[ESNext][BigInt] Add support for BigInt in SpeculatedType
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
2
3         [ESNext][BigInt] Add support for BigInt in SpeculatedType
4         https://bugs.webkit.org/show_bug.cgi?id=182470
5
6         Reviewed by Saam Barati.
7
8         * stress/big-int-spec-to-primitive.js: Added.
9         * stress/big-int-spec-to-this.js: Added.
10         * stress/big-int-strict-equals-jit.js: Added.
11         * stress/big-int-strict-spec-to-this.js: Added.
12         * stress/big-int-type-of-proven-type.js: Added.
13
14 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
15
16         DFG AI and clobberize should agree with each other
17         https://bugs.webkit.org/show_bug.cgi?id=184440
18
19         Reviewed by Saam Barati.
20         
21         Add tests for all of the bugs I fixed.
22
23         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
24         (foo):
25         * stress/new-typed-array-cse-effects.js: Added.
26         (foo):
27         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
28         (foo.theO):
29         (foo):
30         * stress/string-from-char-code-change-structure-not-dead.js: Added.
31         (foo):
32         (i.valueOf):
33         (weirdValue.valueOf):
34         * stress/string-from-char-code-change-structure.js: Added.
35         (foo):
36         (i.valueOf):
37         (weirdValue.valueOf):
38
39 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
40
41         Fix errant Test262 files CRLF to LF for consistency with the original source
42         https://bugs.webkit.org/show_bug.cgi?id=184425
43
44         Reviewed by Yusuke Suzuki.
45
46         * test262/test/built-ins/Math/acosh/nan-returns.js:
47         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
48         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
49         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
50         * test262/test/built-ins/Math/cbrt/prop-desc.js:
51         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
52         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
53         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
54         * test262/test/built-ins/Math/log2/log2-basicTests.js:
55         * test262/test/built-ins/Math/sign/sign-specialVals.js:
56         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
57         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
58         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
59         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
60
61 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
62
63         Unreviewed, remove incorrect entry in test262.yaml
64         https://bugs.webkit.org/show_bug.cgi?id=184266
65
66         * test262.yaml:
67
68 2018-04-08  Valerie Young  <valerie@bocoup.com>
69
70         [JSC] Update Test262 to April 6 version
71         https://bugs.webkit.org/show_bug.cgi?id=184266
72
73         Rubber stamped by Yusuke Suzuki.
74
75 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
76
77         [JSC] Introduce op_get_by_id_direct
78         https://bugs.webkit.org/show_bug.cgi?id=183970
79
80         Reviewed by Filip Pizlo.
81
82         * stress/generator-prototype-copy.js: Added.
83         (gen):
84         (catch):
85         Adopted JF's tests.
86
87         * stress/generator-type-check.js: Added.
88         (shouldThrow):
89         (foo2):
90         (i.shouldThrow):
91         * stress/get-by-id-direct-getter.js: Added.
92         (shouldBe):
93         (shouldThrow):
94         (obj.get hello):
95         (builtin.createBuiltin):
96         (obj2.get length):
97         * stress/get-by-id-direct.js: Added.
98         (shouldBe):
99         (shouldThrow):
100         (builtin.createBuiltin):
101         * test262.yaml:
102         We fixed long-standing spec compatibility issue.
103         As a result, this patch makes several test262 tests passed!
104
105
106 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
107
108         Unreviewed, annotate test with @skip if $memoryLimited
109         https://bugs.webkit.org/show_bug.cgi?id=183894
110
111         * stress/json-stringified-overflow.js:
112
113 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
114
115         Add svn:eol-style to line-terminator-normalisation-CR.js
116         https://bugs.webkit.org/show_bug.cgi?id=184341
117
118         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
119
120 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
121
122         Unreviewed, remove errant LF from existing test262 test for CR line endings.
123
124         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
125
126 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
127
128         Unreviewed, rolling out r230320.
129
130         Revert fix, as the root cause lies elsewhere.
131
132         Reverted changeset:
133
134         "[test262] Mark line-terminator-normalisation-CR.js as a
135         binary file."
136         https://bugs.webkit.org/show_bug.cgi?id=184341
137         https://trac.webkit.org/changeset/230320
138
139 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
140
141         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
142         https://bugs.webkit.org/show_bug.cgi?id=184341
143
144         Reviewed by Yusuke Suzuki.
145
146         This test is all about CR line endings, but `svn-apply` can't deal with them.
147         Treating the file as binary ensures that its contents never are never shown in a diff.
148
149         * .gitattributes: Added.
150
151 2018-04-05  Robin Morisset  <rmorisset@apple.com>
152
153         Fix testcase (missing try/catch).
154         https://bugs.webkit.org/show_bug.cgi?id=183657
155
156         Unreviewed.
157
158         * stress/large-unshift-splice.js
159
160 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
161
162         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
163         https://bugs.webkit.org/show_bug.cgi?id=184319
164
165         Reviewed by Saam Barati.
166
167         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
168         (foo):
169         (bar):
170         * stress/array-push-nan-to-double-array.js: Added.
171         (foo):
172         (bar):
173
174 2018-04-03  Mark Lam  <mark.lam@apple.com>
175
176         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
177         https://bugs.webkit.org/show_bug.cgi?id=184284
178
179         Reviewed by Saam Barati.
180
181         * stress/js-fixed-array-out-of-memory.js:
182
183 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
184
185         JSC crash in JIT code with for-of loop and Array/Set iterators
186         https://bugs.webkit.org/show_bug.cgi?id=183174
187
188         Reviewed by Saam Barati.
189
190         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
191         (foo):
192         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
193         (f):
194
195 2018-03-30  JF Bastien  <jfbastien@apple.com>
196
197         WebAssembly: support DataView compilation
198         https://bugs.webkit.org/show_bug.cgi?id=183342
199
200         Reviewed by Mark Lam.
201
202         Test WebAssembly compilation using a DataView with offset.
203
204         * wasm/regress/183342.js: Added.
205         (attempt.catch):
206
207 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
208
209         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
210         https://bugs.webkit.org/show_bug.cgi?id=184189
211
212         Reviewed by JF Bastien.
213
214         * stress/load-hole-from-scope-into-live-var.js: Added.
215         (result.eval.try.switch):
216         (catch):
217
218 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
219
220         Unreviewed, rolling out r230102.
221
222         Caused assertion failures on JSC bots.
223
224         Reverted changeset:
225
226         "A stack overflow in the parsing of a builtin (called by
227         createExecutable) cause a crash instead of a catchable js
228         exception"
229         https://bugs.webkit.org/show_bug.cgi?id=184074
230         https://trac.webkit.org/changeset/230102
231
232 2018-03-30  Robin Morisset  <rmorisset@apple.com>
233
234         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
235         https://bugs.webkit.org/show_bug.cgi?id=183812
236
237         Reviewed by Keith Miller.
238
239         * stress/inlining-unreachable-non-tail.js: Added.
240         (foo.):
241         (foo):
242
243 2018-03-30  Robin Morisset  <rmorisset@apple.com>
244
245         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
246         https://bugs.webkit.org/show_bug.cgi?id=184074
247         <rdar://problem/37165897>
248
249         Reviewed by Keith Miller.
250
251         * stress/stack-overflow-while-parsing-builtin.js: Added.
252         (f):
253
254 2018-03-30  Robin Morisset  <rmorisset@apple.com>
255
256         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
257         https://bugs.webkit.org/show_bug.cgi?id=183657
258
259         Reviewed by Keith Miller.
260
261         * stress/large-unshift-splice.js: Added.
262         (make_contig_arr):
263
264 2018-03-28  Robin Morisset  <rmorisset@apple.com>
265
266         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
267         https://bugs.webkit.org/show_bug.cgi?id=183894
268
269         Reviewed by Saam Barati.
270
271         * stress/json-stringified-overflow.js: Added.
272         (catch):
273
274 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
275
276         DFG should know that CreateThis can be effectful
277         https://bugs.webkit.org/show_bug.cgi?id=184013
278
279         Reviewed by Saam Barati.
280
281         * stress/create-this-property-change.js: Added.
282         (Foo):
283         (RealBar):
284         (get if):
285         * stress/create-this-structure-change-without-cse.js: Added.
286         (Foo):
287         (RealBar):
288         (get if):
289         * stress/create-this-structure-change.js: Added.
290         (Foo):
291         (RealBar):
292         (get if):
293
294 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
295
296         [DFG] Introduces fused compare and jump
297         https://bugs.webkit.org/show_bug.cgi?id=177100
298
299         Reviewed by Mark Lam.
300
301         * stress/fused-jeq-slow.js: Added.
302         (shouldBe):
303         (testJEQ):
304         (testJNEQB):
305         (testJEQB):
306         (testJNEQF):
307         (testJEQF):
308         * stress/fused-jeq.js: Added.
309         (shouldBe):
310         (testJEQ):
311         (testJNEQB):
312         (testJEQB):
313         (testJNEQF):
314         (testJEQF):
315         * stress/fused-jstricteq-slow.js: Added.
316         (shouldBe):
317         (testJSTRICTEQ):
318         (testJNSTRICTEQB):
319         (testJSTRICTEQB):
320         (testJNSTRICTEQF):
321         (testJSTRICTEQF):
322         * stress/fused-jstricteq.js: Added.
323         (shouldBe):
324         (testJSTRICTEQ):
325         (testJNSTRICTEQB):
326         (testJSTRICTEQB):
327         (testJNSTRICTEQF):
328         (testJSTRICTEQF):
329
330 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
331
332         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
333         https://bugs.webkit.org/show_bug.cgi?id=183559
334
335         Reviewed by Mark Lam.
336
337         * stress/double-to-string-in-loop-removed.js: Added.
338         (test):
339         * stress/int32-to-string-in-loop-removed.js: Added.
340         (test):
341         * stress/int52-to-string-in-loop-removed.js: Added.
342         (test):
343
344 2018-03-22  Michael Saboff  <msaboff@apple.com>
345
346         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
347         https://bugs.webkit.org/show_bug.cgi?id=183901
348
349         Reviewed by Keith Miller.
350
351         New test.
352
353         * stress/array-reverse-doesnt-clobber.js: Added.
354         (testArrayReverse):
355         (createArrayOfArrays):
356         (createArrayStorage):
357
358 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
359
360         ScopedArguments should do poisoning and index masking
361         https://bugs.webkit.org/show_bug.cgi?id=183863
362
363         Reviewed by Mark Lam.
364         
365         Adds another stress test of scoped arguments.
366
367         * stress/scoped-arguments-test.js: Added.
368         (foo):
369
370 2018-03-20  Saam Barati  <sbarati@apple.com>
371
372         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
373         https://bugs.webkit.org/show_bug.cgi?id=183795
374         <rdar://problem/38298694>
375
376         Reviewed by JF Bastien.
377
378         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
379         (foo):
380         (bar):
381
382 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
383
384         [DFG][FTL] Add vectorLengthHint for NewArray
385         https://bugs.webkit.org/show_bug.cgi?id=183694
386
387         Reviewed by Saam Barati.
388
389         * stress/vector-length-hint-array-constructor.js: Added.
390         (shouldBe):
391         (test):
392         * stress/vector-length-hint-new-array.js: Added.
393         (shouldBe):
394         (test):
395
396 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
397
398         [DFG][FTL] Make ArraySlice(0) code tight
399         https://bugs.webkit.org/show_bug.cgi?id=183590
400
401         Reviewed by Saam Barati.
402
403         * stress/array-slice-with-zero.js: Added.
404         (shouldBe):
405         (test):
406         (test2):
407         * stress/array-slice-zero-args.js: Added.
408         (shouldBe):
409         (test):
410
411 2018-03-14  Caitlin Potter  <caitp@igalia.com>
412
413         [JSC] fix order of evaluation for ClassDefinitionEvaluation
414         https://bugs.webkit.org/show_bug.cgi?id=183523
415
416         Reviewed by Keith Miller.
417
418         Computed property names need to be evaluated in source order during class
419         definition evaluation, as it's observable (and specified to work this way).
420
421         This change improves compatibility with Chromium.
422
423         * stress/class_elements.js: Added.
424         (test):
425         (test.C.prototype.effect):
426         (test.C.effect):
427         (test.C.prototype.get effect):
428         (test.C.prototype.set effect):
429         (test.C):
430
431 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
432
433         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
434         https://bugs.webkit.org/show_bug.cgi?id=183310
435
436         Reviewed by Filip Pizlo.
437
438         * stress/ai-create-this-to-new-object-fire.js: Added.
439         (assert):
440         (test):
441         (func):
442         (check):
443         (test.body.A):
444         (test.body.B):
445         (test.body):
446         * stress/ai-create-this-to-new-object.js: Added.
447         (assert):
448         (test):
449         (func):
450         (check):
451         (test.body.A):
452         (test.body.B):
453         (test.body):
454
455 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
456
457         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
458         https://bugs.webkit.org/show_bug.cgi?id=181848
459
460         Reviewed by Sam Weinig.
461
462         * microbenchmarks/regexp-u-global-es5.js: Added.
463         (fn):
464         * microbenchmarks/regexp-u-global-es6.js: Added.
465         (fn):
466         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
467         (shouldBe):
468         (test):
469         (i.switch):
470         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
471         (shouldBe):
472         (test):
473
474 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
475
476         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
477         https://bugs.webkit.org/show_bug.cgi?id=183334
478
479         Reviewed by Žan Doberšek.
480
481         * stress/var-injection-cache-invalidation.js:
482
483 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
484
485         [ARM] Disable tests that run out of memory
486         https://bugs.webkit.org/show_bug.cgi?id=182699
487
488         Reviewed by Žan Doberšek.
489
490         Skip tests that run of of memory. Do not run
491         modules/module-jit-reachability.js without LLInt to prevent
492         running out of executable memory.
493
494         * modules.yaml:
495         * modules/module-jit-reachability.js:
496         * stress/has-own-property-name-cache-string-keys.js:
497         * stress/has-own-property-name-cache-symbol-keys.js:
498
499 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
500
501         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
502         https://bugs.webkit.org/show_bug.cgi?id=183173
503
504         Reviewed by Saam Barati.
505
506         * stress/async-arrow-function-in-class-heritage.js: Added.
507         (testSyntax):
508         (testSyntaxError):
509         (SyntaxError):
510
511 2018-03-01  Saam Barati  <sbarati@apple.com>
512
513         We need to clear cached structures when having a bad time
514         https://bugs.webkit.org/show_bug.cgi?id=183256
515         <rdar://problem/36245022>
516
517         Reviewed by Mark Lam.
518
519         * stress/having-a-bad-time-with-derived-arrays.js: Added.
520         (assert):
521         (defineSetter):
522         (iterate):
523         (doSlice):
524
525 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
526
527         JSC crash with `import("")`
528         https://bugs.webkit.org/show_bug.cgi?id=183175
529
530         Reviewed by Saam Barati.
531
532         * stress/import-with-empty-string.js: Added.
533
534 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
535
536         Unreviewed, skip FTL tests if FTL is disabled
537         https://bugs.webkit.org/show_bug.cgi?id=183071
538
539         * stress/has-indexed-property-array-storage-ftl.js:
540         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
541
542 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
543
544         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
545         https://bugs.webkit.org/show_bug.cgi?id=182965
546
547         Reviewed by Saam Barati.
548
549         * stress/put-by-val-array-storage.js: Added.
550         (shouldBe):
551         (testArrayStorageInBounds):
552         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
553         (shouldBe):
554         (testInt32.createBuiltin):
555         (set for):
556         * stress/put-by-val-slow-put-array-storage.js: Added.
557         (shouldBe):
558         (testArrayStorageInBounds):
559
560 2018-02-26  Saam Barati  <sbarati@apple.com>
561
562         validateStackAccess should not validate if the offset is within the stack bounds
563         https://bugs.webkit.org/show_bug.cgi?id=183067
564         <rdar://problem/37749988>
565
566         Reviewed by Mark Lam.
567
568         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
569         (assert):
570         (test.a):
571         (test.b):
572         (test):
573
574 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
575
576         Unreviewed, skip FTL tests if FTL is disabled
577         https://bugs.webkit.org/show_bug.cgi?id=183071
578
579         * stress/has-indexed-property-array-storage-ftl.js:
580         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
581
582 2018-02-23  Saam Barati  <sbarati@apple.com>
583
584         Make Number.isInteger an intrinsic
585         https://bugs.webkit.org/show_bug.cgi?id=183088
586
587         Reviewed by JF Bastien.
588
589         * stress/number-is-integer-intrinsic.js: Added.
590
591 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
592
593         WebAssembly: cache memory address / size on instance
594         https://bugs.webkit.org/show_bug.cgi?id=177305
595
596         Reviewed by JF Bastien.
597
598         * wasm/function-tests/memory-reuse.js: Added.
599         (createWasmInstance):
600         (doCheckTrap):
601         (doMemoryGrow):
602         (doCheck):
603         (checkWasmInstancesWithSharedMemory):
604
605 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
606
607         [JSC] Implement $vm.ftlTrue function for FTL testing
608         https://bugs.webkit.org/show_bug.cgi?id=183071
609
610         Reviewed by Mark Lam.
611
612         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
613         (foo):
614         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
615         (foo):
616         * stress/dead-fiat-value-to-int52.js:
617         (foo):
618         * stress/dead-osr-entry-value.js:
619         (foo):
620         * stress/fiat-value-to-int52-then-exit-not-double.js:
621         (foo):
622         * stress/fiat-value-to-int52-then-exit-not-int52.js:
623         (foo):
624         * stress/fiat-value-to-int52-then-fail-to-fold.js:
625         (foo):
626         * stress/fiat-value-to-int52-then-fold.js:
627         (foo):
628         * stress/fiat-value-to-int52.js:
629         (foo):
630         * stress/fold-based-on-int32-proof-mul-branch.js:
631         (foo):
632         * stress/fold-profiled-call-to-call.js:
633         (foo):
634         * stress/fold-to-double-constant-then-exit.js:
635         (foo):
636         * stress/fold-to-int52-constant-then-exit.js:
637         (foo):
638         * stress/fold-to-primitive-in-cfa.js:
639         (foo):
640         * stress/fold-to-primitive-to-identity-in-cfa.js:
641         (foo):
642         * stress/has-indexed-property-array-storage-ftl.js: Added.
643         (shouldBe):
644         (test1):
645         (test2):
646         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
647         (shouldBe):
648         (test1):
649         (test2):
650         * stress/int52-ai-add-then-filter-int32.js:
651         (foo):
652         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
653         (foo):
654         * stress/int52-ai-mul-then-filter-int32.js:
655         (foo):
656         * stress/int52-ai-neg-then-filter-int32.js:
657         (foo):
658         * stress/int52-ai-sub-then-filter-int32.js:
659         (foo):
660         * stress/licm-pre-header-cannot-exit-nested.js:
661         (foo):
662         * stress/licm-pre-header-cannot-exit.js:
663         (foo):
664         * stress/sparse-array-entry-update-144067.js:
665         (useMemoryToTriggerGCs):
666         * stress/test-spec-misc.js:
667         (foo):
668         * stress/tricky-array-bounds-checks.js:
669         (foo):
670
671 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
672
673         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
674         https://bugs.webkit.org/show_bug.cgi?id=182792
675
676         Reviewed by Mark Lam.
677
678         * stress/has-indexed-property-array-storage.js: Added.
679         (shouldBe):
680         (test1):
681         (test2):
682         * stress/has-indexed-property-slow-put-array-storage.js: Added.
683         (shouldBe):
684         (test1):
685         (test2):
686
687 2018-02-20  Saam Barati  <sbarati@apple.com>
688
689         DFG::VarargsForwardingPhase should eliminate getting argument length
690         https://bugs.webkit.org/show_bug.cgi?id=182959
691
692         Reviewed by Keith Miller.
693
694         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
695
696 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
697
698         [FTL] Support ArrayPush for ArrayStorage
699         https://bugs.webkit.org/show_bug.cgi?id=182782
700
701         Reviewed by Saam Barati.
702
703         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
704
705         * stress/array-push-array-storage-beyond-int32.js: Added.
706         (shouldBe):
707         (test):
708         * stress/array-push-array-storage.js: Added.
709         (shouldBe):
710         (test):
711         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
712         (shouldBe):
713         (test):
714         * stress/array-push-multiple-storage-continuous.js: Added.
715         (shouldBe):
716         (test):
717
718 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
719
720         [FTL] Support ArrayPop for ArrayStorage
721         https://bugs.webkit.org/show_bug.cgi?id=182783
722
723         Reviewed by Saam Barati.
724
725         * stress/array-pop-array-storage.js: Added.
726         (shouldBe):
727         (test):
728
729 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
730
731         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
732         https://bugs.webkit.org/show_bug.cgi?id=182731
733
734         Reviewed by Saam Barati.
735
736         * stress/arrayify-array-storage-array.js: Added.
737         (shouldBe):
738         (testArrayStorage):
739         * stress/arrayify-array-storage-non-array.js: Added.
740         (shouldBe):
741         (testArrayStorage):
742         * stress/arrayify-array-storage.js: Added.
743         (shouldBe):
744         (testArrayStorage):
745         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
746         (shouldBe):
747         (testArrayStorage):
748         * stress/arrayify-slow-put-array-storage.js: Added.
749         (shouldBe):
750         (testArrayStorage):
751
752 2018-02-19  Saam Barati  <sbarati@apple.com>
753
754         Don't use JSFunction's allocation profile when getting the prototype can be effectful
755         https://bugs.webkit.org/show_bug.cgi?id=182942
756         <rdar://problem/37584764>
757
758         Reviewed by Mark Lam.
759
760         * stress/get-prototype-create-this-effectful.js: Added.
761
762 2018-02-16  Saam Barati  <sbarati@apple.com>
763
764         Fix bugs from r228411
765         https://bugs.webkit.org/show_bug.cgi?id=182851
766         <rdar://problem/37577732>
767
768         Reviewed by JF Bastien.
769
770         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
771
772 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
773
774         Unreviewed, roll out r228366 since it did not progress anything.
775
776         * stress/gc-error-stack.js: Removed.
777         * stress/no-gc-error-stack.js: Removed.
778
779 2018-02-15  Tomas Popela  <tpopela@redhat.com>
780
781         Many stress tests fail with JIT disabled
782         https://bugs.webkit.org/show_bug.cgi?id=182730
783
784         Reviewed by Saam Barati.
785
786         These tests are broken by design if the JIT is disabled - they test
787         the return value of numberOfDFGCompiles(), which is always set to
788         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
789
790         * stress/arith-abs-on-various-types.js:
791         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
792         * stress/arith-acos-on-various-types.js:
793         * stress/arith-acosh-on-various-types.js:
794         * stress/arith-asin-on-various-types.js:
795         * stress/arith-asinh-on-various-types.js:
796         * stress/arith-atan-on-various-types.js:
797         * stress/arith-atanh-on-various-types.js:
798         * stress/arith-cbrt-on-various-types.js:
799         * stress/arith-ceil-on-various-types.js:
800         * stress/arith-clz32-on-various-types.js:
801         * stress/arith-cos-on-various-types.js:
802         * stress/arith-cosh-on-various-types.js:
803         * stress/arith-expm1-on-various-types.js:
804         * stress/arith-floor-on-various-types.js:
805         * stress/arith-fround-on-various-types.js:
806         * stress/arith-log-on-various-types.js:
807         * stress/arith-log10-on-various-types.js:
808         * stress/arith-log2-on-various-types.js:
809         * stress/arith-negate-on-various-types.js:
810         * stress/arith-round-on-various-types.js:
811         * stress/arith-sin-on-various-types.js:
812         * stress/arith-sinh-on-various-types.js:
813         * stress/arith-sqrt-on-various-types.js:
814         * stress/arith-tan-on-various-types.js:
815         * stress/arith-tanh-on-various-types.js:
816         * stress/arith-trunc-on-various-types.js:
817         * stress/compare-strict-eq-on-various-types.js:
818
819 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
820
821         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
822
823         Unreviewed test gardening.
824
825         * stress/new-largeish-contiguous-array-with-size.js:
826
827 2018-02-14  Saam Barati  <sbarati@apple.com>
828
829         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
830         https://bugs.webkit.org/show_bug.cgi?id=182801
831
832         Reviewed by Keith Miller.
833
834         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
835
836 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
837
838         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
839         https://bugs.webkit.org/show_bug.cgi?id=182526
840
841         Unreviewed test gardening.
842
843         * stress/activation-sink-default-value-tdz-error.js:
844
845 2018-02-13  Saam Barati  <sbarati@apple.com>
846
847         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
848         https://bugs.webkit.org/show_bug.cgi?id=182755
849         <rdar://problem/37080864>
850
851         Reviewed by Keith Miller.
852
853         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
854         (test1.o.get 10005):
855         (test1):
856         (test2.o.get 1000):
857         (test2):
858
859 2018-02-13  Caitlin Potter  <caitp@igalia.com>
860
861         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
862         https://bugs.webkit.org/show_bug.cgi?id=182717
863
864         Reviewed by Yusuke Suzuki.
865
866         https://github.com/tc39/ecma262/pull/890 imposes a change to template
867         literals, to allow template callsite arrays to be collected when the
868         code containing the tagged template call is collected. This spec change
869         has received concensus and been ratified.
870
871         This change eliminates the eternal map associating template contents
872         with arrays.
873
874         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
875         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
876         * stress/tagged-templates-identity.js:
877         * stress/template-string-tags-eval.js:
878         * test262.yaml:
879
880 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
881
882         Support GetArrayLength on ArrayStorage in the FTL
883         https://bugs.webkit.org/show_bug.cgi?id=182625
884
885         Reviewed by Saam Barati.
886
887         * stress/array-storage-length.js: Added.
888         (shouldBe):
889         (testInBound):
890         (testUncountable):
891         (testSlowPutInBound):
892         (testSlowPutUncountable):
893         * stress/undecided-length.js: Added.
894         (shouldBe):
895         (test2):
896
897 2018-02-12  Saam Barati  <sbarati@apple.com>
898
899         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
900         https://bugs.webkit.org/show_bug.cgi?id=182706
901         <rdar://problem/36833681>
902
903         Reviewed by Filip Pizlo.
904
905         * stress/get-array-length-phantom-new-array-buffer.js: Added.
906         (effects):
907         (foo):
908
909 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
910
911         Don't waste memory for error.stack
912         https://bugs.webkit.org/show_bug.cgi?id=182656
913
914         Reviewed by Saam Barati.
915         
916         Tests the policy.
917
918         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
919         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
920
921 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
922
923         [JSC] Update Test262 to Feb 9 version
924         https://bugs.webkit.org/show_bug.cgi?id=182468
925
926         Reviewed by Saam Barati.
927
928 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
929
930         Unreviewed, fix invalid line terminator in old test262 file part 2
931         https://bugs.webkit.org/show_bug.cgi?id=182468
932
933         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
934
935 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
936
937         Unreviewed, fix invalid line terminator in old test262 file
938         https://bugs.webkit.org/show_bug.cgi?id=182468
939
940         * test262/test/language/literals/regexp/7.8.5-1.js:
941
942 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
943
944         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
945         https://bugs.webkit.org/show_bug.cgi?id=182440
946
947         Reviewed by Darin Adler.
948
949         * stress/array-flatmap.js: Added.
950         (shouldBe):
951         (shouldBeArray):
952         (shouldThrow):
953         (var):
954         * stress/array-flatten.js: Added.
955         (shouldBe):
956         (shouldBeArray):
957         * test262.yaml:
958         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
959         (3.flatMap):
960         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
961
962 2018-02-06  Keith Miller  <keith_miller@apple.com>
963
964         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
965         https://bugs.webkit.org/show_bug.cgi?id=182549
966         <rdar://problem/36189995>
967
968         Reviewed by Saam Barati.
969
970         * stress/var-injection-cache-invalidation.js: Added.
971         (allocateLotsOfThings):
972         (test):
973
974 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
975
976         Unreviewed, follow up for test262 update
977         https://bugs.webkit.org/show_bug.cgi?id=182288
978
979         * test262.yaml:
980
981 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
982
983         Update test262 to Jan 30 version
984         https://bugs.webkit.org/show_bug.cgi?id=182288
985
986         Unreviewed test gardening.
987
988         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
989
990 2018-02-02  Saam Barati  <sbarati@apple.com>
991
992         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
993         https://bugs.webkit.org/show_bug.cgi?id=182368
994         <rdar://problem/36932466>
995
996         Reviewed by Mark Lam.
997
998         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
999         (runNearStackLimit.t):
1000         (runNearStackLimit):
1001         (try.runNearStackLimit):
1002         (catch):
1003
1004 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1005
1006         Update test262 to Jan 30 version
1007         https://bugs.webkit.org/show_bug.cgi?id=182288
1008
1009         Rubber stamped by Saam Barati.
1010
1011         This patch updates test262 to the latest one, Jan 30 version.
1012         Since added and changed files are too many, we cannot create ChangeLog.
1013         The following files are changed.
1014
1015         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1016         including some special line terminators (like u2028, u2029).
1017
1018         * test262.yaml:
1019         * test262/test262-Revision.txt:
1020         * test262/*:
1021
1022 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1023
1024         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1025         https://bugs.webkit.org/show_bug.cgi?id=182411
1026
1027         Reviewed by Carlos Alberto Lopez Perez.
1028
1029         This is skipped only on arm memory limited platforms. Until recently
1030         it was not a problem on MIPS as the butterfly was not initialized. But
1031         since r227435, the butterfly is initialized in that test and therefore
1032         memory is allocated, and the test typically takes around 512M, which
1033         means it generally gets OOM-killed on the MIPS buildbot.
1034
1035         * mozilla/mozilla-tests.yaml:
1036
1037 2018-02-01  Mark Lam  <mark.lam@apple.com>
1038
1039         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1040         https://bugs.webkit.org/show_bug.cgi?id=182419
1041         <rdar://problem/37044945>
1042
1043         Reviewed by Saam Barati.
1044
1045         * stress/regress-182419.js: Added.
1046
1047 2018-02-01  Keith Miller  <keith_miller@apple.com>
1048
1049         Fix crashes due to mishandling custom sections.
1050         https://bugs.webkit.org/show_bug.cgi?id=182404
1051         <rdar://problem/36935863>
1052
1053         Reviewed by Saam Barati.
1054
1055         * wasm/Builder.js:
1056         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1057         * wasm/js-api/validate.js:
1058         (assert.truthy):
1059
1060 2018-01-31  Saam Barati  <sbarati@apple.com>
1061
1062         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1063         https://bugs.webkit.org/show_bug.cgi?id=182074
1064         <rdar://problem/36846261>
1065
1066         Reviewed by Mark Lam.
1067
1068         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1069         (assert):
1070         (let.func):
1071         (let.o.foo):
1072         (varFunc):
1073
1074 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1075
1076         Unreviewed, update test262 expects
1077         https://bugs.webkit.org/show_bug.cgi?id=182232
1078
1079         * test262.yaml:
1080
1081 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1082
1083         [JSC] Implement trimStart and trimEnd
1084         https://bugs.webkit.org/show_bug.cgi?id=182233
1085
1086         Reviewed by Mark Lam.
1087
1088         * stress/trim.js: Added.
1089         (shouldBe):
1090         (startTest):
1091         (endTest):
1092         (trimTest):
1093
1094 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1095
1096         [JSC] Relax line terminators in String to make JSON subset of JS
1097         https://bugs.webkit.org/show_bug.cgi?id=182232
1098
1099         Reviewed by Keith Miller.
1100
1101         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1102         * stress/relaxed-line-terminators-in-string.js: Added.
1103         (shouldBe):
1104
1105 2018-01-29  Michael Saboff  <msaboff@apple.com>
1106
1107         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1108         https://bugs.webkit.org/show_bug.cgi?id=182249
1109
1110         Reviewed by Keith Miller.
1111
1112         New regression test.
1113
1114         * stress/compare-clobber-untypeduse.js: Added.
1115
1116 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1117
1118         Unreviewed, rolling out r227725.
1119
1120         This caused internal failures.
1121
1122         Reverted changeset:
1123
1124         "JSC Sampling Profiler: Detect tester and testee when sampling
1125         in RegExp JIT"
1126         https://bugs.webkit.org/show_bug.cgi?id=152729
1127         https://trac.webkit.org/changeset/227725
1128
1129 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1130
1131         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1132         https://bugs.webkit.org/show_bug.cgi?id=152729
1133
1134         Reviewed by Saam Barati.
1135
1136         * stress/sampling-profiler-regexp.js: Added.
1137         (platformSupportsSamplingProfiler.test):
1138         (platformSupportsSamplingProfiler.baz):
1139         (platformSupportsSamplingProfiler):
1140
1141 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1142
1143         [DFG][FTL] WeakMap#set should have DFG node
1144         https://bugs.webkit.org/show_bug.cgi?id=180015
1145
1146         Reviewed by Saam Barati.
1147
1148         * stress/weakmap-set-change-get.js: Added.
1149         (shouldBe):
1150         (test):
1151         * stress/weakmap-set-cse.js: Added.
1152         (shouldBe):
1153         (test):
1154         * stress/weakset-add-change-get.js: Added.
1155         (shouldBe):
1156         * stress/weakset-add-cse.js: Added.
1157         (shouldBe):
1158
1159 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1160
1161         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1162         https://bugs.webkit.org/show_bug.cgi?id=182213
1163
1164         Reviewed by Mark Lam.
1165
1166         * stress/int32-min-to-string.js: Added.
1167         (shouldBe):
1168         (test2):
1169         (test4):
1170         (test8):
1171         (test16):
1172         (test32):
1173         * stress/zero-to-string.js: Added.
1174         (shouldBe):
1175         (test2):
1176         (test4):
1177         (test8):
1178         (test16):
1179         (test32):
1180
1181 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1182
1183         Add more module scope related tests with code evaluation by string
1184         https://bugs.webkit.org/show_bug.cgi?id=181983
1185
1186         Reviewed by Sam Weinig.
1187
1188         Add more module scope related tests. When the original tests are landed,
1189         we do not have browser integration. This patch adds more module scope tests
1190         with dynamically created script evaluation. We add tests with Function
1191         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1192
1193         * modules/scopes-eval.js: Added.
1194         (shouldBe):
1195         * modules/scopes.js:
1196         (shouldBe):
1197
1198 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1199
1200         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1201
1202         * microbenchmarks/array-push-3.js: Removed.
1203         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1204         * microbenchmarks/double-to-int32.js: Removed.
1205         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1206         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1207         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1208         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1209         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1210         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1211         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1212         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1213         * microbenchmarks/map-constant-key.js: Removed.
1214         * microbenchmarks/nested-function-parsing.js: Removed.
1215         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1216         * microbenchmarks/spread-large-array.js: Removed.
1217         * microbenchmarks/string-add-constant-folding.js: Removed.
1218         * microbenchmarks/to-lower-case.js: Removed.
1219         * microbenchmarks/undefined-property-access.js: Removed.
1220         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1221         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1222         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1223         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1224         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1225         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1226         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1227         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1228         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1229         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1230         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1231         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1232         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1233         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1234         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1235         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1236         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1237         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1238
1239 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1240
1241         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1242         https://bugs.webkit.org/show_bug.cgi?id=181739
1243         <rdar://problem/36627662>
1244
1245         Reviewed by Saam Barati.
1246
1247         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1248         (foo):
1249         (bar):
1250
1251 2018-01-22  Michael Saboff  <msaboff@apple.com>
1252
1253         DFG abstract interpreter needs to properly model effects of some Math ops
1254         https://bugs.webkit.org/show_bug.cgi?id=181886
1255
1256         Reviewed by Saam Barati.
1257
1258         New regression test.
1259
1260         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1261         (test):
1262
1263 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1264
1265         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1266         https://bugs.webkit.org/show_bug.cgi?id=181182
1267
1268         Reviewed by Darin Adler.
1269
1270         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1271         * stress/big-int-prototype-to-string-exception.js: Added.
1272         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1273         * stress/number-prototype-to-string-cast-overflow.js: Added.
1274         * stress/number-prototype-to-string-exception.js: Added.
1275         * stress/number-prototype-to-string-wrong-values.js: Added.
1276
1277 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1278
1279         Disable Atomics when SharedArrayBuffer isn’t enabled
1280         https://bugs.webkit.org/show_bug.cgi?id=181572
1281
1282         Unreviewed test gardening.
1283
1284         * test262.yaml: Skip tests that fail after this change.
1285
1286 2018-01-19  Saam Barati  <sbarati@apple.com>
1287
1288         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1289         https://bugs.webkit.org/show_bug.cgi?id=181877
1290         <rdar://problem/36630552>
1291
1292         Reviewed by Mark Lam.
1293
1294         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1295         (runNearStackLimit):
1296         (f1):
1297         (f2):
1298         (f3):
1299         (i.catch):
1300         (i.try.runNearStackLimit):
1301         (catch):
1302
1303 2018-01-19  Saam Barati  <sbarati@apple.com>
1304
1305         Spread's effects are modeled incorrectly both in AI and in Clobberize
1306         https://bugs.webkit.org/show_bug.cgi?id=181867
1307         <rdar://problem/36290415>
1308
1309         Reviewed by Michael Saboff.
1310
1311         * stress/ai-needs-to-model-spreads-effects.js: Added.
1312         (try.p.Symbol.iterator):
1313         (try.go):
1314         (catch):
1315         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1316         (assert):
1317         (foo):
1318         (a.Symbol.iterator):
1319
1320 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1321
1322         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1323         https://bugs.webkit.org/show_bug.cgi?id=181535
1324
1325         * stress/inserted-recovery-with-set-last-index.js:
1326
1327 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1330         https://bugs.webkit.org/show_bug.cgi?id=181535
1331
1332         Reviewed by Saam Barati.
1333
1334         * stress/inserted-recovery-with-set-last-index.js: Added.
1335         (shouldBe):
1336         (foo):
1337         * stress/materialize-regexp-at-osr-exit.js: Added.
1338         (shouldBe):
1339         (test):
1340         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1341         (shouldBe):
1342         (test):
1343         * stress/materialize-regexp-cyclic-regexp.js: Added.
1344         (shouldBe):
1345         (test):
1346         (i.switch):
1347         * stress/materialize-regexp-cyclic.js: Added.
1348         (shouldBe):
1349         (test):
1350         (i.switch):
1351         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1352         (bar):
1353         (foo):
1354         (test):
1355         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1356         (bar):
1357         (foo):
1358         (test):
1359         * stress/materialize-regexp.js: Added.
1360         (shouldBe):
1361         (test):
1362         * stress/phantom-regexp-regexp-exec.js: Added.
1363         (shouldBe):
1364         (test):
1365         * stress/phantom-regexp-string-match.js: Added.
1366         (shouldBe):
1367         (test):
1368         * stress/regexp-last-index-sinking.js: Added.
1369         (shouldBe):
1370         (test):
1371
1372 2018-01-17  Saam Barati  <sbarati@apple.com>
1373
1374         Disable Atomics when SharedArrayBuffer isn’t enabled
1375         https://bugs.webkit.org/show_bug.cgi?id=181572
1376         <rdar://problem/36553206>
1377
1378         Reviewed by Michael Saboff.
1379
1380         * stress/isLockFree.js:
1381
1382 2018-01-17  Saam Barati  <sbarati@apple.com>
1383
1384         DFG::Node::convertToConstant needs to clear the varargs flags
1385         https://bugs.webkit.org/show_bug.cgi?id=181697
1386         <rdar://problem/36497332>
1387
1388         Reviewed by Yusuke Suzuki.
1389
1390         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1391         (doIndexOf):
1392         (bar):
1393         (i.bar):
1394
1395 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1396
1397         Unreviewed, rolling out r226937.
1398
1399         Tests added with this change are failing due to a missing
1400         exception check.
1401
1402         Reverted changeset:
1403
1404         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1405         double to int32_t"
1406         https://bugs.webkit.org/show_bug.cgi?id=181182
1407         https://trac.webkit.org/changeset/226937
1408
1409 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1410
1411         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1412         https://bugs.webkit.org/show_bug.cgi?id=181182
1413
1414         Reviewed by Darin Adler.
1415
1416         * bigIntTests.yaml:
1417         * stress/big-int-constructor.js:
1418         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1419         (assert):
1420         (assertThrowRangeError):
1421         * stress/number-prototype-to-string-cast-overflow.js: Added.
1422         (assert):
1423         (assertThrowRangeError):
1424
1425 2018-01-12  Saam Barati  <sbarati@apple.com>
1426
1427         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1428         https://bugs.webkit.org/show_bug.cgi?id=181177
1429         <rdar://problem/36205704>
1430
1431         Reviewed by Yusuke Suzuki.
1432
1433         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1434         (runNearStackLimit.t):
1435         (runNearStackLimit):
1436         (test.f):
1437         (test):
1438
1439 2018-01-12  Saam Barati  <sbarati@apple.com>
1440
1441         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1442         https://bugs.webkit.org/show_bug.cgi?id=181562
1443         <rdar://problem/36445624>
1444
1445         Reviewed by Yusuke Suzuki.
1446
1447         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1448         (f):
1449         (foo):
1450
1451 2018-01-11  Saam Barati  <sbarati@apple.com>
1452
1453         When inserting Unreachable in byte code parser we need to flush all the right things
1454         https://bugs.webkit.org/show_bug.cgi?id=181509
1455         <rdar://problem/36423110>
1456
1457         Reviewed by Mark Lam.
1458
1459         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1460
1461 2018-01-11  Saam Barati  <sbarati@apple.com>
1462
1463         JITMathIC code in the FTL is wrong when code gets duplicated
1464         https://bugs.webkit.org/show_bug.cgi?id=181525
1465         <rdar://problem/36351993>
1466
1467         Reviewed by Michael Saboff and Keith Miller.
1468
1469         * stress/allow-math-ic-b3-code-duplication.js: Added.
1470
1471 2018-01-11  Saam Barati  <sbarati@apple.com>
1472
1473         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1474         https://bugs.webkit.org/show_bug.cgi?id=181508
1475
1476         Reviewed by Yusuke Suzuki.
1477
1478         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1479         (assert):
1480         (test1.foo):
1481         (test1):
1482         (test2.foo):
1483         (test2):
1484
1485 2018-01-09  Mark Lam  <mark.lam@apple.com>
1486
1487         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1488         https://bugs.webkit.org/show_bug.cgi?id=181388
1489         <rdar://problem/36349351>
1490
1491         Reviewed by Saam Barati.
1492
1493         * stress/regress-181388.js: Added.
1494
1495 2018-01-08  JF Bastien  <jfbastien@apple.com>
1496
1497         WebAssembly: mask indexed accesses to Table
1498         https://bugs.webkit.org/show_bug.cgi?id=181412
1499         <rdar://problem/36363236>
1500
1501         Reviewed by Saam Barati.
1502
1503         Update error messages.
1504
1505         * wasm/js-api/table.js:
1506         (assert.throws.WebAssembly.Table.prototype.grow):
1507
1508 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1509
1510         Disable SharedArrayBuffer tests missed in r226386.
1511         https://bugs.webkit.org/show_bug.cgi?id=181266
1512
1513         Unreviewed test gardening.
1514
1515         * test262.yaml:
1516
1517 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1518
1519         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1520         https://bugs.webkit.org/show_bug.cgi?id=181321
1521
1522         Reviewed by Saam Barati.
1523
1524         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1525         (shouldBe):
1526         (testFunction):
1527         * test262.yaml:
1528
1529 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1530
1531         Unreviewed, attempt to fix test262 after r226386.
1532
1533         * test262.yaml:
1534
1535 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1536
1537         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1538         https://bugs.webkit.org/show_bug.cgi?id=179911
1539
1540         Reviewed by Saam Barati.
1541
1542         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1543
1544         * stress/map-set-change-get.js: Added.
1545         (shouldBe):
1546         (test):
1547         * stress/map-set-create-bucket.js: Added.
1548         (shouldBe):
1549         (test):
1550         * stress/set-add-create-bucket.js: Added.
1551         (shouldBe):
1552
1553 2018-01-03  Michael Saboff  <msaboff@apple.com>
1554
1555         Disable SharedArrayBuffers from Web API
1556         https://bugs.webkit.org/show_bug.cgi?id=181266
1557
1558         Reviewed by Saam Barati.
1559
1560         Disabled SharedArrayBuffer tests.
1561
1562         * stress/SharedArrayBuffer-opt.js:
1563         * stress/SharedArrayBuffer.js:
1564         * stress/array-buffer-byte-length.js:
1565         * stress/atomics-add-uint32.js:
1566         * stress/atomics-known-int-use.js:
1567         * stress/atomics-neg-zero.js:
1568         * stress/atomics-store-return.js:
1569         * stress/lars-sab-workers.js:
1570         * stress/regress-159779-1.js:
1571         * stress/regress-159779-2.js:
1572         * stress/regress-170473.js:
1573         * test262.yaml:
1574
1575 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1576
1577         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1578         https://bugs.webkit.org/show_bug.cgi?id=181258
1579
1580         Reviewed by Antonio Gomes.
1581
1582         * stress/big-int-constructor-gc.js:
1583         * stress/big-int-constructor-oom.js:
1584
1585 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1586
1587         Inlining of a function that ends in op_unreachable crashes
1588         https://bugs.webkit.org/show_bug.cgi?id=181027
1589
1590         Reviewed by Filip Pizlo.
1591
1592         * stress/inlining-unreachable.js: Added.
1593         (bar):
1594         (baz):
1595         (i.catch):
1596
1597 2018-01-02  Saam Barati  <sbarati@apple.com>
1598
1599         Incorrect assertion inside AccessCase
1600         https://bugs.webkit.org/show_bug.cgi?id=181200
1601         <rdar://problem/35494754>
1602
1603         Reviewed by Yusuke Suzuki.
1604
1605         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1606         (ctor):
1607         (theFunc):
1608         (run):
1609
1610 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1611
1612         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1613         https://bugs.webkit.org/show_bug.cgi?id=175359
1614
1615         Reviewed by Yusuke Suzuki.
1616
1617         * bigIntTests.yaml:
1618         * stress/big-int-as-key.js: Added.
1619         * stress/big-int-constructor-gc.js: Added.
1620         * stress/big-int-constructor-oom.js: Added.
1621         * stress/big-int-constructor-properties.js: Added.
1622         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
1623         * stress/big-int-constructor-prototype.js: Added.
1624         * stress/big-int-constructor.js: Added.
1625         * stress/big-int-function-apply.js:
1626         * stress/big-int-length.js: Added.
1627         * stress/big-int-prop-descriptor.js: Added.
1628         * stress/big-int-proto-constructor.js: Added.
1629         * stress/big-int-proto-name.js: Added.
1630         * stress/big-int-prototype-properties.js: Added.
1631         * stress/big-int-prototype-proto.js: Added.
1632         * stress/big-int-prototype-value-of.js: Added.
1633         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
1634         * stress/big-int-prototype-to-string-apply.js: Added.
1635         * stress/big-int-to-object.js: Added.
1636         * stress/big-int-to-string.js: Added.
1637
1638 2017-12-28  Saam Barati  <sbarati@apple.com>
1639
1640         Assertion used to determine if something is an async generator is wrong
1641         https://bugs.webkit.org/show_bug.cgi?id=181168
1642         <rdar://problem/35640560>
1643
1644         Reviewed by Yusuke Suzuki.
1645
1646         * stress/async-generator-assertion.js: Added.
1647
1648 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1649
1650         Skip stress/splay-flash-access tests on memory limited platforms
1651         https://bugs.webkit.org/show_bug.cgi?id=181086
1652
1653         Reviewed by Carlos Alberto Lopez Perez.
1654
1655         These tests use about 185M of memory, and occasionally get OOM-killed
1656         on memory limited platforms.
1657
1658         * stress/splay-flash-access-1ms.js:
1659         * stress/splay-flash-access.js:
1660
1661 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
1662
1663         Skip slow jsc tests on embedded platforms
1664         https://bugs.webkit.org/show_bug.cgi?id=180937
1665
1666         Reviewed by Carlos Alberto Lopez Perez.
1667
1668         The tests typeProfiler/deltablue-for-of.js and
1669         typeProfiler/getter-richards.js take a very long time in the
1670         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
1671         thus always timeout. They should be skipped on these platforms.
1672
1673         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
1674         * typeProfiler/getter-richards.js: Skip on arm*/mips.
1675
1676 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1677
1678         [JSC] Do not check isValid() in op_new_regexp
1679         https://bugs.webkit.org/show_bug.cgi?id=180970
1680
1681         Reviewed by Saam Barati.
1682
1683         * stress/regexp-syntax-error-invalid-flags.js: Added.
1684         (shouldThrow):
1685
1686 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
1687
1688         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
1689         https://bugs.webkit.org/show_bug.cgi?id=180712
1690
1691         Reviewed by Michael Catanzaro.
1692
1693         stress/call-apply-exponential-bytecode-size.js crashes if the
1694         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
1695         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
1696         should skip the test on other platforms.
1697
1698         * stress/call-apply-exponential-bytecode-size.js:
1699
1700 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1701
1702         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
1703         https://bugs.webkit.org/show_bug.cgi?id=179762
1704
1705         Reviewed by Saam Barati.
1706
1707         * stress/call-varargs-double-new-array-buffer.js: Added.
1708         (assert):
1709         (bar):
1710         (foo):
1711         * stress/call-varargs-spread-new-array-buffer.js: Added.
1712         (assert):
1713         (bar):
1714         (foo):
1715         * stress/call-varargs-spread-new-array-buffer2.js: Added.
1716         (assert):
1717         (bar):
1718         (foo):
1719         * stress/forward-varargs-double-new-array-buffer.js: Added.
1720         (assert):
1721         (test.baz):
1722         (test.bar):
1723         (test.foo):
1724         (test):
1725         * stress/new-array-buffer-sinking-osrexit.js: Added.
1726         (target):
1727         (test):
1728         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
1729         (shouldBe):
1730         (test):
1731         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
1732         (shouldBe):
1733         (target):
1734         (test):
1735         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
1736         (assert):
1737         (test1.bar):
1738         (test1.foo):
1739         (test1):
1740         (test2.bar):
1741         (test2.foo):
1742         (test3.baz):
1743         (test3.bar):
1744         (test3.foo):
1745         (test4.baz):
1746         (test4.bar):
1747         (test4.foo):
1748         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
1749         (assert):
1750         (test.baz):
1751         (test.bar):
1752         (test.foo):
1753         (test):
1754         * stress/phantom-new-array-buffer-osr-exit.js: Added.
1755         (assert):
1756         (baz):
1757         (bar):
1758         (effects):
1759         (foo):
1760
1761 2017-12-14  Saam Barati  <sbarati@apple.com>
1762
1763         The CleanUp after LICM is erroneously removing a Check
1764         https://bugs.webkit.org/show_bug.cgi?id=180852
1765         <rdar://problem/36063494>
1766
1767         Reviewed by Filip Pizlo.
1768
1769         * stress/dont-run-cleanup-after-licm.js: Added.
1770
1771 2017-12-14  Michael Saboff  <msaboff@apple.com>
1772
1773         REGRESSION (r225695): Repro crash on yahoo login page
1774         https://bugs.webkit.org/show_bug.cgi?id=180761
1775
1776         Reviewed by JF Bastien.
1777
1778         New regression test.
1779
1780         * stress/regress-180761.js: Added.
1781
1782 2017-12-13  Keith Miller  <keith_miller@apple.com>
1783
1784         JSObjects should have a mask for loading indexed properties
1785         https://bugs.webkit.org/show_bug.cgi?id=180768
1786
1787         Reviewed by Mark Lam.
1788
1789         * stress/int16-put-by-val-in-and-out-of-bounds.js:
1790         (test):
1791
1792 2017-12-13  Saam Barati  <sbarati@apple.com>
1793
1794         Arrow functions need their own structure because they have different properties than sloppy functions
1795         https://bugs.webkit.org/show_bug.cgi?id=180779
1796         <rdar://problem/35814591>
1797
1798         Reviewed by Mark Lam.
1799
1800         * stress/arrow-function-needs-its-own-structure.js: Added.
1801         (assert):
1802         (readPrototype):
1803         (noInline.let.f1):
1804         (noInline):
1805
1806 2017-12-13  Saam Barati  <sbarati@apple.com>
1807
1808         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1809         https://bugs.webkit.org/show_bug.cgi?id=163579
1810         <rdar://problem/35455798>
1811
1812         Reviewed by Mark Lam.
1813
1814         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
1815         (assert):
1816         (test1):
1817         (i.test1):
1818         (i.test1.C):
1819         (i.test1.async.foo):
1820         (i.test1.foo):
1821         (test2):
1822
1823 2017-12-13  Saam Barati  <sbarati@apple.com>
1824
1825         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1826         https://bugs.webkit.org/show_bug.cgi?id=180734
1827         <rdar://problem/35640547>
1828
1829         Reviewed by Yusuke Suzuki.
1830
1831         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
1832         (__isPropertyOfType):
1833         (__getProperties):
1834         (__getObjects):
1835         (__getRandomObject):
1836         (theClass.):
1837         (theClass):
1838         (childClass):
1839         (counter.catch):
1840
1841 2017-12-12  Saam Barati  <sbarati@apple.com>
1842
1843         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1844         https://bugs.webkit.org/show_bug.cgi?id=180725
1845         <rdar://problem/35970511>
1846
1847         Reviewed by Michael Saboff.
1848
1849         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
1850         (f1):
1851         (f2):
1852         (let.o2.valueOf):
1853
1854 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1855
1856         [JSC] Implement optimized WeakMap and WeakSet
1857         https://bugs.webkit.org/show_bug.cgi?id=179929
1858
1859         Reviewed by Saam Barati.
1860
1861         * microbenchmarks/weak-map-key.js:
1862         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
1863         (assert):
1864         (objectKey):
1865         (let.start.Date.now):
1866         * stress/basic-weakmap.js: Added.
1867         (shouldBe):
1868         (test):
1869         * stress/basic-weakset.js: Added.
1870         (shouldBe):
1871         (test.set new):
1872         * stress/weakmap-cse-set-break.js: Added.
1873         (shouldBe):
1874         (test):
1875         * stress/weakmap-cse.js: Added.
1876         (shouldBe):
1877         (test):
1878         * stress/weakmap-gc.js: Added.
1879         (test):
1880         * stress/weakset-cse-add-break.js: Added.
1881         (shouldBe):
1882         (test.set new):
1883         * stress/weakset-cse.js: Added.
1884         (shouldBe):
1885         (test.set new):
1886         * stress/weakset-gc.js: Added.
1887         (test.set add):
1888         (test.set new):
1889         (test):
1890
1891 2017-12-12  Saam Barati  <sbarati@apple.com>
1892
1893         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1894         https://bugs.webkit.org/show_bug.cgi?id=180723
1895         <rdar://problem/35859726>
1896
1897         Reviewed by JF Bastien.
1898
1899         * stress/get-my-argument-by-val-constant-folding.js: Added.
1900         (test):
1901         (catch):
1902
1903 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1904
1905         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1906         https://bugs.webkit.org/show_bug.cgi?id=179000
1907
1908         Reviewed by Darin Adler and Yusuke Suzuki.
1909
1910         * bigIntTests.yaml: Added.
1911         * stress/big-int-literal-line-terminator.js: Added.
1912         * stress/big-int-literals.js: Added.
1913         * stress/big-int-operations-error.js: Added.
1914         * stress/big-int-type-of.js: Added.
1915         * stress/big-int-white-space-trailing-leading.js: Added.
1916         * stress/big-int-function-apply.js: Added.
1917
1918 2017-12-11  Saam Barati  <sbarati@apple.com>
1919
1920         We need to disableCaching() in ErrorInstance when we materialize properties
1921         https://bugs.webkit.org/show_bug.cgi?id=180343
1922         <rdar://problem/35833002>
1923
1924         Reviewed by Mark Lam.
1925
1926         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
1927         (assert):
1928         (makeError):
1929         (storeToStack):
1930         (storeToStackAlreadyMaterialized):
1931
1932 2017-12-05  JF Bastien  <jfbastien@apple.com>
1933
1934         WebAssembly: don't eagerly checksum
1935         https://bugs.webkit.org/show_bug.cgi?id=180441
1936         <rdar://problem/35156628>
1937
1938         Reviewed by Saam Barati.
1939
1940         Checksum is now disabled, so tests only have <?> as the module
1941         name.
1942
1943         * wasm/function-tests/nameSection.js:
1944         * wasm/function-tests/stack-overflow.js:
1945         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
1946         (assertOverflows.assertThrows):
1947         (assertOverflows):
1948         * wasm/function-tests/stack-trace.js:
1949
1950 2017-12-04  JF Bastien  <jfbastien@apple.com>
1951
1952         Proxy all functions, except the $ objects
1953         https://bugs.webkit.org/show_bug.cgi?id=180375
1954
1955         Reviewed by Saam Barati.
1956
1957         It looks like this test may have broken some executions because I
1958         call some internal objects. Explicitly ignore objects whose name
1959         starts with "$" because it's a bad idea anyways.
1960
1961         * stress/proxy-all-the-parameters.js:
1962         (generateObjects):
1963         (get throw):
1964
1965 2017-12-04  Saam Barati  <sbarati@apple.com>
1966
1967         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
1968         https://bugs.webkit.org/show_bug.cgi?id=180366
1969         <rdar://problem/35685877>
1970
1971         Reviewed by Michael Saboff.
1972
1973         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
1974         (theParent):
1975         (test1.base.getParentStaticValue):
1976         (test1.base):
1977         (test1.__v_24888.prototype.set prop):
1978         (test1.__v_24888):
1979         (test2.base.getParentStaticValue):
1980         (test2.base):
1981         (test2.__v_24888.prototype.set prop):
1982         (test2.__v_24888):
1983         (test2):
1984
1985 2017-12-01  JF Bastien  <jfbastien@apple.com>
1986
1987         Try proxying all function arguments
1988         https://bugs.webkit.org/show_bug.cgi?id=180306
1989
1990         Reviewed by Saam Barati.
1991
1992         * stress/proxy-all-the-parameters.js: Added.
1993         (isPropertyOfType):
1994         (getProperties):
1995         (generateObjects):
1996         (getObjects):
1997         (getFunctions):
1998         (get throw):
1999         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2000
2001 2017-12-01  JF Bastien  <jfbastien@apple.com>
2002
2003         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2004         https://bugs.webkit.org/show_bug.cgi?id=180297
2005         <rdar://problem/35745556>
2006
2007         Reviewed by Mark Lam.
2008
2009         * stress/math-exceptions.js: Added.
2010         (get try):
2011         (catch):
2012
2013 2017-12-01  JF Bastien  <jfbastien@apple.com>
2014
2015         JavaScriptCore: add test for weird class static getters
2016         https://bugs.webkit.org/show_bug.cgi?id=180281
2017         <rdar://problem/35592139>
2018
2019         Reviewed by Mark Lam.
2020
2021         I fixed a bug for it in r224927 and didn't add a test. Do so.
2022
2023         * stress/class-static-get-weird.js: Added.
2024         (c.prototype.get name):
2025         (c):
2026         (c.prototype.get arguments):
2027         (c.prototype.get caller):
2028         (c.prototype.get length):
2029
2030 2017-12-01  Saam Barati  <sbarati@apple.com>
2031
2032         Having a bad time needs to handle ArrayClass indexing type as well
2033         https://bugs.webkit.org/show_bug.cgi?id=180274
2034         <rdar://problem/35667869>
2035
2036         Reviewed by Keith Miller and Mark Lam.
2037
2038         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2039         (assert):
2040         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2041         (assert):
2042
2043 2017-12-01  JF Bastien  <jfbastien@apple.com>
2044
2045         WebAssembly: restore cached stack limit after out-call
2046         https://bugs.webkit.org/show_bug.cgi?id=179106
2047         <rdar://problem/35337525>
2048
2049         Reviewed by Saam Barati.
2050
2051         * wasm/function-tests/double-instance.js: Added.
2052         (const.imp.boom):
2053         (const.imp.get callAnother):
2054
2055 2017-11-30  JF Bastien  <jfbastien@apple.com>
2056
2057         WebAssembly: improve stack trace
2058         https://bugs.webkit.org/show_bug.cgi?id=179343
2059
2060         Reviewed by Saam Barati.
2061
2062         Update the tests to follow the new format. Notably, SHA1 module
2063         hash is now included in traces, and stubs are properly identified.
2064
2065         * wasm/assert.js: Add an assertion which matches regular expressions.
2066         * wasm/function-tests/nameSection.js:
2067         * wasm/function-tests/stack-overflow.js:
2068         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2069         (assertOverflows.assertThrows.wasm.1):
2070         (assertOverflows.assertThrows.wasm.0):
2071         (assertOverflows.assertThrows):
2072         (assertOverflows):
2073         * wasm/function-tests/stack-trace.js:
2074         (import.Builder.from.string_appeared_here.assert): Deleted.
2075         * wasm/function-tests/trap-after-cross-instance-call.js:
2076         (wasmFrameCountFromError):
2077         * wasm/function-tests/trap-load-2.js:
2078         (wasmFrameCountFromError):
2079         * wasm/function-tests/trap-load.js:
2080         (wasmFrameCountFromError):
2081
2082 2017-11-30  Mark Lam  <mark.lam@apple.com>
2083
2084         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2085         https://bugs.webkit.org/show_bug.cgi?id=180219
2086         <rdar://problem/35696536>
2087
2088         Reviewed by Filip Pizlo.
2089
2090         * stress/regress-180219.js: Added.
2091
2092 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2093
2094         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2095         https://bugs.webkit.org/show_bug.cgi?id=180190
2096
2097         Reviewed by Mark Lam.
2098
2099         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2100         (shouldBe):
2101         (test1):
2102         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2103         (shouldBe):
2104         (test1):
2105         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2106         (shouldBe):
2107         (test1):
2108         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2109         (shouldBe):
2110         (test1):
2111         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2112         (shouldBe):
2113         (test1):
2114         * stress/operation-in-may-have-negative-int32.js: Added.
2115         (shouldBe):
2116         (test2):
2117         * stress/operation-in-negative-int32-cast.js: Added.
2118         (shouldBe):
2119         (test1):
2120
2121 2017-11-28  JF Bastien  <jfbastien@apple.com>
2122
2123         Strict and sloppy functions shouldn't share structure
2124         https://bugs.webkit.org/show_bug.cgi?id=180103
2125         <rdar://problem/35667847>
2126
2127         Reviewed by Saam Barati.
2128
2129         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2130         because the IC was wrong.
2131         (foo):
2132         (bar):
2133         (baz):
2134         (catch):
2135         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2136         in this patch, but may as well test odd strict mode corner cases.
2137         (bar):
2138         (baz):
2139         (catch):
2140         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2141         (foo):
2142         (bar):
2143         (baz):
2144         (catch):
2145         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2146         next file, but with invalidation of the FunctionExecutable's
2147         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2148         slower path.
2149         (foo):
2150         (bar.const.x):
2151         (bar.const.y):
2152         (bar):
2153         (catch):
2154         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2155         strict nesting works correctly.
2156         (foo):
2157         (bar.baz):
2158         (bar):
2159         * stress/strict-function-structure.js: Added. The test used to
2160         assert in objectProtoFuncHasOwnProperty.
2161         (foo):
2162         (bar):
2163         (baz):
2164         * stress/strict-nested-function-structure.js: Added. Nesting.
2165         (foo):
2166         (bar):
2167         (baz.boo):
2168         (baz):
2169
2170 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2171
2172         The recursive tail call optimisation is wrong on closures
2173         https://bugs.webkit.org/show_bug.cgi?id=179835
2174
2175         Reviewed by Saam Barati.
2176
2177         * stress/closure-recursive-tail-call.js: Added.
2178         (makeClosure):
2179
2180 2017-11-27  JF Bastien  <jfbastien@apple.com>
2181
2182         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2183         https://bugs.webkit.org/show_bug.cgi?id=180051
2184         <rdar://problem/35614371>
2185
2186         Reviewed by Saam Barati.
2187
2188         * stress/rest-parameter-negative.js: Added.
2189         (__f_5484):
2190         (catch):
2191         (__f_5485):
2192         (__v_22598.catch):
2193
2194 2017-11-27  Saam Barati  <sbarati@apple.com>
2195
2196         Spread can escape when CreateRest does not
2197         https://bugs.webkit.org/show_bug.cgi?id=180057
2198         <rdar://problem/35676119>
2199
2200         Reviewed by JF Bastien.
2201
2202         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2203         (assert):
2204         (getProperties):
2205         (theFunc):
2206         (let.obj.valueOf):
2207
2208 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2209
2210         [DFG] Add NormalizeMapKey DFG IR
2211         https://bugs.webkit.org/show_bug.cgi?id=179912
2212
2213         Reviewed by Saam Barati.
2214
2215         * stress/map-untyped-normalize-cse.js: Added.
2216         (shouldBe):
2217         (test):
2218         * stress/map-untyped-normalize.js: Added.
2219         (shouldBe):
2220         (test):
2221         * stress/set-untyped-normalize-cse.js: Added.
2222         (shouldBe):
2223         (set return.set has.set has):
2224         * stress/set-untyped-normalize.js: Added.
2225         (shouldBe):
2226         (set return.set has):
2227
2228 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2229
2230         [FTL] Support DeleteById and DeleteByVal
2231         https://bugs.webkit.org/show_bug.cgi?id=180022
2232
2233         Reviewed by Saam Barati.
2234
2235         * stress/delete-by-id.js: Added.
2236         (shouldBe):
2237         (test1):
2238         (test2):
2239         * stress/delete-by-val-ftl.js: Added.
2240         (shouldBe):
2241         (test1):
2242         (test2):
2243
2244 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2245
2246         [DFG] Introduce {Set,Map,WeakMap}Fields
2247         https://bugs.webkit.org/show_bug.cgi?id=179925
2248
2249         Reviewed by Saam Barati.
2250
2251         * stress/map-set-clobber-map-get.js: Added.
2252         (shouldBe):
2253         (test):
2254         * stress/map-set-does-not-clobber-set-has.js: Added.
2255         (shouldBe):
2256         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2257         (shouldBe):
2258         (test):
2259         * stress/set-add-clobber-set-has.js: Added.
2260         (shouldBe):
2261         * stress/set-add-does-not-clobber-map-get.js: Added.
2262         (shouldBe):
2263
2264 2017-11-24  Mark Lam  <mark.lam@apple.com>
2265
2266         Move unsafe jsc shell test functions to the $vm object.
2267         https://bugs.webkit.org/show_bug.cgi?id=179980
2268
2269         Reviewed by Yusuke Suzuki.
2270
2271         * controlFlowProfiler/driver/driver.js:
2272         * controlFlowProfiler/execution-count.js:
2273         * controlFlowProfiler/if-statement.js:
2274         * controlFlowProfiler/loop-statements.js:
2275         * controlFlowProfiler/switch-statements.js:
2276         * controlFlowProfiler/test-jit.js:
2277         * exceptionFuzz/3d-cube.js:
2278         * exceptionFuzz/date-format-xparb.js:
2279         * exceptionFuzz/earley-boyer.js:
2280         * heapProfiler/basic-edges.js:
2281         * heapProfiler/property-edge-types.js:
2282         * microbenchmarks/try-get-by-id-basic.js:
2283         * microbenchmarks/try-get-by-id-polymorphic.js:
2284         * modules/namespace-object-try-get.js:
2285         * stress/argument-count-bytecode.js:
2286         * stress/argument-intrinsic-basic.js:
2287         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2288         * stress/argument-intrinsic-inlining-with-result-escape.js:
2289         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2290         * stress/argument-intrinsic-inlining-with-vararg.js:
2291         * stress/argument-intrinsic-nested-inlining.js:
2292         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2293         * stress/argument-intrinsic-with-stack-write.js:
2294         * stress/arity-mismatch-get-argument.js:
2295         * stress/array-message-passing.js:
2296         * stress/array-push-with-force-exit.js:
2297         * stress/check-dom-with-signature.js:
2298         * stress/check-sub-class.js:
2299         * stress/compare-eq-incomplete-profile.js:
2300         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2301         * stress/do-eval-virtual-call-correctly.js:
2302         * stress/dom-jit-with-poly-proto.js:
2303         * stress/domjit-exception-ic.js:
2304         * stress/domjit-exception.js:
2305         * stress/domjit-getter-complex-with-incorrect-object.js:
2306         * stress/domjit-getter-complex.js:
2307         * stress/domjit-getter-poly.js:
2308         * stress/domjit-getter-proto.js:
2309         * stress/domjit-getter-super-poly.js:
2310         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2311         * stress/domjit-getter-type-check.js:
2312         * stress/domjit-getter.js:
2313         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2314         * stress/for-in-proxy-target-changed-structure.js:
2315         * stress/for-in-proxy.js:
2316         * stress/generational-opaque-roots.js:
2317         * stress/global-const-redeclaration-setting-2.js:
2318         * stress/global-const-redeclaration-setting-3.js:
2319         * stress/global-const-redeclaration-setting-4.js:
2320         * stress/global-const-redeclaration-setting-5.js:
2321         * stress/global-const-redeclaration-setting.js:
2322         * stress/import-basic.js:
2323         * stress/import-from-eval.js:
2324         * stress/import-reject-with-exception.js:
2325         * stress/import-syntax.js:
2326         * stress/impure-get-own-property-slot-inline-cache.js:
2327         * stress/is-constructor.js:
2328         * stress/istypedarrayview-intrinsic.js:
2329         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2330         * stress/jsc-test-functions-should-be-more-robust.js:
2331         * stress/object-toString-with-proxy.js:
2332         * stress/poly-proto-custom-value-and-accessor.js:
2333         * stress/proxy-inline-cache.js:
2334         * stress/re-execute-error-module.js:
2335         * stress/regress-150532.js:
2336         * stress/regress-156992.js:
2337         * stress/regress-179619.js:
2338         * stress/resources/shadow-chicken-support.js:
2339         * stress/runtime-array.js:
2340         * stress/sampling-profiler-microtasks.js:
2341         * stress/shadow-chicken-enabled.js:
2342         * stress/spread-correct-global-object-on-exception.js:
2343         * stress/super-get-by-id.js:
2344         * stress/tailCallForwardArguments.js:
2345         * stress/to-object-intrinsic-boolean-edge.js:
2346         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2347         * stress/to-object-intrinsic-number-edge.js:
2348         * stress/to-object-intrinsic-object-edge.js:
2349         * stress/to-object-intrinsic-string-edge.js:
2350         * stress/to-object-intrinsic-symbol-edge.js:
2351         * stress/to-object-intrinsic.js:
2352         * stress/try-catch-custom-getter-as-get-by-id.js:
2353         * stress/try-get-by-id-poly-proto.js:
2354         * stress/try-get-by-id-should-spill-registers-dfg.js:
2355         * stress/try-get-by-id.js:
2356         * typeProfiler/arrow-functions.js:
2357         * typeProfiler/basic.js:
2358         * typeProfiler/captured.js:
2359         * typeProfiler/classes.js:
2360         * typeProfiler/dfg-jit-optimizations.js:
2361         * typeProfiler/dictionary-mode.js:
2362         * typeProfiler/es6-block-scoping.js:
2363         * typeProfiler/es6-classes.js:
2364         * typeProfiler/inheritance.js:
2365         * typeProfiler/int52-dfg.js:
2366         * typeProfiler/loop.js:
2367         * typeProfiler/optional-fields.js:
2368         * typeProfiler/overflow.js:
2369         * typeProfiler/return.js:
2370         * typeProfiler/symbol.js:
2371         * typeProfiler/weird-prototype-chain.js:
2372
2373 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2374
2375         [DFG][FTL] Support MapSet / SetAdd intrinsics
2376         https://bugs.webkit.org/show_bug.cgi?id=179858
2377
2378         Reviewed by Saam Barati.
2379
2380         * microbenchmarks/map-has-and-set.js: Added.
2381         (test):
2382         * stress/map-set-check-failure.js: Added.
2383         (shouldBe):
2384         (shouldThrow):
2385         (target):
2386         * stress/map-set-cse.js: Added.
2387         (shouldBe):
2388         (test):
2389         * stress/set-add-check-failure.js: Added.
2390         (shouldBe):
2391         (shouldThrow):
2392         (set shouldThrow):
2393         * stress/set-add-cse.js: Added.
2394         (shouldBe):
2395
2396 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2397
2398         [JSC] Allow poly proto for intrinsic getters
2399         https://bugs.webkit.org/show_bug.cgi?id=179550
2400
2401         Reviewed by Saam Barati.
2402
2403         This change is also tested by existing tests.
2404
2405             1. stress/intrinsic-getter-with-poly-proto.js
2406             2. stress/poly-proto-intrinsic-getter-correctness.js
2407
2408         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2409         (shouldBe):
2410         (makePolyProtoObject.foo.C):
2411         (makePolyProtoObject.foo):
2412         (makePolyProtoObject):
2413         (target):
2414         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2415         (shouldBe):
2416         (makePolyProtoObject.foo.C):
2417         (makePolyProtoObject.foo):
2418         (makePolyProtoObject):
2419         (target):
2420
2421 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2422
2423         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2424         https://bugs.webkit.org/show_bug.cgi?id=179744
2425
2426         Reviewed by Michael Catanzaro.
2427
2428         This test uses too much memory for our buildbots on these platforms
2429         and gets OOM-killed.
2430
2431         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2432         Skip if $memoryLimited and linux.
2433
2434 2017-11-17  JF Bastien  <jfbastien@apple.com>
2435
2436         WebAssembly JS API: throw when a promise can't be created
2437         https://bugs.webkit.org/show_bug.cgi?id=179826
2438         <rdar://problem/35455813>
2439
2440         Reviewed by Mark Lam.
2441
2442         Test WebAssembly.{compile,instantiate} where promise creation
2443         fails because of a stack overflow.
2444
2445         * wasm/js-api/promise-stack-overflow.js: Added.
2446         (const.runNearStackLimit.f.const.t):
2447         (async.testCompile):
2448         (async.testInstantiate):
2449
2450 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2451
2452         Unreviewed, mark regress-178385.js as memory exhausting
2453
2454         * stress/regress-178385.js:
2455
2456 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2457
2458         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2459
2460         Unreviewed test gardening.
2461
2462         * test262.yaml:
2463
2464 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2465
2466         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2467         https://bugs.webkit.org/show_bug.cgi?id=179763
2468         <rdar://problem/35550513>
2469
2470         Reviewed by Keith Miller.
2471
2472         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2473
2474         * stress/tdz-this-in-try-catch.js: Added.
2475         (__v_6388):
2476         (__v_6392):
2477
2478 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2479
2480         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2481         https://bugs.webkit.org/show_bug.cgi?id=179594
2482
2483         Reviewed by Saam Barati.
2484
2485         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2486         (shouldBe):
2487         (args):
2488         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2489         (shouldBe):
2490         (args):
2491
2492 2017-11-14  Saam Barati  <sbarati@apple.com>
2493
2494         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2495         https://bugs.webkit.org/show_bug.cgi?id=179639
2496         <rdar://problem/35513018>
2497
2498         Reviewed by JF Bastien.
2499
2500         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2501         (escape):
2502         (i.func):
2503
2504 2017-11-13  Mark Lam  <mark.lam@apple.com>
2505
2506         Add more overflow check book-keeping for MarkedArgumentBuffer.
2507         https://bugs.webkit.org/show_bug.cgi?id=179634
2508         <rdar://problem/35492517>
2509
2510         Reviewed by Saam Barati.
2511
2512         * stress/regress-179634.js: Added.
2513
2514 2017-11-13  Mark Lam  <mark.lam@apple.com>
2515
2516         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2517         https://bugs.webkit.org/show_bug.cgi?id=179619
2518         <rdar://problem/35492518>
2519
2520         Reviewed by Saam Barati.
2521
2522         * stress/regress-179619.js: Added.
2523
2524 2017-11-12  Mark Lam  <mark.lam@apple.com>
2525
2526         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2527         https://bugs.webkit.org/show_bug.cgi?id=179562
2528         <rdar://problem/35467022>
2529
2530         Reviewed by Saam Barati.
2531
2532         * regress-179562.js: Added.
2533
2534 2017-11-08  Saam Barati  <sbarati@apple.com>
2535
2536         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2537         https://bugs.webkit.org/show_bug.cgi?id=177792
2538
2539         Reviewed by Yusuke Suzuki.
2540
2541         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2542         (assert):
2543         (foo.Foo.prototype.ensureX):
2544         (foo.Foo):
2545         (foo):
2546         (access):
2547
2548 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2549
2550         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2551         https://bugs.webkit.org/show_bug.cgi?id=178592
2552
2553         Unreviewed test gardening.
2554
2555         * test262.yaml:
2556
2557 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2558
2559         Turn recursive tail calls into loops
2560         https://bugs.webkit.org/show_bug.cgi?id=176601
2561
2562         Reviewed by Saam Barati.
2563
2564         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2565
2566         Add some simple test that computes factorial in several ways, and other trivial computations.
2567         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2568         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2569         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2570         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2571
2572         * stress/inline-call-to-recursive-tail-call.js: Added.
2573         (factorial.aux):
2574         (factorial):
2575         (factorial2.aux2):
2576         (factorial2.id):
2577         (factorial2):
2578         (factorial3.aux3):
2579         (factorial3):
2580         (aux4):
2581         (factorial4):
2582         (foo):
2583         (auxBar):
2584         (bar):
2585         (test):
2586
2587 2017-11-07  Mark Lam  <mark.lam@apple.com>
2588
2589         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2590         https://bugs.webkit.org/show_bug.cgi?id=179355
2591         <rdar://problem/35263053>
2592
2593         Reviewed by Saam Barati.
2594
2595         * stress/regress-179355.js: Added.
2596
2597 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2598
2599         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2600         https://bugs.webkit.org/show_bug.cgi?id=144458
2601
2602         Reviewed by Saam Barati.
2603
2604         * microbenchmarks/dfg-internal-function-call.js: Added.
2605         (target):
2606         * microbenchmarks/dfg-internal-function-construct.js: Added.
2607         (target):
2608         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2609         (target):
2610         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2611         (target):
2612         * stress/dfg-internal-function-call.js: Added.
2613         (shouldBe):
2614         (target):
2615         * stress/dfg-internal-function-construct.js: Added.
2616         (shouldBe):
2617         (target):
2618         * stress/internal-function-call.js: Added.
2619         (shouldBe):
2620         * stress/internal-function-construct.js: Added.
2621         (shouldBe):
2622
2623 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
2624
2625         [Win] Skip stress/regress-178385.js.
2626         https://bugs.webkit.org/show_bug.cgi?id=179298
2627
2628         Unreviewed test gardening.
2629
2630         * stress/regress-178385.js:
2631
2632 2017-11-03  Keith Miller  <keith_miller@apple.com>
2633
2634         Add test for ic with side effects
2635         https://bugs.webkit.org/show_bug.cgi?id=179268
2636
2637         Reviewed by Saam Barati.
2638
2639         * stress/put-inline-cache-side-effects.js: Added.
2640         (let.i.of.objs.keys):
2641         (f):
2642
2643 2017-11-03  Mark Lam  <mark.lam@apple.com>
2644
2645         CachedCall (and its clients) needs overflow checks.
2646         https://bugs.webkit.org/show_bug.cgi?id=179185
2647
2648         Reviewed by JF Bastien.
2649
2650         * stress/regress-179185.js: Added.
2651
2652 2017-11-02  Michael Saboff  <msaboff@apple.com>
2653
2654         DFG needs to handle code motion of code in for..in loop bodies
2655         https://bugs.webkit.org/show_bug.cgi?id=179212
2656
2657         Reviewed by Keith Miller.
2658
2659         New regression test.
2660
2661         * stress/for-in-side-effects.js: Added.
2662         (getPrototypeOf):
2663         (reset):
2664         (testWithoutFTL.f):
2665         (testWithoutFTL):
2666         (testWithFTL.f):
2667         (testWithFTL):
2668
2669 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2670
2671         AI does not correctly model the clobber case of ArithClz32
2672         https://bugs.webkit.org/show_bug.cgi?id=179188
2673
2674         Reviewed by Michael Saboff.
2675
2676         * stress/arith-clz32-effects.js: Added.
2677         (foo):
2678         (valueOf):
2679
2680 2017-11-01  Michael Saboff  <msaboff@apple.com>
2681
2682         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2683         https://bugs.webkit.org/show_bug.cgi?id=179140
2684
2685         Reviewed by Saam Barati.
2686
2687         New regression test.
2688
2689         * stress/regress-179140.js: Added.
2690         (testWithoutFTL):
2691         (testWithFTL):
2692
2693 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2694
2695         [JSC] Introduce @toObject
2696         https://bugs.webkit.org/show_bug.cgi?id=178726
2697
2698         Reviewed by Saam Barati.
2699
2700         * stress/array-copywithin.js:
2701         (shouldThrow):
2702         * stress/object-constructor-boolean-edge.js: Added.
2703         (shouldBe):
2704         (test):
2705         * stress/object-constructor-global.js: Added.
2706         (shouldBe):
2707         * stress/object-constructor-null-edge.js: Added.
2708         (shouldBe):
2709         (test):
2710         * stress/object-constructor-number-edge.js: Added.
2711         (shouldBe):
2712         (test):
2713         * stress/object-constructor-object-edge.js: Added.
2714         (shouldBe):
2715         (test):
2716         (i.arg):
2717         * stress/object-constructor-string-edge.js: Added.
2718         (shouldBe):
2719         (test):
2720         * stress/object-constructor-symbol-edge.js: Added.
2721         (shouldBe):
2722         (test):
2723         * stress/object-constructor-undefined-edge.js: Added.
2724         (shouldBe):
2725         (test):
2726         * stress/symbol-array-from.js: Added.
2727         (shouldBe):
2728         * stress/to-object-intrinsic-boolean-edge.js: Added.
2729         (shouldBe):
2730         (builtin.createBuiltin):
2731         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
2732         (shouldThrow):
2733         * stress/to-object-intrinsic-number-edge.js: Added.
2734         (shouldBe):
2735         (builtin.createBuiltin):
2736         * stress/to-object-intrinsic-object-edge.js: Added.
2737         (shouldBe):
2738         (builtin.createBuiltin):
2739         (i.arg):
2740         * stress/to-object-intrinsic-string-edge.js: Added.
2741         (shouldBe):
2742         (builtin.createBuiltin):
2743         * stress/to-object-intrinsic-symbol-edge.js: Added.
2744         (shouldBe):
2745         (builtin.createBuiltin):
2746         * stress/to-object-intrinsic.js: Added.
2747         (shouldBe):
2748         (shouldThrow):
2749         (builtin.createBuiltin):
2750
2751 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2752
2753         [DFG][FTL] Introduce StringSlice
2754         https://bugs.webkit.org/show_bug.cgi?id=178934
2755
2756         Reviewed by Saam Barati.
2757
2758         * microbenchmarks/string-slice-empty.js: Added.
2759         (slice):
2760         * microbenchmarks/string-slice-one-char.js: Added.
2761         (slice):
2762         * microbenchmarks/string-slice.js: Added.
2763         (slice):
2764
2765 2017-10-26  Michael Saboff  <msaboff@apple.com>
2766
2767         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2768         https://bugs.webkit.org/show_bug.cgi?id=178890
2769
2770         Reviewed by Keith Miller.
2771
2772         New regression test.
2773
2774         * stress/regress-178890.js: Added.
2775
2776 2017-10-26  Mark Lam  <mark.lam@apple.com>
2777
2778         JSRopeString::RopeBuilder::append() should check for overflows.
2779         https://bugs.webkit.org/show_bug.cgi?id=178385
2780         <rdar://problem/35027468>
2781
2782         Reviewed by Saam Barati.
2783
2784         * stress/regress-178385.js: Added.
2785
2786 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
2787
2788         Unreviewed, rolling out r223961.
2789
2790         The change that required this has been rolled out.
2791
2792         Reverted changeset:
2793
2794         "Mark test262.yaml/test262/test/language/statements/try/tco-
2795         catch.js as passing."
2796         https://bugs.webkit.org/show_bug.cgi?id=178592
2797         https://trac.webkit.org/changeset/223961
2798
2799 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2800
2801         Unreviewed, rolling out r223691 and r223729.
2802         https://bugs.webkit.org/show_bug.cgi?id=178834
2803
2804         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2805         by rniwa on #webkit).
2806
2807         Reverted changesets:
2808
2809         "Turn recursive tail calls into loops"
2810         https://bugs.webkit.org/show_bug.cgi?id=176601
2811         https://trac.webkit.org/changeset/223691
2812
2813         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2814         comparison is always false due to limited range of data type
2815         [-Wtype-limits]"
2816         https://bugs.webkit.org/show_bug.cgi?id=178543
2817         https://trac.webkit.org/changeset/223729
2818
2819 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
2820
2821         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2822         https://bugs.webkit.org/show_bug.cgi?id=178592
2823
2824         Unreviewed test gardening.
2825
2826         * test262.yaml:
2827
2828 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2829
2830         [FTL] Support NewStringObject
2831         https://bugs.webkit.org/show_bug.cgi?id=178737
2832
2833         Reviewed by Saam Barati.
2834
2835         * stress/new-string-object.js: Added.
2836         (shouldBe):
2837         (test):
2838
2839 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2840
2841         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2842         https://bugs.webkit.org/show_bug.cgi?id=178308
2843
2844         Reviewed by Mark Lam.
2845
2846         * test262.yaml:
2847
2848 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         [JSC] Use fastJoin in Array#toString
2851         https://bugs.webkit.org/show_bug.cgi?id=178062
2852
2853         Reviewed by Darin Adler.
2854
2855         * microbenchmarks/contiguous-array-to-string.js: Added.
2856         (target):
2857         * microbenchmarks/double-array-to-string.js: Added.
2858         (target):
2859         * microbenchmarks/int32-array-to-string.js: Added.
2860         (target):
2861
2862 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
2863
2864         stress/check-string-ident.js is improperly skipped
2865         https://bugs.webkit.org/show_bug.cgi?id=178642
2866
2867         Reviewed by Saam Barati.
2868
2869         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
2870         since it enforces the run-jsc-stress-tests script to still set up the
2871         test to run, despite the skip directive that's used before.
2872
2873 2017-10-20  Mark Lam  <mark.lam@apple.com>
2874
2875         Add a test case for r214334.
2876         https://bugs.webkit.org/show_bug.cgi?id=169941
2877         <rdar://problem/31221258>
2878
2879         Reviewed by JF Bastien.
2880
2881         * stress/regress-169941.js: Added.
2882
2883 2017-10-19  JF Bastien  <jfbastien@apple.com>
2884
2885         WebAssembly: no VM / JS version of everything but Instance
2886         https://bugs.webkit.org/show_bug.cgi?id=177473
2887
2888         Reviewed by Filip Pizlo, Saam Barati.
2889
2890         - Exceeding max on memory growth now returns a range error as per
2891         spec. This is a (very minor) breaking change: it used to throw OOM
2892         error. Update the corresponding test.
2893
2894         * wasm/js-api/memory-grow.js:
2895         (assertEq):
2896         * wasm/js-api/table.js:
2897         (assert.throws):
2898
2899 2017-10-19  Mark Lam  <mark.lam@apple.com>
2900
2901         Stringifier::appendStringifiedValue() is missing an exception check.
2902         https://bugs.webkit.org/show_bug.cgi?id=178386
2903         <rdar://problem/35027610>
2904
2905         Reviewed by Saam Barati.
2906
2907         * stress/regress-178386.js: Added.
2908
2909 2017-10-19  Michael Saboff  <msaboff@apple.com>
2910
2911         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2912         https://bugs.webkit.org/show_bug.cgi?id=178521
2913
2914         Reviewed by JF Bastien.
2915
2916         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
2917         now passes with the current version (5.0) of the Emoji spec.
2918
2919 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2920
2921         Turn recursive tail calls into loops
2922         https://bugs.webkit.org/show_bug.cgi?id=176601
2923
2924         Reviewed by Saam Barati.
2925
2926         Add some simple test that computes factorial in several ways, and other trivial computations.
2927         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2928         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2929         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2930         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2931
2932         * stress/inline-call-to-recursive-tail-call.js: Added.
2933         (factorial.aux):
2934         (factorial):
2935         (factorial2.aux):
2936         (factorial2.id):
2937         (factorial2):
2938         (factorial3.aux):
2939         (factorial3):
2940         (aux):
2941         (factorial4):
2942         (test):
2943
2944 2017-10-18  Mark Lam  <mark.lam@apple.com>
2945
2946         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2947         https://bugs.webkit.org/show_bug.cgi?id=177600
2948         <rdar://problem/34710985>
2949
2950         Reviewed by Saam Barati.
2951
2952         * stress/regress-177600.js: Added.
2953
2954 2017-10-18  Mark Lam  <mark.lam@apple.com>
2955
2956         The compiler should always register a structure when it adds its transitionWatchPointSet.
2957         https://bugs.webkit.org/show_bug.cgi?id=178420
2958         <rdar://problem/34814024>
2959
2960         Reviewed by Saam Barati and Filip Pizlo.
2961
2962         * stress/regress-178420.js: Added.
2963         (new.Array.10000.map):
2964
2965 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2966
2967         [JSC] __proto__ getter should be fast
2968         https://bugs.webkit.org/show_bug.cgi?id=178067
2969
2970         Reviewed by Saam Barati.
2971
2972         * stress/dfg-object-proto-accessor.js: Added.
2973         (shouldBe):
2974         (shouldThrow):
2975         (target):
2976         * stress/dfg-object-proto-getter.js: Added.
2977         (shouldBe):
2978         (shouldThrow):
2979         (target):
2980         * stress/dfg-object-prototype-of.js: Added.
2981         (shouldBe):
2982         (shouldThrow):
2983         (target):
2984         * stress/dfg-reflect-get-prototype-of.js: Added.
2985         (shouldBe):
2986         (shouldThrow):
2987         (target):
2988         * stress/intrinsic-getter-with-poly-proto.js: Added.
2989         (shouldBe):
2990         (makePolyProtoObject.foo.C):
2991         (makePolyProtoObject.foo):
2992         (makePolyProtoObject):
2993         (target):
2994         * stress/object-get-prototype-of-filtered.js: Added.
2995         (shouldBe):
2996         (shouldThrow):
2997         (target):
2998         (i.Cocoa):
2999         * stress/object-get-prototype-of-mono-proto.js: Added.
3000         (shouldBe):
3001         (makePolyProtoObject.foo.C):
3002         (makePolyProtoObject.foo):
3003         (makePolyProtoObject):
3004         (target):
3005         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3006         (shouldBe):
3007         (makePolyProtoObject.foo.C):
3008         (makePolyProtoObject.foo):
3009         (makePolyProtoObject):
3010         (target):
3011         * stress/object-get-prototype-of-poly-proto.js: Added.
3012         (shouldBe):
3013         (makePolyProtoObject.foo.C):
3014         (makePolyProtoObject.foo):
3015         (makePolyProtoObject):
3016         (target):
3017         * stress/object-proto-getter-filtered.js: Added.
3018         (shouldBe):
3019         (shouldThrow):
3020         (target):
3021         (i.Cocoa):
3022         * stress/object-proto-getter-poly-mono-proto.js: Added.
3023         (shouldBe):
3024         (makePolyProtoObject.foo.C):
3025         (makePolyProtoObject.foo):
3026         (makePolyProtoObject):
3027         (target):
3028         * stress/object-proto-getter-poly-proto.js: Added.
3029         (shouldBe):
3030         (makePolyProtoObject.foo.C):
3031         (makePolyProtoObject.foo):
3032         (makePolyProtoObject):
3033         (target):
3034         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3035         * stress/string-proto.js: Added.
3036         (shouldBe):
3037         (target):
3038
3039 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3040
3041         Unreviewed, rolling out r223523.
3042
3043         A test for this change is failing on debug JSC bots.
3044
3045         Reverted changeset:
3046
3047         "[JSC] __proto__ getter should be fast"
3048         https://bugs.webkit.org/show_bug.cgi?id=178067
3049         https://trac.webkit.org/changeset/223523
3050
3051 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3052
3053         [JSC] __proto__ getter should be fast
3054         https://bugs.webkit.org/show_bug.cgi?id=178067
3055
3056         Reviewed by Saam Barati.
3057
3058         * stress/dfg-object-proto-accessor.js: Added.
3059         (shouldBe):
3060         (shouldThrow):
3061         (target):
3062         * stress/dfg-object-proto-getter.js: Added.
3063         (shouldBe):
3064         (shouldThrow):
3065         (target):
3066         * stress/dfg-object-prototype-of.js: Added.
3067         (shouldBe):
3068         (shouldThrow):
3069         (target):
3070         * stress/dfg-reflect-get-prototype-of.js: Added.
3071         (shouldBe):
3072         (shouldThrow):
3073         (target):
3074         * stress/object-get-prototype-of-filtered.js: Added.
3075         (shouldBe):
3076         (shouldThrow):
3077         (target):
3078         (i.Cocoa):
3079         * stress/object-get-prototype-of-mono-proto.js: Added.
3080         (shouldBe):
3081         (makePolyProtoObject.foo.C):
3082         (makePolyProtoObject.foo):
3083         (makePolyProtoObject):
3084         (target):
3085         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3086         (shouldBe):
3087         (makePolyProtoObject.foo.C):
3088         (makePolyProtoObject.foo):
3089         (makePolyProtoObject):
3090         (target):
3091         * stress/object-get-prototype-of-poly-proto.js: Added.
3092         (shouldBe):
3093         (makePolyProtoObject.foo.C):
3094         (makePolyProtoObject.foo):
3095         (makePolyProtoObject):
3096         (target):
3097         * stress/object-proto-getter-filtered.js: Added.
3098         (shouldBe):
3099         (shouldThrow):
3100         (target):
3101         (i.Cocoa):
3102         * stress/object-proto-getter-poly-mono-proto.js: Added.
3103         (shouldBe):
3104         (makePolyProtoObject.foo.C):
3105         (makePolyProtoObject.foo):
3106         (makePolyProtoObject):
3107         (target):
3108         * stress/object-proto-getter-poly-proto.js: Added.
3109         (shouldBe):
3110         (makePolyProtoObject.foo.C):
3111         (makePolyProtoObject.foo):
3112         (makePolyProtoObject):
3113         (target):
3114         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3115         * stress/string-proto.js: Added.
3116         (shouldBe):
3117         (target):
3118
3119 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3120
3121         Reland "Add Above/Below comparisons for UInt32 patterns"
3122         https://bugs.webkit.org/show_bug.cgi?id=177281
3123
3124         Reviewed by Saam Barati.
3125
3126         * stress/uint32-comparison-jump.js: Added.
3127         (shouldBe):
3128         (above):
3129         (aboveOrEqual):
3130         (below):
3131         (belowOrEqual):
3132         (notAbove):
3133         (notAboveOrEqual):
3134         (notBelow):
3135         (notBelowOrEqual):
3136         * stress/uint32-comparison.js: Added.
3137         (shouldBe):
3138         (above):
3139         (aboveOrEqual):
3140         (below):
3141         (belowOrEqual):
3142         (aboveTest):
3143         (aboveOrEqualTest):
3144         (belowTest):
3145         (belowOrEqualTest):
3146
3147 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3148
3149         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3150         https://bugs.webkit.org/show_bug.cgi?id=178210
3151
3152         Reviewed by Saam Barati.
3153
3154         * wasm/function-tests/trap-from-start-async.js:
3155         (async.StartTrapsAsync):
3156         * wasm/function-tests/trap-from-start.js:
3157         (StartTraps):
3158         * wasm/js-api/web-assembly-function.js:
3159         (assert.eq.Object.getPrototypeOf):
3160         * wasm/js-api/wrapper-function.js:
3161         (return.new.WebAssembly.Module):
3162         (assert.throws.makeInstance): Deleted.
3163         (assert.throws.Bar): Deleted.
3164         (assert.throws): Deleted.
3165
3166 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3167
3168         Enable gigacage on iOS
3169         https://bugs.webkit.org/show_bug.cgi?id=177586
3170
3171         Reviewed by JF Bastien.
3172         
3173         Add tests for when Gigacage gets runtime disabled.
3174
3175         * stress/disable-gigacage-arrays.js: Added.
3176         (foo):
3177         * stress/disable-gigacage-strings.js: Added.
3178         (foo):
3179         * stress/disable-gigacage-typed-arrays.js: Added.
3180         (foo):
3181
3182 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3183
3184         import.meta should not be assignable
3185         https://bugs.webkit.org/show_bug.cgi?id=178202
3186
3187         Reviewed by Saam Barati.
3188
3189         * modules/import-meta-assignment.js: Added.
3190         (shouldThrow):
3191         (SyntaxError.import.meta.can.shouldThrow):
3192
3193 2017-10-11  Saam Barati  <sbarati@apple.com>
3194
3195         Unreviewed. Actually skip certain type profiler tests in debug.
3196
3197         * typeProfiler.yaml:
3198         * typeProfiler/deltablue-for-of.js:
3199         * typeProfiler/getter-richards.js:
3200
3201 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3202
3203         Unreviewed, rolling out r223113 and r223121.
3204         https://bugs.webkit.org/show_bug.cgi?id=178182
3205
3206         Reintroduced 20% regression on Kraken (Requested by rniwa on
3207         #webkit).
3208
3209         Reverted changesets:
3210
3211         "Enable gigacage on iOS"
3212         https://bugs.webkit.org/show_bug.cgi?id=177586
3213         https://trac.webkit.org/changeset/223113
3214
3215         "Use one virtual allocation for all gigacages and their
3216         runways"
3217         https://bugs.webkit.org/show_bug.cgi?id=178050
3218         https://trac.webkit.org/changeset/223121
3219
3220 2017-10-11  Michael Saboff  <msaboff@apple.com>
3221
3222         Disable test262 named capture group tests with direct unicode names and with references before definitions
3223         https://bugs.webkit.org/show_bug.cgi?id=178177
3224
3225         Reviewed by Keith Miller.
3226
3227         Bugs to track fixing these test are:
3228         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3229             "Add support in named capture group identifiers for direct surrogate pairs"
3230         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3231             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3232
3233         * test262.yaml:
3234
3235 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3236
3237         Object properties are undefined in super.call() but not in this.call()
3238         https://bugs.webkit.org/show_bug.cgi?id=177230
3239
3240         Reviewed by Saam Barati.
3241
3242         * stress/super-call-function-subclass.js: Added.
3243         (assert):
3244         (A.prototype.t):
3245         (A):
3246         * stress/super-dot-call-and-apply.js: Added.
3247         (assert):
3248         (A):
3249         (A.prototype.call):
3250         (A.prototype.apply):
3251         (B.prototype.testSuper):
3252         (B):
3253         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3254         (D.prototype.testSuper):
3255         (D):
3256
3257 2017-10-10  Saam Barati  <sbarati@apple.com>
3258
3259         The prototype cache should be aware of the Executable it generates a Structure for
3260         https://bugs.webkit.org/show_bug.cgi?id=177907
3261
3262         Reviewed by Filip Pizlo.
3263
3264         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3265         (assert):
3266         (foo.C):
3267         (foo):
3268         (bar.C):
3269         (bar):
3270         (access):
3271         (makeLongChain):
3272         (accessY):
3273
3274 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3275
3276         `async` should be able to be used as an imported binding name
3277         https://bugs.webkit.org/show_bug.cgi?id=176573
3278
3279         Reviewed by Saam Barati.
3280
3281         * modules/import-default-async.js: Added.
3282         * modules/import-named-async-as.js: Added.
3283         * modules/import-named-async.js: Added.
3284         * modules/import-named-async/target.js: Added.
3285         * modules/import-namespace-async.js: Added.
3286         * test262.yaml:
3287
3288 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3289
3290         Enable gigacage on iOS
3291         https://bugs.webkit.org/show_bug.cgi?id=177586
3292
3293         Reviewed by JF Bastien.
3294         
3295         Add tests for when Gigacage gets runtime disabled.
3296
3297         * stress/disable-gigacage-arrays.js: Added.
3298         (foo):
3299         * stress/disable-gigacage-strings.js: Added.
3300         (foo):
3301         * stress/disable-gigacage-typed-arrays.js: Added.
3302         (foo):
3303
3304 2017-10-09  Michael Saboff  <msaboff@apple.com>
3305
3306         Implement RegExp Unicode property escapes
3307         https://bugs.webkit.org/show_bug.cgi?id=172069
3308
3309         Reviewed by JF Bastien.
3310
3311         Enabled Unicode Property tests.
3312
3313         * test262.yaml:
3314
3315 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3316
3317         Unreviewed, rolling out r223015 and r223025.
3318         https://bugs.webkit.org/show_bug.cgi?id=178093
3319
3320         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3321         #webkit).
3322
3323         Reverted changesets:
3324
3325         "Enable gigacage on iOS"
3326         https://bugs.webkit.org/show_bug.cgi?id=177586
3327         http://trac.webkit.org/changeset/223015
3328
3329         "Unreviewed, disable Gigacage on ARM64 Linux"
3330         https://bugs.webkit.org/show_bug.cgi?id=177586
3331         http://trac.webkit.org/changeset/223025
3332
3333 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3334
3335         Update expectations for test262 tests that pass after r223043.
3336         https://bugs.webkit.org/show_bug.cgi?id=176685
3337
3338         Unreviewed test gardening.
3339
3340         * test262.yaml:
3341
3342 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3343
3344         Unreviewed, rolling out r223022.
3345
3346         This change introduced 18 test262 failures.
3347
3348         Reverted changeset:
3349
3350         "`async` should be able to be used as an imported binding
3351         name"
3352         https://bugs.webkit.org/show_bug.cgi?id=176573
3353         http://trac.webkit.org/changeset/223022
3354
3355 2017-10-09  Saam Barati  <sbarati@apple.com>
3356
3357         3 poly-proto JSC tests timing out on debug after r222827
3358         https://bugs.webkit.org/show_bug.cgi?id=177880
3359         <rdar://problem/34817122>
3360
3361         Unreviewed.
3362
3363         I'm skipping these type profiler tests on debug since they are long running.
3364
3365         * typeProfiler/deltablue-for-of.js:
3366         * typeProfiler/getter-richards.js:
3367
3368 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3369
3370         Safari 10 /11 problem with if (!await get(something)).
3371         https://bugs.webkit.org/show_bug.cgi?id=176685
3372
3373         Reviewed by Saam Barati.
3374
3375         * stress/async-await-basic.js:
3376         (awaitEpression.async):
3377         * stress/async-await-syntax.js:
3378         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3379         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3380
3381 2017-10-08  Saam Barati  <sbarati@apple.com>
3382
3383         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3384
3385         * typeProfiler/deltablue-for-of.js:
3386         * typeProfiler/getter-richards.js:
3387
3388 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3389
3390         `async` should be able to be used as an imported binding name
3391         https://bugs.webkit.org/show_bug.cgi?id=176573
3392
3393         Reviewed by Darin Adler.
3394
3395         * modules/import-default-async.js: Added.
3396         * modules/import-named-async-as.js: Added.
3397         * modules/import-named-async.js: Added.
3398         * modules/import-named-async/target.js: Added.
3399         * modules/import-namespace-async.js: Added.
3400
3401 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3402
3403         Enable gigacage on iOS
3404         https://bugs.webkit.org/show_bug.cgi?id=177586
3405
3406         Reviewed by JF Bastien.
3407         
3408         Add tests for when Gigacage gets runtime disabled.
3409
3410         * stress/disable-gigacage-arrays.js: Added.
3411         (foo):
3412         * stress/disable-gigacage-strings.js: Added.
3413         (foo):
3414         * stress/disable-gigacage-typed-arrays.js: Added.
3415         (foo):
3416
3417 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3418
3419         Unreviewed, rolling out r222791 and r222873.
3420         https://bugs.webkit.org/show_bug.cgi?id=178031
3421
3422         Caused crashes with workers/wasm LayoutTests (Requested by
3423         ryanhaddad on #webkit).
3424
3425         Reverted changesets:
3426
3427         "WebAssembly: no VM / JS version of everything but Instance"
3428         https://bugs.webkit.org/show_bug.cgi?id=177473
3429         http://trac.webkit.org/changeset/222791
3430
3431         "WebAssembly: address no VM / JS follow-ups"
3432         https://bugs.webkit.org/show_bug.cgi?id=177887
3433         http://trac.webkit.org/changeset/222873
3434
3435 2017-10-05  Saam Barati  <sbarati@apple.com>
3436
3437         Make sure all prototypes under poly proto get added into the VM's prototype map
3438         https://bugs.webkit.org/show_bug.cgi?id=177909
3439
3440         Reviewed by Keith Miller.
3441
3442         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3443         (assert):
3444         (foo.C):
3445         (foo):
3446         (set x):
3447
3448 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3449
3450         [JSC] Introduce import.meta
3451         https://bugs.webkit.org/show_bug.cgi?id=177703
3452
3453         Reviewed by Filip Pizlo.
3454
3455         * modules/import-meta-syntax.js: Added.
3456         (shouldThrow):
3457         (shouldNotThrow):
3458         * modules/import-meta.js: Added.
3459         * modules/import-meta/cocoa.js: Added.
3460         * modules/resources/assert.js:
3461         (export.shouldNotThrow):
3462         * stress/import-syntax.js:
3463
3464 2017-10-04  Saam Barati  <sbarati@apple.com>
3465
3466         Make pertinent AccessCases watch the poly proto watchpoint
3467         https://bugs.webkit.org/show_bug.cgi?id=177765
3468
3469         Reviewed by Keith Miller.
3470
3471         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3472         (assert):
3473         (foo.C):
3474         (foo):
3475         (validate):
3476         * stress/poly-proto-clear-stub.js: Added.
3477         (assert):
3478         (foo.C):
3479         (foo):
3480
3481 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3482
3483         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3484
3485         Unreviewed test gardening.
3486
3487         * test262.yaml:
3488
3489 2017-10-04  Saam Barati  <sbarati@apple.com>
3490
3491         3 poly-proto JSC tests timing out on debug after r222827
3492         https://bugs.webkit.org/show_bug.cgi?id=177880
3493
3494         Rubber stamped by Mark Lam.
3495
3496         * microbenchmarks/poly-proto-access.js:
3497         * typeProfiler/deltablue-for-of.js:
3498         * typeProfiler/getter-richards.js:
3499
3500 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3501
3502         Unreviewed, marking tco-catch.js as a failure after test262 update
3503         https://bugs.webkit.org/show_bug.cgi?id=177859
3504
3505         * test262.yaml:
3506
3507 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3508
3509         Unreviewed, marking one async iterator test262 test failed
3510         https://bugs.webkit.org/show_bug.cgi?id=177859
3511
3512         * test262.yaml:
3513
3514 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3515
3516         [Test262] Update Test262 to Oct 4 version
3517         https://bugs.webkit.org/show_bug.cgi?id=177859
3518
3519         Reviewed by Sam Weinig.
3520
3521         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3522         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3523
3524         * test262.yaml:
3525         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3526         (checkSequence):
3527         * test262/harness/typeCoercion.js:
3528         (testCoercibleToIndexZero):
3529         (testCoercibleToIndexOne):
3530         (testCoercibleToIndexFromIndex):
3531         (testNotCoercibleToIndex.testPrimitiveValue):
3532         (testNotCoercibleToInteger):
3533         (testCoercibleToBigIntZero.testPrimitiveValue):
3534         (testCoercibleToBigIntZero):
3535         (testCoercibleToBigIntOne.testPrimitiveValue):
3536         (testCoercibleToBigIntOne):
3537         (testPrimitiveValue):
3538         (testCoercibleToBigIntFromBigInt):
3539         (testNotCoercibleToBigInt.testPrimitiveValue):
3540         (testNotCoercibleToBigInt.testStringValue):
3541         (testNotCoercibleToBigInt):
3542         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3543         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3544         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3545         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3546         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3547         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3548         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3549         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3550         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3551         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3552         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3553         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3554         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3555         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3556         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3557         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3558         (testCoercibleToBigIntZero):
3559         (testCoercibleToBigIntOne):
3560         (testNotCoercibleToBigInt):
3561         (MyError): Deleted.
3562         (valueOf): Deleted.
3563         (toString): Deleted.
3564         (Symbol.toPrimitive): Deleted.
3565         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3566         (testCoercibleToIndexZero):
3567         (testCoercibleToIndexOne):
3568         (testNotCoercibleToIndex):
3569         (MyError): Deleted.
3570         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3571         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3572         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3573         (BigInt.asIntN.valueOf): Deleted.
3574         (BigInt.asIntN.toString): Deleted.
3575         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3576         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3577         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3578         (testCoercibleToBigIntZero):
3579         (testCoercibleToBigIntOne):
3580         (testNotCoercibleToBigInt):
3581         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3582         (testCoercibleToIndexZero):
3583         (testCoercibleToIndexOne):
3584         (testNotCoercibleToIndex):
3585         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3586         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3587         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3588         (bits.valueOf):
3589         (bigint.valueOf):
3590         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3591         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3592         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3593         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3594         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3595         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3596         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3597         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3598         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3599         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3600         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3601         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3602         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3603         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3604         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3605         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3606         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3607         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3608         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3609         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3610         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3611         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3612         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3613         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3614         (replacer):
3615         (BigInt.prototype.toJSON):
3616         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3617         (replacer):
3618         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3619         (BigInt.prototype.toJSON):
3620         * test262/test/built-ins/JSON/stringify/bigint.js:
3621         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3622         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
3623         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
3624         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
3625         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
3626         * test262/test/built-ins/Object/proto-from-ctor.js:
3627         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
3628         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
3629         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
3630         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
3631         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
3632         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
3633         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
3634         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
3635         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
3636         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
3637         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
3638         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
3639         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
3640         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
3641         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
3642         * test262/test/built-ins/Proxy/get-fn-realm.js:
3643         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
3644         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
3645         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
3646         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
3647         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
3648         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
3649         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
3650         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
3651         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
3652         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
3653         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
3654         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
3655         (i6.replace):
3656         (i6b.replace):
3657         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
3658         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
3659         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
3660         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
3661         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
3662         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
3663         * test262/test/built-ins/RegExp/u180e.js: Added.
3664         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
3665         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
3666         * test262/test/built-ins/String/proto-from-ctor-realm.js:
3667         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
3668         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
3669         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
3670         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
3671         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
3672         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
3673         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
3674         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
3675         * test262/test/built-ins/String/prototype/endsWith/length.js:
3676         * test262/test/built-ins/String/prototype/endsWith/name.js:
3677         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
3678         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
3679         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
3680         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
3681         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
3682         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
3683         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
3684         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
3685         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
3686         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
3687         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
3688         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
3689         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
3690         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
3691         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
3692         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
3693         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
3694         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
3695         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
3696         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
3697         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
3698         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
3699         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
3700         * test262/test/built-ins/String/prototype/includes/includes.js:
3701         * test262/test/built-ins/String/prototype/includes/length.js:
3702         * test262/test/built-ins/String/prototype/includes/name.js:
3703         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
3704         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
3705         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
3706         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
3707         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
3708         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
3709         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
3710         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
3711         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
3712         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
3713         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
3714         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
3715         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
3716         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
3717         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
3718         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
3719         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
3720         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
3721         * test262/test/built-ins/String/prototype/trim/u180e.js:
3722         * test262/test/built-ins/Symbol/for/cross-realm.js:
3723         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
3724         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
3725         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
3726         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
3727         * test262/test/built-ins/Symbol/match/cross-realm.js:
3728         * test262/test/built-ins/Symbol/replace/cross-realm.js:
3729         * test262/test/built-ins/Symbol/search/cross-realm.js:
3730         * test262/test/built-ins/Symbol/species/cross-realm.js:
3731         * test262/test/built-ins/Symbol/split/cross-realm.js:
3732         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
3733         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
3734         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
3735         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
3736         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
3737         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
3738         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
3739         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
3740         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
3741         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
3742         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
3743         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
3744         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
3745         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
3746         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
3747         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
3748         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
3749         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
3750         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
3751         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
3752         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
3753         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
3754         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
3755         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
3756         * test262/test/language/comments/mongolian-vowel-separator-single.js:
3757         * test262/test/language/eval-code/indirect/realm.js:
3758         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
3759         (o.get z):
3760         (o.get a):
3761         * test262/test/language/expressions/call/eval-realm-indirect.js:
3762         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
3763         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
3764         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
3765         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
3766         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
3767         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
3768         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
3769         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
3770         * test262/test/language/expressions/greater-than/bigint-and-number.js:
3771         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
3772         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
3773         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
3774         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
3775         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
3776         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
3777         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
3778         * test262/test/language/expressions/less-than/bigint-and-number.js:
3779         * test262/test/language/expressions/new/non-ctor-err-realm.js:
3780         * test262/test/language/expressions/super/realm.js:
3781         * test262/test/language/expressions/tagged-template/cache-realm.js:
3782         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
3783         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
3784         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
3785         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
3786         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
3787         * test262/test/language/literals/string/mongolian-vowel-separator.js:
3788         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
3789         (o.get z):
3790         (o.get a):
3791         * test262/test/language/statements/for-of/iterator-next-reference.js:
3792         (next):
3793         (iterator.next): Deleted.
3794         (x.of.iterable.): Deleted.
3795         (x.of.iterable.get return): Deleted.
3796         (x.of.iterable.iterator.next): Deleted.
3797         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
3798         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
3799         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
3800         * test262/test/language/white-space/mongolian-vowel-separator.js:
3801         * test262/test262-Revision.txt:
3802
3803 2017-10-03  Saam Barati  <sbarati@apple.com>
3804
3805         Implement polymorphic prototypes
3806         https://bugs.webkit.org/show_bug.cgi?id=176391
3807
3808         Reviewed by Filip Pizlo.
3809
3810         * microbenchmarks/poly-proto-access.js: Added.
3811         (assert):
3812         (foo.C):
3813         (foo.C.prototype.get bar):
3814         (foo):
3815         (bar):
3816         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
3817         (assert):
3818         (makePolyProtoObject.foo.C):
3819         (makePolyProtoObject.foo):
3820         (makePolyProtoObject):
3821         (performSet):
3822         * microbenchmarks/poly-proto-setter-speed.js: Added.
3823         (assert):
3824         (makePolyProtoObject.foo.C):
3825         (makePolyProtoObject.foo.C.prototype.set p):
3826         (makePolyProtoObject.foo):
3827         (makePolyProtoObject):
3828         (performSet):
3829         * stress/constructor-with-return.js:
3830         (i.tests.forEach.Constructor):
3831         (i.tests.forEach):
3832         (tests.forEach.Constructor): Deleted.
3833         (tests.forEach): Deleted.
3834         * stress/dom-jit-with-poly-proto.js: Added.
3835         (assert):
3836         (makePolyProtoObject.foo.C):
3837         (makePolyProtoObject.foo):
3838         (makePolyProtoObject):
3839         (validate):
3840         * stress/poly-proto-custom-value-and-accessor.js: Added.
3841         (assert):
3842         (makePolyProtoObject.foo.C):
3843         (makePolyProtoObject.foo):
3844         (makePolyProtoObject):
3845         (items.forEach):
3846         (set get for):
3847         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
3848         (assert):
3849         (makePolyProtoObject.foo.C):
3850         (makePolyProtoObject.foo):
3851         (makePolyProtoObject):
3852         (foo):
3853         * stress/poly-proto-miss.js: Added.
3854         (makePolyProtoInstanceWithNullPrototype.foo.C):
3855         (makePolyProtoInstanceWithNullPrototype.foo):
3856         (makePolyProtoInstanceWithNullPrototype):
3857         (assert):
3858         (validate):
3859         * stress/poly-proto-op-in-caching.js: Added.
3860         (assert):
3861         (makePolyProtoObject.foo.C):
3862         (makePolyProtoObject.foo):
3863         (makePolyProtoObject):
3864         (validate):
3865         (validate2):
3866         * stress/poly-proto-put-transition.js: Added.
3867         (assert):
3868         (makePolyProtoObject.foo.C):
3869         (makePolyProtoObject.foo):
3870         (makePolyProtoObject):
3871         (performSet):
3872         (i.obj.__proto__.set p):
3873         * stress/poly-proto-set-prototype.js: Added.
3874         (assert):
3875         (let.alternateProto.get x):
3876         (let.alternateProto2.get y):
3877         (let.alternateProto2.get x):
3878         (foo.C):
3879         (foo):
3880         (validate):
3881         * stress/poly-proto-setter.js: Added.
3882         (assert):
3883         (makePolyProtoObject.foo.C):
3884         (makePolyProtoObject.foo.C.prototype.set p):
3885         (makePolyProtoObject.foo.C.prototype.get p):
3886         (makePolyProtoObject.foo):
3887         (makePolyProtoObject):
3888         (performSet):
3889         * stress/poly-proto-using-inheritance.js: Added.
3890         (assert):
3891         (foo.C):
3892         (foo.C.prototype.get baz):
3893         (foo):
3894         (bar.C):
3895         (bar):
3896         (validate):
3897         * stress/primitive-poly-proto.js: Added.
3898         (makePolyProtoInstance.foo.C):
3899         (makePolyProtoInstance.foo):
3900         (makePolyProtoInstance):
3901         (assert):
3902         (validate):
3903         * stress/prototype-is-not-js-object.js: Added.
3904         (foo.bar):
3905         (foo):
3906         (assert):
3907         (validate):
3908         * stress/try-get-by-id-poly-proto.js: Added.
3909         (assert):
3910         (makePolyProtoObject.foo.C):
3911         (makePolyProtoObject.foo):
3912         (makePolyProtoObject):
3913         (tryGetByIdText):
3914         (x.__proto__.get bar):
3915         (validate):
3916         * typeProfiler/overflow.js:
3917
3918 2017-10-03  JF Bastien  <jfbastien@apple.com>
3919
3920         WebAssembly: no VM / JS version of everything but Instance
3921         https://bugs.webkit.org/show_bug.cgi?id=177473
3922
3923         Reviewed by Filip Pizlo.
3924
3925         - Exceeding max on memory growth now returns a range error as per
3926         spec. This is a (very minor) breaking change: it used to throw OOM
3927         error. Update the corresponding test.
3928
3929         * wasm/js-api/memory-grow.js:
3930         (assertEq):
3931         * wasm/js-api/table.js:
3932         (assert.throws):
3933
3934 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
3935
3936         Skip JSC test stress/regress-159779-2.js on debug.
3937         https://bugs.webkit.org/show_bug.cgi?id=177204
3938
3939         Unreviewed test gardening.
3940
3941         * stress/regress-159779-2.js:
3942
3943 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
3944
3945         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
3946         https://bugs.webkit.org/show_bug.cgi?id=175642
3947
3948         Reviewed by Darin Adler.
3949
3950         * ChakraCore/test/Function/apply3.baseline-jsc:
3951
3952 2017-10-01  Commit Queue  <commit-queue@webkit.org>
3953
3954         Unreviewed, rolling out r222564.
3955         https://bugs.webkit.org/show_bug.cgi?id=177720
3956
3957         "It regressed JetStream by 2% on iOS caused by a 50%
3958         regression on the bigfib subtest" (Requested by saamyjoon on
3959         #webkit).
3960
3961         Reverted changeset:
3962
3963         "Add Above/Below comparisons for UInt32 patterns"
3964         https://bugs.webkit.org/show_bug.cgi?id=177281
3965         http://trac.webkit.org/changeset/222564
3966
3967 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3968
3969         [DFG] Support ArrayPush with multiple args
3970         https://bugs.webkit.org/show_bug.cgi?id=175823
3971
3972         Reviewed by Saam Barati.
3973
3974         * microbenchmarks/array-push-0.js: Added.
3975         (arrayPush0):
3976         * microbenchmarks/array-push-1.js: Added.
3977         (arrayPush1):
3978         * microbenchmarks/array-push-2.js: Added.
3979         (arrayPush2):
3980         * microbenchmarks/array-push-3.js: Added.
3981         (arrayPush3):
3982         * stress/array-push-multiple-contiguous.js: Added.
3983         (shouldBe):
3984         (test):
3985         * stress/array-push-multiple-double-nan.js: Added.
3986         (shouldBe):
3987         (test):
3988         * stress/array-push-multiple-double.js: Added.
3989         (shouldBe):
3990         (test):
3991         * stress/array-push-multiple-int32.js: Added.
3992         (shouldBe):
3993         (test):
3994         * stress/array-push-multiple-many-contiguous.js: Added.
3995         (shouldBe):
3996         (test):
3997         * stress/array-push-multiple-many-double.js: Added.
3998         (shouldBe):
3999         (test):
4000         * stress/array-push-multiple-many-int32.js: Added.
4001         (shouldBe):
4002         (test):
4003         * stress/array-push-multiple-many-storage.js: Added.
4004         (shouldBe):
4005         (test):
4006         * stress/array-push-multiple-storage.js: Added.
4007         (shouldBe):
4008         (test):
4009         * stress/array-push-with-force-exit.js: Added.
4010         (target.createBuiltin):
4011
4012 2017-09-29  Saam Barati  <sbarati@apple.com>
4013
4014         Custom GetterSetterAccessCase does not use the correct slotBase when making call
4015         https://bugs.webkit.org/show_bug.cgi?id=177639
4016
4017         Reviewed by Geoffrey Garen.
4018
4019         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js: Added.
4020         (assert):
4021         (Class):
4022         (items.forEach):
4023         (set get for):
4024
4025 2017-09-29  Commit Queue  <commit-queue@webkit.org>
4026
4027         Unreviewed, rolling out r222563, r222565, and r222581.
4028         https://bugs.webkit.org/show_bug.cgi?id=177675
4029
4030         "It causes a crash when playing youtube videos" (Requested by
4031         saamyjoon on #webkit).
4032
4033         Reverted changesets:
4034
4035         "[DFG] Support ArrayPush with multiple args"
4036         https://bugs.webkit.org/show_bug.cgi?id=175823
4037         http://trac.webkit.org/changeset/222563
4038
4039         "Unreviewed, build fix after r222563"
4040         https://bugs.webkit.org/show_bug.cgi?id=175823
4041         http://trac.webkit.org/changeset/222565
4042
4043         "Unreviewed, fix x86 breaking due to exhausted registers"
4044         https://bugs.webkit.org/show_bug.cgi?id=175823
4045         http://trac.webkit.org/changeset/222581
4046
4047 2017-09-28  Mark Lam  <mark.lam@apple.com>
4048
4049         test262: Unexpected passes after r222617 and r222618.
4050         https://bugs.webkit.org/show_bug.cgi?id=177622
4051         <rdar://problem/34725960>
4052
4053         Reviewed by Saam Barati.
4054
4055         Update test262.yaml for tests that are now passing.
4056
4057         * test262.yaml:
4058
4059 2017-09-27  Michael Saboff  <msaboff@apple.com>
4060
4061         REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
4062         https://bugs.webkit.org/show_bug.cgi?id=177570
4063
4064         Reviewed by Filip Pizlo.
4065
4066         New regression test.
4067
4068         * stress/regress-177570.js: Added.
4069
4070 2017-09-28  Michael Saboff  <msaboff@apple.com>
4071
4072         Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
4073         https://bugs.webkit.org/show_bug.cgi?id=177423
4074
4075         Reviewed by Mark Lam.
4076
4077         Updated regression test.
4078
4079         * stress/regress-177423.js:
4080         (catch):
4081
4082 2017-09-27  Mark Lam  <mark.lam@apple.com>
4083
4084         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
4085         https://bugs.webkit.org/show_bug.cgi?id=177584
4086         <rdar://problem/34463903>
4087
4088         Reviewed by Saam Barati.
4089
4090         * stress/regress-177584.js: Added.
4091         (assertEqual):
4092         (Array.prototype.Symbol.species):
4093
4094 2017-09-27  Saam Barati  <sbarati@apple.com>
4095
4096         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure
4097         https://bugs.webkit.org/show_bug.cgi?id=177523
4098
4099         Reviewed by Mark Lam.
4100
4101         * stress/prototype-chain-has-dictionary-structure-for-in-caching.js: Added.
4102         (assert):
4103         (Test):
4104         (addMethods.Test.prototype.string_appeared_here.i.methodNumber):
4105         (addMethods):
4106         (i.Test.prototype.propName):
4107
4108 2017-09-27  Mark Lam  <mark.lam@apple.com>
4109
4110         Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern.
4111         https://bugs.webkit.org/show_bug.cgi?id=177423
4112         <rdar://problem/34621320>
4113
4114         Reviewed by Keith Miller.
4115
4116         * stress/regress-177423.js: Added.
4117
4118 2017-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>
4119
4120         Add Above/Below comparisons for UInt32 patterns
4121         https://bugs.webkit.org/show_bug.cgi?id=177281
4122
4123         Reviewed by Saam Barati.
4124
4125         * stress/uint32-comparison-jump.js: Added.
4126         (shouldBe):
4127         (above):
4128         (aboveOrEqual):
4129         (below):
4130         (belowOrEqual):
4131         (notAbove):
4132         (notAboveOrEqual):
4133         (notBelow):
4134         (notBelowOrEqual):
4135         * stress/uint32-comparison.js: Added.
4136         (shouldBe):
4137         (above):
4138         (aboveOrEqual):
4139         (below):
4140         (belowOrEqual):
4141         (aboveTest):
4142         (aboveOrEqualTest):
4143         (belowTest):
4144         (belowOrEqualTest):
4145
4146 2017-09-25  Yusuke Suzuki  <utatane.tea@gmail.com>
4147
4148         [DFG] Support ArrayPush with multiple args
4149         https://bugs.webkit.org/show_bug.cgi?id=175823
4150
4151         Reviewed by Saam Barati.
4152
4153         * microbenchmarks/array-push-0.js: Added.
4154         (arrayPush0):
4155         * microbenchmarks/array-push-1.js: Added.
4156         (arrayPush1):
4157         * microbenchmarks/array-push-2.js: Added.
4158         (arrayPush2):
4159         * microbenchmarks/array-push-3.js: Added.
4160         (arrayPush3):
4161         * stress/array-push-multiple-contiguous.js: Added.
4162         (shouldBe):
4163         (test):
4164         * stress/array-push-multiple-double-nan.js: Added.
4165         (shouldBe):
4166         (test):
4167         * stress/array-push-multiple-double.js: Added.
4168         (shouldBe):
4169         (test):
4170         * stress/array-push-multiple-int32.js: Added.
4171         (shouldBe):
4172         (test):
4173         * stress/array-push-multiple-many-contiguous.js: Added.
4174         (shouldBe):
4175         (test):
4176         * stress/array-push-multiple-many-double.js: Added.
4177         (shouldBe):
4178         (test):
4179         * stress/array-push-multiple-many-int32.js: Added.
4180         (shouldBe):
4181         (test):
4182         * stress/array-push-multiple-many-storage.js: Added.
4183         (shouldBe):
4184         (test):
4185         * stress/array-push-multiple-storage.js: Added.
4186         (shouldBe):
4187         (test):
4188
4189 2017-09-26  Commit Queue  <commit-queue@webkit.org>
4190
4191         Unreviewed, rolling out r222518.
4192         https://bugs.webkit.org/show_bug.cgi?id=177507
4193
4194         Break the High Sierra build (Requested by yusukesuzuki on
4195         #webkit).
4196
4197         Reverted changeset:
4198
4199         "Add Above/Below comparisons for UInt32 patterns"
4200         https://bugs.webkit.org/show_bug.cgi?id=177281
4201         http://trac.webkit.org/changeset/222518
4202
4203 2017-09-26  Yusuke Suzuki  <utatane.tea@gmail.com>
4204
4205         Add Above/Below comparisons for UInt32 patterns
4206         https://bugs.webkit.org/show_bug.cgi?id=177281
4207
4208         Reviewed by Saam Barati.
4209
4210         * stress/uint32-comparison-jump.js: Added.
4211         (shouldBe):
4212         (above):
4213         (aboveOrEqual):
4214         (below):
4215         (belowOrEqual):
4216         (notAbove):
4217         (notAboveOrEqual):
4218         (notBelow):
4219         (notBelowOrEqual):
4220         * stress/uint32-comparison.js: Added.
4221         (shouldBe):
4222         (above):
4223         (aboveOrEqual):
4224         (below):
4225         (belowOrEqual):
4226         (aboveTest):
4227         (aboveOrEqualTest):
4228         (belowTest):
4229         (belowOrEqualTest):
4230
4231 2017-09-23  Keith Miller  <keith_miller@apple.com>
4232
4233         Fix infinite looping test262 test
4234         https://bugs.webkit.org/show_bug.cgi?id=177412
4235
4236         Reviewed by Yusuke Suzuki.
4237
4238         This test was poorly designed since failing it would cause the vm
4239         to inifinite loop. I've fixed it locally and will fix it on github pending
4240         the results of next weeks tc39 meeting.
4241
4242         * test262.yaml:
4243         * test262/test/language/statements/for-of/iterator-next-reference.js:
4244
4245 2017-09-23  Joseph Pecoraro  <pecoraro@apple.com>
4246
4247         test262: $.agent became $262.agent in test262 update
4248         https://bugs.webkit.org/show_bug.cgi?id=177407
4249
4250         Reviewed by Yusuke Suzuki.
4251
4252         * test262.yaml:
4253         ~320 tests pass now that we correctly make $262 available.
4254
4255 2017-09-22  Keith Miller  <keith_miller@apple.com>
4256
4257         Speculatively change iteration protocall to use the same next function
4258         https://bugs.webkit.org/show_bug.cgi?id=175653
4259
4260         Reviewed by Saam Barati.
4261
4262         Change test to match the new iteration behavior.
4263
4264         * stress/spread-optimized-properly.js:
4265
4266 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
4267
4268         [DFG][FTL] Profile array vector length for array allocation
4269         https://bugs.webkit.org/show_bug.cgi?id=177051
4270
4271         Reviewed by Saam Barati.
4272
4273         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4274         (target):
4275
4276 2017-09-22  Commit Queue  <commit-queue@webkit.org>
4277
4278         Unreviewed, rolling out r222380.
4279         https://bugs.webkit.org/show_bug.cgi?id=177352
4280
4281         Octane/box2d shows 8% regression (Requested by yusukesuzuki on
4282         #webkit).
4283
4284         Reverted changeset:
4285
4286         "[DFG][FTL] Profile array vector length for array allocation"
4287         https://bugs.webkit.org/show_bug.cgi?id=177051
4288         http://trac.webkit.org/changeset/222380
4289
4290 2017-09-21  Yusuke Suzuki  <utatane.tea@gmail.com>
4291
4292         [DFG][FTL] Profile array vector length for array allocation
4293         https://bugs.webkit.org/show_bug.cgi?id=177051
4294
4295         Reviewed by Saam Barati.
4296
4297         * microbenchmarks/new-array-buffer-vector-profile.js: Added.
4298         (target):
4299
4300 2017-09-21  Joseph Pecoraro  <pecoraro@apple.com>
4301
4302         Skip new hanging test262 tests.
4303         https://bugs.webkit.org/show_bug.cgi?id=177326
4304
4305         Unreviewed test gardening.
4306
4307         * test262.yaml:
4308
4309 2017-09-21  Ryan Haddad  <ryanhaddad@apple.com>
4310
4311         Mark 6 test262 tests as passing.
4312         https://bugs.webkit.org/show_bug.cgi?id=177307
4313
4314         Unreviewed test gardening.
4315
4316         * test262.yaml:
4317
4318 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4319
4320         Unreviewed follow-up to r222311.
4321
4322         * test262/harness/sta.js:
4323         * test262/test/built-ins/Array/from/calling-from-valid-1-noStrict.js:
4324         * test262/test/built-ins/Array/from/calling-from-valid-1-onlyStrict.js:
4325         * test262/test/built-ins/Array/from/calling-from-valid-2.js:
4326         * test262/test/built-ins/Array/from/elements-added-after.js:
4327         * test262/test/built-ins/Array/from/elements-deleted-after.js:
4328         * test262/test/built-ins/Array/from/elements-updated-after.js:
4329         * test262/test/built-ins/Array/from/from-array.js:
4330         * test262/test/built-ins/Array/from/mapfn-is-not-callable-typeerror.js:
4331         * test262/test/built-ins/Array/from/mapfn-throws-exception.js:
4332         * test262/test/built-ins/Array/from/source-array-boundary.js:
4333         * test262/test/built-ins/Array/from/source-object-constructor.js:
4334         * test262/test/built-ins/Array/from/source-object-iterator-1.js:
4335         * test262/test/built-ins/Array/from/source-object-iterator-2.js:
4336         * test262/test/built-ins/Array/from/source-object-length.js:
4337         * test262/test/built-ins/Array/from/source-object-missing.js:
4338         * test262/test/built-ins/Array/from/source-object-without.js:
4339         * test262/test/built-ins/Array/from/this-null.js:
4340         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
4341         * test262/test/language/line-terminators/S7.3_A3.2_T1.js:
4342         * test262/test/language/literals/numeric/7.8.3-1gs.js:
4343         * test262/test/language/literals/numeric/7.8.3-2gs.js:
4344         * test262/test/language/literals/numeric/7.8.3-3gs.js:
4345         * test262/test/language/literals/regexp/7.8.5-1gs.js:
4346         * test262/test/language/literals/string/7.8.4-1gs.js:
4347         Fix some files that I failed to update when I applied my patch.
4348
4349 2017-09-20  Joseph Pecoraro  <pecoraro@apple.com>
4350
4351         Update test262 tests
4352         https://bugs.webkit.org/show_bug.cgi?id=177220
4353
4354         Reviewed by Saam Barati and Yusuke Suzuki.
4355
4356         * test262.yaml:
4357         * test262/test262-Revision.txt:
4358         New rebaselined expectations for all tests.
4359
4360         * test262/*:
4361         Updated.
4362
4363 2017-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
4364
4365         [DFG] Remove ToThis more aggressively
4366         https://bugs.webkit.org/show_bug.cgi?id=177056
4367
4368         Reviewed by Saam Barati.
4369
4370         * stress/generator-with-this-strict.js: Added.
4371         (shouldBe):
4372         (generator):
4373         (target):
4374         * stress/generator-with-this.js: Added.
4375         (shouldBe):
4376         (generator):
4377         (target):
4378
4379 2017-09-17  Michael Saboff  <msaboff@apple.com>
4380
4381         https://bugs.webkit.org/show_bug.cgi?id=177038
4382         Add an option to run-jsc-stress-tests to limit tests variations to a basic set
4383
4384         Reviewed by JF Bastien.
4385
4386         * stress/unshiftCountSlowCase-correct-postCapacity.js: Disabled this test on ARM64 iOS devices
4387         as it dies using too much memory.
4388
4389 2017-09-15  Saam Barati  <sbarati@apple.com>
4390
4391         Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
4392         https://bugs.webkit.org/show_bug.cgi?id=176981
4393
4394         Reviewed by Yusuke Suzuki.
4395
4396         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js: Added.
4397         (assert):
4398         (verify):
4399         (func):
4400         (const.bar.createBuiltin):
4401
4402 2017-09-14  Saam Barati  <sbarati@apple.com>
4403
4404         It should be valid to exit before each set when doing arity fixup when inlining
4405         https://bugs.webkit.org/show_bug.cgi?id=176948
4406
4407         Reviewed by Keith Miller.
4408
4409</