PutStackSinkingPhase should know that KillStack means ConflictingFlush
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
2
3         PutStackSinkingPhase should know that KillStack means ConflictingFlush
4         https://bugs.webkit.org/show_bug.cgi?id=184672
5
6         Reviewed by Michael Saboff.
7
8         * stress/sink-put-stack-over-kill-stack.js: Added.
9         (avocado_1):
10         (apricot_0):
11         (__c_0):
12         (banana_2):
13
14 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
15
16         [JSC] Rename runWebAssembly to runWebAssemblySuite
17         https://bugs.webkit.org/show_bug.cgi?id=184703
18
19         Reviewed by JF Bastien.
20
21         And add runWebAssembly as a command to simply run wasm modules.
22
23         * wasm.yaml:
24
25 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
26
27         [WebAssembly][Modules] Implement function import from wasm modules
28         https://bugs.webkit.org/show_bug.cgi?id=184689
29
30         Reviewed by JF Bastien.
31
32         * wasm.yaml:
33         * wasm/modules/js-wasm-cycle.js: Added.
34         * wasm/modules/js-wasm-cycle/entry.js: Added.
35         (from.string_appeared_here.export.return42):
36         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
37         * wasm/modules/js-wasm-cycle/sum.wat: Added.
38         * wasm/modules/run-from-wasm.wasm: Added.
39         * wasm/modules/run-from-wasm.wat: Added.
40         * wasm/modules/run-from-wasm/check.js: Added.
41         (export.check):
42         * wasm/modules/wasm-imports-js-exports.js: Added.
43         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
44         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
45         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
46         (export.sum):
47         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
48         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
49         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
50         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
51         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
52         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
53         * wasm/modules/wasm-imports-wasm-exports.js: Added.
54         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
55         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
56         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
57         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
58         * wasm/modules/wasm-js-cycle.js: Added.
59         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
60         * wasm/modules/wasm-js-cycle/entry.wat: Added.
61         * wasm/modules/wasm-js-cycle/sum.js: Added.
62         (from.string_appeared_here.export.sum):
63         * wasm/modules/wasm-wasm-cycle.js: Added.
64         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
65         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
66         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
67         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
68
69 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
70
71         [WebAssembly][Modules] Prototype wasm import
72         https://bugs.webkit.org/show_bug.cgi?id=184600
73
74         Reviewed by JF Bastien.
75
76         Add wasm and wat files since the module loader wants to load wasm files from FS.
77         Currently, importing the other modules from wasm is not supported.
78
79         * wasm.yaml:
80         * wasm/modules/constant.wasm: Added.
81         * wasm/modules/constant.wat: Added.
82         * wasm/modules/js-wasm-function-namespace.js: Added.
83         (assert.throws):
84         * wasm/modules/js-wasm-function.js: Added.
85         (assert.throws):
86         * wasm/modules/js-wasm-global-namespace.js: Added.
87         (assert.throws):
88         * wasm/modules/js-wasm-global.js: Added.
89         (assert.throws):
90         * wasm/modules/js-wasm-memory-namespace.js: Added.
91         (assert.throws):
92         * wasm/modules/js-wasm-memory.js: Added.
93         (assert.throws):
94         * wasm/modules/js-wasm-start.js: Added.
95         (then):
96         * wasm/modules/js-wasm-table-namespace.js: Added.
97         (assert.throws):
98         * wasm/modules/js-wasm-table.js: Added.
99         (assert.throws):
100         * wasm/modules/memory.wasm: Added.
101         * wasm/modules/memory.wat: Added.
102         * wasm/modules/start.wasm: Added.
103         * wasm/modules/start.wat: Added.
104         * wasm/modules/sum.wasm: Added.
105         * wasm/modules/sum.wat: Added.
106         * wasm/modules/table.wasm: Added.
107         * wasm/modules/table.wat: Added.
108
109 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
110
111         Function.prototype.caller shouldn't return generator bodies
112         https://bugs.webkit.org/show_bug.cgi?id=184630
113
114         Reviewed by Yusuke Suzuki.
115
116         * stress/function-caller-async-arrow-function-body.js: Added.
117         * stress/function-caller-async-function-body.js: Added.
118         * stress/function-caller-async-generator-body.js: Added.
119         * stress/function-caller-generator-body.js: Added.
120         * stress/function-caller-generator-method-body.js: Added.
121
122 2018-04-12  Tomas Popela  <tpopela@redhat.com>
123
124         Unreviewed, skip JIT tests if it isn't enabled
125
126         See https://bugs.webkit.org/show_bug.cgi?id=182730.
127
128         * stress/big-int-spec-to-primitive.js:
129         * stress/big-int-spec-to-this.js:
130
131 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
132
133         [ESNext][BigInt] Add support for BigInt in SpeculatedType
134         https://bugs.webkit.org/show_bug.cgi?id=182470
135
136         Reviewed by Saam Barati.
137
138         * stress/big-int-spec-to-primitive.js: Added.
139         * stress/big-int-spec-to-this.js: Added.
140         * stress/big-int-strict-equals-jit.js: Added.
141         * stress/big-int-strict-spec-to-this.js: Added.
142         * stress/big-int-type-of-proven-type.js: Added.
143
144 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
145
146         DFG AI and clobberize should agree with each other
147         https://bugs.webkit.org/show_bug.cgi?id=184440
148
149         Reviewed by Saam Barati.
150         
151         Add tests for all of the bugs I fixed.
152
153         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
154         (foo):
155         * stress/new-typed-array-cse-effects.js: Added.
156         (foo):
157         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
158         (foo.theO):
159         (foo):
160         * stress/string-from-char-code-change-structure-not-dead.js: Added.
161         (foo):
162         (i.valueOf):
163         (weirdValue.valueOf):
164         * stress/string-from-char-code-change-structure.js: Added.
165         (foo):
166         (i.valueOf):
167         (weirdValue.valueOf):
168
169 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
170
171         Fix errant Test262 files CRLF to LF for consistency with the original source
172         https://bugs.webkit.org/show_bug.cgi?id=184425
173
174         Reviewed by Yusuke Suzuki.
175
176         * test262/test/built-ins/Math/acosh/nan-returns.js:
177         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
178         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
179         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
180         * test262/test/built-ins/Math/cbrt/prop-desc.js:
181         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
182         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
183         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
184         * test262/test/built-ins/Math/log2/log2-basicTests.js:
185         * test262/test/built-ins/Math/sign/sign-specialVals.js:
186         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
187         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
188         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
189         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
190
191 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
192
193         Unreviewed, remove incorrect entry in test262.yaml
194         https://bugs.webkit.org/show_bug.cgi?id=184266
195
196         * test262.yaml:
197
198 2018-04-08  Valerie Young  <valerie@bocoup.com>
199
200         [JSC] Update Test262 to April 6 version
201         https://bugs.webkit.org/show_bug.cgi?id=184266
202
203         Rubber stamped by Yusuke Suzuki.
204
205 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
206
207         [JSC] Introduce op_get_by_id_direct
208         https://bugs.webkit.org/show_bug.cgi?id=183970
209
210         Reviewed by Filip Pizlo.
211
212         * stress/generator-prototype-copy.js: Added.
213         (gen):
214         (catch):
215         Adopted JF's tests.
216
217         * stress/generator-type-check.js: Added.
218         (shouldThrow):
219         (foo2):
220         (i.shouldThrow):
221         * stress/get-by-id-direct-getter.js: Added.
222         (shouldBe):
223         (shouldThrow):
224         (obj.get hello):
225         (builtin.createBuiltin):
226         (obj2.get length):
227         * stress/get-by-id-direct.js: Added.
228         (shouldBe):
229         (shouldThrow):
230         (builtin.createBuiltin):
231         * test262.yaml:
232         We fixed a long-standing spec compatibility issue.
233         As a result, this patch makes several test262 tests pass!
234
235
236 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
237
238         Unreviewed, annotate test with @skip if $memoryLimited
239         https://bugs.webkit.org/show_bug.cgi?id=183894
240
241         * stress/json-stringified-overflow.js:
242
243 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
244
245         Add svn:eol-style to line-terminator-normalisation-CR.js
246         https://bugs.webkit.org/show_bug.cgi?id=184341
247
248         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
249
250 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
251
252         Unreviewed, remove errant LF from existing test262 test for CR line endings.
253
254         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
255
256 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
257
258         Unreviewed, rolling out r230320.
259
260         Revert fix, as the root cause lies elsewhere.
261
262         Reverted changeset:
263
264         "[test262] Mark line-terminator-normalisation-CR.js as a
265         binary file."
266         https://bugs.webkit.org/show_bug.cgi?id=184341
267         https://trac.webkit.org/changeset/230320
268
269 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
270
271         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
272         https://bugs.webkit.org/show_bug.cgi?id=184341
273
274         Reviewed by Yusuke Suzuki.
275
276         This test is all about CR line endings, but `svn-apply` can't deal with them.
277         Treating the file as binary ensures that its contents are never shown in a diff.
278
279         * .gitattributes: Added.
280
281 2018-04-05  Robin Morisset  <rmorisset@apple.com>
282
283         Fix testcase (missing try/catch).
284         https://bugs.webkit.org/show_bug.cgi?id=183657
285
286         Unreviewed.
287
288         * stress/large-unshift-splice.js:
289
290 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
291
292         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
293         https://bugs.webkit.org/show_bug.cgi?id=184319
294
295         Reviewed by Saam Barati.
296
297         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
298         (foo):
299         (bar):
300         * stress/array-push-nan-to-double-array.js: Added.
301         (foo):
302         (bar):
303
304 2018-04-03  Mark Lam  <mark.lam@apple.com>
305
306         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
307         https://bugs.webkit.org/show_bug.cgi?id=184284
308
309         Reviewed by Saam Barati.
310
311         * stress/js-fixed-array-out-of-memory.js:
312
313 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
314
315         JSC crash in JIT code with for-of loop and Array/Set iterators
316         https://bugs.webkit.org/show_bug.cgi?id=183174
317
318         Reviewed by Saam Barati.
319
320         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
321         (foo):
322         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
323         (f):
324
325 2018-03-30  JF Bastien  <jfbastien@apple.com>
326
327         WebAssembly: support DataView compilation
328         https://bugs.webkit.org/show_bug.cgi?id=183342
329
330         Reviewed by Mark Lam.
331
332         Test WebAssembly compilation using a DataView with offset.
333
334         * wasm/regress/183342.js: Added.
335         (attempt.catch):
336
337 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
338
339         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
340         https://bugs.webkit.org/show_bug.cgi?id=184189
341
342         Reviewed by JF Bastien.
343
344         * stress/load-hole-from-scope-into-live-var.js: Added.
345         (result.eval.try.switch):
346         (catch):
347
348 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
349
350         Unreviewed, rolling out r230102.
351
352         Caused assertion failures on JSC bots.
353
354         Reverted changeset:
355
356         "A stack overflow in the parsing of a builtin (called by
357         createExecutable) cause a crash instead of a catchable js
358         exception"
359         https://bugs.webkit.org/show_bug.cgi?id=184074
360         https://trac.webkit.org/changeset/230102
361
362 2018-03-30  Robin Morisset  <rmorisset@apple.com>
363
364         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
365         https://bugs.webkit.org/show_bug.cgi?id=183812
366
367         Reviewed by Keith Miller.
368
369         * stress/inlining-unreachable-non-tail.js: Added.
370         (foo.):
371         (foo):
372
373 2018-03-30  Robin Morisset  <rmorisset@apple.com>
374
375         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
376         https://bugs.webkit.org/show_bug.cgi?id=184074
377         <rdar://problem/37165897>
378
379         Reviewed by Keith Miller.
380
381         * stress/stack-overflow-while-parsing-builtin.js: Added.
382         (f):
383
384 2018-03-30  Robin Morisset  <rmorisset@apple.com>
385
386         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
387         https://bugs.webkit.org/show_bug.cgi?id=183657
388
389         Reviewed by Keith Miller.
390
391         * stress/large-unshift-splice.js: Added.
392         (make_contig_arr):
393
394 2018-03-28  Robin Morisset  <rmorisset@apple.com>
395
396         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
397         https://bugs.webkit.org/show_bug.cgi?id=183894
398
399         Reviewed by Saam Barati.
400
401         * stress/json-stringified-overflow.js: Added.
402         (catch):
403
404 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
405
406         DFG should know that CreateThis can be effectful
407         https://bugs.webkit.org/show_bug.cgi?id=184013
408
409         Reviewed by Saam Barati.
410
411         * stress/create-this-property-change.js: Added.
412         (Foo):
413         (RealBar):
414         (get if):
415         * stress/create-this-structure-change-without-cse.js: Added.
416         (Foo):
417         (RealBar):
418         (get if):
419         * stress/create-this-structure-change.js: Added.
420         (Foo):
421         (RealBar):
422         (get if):
423
424 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
425
426         [DFG] Introduces fused compare and jump
427         https://bugs.webkit.org/show_bug.cgi?id=177100
428
429         Reviewed by Mark Lam.
430
431         * stress/fused-jeq-slow.js: Added.
432         (shouldBe):
433         (testJEQ):
434         (testJNEQB):
435         (testJEQB):
436         (testJNEQF):
437         (testJEQF):
438         * stress/fused-jeq.js: Added.
439         (shouldBe):
440         (testJEQ):
441         (testJNEQB):
442         (testJEQB):
443         (testJNEQF):
444         (testJEQF):
445         * stress/fused-jstricteq-slow.js: Added.
446         (shouldBe):
447         (testJSTRICTEQ):
448         (testJNSTRICTEQB):
449         (testJSTRICTEQB):
450         (testJNSTRICTEQF):
451         (testJSTRICTEQF):
452         * stress/fused-jstricteq.js: Added.
453         (shouldBe):
454         (testJSTRICTEQ):
455         (testJNSTRICTEQB):
456         (testJSTRICTEQB):
457         (testJNSTRICTEQF):
458         (testJSTRICTEQF):
459
460 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
461
462         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
463         https://bugs.webkit.org/show_bug.cgi?id=183559
464
465         Reviewed by Mark Lam.
466
467         * stress/double-to-string-in-loop-removed.js: Added.
468         (test):
469         * stress/int32-to-string-in-loop-removed.js: Added.
470         (test):
471         * stress/int52-to-string-in-loop-removed.js: Added.
472         (test):
473
474 2018-03-22  Michael Saboff  <msaboff@apple.com>
475
476         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
477         https://bugs.webkit.org/show_bug.cgi?id=183901
478
479         Reviewed by Keith Miller.
480
481         New test.
482
483         * stress/array-reverse-doesnt-clobber.js: Added.
484         (testArrayReverse):
485         (createArrayOfArrays):
486         (createArrayStorage):
487
488 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
489
490         ScopedArguments should do poisoning and index masking
491         https://bugs.webkit.org/show_bug.cgi?id=183863
492
493         Reviewed by Mark Lam.
494         
495         Adds another stress test of scoped arguments.
496
497         * stress/scoped-arguments-test.js: Added.
498         (foo):
499
500 2018-03-20  Saam Barati  <sbarati@apple.com>
501
502         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
503         https://bugs.webkit.org/show_bug.cgi?id=183795
504         <rdar://problem/38298694>
505
506         Reviewed by JF Bastien.
507
508         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
509         (foo):
510         (bar):
511
512 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
513
514         [DFG][FTL] Add vectorLengthHint for NewArray
515         https://bugs.webkit.org/show_bug.cgi?id=183694
516
517         Reviewed by Saam Barati.
518
519         * stress/vector-length-hint-array-constructor.js: Added.
520         (shouldBe):
521         (test):
522         * stress/vector-length-hint-new-array.js: Added.
523         (shouldBe):
524         (test):
525
526 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
527
528         [DFG][FTL] Make ArraySlice(0) code tight
529         https://bugs.webkit.org/show_bug.cgi?id=183590
530
531         Reviewed by Saam Barati.
532
533         * stress/array-slice-with-zero.js: Added.
534         (shouldBe):
535         (test):
536         (test2):
537         * stress/array-slice-zero-args.js: Added.
538         (shouldBe):
539         (test):
540
541 2018-03-14  Caitlin Potter  <caitp@igalia.com>
542
543         [JSC] fix order of evaluation for ClassDefinitionEvaluation
544         https://bugs.webkit.org/show_bug.cgi?id=183523
545
546         Reviewed by Keith Miller.
547
548         Computed property names need to be evaluated in source order during class
549         definition evaluation, as it's observable (and specified to work this way).
550
551         This change improves compatibility with Chromium.
552
553         * stress/class_elements.js: Added.
554         (test):
555         (test.C.prototype.effect):
556         (test.C.effect):
557         (test.C.prototype.get effect):
558         (test.C.prototype.set effect):
559         (test.C):
560
561 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
562
563         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
564         https://bugs.webkit.org/show_bug.cgi?id=183310
565
566         Reviewed by Filip Pizlo.
567
568         * stress/ai-create-this-to-new-object-fire.js: Added.
569         (assert):
570         (test):
571         (func):
572         (check):
573         (test.body.A):
574         (test.body.B):
575         (test.body):
576         * stress/ai-create-this-to-new-object.js: Added.
577         (assert):
578         (test):
579         (func):
580         (check):
581         (test.body.A):
582         (test.body.B):
583         (test.body):
584
585 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
586
587         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
588         https://bugs.webkit.org/show_bug.cgi?id=181848
589
590         Reviewed by Sam Weinig.
591
592         * microbenchmarks/regexp-u-global-es5.js: Added.
593         (fn):
594         * microbenchmarks/regexp-u-global-es6.js: Added.
595         (fn):
596         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
597         (shouldBe):
598         (test):
599         (i.switch):
600         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
601         (shouldBe):
602         (test):
603
604 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
605
606         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
607         https://bugs.webkit.org/show_bug.cgi?id=183334
608
609         Reviewed by Žan Doberšek.
610
611         * stress/var-injection-cache-invalidation.js:
612
613 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
614
615         [ARM] Disable tests that run out of memory
616         https://bugs.webkit.org/show_bug.cgi?id=182699
617
618         Reviewed by Žan Doberšek.
619
620         Skip tests that run out of memory. Do not run
621         modules/module-jit-reachability.js without LLInt to prevent
622         running out of executable memory.
623
624         * modules.yaml:
625         * modules/module-jit-reachability.js:
626         * stress/has-own-property-name-cache-string-keys.js:
627         * stress/has-own-property-name-cache-symbol-keys.js:
628
629 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
630
631         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
632         https://bugs.webkit.org/show_bug.cgi?id=183173
633
634         Reviewed by Saam Barati.
635
636         * stress/async-arrow-function-in-class-heritage.js: Added.
637         (testSyntax):
638         (testSyntaxError):
639         (SyntaxError):
640
641 2018-03-01  Saam Barati  <sbarati@apple.com>
642
643         We need to clear cached structures when having a bad time
644         https://bugs.webkit.org/show_bug.cgi?id=183256
645         <rdar://problem/36245022>
646
647         Reviewed by Mark Lam.
648
649         * stress/having-a-bad-time-with-derived-arrays.js: Added.
650         (assert):
651         (defineSetter):
652         (iterate):
653         (doSlice):
654
655 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
656
657         JSC crash with `import("")`
658         https://bugs.webkit.org/show_bug.cgi?id=183175
659
660         Reviewed by Saam Barati.
661
662         * stress/import-with-empty-string.js: Added.
663
664 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
665
666         Unreviewed, skip FTL tests if FTL is disabled
667         https://bugs.webkit.org/show_bug.cgi?id=183071
668
669         * stress/has-indexed-property-array-storage-ftl.js:
670         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
671
672 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
673
674         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
675         https://bugs.webkit.org/show_bug.cgi?id=182965
676
677         Reviewed by Saam Barati.
678
679         * stress/put-by-val-array-storage.js: Added.
680         (shouldBe):
681         (testArrayStorageInBounds):
682         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
683         (shouldBe):
684         (testInt32.createBuiltin):
685         (set for):
686         * stress/put-by-val-slow-put-array-storage.js: Added.
687         (shouldBe):
688         (testArrayStorageInBounds):
689
690 2018-02-26  Saam Barati  <sbarati@apple.com>
691
692         validateStackAccess should not validate if the offset is within the stack bounds
693         https://bugs.webkit.org/show_bug.cgi?id=183067
694         <rdar://problem/37749988>
695
696         Reviewed by Mark Lam.
697
698         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
699         (assert):
700         (test.a):
701         (test.b):
702         (test):
703
704 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
705
706         Unreviewed, skip FTL tests if FTL is disabled
707         https://bugs.webkit.org/show_bug.cgi?id=183071
708
709         * stress/has-indexed-property-array-storage-ftl.js:
710         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
711
712 2018-02-23  Saam Barati  <sbarati@apple.com>
713
714         Make Number.isInteger an intrinsic
715         https://bugs.webkit.org/show_bug.cgi?id=183088
716
717         Reviewed by JF Bastien.
718
719         * stress/number-is-integer-intrinsic.js: Added.
720
721 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
722
723         WebAssembly: cache memory address / size on instance
724         https://bugs.webkit.org/show_bug.cgi?id=177305
725
726         Reviewed by JF Bastien.
727
728         * wasm/function-tests/memory-reuse.js: Added.
729         (createWasmInstance):
730         (doCheckTrap):
731         (doMemoryGrow):
732         (doCheck):
733         (checkWasmInstancesWithSharedMemory):
734
735 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
736
737         [JSC] Implement $vm.ftlTrue function for FTL testing
738         https://bugs.webkit.org/show_bug.cgi?id=183071
739
740         Reviewed by Mark Lam.
741
742         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
743         (foo):
744         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
745         (foo):
746         * stress/dead-fiat-value-to-int52.js:
747         (foo):
748         * stress/dead-osr-entry-value.js:
749         (foo):
750         * stress/fiat-value-to-int52-then-exit-not-double.js:
751         (foo):
752         * stress/fiat-value-to-int52-then-exit-not-int52.js:
753         (foo):
754         * stress/fiat-value-to-int52-then-fail-to-fold.js:
755         (foo):
756         * stress/fiat-value-to-int52-then-fold.js:
757         (foo):
758         * stress/fiat-value-to-int52.js:
759         (foo):
760         * stress/fold-based-on-int32-proof-mul-branch.js:
761         (foo):
762         * stress/fold-profiled-call-to-call.js:
763         (foo):
764         * stress/fold-to-double-constant-then-exit.js:
765         (foo):
766         * stress/fold-to-int52-constant-then-exit.js:
767         (foo):
768         * stress/fold-to-primitive-in-cfa.js:
769         (foo):
770         * stress/fold-to-primitive-to-identity-in-cfa.js:
771         (foo):
772         * stress/has-indexed-property-array-storage-ftl.js: Added.
773         (shouldBe):
774         (test1):
775         (test2):
776         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
777         (shouldBe):
778         (test1):
779         (test2):
780         * stress/int52-ai-add-then-filter-int32.js:
781         (foo):
782         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
783         (foo):
784         * stress/int52-ai-mul-then-filter-int32.js:
785         (foo):
786         * stress/int52-ai-neg-then-filter-int32.js:
787         (foo):
788         * stress/int52-ai-sub-then-filter-int32.js:
789         (foo):
790         * stress/licm-pre-header-cannot-exit-nested.js:
791         (foo):
792         * stress/licm-pre-header-cannot-exit.js:
793         (foo):
794         * stress/sparse-array-entry-update-144067.js:
795         (useMemoryToTriggerGCs):
796         * stress/test-spec-misc.js:
797         (foo):
798         * stress/tricky-array-bounds-checks.js:
799         (foo):
800
801 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
802
803         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
804         https://bugs.webkit.org/show_bug.cgi?id=182792
805
806         Reviewed by Mark Lam.
807
808         * stress/has-indexed-property-array-storage.js: Added.
809         (shouldBe):
810         (test1):
811         (test2):
812         * stress/has-indexed-property-slow-put-array-storage.js: Added.
813         (shouldBe):
814         (test1):
815         (test2):
816
817 2018-02-20  Saam Barati  <sbarati@apple.com>
818
819         DFG::VarargsForwardingPhase should eliminate getting argument length
820         https://bugs.webkit.org/show_bug.cgi?id=182959
821
822         Reviewed by Keith Miller.
823
824         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
825
826 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
827
828         [FTL] Support ArrayPush for ArrayStorage
829         https://bugs.webkit.org/show_bug.cgi?id=182782
830
831         Reviewed by Saam Barati.
832
833         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
834
835         * stress/array-push-array-storage-beyond-int32.js: Added.
836         (shouldBe):
837         (test):
838         * stress/array-push-array-storage.js: Added.
839         (shouldBe):
840         (test):
841         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
842         (shouldBe):
843         (test):
844         * stress/array-push-multiple-storage-continuous.js: Added.
845         (shouldBe):
846         (test):
847
848 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
849
850         [FTL] Support ArrayPop for ArrayStorage
851         https://bugs.webkit.org/show_bug.cgi?id=182783
852
853         Reviewed by Saam Barati.
854
855         * stress/array-pop-array-storage.js: Added.
856         (shouldBe):
857         (test):
858
859 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
860
861         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
862         https://bugs.webkit.org/show_bug.cgi?id=182731
863
864         Reviewed by Saam Barati.
865
866         * stress/arrayify-array-storage-array.js: Added.
867         (shouldBe):
868         (testArrayStorage):
869         * stress/arrayify-array-storage-non-array.js: Added.
870         (shouldBe):
871         (testArrayStorage):
872         * stress/arrayify-array-storage.js: Added.
873         (shouldBe):
874         (testArrayStorage):
875         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
876         (shouldBe):
877         (testArrayStorage):
878         * stress/arrayify-slow-put-array-storage.js: Added.
879         (shouldBe):
880         (testArrayStorage):
881
882 2018-02-19  Saam Barati  <sbarati@apple.com>
883
884         Don't use JSFunction's allocation profile when getting the prototype can be effectful
885         https://bugs.webkit.org/show_bug.cgi?id=182942
886         <rdar://problem/37584764>
887
888         Reviewed by Mark Lam.
889
890         * stress/get-prototype-create-this-effectful.js: Added.
891
892 2018-02-16  Saam Barati  <sbarati@apple.com>
893
894         Fix bugs from r228411
895         https://bugs.webkit.org/show_bug.cgi?id=182851
896         <rdar://problem/37577732>
897
898         Reviewed by JF Bastien.
899
900         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
901
902 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
903
904         Unreviewed, roll out r228366 since it did not progress anything.
905
906         * stress/gc-error-stack.js: Removed.
907         * stress/no-gc-error-stack.js: Removed.
908
909 2018-02-15  Tomas Popela  <tpopela@redhat.com>
910
911         Many stress tests fail with JIT disabled
912         https://bugs.webkit.org/show_bug.cgi?id=182730
913
914         Reviewed by Saam Barati.
915
916         These tests are broken by design if the JIT is disabled - they test
917         the return value of numberOfDFGCompiles(), which is always set to
918         1000000.0 in TestRunnerUtils.cpp and makes the tests fail.
919
920         * stress/arith-abs-on-various-types.js:
921         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
922         * stress/arith-acos-on-various-types.js:
923         * stress/arith-acosh-on-various-types.js:
924         * stress/arith-asin-on-various-types.js:
925         * stress/arith-asinh-on-various-types.js:
926         * stress/arith-atan-on-various-types.js:
927         * stress/arith-atanh-on-various-types.js:
928         * stress/arith-cbrt-on-various-types.js:
929         * stress/arith-ceil-on-various-types.js:
930         * stress/arith-clz32-on-various-types.js:
931         * stress/arith-cos-on-various-types.js:
932         * stress/arith-cosh-on-various-types.js:
933         * stress/arith-expm1-on-various-types.js:
934         * stress/arith-floor-on-various-types.js:
935         * stress/arith-fround-on-various-types.js:
936         * stress/arith-log-on-various-types.js:
937         * stress/arith-log10-on-various-types.js:
938         * stress/arith-log2-on-various-types.js:
939         * stress/arith-negate-on-various-types.js:
940         * stress/arith-round-on-various-types.js:
941         * stress/arith-sin-on-various-types.js:
942         * stress/arith-sinh-on-various-types.js:
943         * stress/arith-sqrt-on-various-types.js:
944         * stress/arith-tan-on-various-types.js:
945         * stress/arith-tanh-on-various-types.js:
946         * stress/arith-trunc-on-various-types.js:
947         * stress/compare-strict-eq-on-various-types.js:
948
949 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
950
951         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
952
953         Unreviewed test gardening.
954
955         * stress/new-largeish-contiguous-array-with-size.js:
956
957 2018-02-14  Saam Barati  <sbarati@apple.com>
958
959         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
960         https://bugs.webkit.org/show_bug.cgi?id=182801
961
962         Reviewed by Keith Miller.
963
964         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
965
966 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
967
968         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
969         https://bugs.webkit.org/show_bug.cgi?id=182526
970
971         Unreviewed test gardening.
972
973         * stress/activation-sink-default-value-tdz-error.js:
974
975 2018-02-13  Saam Barati  <sbarati@apple.com>
976
977         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
978         https://bugs.webkit.org/show_bug.cgi?id=182755
979         <rdar://problem/37080864>
980
981         Reviewed by Keith Miller.
982
983         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
984         (test1.o.get 10005):
985         (test1):
986         (test2.o.get 1000):
987         (test2):
988
989 2018-02-13  Caitlin Potter  <caitp@igalia.com>
990
991         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
992         https://bugs.webkit.org/show_bug.cgi?id=182717
993
994         Reviewed by Yusuke Suzuki.
995
996         https://github.com/tc39/ecma262/pull/890 imposes a change to template
997         literals, to allow template callsite arrays to be collected when the
998         code containing the tagged template call is collected. This spec change
999         has received consensus and been ratified.
1000
1001         This change eliminates the eternal map associating template contents
1002         with arrays.
1003
1004         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1005         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1006         * stress/tagged-templates-identity.js:
1007         * stress/template-string-tags-eval.js:
1008         * test262.yaml:
1009
1010 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1011
1012         Support GetArrayLength on ArrayStorage in the FTL
1013         https://bugs.webkit.org/show_bug.cgi?id=182625
1014
1015         Reviewed by Saam Barati.
1016
1017         * stress/array-storage-length.js: Added.
1018         (shouldBe):
1019         (testInBound):
1020         (testUncountable):
1021         (testSlowPutInBound):
1022         (testSlowPutUncountable):
1023         * stress/undecided-length.js: Added.
1024         (shouldBe):
1025         (test2):
1026
1027 2018-02-12  Saam Barati  <sbarati@apple.com>
1028
1029         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1030         https://bugs.webkit.org/show_bug.cgi?id=182706
1031         <rdar://problem/36833681>
1032
1033         Reviewed by Filip Pizlo.
1034
1035         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1036         (effects):
1037         (foo):
1038
1039 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1040
1041         Don't waste memory for error.stack
1042         https://bugs.webkit.org/show_bug.cgi?id=182656
1043
1044         Reviewed by Saam Barati.
1045         
1046         Tests the policy.
1047
1048         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1049         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1050
1051 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1052
1053         [JSC] Update Test262 to Feb 9 version
1054         https://bugs.webkit.org/show_bug.cgi?id=182468
1055
1056         Reviewed by Saam Barati.
1057
1058 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1059
1060         Unreviewed, fix invalid line terminator in old test262 file part 2
1061         https://bugs.webkit.org/show_bug.cgi?id=182468
1062
1063         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1064
1065 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1066
1067         Unreviewed, fix invalid line terminator in old test262 file
1068         https://bugs.webkit.org/show_bug.cgi?id=182468
1069
1070         * test262/test/language/literals/regexp/7.8.5-1.js:
1071
1072 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1073
1074         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1075         https://bugs.webkit.org/show_bug.cgi?id=182440
1076
1077         Reviewed by Darin Adler.
1078
1079         * stress/array-flatmap.js: Added.
1080         (shouldBe):
1081         (shouldBeArray):
1082         (shouldThrow):
1083         (var):
1084         * stress/array-flatten.js: Added.
1085         (shouldBe):
1086         (shouldBeArray):
1087         * test262.yaml:
1088         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1089         (3.flatMap):
1090         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1091
1092 2018-02-06  Keith Miller  <keith_miller@apple.com>
1093
1094         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1095         https://bugs.webkit.org/show_bug.cgi?id=182549
1096         <rdar://problem/36189995>
1097
1098         Reviewed by Saam Barati.
1099
1100         * stress/var-injection-cache-invalidation.js: Added.
1101         (allocateLotsOfThings):
1102         (test):
1103
1104 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1105
1106         Unreviewed, follow up for test262 update
1107         https://bugs.webkit.org/show_bug.cgi?id=182288
1108
1109         * test262.yaml:
1110
1111 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1112
1113         Update test262 to Jan 30 version
1114         https://bugs.webkit.org/show_bug.cgi?id=182288
1115
1116         Unreviewed test gardening.
1117
1118         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1119
1120 2018-02-02  Saam Barati  <sbarati@apple.com>
1121
1122         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1123         https://bugs.webkit.org/show_bug.cgi?id=182368
1124         <rdar://problem/36932466>
1125
1126         Reviewed by Mark Lam.
1127
1128         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1129         (runNearStackLimit.t):
1130         (runNearStackLimit):
1131         (try.runNearStackLimit):
1132         (catch):
1133
1134 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1135
1136         Update test262 to Jan 30 version
1137         https://bugs.webkit.org/show_bug.cgi?id=182288
1138
1139         Rubber stamped by Saam Barati.
1140
1141         This patch updates test262 to the latest one, Jan 30 version.
1142         Since added and changed files are too many, we cannot create ChangeLog.
1143         The following files are changed.
1144
1145         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1146         including some special line terminators (like u2028, u2029).
1147
1148         * test262.yaml:
1149         * test262/test262-Revision.txt:
1150         * test262/*:
1151
1152 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1153
1154         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1155         https://bugs.webkit.org/show_bug.cgi?id=182411
1156
1157         Reviewed by Carlos Alberto Lopez Perez.
1158
1159         This is skipped only on arm memory limited platforms. Until recently
1160         it was not a problem on MIPS as the butterfly was not initialized. But
1161         since r227435, the butterfly is initialized in that test and therefore
1162         memory is allocated, and the test typically takes around 512M, which
1163         means it generally gets OOM-killed on the MIPS buildbot.
1164
1165         * mozilla/mozilla-tests.yaml:
1166
1167 2018-02-01  Mark Lam  <mark.lam@apple.com>
1168
1169         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1170         https://bugs.webkit.org/show_bug.cgi?id=182419
1171         <rdar://problem/37044945>
1172
1173         Reviewed by Saam Barati.
1174
1175         * stress/regress-182419.js: Added.
1176
1177 2018-02-01  Keith Miller  <keith_miller@apple.com>
1178
1179         Fix crashes due to mishandling custom sections.
1180         https://bugs.webkit.org/show_bug.cgi?id=182404
1181         <rdar://problem/36935863>
1182
1183         Reviewed by Saam Barati.
1184
1185         * wasm/Builder.js:
1186         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1187         * wasm/js-api/validate.js:
1188         (assert.truthy):
1189
1190 2018-01-31  Saam Barati  <sbarati@apple.com>
1191
1192         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1193         https://bugs.webkit.org/show_bug.cgi?id=182074
1194         <rdar://problem/36846261>
1195
1196         Reviewed by Mark Lam.
1197
1198         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1199         (assert):
1200         (let.func):
1201         (let.o.foo):
1202         (varFunc):
1203
1204 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1205
1206         Unreviewed, update test262 expects
1207         https://bugs.webkit.org/show_bug.cgi?id=182232
1208
1209         * test262.yaml:
1210
1211 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1212
1213         [JSC] Implement trimStart and trimEnd
1214         https://bugs.webkit.org/show_bug.cgi?id=182233
1215
1216         Reviewed by Mark Lam.
1217
1218         * stress/trim.js: Added.
1219         (shouldBe):
1220         (startTest):
1221         (endTest):
1222         (trimTest):
1223
1224 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1225
1226         [JSC] Relax line terminators in String to make JSON subset of JS
1227         https://bugs.webkit.org/show_bug.cgi?id=182232
1228
1229         Reviewed by Keith Miller.
1230
1231         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1232         * stress/relaxed-line-terminators-in-string.js: Added.
1233         (shouldBe):
1234
1235 2018-01-29  Michael Saboff  <msaboff@apple.com>
1236
1237         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1238         https://bugs.webkit.org/show_bug.cgi?id=182249
1239
1240         Reviewed by Keith Miller.
1241
1242         New regression test.
1243
1244         * stress/compare-clobber-untypeduse.js: Added.
1245
1246 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1247
1248         Unreviewed, rolling out r227725.
1249
1250         This caused internal failures.
1251
1252         Reverted changeset:
1253
1254         "JSC Sampling Profiler: Detect tester and testee when sampling
1255         in RegExp JIT"
1256         https://bugs.webkit.org/show_bug.cgi?id=152729
1257         https://trac.webkit.org/changeset/227725
1258
1259 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1260
1261         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1262         https://bugs.webkit.org/show_bug.cgi?id=152729
1263
1264         Reviewed by Saam Barati.
1265
1266         * stress/sampling-profiler-regexp.js: Added.
1267         (platformSupportsSamplingProfiler.test):
1268         (platformSupportsSamplingProfiler.baz):
1269         (platformSupportsSamplingProfiler):
1270
1271 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1272
1273         [DFG][FTL] WeakMap#set should have DFG node
1274         https://bugs.webkit.org/show_bug.cgi?id=180015
1275
1276         Reviewed by Saam Barati.
1277
1278         * stress/weakmap-set-change-get.js: Added.
1279         (shouldBe):
1280         (test):
1281         * stress/weakmap-set-cse.js: Added.
1282         (shouldBe):
1283         (test):
1284         * stress/weakset-add-change-get.js: Added.
1285         (shouldBe):
1286         * stress/weakset-add-cse.js: Added.
1287         (shouldBe):
1288
1289 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1290
1291         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1292         https://bugs.webkit.org/show_bug.cgi?id=182213
1293
1294         Reviewed by Mark Lam.
1295
1296         * stress/int32-min-to-string.js: Added.
1297         (shouldBe):
1298         (test2):
1299         (test4):
1300         (test8):
1301         (test16):
1302         (test32):
1303         * stress/zero-to-string.js: Added.
1304         (shouldBe):
1305         (test2):
1306         (test4):
1307         (test8):
1308         (test16):
1309         (test32):
1310
1311 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1312
1313         Add more module scope related tests with code evaluation by string
1314         https://bugs.webkit.org/show_bug.cgi?id=181983
1315
1316         Reviewed by Sam Weinig.
1317
1318         Add more module scope related tests. When the original tests were landed,
1319         we did not have browser integration. This patch adds more module scope tests
1320         with dynamically created script evaluation. We add tests with Function
1321         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1322
1323         * modules/scopes-eval.js: Added.
1324         (shouldBe):
1325         * modules/scopes.js:
1326         (shouldBe):
1327
1328 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1329
1330         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1331
1332         * microbenchmarks/array-push-3.js: Removed.
1333         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1334         * microbenchmarks/double-to-int32.js: Removed.
1335         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1336         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1337         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1338         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1339         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1340         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1341         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1342         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1343         * microbenchmarks/map-constant-key.js: Removed.
1344         * microbenchmarks/nested-function-parsing.js: Removed.
1345         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1346         * microbenchmarks/spread-large-array.js: Removed.
1347         * microbenchmarks/string-add-constant-folding.js: Removed.
1348         * microbenchmarks/to-lower-case.js: Removed.
1349         * microbenchmarks/undefined-property-access.js: Removed.
1350         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1351         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1352         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1353         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1354         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1355         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1356         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1357         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1358         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1359         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1360         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1361         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1362         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1363         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1364         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1365         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1366         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1367         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1368
1369 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1370
1371         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1372         https://bugs.webkit.org/show_bug.cgi?id=181739
1373         <rdar://problem/36627662>
1374
1375         Reviewed by Saam Barati.
1376
1377         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1378         (foo):
1379         (bar):
1380
1381 2018-01-22  Michael Saboff  <msaboff@apple.com>
1382
1383         DFG abstract interpreter needs to properly model effects of some Math ops
1384         https://bugs.webkit.org/show_bug.cgi?id=181886
1385
1386         Reviewed by Saam Barati.
1387
1388         New regression test.
1389
1390         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1391         (test):
1392
1393 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1394
1395         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1396         https://bugs.webkit.org/show_bug.cgi?id=181182
1397
1398         Reviewed by Darin Adler.
1399
1400         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1401         * stress/big-int-prototype-to-string-exception.js: Added.
1402         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1403         * stress/number-prototype-to-string-cast-overflow.js: Added.
1404         * stress/number-prototype-to-string-exception.js: Added.
1405         * stress/number-prototype-to-string-wrong-values.js: Added.
1406
1407 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1408
1409         Disable Atomics when SharedArrayBuffer isn’t enabled
1410         https://bugs.webkit.org/show_bug.cgi?id=181572
1411
1412         Unreviewed test gardening.
1413
1414         * test262.yaml: Skip tests that fail after this change.
1415
1416 2018-01-19  Saam Barati  <sbarati@apple.com>
1417
1418         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1419         https://bugs.webkit.org/show_bug.cgi?id=181877
1420         <rdar://problem/36630552>
1421
1422         Reviewed by Mark Lam.
1423
1424         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1425         (runNearStackLimit):
1426         (f1):
1427         (f2):
1428         (f3):
1429         (i.catch):
1430         (i.try.runNearStackLimit):
1431         (catch):
1432
1433 2018-01-19  Saam Barati  <sbarati@apple.com>
1434
1435         Spread's effects are modeled incorrectly both in AI and in Clobberize
1436         https://bugs.webkit.org/show_bug.cgi?id=181867
1437         <rdar://problem/36290415>
1438
1439         Reviewed by Michael Saboff.
1440
1441         * stress/ai-needs-to-model-spreads-effects.js: Added.
1442         (try.p.Symbol.iterator):
1443         (try.go):
1444         (catch):
1445         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1446         (assert):
1447         (foo):
1448         (a.Symbol.iterator):
1449
1450 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1451
1452         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1453         https://bugs.webkit.org/show_bug.cgi?id=181535
1454
1455         * stress/inserted-recovery-with-set-last-index.js:
1456
1457 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1458
1459         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1460         https://bugs.webkit.org/show_bug.cgi?id=181535
1461
1462         Reviewed by Saam Barati.
1463
1464         * stress/inserted-recovery-with-set-last-index.js: Added.
1465         (shouldBe):
1466         (foo):
1467         * stress/materialize-regexp-at-osr-exit.js: Added.
1468         (shouldBe):
1469         (test):
1470         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1471         (shouldBe):
1472         (test):
1473         * stress/materialize-regexp-cyclic-regexp.js: Added.
1474         (shouldBe):
1475         (test):
1476         (i.switch):
1477         * stress/materialize-regexp-cyclic.js: Added.
1478         (shouldBe):
1479         (test):
1480         (i.switch):
1481         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1482         (bar):
1483         (foo):
1484         (test):
1485         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1486         (bar):
1487         (foo):
1488         (test):
1489         * stress/materialize-regexp.js: Added.
1490         (shouldBe):
1491         (test):
1492         * stress/phantom-regexp-regexp-exec.js: Added.
1493         (shouldBe):
1494         (test):
1495         * stress/phantom-regexp-string-match.js: Added.
1496         (shouldBe):
1497         (test):
1498         * stress/regexp-last-index-sinking.js: Added.
1499         (shouldBe):
1500         (test):
1501
1502 2018-01-17  Saam Barati  <sbarati@apple.com>
1503
1504         Disable Atomics when SharedArrayBuffer isn’t enabled
1505         https://bugs.webkit.org/show_bug.cgi?id=181572
1506         <rdar://problem/36553206>
1507
1508         Reviewed by Michael Saboff.
1509
1510         * stress/isLockFree.js:
1511
1512 2018-01-17  Saam Barati  <sbarati@apple.com>
1513
1514         DFG::Node::convertToConstant needs to clear the varargs flags
1515         https://bugs.webkit.org/show_bug.cgi?id=181697
1516         <rdar://problem/36497332>
1517
1518         Reviewed by Yusuke Suzuki.
1519
1520         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1521         (doIndexOf):
1522         (bar):
1523         (i.bar):
1524
1525 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1526
1527         Unreviewed, rolling out r226937.
1528
1529         Tests added with this change are failing due to a missing
1530         exception check.
1531
1532         Reverted changeset:
1533
1534         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1535         double to int32_t"
1536         https://bugs.webkit.org/show_bug.cgi?id=181182
1537         https://trac.webkit.org/changeset/226937
1538
1539 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1540
1541         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1542         https://bugs.webkit.org/show_bug.cgi?id=181182
1543
1544         Reviewed by Darin Adler.
1545
1546         * bigIntTests.yaml:
1547         * stress/big-int-constructor.js:
1548         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1549         (assert):
1550         (assertThrowRangeError):
1551         * stress/number-prototype-to-string-cast-overflow.js: Added.
1552         (assert):
1553         (assertThrowRangeError):
1554
1555 2018-01-12  Saam Barati  <sbarati@apple.com>
1556
1557         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1558         https://bugs.webkit.org/show_bug.cgi?id=181177
1559         <rdar://problem/36205704>
1560
1561         Reviewed by Yusuke Suzuki.
1562
1563         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1564         (runNearStackLimit.t):
1565         (runNearStackLimit):
1566         (test.f):
1567         (test):
1568
1569 2018-01-12  Saam Barati  <sbarati@apple.com>
1570
1571         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1572         https://bugs.webkit.org/show_bug.cgi?id=181562
1573         <rdar://problem/36445624>
1574
1575         Reviewed by Yusuke Suzuki.
1576
1577         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1578         (f):
1579         (foo):
1580
1581 2018-01-11  Saam Barati  <sbarati@apple.com>
1582
1583         When inserting Unreachable in byte code parser we need to flush all the right things
1584         https://bugs.webkit.org/show_bug.cgi?id=181509
1585         <rdar://problem/36423110>
1586
1587         Reviewed by Mark Lam.
1588
1589         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1590
1591 2018-01-11  Saam Barati  <sbarati@apple.com>
1592
1593         JITMathIC code in the FTL is wrong when code gets duplicated
1594         https://bugs.webkit.org/show_bug.cgi?id=181525
1595         <rdar://problem/36351993>
1596
1597         Reviewed by Michael Saboff and Keith Miller.
1598
1599         * stress/allow-math-ic-b3-code-duplication.js: Added.
1600
1601 2018-01-11  Saam Barati  <sbarati@apple.com>
1602
1603         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1604         https://bugs.webkit.org/show_bug.cgi?id=181508
1605
1606         Reviewed by Yusuke Suzuki.
1607
1608         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1609         (assert):
1610         (test1.foo):
1611         (test1):
1612         (test2.foo):
1613         (test2):
1614
1615 2018-01-09  Mark Lam  <mark.lam@apple.com>
1616
1617         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1618         https://bugs.webkit.org/show_bug.cgi?id=181388
1619         <rdar://problem/36349351>
1620
1621         Reviewed by Saam Barati.
1622
1623         * stress/regress-181388.js: Added.
1624
1625 2018-01-08  JF Bastien  <jfbastien@apple.com>
1626
1627         WebAssembly: mask indexed accesses to Table
1628         https://bugs.webkit.org/show_bug.cgi?id=181412
1629         <rdar://problem/36363236>
1630
1631         Reviewed by Saam Barati.
1632
1633         Update error messages.
1634
1635         * wasm/js-api/table.js:
1636         (assert.throws.WebAssembly.Table.prototype.grow):
1637
1638 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1639
1640         Disable SharedArrayBuffer tests missed in r226386.
1641         https://bugs.webkit.org/show_bug.cgi?id=181266
1642
1643         Unreviewed test gardening.
1644
1645         * test262.yaml:
1646
1647 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1648
1649         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1650         https://bugs.webkit.org/show_bug.cgi?id=181321
1651
1652         Reviewed by Saam Barati.
1653
1654         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1655         (shouldBe):
1656         (testFunction):
1657         * test262.yaml:
1658
1659 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1660
1661         Unreviewed, attempt to fix test262 after r226386.
1662
1663         * test262.yaml:
1664
1665 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1666
1667         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1668         https://bugs.webkit.org/show_bug.cgi?id=179911
1669
1670         Reviewed by Saam Barati.
1671
1672         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1673
1674         * stress/map-set-change-get.js: Added.
1675         (shouldBe):
1676         (test):
1677         * stress/map-set-create-bucket.js: Added.
1678         (shouldBe):
1679         (test):
1680         * stress/set-add-create-bucket.js: Added.
1681         (shouldBe):
1682
1683 2018-01-03  Michael Saboff  <msaboff@apple.com>
1684
1685         Disable SharedArrayBuffers from Web API
1686         https://bugs.webkit.org/show_bug.cgi?id=181266
1687
1688         Reviewed by Saam Barati.
1689
1690         Disabled SharedArrayBuffer tests.
1691
1692         * stress/SharedArrayBuffer-opt.js:
1693         * stress/SharedArrayBuffer.js:
1694         * stress/array-buffer-byte-length.js:
1695         * stress/atomics-add-uint32.js:
1696         * stress/atomics-known-int-use.js:
1697         * stress/atomics-neg-zero.js:
1698         * stress/atomics-store-return.js:
1699         * stress/lars-sab-workers.js:
1700         * stress/regress-159779-1.js:
1701         * stress/regress-159779-2.js:
1702         * stress/regress-170473.js:
1703         * test262.yaml:
1704
1705 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1706
1707         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1708         https://bugs.webkit.org/show_bug.cgi?id=181258
1709
1710         Reviewed by Antonio Gomes.
1711
1712         * stress/big-int-constructor-gc.js:
1713         * stress/big-int-constructor-oom.js:
1714
1715 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1716
1717         Inlining of a function that ends in op_unreachable crashes
1718         https://bugs.webkit.org/show_bug.cgi?id=181027
1719
1720         Reviewed by Filip Pizlo.
1721
1722         * stress/inlining-unreachable.js: Added.
1723         (bar):
1724         (baz):
1725         (i.catch):
1726
1727 2018-01-02  Saam Barati  <sbarati@apple.com>
1728
1729         Incorrect assertion inside AccessCase
1730         https://bugs.webkit.org/show_bug.cgi?id=181200
1731         <rdar://problem/35494754>
1732
1733         Reviewed by Yusuke Suzuki.
1734
1735         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1736         (ctor):
1737         (theFunc):
1738         (run):
1739
1740 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1741
1742         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1743         https://bugs.webkit.org/show_bug.cgi?id=175359
1744
1745         Reviewed by Yusuke Suzuki.
1746
1747         * bigIntTests.yaml:
1748         * stress/big-int-as-key.js: Added.
1749         * stress/big-int-constructor-gc.js: Added.
1750         * stress/big-int-constructor-oom.js: Added.
1751         * stress/big-int-constructor-properties.js: Added.
1752         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1753         * stress/big-int-constructor-prototype.js: Added.
1754         * stress/big-int-constructor.js: Added.
1755         * stress/big-int-function-apply.js:
1756         * stress/big-int-length.js: Added.
1757         * stress/big-int-prop-descriptor.js: Added.
1758         * stress/big-int-proto-constructor.js: Added.
1759         * stress/big-int-proto-name.js: Added.
1760         * stress/big-int-prototype-properties.js: Added.
1761         * stress/big-int-prototype-proto.js: Added.
1762         * stress/big-int-prototype-value-of.js: Added.
1763         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1764         * stress/big-int-prototype-to-string-apply.js: Added.
1765         * stress/big-int-to-object.js: Added.
1766         * stress/big-int-to-string.js: Added.
1767
1768 2017-12-28  Saam Barati  <sbarati@apple.com>
1769
1770         Assertion used to determine if something is an async generator is wrong
1771         https://bugs.webkit.org/show_bug.cgi?id=181168
1772         <rdar://problem/35640560>
1773
1774         Reviewed by Yusuke Suzuki.
1775
1776         * stress/async-generator-assertion.js: Added.
1777
1778 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1779
1780         Skip stress/splay-flash-access tests on memory limited platforms
1781         https://bugs.webkit.org/show_bug.cgi?id=181086
1782
1783         Reviewed by Carlos Alberto Lopez Perez.
1784
1785         These tests use about 185M of memory, and occasionally get OOM-killed
1786         on memory limited platforms.
1787
1788         * stress/splay-flash-access-1ms.js:
1789         * stress/splay-flash-access.js:
1790
1791 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1792
1793         Skip slow jsc tests on embedded platforms
1794         https://bugs.webkit.org/show_bug.cgi?id=180937
1795
1796         Reviewed by Carlos Alberto Lopez Perez.
1797
1798         The tests typeProfiler/deltablue-for-of.js and
1799         typeProfiler/getter-richards.js take a very long time in the
1800         ftl-no-cjit-type-profiler-force-poly-proto on embedded platforms, and
1801         thus always time out. They should be skipped on these platforms.
1802
1803         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1804         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1805
1806 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1807
1808         [JSC] Do not check isValid() in op_new_regexp
1809         https://bugs.webkit.org/show_bug.cgi?id=180970
1810
1811         Reviewed by Saam Barati.
1812
1813         * stress/regexp-syntax-error-invalid-flags.js: Added.
1814         (shouldThrow):
1815
1816 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1817
1818         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1819         https://bugs.webkit.org/show_bug.cgi?id=180712
1820
1821         Reviewed by Michael Catanzaro.
1822
1823         stress/call-apply-exponential-bytecode-size.js crashes if the
1824         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1825         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1826         should skip the test on other platforms.
1827
1828         * stress/call-apply-exponential-bytecode-size.js:
1829
1830 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1831
1832         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1833         https://bugs.webkit.org/show_bug.cgi?id=179762
1834
1835         Reviewed by Saam Barati.
1836
1837         * stress/call-varargs-double-new-array-buffer.js: Added.
1838         (assert):
1839         (bar):
1840         (foo):
1841         * stress/call-varargs-spread-new-array-buffer.js: Added.
1842         (assert):
1843         (bar):
1844         (foo):
1845         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1846         (assert):
1847         (bar):
1848         (foo):
1849         * stress/forward-varargs-double-new-array-buffer.js: Added.
1850         (assert):
1851         (test.baz):
1852         (test.bar):
1853         (test.foo):
1854         (test):
1855         * stress/new-array-buffer-sinking-osrexit.js: Added.
1856         (target):
1857         (test):
1858         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1859         (shouldBe):
1860         (test):
1861         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1862         (shouldBe):
1863         (target):
1864         (test):
1865         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1866         (assert):
1867         (test1.bar):
1868         (test1.foo):
1869         (test1):
1870         (test2.bar):
1871         (test2.foo):
1872         (test3.baz):
1873         (test3.bar):
1874         (test3.foo):
1875         (test4.baz):
1876         (test4.bar):
1877         (test4.foo):
1878         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1879         (assert):
1880         (test.baz):
1881         (test.bar):
1882         (test.foo):
1883         (test):
1884         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1885         (assert):
1886         (baz):
1887         (bar):
1888         (effects):
1889         (foo):
1890
1891 2017-12-14  Saam Barati  <sbarati@apple.com>
1892
1893         The CleanUp after LICM is erroneously removing a Check
1894         https://bugs.webkit.org/show_bug.cgi?id=180852
1895         <rdar://problem/36063494>
1896
1897         Reviewed by Filip Pizlo.
1898
1899         * stress/dont-run-cleanup-after-licm.js: Added.
1900
1901 2017-12-14  Michael Saboff  <msaboff@apple.com>
1902
1903         REGRESSION (r225695): Repro crash on yahoo login page
1904         https://bugs.webkit.org/show_bug.cgi?id=180761
1905
1906         Reviewed by JF Bastien.
1907
1908         New regression test.
1909
1910         * stress/regress-180761.js: Added.
1911
1912 2017-12-13  Keith Miller  <keith_miller@apple.com>
1913
1914         JSObjects should have a mask for loading indexed properties
1915         https://bugs.webkit.org/show_bug.cgi?id=180768
1916
1917         Reviewed by Mark Lam.
1918
1919         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1920         (test):
1921
1922 2017-12-13  Saam Barati  <sbarati@apple.com>
1923
1924         Arrow functions need their own structure because they have different properties than sloppy functions
1925         https://bugs.webkit.org/show_bug.cgi?id=180779
1926         <rdar://problem/35814591>
1927
1928         Reviewed by Mark Lam.
1929
1930         * stress/arrow-function-needs-its-own-structure.js: Added.
1931         (assert):
1932         (readPrototype):
1933         (noInline.let.f1):
1934         (noInline):
1935
1936 2017-12-13  Saam Barati  <sbarati@apple.com>
1937
1938         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1939         https://bugs.webkit.org/show_bug.cgi?id=163579
1940         <rdar://problem/35455798>
1941
1942         Reviewed by Mark Lam.
1943
1944         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1945         (assert):
1946         (test1):
1947         (i.test1):
1948         (i.test1.C):
1949         (i.test1.async.foo):
1950         (i.test1.foo):
1951         (test2):
1952
1953 2017-12-13  Saam Barati  <sbarati@apple.com>
1954
1955         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1956         https://bugs.webkit.org/show_bug.cgi?id=180734
1957         <rdar://problem/35640547>
1958
1959         Reviewed by Yusuke Suzuki.
1960
1961         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1962         (__isPropertyOfType):
1963         (__getProperties):
1964         (__getObjects):
1965         (__getRandomObject):
1966         (theClass.):
1967         (theClass):
1968         (childClass):
1969         (counter.catch):
1970
1971 2017-12-12  Saam Barati  <sbarati@apple.com>
1972
1973         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1974         https://bugs.webkit.org/show_bug.cgi?id=180725
1975         <rdar://problem/35970511>
1976
1977         Reviewed by Michael Saboff.
1978
1979         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1980         (f1):
1981         (f2):
1982         (let.o2.valueOf):
1983
1984 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1985
1986         [JSC] Implement optimized WeakMap and WeakSet
1987         https://bugs.webkit.org/show_bug.cgi?id=179929
1988
1989         Reviewed by Saam Barati.
1990
1991         * microbenchmarks/weak-map-key.js:
1992         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1993         (assert):
1994         (objectKey):
1995         (let.start.Date.now):
1996         * stress/basic-weakmap.js: Added.
1997         (shouldBe):
1998         (test):
1999         * stress/basic-weakset.js: Added.
2000         (shouldBe):
2001         (test.set new):
2002         * stress/weakmap-cse-set-break.js: Added.
2003         (shouldBe):
2004         (test):
2005         * stress/weakmap-cse.js: Added.
2006         (shouldBe):
2007         (test):
2008         * stress/weakmap-gc.js: Added.
2009         (test):
2010         * stress/weakset-cse-add-break.js: Added.
2011         (shouldBe):
2012         (test.set new):
2013         * stress/weakset-cse.js: Added.
2014         (shouldBe):
2015         (test.set new):
2016         * stress/weakset-gc.js: Added.
2017         (test.set add):
2018         (test.set new):
2019         (test):
2020
2021 2017-12-12  Saam Barati  <sbarati@apple.com>
2022
2023         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2024         https://bugs.webkit.org/show_bug.cgi?id=180723
2025         <rdar://problem/35859726>
2026
2027         Reviewed by JF Bastien.
2028
2029         * stress/get-my-argument-by-val-constant-folding.js: Added.
2030         (test):
2031         (catch):
2032
2033 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2034
2035         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2036         https://bugs.webkit.org/show_bug.cgi?id=179000
2037
2038         Reviewed by Darin Adler and Yusuke Suzuki.
2039
2040         * bigIntTests.yaml: Added.
2041         * stress/big-int-literal-line-terminator.js: Added.
2042         * stress/big-int-literals.js: Added.
2043         * stress/big-int-operations-error.js: Added.
2044         * stress/big-int-type-of.js: Added.
2045         * stress/big-int-white-space-trailing-leading.js: Added.
2046         * stress/big-int-function-apply.js: Added.
2047
2048 2017-12-11  Saam Barati  <sbarati@apple.com>
2049
2050         We need to disableCaching() in ErrorInstance when we materialize properties
2051         https://bugs.webkit.org/show_bug.cgi?id=180343
2052         <rdar://problem/35833002>
2053
2054         Reviewed by Mark Lam.
2055
2056         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2057         (assert):
2058         (makeError):
2059         (storeToStack):
2060         (storeToStackAlreadyMaterialized):
2061
2062 2017-12-05  JF Bastien  <jfbastien@apple.com>
2063
2064         WebAssembly: don't eagerly checksum
2065         https://bugs.webkit.org/show_bug.cgi?id=180441
2066         <rdar://problem/35156628>
2067
2068         Reviewed by Saam Barati.
2069
2070         Checksum is now disabled, so tests only have <?> as the module
2071         name.
2072
2073         * wasm/function-tests/nameSection.js:
2074         * wasm/function-tests/stack-overflow.js:
2075         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2076         (assertOverflows.assertThrows):
2077         (assertOverflows):
2078         * wasm/function-tests/stack-trace.js:
2079
2080 2017-12-04  JF Bastien  <jfbastien@apple.com>
2081
2082         Proxy all functions, except the $ objects
2083         https://bugs.webkit.org/show_bug.cgi?id=180375
2084
2085         Reviewed by Saam Barati.
2086
2087         It looks like this test may have broken some executions because I
2088         call some internal objects. Explicitly ignore objects whose name
2089         starts with "$" because it's a bad idea anyways.
2090
2091         * stress/proxy-all-the-parameters.js:
2092         (generateObjects):
2093         (get throw):
2094
2095 2017-12-04  Saam Barati  <sbarati@apple.com>
2096
2097         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2098         https://bugs.webkit.org/show_bug.cgi?id=180366
2099         <rdar://problem/35685877>
2100
2101         Reviewed by Michael Saboff.
2102
2103         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2104         (theParent):
2105         (test1.base.getParentStaticValue):
2106         (test1.base):
2107         (test1.__v_24888.prototype.set prop):
2108         (test1.__v_24888):
2109         (test2.base.getParentStaticValue):
2110         (test2.base):
2111         (test2.__v_24888.prototype.set prop):
2112         (test2.__v_24888):
2113         (test2):
2114
2115 2017-12-01  JF Bastien  <jfbastien@apple.com>
2116
2117         Try proxying all function arguments
2118         https://bugs.webkit.org/show_bug.cgi?id=180306
2119
2120         Reviewed by Saam Barati.
2121
2122         * stress/proxy-all-the-parameters.js: Added.
2123         (isPropertyOfType):
2124         (getProperties):
2125         (generateObjects):
2126         (getObjects):
2127         (getFunctions):
2128         (get throw):
2129         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2130
2131 2017-12-01  JF Bastien  <jfbastien@apple.com>
2132
2133         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2134         https://bugs.webkit.org/show_bug.cgi?id=180297
2135         <rdar://problem/35745556>
2136
2137         Reviewed by Mark Lam.
2138
2139         * stress/math-exceptions.js: Added.
2140         (get try):
2141         (catch):
2142
2143 2017-12-01  JF Bastien  <jfbastien@apple.com>
2144
2145         JavaScriptCore: add test for weird class static getters
2146         https://bugs.webkit.org/show_bug.cgi?id=180281
2147         <rdar://problem/35592139>
2148
2149         Reviewed by Mark Lam.
2150
2151         I fixed a bug for it in r224927 and didn't add a test. Do so.
2152
2153         * stress/class-static-get-weird.js: Added.
2154         (c.prototype.get name):
2155         (c):
2156         (c.prototype.get arguments):
2157         (c.prototype.get caller):
2158         (c.prototype.get length):
2159
2160 2017-12-01  Saam Barati  <sbarati@apple.com>
2161
2162         Having a bad time needs to handle ArrayClass indexing type as well
2163         https://bugs.webkit.org/show_bug.cgi?id=180274
2164         <rdar://problem/35667869>
2165
2166         Reviewed by Keith Miller and Mark Lam.
2167
2168         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2169         (assert):
2170         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2171         (assert):
2172
2173 2017-12-01  JF Bastien  <jfbastien@apple.com>
2174
2175         WebAssembly: restore cached stack limit after out-call
2176         https://bugs.webkit.org/show_bug.cgi?id=179106
2177         <rdar://problem/35337525>
2178
2179         Reviewed by Saam Barati.
2180
2181         * wasm/function-tests/double-instance.js: Added.
2182         (const.imp.boom):
2183         (const.imp.get callAnother):
2184
2185 2017-11-30  JF Bastien  <jfbastien@apple.com>
2186
2187         WebAssembly: improve stack trace
2188         https://bugs.webkit.org/show_bug.cgi?id=179343
2189
2190         Reviewed by Saam Barati.
2191
2192         Update the tests to follow the new format. Notably, SHA1 module
2193         hash is now included in traces, and stubs are properly identified.
2194
2195         * wasm/assert.js: Add an assertion which matches regular expressions.
2196         * wasm/function-tests/nameSection.js:
2197         * wasm/function-tests/stack-overflow.js:
2198         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2199         (assertOverflows.assertThrows.wasm.1):
2200         (assertOverflows.assertThrows.wasm.0):
2201         (assertOverflows.assertThrows):
2202         (assertOverflows):
2203         * wasm/function-tests/stack-trace.js:
2204         (import.Builder.from.string_appeared_here.assert): Deleted.
2205         * wasm/function-tests/trap-after-cross-instance-call.js:
2206         (wasmFrameCountFromError):
2207         * wasm/function-tests/trap-load-2.js:
2208         (wasmFrameCountFromError):
2209         * wasm/function-tests/trap-load.js:
2210         (wasmFrameCountFromError):
2211
2212 2017-11-30  Mark Lam  <mark.lam@apple.com>
2213
2214         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2215         https://bugs.webkit.org/show_bug.cgi?id=180219
2216         <rdar://problem/35696536>
2217
2218         Reviewed by Filip Pizlo.
2219
2220         * stress/regress-180219.js: Added.
2221
2222 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2223
2224         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2225         https://bugs.webkit.org/show_bug.cgi?id=180190
2226
2227         Reviewed by Mark Lam.
2228
2229         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2230         (shouldBe):
2231         (test1):
2232         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2233         (shouldBe):
2234         (test1):
2235         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2236         (shouldBe):
2237         (test1):
2238         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2239         (shouldBe):
2240         (test1):
2241         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2242         (shouldBe):
2243         (test1):
2244         * stress/operation-in-may-have-negative-int32.js: Added.
2245         (shouldBe):
2246         (test2):
2247         * stress/operation-in-negative-int32-cast.js: Added.
2248         (shouldBe):
2249         (test1):
2250
2251 2017-11-28  JF Bastien  <jfbastien@apple.com>
2252
2253         Strict and sloppy functions shouldn't share structure
2254         https://bugs.webkit.org/show_bug.cgi?id=180103
2255         <rdar://problem/35667847>
2256
2257         Reviewed by Saam Barati.
2258
2259         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2260         because the IC was wrong.
2261         (foo):
2262         (bar):
2263         (baz):
2264         (catch):
2265         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2266         in this patch, but may as well test odd strict mode corner cases.
2267         (bar):
2268         (baz):
2269         (catch):
2270         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2271         (foo):
2272         (bar):
2273         (baz):
2274         (catch):
2275         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2276         next file, but with invalidation of the FunctionExecutable's
2277         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2278         slower path.
2279         (foo):
2280         (bar.const.x):
2281         (bar.const.y):
2282         (bar):
2283         (catch):
2284         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2285         strict nesting works correctly.
2286         (foo):
2287         (bar.baz):
2288         (bar):
2289         * stress/strict-function-structure.js: Added. The test used to
2290         assert in objectProtoFuncHasOwnProperty.
2291         (foo):
2292         (bar):
2293         (baz):
2294         * stress/strict-nested-function-structure.js: Added. Nesting.
2295         (foo):
2296         (bar):
2297         (baz.boo):
2298         (baz):
2299
2300 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2301
2302         The recursive tail call optimisation is wrong on closures
2303         https://bugs.webkit.org/show_bug.cgi?id=179835
2304
2305         Reviewed by Saam Barati.
2306
2307         * stress/closure-recursive-tail-call.js: Added.
2308         (makeClosure):
2309
2310 2017-11-27  JF Bastien  <jfbastien@apple.com>
2311
2312         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2313         https://bugs.webkit.org/show_bug.cgi?id=180051
2314         <rdar://problem/35614371>
2315
2316         Reviewed by Saam Barati.
2317
2318         * stress/rest-parameter-negative.js: Added.
2319         (__f_5484):
2320         (catch):
2321         (__f_5485):
2322         (__v_22598.catch):
2323
2324 2017-11-27  Saam Barati  <sbarati@apple.com>
2325
2326         Spread can escape when CreateRest does not
2327         https://bugs.webkit.org/show_bug.cgi?id=180057
2328         <rdar://problem/35676119>
2329
2330         Reviewed by JF Bastien.
2331
2332         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2333         (assert):
2334         (getProperties):
2335         (theFunc):
2336         (let.obj.valueOf):
2337
2338 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2339
2340         [DFG] Add NormalizeMapKey DFG IR
2341         https://bugs.webkit.org/show_bug.cgi?id=179912
2342
2343         Reviewed by Saam Barati.
2344
2345         * stress/map-untyped-normalize-cse.js: Added.
2346         (shouldBe):
2347         (test):
2348         * stress/map-untyped-normalize.js: Added.
2349         (shouldBe):
2350         (test):
2351         * stress/set-untyped-normalize-cse.js: Added.
2352         (shouldBe):
2353         (set return.set has.set has):
2354         * stress/set-untyped-normalize.js: Added.
2355         (shouldBe):
2356         (set return.set has):
2357
2358 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2359
2360         [FTL] Support DeleteById and DeleteByVal
2361         https://bugs.webkit.org/show_bug.cgi?id=180022
2362
2363         Reviewed by Saam Barati.
2364
2365         * stress/delete-by-id.js: Added.
2366         (shouldBe):
2367         (test1):
2368         (test2):
2369         * stress/delete-by-val-ftl.js: Added.
2370         (shouldBe):
2371         (test1):
2372         (test2):
2373
2374 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2375
2376         [DFG] Introduce {Set,Map,WeakMap}Fields
2377         https://bugs.webkit.org/show_bug.cgi?id=179925
2378
2379         Reviewed by Saam Barati.
2380
2381         * stress/map-set-clobber-map-get.js: Added.
2382         (shouldBe):
2383         (test):
2384         * stress/map-set-does-not-clobber-set-has.js: Added.
2385         (shouldBe):
2386         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2387         (shouldBe):
2388         (test):
2389         * stress/set-add-clobber-set-has.js: Added.
2390         (shouldBe):
2391         * stress/set-add-does-not-clobber-map-get.js: Added.
2392         (shouldBe):
2393
2394 2017-11-24  Mark Lam  <mark.lam@apple.com>
2395
2396         Move unsafe jsc shell test functions to the $vm object.
2397         https://bugs.webkit.org/show_bug.cgi?id=179980
2398
2399         Reviewed by Yusuke Suzuki.
2400
2401         * controlFlowProfiler/driver/driver.js:
2402         * controlFlowProfiler/execution-count.js:
2403         * controlFlowProfiler/if-statement.js:
2404         * controlFlowProfiler/loop-statements.js:
2405         * controlFlowProfiler/switch-statements.js:
2406         * controlFlowProfiler/test-jit.js:
2407         * exceptionFuzz/3d-cube.js:
2408         * exceptionFuzz/date-format-xparb.js:
2409         * exceptionFuzz/earley-boyer.js:
2410         * heapProfiler/basic-edges.js:
2411         * heapProfiler/property-edge-types.js:
2412         * microbenchmarks/try-get-by-id-basic.js:
2413         * microbenchmarks/try-get-by-id-polymorphic.js:
2414         * modules/namespace-object-try-get.js:
2415         * stress/argument-count-bytecode.js:
2416         * stress/argument-intrinsic-basic.js:
2417         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2418         * stress/argument-intrinsic-inlining-with-result-escape.js:
2419         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2420         * stress/argument-intrinsic-inlining-with-vararg.js:
2421         * stress/argument-intrinsic-nested-inlining.js:
2422         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2423         * stress/argument-intrinsic-with-stack-write.js:
2424         * stress/arity-mismatch-get-argument.js:
2425         * stress/array-message-passing.js:
2426         * stress/array-push-with-force-exit.js:
2427         * stress/check-dom-with-signature.js:
2428         * stress/check-sub-class.js:
2429         * stress/compare-eq-incomplete-profile.js:
2430         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2431         * stress/do-eval-virtual-call-correctly.js:
2432         * stress/dom-jit-with-poly-proto.js:
2433         * stress/domjit-exception-ic.js:
2434         * stress/domjit-exception.js:
2435         * stress/domjit-getter-complex-with-incorrect-object.js:
2436         * stress/domjit-getter-complex.js:
2437         * stress/domjit-getter-poly.js:
2438         * stress/domjit-getter-proto.js:
2439         * stress/domjit-getter-super-poly.js:
2440         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2441         * stress/domjit-getter-type-check.js:
2442         * stress/domjit-getter.js:
2443         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2444         * stress/for-in-proxy-target-changed-structure.js:
2445         * stress/for-in-proxy.js:
2446         * stress/generational-opaque-roots.js:
2447         * stress/global-const-redeclaration-setting-2.js:
2448         * stress/global-const-redeclaration-setting-3.js:
2449         * stress/global-const-redeclaration-setting-4.js:
2450         * stress/global-const-redeclaration-setting-5.js:
2451         * stress/global-const-redeclaration-setting.js:
2452         * stress/import-basic.js:
2453         * stress/import-from-eval.js:
2454         * stress/import-reject-with-exception.js:
2455         * stress/import-syntax.js:
2456         * stress/impure-get-own-property-slot-inline-cache.js:
2457         * stress/is-constructor.js:
2458         * stress/istypedarrayview-intrinsic.js:
2459         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2460         * stress/jsc-test-functions-should-be-more-robust.js:
2461         * stress/object-toString-with-proxy.js:
2462         * stress/poly-proto-custom-value-and-accessor.js:
2463         * stress/proxy-inline-cache.js:
2464         * stress/re-execute-error-module.js:
2465         * stress/regress-150532.js:
2466         * stress/regress-156992.js:
2467         * stress/regress-179619.js:
2468         * stress/resources/shadow-chicken-support.js:
2469         * stress/runtime-array.js:
2470         * stress/sampling-profiler-microtasks.js:
2471         * stress/shadow-chicken-enabled.js:
2472         * stress/spread-correct-global-object-on-exception.js:
2473         * stress/super-get-by-id.js:
2474         * stress/tailCallForwardArguments.js:
2475         * stress/to-object-intrinsic-boolean-edge.js:
2476         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2477         * stress/to-object-intrinsic-number-edge.js:
2478         * stress/to-object-intrinsic-object-edge.js:
2479         * stress/to-object-intrinsic-string-edge.js:
2480         * stress/to-object-intrinsic-symbol-edge.js:
2481         * stress/to-object-intrinsic.js:
2482         * stress/try-catch-custom-getter-as-get-by-id.js:
2483         * stress/try-get-by-id-poly-proto.js:
2484         * stress/try-get-by-id-should-spill-registers-dfg.js:
2485         * stress/try-get-by-id.js:
2486         * typeProfiler/arrow-functions.js:
2487         * typeProfiler/basic.js:
2488         * typeProfiler/captured.js:
2489         * typeProfiler/classes.js:
2490         * typeProfiler/dfg-jit-optimizations.js:
2491         * typeProfiler/dictionary-mode.js:
2492         * typeProfiler/es6-block-scoping.js:
2493         * typeProfiler/es6-classes.js:
2494         * typeProfiler/inheritance.js:
2495         * typeProfiler/int52-dfg.js:
2496         * typeProfiler/loop.js:
2497         * typeProfiler/optional-fields.js:
2498         * typeProfiler/overflow.js:
2499         * typeProfiler/return.js:
2500         * typeProfiler/symbol.js:
2501         * typeProfiler/weird-prototype-chain.js:
2502
2503 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2504
2505         [DFG][FTL] Support MapSet / SetAdd intrinsics
2506         https://bugs.webkit.org/show_bug.cgi?id=179858
2507
2508         Reviewed by Saam Barati.
2509
2510         * microbenchmarks/map-has-and-set.js: Added.
2511         (test):
2512         * stress/map-set-check-failure.js: Added.
2513         (shouldBe):
2514         (shouldThrow):
2515         (target):
2516         * stress/map-set-cse.js: Added.
2517         (shouldBe):
2518         (test):
2519         * stress/set-add-check-failure.js: Added.
2520         (shouldBe):
2521         (shouldThrow):
2522         (set shouldThrow):
2523         * stress/set-add-cse.js: Added.
2524         (shouldBe):
2525
2526 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2527
2528         [JSC] Allow poly proto for intrinsic getters
2529         https://bugs.webkit.org/show_bug.cgi?id=179550
2530
2531         Reviewed by Saam Barati.
2532
2533         This change is also tested by existing tests.
2534
2535             1. stress/intrinsic-getter-with-poly-proto.js
2536             2. stress/poly-proto-intrinsic-getter-correctness.js
2537
2538         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2539         (shouldBe):
2540         (makePolyProtoObject.foo.C):
2541         (makePolyProtoObject.foo):
2542         (makePolyProtoObject):
2543         (target):
2544         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2545         (shouldBe):
2546         (makePolyProtoObject.foo.C):
2547         (makePolyProtoObject.foo):
2548         (makePolyProtoObject):
2549         (target):
2550
2551 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2552
2553         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2554         https://bugs.webkit.org/show_bug.cgi?id=179744
2555
2556         Reviewed by Michael Catanzaro.
2557
2558         This test uses too much memory for our buildbots on these platforms
2559         and gets OOM-killed.
2560
2561         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2562         Skip if $memoryLimited and linux.
2563
2564 2017-11-17  JF Bastien  <jfbastien@apple.com>
2565
2566         WebAssembly JS API: throw when a promise can't be created
2567         https://bugs.webkit.org/show_bug.cgi?id=179826
2568         <rdar://problem/35455813>
2569
2570         Reviewed by Mark Lam.
2571
2572         Test WebAssembly.{compile,instantiate} where promise creation
2573         fails because of a stack overflow.
2574
2575         * wasm/js-api/promise-stack-overflow.js: Added.
2576         (const.runNearStackLimit.f.const.t):
2577         (async.testCompile):
2578         (async.testInstantiate):
2579
2580 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2581
2582         Unreviewed, mark regress-178385.js as memory exhausting
2583
2584         * stress/regress-178385.js:
2585
2586 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2587
2588         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2589
2590         Unreviewed test gardening.
2591
2592         * test262.yaml:
2593
2594 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2595
2596         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2597         https://bugs.webkit.org/show_bug.cgi?id=179763
2598         <rdar://problem/35550513>
2599
2600         Reviewed by Keith Miller.
2601
2602         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2603
2604         * stress/tdz-this-in-try-catch.js: Added.
2605         (__v_6388):
2606         (__v_6392):
2607
2608 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2609
2610         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2611         https://bugs.webkit.org/show_bug.cgi?id=179594
2612
2613         Reviewed by Saam Barati.
2614
2615         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2616         (shouldBe):
2617         (args):
2618         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2619         (shouldBe):
2620         (args):
2621
2622 2017-11-14  Saam Barati  <sbarati@apple.com>
2623
2624         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2625         https://bugs.webkit.org/show_bug.cgi?id=179639
2626         <rdar://problem/35513018>
2627
2628         Reviewed by JF Bastien.
2629
2630         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2631         (escape):
2632         (i.func):
2633
2634 2017-11-13  Mark Lam  <mark.lam@apple.com>
2635
2636         Add more overflow check book-keeping for MarkedArgumentBuffer.
2637         https://bugs.webkit.org/show_bug.cgi?id=179634
2638         <rdar://problem/35492517>
2639
2640         Reviewed by Saam Barati.
2641
2642         * stress/regress-179634.js: Added.
2643
2644 2017-11-13  Mark Lam  <mark.lam@apple.com>
2645
2646         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2647         https://bugs.webkit.org/show_bug.cgi?id=179619
2648         <rdar://problem/35492518>
2649
2650         Reviewed by Saam Barati.
2651
2652         * stress/regress-179619.js: Added.
2653
2654 2017-11-12  Mark Lam  <mark.lam@apple.com>
2655
2656         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2657         https://bugs.webkit.org/show_bug.cgi?id=179562
2658         <rdar://problem/35467022>
2659
2660         Reviewed by Saam Barati.
2661
2662         * regress-179562.js: Added.
2663
2664 2017-11-08  Saam Barati  <sbarati@apple.com>
2665
2666         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2667         https://bugs.webkit.org/show_bug.cgi?id=177792
2668
2669         Reviewed by Yusuke Suzuki.
2670
2671         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2672         (assert):
2673         (foo.Foo.prototype.ensureX):
2674         (foo.Foo):
2675         (foo):
2676         (access):
2677
2678 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2679
2680         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2681         https://bugs.webkit.org/show_bug.cgi?id=178592
2682
2683         Unreviewed test gardening.
2684
2685         * test262.yaml:
2686
2687 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2688
2689         Turn recursive tail calls into loops
2690         https://bugs.webkit.org/show_bug.cgi?id=176601
2691
2692         Reviewed by Saam Barati.
2693
2694         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2695
2696         Add some simple tests that compute factorial in several ways, and other trivial computations.
2697         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
2698         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2699         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2700         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2701
2702         * stress/inline-call-to-recursive-tail-call.js: Added.
2703         (factorial.aux):
2704         (factorial):
2705         (factorial2.aux2):
2706         (factorial2.id):
2707         (factorial2):
2708         (factorial3.aux3):
2709         (factorial3):
2710         (aux4):
2711         (factorial4):
2712         (foo):
2713         (auxBar):
2714         (bar):
2715         (test):
2716
2717 2017-11-07  Mark Lam  <mark.lam@apple.com>
2718
2719         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2720         https://bugs.webkit.org/show_bug.cgi?id=179355
2721         <rdar://problem/35263053>
2722
2723         Reviewed by Saam Barati.
2724
2725         * stress/regress-179355.js: Added.
2726
2727 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2728
2729         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2730         https://bugs.webkit.org/show_bug.cgi?id=144458
2731
2732         Reviewed by Saam Barati.
2733
2734         * microbenchmarks/dfg-internal-function-call.js: Added.
2735         (target):
2736         * microbenchmarks/dfg-internal-function-construct.js: Added.
2737         (target):
2738         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2739         (target):
2740         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2741         (target):
2742         * stress/dfg-internal-function-call.js: Added.
2743         (shouldBe):
2744         (target):
2745         * stress/dfg-internal-function-construct.js: Added.
2746         (shouldBe):
2747         (target):
2748         * stress/internal-function-call.js: Added.
2749         (shouldBe):
2750         * stress/internal-function-construct.js: Added.
2751         (shouldBe):
2752
2753 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2754
2755         [Win] Skip stress/regress-178385.js.
2756         https://bugs.webkit.org/show_bug.cgi?id=179298
2757
2758         Unreviewed test gardening.
2759
2760         * stress/regress-178385.js:
2761
2762 2017-11-03  Keith Miller  <keith_miller@apple.com>
2763
2764         Add test for ic with side effects
2765         https://bugs.webkit.org/show_bug.cgi?id=179268
2766
2767         Reviewed by Saam Barati.
2768
2769         * stress/put-inline-cache-side-effects.js: Added.
2770         (let.i.of.objs.keys):
2771         (f):
2772
2773 2017-11-03  Mark Lam  <mark.lam@apple.com>
2774
2775         CachedCall (and its clients) needs overflow checks.
2776         https://bugs.webkit.org/show_bug.cgi?id=179185
2777
2778         Reviewed by JF Bastien.
2779
2780         * stress/regress-179185.js: Added.
2781
2782 2017-11-02  Michael Saboff  <msaboff@apple.com>
2783
2784         DFG needs to handle code motion of code in for..in loop bodies
2785         https://bugs.webkit.org/show_bug.cgi?id=179212
2786
2787         Reviewed by Keith Miller.
2788
2789         New regression test.
2790
2791         * stress/for-in-side-effects.js: Added.
2792         (getPrototypeOf):
2793         (reset):
2794         (testWithoutFTL.f):
2795         (testWithoutFTL):
2796         (testWithFTL.f):
2797         (testWithFTL):
2798
2799 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2800
2801         AI does not correctly model the clobber case of ArithClz32
2802         https://bugs.webkit.org/show_bug.cgi?id=179188
2803
2804         Reviewed by Michael Saboff.
2805
2806         * stress/arith-clz32-effects.js: Added.
2807         (foo):
2808         (valueOf):
2809
2810 2017-11-01  Michael Saboff  <msaboff@apple.com>
2811
2812         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2813         https://bugs.webkit.org/show_bug.cgi?id=179140
2814
2815         Reviewed by Saam Barati.
2816
2817         New regression test.
2818
2819         * stress/regress-179140.js: Added.
2820         (testWithoutFTL):
2821         (testWithFTL):
2822
2823 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2824
2825         [JSC] Introduce @toObject
2826         https://bugs.webkit.org/show_bug.cgi?id=178726
2827
2828         Reviewed by Saam Barati.
2829
2830         * stress/array-copywithin.js:
2831         (shouldThrow):
2832         * stress/object-constructor-boolean-edge.js: Added.
2833         (shouldBe):
2834         (test):
2835         * stress/object-constructor-global.js: Added.
2836         (shouldBe):
2837         * stress/object-constructor-null-edge.js: Added.
2838         (shouldBe):
2839         (test):
2840         * stress/object-constructor-number-edge.js: Added.
2841         (shouldBe):
2842         (test):
2843         * stress/object-constructor-object-edge.js: Added.
2844         (shouldBe):
2845         (test):
2846         (i.arg):
2847         * stress/object-constructor-string-edge.js: Added.
2848         (shouldBe):
2849         (test):
2850         * stress/object-constructor-symbol-edge.js: Added.
2851         (shouldBe):
2852         (test):
2853         * stress/object-constructor-undefined-edge.js: Added.
2854         (shouldBe):
2855         (test):
2856         * stress/symbol-array-from.js: Added.
2857         (shouldBe):
2858         * stress/to-object-intrinsic-boolean-edge.js: Added.
2859         (shouldBe):
2860         (builtin.createBuiltin):
2861         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2862         (shouldThrow):
2863         * stress/to-object-intrinsic-number-edge.js: Added.
2864         (shouldBe):
2865         (builtin.createBuiltin):
2866         * stress/to-object-intrinsic-object-edge.js: Added.
2867         (shouldBe):
2868         (builtin.createBuiltin):
2869         (i.arg):
2870         * stress/to-object-intrinsic-string-edge.js: Added.
2871         (shouldBe):
2872         (builtin.createBuiltin):
2873         * stress/to-object-intrinsic-symbol-edge.js: Added.
2874         (shouldBe):
2875         (builtin.createBuiltin):
2876         * stress/to-object-intrinsic.js: Added.
2877         (shouldBe):
2878         (shouldThrow):
2879         (builtin.createBuiltin):
2880
2881 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2882
2883         [DFG][FTL] Introduce StringSlice
2884         https://bugs.webkit.org/show_bug.cgi?id=178934
2885
2886         Reviewed by Saam Barati.
2887
2888         * microbenchmarks/string-slice-empty.js: Added.
2889         (slice):
2890         * microbenchmarks/string-slice-one-char.js: Added.
2891         (slice):
2892         * microbenchmarks/string-slice.js: Added.
2893         (slice):
2894
2895 2017-10-26  Michael Saboff  <msaboff@apple.com>
2896
2897         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2898         https://bugs.webkit.org/show_bug.cgi?id=178890
2899
2900         Reviewed by Keith Miller.
2901
2902         New regression test.
2903
2904         * stress/regress-178890.js: Added.
2905
2906 2017-10-26  Mark Lam  <mark.lam@apple.com>
2907
2908         JSRopeString::RopeBuilder::append() should check for overflows.
2909         https://bugs.webkit.org/show_bug.cgi?id=178385
2910         <rdar://problem/35027468>
2911
2912         Reviewed by Saam Barati.
2913
2914         * stress/regress-178385.js: Added.
2915
2916 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2917
2918         Unreviewed, rolling out r223961.
2919
2920         The change that required this has been rolled out.
2921
2922         Reverted changeset:
2923
2924         "Mark test262.yaml/test262/test/language/statements/try/tco-
2925         catch.js as passing."
2926         https://bugs.webkit.org/show_bug.cgi?id=178592
2927         https://trac.webkit.org/changeset/223961
2928
2929 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2930
2931         Unreviewed, rolling out r223691 and r223729.
2932         https://bugs.webkit.org/show_bug.cgi?id=178834
2933
2934         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2935         by rniwa on #webkit).
2936
2937         Reverted changesets:
2938
2939         "Turn recursive tail calls into loops"
2940         https://bugs.webkit.org/show_bug.cgi?id=176601
2941         https://trac.webkit.org/changeset/223691
2942
2943         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2944         comparison is always false due to limited range of data type
2945         [-Wtype-limits]"
2946         https://bugs.webkit.org/show_bug.cgi?id=178543
2947         https://trac.webkit.org/changeset/223729
2948
2949 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2950
2951         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2952         https://bugs.webkit.org/show_bug.cgi?id=178592
2953
2954         Unreviewed test gardening.
2955
2956         * test262.yaml:
2957
2958 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2959
2960         [FTL] Support NewStringObject
2961         https://bugs.webkit.org/show_bug.cgi?id=178737
2962
2963         Reviewed by Saam Barati.
2964
2965         * stress/new-string-object.js: Added.
2966         (shouldBe):
2967         (test):
2968
2969 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2970
2971         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2972         https://bugs.webkit.org/show_bug.cgi?id=178308
2973
2974         Reviewed by Mark Lam.
2975
2976         * test262.yaml:
2977
2978 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2979
2980         [JSC] Use fastJoin in Array#toString
2981         https://bugs.webkit.org/show_bug.cgi?id=178062
2982
2983         Reviewed by Darin Adler.
2984
2985         * microbenchmarks/contiguous-array-to-string.js: Added.
2986         (target):
2987         * microbenchmarks/double-array-to-string.js: Added.
2988         (target):
2989         * microbenchmarks/int32-array-to-string.js: Added.
2990         (target):
2991
2992 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2993
2994         stress/check-string-ident.js is improperly skipped
2995         https://bugs.webkit.org/show_bug.cgi?id=178642
2996
2997         Reviewed by Saam Barati.
2998
2999         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3000         since it enforces the run-jsc-stress-tests script to still set up the
3001         test to run, despite the skip directive that's used before.
3002
3003 2017-10-20  Mark Lam  <mark.lam@apple.com>
3004
3005         Add a test case for r214334.
3006         https://bugs.webkit.org/show_bug.cgi?id=169941
3007         <rdar://problem/31221258>
3008
3009         Reviewed by JF Bastien.
3010
3011         * stress/regress-169941.js: Added.
3012
3013 2017-10-19  JF Bastien  <jfbastien@apple.com>
3014
3015         WebAssembly: no VM / JS version of everything but Instance
3016         https://bugs.webkit.org/show_bug.cgi?id=177473
3017
3018         Reviewed by Filip Pizlo, Saam Barati.
3019
3020         - Exceeding max on memory growth now returns a range error as per
3021         spec. This is a (very minor) breaking change: it used to throw OOM
3022         error. Update the corresponding test.
3023
3024         * wasm/js-api/memory-grow.js:
3025         (assertEq):
3026         * wasm/js-api/table.js:
3027         (assert.throws):
3028
3029 2017-10-19  Mark Lam  <mark.lam@apple.com>
3030
3031         Stringifier::appendStringifiedValue() is missing an exception check.
3032         https://bugs.webkit.org/show_bug.cgi?id=178386
3033         <rdar://problem/35027610>
3034
3035         Reviewed by Saam Barati.
3036
3037         * stress/regress-178386.js: Added.
3038
3039 2017-10-19  Michael Saboff  <msaboff@apple.com>
3040
3041         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3042         https://bugs.webkit.org/show_bug.cgi?id=178521
3043
3044         Reviewed by JF Bastien.
3045
3046         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3047         now passes with the current version (5.0) of the Emoji spec.
3048
3049 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3050
3051         Turn recursive tail calls into loops
3052         https://bugs.webkit.org/show_bug.cgi?id=176601
3053
3054         Reviewed by Saam Barati.
3055
3056         Add some simple tests that compute factorial in several ways, and other trivial computations.
3057         They all test the case where foo calls bar (in an inlineable way) that then does a tail call.
3058         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3059         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3060         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3061
3062         * stress/inline-call-to-recursive-tail-call.js: Added.
3063         (factorial.aux):
3064         (factorial):
3065         (factorial2.aux):
3066         (factorial2.id):
3067         (factorial2):
3068         (factorial3.aux):
3069         (factorial3):
3070         (aux):
3071         (factorial4):
3072         (test):
3073
3074 2017-10-18  Mark Lam  <mark.lam@apple.com>
3075
3076         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3077         https://bugs.webkit.org/show_bug.cgi?id=177600
3078         <rdar://problem/34710985>
3079
3080         Reviewed by Saam Barati.
3081
3082         * stress/regress-177600.js: Added.
3083
3084 2017-10-18  Mark Lam  <mark.lam@apple.com>
3085
3086         The compiler should always register a structure when it adds its transitionWatchPointSet.
3087         https://bugs.webkit.org/show_bug.cgi?id=178420
3088         <rdar://problem/34814024>
3089
3090         Reviewed by Saam Barati and Filip Pizlo.
3091
3092         * stress/regress-178420.js: Added.
3093         (new.Array.10000.map):
3094
3095 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3096
3097         [JSC] __proto__ getter should be fast
3098         https://bugs.webkit.org/show_bug.cgi?id=178067
3099
3100         Reviewed by Saam Barati.
3101
3102         * stress/dfg-object-proto-accessor.js: Added.
3103         (shouldBe):
3104         (shouldThrow):
3105         (target):
3106         * stress/dfg-object-proto-getter.js: Added.
3107         (shouldBe):
3108         (shouldThrow):
3109         (target):
3110         * stress/dfg-object-prototype-of.js: Added.
3111         (shouldBe):
3112         (shouldThrow):
3113         (target):
3114         * stress/dfg-reflect-get-prototype-of.js: Added.
3115         (shouldBe):
3116         (shouldThrow):
3117         (target):
3118         * stress/intrinsic-getter-with-poly-proto.js: Added.
3119         (shouldBe):
3120         (makePolyProtoObject.foo.C):
3121         (makePolyProtoObject.foo):
3122         (makePolyProtoObject):
3123         (target):
3124         * stress/object-get-prototype-of-filtered.js: Added.
3125         (shouldBe):
3126         (shouldThrow):
3127         (target):
3128         (i.Cocoa):
3129         * stress/object-get-prototype-of-mono-proto.js: Added.
3130         (shouldBe):
3131         (makePolyProtoObject.foo.C):
3132         (makePolyProtoObject.foo):
3133         (makePolyProtoObject):
3134         (target):
3135         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3136         (shouldBe):
3137         (makePolyProtoObject.foo.C):
3138         (makePolyProtoObject.foo):
3139         (makePolyProtoObject):
3140         (target):
3141         * stress/object-get-prototype-of-poly-proto.js: Added.
3142         (shouldBe):
3143         (makePolyProtoObject.foo.C):
3144         (makePolyProtoObject.foo):
3145         (makePolyProtoObject):
3146         (target):
3147         * stress/object-proto-getter-filtered.js: Added.
3148         (shouldBe):
3149         (shouldThrow):
3150         (target):
3151         (i.Cocoa):
3152         * stress/object-proto-getter-poly-mono-proto.js: Added.
3153         (shouldBe):
3154         (makePolyProtoObject.foo.C):
3155         (makePolyProtoObject.foo):
3156         (makePolyProtoObject):
3157         (target):
3158         * stress/object-proto-getter-poly-proto.js: Added.
3159         (shouldBe):
3160         (makePolyProtoObject.foo.C):
3161         (makePolyProtoObject.foo):
3162         (makePolyProtoObject):
3163         (target):
3164         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3165         * stress/string-proto.js: Added.
3166         (shouldBe):
3167         (target):
3168
3169 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3170
3171         Unreviewed, rolling out r223523.
3172
3173         A test for this change is failing on debug JSC bots.
3174
3175         Reverted changeset:
3176
3177         "[JSC] __proto__ getter should be fast"
3178         https://bugs.webkit.org/show_bug.cgi?id=178067
3179         https://trac.webkit.org/changeset/223523
3180
3181 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3182
3183         [JSC] __proto__ getter should be fast
3184         https://bugs.webkit.org/show_bug.cgi?id=178067
3185
3186         Reviewed by Saam Barati.
3187
3188         * stress/dfg-object-proto-accessor.js: Added.
3189         (shouldBe):
3190         (shouldThrow):
3191         (target):
3192         * stress/dfg-object-proto-getter.js: Added.
3193         (shouldBe):
3194         (shouldThrow):
3195         (target):
3196         * stress/dfg-object-prototype-of.js: Added.
3197         (shouldBe):
3198         (shouldThrow):
3199         (target):
3200         * stress/dfg-reflect-get-prototype-of.js: Added.
3201         (shouldBe):
3202         (shouldThrow):
3203         (target):
3204         * stress/object-get-prototype-of-filtered.js: Added.
3205         (shouldBe):
3206         (shouldThrow):
3207         (target):
3208         (i.Cocoa):
3209         * stress/object-get-prototype-of-mono-proto.js: Added.
3210         (shouldBe):
3211         (makePolyProtoObject.foo.C):
3212         (makePolyProtoObject.foo):
3213         (makePolyProtoObject):
3214         (target):
3215         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3216         (shouldBe):
3217         (makePolyProtoObject.foo.C):
3218         (makePolyProtoObject.foo):
3219         (makePolyProtoObject):
3220         (target):
3221         * stress/object-get-prototype-of-poly-proto.js: Added.
3222         (shouldBe):
3223         (makePolyProtoObject.foo.C):
3224         (makePolyProtoObject.foo):
3225         (makePolyProtoObject):
3226         (target):
3227         * stress/object-proto-getter-filtered.js: Added.
3228         (shouldBe):
3229         (shouldThrow):
3230         (target):
3231         (i.Cocoa):
3232         * stress/object-proto-getter-poly-mono-proto.js: Added.
3233         (shouldBe):
3234         (makePolyProtoObject.foo.C):
3235         (makePolyProtoObject.foo):
3236         (makePolyProtoObject):
3237         (target):
3238         * stress/object-proto-getter-poly-proto.js: Added.
3239         (shouldBe):
3240         (makePolyProtoObject.foo.C):
3241         (makePolyProtoObject.foo):
3242         (makePolyProtoObject):
3243         (target):
3244         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3245         * stress/string-proto.js: Added.
3246         (shouldBe):
3247         (target):
3248
3249 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3250
3251         Reland "Add Above/Below comparisons for UInt32 patterns"
3252         https://bugs.webkit.org/show_bug.cgi?id=177281
3253
3254         Reviewed by Saam Barati.
3255
3256         * stress/uint32-comparison-jump.js: Added.
3257         (shouldBe):
3258         (above):
3259         (aboveOrEqual):
3260         (below):
3261         (belowOrEqual):
3262         (notAbove):
3263         (notAboveOrEqual):
3264         (notBelow):
3265         (notBelowOrEqual):
3266         * stress/uint32-comparison.js: Added.
3267         (shouldBe):
3268         (above):
3269         (aboveOrEqual):
3270         (below):
3271         (belowOrEqual):
3272         (aboveTest):
3273         (aboveOrEqualTest):
3274         (belowTest):
3275         (belowOrEqualTest):
3276
3277 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3278
3279         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3280         https://bugs.webkit.org/show_bug.cgi?id=178210
3281
3282         Reviewed by Saam Barati.
3283
3284         * wasm/function-tests/trap-from-start-async.js:
3285         (async.StartTrapsAsync):
3286         * wasm/function-tests/trap-from-start.js:
3287         (StartTraps):
3288         * wasm/js-api/web-assembly-function.js:
3289         (assert.eq.Object.getPrototypeOf):
3290         * wasm/js-api/wrapper-function.js:
3291         (return.new.WebAssembly.Module):
3292         (assert.throws.makeInstance): Deleted.
3293         (assert.throws.Bar): Deleted.
3294         (assert.throws): Deleted.
3295
3296 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3297
3298         Enable gigacage on iOS
3299         https://bugs.webkit.org/show_bug.cgi?id=177586
3300
3301         Reviewed by JF Bastien.
3302         
3303         Add tests for when Gigacage gets runtime disabled.
3304
3305         * stress/disable-gigacage-arrays.js: Added.
3306         (foo):
3307         * stress/disable-gigacage-strings.js: Added.
3308         (foo):
3309         * stress/disable-gigacage-typed-arrays.js: Added.
3310         (foo):
3311
3312 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3313
3314         import.meta should not be assignable
3315         https://bugs.webkit.org/show_bug.cgi?id=178202
3316
3317         Reviewed by Saam Barati.
3318
3319         * modules/import-meta-assignment.js: Added.
3320         (shouldThrow):
3321         (SyntaxError.import.meta.can.shouldThrow):
3322
3323 2017-10-11  Saam Barati  <sbarati@apple.com>
3324
3325         Unreviewed. Actually skip certain type profiler tests in debug.
3326
3327         * typeProfiler.yaml:
3328         * typeProfiler/deltablue-for-of.js:
3329         * typeProfiler/getter-richards.js:
3330
3331 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3332
3333         Unreviewed, rolling out r223113 and r223121.
3334         https://bugs.webkit.org/show_bug.cgi?id=178182
3335
3336         Reintroduced 20% regression on Kraken (Requested by rniwa on
3337         #webkit).
3338
3339         Reverted changesets:
3340
3341         "Enable gigacage on iOS"
3342         https://bugs.webkit.org/show_bug.cgi?id=177586
3343         https://trac.webkit.org/changeset/223113
3344
3345         "Use one virtual allocation for all gigacages and their
3346         runways"
3347         https://bugs.webkit.org/show_bug.cgi?id=178050
3348         https://trac.webkit.org/changeset/223121
3349
3350 2017-10-11  Michael Saboff  <msaboff@apple.com>
3351
3352         Disable test262 named capture group tests with direct unicode names and with references before definitions
3353         https://bugs.webkit.org/show_bug.cgi?id=178177
3354
3355         Reviewed by Keith Miller.
3356
3357         Bugs to track fixing these tests are:
3358         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3359             "Add support in named capture group identifiers for direct surrogate pairs"
3360         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3361             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3362
3363         * test262.yaml:
3364
3365 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3366
3367         Object properties are undefined in super.call() but not in this.call()
3368         https://bugs.webkit.org/show_bug.cgi?id=177230
3369
3370         Reviewed by Saam Barati.
3371
3372         * stress/super-call-function-subclass.js: Added.
3373         (assert):
3374         (A.prototype.t):
3375         (A):
3376         * stress/super-dot-call-and-apply.js: Added.
3377         (assert):
3378         (A):
3379         (A.prototype.call):
3380         (A.prototype.apply):
3381         (B.prototype.testSuper):
3382         (B):
3383         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3384         (D.prototype.testSuper):
3385         (D):
3386
3387 2017-10-10  Saam Barati  <sbarati@apple.com>
3388
3389         The prototype cache should be aware of the Executable it generates a Structure for
3390         https://bugs.webkit.org/show_bug.cgi?id=177907
3391
3392         Reviewed by Filip Pizlo.
3393
3394         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3395         (assert):
3396         (foo.C):
3397         (foo):
3398         (bar.C):
3399         (bar):
3400         (access):
3401         (makeLongChain):
3402         (accessY):
3403
3404 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3405
3406         `async` should be able to be used as an imported binding name
3407         https://bugs.webkit.org/show_bug.cgi?id=176573
3408
3409         Reviewed by Saam Barati.
3410
3411         * modules/import-default-async.js: Added.
3412         * modules/import-named-async-as.js: Added.
3413         * modules/import-named-async.js: Added.
3414         * modules/import-named-async/target.js: Added.
3415         * modules/import-namespace-async.js: Added.
3416         * test262.yaml:
3417
3418 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3419
3420         Enable gigacage on iOS
3421         https://bugs.webkit.org/show_bug.cgi?id=177586
3422
3423         Reviewed by JF Bastien.
3424         
3425         Add tests for when Gigacage gets runtime disabled.
3426
3427         * stress/disable-gigacage-arrays.js: Added.
3428         (foo):
3429         * stress/disable-gigacage-strings.js: Added.
3430         (foo):
3431         * stress/disable-gigacage-typed-arrays.js: Added.
3432         (foo):
3433
3434 2017-10-09  Michael Saboff  <msaboff@apple.com>
3435
3436         Implement RegExp Unicode property escapes
3437         https://bugs.webkit.org/show_bug.cgi?id=172069
3438
3439         Reviewed by JF Bastien.
3440
3441         Enabled Unicode Property tests.
3442
3443         * test262.yaml:
3444
3445 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3446
3447         Unreviewed, rolling out r223015 and r223025.
3448         https://bugs.webkit.org/show_bug.cgi?id=178093
3449
3450         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3451         #webkit).
3452
3453         Reverted changesets:
3454
3455         "Enable gigacage on iOS"
3456         https://bugs.webkit.org/show_bug.cgi?id=177586
3457         http://trac.webkit.org/changeset/223015
3458
3459         "Unreviewed, disable Gigacage on ARM64 Linux"
3460         https://bugs.webkit.org/show_bug.cgi?id=177586
3461         http://trac.webkit.org/changeset/223025
3462
3463 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3464
3465         Update expectations for test262 tests that pass after r223043.
3466         https://bugs.webkit.org/show_bug.cgi?id=176685
3467
3468         Unreviewed test gardening.
3469
3470         * test262.yaml:
3471
3472 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3473
3474         Unreviewed, rolling out r223022.
3475
3476         This change introduced 18 test262 failures.
3477
3478         Reverted changeset:
3479
3480         "`async` should be able to be used as an imported binding
3481         name"
3482         https://bugs.webkit.org/show_bug.cgi?id=176573
3483         http://trac.webkit.org/changeset/223022
3484
3485 2017-10-09  Saam Barati  <sbarati@apple.com>
3486
3487         3 poly-proto JSC tests timing out on debug after r222827
3488         https://bugs.webkit.org/show_bug.cgi?id=177880
3489         <rdar://problem/34817122>
3490
3491         Unreviewed.
3492
3493         I'm skipping these type profiler tests on debug since they are long running.
3494
3495         * typeProfiler/deltablue-for-of.js:
3496         * typeProfiler/getter-richards.js:
3497
3498 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3499
3500         Safari 10 /11 problem with if (!await get(something)).
3501         https://bugs.webkit.org/show_bug.cgi?id=176685
3502
3503         Reviewed by Saam Barati.
3504
3505         * stress/async-await-basic.js:
3506         (awaitEpression.async):
3507         * stress/async-await-syntax.js:
3508         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3509         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3510
3511 2017-10-08  Saam Barati  <sbarati@apple.com>
3512
3513         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3514
3515         * typeProfiler/deltablue-for-of.js:
3516         * typeProfiler/getter-richards.js:
3517
3518 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3519
3520         `async` should be able to be used as an imported binding name
3521         https://bugs.webkit.org/show_bug.cgi?id=176573
3522
3523         Reviewed by Darin Adler.
3524
3525         * modules/import-default-async.js: Added.
3526         * modules/import-named-async-as.js: Added.
3527         * modules/import-named-async.js: Added.
3528         * modules/import-named-async/target.js: Added.
3529         * modules/import-namespace-async.js: Added.
3530
3531 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3532
3533         Enable gigacage on iOS
3534         https://bugs.webkit.org/show_bug.cgi?id=177586
3535
3536         Reviewed by JF Bastien.
3537         
3538         Add tests for when Gigacage gets runtime disabled.
3539
3540         * stress/disable-gigacage-arrays.js: Added.
3541         (foo):
3542         * stress/disable-gigacage-strings.js: Added.
3543         (foo):
3544         * stress/disable-gigacage-typed-arrays.js: Added.
3545         (foo):
3546
3547 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3548
3549         Unreviewed, rolling out r222791 and r222873.
3550         https://bugs.webkit.org/show_bug.cgi?id=178031
3551
3552         Caused crashes with workers/wasm LayoutTests (Requested by
3553         ryanhaddad on #webkit).
3554
3555         Reverted changesets:
3556
3557         "WebAssembly: no VM / JS version of everything but Instance"
3558         https://bugs.webkit.org/show_bug.cgi?id=177473
3559         http://trac.webkit.org/changeset/222791
3560
3561         "WebAssembly: address no VM / JS follow-ups"
3562         https://bugs.webkit.org/show_bug.cgi?id=177887
3563         http://trac.webkit.org/changeset/222873
3564
3565 2017-10-05  Saam Barati  <sbarati@apple.com>
3566
3567         Make sure all prototypes under poly proto get added into the VM's prototype map
3568         https://bugs.webkit.org/show_bug.cgi?id=177909
3569
3570         Reviewed by Keith Miller.
3571
3572         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3573         (assert):
3574         (foo.C):
3575         (foo):
3576         (set x):
3577
3578 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3579
3580         [JSC] Introduce import.meta
3581         https://bugs.webkit.org/show_bug.cgi?id=177703
3582
3583         Reviewed by Filip Pizlo.
3584
3585         * modules/import-meta-syntax.js: Added.
3586         (shouldThrow):
3587         (shouldNotThrow):
3588         * modules/import-meta.js: Added.
3589         * modules/import-meta/cocoa.js: Added.
3590         * modules/resources/assert.js:
3591         (export.shouldNotThrow):
3592         * stress/import-syntax.js:
3593
3594 2017-10-04  Saam Barati  <sbarati@apple.com>
3595
3596         Make pertinent AccessCases watch the poly proto watchpoint
3597         https://bugs.webkit.org/show_bug.cgi?id=177765
3598
3599         Reviewed by Keith Miller.
3600
3601         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3602         (assert):
3603         (foo.C):
3604         (foo):
3605         (validate):
3606         * stress/poly-proto-clear-stub.js: Added.
3607         (assert):
3608         (foo.C):
3609         (foo):
3610
3611 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3612
3613         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3614
3615         Unreviewed test gardening.
3616
3617         * test262.yaml:
3618
3619 2017-10-04  Saam Barati  <sbarati@apple.com>
3620
3621         3 poly-proto JSC tests timing out on debug after r222827
3622         https://bugs.webkit.org/show_bug.cgi?id=177880
3623
3624         Rubber stamped by Mark Lam.
3625
3626         * microbenchmarks/poly-proto-access.js:
3627         * typeProfiler/deltablue-for-of.js:
3628         * typeProfiler/getter-richards.js:
3629
3630 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3631
3632         Unreviewed, marking tco-catch.js as a failure after test262 update
3633         https://bugs.webkit.org/show_bug.cgi?id=177859
3634
3635         * test262.yaml:
3636
3637 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3638
3639         Unreviewed, marking one async iterator test262 test failed
3640         https://bugs.webkit.org/show_bug.cgi?id=177859
3641
3642         * test262.yaml:
3643
3644 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3645
3646         [Test262] Update Test262 to Oct 4 version
3647         https://bugs.webkit.org/show_bug.cgi?id=177859
3648
3649         Reviewed by Sam Weinig.
3650
3651         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3652         we no longer need to mark it skip/fail. Also this update includes a bunch of BigInt tests.
3653
3654         * test262.yaml:
3655         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3656         (checkSequence):
3657         * test262/harness/typeCoercion.js:
3658         (testCoercibleToIndexZero):
3659         (testCoercibleToIndexOne):
3660         (testCoercibleToIndexFromIndex):
3661         (testNotCoercibleToIndex.testPrimitiveValue):
3662         (testNotCoercibleToInteger):
3663         (testCoercibleToBigIntZero.testPrimitiveValue):
3664         (testCoercibleToBigIntZero):
3665         (testCoercibleToBigIntOne.testPrimitiveValue):
3666         (testCoercibleToBigIntOne):
3667         (testPrimitiveValue):
3668         (testCoercibleToBigIntFromBigInt):
3669         (testNotCoercibleToBigInt.testPrimitiveValue):
3670         (testNotCoercibleToBigInt.testStringValue):
3671         (testNotCoercibleToBigInt):
3672         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3673         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3674         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3675         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3676         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3677         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3678         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3679         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3680         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3681         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3682         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3683         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3684         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3685         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3686         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3687         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3688         (testCoercibleToBigIntZero):
3689         (testCoercibleToBigIntOne):
3690         (testNotCoercibleToBigInt):
3691         (MyError): Deleted.
3692         (valueOf): Deleted.
3693         (toString): Deleted.
3694         (Symbol.toPrimitive): Deleted.
3695         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3696         (testCoercibleToIndexZero):
3697         (testCoercibleToIndexOne):
3698         (testNotCoercibleToIndex):
3699         (MyError): Deleted.
3700         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3701         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3702         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3703         (BigInt.asIntN.valueOf): Deleted.
3704         (BigInt.asIntN.toString): Deleted.
3705         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3706         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3707         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3708         (testCoercibleToBigIntZero):
3709         (testCoercibleToBigIntOne):
3710         (testNotCoercibleToBigInt):
3711         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3712         (testCoercibleToIndexZero):
3713         (testCoercibleToIndexOne):
3714         (testNotCoercibleToIndex):
3715         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3716         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3717         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3718         (bits.valueOf):
3719         (bigint.valueOf):
3720         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3721         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3722         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3723         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3724         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3725         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3726         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3727         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3728         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3729         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3730         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3731         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3732         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3733         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3734         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3735         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3736         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3737         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3738         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3739         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3740         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3741         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3742         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3743         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3744         (replacer):
3745         (BigInt.prototype.toJSON):
3746         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3747         (replacer):
3748         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3749         (BigInt.prototype.toJSON):
3750         * test262/test/built-ins/JSON/stringify/bigint.js:
3751         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3752         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3753         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3754         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3755         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3756         * test262/test/built-ins/Object/proto-from-ctor.js:
3757         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3758         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3759         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3760         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3761         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3762         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3763         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3764         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3765         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3766         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3767         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3768         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3769         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3770         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3771         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3772         * test262/test/built-ins/Proxy/get-fn-realm.js:
3773         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3774         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3775         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3776         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3777         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3778         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3779         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3780         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3781         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3782         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3783         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3784         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3785         (i6.replace):
3786         (i6b.replace):
3787         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3788         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3789         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3790         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3791         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3792         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3793         * test262/test/built-ins/RegExp/u180e.js: Added.
3794         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3795         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3796         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3797         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3798         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3799         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3800         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3801         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3802         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3803         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3804         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3805         * test262/test/built-ins/String/prototype/endsWith/length.js:
3806         * test262/test/built-ins/String/prototype/endsWith/name.js:
3807         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3808         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3809         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3810         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3811         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3812         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3813         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3814         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3815         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3816         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3817         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3818         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3819         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3820         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3821         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3822         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3823         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3824         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3825         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3826         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3827         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3828         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3829         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3830         * test262/test/built-ins/String/prototype/includes/includes.js:
3831         * test262/test/built-ins/String/prototype/includes/length.js:
3832         * test262/test/built-ins/String/prototype/includes/name.js:
3833         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3834         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3835         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3836         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3837         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3838         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3839         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3840         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3841         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3842         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3843         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3844         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3845         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3846         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3847         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3848         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3849         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3850         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3851         * test262/test/built-ins/String/prototype/trim/u180e.js:
3852         * test262/test/built-ins/Symbol/for/cross-realm.js:
3853         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3854         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3855         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3856         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3857         * test262/test/built-ins/Symbol/match/cross-realm.js:
3858         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3859         * test262/test/built-ins/Symbol/search/cross-realm.js:
3860         * test262/test/built-ins/Symbol/species/cross-realm.js:
3861         * test262/test/built-ins/Symbol/split/cross-realm.js:
3862         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3863         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3864         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3865         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3866         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3867         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3868         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3869         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3870         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3871         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3872         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3873         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3874         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3875         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3876         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3877         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3878         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3879         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3880         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3881         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3882         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3883         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3884         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3885         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3886         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3887         * test262/test/language/eval-code/indirect/realm.js:
3888         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3889         (o.get z):
3890         (o.get a):
3891         * test262/test/language/expressions/call/eval-realm-indirect.js:
3892         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3893         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3894         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3895         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3896         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3897         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3898         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3899         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3900         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3901         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3902         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3903         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3904         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3905         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3906         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3907         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3908         * test262/test/language/expressions/less-than/bigint-and-number.js:
3909         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3910         * test262/test/language/expressions/super/realm.js:
3911         * test262/test/language/expressions/tagged-template/cache-realm.js:
3912         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3913         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3914         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3915         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3916         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3917         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3918         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3919         (o.get z):
3920         (o.get a):
3921         * test262/test/language/statements/for-of/iterator-next-reference.js:
3922         (next):
3923         (iterator.next): Deleted.
3924         (x.of.iterable.): Deleted.
3925         (x.of.iterable.get return): Deleted.
3926         (x.of.iterable.iterator.next): Deleted.
3927         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3928         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3929         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3930         * test262/test/language/white-space/mongolian-vowel-separator.js:
3931         * test262/test262-Revision.txt:
3932
3933 2017-10-03  Saam Barati  <sbarati@apple.com>
3934
3935         Implement polymorphic prototypes
3936         https://bugs.webkit.org/show_bug.cgi?id=176391
3937
3938         Reviewed by Filip Pizlo.
3939
3940         * microbenchmarks/poly-proto-access.js: Added.
3941         (assert):
3942         (foo.C):
3943         (foo.C.prototype.get bar):
3944         (foo):
3945         (bar):
3946         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3947         (assert):
3948         (makePolyProtoObject.foo.C):
3949         (makePolyProtoObject.foo):
3950         (makePolyProtoObject):
3951         (performSet):
3952         * microbenchmarks/poly-proto-setter-speed.js: Added.
3953         (assert):
3954         (makePolyProtoObject.foo.C):
3955         (makePolyProtoObject.foo.C.prototype.set p):
3956         (makePolyProtoObject.foo):
3957         (makePolyProtoObject):
3958         (performSet):
3959         * stress/constructor-with-return.js:
3960         (i.tests.forEach.Constructor):
3961         (i.tests.forEach):
3962         (tests.forEach.Constructor): Deleted.
3963         (tests.forEach): Deleted.
3964         * stress/dom-jit-with-poly-proto.js: Added.
3965         (assert):
3966         (makePolyProtoObject.foo.C):
3967         (makePolyProtoObject.foo):
3968         (makePolyProtoObject):
3969         (validate):
3970         * stress/poly-proto-custom-value-and-accessor.js: Added.
3971         (assert):
3972         (makePolyProtoObject.foo.C):
3973         (makePolyProtoObject.foo):
3974         (makePolyProtoObject):
3975         (items.forEach):
3976         (set get for):
3977         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3978         (assert):
3979         (makePolyProtoObject.foo.C):
3980         (makePolyProtoObject.foo):
3981         (makePolyProtoObject):
3982         (foo):
3983         * stress/poly-proto-miss.js: Added.
3984         (makePolyProtoInstanceWithNullPrototype.foo.C):
3985         (makePolyProtoInstanceWithNullPrototype.foo):
3986         (makePolyProtoInstanceWithNullPrototype):
3987         (assert):
3988         (validate):
3989         * stress/poly-proto-op-in-caching.js: Added.
3990         (assert):
3991         (makePolyProtoObject.foo.C):
3992         (makePolyProtoObject.foo):
3993         (makePolyProtoObject):
3994         (validate):
3995         (validate2):
3996         * stress/poly-proto-put-transition.js: Added.
3997         (assert):
3998         (makePolyProtoObject.foo.C):
3999         (makePolyProtoObject.foo):
4000         (makePolyProtoObject):
4001         (performSet):
4002         (i.obj.__proto__.set p):
4003         * stress/poly-proto-set-prototype.js: Added.
4004         (assert):
4005         (let.alternateProto.get x):
4006         (let.alternateProto2.get y):
4007         (let.alternateProto2.get x):
4008         (foo.C):
4009         (foo):
4010         (validate):
4011         * stress/poly-proto-setter.js: Added.
4012         (assert):
4013         (makePolyProtoObject.foo.C):
4014         (makePolyProtoObject.foo.C.prototype.set p):
4015         (makePolyProtoObject.foo.C.prototype.get p):
4016         (makePolyProtoObject.foo):
4017         (makePolyProtoObject):
4018         (performSet):
4019         * stress/poly-proto-using-inheritance.js: Added.
4020         (assert):
4021         (foo.C):
4022         (foo.C.prototype.get baz):
4023         (foo):
4024         (bar.C):
4025         (bar):
4026         (validate):
4027         * stress/primitive-poly-proto.js: Added.
4028         (makePolyProtoInstance.foo.C):
4029         (makePolyProtoInstance.foo):
4030         (makePolyProtoInstance):
4031         (assert):
4032         (validate):
4033         * stress/prototype-is-not-js-object.js: Added.
4034         (foo.bar):
4035         (foo):
4036         (assert):
4037         (validate):
4038         * stress/try-get-by-id-poly-proto.js: Added.
4039         (assert):
4040         (makePolyProtoObject.foo.C):
4041         (makePolyProtoObject.foo):
4042         (makePolyProtoObject):
4043         (tryGetByIdText):
4044         (x.__proto__.get bar):
4045         (validate):
4046         * typeProfiler/overflow.js:
4047
4048 2017-10-03  JF Bastien  <jfbastien@apple.com>
4049
4050         WebAssembly: no VM / JS version of everything but Instance
4051         https://bugs.webkit.org/show_bug.cgi?id=177473
4052
4053         Reviewed by Filip Pizlo.
4054
4055         - Exceeding max on memory growth now returns a range error as per
4056         spec. This is a (very minor) breaking change: it used to throw OOM
4057         error. Update the corresponding test.
4058
4059         * wasm/js-api/memory-grow.js:
4060         (assertEq):
4061         * wasm/js-api/table.js:
4062         (assert.throws):
4063
4064 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
4065
4066         Skip JSC test stress/regress-159779-2.js on debug.
4067         https://bugs.webkit.org/show_bug.cgi?id=177204
4068
4069         Unreviewed test gardening.
4070
4071         * stress/regress-159779-2.js:
4072
4073 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
4074
4075         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
4076         https://bugs.webkit.org/show_bug.cgi?id=175642
4077
4078         Reviewed by Darin Adler.
4079
4080         * ChakraCore/test/Function/apply3.baseline-jsc:
4081
4082 2017-10-01  Commit Queue  <commit-queue@webkit.org>
4083
4084         Unreviewed, rolling out r222564.
4085         https://bugs.webkit.org/show_bug.cgi?id=177720
4086
4087         "It regressed JetStream by 2% on iOS caused by a 50%
4088         regression on the bigfib subtest" (Requested by saamyjoon on
4089         #webkit).
4090
4091         Reverted changeset:
4092
4093         "Add Above/Below comparisons for UInt32 patterns"
4094         https://bugs.webkit.org/show_bug.cgi?id=177281
4095         http://trac.webkit.org/changeset/222564
4096
4097 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4098
4099         [DFG] Support ArrayPush with multiple args
4100         https://bugs.webkit.org/show_bug.cgi?id=175823
4101
4102         Reviewed by Saam Barati.
4103
4104         * microbenchmarks/array-push-0.js: Added.
4105         (arrayPush0):
4106         * microbenchmarks/array-push-1.js: Added.
4107         (arrayPush1):
4108         * microbenchmarks/array-push-2.js: Added.
4109         (arrayPush2):
4110         * microbenchmarks/array-push-3.js: Added.
4111         (arrayPush3):
4112         * stress/array-push-multiple-contiguous.js: Added.
4113         (shouldBe):
4114         (test):
4115         * stress/array-push-multiple-double-nan.js: Added.
4116         (shouldBe):
4117         (test):
4118         * stress/array-push-multiple-double.js: Added.
4119         (shouldBe):
4120         (test):
4121         * stress/array-push-multiple-int32.js: Added.
4122         (shouldBe):
4123         (test):
4124         * stress/array-push-multiple-many-contiguous.js: Added.
4125         (shouldBe):
4126         (test):
4127         * stress/array-push-multiple-many-double.js: Added.
4128         (shouldBe):
4129         (test):
4130         * stress/array-push-multiple-many-int32.js: Added.
4131         (shouldBe):
4132         (test):
4133         * stress/array-push-multiple-many-storage.js: Added.
4134         (shouldBe):
4135         (test):
4136         * stress/array-push-multiple-storage.js: Added.
4137         (shouldBe):
4138         (test):
4139         * stress/array-push-with-force-exit.js: Added.
4140         (target.createBuiltin):
4141
4142 2017-09-29  Saam Barati  <sbarati@apple.com>
4143
4144         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4145         https://bugs.webkit.org/show_bug.cgi?id=177639
4146
4147         Reviewed by Geoffrey Garen.
4148
4149         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
4150         (assert):
4151         (Class):
4152         (items.forEach):
4153         (set get for):
4154
4155 2017-09-29  Commit Queue  <commit-queue@webkit.org>
4156
4157         Unreviewed, rolling out r222563, r222565, and r222581.
4158         https://bugs.webkit.org/show_bug.cgi?id=177675
4159
4160         "It causes a crash when playing youtube videos" (Requested by
4161         saamyjoon on #webkit).
4162
4163         Reverted changesets:
4164
4165         "[DFG] Support ArrayPush with multiple args"
4166         https://bugs.webkit.org/show_bug.cgi?id=175823
4167         http://trac.webkit.org/changeset/222563
4168
4169         "Unreviewed, build fix after r222563"
4170         https://bugs.webkit.org/show_bug.cgi?id=175823
4171         http://trac.webkit.org/changeset/222565
4172
4173         "Unreviewed, fix x86 breaking due to exhausted registers"
4174         https://bugs.webkit.org/show_bug.cgi?id=175823
4175         http://trac.webkit.org/changeset/222581
4176
4177 2017-09-28  Mark Lam  <mark.lam@apple.com>
4178
4179         test262: Unexpected passes after r222617 and r222618.
4180         https://bugs.webkit.org/show_bug.cgi?id=177622
4181         <rdar://problem/34725960>
4182
4183         Reviewed by Saam Barati.
4184
4185         Update test262.yaml for tests that are now passing.
4186
4187         * test262.yaml:
4188
4189 2017-09-27  Michael Saboff  <msaboff@apple.com>
4190
4191         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
4192         https://bugs.webkit.org/show_bug.cgi?id=177570
4193
4194         Reviewed by Filip Pizlo.
4195
4196         New regression test.
4197
4198         * stress/regress-177570.js: Added.
4199
4200 2017-09-28  Michael Saboff  <msaboff@apple.com>
4201
4202         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4203         https://bugs.webkit.org/show_bug.cgi?id=177423
4204
4205         Reviewed by Mark Lam.
4206
4207         Updated regression test.
4208
4209         * stress/regress-177423.js:
4210         (catch):
4211
4212 2017-09-27  Mark Lam  <mark.lam@apple.com>
4213
4214         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
4215         https://bugs.webkit.org/show_bug.cgi?id=177584
4216         <rdar://problem/34463903>
4217
4218         Reviewed by Saam Barati.
4219
4220         * stress/regress-177584.js: Added.
4221         (assertEqual):
4222         (Array.prototype.Symbol.species):
4223
4224 2017-09-27  Saam Barati  <sbarati@apple.com>
4225
4226         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
4227         https://bugs.webkit.org/show_bug.cgi?id=177523
4228
4229         Reviewed by Mark Lam.
4230
4231         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
4232         (assert):
4233         (Test):
4234         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
4235         (addMethods):
4236         (i.Test.prototype.propName):
4237
4238 2017-09-27  Mark Lam  <mark.lam@apple.com>
4239
4240         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4241         https://bugs.webkit.org/show_bug.cgi?id=177423
4242         <rdar://problem/34621320>
4243
4244         Reviewed by Keith Miller.
4245
4246         * stress/regress-177423.js: Added.
4247
4248 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
4249
4250         Add Above/Below comparisons for UInt32 patterns
4251         https://bugs.webkit.org/show_bug.cgi?id=177281
4252
4253         Reviewed by Saam Barati.
4254
4255         * stress/uint32-comparison-jump.js: Added.
4256         (shouldBe):
4257         (above):
4258         (aboveOrEqual):
4259         (below):
4260         (belowOrEqual):
4261         (notAbove):
4262         (notAboveOrEqual):
4263         (notBelow):
4264         (notBelowOrEqual):
4265         * stress/uint32-comparison.js: Added.
4266         (shouldBe):
4267         (above):
4268         (aboveOrEqual):
4269         (below):
4270         (belowOrEqual):
4271         (aboveTest):
4272         (aboveOrEqualTest):
4273         (belowTest):
4274         (belowOrEqualTest):
4275
4276 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
4277
4278         [DFG] Support ArrayPush with multiple args
4279         https://bugs.webkit.org/show_bug.cgi?id=175823
4280
4281         Reviewed by Saam Barati.
4282
4283         * microbenchmarks/array-push-0.js: Added.
4284         (arrayPush0):
4285         * microbenchmarks/array-push-1.js: Added.
4286         (arrayPush1):
4287         * microbenchmarks/array-push-2.js: Added.
4288         (arrayPush2):
4289         * microbenchmarks/array-push-3.js: Added.
4290         (arrayPush3):
4291         * stress/array-push-multiple-contiguous.js: Added.
4292         (shouldBe):
4293         (test):
4294         * stress/array-push-multiple-double-nan.js: Added.
4295         (shouldBe):
4296         (test):
4297         * stress/array-push-multiple-double.js: Added.
4298         (shouldBe):
4299         (test):
4300         * stress/array-push-multiple-int32.js: Added.
4301         (shouldBe):
4302         (test):
4303         * stress/array-push-multiple-many-contiguous.js: Added.
4304         (shouldBe):
4305         (test):
4306         * stress/array-push-multiple-many-double.js: Added.
4307         (shouldBe):
4308         (test):
4309         * stress/array-push-multiple-many-int32.js: Added.
4310         (shouldBe):
4311         (test):
4312         * stress/array-push-multiple-many-storage.js: Added.
4313         (shouldBe):
4314         (test):
4315         * stress/array-push-multiple-storage.js: Added.
4316         (shouldBe):
4317         (test):
4318
4319 2017-09-26  Commit Queue  <commit-queue@webkit.org>
4320
4321         Unreviewed, rolling out r222518.
4322         https://bugs.webkit.org/show_bug.cgi?id=177507
4323
4324         Break the High Sierra build (Requested by yusukesuzuki on
4325         #webkit).
4326
4327         Reverted changeset:
4328
4329         "Add Above/Below comparisons for UInt32 patterns"
4330         https://bugs.webkit.org/show_bug.cgi?id=177281
4331         http://trac.webkit.org/changeset/222518
4332
4333 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4334
4335         Add Above/Below comparisons for UInt32 patterns
4336         https://bugs.webkit.org/show_bug.cgi?id=177281
4337
4338         Reviewed by Saam Barati.
4339
4340         * stress/uint32-comparison-jump.js: Added.
4341         (shouldBe):
4342         (above):
4343         (aboveOrEqual):
4344         (below):
4345         (belowOrEqual):
4346         (notAbove):
4347         (notAboveOrEqual):
4348         (notBelow):
4349         (notBelowOrEqual):
4350         * stress/uint32-comparison.js: Added.
4351         (shouldBe):
4352         (above):
4353         (aboveOrEqual):
4354         (below):
4355         (belowOrEqual):
4356         (aboveTest):
4357         (aboveOrEqualTest):
4358         (belowTest):
4359         (belowOrEqualTest):
4360
4361 2017-09-23  Keith Miller  <keith_miller@apple.com>
4362
4363         Fix infinite looping test262 test
4364         https://bugs.webkit.org/show_bug.cgi?id=177412
4365
4366         Reviewed by Yusuke Suzuki.
4367
4368         This test was poorly designed since failing it would cause the vm
4369         to infinite loop. I've fixed it locally and will fix it on github pending
4370         the results of next week's tc39 meeting.
4371
4372         * test262.yaml:
4373         * test262/test/language/statements/for-of/iterator-next-reference.js:
4374
4375 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
4376
4377         test262: $.agent became $262.agent in test262 update
4378         https://bugs.webkit.org/show_bug.cgi?id=177407
4379
4380         Reviewed by Yusuke Suzuki.
4381
4382         * test262.yaml:
4383         ~320 tests pass now that we correctly make $262 available.
4384
4385 2017-09-22  Keith Miller  <keith_miller@apple.com>
4386
4387         Speculatively change iteration protocol to use the same next function
4388         https://bugs.webkit.org/show_bug.cgi?id=175653
4389
4390         Reviewed by Saam Barati.
4391
4392         Change test to match the new iteration behavior.
4393
4394         * stress/spread-optimized-properly.js:
4395
4396 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
4397
4398         [DFG][FTL] Profile array vector length for array allocation
4399         https://bugs.webkit.org/show_bug.cgi?id=177051
4400
4401         Reviewed by Saam Barati.
4402
4403         * microbenchmarks/new-array-buffer-vector-profile.js: Added.