201         (test2):
1202
1203 2018-02-12  Saam Barati  <sbarati@apple.com>
1204
1205         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1206         https://bugs.webkit.org/show_bug.cgi?id=182706
1207         <rdar://problem/36833681>
1208
1209         Reviewed by Filip Pizlo.
1210
1211         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1212         (effects):
1213         (foo):
1214
1215 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1216
1217         Don't waste memory for error.stack
1218         https://bugs.webkit.org/show_bug.cgi?id=182656
1219
1220         Reviewed by Saam Barati.
1221         
1222         Tests the policy.
1223
1224         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1225         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1226
1227 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1228
1229         [JSC] Update Test262 to Feb 9 version
1230         https://bugs.webkit.org/show_bug.cgi?id=182468
1231
1232         Reviewed by Saam Barati.
1233
1234 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1235
1236         Unreviewed, fix invalid line terminator in old test262 file part 2
1237         https://bugs.webkit.org/show_bug.cgi?id=182468
1238
1239         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1240
1241 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1242
1243         Unreviewed, fix invalid line terminator in old test262 file
1244         https://bugs.webkit.org/show_bug.cgi?id=182468
1245
1246         * test262/test/language/literals/regexp/7.8.5-1.js:
1247
1248 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1251         https://bugs.webkit.org/show_bug.cgi?id=182440
1252
1253         Reviewed by Darin Adler.
1254
1255         * stress/array-flatmap.js: Added.
1256         (shouldBe):
1257         (shouldBeArray):
1258         (shouldThrow):
1259         (var):
1260         * stress/array-flatten.js: Added.
1261         (shouldBe):
1262         (shouldBeArray):
1263         * test262.yaml:
1264         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1265         (3.flatMap):
1266         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1267
1268 2018-02-06  Keith Miller  <keith_miller@apple.com>
1269
1270         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1271         https://bugs.webkit.org/show_bug.cgi?id=182549
1272         <rdar://problem/36189995>
1273
1274         Reviewed by Saam Barati.
1275
1276         * stress/var-injection-cache-invalidation.js: Added.
1277         (allocateLotsOfThings):
1278         (test):
1279
1280 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1281
1282         Unreviewed, follow up for test262 update
1283         https://bugs.webkit.org/show_bug.cgi?id=182288
1284
1285         * test262.yaml:
1286
1287 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1288
1289         Update test262 to Jan 30 version
1290         https://bugs.webkit.org/show_bug.cgi?id=182288
1291
1292         Unreviewed test gardening.
1293
1294         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1295
1296 2018-02-02  Saam Barati  <sbarati@apple.com>
1297
1298         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1299         https://bugs.webkit.org/show_bug.cgi?id=182368
1300         <rdar://problem/36932466>
1301
1302         Reviewed by Mark Lam.
1303
1304         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1305         (runNearStackLimit.t):
1306         (runNearStackLimit):
1307         (try.runNearStackLimit):
1308         (catch):
1309
1310 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1311
1312         Update test262 to Jan 30 version
1313         https://bugs.webkit.org/show_bug.cgi?id=182288
1314
1315         Rubber stamped by Saam Barati.
1316
1317         This patch updates test262 to the latest one, Jan 30 version.
1318         Since added and changed files are too many, we cannot create ChangeLog.
1319         The following files are changed.
1320
1321         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1322         including some special line terminators (like u2028, u2029).
1323
1324         * test262.yaml:
1325         * test262/test262-Revision.txt:
1326         * test262/*:
1327
1328 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1329
1330         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1331         https://bugs.webkit.org/show_bug.cgi?id=182411
1332
1333         Reviewed by Carlos Alberto Lopez Perez.
1334
1335         This is skipped only on arm memory limited platforms. Until recently
1336         it was not a problem on MIPS as the butterfly was not initialized. But
1337         since r227435, the butterfly is initialized in that test and therefore
1338         memory is allocated, and the test typically takes around 512M, which
1339         means it generally gets OOM-killed on the MIPS buildbot.
1340
1341         * mozilla/mozilla-tests.yaml:
1342
1343 2018-02-01  Mark Lam  <mark.lam@apple.com>
1344
1345         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1346         https://bugs.webkit.org/show_bug.cgi?id=182419
1347         <rdar://problem/37044945>
1348
1349         Reviewed by Saam Barati.
1350
1351         * stress/regress-182419.js: Added.
1352
1353 2018-02-01  Keith Miller  <keith_miller@apple.com>
1354
1355         Fix crashes due to mishandling custom sections.
1356         https://bugs.webkit.org/show_bug.cgi?id=182404
1357         <rdar://problem/36935863>
1358
1359         Reviewed by Saam Barati.
1360
1361         * wasm/Builder.js:
1362         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1363         * wasm/js-api/validate.js:
1364         (assert.truthy):
1365
1366 2018-01-31  Saam Barati  <sbarati@apple.com>
1367
1368         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1369         https://bugs.webkit.org/show_bug.cgi?id=182074
1370         <rdar://problem/36846261>
1371
1372         Reviewed by Mark Lam.
1373
1374         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1375         (assert):
1376         (let.func):
1377         (let.o.foo):
1378         (varFunc):
1379
1380 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1381
1382         Unreviewed, update test262 expects
1383         https://bugs.webkit.org/show_bug.cgi?id=182232
1384
1385         * test262.yaml:
1386
1387 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1388
1389         [JSC] Implement trimStart and trimEnd
1390         https://bugs.webkit.org/show_bug.cgi?id=182233
1391
1392         Reviewed by Mark Lam.
1393
1394         * stress/trim.js: Added.
1395         (shouldBe):
1396         (startTest):
1397         (endTest):
1398         (trimTest):
1399
1400 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1401
1402         [JSC] Relax line terminators in String to make JSON subset of JS
1403         https://bugs.webkit.org/show_bug.cgi?id=182232
1404
1405         Reviewed by Keith Miller.
1406
1407         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1408         * stress/relaxed-line-terminators-in-string.js: Added.
1409         (shouldBe):
1410
1411 2018-01-29  Michael Saboff  <msaboff@apple.com>
1412
1413         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1414         https://bugs.webkit.org/show_bug.cgi?id=182249
1415
1416         Reviewed by Keith Miller.
1417
1418         New regression test.
1419
1420         * stress/compare-clobber-untypeduse.js: Added.
1421
1422 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1423
1424         Unreviewed, rolling out r227725.
1425
1426         This caused internal failures.
1427
1428         Reverted changeset:
1429
1430         "JSC Sampling Profiler: Detect tester and testee when sampling
1431         in RegExp JIT"
1432         https://bugs.webkit.org/show_bug.cgi?id=152729
1433         https://trac.webkit.org/changeset/227725
1434
1435 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1436
1437         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1438         https://bugs.webkit.org/show_bug.cgi?id=152729
1439
1440         Reviewed by Saam Barati.
1441
1442         * stress/sampling-profiler-regexp.js: Added.
1443         (platformSupportsSamplingProfiler.test):
1444         (platformSupportsSamplingProfiler.baz):
1445         (platformSupportsSamplingProfiler):
1446
1447 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1448
1449         [DFG][FTL] WeakMap#set should have DFG node
1450         https://bugs.webkit.org/show_bug.cgi?id=180015
1451
1452         Reviewed by Saam Barati.
1453
1454         * stress/weakmap-set-change-get.js: Added.
1455         (shouldBe):
1456         (test):
1457         * stress/weakmap-set-cse.js: Added.
1458         (shouldBe):
1459         (test):
1460         * stress/weakset-add-change-get.js: Added.
1461         (shouldBe):
1462         * stress/weakset-add-cse.js: Added.
1463         (shouldBe):
1464
1465 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1466
1467         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1468         https://bugs.webkit.org/show_bug.cgi?id=182213
1469
1470         Reviewed by Mark Lam.
1471
1472         * stress/int32-min-to-string.js: Added.
1473         (shouldBe):
1474         (test2):
1475         (test4):
1476         (test8):
1477         (test16):
1478         (test32):
1479         * stress/zero-to-string.js: Added.
1480         (shouldBe):
1481         (test2):
1482         (test4):
1483         (test8):
1484         (test16):
1485         (test32):
1486
1487 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1488
1489         Add more module scope related tests with code evaluation by string
1490         https://bugs.webkit.org/show_bug.cgi?id=181983
1491
1492         Reviewed by Sam Weinig.
1493
1494         Add more module scope related tests. When the original tests were landed,
1495         we did not have browser integration. This patch adds more module scope tests
1496         with dynamically created script evaluation. We add tests with Function
1497         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1498
1499         * modules/scopes-eval.js: Added.
1500         (shouldBe):
1501         * modules/scopes.js:
1502         (shouldBe):
1503
1504 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1505
1506         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1507
1508         * microbenchmarks/array-push-3.js: Removed.
1509         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1510         * microbenchmarks/double-to-int32.js: Removed.
1511         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1512         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1513         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1514         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1515         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1516         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1517         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1518         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1519         * microbenchmarks/map-constant-key.js: Removed.
1520         * microbenchmarks/nested-function-parsing.js: Removed.
1521         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1522         * microbenchmarks/spread-large-array.js: Removed.
1523         * microbenchmarks/string-add-constant-folding.js: Removed.
1524         * microbenchmarks/to-lower-case.js: Removed.
1525         * microbenchmarks/undefined-property-access.js: Removed.
1526         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1527         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1528         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1529         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1530         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1531         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1532         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1533         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1534         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1535         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1536         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1537         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1538         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1539         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1540         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1541         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1542         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1543         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1544
1545 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1546
1547         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1548         https://bugs.webkit.org/show_bug.cgi?id=181739
1549         <rdar://problem/36627662>
1550
1551         Reviewed by Saam Barati.
1552
1553         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1554         (foo):
1555         (bar):
1556
1557 2018-01-22  Michael Saboff  <msaboff@apple.com>
1558
1559         DFG abstract interpreter needs to properly model effects of some Math ops
1560         https://bugs.webkit.org/show_bug.cgi?id=181886
1561
1562         Reviewed by Saam Barati.
1563
1564         New regression test.
1565
1566         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1567         (test):
1568
1569 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1570
1571         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1572         https://bugs.webkit.org/show_bug.cgi?id=181182
1573
1574         Reviewed by Darin Adler.
1575
1576         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1577         * stress/big-int-prototype-to-string-exception.js: Added.
1578         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1579         * stress/number-prototype-to-string-cast-overflow.js: Added.
1580         * stress/number-prototype-to-string-exception.js: Added.
1581         * stress/number-prototype-to-string-wrong-values.js: Added.
1582
1583 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1584
1585         Disable Atomics when SharedArrayBuffer isn’t enabled
1586         https://bugs.webkit.org/show_bug.cgi?id=181572
1587
1588         Unreviewed test gardening.
1589
1590         * test262.yaml: Skip tests that fail after this change.
1591
1592 2018-01-19  Saam Barati  <sbarati@apple.com>
1593
1594         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1595         https://bugs.webkit.org/show_bug.cgi?id=181877
1596         <rdar://problem/36630552>
1597
1598         Reviewed by Mark Lam.
1599
1600         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1601         (runNearStackLimit):
1602         (f1):
1603         (f2):
1604         (f3):
1605         (i.catch):
1606         (i.try.runNearStackLimit):
1607         (catch):
1608
1609 2018-01-19  Saam Barati  <sbarati@apple.com>
1610
1611         Spread's effects are modeled incorrectly both in AI and in Clobberize
1612         https://bugs.webkit.org/show_bug.cgi?id=181867
1613         <rdar://problem/36290415>
1614
1615         Reviewed by Michael Saboff.
1616
1617         * stress/ai-needs-to-model-spreads-effects.js: Added.
1618         (try.p.Symbol.iterator):
1619         (try.go):
1620         (catch):
1621         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1622         (assert):
1623         (foo):
1624         (a.Symbol.iterator):
1625
1626 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1627
1628         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1629         https://bugs.webkit.org/show_bug.cgi?id=181535
1630
1631         * stress/inserted-recovery-with-set-last-index.js:
1632
1633 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1634
1635         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1636         https://bugs.webkit.org/show_bug.cgi?id=181535
1637
1638         Reviewed by Saam Barati.
1639
1640         * stress/inserted-recovery-with-set-last-index.js: Added.
1641         (shouldBe):
1642         (foo):
1643         * stress/materialize-regexp-at-osr-exit.js: Added.
1644         (shouldBe):
1645         (test):
1646         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1647         (shouldBe):
1648         (test):
1649         * stress/materialize-regexp-cyclic-regexp.js: Added.
1650         (shouldBe):
1651         (test):
1652         (i.switch):
1653         * stress/materialize-regexp-cyclic.js: Added.
1654         (shouldBe):
1655         (test):
1656         (i.switch):
1657         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1658         (bar):
1659         (foo):
1660         (test):
1661         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1662         (bar):
1663         (foo):
1664         (test):
1665         * stress/materialize-regexp.js: Added.
1666         (shouldBe):
1667         (test):
1668         * stress/phantom-regexp-regexp-exec.js: Added.
1669         (shouldBe):
1670         (test):
1671         * stress/phantom-regexp-string-match.js: Added.
1672         (shouldBe):
1673         (test):
1674         * stress/regexp-last-index-sinking.js: Added.
1675         (shouldBe):
1676         (test):
1677
1678 2018-01-17  Saam Barati  <sbarati@apple.com>
1679
1680         Disable Atomics when SharedArrayBuffer isn’t enabled
1681         https://bugs.webkit.org/show_bug.cgi?id=181572
1682         <rdar://problem/36553206>
1683
1684         Reviewed by Michael Saboff.
1685
1686         * stress/isLockFree.js:
1687
1688 2018-01-17  Saam Barati  <sbarati@apple.com>
1689
1690         DFG::Node::convertToConstant needs to clear the varargs flags
1691         https://bugs.webkit.org/show_bug.cgi?id=181697
1692         <rdar://problem/36497332>
1693
1694         Reviewed by Yusuke Suzuki.
1695
1696         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1697         (doIndexOf):
1698         (bar):
1699         (i.bar):
1700
1701 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1702
1703         Unreviewed, rolling out r226937.
1704
1705         Tests added with this change are failing due to a missing
1706         exception check.
1707
1708         Reverted changeset:
1709
1710         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1711         double to int32_t"
1712         https://bugs.webkit.org/show_bug.cgi?id=181182
1713         https://trac.webkit.org/changeset/226937
1714
1715 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1716
1717         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1718         https://bugs.webkit.org/show_bug.cgi?id=181182
1719
1720         Reviewed by Darin Adler.
1721
1722         * bigIntTests.yaml:
1723         * stress/big-int-constructor.js:
1724         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1725         (assert):
1726         (assertThrowRangeError):
1727         * stress/number-prototype-to-string-cast-overflow.js: Added.
1728         (assert):
1729         (assertThrowRangeError):
1730
1731 2018-01-12  Saam Barati  <sbarati@apple.com>
1732
1733         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1734         https://bugs.webkit.org/show_bug.cgi?id=181177
1735         <rdar://problem/36205704>
1736
1737         Reviewed by Yusuke Suzuki.
1738
1739         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1740         (runNearStackLimit.t):
1741         (runNearStackLimit):
1742         (test.f):
1743         (test):
1744
1745 2018-01-12  Saam Barati  <sbarati@apple.com>
1746
1747         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1748         https://bugs.webkit.org/show_bug.cgi?id=181562
1749         <rdar://problem/36445624>
1750
1751         Reviewed by Yusuke Suzuki.
1752
1753         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1754         (f):
1755         (foo):
1756
1757 2018-01-11  Saam Barati  <sbarati@apple.com>
1758
1759         When inserting Unreachable in byte code parser we need to flush all the right things
1760         https://bugs.webkit.org/show_bug.cgi?id=181509
1761         <rdar://problem/36423110>
1762
1763         Reviewed by Mark Lam.
1764
1765         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1766
1767 2018-01-11  Saam Barati  <sbarati@apple.com>
1768
1769         JITMathIC code in the FTL is wrong when code gets duplicated
1770         https://bugs.webkit.org/show_bug.cgi?id=181525
1771         <rdar://problem/36351993>
1772
1773         Reviewed by Michael Saboff and Keith Miller.
1774
1775         * stress/allow-math-ic-b3-code-duplication.js: Added.
1776
1777 2018-01-11  Saam Barati  <sbarati@apple.com>
1778
1779         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1780         https://bugs.webkit.org/show_bug.cgi?id=181508
1781
1782         Reviewed by Yusuke Suzuki.
1783
1784         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1785         (assert):
1786         (test1.foo):
1787         (test1):
1788         (test2.foo):
1789         (test2):
1790
1791 2018-01-09  Mark Lam  <mark.lam@apple.com>
1792
1793         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1794         https://bugs.webkit.org/show_bug.cgi?id=181388
1795         <rdar://problem/36349351>
1796
1797         Reviewed by Saam Barati.
1798
1799         * stress/regress-181388.js: Added.
1800
1801 2018-01-08  JF Bastien  <jfbastien@apple.com>
1802
1803         WebAssembly: mask indexed accesses to Table
1804         https://bugs.webkit.org/show_bug.cgi?id=181412
1805         <rdar://problem/36363236>
1806
1807         Reviewed by Saam Barati.
1808
1809         Update error messages.
1810
1811         * wasm/js-api/table.js:
1812         (assert.throws.WebAssembly.Table.prototype.grow):
1813
1814 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1815
1816         Disable SharedArrayBuffer tests missed in r226386.
1817         https://bugs.webkit.org/show_bug.cgi?id=181266
1818
1819         Unreviewed test gardening.
1820
1821         * test262.yaml:
1822
1823 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1824
1825         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1826         https://bugs.webkit.org/show_bug.cgi?id=181321
1827
1828         Reviewed by Saam Barati.
1829
1830         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1831         (shouldBe):
1832         (testFunction):
1833         * test262.yaml:
1834
1835 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1836
1837         Unreviewed, attempt to fix test262 after r226386.
1838
1839         * test262.yaml:
1840
1841 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1842
1843         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1844         https://bugs.webkit.org/show_bug.cgi?id=179911
1845
1846         Reviewed by Saam Barati.
1847
1848         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1849
1850         * stress/map-set-change-get.js: Added.
1851         (shouldBe):
1852         (test):
1853         * stress/map-set-create-bucket.js: Added.
1854         (shouldBe):
1855         (test):
1856         * stress/set-add-create-bucket.js: Added.
1857         (shouldBe):
1858
1859 2018-01-03  Michael Saboff  <msaboff@apple.com>
1860
1861         Disable SharedArrayBuffers from Web API
1862         https://bugs.webkit.org/show_bug.cgi?id=181266
1863
1864         Reviewed by Saam Barati.
1865
1866         Disabled SharedArrayBuffer tests.
1867
1868         * stress/SharedArrayBuffer-opt.js:
1869         * stress/SharedArrayBuffer.js:
1870         * stress/array-buffer-byte-length.js:
1871         * stress/atomics-add-uint32.js:
1872         * stress/atomics-known-int-use.js:
1873         * stress/atomics-neg-zero.js:
1874         * stress/atomics-store-return.js:
1875         * stress/lars-sab-workers.js:
1876         * stress/regress-159779-1.js:
1877         * stress/regress-159779-2.js:
1878         * stress/regress-170473.js:
1879         * test262.yaml:
1880
1881 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1882
1883         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1884         https://bugs.webkit.org/show_bug.cgi?id=181258
1885
1886         Reviewed by Antonio Gomes.
1887
1888         * stress/big-int-constructor-gc.js:
1889         * stress/big-int-constructor-oom.js:
1890
1891 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1892
1893         Inlining of a function that ends in op_unreachable crashes
1894         https://bugs.webkit.org/show_bug.cgi?id=181027
1895
1896         Reviewed by Filip Pizlo.
1897
1898         * stress/inlining-unreachable.js: Added.
1899         (bar):
1900         (baz):
1901         (i.catch):
1902
1903 2018-01-02  Saam Barati  <sbarati@apple.com>
1904
1905         Incorrect assertion inside AccessCase
1906         https://bugs.webkit.org/show_bug.cgi?id=181200
1907         <rdar://problem/35494754>
1908
1909         Reviewed by Yusuke Suzuki.
1910
1911         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1912         (ctor):
1913         (theFunc):
1914         (run):
1915
1916 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1917
1918         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1919         https://bugs.webkit.org/show_bug.cgi?id=175359
1920
1921         Reviewed by Yusuke Suzuki.
1922
1923         * bigIntTests.yaml:
1924         * stress/big-int-as-key.js: Added.
1925         * stress/big-int-constructor-gc.js: Added.
1926         * stress/big-int-constructor-oom.js: Added.
1927         * stress/big-int-constructor-properties.js: Added.
1928         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1929         * stress/big-int-constructor-prototype.js: Added.
1930         * stress/big-int-constructor.js: Added.
1931         * stress/big-int-function-apply.js:
1932         * stress/big-int-length.js: Added.
1933         * stress/big-int-prop-descriptor.js: Added.
1934         * stress/big-int-proto-constructor.js: Added.
1935         * stress/big-int-proto-name.js: Added.
1936         * stress/big-int-prototype-properties.js: Added.
1937         * stress/big-int-prototype-proto.js: Added.
1938         * stress/big-int-prototype-value-of.js: Added.
1939         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1940         * stress/big-int-prototype-to-string-apply.js: Added.
1941         * stress/big-int-to-object.js: Added.
1942         * stress/big-int-to-string.js: Added.
1943
1944 2017-12-28  Saam Barati  <sbarati@apple.com>
1945
1946         Assertion used to determine if something is an async generator is wrong
1947         https://bugs.webkit.org/show_bug.cgi?id=181168
1948         <rdar://problem/35640560>
1949
1950         Reviewed by Yusuke Suzuki.
1951
1952         * stress/async-generator-assertion.js: Added.
1953
1954 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1955
1956         Skip stress/splay-flash-access tests on memory limited platforms
1957         https://bugs.webkit.org/show_bug.cgi?id=181086
1958
1959         Reviewed by Carlos Alberto Lopez Perez.
1960
1961         These tests use about 185M of memory, and occasionally get OOM-killed
1962         on memory limited platforms.
1963
1964         * stress/splay-flash-access-1ms.js:
1965         * stress/splay-flash-access.js:
1966
1967 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1968
1969         Skip slow jsc tests on embedded platforms
1970         https://bugs.webkit.org/show_bug.cgi?id=180937
1971
1972         Reviewed by Carlos Alberto Lopez Perez.
1973
1974         The tests typeProfiler/deltablue-for-of.js and
1975         typeProfiler/getter-richards.js take a very long time in the
1976         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
1977         thus always time out. They should be skipped on these platforms.
1978
1979         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1980         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1981
1982 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1983
1984         [JSC] Do not check isValid() in op_new_regexp
1985         https://bugs.webkit.org/show_bug.cgi?id=180970
1986
1987         Reviewed by Saam Barati.
1988
1989         * stress/regexp-syntax-error-invalid-flags.js: Added.
1990         (shouldThrow):
1991
1992 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1993
1994         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1995         https://bugs.webkit.org/show_bug.cgi?id=180712
1996
1997         Reviewed by Michael Catanzaro.
1998
1999         stress/call-apply-exponential-bytecode-size.js crashes if the
2000         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2001         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2002         should skip the test on other platforms.
2003
2004         * stress/call-apply-exponential-bytecode-size.js:
2005
2006 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2007
2008         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2009         https://bugs.webkit.org/show_bug.cgi?id=179762
2010
2011         Reviewed by Saam Barati.
2012
2013         * stress/call-varargs-double-new-array-buffer.js: Added.
2014         (assert):
2015         (bar):
2016         (foo):
2017         * stress/call-varargs-spread-new-array-buffer.js: Added.
2018         (assert):
2019         (bar):
2020         (foo):
2021         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2022         (assert):
2023         (bar):
2024         (foo):
2025         * stress/forward-varargs-double-new-array-buffer.js: Added.
2026         (assert):
2027         (test.baz):
2028         (test.bar):
2029         (test.foo):
2030         (test):
2031         * stress/new-array-buffer-sinking-osrexit.js: Added.
2032         (target):
2033         (test):
2034         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2035         (shouldBe):
2036         (test):
2037         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2038         (shouldBe):
2039         (target):
2040         (test):
2041         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2042         (assert):
2043         (test1.bar):
2044         (test1.foo):
2045         (test1):
2046         (test2.bar):
2047         (test2.foo):
2048         (test3.baz):
2049         (test3.bar):
2050         (test3.foo):
2051         (test4.baz):
2052         (test4.bar):
2053         (test4.foo):
2054         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2055         (assert):
2056         (test.baz):
2057         (test.bar):
2058         (test.foo):
2059         (test):
2060         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2061         (assert):
2062         (baz):
2063         (bar):
2064         (effects):
2065         (foo):
2066
2067 2017-12-14  Saam Barati  <sbarati@apple.com>
2068
2069         The CleanUp after LICM is erroneously removing a Check
2070         https://bugs.webkit.org/show_bug.cgi?id=180852
2071         <rdar://problem/36063494>
2072
2073         Reviewed by Filip Pizlo.
2074
2075         * stress/dont-run-cleanup-after-licm.js: Added.
2076
2077 2017-12-14  Michael Saboff  <msaboff@apple.com>
2078
2079         REGRESSION (r225695): Repro crash on yahoo login page
2080         https://bugs.webkit.org/show_bug.cgi?id=180761
2081
2082         Reviewed by JF Bastien.
2083
2084         New regression test.
2085
2086         * stress/regress-180761.js: Added.
2087
2088 2017-12-13  Keith Miller  <keith_miller@apple.com>
2089
2090         JSObjects should have a mask for loading indexed properties
2091         https://bugs.webkit.org/show_bug.cgi?id=180768
2092
2093         Reviewed by Mark Lam.
2094
2095         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2096         (test):
2097
2098 2017-12-13  Saam Barati  <sbarati@apple.com>
2099
2100         Arrow functions need their own structure because they have different properties than sloppy functions
2101         https://bugs.webkit.org/show_bug.cgi?id=180779
2102         <rdar://problem/35814591>
2103
2104         Reviewed by Mark Lam.
2105
2106         * stress/arrow-function-needs-its-own-structure.js: Added.
2107         (assert):
2108         (readPrototype):
2109         (noInline.let.f1):
2110         (noInline):
2111
2112 2017-12-13  Saam Barati  <sbarati@apple.com>
2113
2114         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2115         https://bugs.webkit.org/show_bug.cgi?id=163579
2116         <rdar://problem/35455798>
2117
2118         Reviewed by Mark Lam.
2119
2120         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2121         (assert):
2122         (test1):
2123         (i.test1):
2124         (i.test1.C):
2125         (i.test1.async.foo):
2126         (i.test1.foo):
2127         (test2):
2128
2129 2017-12-13  Saam Barati  <sbarati@apple.com>
2130
2131         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2132         https://bugs.webkit.org/show_bug.cgi?id=180734
2133         <rdar://problem/35640547>
2134
2135         Reviewed by Yusuke Suzuki.
2136
2137         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2138         (__isPropertyOfType):
2139         (__getProperties):
2140         (__getObjects):
2141         (__getRandomObject):
2142         (theClass.):
2143         (theClass):
2144         (childClass):
2145         (counter.catch):
2146
2147 2017-12-12  Saam Barati  <sbarati@apple.com>
2148
2149         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2150         https://bugs.webkit.org/show_bug.cgi?id=180725
2151         <rdar://problem/35970511>
2152
2153         Reviewed by Michael Saboff.
2154
2155         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2156         (f1):
2157         (f2):
2158         (let.o2.valueOf):
2159
2160 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2161
2162         [JSC] Implement optimized WeakMap and WeakSet
2163         https://bugs.webkit.org/show_bug.cgi?id=179929
2164
2165         Reviewed by Saam Barati.
2166
2167         * microbenchmarks/weak-map-key.js:
2168         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2169         (assert):
2170         (objectKey):
2171         (let.start.Date.now):
2172         * stress/basic-weakmap.js: Added.
2173         (shouldBe):
2174         (test):
2175         * stress/basic-weakset.js: Added.
2176         (shouldBe):
2177         (test.set new):
2178         * stress/weakmap-cse-set-break.js: Added.
2179         (shouldBe):
2180         (test):
2181         * stress/weakmap-cse.js: Added.
2182         (shouldBe):
2183         (test):
2184         * stress/weakmap-gc.js: Added.
2185         (test):
2186         * stress/weakset-cse-add-break.js: Added.
2187         (shouldBe):
2188         (test.set new):
2189         * stress/weakset-cse.js: Added.
2190         (shouldBe):
2191         (test.set new):
2192         * stress/weakset-gc.js: Added.
2193         (test.set add):
2194         (test.set new):
2195         (test):
2196
2197 2017-12-12  Saam Barati  <sbarati@apple.com>
2198
2199         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2200         https://bugs.webkit.org/show_bug.cgi?id=180723
2201         <rdar://problem/35859726>
2202
2203         Reviewed by JF Bastien.
2204
2205         * stress/get-my-argument-by-val-constant-folding.js: Added.
2206         (test):
2207         (catch):
2208
2209 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2210
2211         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2212         https://bugs.webkit.org/show_bug.cgi?id=179000
2213
2214         Reviewed by Darin Adler and Yusuke Suzuki.
2215
2216         * bigIntTests.yaml: Added.
2217         * stress/big-int-literal-line-terminator.js: Added.
2218         * stress/big-int-literals.js: Added.
2219         * stress/big-int-operations-error.js: Added.
2220         * stress/big-int-type-of.js: Added.
2221         * stress/big-int-white-space-trailing-leading.js: Added.
2222         * stress/big-int-function-apply.js: Added.
2223
2224 2017-12-11  Saam Barati  <sbarati@apple.com>
2225
2226         We need to disableCaching() in ErrorInstance when we materialize properties
2227         https://bugs.webkit.org/show_bug.cgi?id=180343
2228         <rdar://problem/35833002>
2229
2230         Reviewed by Mark Lam.
2231
2232         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2233         (assert):
2234         (makeError):
2235         (storeToStack):
2236         (storeToStackAlreadyMaterialized):
2237
2238 2017-12-05  JF Bastien  <jfbastien@apple.com>
2239
2240         WebAssembly: don't eagerly checksum
2241         https://bugs.webkit.org/show_bug.cgi?id=180441
2242         <rdar://problem/35156628>
2243
2244         Reviewed by Saam Barati.
2245
2246         Checksum is now disabled, so tests only have <?> as the module
2247         name.
2248
2249         * wasm/function-tests/nameSection.js:
2250         * wasm/function-tests/stack-overflow.js:
2251         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2252         (assertOverflows.assertThrows):
2253         (assertOverflows):
2254         * wasm/function-tests/stack-trace.js:
2255
2256 2017-12-04  JF Bastien  <jfbastien@apple.com>
2257
2258         Proxy all functions, except the $ objects
2259         https://bugs.webkit.org/show_bug.cgi?id=180375
2260
2261         Reviewed by Saam Barati.
2262
2263         It looks like this test may have broken some executions because I
2264         call some internal objects. Explicitly ignore objects whose name
2265         starts with "$" because it's a bad idea anyways.
2266
2267         * stress/proxy-all-the-parameters.js:
2268         (generateObjects):
2269         (get throw):
2270
2271 2017-12-04  Saam Barati  <sbarati@apple.com>
2272
2273         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2274         https://bugs.webkit.org/show_bug.cgi?id=180366
2275         <rdar://problem/35685877>
2276
2277         Reviewed by Michael Saboff.
2278
2279         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2280         (theParent):
2281         (test1.base.getParentStaticValue):
2282         (test1.base):
2283         (test1.__v_24888.prototype.set prop):
2284         (test1.__v_24888):
2285         (test2.base.getParentStaticValue):
2286         (test2.base):
2287         (test2.__v_24888.prototype.set prop):
2288         (test2.__v_24888):
2289         (test2):
2290
2291 2017-12-01  JF Bastien  <jfbastien@apple.com>
2292
2293         Try proxying all function arguments
2294         https://bugs.webkit.org/show_bug.cgi?id=180306
2295
2296         Reviewed by Saam Barati.
2297
2298         * stress/proxy-all-the-parameters.js: Added.
2299         (isPropertyOfType):
2300         (getProperties):
2301         (generateObjects):
2302         (getObjects):
2303         (getFunctions):
2304         (get throw):
2305         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2306
2307 2017-12-01  JF Bastien  <jfbastien@apple.com>
2308
2309         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2310         https://bugs.webkit.org/show_bug.cgi?id=180297
2311         <rdar://problem/35745556>
2312
2313         Reviewed by Mark Lam.
2314
2315         * stress/math-exceptions.js: Added.
2316         (get try):
2317         (catch):
2318
2319 2017-12-01  JF Bastien  <jfbastien@apple.com>
2320
2321         JavaScriptCore: add test for weird class static getters
2322         https://bugs.webkit.org/show_bug.cgi?id=180281
2323         <rdar://problem/35592139>
2324
2325         Reviewed by Mark Lam.
2326
2327         I fixed a bug for it in r224927 and didn't add a test. Do so.
2328
2329         * stress/class-static-get-weird.js: Added.
2330         (c.prototype.get name):
2331         (c):
2332         (c.prototype.get arguments):
2333         (c.prototype.get caller):
2334         (c.prototype.get length):
2335
2336 2017-12-01  Saam Barati  <sbarati@apple.com>
2337
2338         Having a bad time needs to handle ArrayClass indexing type as well
2339         https://bugs.webkit.org/show_bug.cgi?id=180274
2340         <rdar://problem/35667869>
2341
2342         Reviewed by Keith Miller and Mark Lam.
2343
2344         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2345         (assert):
2346         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2347         (assert):
2348
2349 2017-12-01  JF Bastien  <jfbastien@apple.com>
2350
2351         WebAssembly: restore cached stack limit after out-call
2352         https://bugs.webkit.org/show_bug.cgi?id=179106
2353         <rdar://problem/35337525>
2354
2355         Reviewed by Saam Barati.
2356
2357         * wasm/function-tests/double-instance.js: Added.
2358         (const.imp.boom):
2359         (const.imp.get callAnother):
2360
2361 2017-11-30  JF Bastien  <jfbastien@apple.com>
2362
2363         WebAssembly: improve stack trace
2364         https://bugs.webkit.org/show_bug.cgi?id=179343
2365
2366         Reviewed by Saam Barati.
2367
2368         Update the tests to follow the new format. Notably, SHA1 module
2369         hash is now included in traces, and stubs are properly identified.
2370
2371         * wasm/assert.js: Add an assertion which matches regular expressions.
2372         * wasm/function-tests/nameSection.js:
2373         * wasm/function-tests/stack-overflow.js:
2374         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2375         (assertOverflows.assertThrows.wasm.1):
2376         (assertOverflows.assertThrows.wasm.0):
2377         (assertOverflows.assertThrows):
2378         (assertOverflows):
2379         * wasm/function-tests/stack-trace.js:
2380         (import.Builder.from.string_appeared_here.assert): Deleted.
2381         * wasm/function-tests/trap-after-cross-instance-call.js:
2382         (wasmFrameCountFromError):
2383         * wasm/function-tests/trap-load-2.js:
2384         (wasmFrameCountFromError):
2385         * wasm/function-tests/trap-load.js:
2386         (wasmFrameCountFromError):
2387
2388 2017-11-30  Mark Lam  <mark.lam@apple.com>
2389
2390         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2391         https://bugs.webkit.org/show_bug.cgi?id=180219
2392         <rdar://problem/35696536>
2393
2394         Reviewed by Filip Pizlo.
2395
2396         * stress/regress-180219.js: Added.
2397
2398 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2399
2400         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2401         https://bugs.webkit.org/show_bug.cgi?id=180190
2402
2403         Reviewed by Mark Lam.
2404
2405         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2406         (shouldBe):
2407         (test1):
2408         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2409         (shouldBe):
2410         (test1):
2411         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2412         (shouldBe):
2413         (test1):
2414         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2415         (shouldBe):
2416         (test1):
2417         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2418         (shouldBe):
2419         (test1):
2420         * stress/operation-in-may-have-negative-int32.js: Added.
2421         (shouldBe):
2422         (test2):
2423         * stress/operation-in-negative-int32-cast.js: Added.
2424         (shouldBe):
2425         (test1):
2426
2427 2017-11-28  JF Bastien  <jfbastien@apple.com>
2428
2429         Strict and sloppy functions shouldn't share structure
2430         https://bugs.webkit.org/show_bug.cgi?id=180103
2431         <rdar://problem/35667847>
2432
2433         Reviewed by Saam Barati.
2434
2435         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2436         because the IC was wrong.
2437         (foo):
2438         (bar):
2439         (baz):
2440         (catch):
2441         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2442         in this patch, but may as well test odd strict mode corner cases.
2443         (bar):
2444         (baz):
2445         (catch):
2446         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2447         (foo):
2448         (bar):
2449         (baz):
2450         (catch):
2451         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2452         next file, but with invalidation of the FunctionExecutable's
2453         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2454         slower path.
2455         (foo):
2456         (bar.const.x):
2457         (bar.const.y):
2458         (bar):
2459         (catch):
2460         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2461         strict nesting works correctly.
2462         (foo):
2463         (bar.baz):
2464         (bar):
2465         * stress/strict-function-structure.js: Added. The test used to
2466         assert in objectProtoFuncHasOwnProperty.
2467         (foo):
2468         (bar):
2469         (baz):
2470         * stress/strict-nested-function-structure.js: Added. Nesting.
2471         (foo):
2472         (bar):
2473         (baz.boo):
2474         (baz):
2475
2476 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2477
2478         The recursive tail call optimisation is wrong on closures
2479         https://bugs.webkit.org/show_bug.cgi?id=179835
2480
2481         Reviewed by Saam Barati.
2482
2483         * stress/closure-recursive-tail-call.js: Added.
2484         (makeClosure):
2485
2486 2017-11-27  JF Bastien  <jfbastien@apple.com>
2487
2488         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2489         https://bugs.webkit.org/show_bug.cgi?id=180051
2490         <rdar://problem/35614371>
2491
2492         Reviewed by Saam Barati.
2493
2494         * stress/rest-parameter-negative.js: Added.
2495         (__f_5484):
2496         (catch):
2497         (__f_5485):
2498         (__v_22598.catch):
2499
2500 2017-11-27  Saam Barati  <sbarati@apple.com>
2501
2502         Spread can escape when CreateRest does not
2503         https://bugs.webkit.org/show_bug.cgi?id=180057
2504         <rdar://problem/35676119>
2505
2506         Reviewed by JF Bastien.
2507
2508         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2509         (assert):
2510         (getProperties):
2511         (theFunc):
2512         (let.obj.valueOf):
2513
2514 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2515
2516         [DFG] Add NormalizeMapKey DFG IR
2517         https://bugs.webkit.org/show_bug.cgi?id=179912
2518
2519         Reviewed by Saam Barati.
2520
2521         * stress/map-untyped-normalize-cse.js: Added.
2522         (shouldBe):
2523         (test):
2524         * stress/map-untyped-normalize.js: Added.
2525         (shouldBe):
2526         (test):
2527         * stress/set-untyped-normalize-cse.js: Added.
2528         (shouldBe):
2529         (set return.set has.set has):
2530         * stress/set-untyped-normalize.js: Added.
2531         (shouldBe):
2532         (set return.set has):
2533
2534 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2535
2536         [FTL] Support DeleteById and DeleteByVal
2537         https://bugs.webkit.org/show_bug.cgi?id=180022
2538
2539         Reviewed by Saam Barati.
2540
2541         * stress/delete-by-id.js: Added.
2542         (shouldBe):
2543         (test1):
2544         (test2):
2545         * stress/delete-by-val-ftl.js: Added.
2546         (shouldBe):
2547         (test1):
2548         (test2):
2549
2550 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2551
2552         [DFG] Introduce {Set,Map,WeakMap}Fields
2553         https://bugs.webkit.org/show_bug.cgi?id=179925
2554
2555         Reviewed by Saam Barati.
2556
2557         * stress/map-set-clobber-map-get.js: Added.
2558         (shouldBe):
2559         (test):
2560         * stress/map-set-does-not-clobber-set-has.js: Added.
2561         (shouldBe):
2562         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2563         (shouldBe):
2564         (test):
2565         * stress/set-add-clobber-set-has.js: Added.
2566         (shouldBe):
2567         * stress/set-add-does-not-clobber-map-get.js: Added.
2568         (shouldBe):
2569
2570 2017-11-24  Mark Lam  <mark.lam@apple.com>
2571
2572         Move unsafe jsc shell test functions to the $vm object.
2573         https://bugs.webkit.org/show_bug.cgi?id=179980
2574
2575         Reviewed by Yusuke Suzuki.
2576
2577         * controlFlowProfiler/driver/driver.js:
2578         * controlFlowProfiler/execution-count.js:
2579         * controlFlowProfiler/if-statement.js:
2580         * controlFlowProfiler/loop-statements.js:
2581         * controlFlowProfiler/switch-statements.js:
2582         * controlFlowProfiler/test-jit.js:
2583         * exceptionFuzz/3d-cube.js:
2584         * exceptionFuzz/date-format-xparb.js:
2585         * exceptionFuzz/earley-boyer.js:
2586         * heapProfiler/basic-edges.js:
2587         * heapProfiler/property-edge-types.js:
2588         * microbenchmarks/try-get-by-id-basic.js:
2589         * microbenchmarks/try-get-by-id-polymorphic.js:
2590         * modules/namespace-object-try-get.js:
2591         * stress/argument-count-bytecode.js:
2592         * stress/argument-intrinsic-basic.js:
2593         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2594         * stress/argument-intrinsic-inlining-with-result-escape.js:
2595         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2596         * stress/argument-intrinsic-inlining-with-vararg.js:
2597         * stress/argument-intrinsic-nested-inlining.js:
2598         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2599         * stress/argument-intrinsic-with-stack-write.js:
2600         * stress/arity-mismatch-get-argument.js:
2601         * stress/array-message-passing.js:
2602         * stress/array-push-with-force-exit.js:
2603         * stress/check-dom-with-signature.js:
2604         * stress/check-sub-class.js:
2605         * stress/compare-eq-incomplete-profile.js:
2606         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2607         * stress/do-eval-virtual-call-correctly.js:
2608         * stress/dom-jit-with-poly-proto.js:
2609         * stress/domjit-exception-ic.js:
2610         * stress/domjit-exception.js:
2611         * stress/domjit-getter-complex-with-incorrect-object.js:
2612         * stress/domjit-getter-complex.js:
2613         * stress/domjit-getter-poly.js:
2614         * stress/domjit-getter-proto.js:
2615         * stress/domjit-getter-super-poly.js:
2616         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2617         * stress/domjit-getter-type-check.js:
2618         * stress/domjit-getter.js:
2619         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2620         * stress/for-in-proxy-target-changed-structure.js:
2621         * stress/for-in-proxy.js:
2622         * stress/generational-opaque-roots.js:
2623         * stress/global-const-redeclaration-setting-2.js:
2624         * stress/global-const-redeclaration-setting-3.js:
2625         * stress/global-const-redeclaration-setting-4.js:
2626         * stress/global-const-redeclaration-setting-5.js:
2627         * stress/global-const-redeclaration-setting.js:
2628         * stress/import-basic.js:
2629         * stress/import-from-eval.js:
2630         * stress/import-reject-with-exception.js:
2631         * stress/import-syntax.js:
2632         * stress/impure-get-own-property-slot-inline-cache.js:
2633         * stress/is-constructor.js:
2634         * stress/istypedarrayview-intrinsic.js:
2635         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2636         * stress/jsc-test-functions-should-be-more-robust.js:
2637         * stress/object-toString-with-proxy.js:
2638         * stress/poly-proto-custom-value-and-accessor.js:
2639         * stress/proxy-inline-cache.js:
2640         * stress/re-execute-error-module.js:
2641         * stress/regress-150532.js:
2642         * stress/regress-156992.js:
2643         * stress/regress-179619.js:
2644         * stress/resources/shadow-chicken-support.js:
2645         * stress/runtime-array.js:
2646         * stress/sampling-profiler-microtasks.js:
2647         * stress/shadow-chicken-enabled.js:
2648         * stress/spread-correct-global-object-on-exception.js:
2649         * stress/super-get-by-id.js:
2650         * stress/tailCallForwardArguments.js:
2651         * stress/to-object-intrinsic-boolean-edge.js:
2652         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2653         * stress/to-object-intrinsic-number-edge.js:
2654         * stress/to-object-intrinsic-object-edge.js:
2655         * stress/to-object-intrinsic-string-edge.js:
2656         * stress/to-object-intrinsic-symbol-edge.js:
2657         * stress/to-object-intrinsic.js:
2658         * stress/try-catch-custom-getter-as-get-by-id.js:
2659         * stress/try-get-by-id-poly-proto.js:
2660         * stress/try-get-by-id-should-spill-registers-dfg.js:
2661         * stress/try-get-by-id.js:
2662         * typeProfiler/arrow-functions.js:
2663         * typeProfiler/basic.js:
2664         * typeProfiler/captured.js:
2665         * typeProfiler/classes.js:
2666         * typeProfiler/dfg-jit-optimizations.js:
2667         * typeProfiler/dictionary-mode.js:
2668         * typeProfiler/es6-block-scoping.js:
2669         * typeProfiler/es6-classes.js:
2670         * typeProfiler/inheritance.js:
2671         * typeProfiler/int52-dfg.js:
2672         * typeProfiler/loop.js:
2673         * typeProfiler/optional-fields.js:
2674         * typeProfiler/overflow.js:
2675         * typeProfiler/return.js:
2676         * typeProfiler/symbol.js:
2677         * typeProfiler/weird-prototype-chain.js:
2678
2679 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2680
2681         [DFG][FTL] Support MapSet / SetAdd intrinsics
2682         https://bugs.webkit.org/show_bug.cgi?id=179858
2683
2684         Reviewed by Saam Barati.
2685
2686         * microbenchmarks/map-has-and-set.js: Added.
2687         (test):
2688         * stress/map-set-check-failure.js: Added.
2689         (shouldBe):
2690         (shouldThrow):
2691         (target):
2692         * stress/map-set-cse.js: Added.
2693         (shouldBe):
2694         (test):
2695         * stress/set-add-check-failure.js: Added.
2696         (shouldBe):
2697         (shouldThrow):
2698         (set shouldThrow):
2699         * stress/set-add-cse.js: Added.
2700         (shouldBe):
2701
2702 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2703
2704         [JSC] Allow poly proto for intrinsic getters
2705         https://bugs.webkit.org/show_bug.cgi?id=179550
2706
2707         Reviewed by Saam Barati.
2708
2709         This change is also tested by existing tests.
2710
2711             1. stress/intrinsic-getter-with-poly-proto.js
2712             2. stress/poly-proto-intrinsic-getter-correctness.js
2713
2714         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2715         (shouldBe):
2716         (makePolyProtoObject.foo.C):
2717         (makePolyProtoObject.foo):
2718         (makePolyProtoObject):
2719         (target):
2720         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2721         (shouldBe):
2722         (makePolyProtoObject.foo.C):
2723         (makePolyProtoObject.foo):
2724         (makePolyProtoObject):
2725         (target):
2726
2727 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2728
2729         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2730         https://bugs.webkit.org/show_bug.cgi?id=179744
2731
2732         Reviewed by Michael Catanzaro.
2733
2734         This test uses too much memory for our buildbots on these platforms
2735         and gets OOM-killed.
2736
2737         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2738         Skip if $memoryLimited and linux.
2739
2740 2017-11-17  JF Bastien  <jfbastien@apple.com>
2741
2742         WebAssembly JS API: throw when a promise can't be created
2743         https://bugs.webkit.org/show_bug.cgi?id=179826
2744         <rdar://problem/35455813>
2745
2746         Reviewed by Mark Lam.
2747
2748         Test WebAssembly.{compile,instantiate} where promise creation
2749         fails because of a stack overflow.
2750
2751         * wasm/js-api/promise-stack-overflow.js: Added.
2752         (const.runNearStackLimit.f.const.t):
2753         (async.testCompile):
2754         (async.testInstantiate):
2755
2756 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2757
2758         Unreviewed, mark regress-178385.js as memory exhausting
2759
2760         * stress/regress-178385.js:
2761
2762 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2763
2764         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2765
2766         Unreviewed test gardening.
2767
2768         * test262.yaml:
2769
2770 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2771
2772         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2773         https://bugs.webkit.org/show_bug.cgi?id=179763
2774         <rdar://problem/35550513>
2775
2776         Reviewed by Keith Miller.
2777
2778         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2779
2780         * stress/tdz-this-in-try-catch.js: Added.
2781         (__v_6388):
2782         (__v_6392):
2783
2784 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2785
2786         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2787         https://bugs.webkit.org/show_bug.cgi?id=179594
2788
2789         Reviewed by Saam Barati.
2790
2791         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2792         (shouldBe):
2793         (args):
2794         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2795         (shouldBe):
2796         (args):
2797
2798 2017-11-14  Saam Barati  <sbarati@apple.com>
2799
2800         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2801         https://bugs.webkit.org/show_bug.cgi?id=179639
2802         <rdar://problem/35513018>
2803
2804         Reviewed by JF Bastien.
2805
2806         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2807         (escape):
2808         (i.func):
2809
2810 2017-11-13  Mark Lam  <mark.lam@apple.com>
2811
2812         Add more overflow check book-keeping for MarkedArgumentBuffer.
2813         https://bugs.webkit.org/show_bug.cgi?id=179634
2814         <rdar://problem/35492517>
2815
2816         Reviewed by Saam Barati.
2817
2818         * stress/regress-179634.js: Added.
2819
2820 2017-11-13  Mark Lam  <mark.lam@apple.com>
2821
2822         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2823         https://bugs.webkit.org/show_bug.cgi?id=179619
2824         <rdar://problem/35492518>
2825
2826         Reviewed by Saam Barati.
2827
2828         * stress/regress-179619.js: Added.
2829
2830 2017-11-12  Mark Lam  <mark.lam@apple.com>
2831
2832         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2833         https://bugs.webkit.org/show_bug.cgi?id=179562
2834         <rdar://problem/35467022>
2835
2836         Reviewed by Saam Barati.
2837
2838         * regress-179562.js: Added.
2839
2840 2017-11-08  Saam Barati  <sbarati@apple.com>
2841
2842         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2843         https://bugs.webkit.org/show_bug.cgi?id=177792
2844
2845         Reviewed by Yusuke Suzuki.
2846
2847         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2848         (assert):
2849         (foo.Foo.prototype.ensureX):
2850         (foo.Foo):
2851         (foo):
2852         (access):
2853
2854 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2855
2856         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2857         https://bugs.webkit.org/show_bug.cgi?id=178592
2858
2859         Unreviewed test gardening.
2860
2861         * test262.yaml:
2862
2863 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2864
2865         Turn recursive tail calls into loops
2866         https://bugs.webkit.org/show_bug.cgi?id=176601
2867
2868         Reviewed by Saam Barati.
2869
2870         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2871
2872         Add some simple tests that compute factorial in several ways, and other trivial computations.
2873         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2874         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2875         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2876         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2877
2878         * stress/inline-call-to-recursive-tail-call.js: Added.
2879         (factorial.aux):
2880         (factorial):
2881         (factorial2.aux2):
2882         (factorial2.id):
2883         (factorial2):
2884         (factorial3.aux3):
2885         (factorial3):
2886         (aux4):
2887         (factorial4):
2888         (foo):
2889         (auxBar):
2890         (bar):
2891         (test):
2892
2893 2017-11-07  Mark Lam  <mark.lam@apple.com>
2894
2895         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2896         https://bugs.webkit.org/show_bug.cgi?id=179355
2897         <rdar://problem/35263053>
2898
2899         Reviewed by Saam Barati.
2900
2901         * stress/regress-179355.js: Added.
2902
2903 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2904
2905         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2906         https://bugs.webkit.org/show_bug.cgi?id=144458
2907
2908         Reviewed by Saam Barati.
2909
2910         * microbenchmarks/dfg-internal-function-call.js: Added.
2911         (target):
2912         * microbenchmarks/dfg-internal-function-construct.js: Added.
2913         (target):
2914         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2915         (target):
2916         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2917         (target):
2918         * stress/dfg-internal-function-call.js: Added.
2919         (shouldBe):
2920         (target):
2921         * stress/dfg-internal-function-construct.js: Added.
2922         (shouldBe):
2923         (target):
2924         * stress/internal-function-call.js: Added.
2925         (shouldBe):
2926         * stress/internal-function-construct.js: Added.
2927         (shouldBe):
2928
2929 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2930
2931         [Win] Skip stress/regress-178385.js.
2932         https://bugs.webkit.org/show_bug.cgi?id=179298
2933
2934         Unreviewed test gardening.
2935
2936         * stress/regress-178385.js:
2937
2938 2017-11-03  Keith Miller  <keith_miller@apple.com>
2939
2940         Add test for ic with side effects
2941         https://bugs.webkit.org/show_bug.cgi?id=179268
2942
2943         Reviewed by Saam Barati.
2944
2945         * stress/put-inline-cache-side-effects.js: Added.
2946         (let.i.of.objs.keys):
2947         (f):
2948
2949 2017-11-03  Mark Lam  <mark.lam@apple.com>
2950
2951         CachedCall (and its clients) needs overflow checks.
2952         https://bugs.webkit.org/show_bug.cgi?id=179185
2953
2954         Reviewed by JF Bastien.
2955
2956         * stress/regress-179185.js: Added.
2957
2958 2017-11-02  Michael Saboff  <msaboff@apple.com>
2959
2960         DFG needs to handle code motion of code in for..in loop bodies
2961         https://bugs.webkit.org/show_bug.cgi?id=179212
2962
2963         Reviewed by Keith Miller.
2964
2965         New regression test.
2966
2967         * stress/for-in-side-effects.js: Added.
2968         (getPrototypeOf):
2969         (reset):
2970         (testWithoutFTL.f):
2971         (testWithoutFTL):
2972         (testWithFTL.f):
2973         (testWithFTL):
2974
2975 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2976
2977         AI does not correctly model the clobber case of ArithClz32
2978         https://bugs.webkit.org/show_bug.cgi?id=179188
2979
2980         Reviewed by Michael Saboff.
2981
2982         * stress/arith-clz32-effects.js: Added.
2983         (foo):
2984         (valueOf):
2985
2986 2017-11-01  Michael Saboff  <msaboff@apple.com>
2987
2988         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2989         https://bugs.webkit.org/show_bug.cgi?id=179140
2990
2991         Reviewed by Saam Barati.
2992
2993         New regression test.
2994
2995         * stress/regress-179140.js: Added.
2996         (testWithoutFTL):
2997         (testWithFTL):
2998
2999 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3000
3001         [JSC] Introduce @toObject
3002         https://bugs.webkit.org/show_bug.cgi?id=178726
3003
3004         Reviewed by Saam Barati.
3005
3006         * stress/array-copywithin.js:
3007         (shouldThrow):
3008         * stress/object-constructor-boolean-edge.js: Added.
3009         (shouldBe):
3010         (test):
3011         * stress/object-constructor-global.js: Added.
3012         (shouldBe):
3013         * stress/object-constructor-null-edge.js: Added.
3014         (shouldBe):
3015         (test):
3016         * stress/object-constructor-number-edge.js: Added.
3017         (shouldBe):
3018         (test):
3019         * stress/object-constructor-object-edge.js: Added.
3020         (shouldBe):
3021         (test):
3022         (i.arg):
3023         * stress/object-constructor-string-edge.js: Added.
3024         (shouldBe):
3025         (test):
3026         * stress/object-constructor-symbol-edge.js: Added.
3027         (shouldBe):
3028         (test):
3029         * stress/object-constructor-undefined-edge.js: Added.
3030         (shouldBe):
3031         (test):
3032         * stress/symbol-array-from.js: Added.
3033         (shouldBe):
3034         * stress/to-object-intrinsic-boolean-edge.js: Added.
3035         (shouldBe):
3036         (builtin.createBuiltin):
3037         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3038         (shouldThrow):
3039         * stress/to-object-intrinsic-number-edge.js: Added.
3040         (shouldBe):
3041         (builtin.createBuiltin):
3042         * stress/to-object-intrinsic-object-edge.js: Added.
3043         (shouldBe):
3044         (builtin.createBuiltin):
3045         (i.arg):
3046         * stress/to-object-intrinsic-string-edge.js: Added.
3047         (shouldBe):
3048         (builtin.createBuiltin):
3049         * stress/to-object-intrinsic-symbol-edge.js: Added.
3050         (shouldBe):
3051         (builtin.createBuiltin):
3052         * stress/to-object-intrinsic.js: Added.
3053         (shouldBe):
3054         (shouldThrow):
3055         (builtin.createBuiltin):
3056
3057 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3058
3059         [DFG][FTL] Introduce StringSlice
3060         https://bugs.webkit.org/show_bug.cgi?id=178934
3061
3062         Reviewed by Saam Barati.
3063
3064         * microbenchmarks/string-slice-empty.js: Added.
3065         (slice):
3066         * microbenchmarks/string-slice-one-char.js: Added.
3067         (slice):
3068         * microbenchmarks/string-slice.js: Added.
3069         (slice):
3070
3071 2017-10-26  Michael Saboff  <msaboff@apple.com>
3072
3073         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3074         https://bugs.webkit.org/show_bug.cgi?id=178890
3075
3076         Reviewed by Keith Miller.
3077
3078         New regression test.
3079
3080         * stress/regress-178890.js: Added.
3081
3082 2017-10-26  Mark Lam  <mark.lam@apple.com>
3083
3084         JSRopeString::RopeBuilder::append() should check for overflows.
3085         https://bugs.webkit.org/show_bug.cgi?id=178385
3086         <rdar://problem/35027468>
3087
3088         Reviewed by Saam Barati.
3089
3090         * stress/regress-178385.js: Added.
3091
3092 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3093
3094         Unreviewed, rolling out r223961.
3095
3096         The change that required this has been rolled out.
3097
3098         Reverted changeset:
3099
3100         "Mark test262.yaml/test262/test/language/statements/try/tco-
3101         catch.js as passing."
3102         https://bugs.webkit.org/show_bug.cgi?id=178592
3103         https://trac.webkit.org/changeset/223961
3104
3105 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3106
3107         Unreviewed, rolling out r223691 and r223729.
3108         https://bugs.webkit.org/show_bug.cgi?id=178834
3109
3110         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3111         by rniwa on #webkit).
3112
3113         Reverted changesets:
3114
3115         "Turn recursive tail calls into loops"
3116         https://bugs.webkit.org/show_bug.cgi?id=176601
3117         https://trac.webkit.org/changeset/223691
3118
3119         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3120         comparison is always false due to limited range of data type
3121         [-Wtype-limits]"
3122         https://bugs.webkit.org/show_bug.cgi?id=178543
3123         https://trac.webkit.org/changeset/223729
3124
3125 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3126
3127         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3128         https://bugs.webkit.org/show_bug.cgi?id=178592
3129
3130         Unreviewed test gardening.
3131
3132         * test262.yaml:
3133
3134 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3135
3136         [FTL] Support NewStringObject
3137         https://bugs.webkit.org/show_bug.cgi?id=178737
3138
3139         Reviewed by Saam Barati.
3140
3141         * stress/new-string-object.js: Added.
3142         (shouldBe):
3143         (test):
3144
3145 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3146
3147         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3148         https://bugs.webkit.org/show_bug.cgi?id=178308
3149
3150         Reviewed by Mark Lam.
3151
3152         * test262.yaml:
3153
3154 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3155
3156         [JSC] Use fastJoin in Array#toString
3157         https://bugs.webkit.org/show_bug.cgi?id=178062
3158
3159         Reviewed by Darin Adler.
3160
3161         * microbenchmarks/contiguous-array-to-string.js: Added.
3162         (target):
3163         * microbenchmarks/double-array-to-string.js: Added.
3164         (target):
3165         * microbenchmarks/int32-array-to-string.js: Added.
3166         (target):
3167
3168 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3169
3170         stress/check-string-ident.js is improperly skipped
3171         https://bugs.webkit.org/show_bug.cgi?id=178642
3172
3173         Reviewed by Saam Barati.
3174
3175         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3176         since it enforces the run-jsc-stress-tests script to still set up the
3177         test to run, despite the skip directive that's used before.
3178
3179 2017-10-20  Mark Lam  <mark.lam@apple.com>
3180
3181         Add a test case for r214334.
3182         https://bugs.webkit.org/show_bug.cgi?id=169941
3183         <rdar://problem/31221258>
3184
3185         Reviewed by JF Bastien.
3186
3187         * stress/regress-169941.js: Added.
3188
3189 2017-10-19  JF Bastien  <jfbastien@apple.com>
3190
3191         WebAssembly: no VM / JS version of everything but Instance
3192         https://bugs.webkit.org/show_bug.cgi?id=177473
3193
3194         Reviewed by Filip Pizlo, Saam Barati.
3195
3196         - Exceeding max on memory growth now returns a range error as per
3197         spec. This is a (very minor) breaking change: it used to throw OOM
3198         error. Update the corresponding test.
3199
3200         * wasm/js-api/memory-grow.js:
3201         (assertEq):
3202         * wasm/js-api/table.js:
3203         (assert.throws):
3204
3205 2017-10-19  Mark Lam  <mark.lam@apple.com>
3206
3207         Stringifier::appendStringifiedValue() is missing an exception check.
3208         https://bugs.webkit.org/show_bug.cgi?id=178386
3209         <rdar://problem/35027610>
3210
3211         Reviewed by Saam Barati.
3212
3213         * stress/regress-178386.js: Added.
3214
3215 2017-10-19  Michael Saboff  <msaboff@apple.com>
3216
3217         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3218         https://bugs.webkit.org/show_bug.cgi?id=178521
3219
3220         Reviewed by JF Bastien.
3221
3222         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3223         now passes with the current version (5.0) of the Emoji spec.
3224
3225 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3226
3227         Turn recursive tail calls into loops
3228         https://bugs.webkit.org/show_bug.cgi?id=176601
3229
3230         Reviewed by Saam Barati.
3231
3232         Add some simple tests that compute factorial in several ways, and other trivial computations.
3233         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
3234         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3235         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3236         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3237
3238         * stress/inline-call-to-recursive-tail-call.js: Added.
3239         (factorial.aux):
3240         (factorial):
3241         (factorial2.aux):
3242         (factorial2.id):
3243         (factorial2):
3244         (factorial3.aux):
3245         (factorial3):
3246         (aux):
3247         (factorial4):
3248         (test):
3249
3250 2017-10-18  Mark Lam  <mark.lam@apple.com>
3251
3252         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3253         https://bugs.webkit.org/show_bug.cgi?id=177600
3254         <rdar://problem/34710985>
3255
3256         Reviewed by Saam Barati.
3257
3258         * stress/regress-177600.js: Added.
3259
3260 2017-10-18  Mark Lam  <mark.lam@apple.com>
3261
3262         The compiler should always register a structure when it adds its transitionWatchPointSet.
3263         https://bugs.webkit.org/show_bug.cgi?id=178420
3264         <rdar://problem/34814024>
3265
3266         Reviewed by Saam Barati and Filip Pizlo.
3267
3268         * stress/regress-178420.js: Added.
3269         (new.Array.10000.map):
3270
3271 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3272
3273         [JSC] __proto__ getter should be fast
3274         https://bugs.webkit.org/show_bug.cgi?id=178067
3275
3276         Reviewed by Saam Barati.
3277
3278         * stress/dfg-object-proto-accessor.js: Added.
3279         (shouldBe):
3280         (shouldThrow):
3281         (target):
3282         * stress/dfg-object-proto-getter.js: Added.
3283         (shouldBe):
3284         (shouldThrow):
3285         (target):
3286         * stress/dfg-object-prototype-of.js: Added.
3287         (shouldBe):
3288         (shouldThrow):
3289         (target):
3290         * stress/dfg-reflect-get-prototype-of.js: Added.
3291         (shouldBe):
3292         (shouldThrow):
3293         (target):
3294         * stress/intrinsic-getter-with-poly-proto.js: Added.
3295         (shouldBe):
3296         (makePolyProtoObject.foo.C):
3297         (makePolyProtoObject.foo):
3298         (makePolyProtoObject):
3299         (target):
3300         * stress/object-get-prototype-of-filtered.js: Added.
3301         (shouldBe):
3302         (shouldThrow):
3303         (target):
3304         (i.Cocoa):
3305         * stress/object-get-prototype-of-mono-proto.js: Added.
3306         (shouldBe):
3307         (makePolyProtoObject.foo.C):
3308         (makePolyProtoObject.foo):
3309         (makePolyProtoObject):
3310         (target):
3311         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3312         (shouldBe):
3313         (makePolyProtoObject.foo.C):
3314         (makePolyProtoObject.foo):
3315         (makePolyProtoObject):
3316         (target):
3317         * stress/object-get-prototype-of-poly-proto.js: Added.
3318         (shouldBe):
3319         (makePolyProtoObject.foo.C):
3320         (makePolyProtoObject.foo):
3321         (makePolyProtoObject):
3322         (target):
3323         * stress/object-proto-getter-filtered.js: Added.
3324         (shouldBe):
3325         (shouldThrow):
3326         (target):
3327         (i.Cocoa):
3328         * stress/object-proto-getter-poly-mono-proto.js: Added.
3329         (shouldBe):
3330         (makePolyProtoObject.foo.C):
3331         (makePolyProtoObject.foo):
3332         (makePolyProtoObject):
3333         (target):
3334         * stress/object-proto-getter-poly-proto.js: Added.
3335         (shouldBe):
3336         (makePolyProtoObject.foo.C):
3337         (makePolyProtoObject.foo):
3338         (makePolyProtoObject):
3339         (target):
3340         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3341         * stress/string-proto.js: Added.
3342         (shouldBe):
3343         (target):
3344
3345 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3346
3347         Unreviewed, rolling out r223523.
3348
3349         A test for this change is failing on debug JSC bots.
3350
3351         Reverted changeset:
3352
3353         "[JSC] __proto__ getter should be fast"
3354         https://bugs.webkit.org/show_bug.cgi?id=178067
3355         https://trac.webkit.org/changeset/223523
3356
3357 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3358
3359         [JSC] __proto__ getter should be fast
3360         https://bugs.webkit.org/show_bug.cgi?id=178067
3361
3362         Reviewed by Saam Barati.
3363
3364         * stress/dfg-object-proto-accessor.js: Added.
3365         (shouldBe):
3366         (shouldThrow):
3367         (target):
3368         * stress/dfg-object-proto-getter.js: Added.
3369         (shouldBe):
3370         (shouldThrow):
3371         (target):
3372         * stress/dfg-object-prototype-of.js: Added.
3373         (shouldBe):
3374         (shouldThrow):
3375         (target):
3376         * stress/dfg-reflect-get-prototype-of.js: Added.
3377         (shouldBe):
3378         (shouldThrow):
3379         (target):
3380         * stress/object-get-prototype-of-filtered.js: Added.
3381         (shouldBe):
3382         (shouldThrow):
3383         (target):
3384         (i.Cocoa):
3385         * stress/object-get-prototype-of-mono-proto.js: Added.
3386         (shouldBe):
3387         (makePolyProtoObject.foo.C):
3388         (makePolyProtoObject.foo):
3389         (makePolyProtoObject):
3390         (target):
3391         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3392         (shouldBe):
3393         (makePolyProtoObject.foo.C):
3394         (makePolyProtoObject.foo):
3395         (makePolyProtoObject):
3396         (target):
3397         * stress/object-get-prototype-of-poly-proto.js: Added.
3398         (shouldBe):
3399         (makePolyProtoObject.foo.C):
3400         (makePolyProtoObject.foo):
3401         (makePolyProtoObject):
3402         (target):
3403         * stress/object-proto-getter-filtered.js: Added.
3404         (shouldBe):
3405         (shouldThrow):
3406         (target):
3407         (i.Cocoa):
3408         * stress/object-proto-getter-poly-mono-proto.js: Added.
3409         (shouldBe):
3410         (makePolyProtoObject.foo.C):
3411         (makePolyProtoObject.foo):
3412         (makePolyProtoObject):
3413         (target):
3414         * stress/object-proto-getter-poly-proto.js: Added.
3415         (shouldBe):
3416         (makePolyProtoObject.foo.C):
3417         (makePolyProtoObject.foo):
3418         (makePolyProtoObject):
3419         (target):
3420         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3421         * stress/string-proto.js: Added.
3422         (shouldBe):
3423         (target):
3424
3425 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3426
3427         Reland "Add Above/Below comparisons for UInt32 patterns"
3428         https://bugs.webkit.org/show_bug.cgi?id=177281
3429
3430         Reviewed by Saam Barati.
3431
3432         * stress/uint32-comparison-jump.js: Added.
3433         (shouldBe):
3434         (above):
3435         (aboveOrEqual):
3436         (below):
3437         (belowOrEqual):
3438         (notAbove):
3439         (notAboveOrEqual):
3440         (notBelow):
3441         (notBelowOrEqual):
3442         * stress/uint32-comparison.js: Added.
3443         (shouldBe):
3444         (above):
3445         (aboveOrEqual):
3446         (below):
3447         (belowOrEqual):
3448         (aboveTest):
3449         (aboveOrEqualTest):
3450         (belowTest):
3451         (belowOrEqualTest):
3452
3453 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3454
3455         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3456         https://bugs.webkit.org/show_bug.cgi?id=178210
3457
3458         Reviewed by Saam Barati.
3459
3460         * wasm/function-tests/trap-from-start-async.js:
3461         (async.StartTrapsAsync):
3462         * wasm/function-tests/trap-from-start.js:
3463         (StartTraps):
3464         * wasm/js-api/web-assembly-function.js:
3465         (assert.eq.Object.getPrototypeOf):
3466         * wasm/js-api/wrapper-function.js:
3467         (return.new.WebAssembly.Module):
3468         (assert.throws.makeInstance): Deleted.
3469         (assert.throws.Bar): Deleted.
3470         (assert.throws): Deleted.
3471
3472 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3473
3474         Enable gigacage on iOS
3475         https://bugs.webkit.org/show_bug.cgi?id=177586
3476
3477         Reviewed by JF Bastien.
3478         
3479         Add tests for when Gigacage gets runtime disabled.
3480
3481         * stress/disable-gigacage-arrays.js: Added.
3482         (foo):
3483         * stress/disable-gigacage-strings.js: Added.
3484         (foo):
3485         * stress/disable-gigacage-typed-arrays.js: Added.
3486         (foo):
3487
3488 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3489
3490         import.meta should not be assignable
3491         https://bugs.webkit.org/show_bug.cgi?id=178202
3492
3493         Reviewed by Saam Barati.
3494
3495         * modules/import-meta-assignment.js: Added.
3496         (shouldThrow):
3497         (SyntaxError.import.meta.can.shouldThrow):
3498
3499 2017-10-11  Saam Barati  <sbarati@apple.com>
3500
3501         Unreviewed. Actually skip certain type profiler tests in debug.
3502
3503         * typeProfiler.yaml:
3504         * typeProfiler/deltablue-for-of.js:
3505         * typeProfiler/getter-richards.js:
3506
3507 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3508
3509         Unreviewed, rolling out r223113 and r223121.
3510         https://bugs.webkit.org/show_bug.cgi?id=178182
3511
3512         Reintroduced 20% regression on Kraken (Requested by rniwa on
3513         #webkit).
3514
3515         Reverted changesets:
3516
3517         "Enable gigacage on iOS"
3518         https://bugs.webkit.org/show_bug.cgi?id=177586
3519         https://trac.webkit.org/changeset/223113
3520
3521         "Use one virtual allocation for all gigacages and their
3522         runways"
3523         https://bugs.webkit.org/show_bug.cgi?id=178050
3524         https://trac.webkit.org/changeset/223121
3525
3526 2017-10-11  Michael Saboff  <msaboff@apple.com>
3527
3528         Disable test262 named capture group tests with direct unicode names and with references before definitions
3529         https://bugs.webkit.org/show_bug.cgi?id=178177
3530
3531         Reviewed by Keith Miller.
3532
3533         Bugs to track fixing these tests are:
3534         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3535             "Add support in named capture group identifiers for direct surrogate pairs"
3536         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3537             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3538
3539         * test262.yaml:
3540
3541 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3542
3543         Object properties are undefined in super.call() but not in this.call()
3544         https://bugs.webkit.org/show_bug.cgi?id=177230
3545
3546         Reviewed by Saam Barati.
3547
3548         * stress/super-call-function-subclass.js: Added.
3549         (assert):
3550         (A.prototype.t):
3551         (A):
3552         * stress/super-dot-call-and-apply.js: Added.
3553         (assert):
3554         (A):
3555         (A.prototype.call):
3556         (A.prototype.apply):
3557         (B.prototype.testSuper):
3558         (B):
3559         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3560         (D.prototype.testSuper):
3561         (D):
3562
3563 2017-10-10  Saam Barati  <sbarati@apple.com>
3564
3565         The prototype cache should be aware of the Executable it generates a Structure for
3566         https://bugs.webkit.org/show_bug.cgi?id=177907
3567
3568         Reviewed by Filip Pizlo.
3569
3570         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3571         (assert):
3572         (foo.C):
3573         (foo):
3574         (bar.C):
3575         (bar):
3576         (access):
3577         (makeLongChain):
3578         (accessY):
3579
3580 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3581
3582         `async` should be able to be used as an imported binding name
3583         https://bugs.webkit.org/show_bug.cgi?id=176573
3584
3585         Reviewed by Saam Barati.
3586
3587         * modules/import-default-async.js: Added.
3588         * modules/import-named-async-as.js: Added.
3589         * modules/import-named-async.js: Added.
3590         * modules/import-named-async/target.js: Added.
3591         * modules/import-namespace-async.js: Added.
3592         * test262.yaml:
3593
3594 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3595
3596         Enable gigacage on iOS
3597         https://bugs.webkit.org/show_bug.cgi?id=177586
3598
3599         Reviewed by JF Bastien.
3600         
3601         Add tests for when Gigacage gets runtime disabled.
3602
3603         * stress/disable-gigacage-arrays.js: Added.
3604         (foo):
3605         * stress/disable-gigacage-strings.js: Added.
3606         (foo):
3607         * stress/disable-gigacage-typed-arrays.js: Added.
3608         (foo):
3609
3610 2017-10-09  Michael Saboff  <msaboff@apple.com>
3611
3612         Implement RegExp Unicode property escapes
3613         https://bugs.webkit.org/show_bug.cgi?id=172069
3614
3615         Reviewed by JF Bastien.
3616
3617         Enabled Unicode Property tests.
3618
3619         * test262.yaml:
3620
3621 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3622
3623         Unreviewed, rolling out r223015 and r223025.
3624         https://bugs.webkit.org/show_bug.cgi?id=178093
3625
3626         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3627         #webkit).
3628
3629         Reverted changesets:
3630
3631         "Enable gigacage on iOS"
3632         https://bugs.webkit.org/show_bug.cgi?id=177586
3633         http://trac.webkit.org/changeset/223015
3634
3635         "Unreviewed, disable Gigacage on ARM64 Linux"
3636         https://bugs.webkit.org/show_bug.cgi?id=177586
3637         http://trac.webkit.org/changeset/223025
3638
3639 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3640
3641         Update expectations for test262 tests that pass after r223043.
3642         https://bugs.webkit.org/show_bug.cgi?id=176685
3643
3644         Unreviewed test gardening.
3645
3646         * test262.yaml:
3647
3648 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3649
3650         Unreviewed, rolling out r223022.
3651
3652         This change introduced 18 test262 failures.
3653
3654         Reverted changeset:
3655
3656         "`async` should be able to be used as an imported binding
3657         name"
3658         https://bugs.webkit.org/show_bug.cgi?id=176573
3659         http://trac.webkit.org/changeset/223022
3660
3661 2017-10-09  Saam Barati  <sbarati@apple.com>
3662
3663         3 poly-proto JSC tests timing out on debug after r222827
3664         https://bugs.webkit.org/show_bug.cgi?id=177880
3665         <rdar://problem/34817122>
3666
3667         Unreviewed.
3668
3669         I'm skipping these type profiler tests on debug since they are long running.
3670
3671         * typeProfiler/deltablue-for-of.js:
3672         * typeProfiler/getter-richards.js:
3673
3674 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3675
3676         Safari 10 /11 problem with if (!await get(something)).
3677         https://bugs.webkit.org/show_bug.cgi?id=176685
3678
3679         Reviewed by Saam Barati.
3680
3681         * stress/async-await-basic.js:
3682         (awaitEpression.async):
3683         * stress/async-await-syntax.js:
3684         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3685         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3686
3687 2017-10-08  Saam Barati  <sbarati@apple.com>
3688
3689         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3690
3691         * typeProfiler/deltablue-for-of.js:
3692         * typeProfiler/getter-richards.js:
3693
3694 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3695
3696         `async` should be able to be used as an imported binding name
3697         https://bugs.webkit.org/show_bug.cgi?id=176573
3698
3699         Reviewed by Darin Adler.
3700
3701         * modules/import-default-async.js: Added.
3702         * modules/import-named-async-as.js: Added.
3703         * modules/import-named-async.js: Added.
3704         * modules/import-named-async/target.js: Added.
3705         * modules/import-namespace-async.js: Added.
3706
3707 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3708
3709         Enable gigacage on iOS
3710         https://bugs.webkit.org/show_bug.cgi?id=177586
3711
3712         Reviewed by JF Bastien.
3713         
3714         Add tests for when Gigacage gets runtime disabled.
3715
3716         * stress/disable-gigacage-arrays.js: Added.
3717         (foo):
3718         * stress/disable-gigacage-strings.js: Added.
3719         (foo):
3720         * stress/disable-gigacage-typed-arrays.js: Added.
3721         (foo):
3722
3723 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3724
3725         Unreviewed, rolling out r222791 and r222873.
3726         https://bugs.webkit.org/show_bug.cgi?id=178031
3727
3728         Caused crashes with workers/wasm LayoutTests (Requested by
3729         ryanhaddad on #webkit).
3730
3731         Reverted changesets:
3732
3733         "WebAssembly: no VM / JS version of everything but Instance"
3734         https://bugs.webkit.org/show_bug.cgi?id=177473
3735         http://trac.webkit.org/changeset/222791
3736
3737         "WebAssembly: address no VM / JS follow-ups"
3738         https://bugs.webkit.org/show_bug.cgi?id=177887
3739         http://trac.webkit.org/changeset/222873
3740
3741 2017-10-05  Saam Barati  <sbarati@apple.com>
3742
3743         Make sure all prototypes under poly proto get added into the VM's prototype map
3744         https://bugs.webkit.org/show_bug.cgi?id=177909
3745
3746         Reviewed by Keith Miller.
3747
3748         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3749         (assert):
3750         (foo.C):
3751         (foo):
3752         (set x):
3753
3754 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3755
3756         [JSC] Introduce import.meta
3757         https://bugs.webkit.org/show_bug.cgi?id=177703
3758
3759         Reviewed by Filip Pizlo.
3760
3761         * modules/import-meta-syntax.js: Added.
3762         (shouldThrow):
3763         (shouldNotThrow):
3764         * modules/import-meta.js: Added.
3765         * modules/import-meta/cocoa.js: Added.
3766         * modules/resources/assert.js:
3767         (export.shouldNotThrow):
3768         * stress/import-syntax.js:
3769
3770 2017-10-04  Saam Barati  <sbarati@apple.com>
3771
3772         Make pertinent AccessCases watch the poly proto watchpoint
3773         https://bugs.webkit.org/show_bug.cgi?id=177765
3774
3775         Reviewed by Keith Miller.
3776
3777         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3778         (assert):
3779         (foo.C):
3780         (foo):
3781         (validate):
3782         * stress/poly-proto-clear-stub.js: Added.
3783         (assert):
3784         (foo.C):
3785         (foo):
3786
3787 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3788
3789         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3790
3791         Unreviewed test gardening.
3792
3793         * test262.yaml:
3794
3795 2017-10-04  Saam Barati  <sbarati@apple.com>
3796
3797         3 poly-proto JSC tests timing out on debug after r222827
3798         https://bugs.webkit.org/show_bug.cgi?id=177880
3799
3800         Rubber stamped by Mark Lam.
3801
3802         * microbenchmarks/poly-proto-access.js:
3803         * typeProfiler/deltablue-for-of.js:
3804         * typeProfiler/getter-richards.js:
3805
3806 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3807
3808         Unreviewed, marking tco-catch.js as a failure after test262 update
3809         https://bugs.webkit.org/show_bug.cgi?id=177859
3810
3811         * test262.yaml:
3812
3813 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3814
3815         Unreviewed, marking one async iterator test262 test failed
3816         https://bugs.webkit.org/show_bug.cgi?id=177859
3817
3818         * test262.yaml:
3819
3820 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3821
3822         [Test262] Update Test262 to Oct 4 version
3823         https://bugs.webkit.org/show_bug.cgi?id=177859
3824
3825         Reviewed by Sam Weinig.
3826
3827         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3828         we no longer need to mark it skip/fail. Also, this update includes a bunch of BigInt tests.
3829
3830         * test262.yaml:
3831         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3832         (checkSequence):
3833         * test262/harness/typeCoercion.js:
3834         (testCoercibleToIndexZero):
3835         (testCoercibleToIndexOne):
3836         (testCoercibleToIndexFromIndex):
3837         (testNotCoercibleToIndex.testPrimitiveValue):
3838         (testNotCoercibleToInteger):
3839         (testCoercibleToBigIntZero.testPrimitiveValue):
3840         (testCoercibleToBigIntZero):
3841         (testCoercibleToBigIntOne.testPrimitiveValue):
3842         (testCoercibleToBigIntOne):
3843         (testPrimitiveValue):
3844         (testCoercibleToBigIntFromBigInt):
3845         (testNotCoercibleToBigInt.testPrimitiveValue):
3846         (testNotCoercibleToBigInt.testStringValue):
3847         (testNotCoercibleToBigInt):
3848         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3849         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3850         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3851         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3852         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3853         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3854         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3855         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3856         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3857         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3858         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3859         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3860         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3861         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3862         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3863         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3864         (testCoercibleToBigIntZero):
3865         (testCoercibleToBigIntOne):
3866         (testNotCoercibleToBigInt):
3867         (MyError): Deleted.
3868         (valueOf): Deleted.
3869         (toString): Deleted.
3870         (Symbol.toPrimitive): Deleted.
3871         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3872         (testCoercibleToIndexZero):
3873         (testCoercibleToIndexOne):
3874         (testNotCoercibleToIndex):
3875         (MyError): Deleted.
3876         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3877         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3878         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3879         (BigInt.asIntN.valueOf): Deleted.
3880         (BigInt.asIntN.toString): Deleted.
3881         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3882         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3883         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3884         (testCoercibleToBigIntZero):
3885         (testCoercibleToBigIntOne):
3886         (testNotCoercibleToBigInt):
3887         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3888         (testCoercibleToIndexZero):
3889         (testCoercibleToIndexOne):
3890         (testNotCoercibleToIndex):
3891         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3892         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3893         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3894         (bits.valueOf):
3895         (bigint.valueOf):
3896         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3897         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3898         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3899         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3900         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3901         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3902         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3903         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3904         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3905         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3906         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3907         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3908         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3909         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3910         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3911         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3912         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3913         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3914         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3915         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3916         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3917         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3918         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3919         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3920         (replacer):
3921         (BigInt.prototype.toJSON):
3922         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3923         (replacer):
3924         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3925         (BigInt.prototype.toJSON):
3926         * test262/test/built-ins/JSON/stringify/bigint.js:
3927         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3928         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3929         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3930         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3931         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3932         * test262/test/built-ins/Object/proto-from-ctor.js:
3933         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3934         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3935         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3936         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3937         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3938         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3939         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3940         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3941         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3942         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3943         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3944         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3945         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3946         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3947         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3948         * test262/test/built-ins/Proxy/get-fn-realm.js:
3949         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3950         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3951         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3952         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3953         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3954         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3955         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3956         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3957         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3958         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3959         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3960         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3961         (i6.replace):
3962         (i6b.replace):
3963         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3964         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3965         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3966         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3967         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3968         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3969         * test262/test/built-ins/RegExp/u180e.js: Added.
3970         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3971         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3972         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3973         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3974         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3975         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3976         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3977         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3978         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3979         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3980         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3981         * test262/test/built-ins/String/prototype/endsWith/length.js:
3982         * test262/test/built-ins/String/prototype/endsWith/name.js:
3983         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3984         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3985         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3986         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3987         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3988         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3989         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3990         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3991         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3992         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3993         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3994         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3995         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3996         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3997         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3998         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3999         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4000         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4001         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4002         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4003         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4004         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4005         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4006         * test262/test/built-ins/String/prototype/includes/includes.js:
4007         * test262/test/built-ins/String/prototype/includes/length.js:
4008         * test262/test/built-ins/String/prototype/includes/name.js:
4009         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4010         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4011         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4012         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4013         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4014         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4015         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4016         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4017         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4018         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4019         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4020         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4021         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4022         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4023         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4024         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4025         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4026         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4027         * test262/test/built-ins/String/prototype/trim/u180e.js:
4028         * test262/test/built-ins/Symbol/for/cross-realm.js:
4029         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4030         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4031         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4032         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4033         * test262/test/built-ins/Symbol/match/cross-realm.js:
4034         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4035         * test262/test/built-ins/Symbol/search/cross-realm.js:
4036         * test262/test/built-ins/Symbol/species/cross-realm.js:
4037         * test262/test/built-ins/Symbol/split/cross-realm.js:
4038         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4039         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4040         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4041         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4042         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4043         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4044         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4045         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4046         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4047         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4048         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4049         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4050         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4051         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4052         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4053         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4054         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4055         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4056         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4057         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4058         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4059         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4060         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4061         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4062         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4063         * test262/test/language/eval-code/indirect/realm.js:
4064         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4065         (o.get z):
4066         (o.get a):
4067         * test262/test/language/expressions/call/eval-realm-indirect.js:
4068         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4069         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4070         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4071         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4072         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4073         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4074         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4075         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4076         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4077         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4078         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4079         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4080         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4081         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4082         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4083         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4084         * test262/test/language/expressions/less-than/bigint-and-number.js:
4085         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4086         * test262/test/language/expressions/super/realm.js:
4087         * test262/test/language/expressions/tagged-template/cache-realm.js:
4088         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
4089         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
4090         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
4091         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
4092         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
4093         * test262/test/language/literals/string/mongolian-vowel-separator.js:
4094         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
4095         (o.get z):
4096         (o.get a):
4097         * test262/test/language/statements/for-of/iterator-next-reference.js:
4098         (next):
4099         (iterator.next): Deleted.
4100         (x.of.iterable.): Deleted.
4101         (x.of.iterable.get return): Deleted.
4102         (x.of.iterable.iterator.next): Deleted.
4103         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
4104         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
4105         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
4106         * test262/test/language/white-space/mongolian-vowel-separator.js:
4107         * test262/test262-Revision.txt:
4108
4109 2017-10-03  Saam Barati  <sbarati@apple.com>
4110
4111         Implement polymorphic prototypes
4112         https://bugs.webkit.org/show_bug.cgi?id=176391
4113
4114         Reviewed by Filip Pizlo.
4115
4116         * microbenchmarks/poly-proto-access.js: Added.
4117         (assert):
4118         (foo.C):
4119         (foo.C.prototype.get bar):
4120         (foo):
4121         (bar):
4122         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
4123         (assert):
4124         (makePolyProtoObject.foo.C):
4125         (makePolyProtoObject.foo):
4126         (makePolyProtoObject):
4127         (performSet):
4128         * microbenchmarks/poly-proto-setter-speed.js: Added.
4129         (assert):
4130         (makePolyProtoObject.foo.C):
4131         (makePolyProtoObject.foo.C.prototype.set p):
4132         (makePolyProtoObject.foo):
4133         (makePolyProtoObject):
4134         (performSet):
4135         * stress/constructor-with-return.js:
4136         (i.tests.forEach.Constructor):
4137         (i.tests.forEach):
4138         (tests.forEach.Constructor): Deleted.
4139         (tests.forEach): Deleted.
4140         * stress/dom-jit-with-poly-proto.js: Added.
4141         (assert):
4142         (makePolyProtoObject.foo.C):
4143         (makePolyProtoObject.foo):
4144         (makePolyProtoObject):
4145         (validate):
4146         * stress/poly-proto-custom-value-and-accessor.js: Added.
4147         (assert):
4148         (makePolyProtoObject.foo.C):
4149         (makePolyProtoObject.foo):
4150         (makePolyProtoObject):
4151         (items.forEach):
4152         (set get for):
4153         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
4154         (assert):
4155         (makePolyProtoObject.foo.C):
4156         (makePolyProtoObject.foo):
4157         (makePolyProtoObject):
4158         (foo):
4159         * stress/poly-proto-miss.js: Added.
4160         (makePolyProtoInstanceWithNullPrototype.foo.C):
4161         (makePolyProtoInstanceWithNullPrototype.foo):
4162         (makePolyProtoInstanceWithNullPrototype):
4163         (assert):
4164         (validate):
4165         * stress/poly-proto-op-in-caching.js: Added.
4166         (assert):
4167         (makePolyProtoObject.foo.C):
4168         (makePolyProtoObject.foo):
4169         (makePolyProtoObject):
4170         (validate):
4171         (validate2):
4172         * stress/poly-proto-put-transition.js: Added.
4173         (assert):
4174         (makePolyProtoObject.foo.C):
4175         (makePolyProtoObject.foo):
4176         (makePolyProtoObject):
4177         (performSet):
4178         (i.obj.__proto__.set p):
4179         * stress/poly-proto-set-prototype.js: Added.
4180         (assert):
4181         (let.alternateProto.get x):
4182         (let.alternateProto2.get y):
4183         (let.alternateProto2.get x):
4184         (foo.C):
4185         (foo):
4186         (validate):
4187         * stress/poly-proto-setter.js: Added.
4188         (assert):
4189         (makePolyProtoObject.foo.C):
4190         (makePolyProtoObject.foo.C.prototype.set p):
4191         (makePolyProtoObject.foo.C.prototype.get p):
4192         (makePolyProtoObject.foo):
4193         (makePolyProtoObject):
4194         (performSet):
4195         * stress/poly-proto-using-inheritance.js: Added.
4196         (assert):
4197         (foo.C):
4198         (foo.C.prototype.get baz):
4199         (foo):
4200         (bar.C):
4201         (bar):
4202         (validate):
4203         * stress/primitive-poly-proto.js: Added.
4204         (makePolyProtoInstance.foo.C):
4205         (makePolyProtoInstance.foo):
4206         (makePolyProtoInstance):
4207         (assert):
4208         (validate):
4209         * stress/prototype-is-not-js-object.js: Added.
4210         (foo.bar):
4211         (foo):
4212         (assert):
4213         (validate):
4214         * stress/try-get-by-id-poly-proto.js: Added.
4215         (assert):
4216         (makePolyProtoObject.foo.C):
4217         (makePolyProtoObject.foo):
4218         (makePolyProtoObject):
4219         (tryGetByIdText):
4220         (x.__proto__.get bar):
4221         (validate):
4222         * typeProfiler/overflow.js:
4223
4224 2017-10-03  JF Bastien  <jfbastien@apple.com>
4225
4226         WebAssembly: no VM / JS version of everything but Instance
4227         https://bugs.webkit.org/show_bug.cgi?id=177473
4228
4229         Reviewed by Filip Pizlo.
4230
4231         - Exceeding max on memory growth now returns a range error as per
4232         spec. This is a (very minor) breaking change: it used to throw OOM
4233         error. Update the corresponding test.
4234
4235         * wasm/js-api/memory-grow.js:
4236         (assertEq):
4237         * wasm/js-api/table.js:
4238         (assert.throws):
4239
4240 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
4241
4242         Skip JSC test stress/regress-159779-2.js on debug.
4243         https://bugs.webkit.org/show_bug.cgi?id=177204
4244
4245         Unreviewed test gardening.
4246
4247         * stress/regress-159779-2.js:
4248
4249 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
4250
4251         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
4252         https://bugs.webkit.org/show_bug.cgi?id=175642
4253
4254         Reviewed by Darin Adler.
4255
4256         * ChakraCore/test/Function/apply3.baseline-jsc:
4257
4258 2017-10-01  Commit Queue  <commit-queue@webkit.org>
4259
4260         Unreviewed, rolling out r222564.
4261         https://bugs.webkit.org/show_bug.cgi?id=177720
4262
4263         "It regressed JetStream by 2% on iOS caused by a 50%
4264         regression on the bigfib subtest" (Requested by saamyjoon on
4265         #webkit).
4266
4267         Reverted changeset:
4268
4269         "Add Above/Below comparisons for UInt32 patterns"
4270         https://bugs.webkit.org/show_bug.cgi?id=177281
4271         http://trac.webkit.org/changeset/222564
4272
4273 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4274
4275         [DFG] Support ArrayPush with multiple args
4276         https://bugs.webkit.org/show_bug.cgi?id=175823
4277
4278         Reviewed by Saam Barati.
4279
4280         * microbenchmarks/array-push-0.js: Added.
4281         (arrayPush0):
4282         * microbenchmarks/array-push-1.js: Added.
4283         (arrayPush1):
4284         * microbenchmarks/array-push-2.js: Added.
4285         (arrayPush2):
4286         * microbenchmarks/array-push-3.js: Added.
4287         (arrayPush3):
4288         * stress/array-push-multiple-contiguous.js: Added.
4289         (shouldBe):
4290         (test):
4291         * stress/array-push-multiple-double-nan.js: Added.
4292         (shouldBe):
4293         (test):
4294         * stress/array-push-multiple-double.js: Added.
4295         (shouldBe):
4296         (test):
4297         * stress/array-push-multiple-int32.js: Added.
4298         (shouldBe):
4299         (test):
4300         * stress/array-push-multiple-many-contiguous.js: Added.
4301         (shouldBe):
4302         (test):
4303         * stress/array-push-multiple-many-double.js: Added.
4304         (shouldBe):
4305         (test):
4306         * stress/array-push-multiple-many-int32.js: Added.
4307         (shouldBe):
4308         (test):
4309         * stress/array-push-multiple-many-storage.js: Added.
4310         (shouldBe):
4311         (test):
4312         * stress/array-push-multiple-storage.js: Added.
4313         (shouldBe):
4314         (test):
4315         * stress/array-push-with-force-exit.js: Added.
4316         (target.createBuiltin):
4317
4318 2017-09-29  Saam Barati  <sbarati@apple.com>
4319
4320         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4321         https://bugs.webkit.org/show_bug.cgi?id=177639
4322
4323         Reviewed by Geoffrey Garen.
4324
4325         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
4326         (assert):
4327         (Class):
4328         (items.forEach):
4329         (set get for):
4330
4331 2017-09-29  Commit Queue  <commit-queue@webkit.org>
4332
4333         Unreviewed, rolling out r222563, r222565, and r222581.
4334         https://bugs.webkit.org/show_bug.cgi?id=177675
4335
4336         "It causes a crash when playing youtube videos" (Requested by
4337         saamyjoon on #webkit).
4338
4339         Reverted changesets:
4340
4341         "[DFG] Support ArrayPush with multiple args"
4342         https://bugs.webkit.org/show_bug.cgi?id=175823
4343         http://trac.webkit.org/changeset/222563
4344
4345         "Unreviewed, build fix after r222563"
4346         https://bugs.webkit.org/show_bug.cgi?id=175823
4347         http://trac.webkit.org/changeset/222565
4348
4349         "Unreviewed, fix x86 breaking due to exhausted registers"
4350         https://bugs.webkit.org/show_bug.cgi?id=175823
4351         http://trac.webkit.org/changeset/222581
4352
4353 2017-09-28  Mark Lam  <mark.lam@apple.com>
4354
4355         test262: Unexpected passes after r222617 and r222618.
4356         https://bugs.webkit.org/show_bug.cgi?id=177622
4357         <rdar://problem/34725960>
4358
4359         Reviewed by Saam Barati.
4360
4361         Update test262.yaml for tests that are now passing.
4362
4363         * test262.yaml:
4364
4365 2017-09-27  Michael Saboff  <msaboff@apple.com>
4366
4367         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
4368         https://bugs.webkit.org/show_bug.cgi?id=177570
4369
4370         Reviewed by Filip Pizlo.
4371
4372         New regression test.
4373
4374         * stress/regress-177570.js: Added.
4375
4376 2017-09-28  Michael Saboff  <msaboff@apple.com>
4377
4378         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4379         https://bugs.webkit.org/show_bug.cgi?id=177423
4380
4381         Reviewed by Mark Lam.
4382
4383         Updated regression test.
4384
4385         * stress/regress-177423.js:
4386         (catch):
4387
4388 2017-09-27  Mark Lam  <mark.lam@apple.com>