Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests...
[WebKit-https.git] / JSTests / ChangeLog
1 2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Unreviewed test gardening, update expectations for test262/intl402/PluralRules tests after r231047.
4
5         * test262.yaml: Mark tests as passing.
6
7 2018-04-26  Caio Lima  <ticaiolima@gmail.com>
8
9         [ESNext][BigInt] Implement support for "*" operation
10         https://bugs.webkit.org/show_bug.cgi?id=183721
11
12         Reviewed by Saam Barati.
13
14         * bigIntTests.yaml:
15         * stress/big-int-mul-jit.js: Added.
16         * stress/big-int-mul-to-primitive-precedence.js: Added.
17         * stress/big-int-mul-to-primitive.js: Added.
18         * stress/big-int-mul-type-error.js: Added.
19         * stress/big-int-mul-wrapped-value.js: Added.
20         * stress/big-int-multiplication.js: Added.
21         * stress/big-int-multiply-memory-stress.js: Added.
22
23 2018-04-25  Robin Morisset  <rmorisset@apple.com>
24
25         In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
26         https://bugs.webkit.org/show_bug.cgi?id=184773
27         <rdar://problem/37773612>
28
29         Reviewed by Filip Pizlo.
30
31         This bug requires a race between the thread doing FTL compilation and the main thread, but it triggers in 100% of cases (before the fix) on my machine
32         so I decided to add it to the stress tests nonetheless.
33
34         * stress/create-rest-while-having-a-bad-time.js: Added.
35         (f):
36         (g):
37         (h):
38
39 2018-04-25  Keith Miller  <keith_miller@apple.com>
40
41         Add missing scope release to functionProtoFuncToString
42         https://bugs.webkit.org/show_bug.cgi?id=184995
43
44         Reviewed by Saam Barati.
45
46         * stress/function-toString-arrow.js: Added.
47         (async):
48
49 2018-04-24  Keith Miller  <keith_miller@apple.com>
50
51         fromCharCode is missing some exception checks
52         https://bugs.webkit.org/show_bug.cgi?id=184952
53
54         Reviewed by Saam Barati.
55
56         * stress/fromCharCode-exception-check.js: Added.
57         (get catch):
58
59 2018-04-24  Mark Lam  <mark.lam@apple.com>
60
61         Gardening: test fix after r230863.
62         https://bugs.webkit.org/show_bug.cgi?id=184846
63         <rdar://problem/39390672>
64
65         Not reviewed.
66
67         * stress/json-stringified-overflow-2.js:
68         (catch):
69         * stress/json-stringified-overflow.js:
70         (catch):
71
72 2018-04-20  JF Bastien  <jfbastien@apple.com>
73
74         Handle more JSON stringify OOM
75         https://bugs.webkit.org/show_bug.cgi?id=184846
76         <rdar://problem/39390672>
77
78         Reviewed by Mark Lam.
79
80         * stress/json-stringified-overflow-2.js: Added. Same as the one
81         below, but with a bigger input which will trigger a different code
82         path.
83         (catch):
84         * stress/json-stringified-overflow.js: Modify the test to only
85         catch OOM on stringification. not on string creation.
86
87 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
88
89         [WebAssembly][Modules] Import tables in wasm modules
90         https://bugs.webkit.org/show_bug.cgi?id=184738
91
92         Reviewed by JF Bastien.
93
94         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
95         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
96         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
97         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
98         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
99         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
100         * wasm/modules/wasm-imports-wasm-exports.js:
101         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
102         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
103         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
104         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
105
106 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
107
108         [WebAssembly][Modules] Import globals from wasm modules
109         https://bugs.webkit.org/show_bug.cgi?id=184736
110
111         Reviewed by JF Bastien.
112
113         * wasm.yaml:
114         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js:
115         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm:
116         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat:
117         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js:
118         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm:
119         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat:
120         * wasm/modules/wasm-imports-wasm-exports.js:
121         * wasm/modules/wasm-imports-wasm-exports/imports.wasm:
122         * wasm/modules/wasm-imports-wasm-exports/imports.wat:
123         * wasm/modules/wasm-imports-wasm-exports/sum.wasm:
124         * wasm/modules/wasm-imports-wasm-exports/sum.wat:
125
126 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
127
128         Unreviewed, reland r230697, r230720, and r230724.
129         https://bugs.webkit.org/show_bug.cgi?id=184600
130
131         * wasm.yaml:
132         * wasm/modules/constant.wasm: Added.
133         * wasm/modules/constant.wat: Added.
134         * wasm/modules/default-import-star-error.js: Added.
135         (then):
136         * wasm/modules/default-import-star-error/entry.wasm: Added.
137         * wasm/modules/default-import-star-error/entry.wat: Added.
138         * wasm/modules/default-import-star-error/t0.js: Added.
139         * wasm/modules/default-import-star-error/t1.js: Added.
140         * wasm/modules/default-import-star-error/t2.js: Added.
141         (export.default.Cocoa):
142         * wasm/modules/js-wasm-cycle.js: Added.
143         * wasm/modules/js-wasm-cycle/entry.js: Added.
144         (from.string_appeared_here.export.return42):
145         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
146         * wasm/modules/js-wasm-cycle/sum.wat: Added.
147         * wasm/modules/js-wasm-function-namespace.js: Added.
148         (assert.throws):
149         * wasm/modules/js-wasm-function.js: Added.
150         (assert.throws):
151         * wasm/modules/js-wasm-global-namespace.js: Added.
152         (assert.throws):
153         * wasm/modules/js-wasm-global.js: Added.
154         (assert.throws):
155         * wasm/modules/js-wasm-memory-namespace.js: Added.
156         (assert.throws):
157         * wasm/modules/js-wasm-memory.js: Added.
158         (assert.throws):
159         * wasm/modules/js-wasm-start.js: Added.
160         (then):
161         * wasm/modules/js-wasm-table-namespace.js: Added.
162         (assert.throws):
163         * wasm/modules/js-wasm-table.js: Added.
164         (assert.throws):
165         * wasm/modules/memory.wasm: Added.
166         * wasm/modules/memory.wat: Added.
167         * wasm/modules/run-from-wasm.wasm: Added.
168         * wasm/modules/run-from-wasm.wat: Added.
169         * wasm/modules/run-from-wasm/check.js: Added.
170         (export.check):
171         * wasm/modules/start.wasm: Added.
172         * wasm/modules/start.wat: Added.
173         * wasm/modules/sum.wasm: Added.
174         * wasm/modules/sum.wat: Added.
175         * wasm/modules/table.wasm: Added.
176         * wasm/modules/table.wat: Added.
177         * wasm/modules/wasm-imports-js-exports.js: Added.
178         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
179         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
180         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
181         (export.sum):
182         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
183         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
184         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
185         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
186         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
187         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
188         * wasm/modules/wasm-imports-wasm-exports.js: Added.
189         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
190         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
191         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
192         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
193         * wasm/modules/wasm-js-cycle.js: Added.
194         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
195         * wasm/modules/wasm-js-cycle/entry.wat: Added.
196         * wasm/modules/wasm-js-cycle/sum.js: Added.
197         (from.string_appeared_here.export.sum):
198         * wasm/modules/wasm-wasm-cycle.js: Added.
199         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
200         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
201         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
202         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
203
204 2018-04-17  Commit Queue  <commit-queue@webkit.org>
205
206         Unreviewed, rolling out r230697, r230720, and r230724.
207         https://bugs.webkit.org/show_bug.cgi?id=184717
208
209         These caused multiple failures on the Test262 testers.
210         (Requested by mlewis13 on #webkit).
211
212         Reverted changesets:
213
214         "[WebAssembly][Modules] Prototype wasm import"
215         https://bugs.webkit.org/show_bug.cgi?id=184600
216         https://trac.webkit.org/changeset/230697
217
218         "[WebAssembly][Modules] Implement function import from wasm
219         modules"
220         https://bugs.webkit.org/show_bug.cgi?id=184689
221         https://trac.webkit.org/changeset/230720
222
223         "[JSC] Rename runWebAssembly to runWebAssemblySuite"
224         https://bugs.webkit.org/show_bug.cgi?id=184703
225         https://trac.webkit.org/changeset/230724
226
227 2018-04-17  JF Bastien  <jfbastien@apple.com>
228
229         A put is not an ExistingProperty put when we transition a structure because of an attributes change
230         https://bugs.webkit.org/show_bug.cgi?id=184706
231         <rdar://problem/38871451>
232
233         Reviewed by Saam Barati.
234
235         * stress/put-by-id-direct-strict-transition.js: Added.
236         (const.foo):
237         (j.const.obj.set hello):
238         * stress/put-by-id-direct-transition.js: Added.
239         (const.foo):
240         (j.const.obj.set hello):
241         * stress/put-getter-setter-by-id-strict-transition.js: Added.
242         (const.foo):
243         (j.const.obj.set hello):
244         * stress/put-getter-setter-by-id-transition.js: Added.
245         (const.foo):
246         (j.const.obj.set hello):
247
248 2018-04-16  Filip Pizlo  <fpizlo@apple.com>
249
250         PutStackSinkingPhase should know that KillStack means ConflictingFlush
251         https://bugs.webkit.org/show_bug.cgi?id=184672
252
253         Reviewed by Michael Saboff.
254
255         * stress/sink-put-stack-over-kill-stack.js: Added.
256         (avocado_1):
257         (apricot_0):
258         (__c_0):
259         (banana_2):
260
261 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
262
263         [JSC] Rename runWebAssembly to runWebAssemblySuite
264         https://bugs.webkit.org/show_bug.cgi?id=184703
265
266         Reviewed by JF Bastien.
267
268         And add runWebAssembly as a command to simplely run wasm modules.
269
270         * wasm.yaml:
271
272 2018-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
273
274         [WebAssembly][Modules] Implement function import from wasm modules
275         https://bugs.webkit.org/show_bug.cgi?id=184689
276
277         Reviewed by JF Bastien.
278
279         * wasm.yaml:
280         * wasm/modules/js-wasm-cycle.js: Added.
281         * wasm/modules/js-wasm-cycle/entry.js: Added.
282         (from.string_appeared_here.export.return42):
283         * wasm/modules/js-wasm-cycle/sum.wasm: Added.
284         * wasm/modules/js-wasm-cycle/sum.wat: Added.
285         * wasm/modules/run-from-wasm.wasm: Added.
286         * wasm/modules/run-from-wasm.wat: Added.
287         * wasm/modules/run-from-wasm/check.js: Added.
288         (export.check):
289         * wasm/modules/wasm-imports-js-exports.js: Added.
290         * wasm/modules/wasm-imports-js-exports/imports.wasm: Added.
291         * wasm/modules/wasm-imports-js-exports/imports.wat: Added.
292         * wasm/modules/wasm-imports-js-exports/sum.js: Added.
293         (export.sum):
294         * wasm/modules/wasm-imports-js-re-exports-wasm-exports.js: Added.
295         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wasm: Added.
296         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/imports.wat: Added.
297         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/re-export.js: Added.
298         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wasm: Added.
299         * wasm/modules/wasm-imports-js-re-exports-wasm-exports/sum.wat: Added.
300         * wasm/modules/wasm-imports-wasm-exports.js: Added.
301         * wasm/modules/wasm-imports-wasm-exports/imports.wasm: Added.
302         * wasm/modules/wasm-imports-wasm-exports/imports.wat: Added.
303         * wasm/modules/wasm-imports-wasm-exports/sum.wasm: Added.
304         * wasm/modules/wasm-imports-wasm-exports/sum.wat: Added.
305         * wasm/modules/wasm-js-cycle.js: Added.
306         * wasm/modules/wasm-js-cycle/entry.wasm: Added.
307         * wasm/modules/wasm-js-cycle/entry.wat: Added.
308         * wasm/modules/wasm-js-cycle/sum.js: Added.
309         (from.string_appeared_here.export.sum):
310         * wasm/modules/wasm-wasm-cycle.js: Added.
311         * wasm/modules/wasm-wasm-cycle/entry.wasm: Added.
312         * wasm/modules/wasm-wasm-cycle/entry.wat: Added.
313         * wasm/modules/wasm-wasm-cycle/sum.wasm: Added.
314         * wasm/modules/wasm-wasm-cycle/sum.wat: Added.
315
316 2018-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
317
318         [WebAssembly][Modules] Prototype wasm import
319         https://bugs.webkit.org/show_bug.cgi?id=184600
320
321         Reviewed by JF Bastien.
322
323         Add wasm and wat files since module loader want to load wasm files from FS.
324         Currently, importing the other modules from wasm is not supported.
325
326         * wasm.yaml:
327         * wasm/modules/constant.wasm: Added.
328         * wasm/modules/constant.wat: Added.
329         * wasm/modules/js-wasm-function-namespace.js: Added.
330         (assert.throws):
331         * wasm/modules/js-wasm-function.js: Added.
332         (assert.throws):
333         * wasm/modules/js-wasm-global-namespace.js: Added.
334         (assert.throws):
335         * wasm/modules/js-wasm-global.js: Added.
336         (assert.throws):
337         * wasm/modules/js-wasm-memory-namespace.js: Added.
338         (assert.throws):
339         * wasm/modules/js-wasm-memory.js: Added.
340         (assert.throws):
341         * wasm/modules/js-wasm-start.js: Added.
342         (then):
343         * wasm/modules/js-wasm-table-namespace.js: Added.
344         (assert.throws):
345         * wasm/modules/js-wasm-table.js: Added.
346         (assert.throws):
347         * wasm/modules/memory.wasm: Added.
348         * wasm/modules/memory.wat: Added.
349         * wasm/modules/start.wasm: Added.
350         * wasm/modules/start.wat: Added.
351         * wasm/modules/sum.wasm: Added.
352         * wasm/modules/sum.wat: Added.
353         * wasm/modules/table.wasm: Added.
354         * wasm/modules/table.wat: Added.
355
356 2018-04-14  Filip Pizlo  <fpizlo@apple.com>
357
358         Function.prototype.caller shouldn't return generator bodies
359         https://bugs.webkit.org/show_bug.cgi?id=184630
360
361         Reviewed by Yusuke Suzuki.
362
363         * stress/function-caller-async-arrow-function-body.js: Added.
364         * stress/function-caller-async-function-body.js: Added.
365         * stress/function-caller-async-generator-body.js: Added.
366         * stress/function-caller-generator-body.js: Added.
367         * stress/function-caller-generator-method-body.js: Added.
368
369 2018-04-12  Tomas Popela  <tpopela@redhat.com>
370
371         Unreviewed, skip JIT tests if it isn't enabled
372
373         See https://bugs.webkit.org/show_bug.cgi?id=182730.
374
375         * stress/big-int-spec-to-primitive.js:
376         * stress/big-int-spec-to-this.js:
377
378 2018-04-10  Caio Lima  <ticaiolima@gmail.com>
379
380         [ESNext][BigInt] Add support for BigInt in SpeculatedType
381         https://bugs.webkit.org/show_bug.cgi?id=182470
382
383         Reviewed by Saam Barati.
384
385         * stress/big-int-spec-to-primitive.js: Added.
386         * stress/big-int-spec-to-this.js: Added.
387         * stress/big-int-strict-equals-jit.js: Added.
388         * stress/big-int-strict-spec-to-this.js: Added.
389         * stress/big-int-type-of-proven-type.js: Added.
390
391 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
392
393         DFG AI and clobberize should agree with each other
394         https://bugs.webkit.org/show_bug.cgi?id=184440
395
396         Reviewed by Saam Barati.
397         
398         Add tests for all of the bugs I fixed.
399
400         * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
401         (foo):
402         * stress/new-typed-array-cse-effects.js: Added.
403         (foo):
404         * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
405         (foo.theO):
406         (foo):
407         * stress/string-from-char-code-change-structure-not-dead.js: Added.
408         (foo):
409         (i.valueOf):
410         (weirdValue.valueOf):
411         * stress/string-from-char-code-change-structure.js: Added.
412         (foo):
413         (i.valueOf):
414         (weirdValue.valueOf):
415
416 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
417
418         Fix errant Test262 files CRLF to LF for consistency with the original source
419         https://bugs.webkit.org/show_bug.cgi?id=184425
420
421         Reviewed by Yusuke Suzuki.
422
423         * test262/test/built-ins/Math/acosh/nan-returns.js:
424         * test262/test/built-ins/Math/asinh/asinh-specialVals.js:
425         * test262/test/built-ins/Math/atanh/atanh-specialVals.js:
426         * test262/test/built-ins/Math/cbrt/cbrt-specialValues.js:
427         * test262/test/built-ins/Math/cbrt/prop-desc.js:
428         * test262/test/built-ins/Math/cosh/cosh-specialVals.js:
429         * test262/test/built-ins/Math/expm1/expm1-specialVals.js:
430         * test262/test/built-ins/Math/log10/Log10-specialVals.js:
431         * test262/test/built-ins/Math/log2/log2-basicTests.js:
432         * test262/test/built-ins/Math/sign/sign-specialVals.js:
433         * test262/test/built-ins/Math/sinh/sinh-specialVals.js:
434         * test262/test/built-ins/Math/tanh/tanh-specialVals.js:
435         * test262/test/built-ins/Math/trunc/trunc-sampleTests.js:
436         * test262/test/built-ins/Math/trunc/trunc-specialVals.js:
437
438 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
439
440         Unreviewed, remove incorrect entry in test262.yaml
441         https://bugs.webkit.org/show_bug.cgi?id=184266
442
443         * test262.yaml:
444
445 2018-04-08  Valerie Young  <valerie@bocoup.com>
446
447         [JSC] Update Test262 to April 6 version
448         https://bugs.webkit.org/show_bug.cgi?id=184266
449
450         Rubber stamped by Yusuke Suzuki.
451
452 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
453
454         [JSC] Introduce op_get_by_id_direct
455         https://bugs.webkit.org/show_bug.cgi?id=183970
456
457         Reviewed by Filip Pizlo.
458
459         * stress/generator-prototype-copy.js: Added.
460         (gen):
461         (catch):
462         Adopted JF's tests.
463
464         * stress/generator-type-check.js: Added.
465         (shouldThrow):
466         (foo2):
467         (i.shouldThrow):
468         * stress/get-by-id-direct-getter.js: Added.
469         (shouldBe):
470         (shouldThrow):
471         (obj.get hello):
472         (builtin.createBuiltin):
473         (obj2.get length):
474         * stress/get-by-id-direct.js: Added.
475         (shouldBe):
476         (shouldThrow):
477         (builtin.createBuiltin):
478         * test262.yaml:
479         We fixed long-standing spec compatibility issue.
480         As a result, this patch makes several test262 tests passed!
481
482
483 2018-04-07  Yusuke Suzuki  <utatane.tea@gmail.com>
484
485         Unreviewed, annotate test with @skip if $memoryLimited
486         https://bugs.webkit.org/show_bug.cgi?id=183894
487
488         * stress/json-stringified-overflow.js:
489
490 2018-04-06  Alexey Proskuryakov  <ap@apple.com>
491
492         Add svn:eol-style to line-terminator-normalisation-CR.js
493         https://bugs.webkit.org/show_bug.cgi?id=184341
494
495         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js: Added property svn:eol-style.
496
497 2018-04-06  Ross Kirsling  <ross.kirsling@sony.com>
498
499         Unreviewed, remove errant LF from existing test262 test for CR line endings.
500
501         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
502
503 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
504
505         Unreviewed, rolling out r230320.
506
507         Revert fix, as the root cause lies elsewhere.
508
509         Reverted changeset:
510
511         "[test262] Mark line-terminator-normalisation-CR.js as a
512         binary file."
513         https://bugs.webkit.org/show_bug.cgi?id=184341
514         https://trac.webkit.org/changeset/230320
515
516 2018-04-05  Ross Kirsling  <ross.kirsling@sony.com>
517
518         [test262] Mark line-terminator-normalisation-CR.js as a binary file.
519         https://bugs.webkit.org/show_bug.cgi?id=184341
520
521         Reviewed by Yusuke Suzuki.
522
523         This test is all about CR line endings, but `svn-apply` can't deal with them.
524         Treating the file as binary ensures that its contents never are never shown in a diff.
525
526         * .gitattributes: Added.
527
528 2018-04-05  Robin Morisset  <rmorisset@apple.com>
529
530         Fix testcase (missing try/catch).
531         https://bugs.webkit.org/show_bug.cgi?id=183657
532
533         Unreviewed.
534
535         * stress/large-unshift-splice.js
536
537 2018-04-04  Filip Pizlo  <fpizlo@apple.com>
538
539         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
540         https://bugs.webkit.org/show_bug.cgi?id=184319
541
542         Reviewed by Saam Barati.
543
544         * stress/array-push-nan-to-double-array-cse-sane-and-insane-chain.js: Added.
545         (foo):
546         (bar):
547         * stress/array-push-nan-to-double-array.js: Added.
548         (foo):
549         (bar):
550
551 2018-04-03  Mark Lam  <mark.lam@apple.com>
552
553         Test js-fixed-array-out-of-memory.js should be excluded for memory limited devices.
554         https://bugs.webkit.org/show_bug.cgi?id=184284
555
556         Reviewed by Saam Barati.
557
558         * stress/js-fixed-array-out-of-memory.js:
559
560 2018-03-31  Filip Pizlo  <fpizlo@apple.com>
561
562         JSC crash in JIT code with for-of loop and Array/Set iterators
563         https://bugs.webkit.org/show_bug.cgi?id=183174
564
565         Reviewed by Saam Barati.
566
567         * microbenchmarks/hoist-get-by-offset-tower-with-inferred-types.js: Added. This test shows that fixing the bug didn't break hoisting of GetByOffset with inferred types. I confirmed that if I did break it, this test slows down by >7x.
568         (foo):
569         * stress/hoist-get-by-offset-with-control-dependent-inferred-type.js: Added. This test shows that the bug is fixed.
570         (f):
571
572 2018-03-30  JF Bastien  <jfbastien@apple.com>
573
574         WebAssembly: support DataView compilation
575         https://bugs.webkit.org/show_bug.cgi?id=183342
576
577         Reviewed by Mark Lam.
578
579         Test WebAssembly compilation using a DataView with offset.
580
581         * wasm/regress/183342.js: Added.
582         (attempt.catch):
583
584 2018-03-30  Filip Pizlo  <fpizlo@apple.com>
585
586         Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
587         https://bugs.webkit.org/show_bug.cgi?id=184189
588
589         Reviewed by JF Bastien.
590
591         * stress/load-hole-from-scope-into-live-var.js: Added.
592         (result.eval.try.switch):
593         (catch):
594
595 2018-03-30  Ryan Haddad  <ryanhaddad@apple.com>
596
597         Unreviewed, rolling out r230102.
598
599         Caused assertion failures on JSC bots.
600
601         Reverted changeset:
602
603         "A stack overflow in the parsing of a builtin (called by
604         createExecutable) cause a crash instead of a catchable js
605         exception"
606         https://bugs.webkit.org/show_bug.cgi?id=184074
607         https://trac.webkit.org/changeset/230102
608
609 2018-03-30  Robin Morisset  <rmorisset@apple.com>
610
611         Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
612         https://bugs.webkit.org/show_bug.cgi?id=183812
613
614         Reviewed by Keith Miller.
615
616         * stress/inlining-unreachable-non-tail.js: Added.
617         (foo.):
618         (foo):
619
620 2018-03-30  Robin Morisset  <rmorisset@apple.com>
621
622         A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
623         https://bugs.webkit.org/show_bug.cgi?id=184074
624         <rdar://problem/37165897>
625
626         Reviewed by Keith Miller.
627
628         * stress/stack-overflow-while-parsing-builtin.js: Added.
629         (f):
630
631 2018-03-30  Robin Morisset  <rmorisset@apple.com>
632
633         Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
634         https://bugs.webkit.org/show_bug.cgi?id=183657
635
636         Reviewed by Keith Miller.
637
638         * stress/large-unshift-splice.js: Added.
639         (make_contig_arr):
640
641 2018-03-28  Robin Morisset  <rmorisset@apple.com>
642
643         appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
644         https://bugs.webkit.org/show_bug.cgi?id=183894
645
646         Reviewed by Saam Barati.
647
648         * stress/json-stringified-overflow.js: Added.
649         (catch):
650
651 2018-03-26  Filip Pizlo  <fpizlo@apple.com>
652
653         DFG should know that CreateThis can be effectful
654         https://bugs.webkit.org/show_bug.cgi?id=184013
655
656         Reviewed by Saam Barati.
657
658         * stress/create-this-property-change.js: Added.
659         (Foo):
660         (RealBar):
661         (get if):
662         * stress/create-this-structure-change-without-cse.js: Added.
663         (Foo):
664         (RealBar):
665         (get if):
666         * stress/create-this-structure-change.js: Added.
667         (Foo):
668         (RealBar):
669         (get if):
670
671 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
672
673         [DFG] Introduces fused compare and jump
674         https://bugs.webkit.org/show_bug.cgi?id=177100
675
676         Reviewed by Mark Lam.
677
678         * stress/fused-jeq-slow.js: Added.
679         (shouldBe):
680         (testJEQ):
681         (testJNEQB):
682         (testJEQB):
683         (testJNEQF):
684         (testJEQF):
685         * stress/fused-jeq.js: Added.
686         (shouldBe):
687         (testJEQ):
688         (testJNEQB):
689         (testJEQB):
690         (testJNEQF):
691         (testJEQF):
692         * stress/fused-jstricteq-slow.js: Added.
693         (shouldBe):
694         (testJSTRICTEQ):
695         (testJNSTRICTEQB):
696         (testJSTRICTEQB):
697         (testJNSTRICTEQF):
698         (testJSTRICTEQF):
699         * stress/fused-jstricteq.js: Added.
700         (shouldBe):
701         (testJSTRICTEQ):
702         (testJNSTRICTEQB):
703         (testJSTRICTEQB):
704         (testJNSTRICTEQF):
705         (testJSTRICTEQF):
706
707 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
708
709         [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
710         https://bugs.webkit.org/show_bug.cgi?id=183559
711
712         Reviewed by Mark Lam.
713
714         * stress/double-to-string-in-loop-removed.js: Added.
715         (test):
716         * stress/int32-to-string-in-loop-removed.js: Added.
717         (test):
718         * stress/int52-to-string-in-loop-removed.js: Added.
719         (test):
720
721 2018-03-22  Michael Saboff  <msaboff@apple.com>
722
723         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
724         https://bugs.webkit.org/show_bug.cgi?id=183901
725
726         Reviewed by Keith Miller.
727
728         New test.
729
730         * stress/array-reverse-doesnt-clobber.js: Added.
731         (testArrayReverse):
732         (createArrayOfArrays):
733         (createArrayStorage):
734
735 2018-03-21  Filip Pizlo  <fpizlo@apple.com>
736
737         ScopedArguments should do poisoning and index masking
738         https://bugs.webkit.org/show_bug.cgi?id=183863
739
740         Reviewed by Mark Lam.
741         
742         Adds another stress test of scoped arguments.
743
744         * stress/scoped-arguments-test.js: Added.
745         (foo):
746
747 2018-03-20  Saam Barati  <sbarati@apple.com>
748
749         We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
750         https://bugs.webkit.org/show_bug.cgi?id=183795
751         <rdar://problem/38298694>
752
753         Reviewed by JF Bastien.
754
755         * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
756         (foo):
757         (bar):
758
759 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
760
761         [DFG][FTL] Add vectorLengthHint for NewArray
762         https://bugs.webkit.org/show_bug.cgi?id=183694
763
764         Reviewed by Saam Barati.
765
766         * stress/vector-length-hint-array-constructor.js: Added.
767         (shouldBe):
768         (test):
769         * stress/vector-length-hint-new-array.js: Added.
770         (shouldBe):
771         (test):
772
773 2018-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
774
775         [DFG][FTL] Make ArraySlice(0) code tight
776         https://bugs.webkit.org/show_bug.cgi?id=183590
777
778         Reviewed by Saam Barati.
779
780         * stress/array-slice-with-zero.js: Added.
781         (shouldBe):
782         (test):
783         (test2):
784         * stress/array-slice-zero-args.js: Added.
785         (shouldBe):
786         (test):
787
788 2018-03-14  Caitlin Potter  <caitp@igalia.com>
789
790         [JSC] fix order of evaluation for ClassDefinitionEvaluation
791         https://bugs.webkit.org/show_bug.cgi?id=183523
792
793         Reviewed by Keith Miller.
794
795         Computed property names need to be evaluated in source order during class
796         definition evaluation, as it's observable (and specified to work this way).
797
798         This change improves compatibility with Chromium.
799
800         * stress/class_elements.js: Added.
801         (test):
802         (test.C.prototype.effect):
803         (test.C.effect):
804         (test.C.prototype.get effect):
805         (test.C.prototype.set effect):
806         (test.C):
807
808 2018-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
809
810         [DFG] AI should convert CreateThis to NewObject if the prototype object is proved
811         https://bugs.webkit.org/show_bug.cgi?id=183310
812
813         Reviewed by Filip Pizlo.
814
815         * stress/ai-create-this-to-new-object-fire.js: Added.
816         (assert):
817         (test):
818         (func):
819         (check):
820         (test.body.A):
821         (test.body.B):
822         (test.body):
823         * stress/ai-create-this-to-new-object.js: Added.
824         (assert):
825         (test):
826         (func):
827         (check):
828         (test.body.A):
829         (test.body.B):
830         (test.body):
831
832 2018-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
833
834         [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
835         https://bugs.webkit.org/show_bug.cgi?id=181848
836
837         Reviewed by Sam Weinig.
838
839         * microbenchmarks/regexp-u-global-es5.js: Added.
840         (fn):
841         * microbenchmarks/regexp-u-global-es6.js: Added.
842         (fn):
843         * stress/materialized-regexp-has-correct-last-index-set-by-match-at-osr-exit.js: Added.
844         (shouldBe):
845         (test):
846         (i.switch):
847         * stress/materialized-regexp-has-correct-last-index-set-by-match.js: Added.
848         (shouldBe):
849         (test):
850
851 2018-03-07  Dominik Infuehr  <dinfuehr@igalia.com>
852
853         Disable test stress/var-injection-cache-invalidation.js on systems with limited memory
854         https://bugs.webkit.org/show_bug.cgi?id=183334
855
856         Reviewed by Žan Doberšek.
857
858         * stress/var-injection-cache-invalidation.js:
859
860 2018-03-06  Dominik Infuehr  <dinfuehr@igalia.com>
861
862         [ARM] Disable tests that run out of memory
863         https://bugs.webkit.org/show_bug.cgi?id=182699
864
865         Reviewed by Žan Doberšek.
866
867         Skip tests that run of of memory. Do not run
868         modules/module-jit-reachability.js without LLInt to prevent
869         running out of executable memory.
870
871         * modules.yaml:
872         * modules/module-jit-reachability.js:
873         * stress/has-own-property-name-cache-string-keys.js:
874         * stress/has-own-property-name-cache-symbol-keys.js:
875
876 2018-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>
877
878         ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
879         https://bugs.webkit.org/show_bug.cgi?id=183173
880
881         Reviewed by Saam Barati.
882
883         * stress/async-arrow-function-in-class-heritage.js: Added.
884         (testSyntax):
885         (testSyntaxError):
886         (SyntaxError):
887
888 2018-03-01  Saam Barati  <sbarati@apple.com>
889
890         We need to clear cached structures when having a bad time
891         https://bugs.webkit.org/show_bug.cgi?id=183256
892         <rdar://problem/36245022>
893
894         Reviewed by Mark Lam.
895
896         * stress/having-a-bad-time-with-derived-arrays.js: Added.
897         (assert):
898         (defineSetter):
899         (iterate):
900         (doSlice):
901
902 2018-02-28  Yusuke Suzuki  <utatane.tea@gmail.com>
903
904         JSC crash with `import("")`
905         https://bugs.webkit.org/show_bug.cgi?id=183175
906
907         Reviewed by Saam Barati.
908
909         * stress/import-with-empty-string.js: Added.
910
911 2018-02-27  Yusuke Suzuki  <utatane.tea@gmail.com>
912
913         Unreviewed, skip FTL tests if FTL is disabled
914         https://bugs.webkit.org/show_bug.cgi?id=183071
915
916         * stress/has-indexed-property-array-storage-ftl.js:
917         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
918
919 2018-02-25  Yusuke Suzuki  <utatane.tea@gmail.com>
920
921         [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
922         https://bugs.webkit.org/show_bug.cgi?id=182965
923
924         Reviewed by Saam Barati.
925
926         * stress/put-by-val-array-storage.js: Added.
927         (shouldBe):
928         (testArrayStorageInBounds):
929         * stress/put-by-val-direct-out-of-bounds-setter.js: Added.
930         (shouldBe):
931         (testInt32.createBuiltin):
932         (set for):
933         * stress/put-by-val-slow-put-array-storage.js: Added.
934         (shouldBe):
935         (testArrayStorageInBounds):
936
937 2018-02-26  Saam Barati  <sbarati@apple.com>
938
939         validateStackAccess should not validate if the offset is within the stack bounds
940         https://bugs.webkit.org/show_bug.cgi?id=183067
941         <rdar://problem/37749988>
942
943         Reviewed by Mark Lam.
944
945         * stress/dont-validate-stack-offset-in-b3-because-it-might-be-guarded-by-control-flow.js: Added.
946         (assert):
947         (test.a):
948         (test.b):
949         (test):
950
951 2018-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
952
953         Unreviewed, skip FTL tests if FTL is disabled
954         https://bugs.webkit.org/show_bug.cgi?id=183071
955
956         * stress/has-indexed-property-array-storage-ftl.js:
957         * stress/has-indexed-property-slow-put-array-storage-ftl.js:
958
959 2018-02-23  Saam Barati  <sbarati@apple.com>
960
961         Make Number.isInteger an intrinsic
962         https://bugs.webkit.org/show_bug.cgi?id=183088
963
964         Reviewed by JF Bastien.
965
966         * stress/number-is-integer-intrinsic.js: Added.
967
968 2018-02-23  Oleksandr Skachkov  <gskachkov@gmail.com>
969
970         WebAssembly: cache memory address / size on instance
971         https://bugs.webkit.org/show_bug.cgi?id=177305
972
973         Reviewed by JF Bastien.
974
975         * wasm/function-tests/memory-reuse.js: Added.
976         (createWasmInstance):
977         (doCheckTrap):
978         (doMemoryGrow):
979         (doCheck):
980         (checkWasmInstancesWithSharedMemory):
981
982 2018-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
983
984         [JSC] Implement $vm.ftlTrue function for FTL testing
985         https://bugs.webkit.org/show_bug.cgi?id=183071
986
987         Reviewed by Mark Lam.
988
989         * stress/dead-fiat-value-to-int52-then-exit-not-double.js:
990         (foo):
991         * stress/dead-fiat-value-to-int52-then-exit-not-int52.js:
992         (foo):
993         * stress/dead-fiat-value-to-int52.js:
994         (foo):
995         * stress/dead-osr-entry-value.js:
996         (foo):
997         * stress/fiat-value-to-int52-then-exit-not-double.js:
998         (foo):
999         * stress/fiat-value-to-int52-then-exit-not-int52.js:
1000         (foo):
1001         * stress/fiat-value-to-int52-then-fail-to-fold.js:
1002         (foo):
1003         * stress/fiat-value-to-int52-then-fold.js:
1004         (foo):
1005         * stress/fiat-value-to-int52.js:
1006         (foo):
1007         * stress/fold-based-on-int32-proof-mul-branch.js:
1008         (foo):
1009         * stress/fold-profiled-call-to-call.js:
1010         (foo):
1011         * stress/fold-to-double-constant-then-exit.js:
1012         (foo):
1013         * stress/fold-to-int52-constant-then-exit.js:
1014         (foo):
1015         * stress/fold-to-primitive-in-cfa.js:
1016         (foo):
1017         * stress/fold-to-primitive-to-identity-in-cfa.js:
1018         (foo):
1019         * stress/has-indexed-property-array-storage-ftl.js: Added.
1020         (shouldBe):
1021         (test1):
1022         (test2):
1023         * stress/has-indexed-property-slow-put-array-storage-ftl.js: Added.
1024         (shouldBe):
1025         (test1):
1026         (test2):
1027         * stress/int52-ai-add-then-filter-int32.js:
1028         (foo):
1029         * stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js:
1030         (foo):
1031         * stress/int52-ai-mul-then-filter-int32.js:
1032         (foo):
1033         * stress/int52-ai-neg-then-filter-int32.js:
1034         (foo):
1035         * stress/int52-ai-sub-then-filter-int32.js:
1036         (foo):
1037         * stress/licm-pre-header-cannot-exit-nested.js:
1038         (foo):
1039         * stress/licm-pre-header-cannot-exit.js:
1040         (foo):
1041         * stress/sparse-array-entry-update-144067.js:
1042         (useMemoryToTriggerGCs):
1043         * stress/test-spec-misc.js:
1044         (foo):
1045         * stress/tricky-array-bounds-checks.js:
1046         (foo):
1047
1048 2018-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1049
1050         [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
1051         https://bugs.webkit.org/show_bug.cgi?id=182792
1052
1053         Reviewed by Mark Lam.
1054
1055         * stress/has-indexed-property-array-storage.js: Added.
1056         (shouldBe):
1057         (test1):
1058         (test2):
1059         * stress/has-indexed-property-slow-put-array-storage.js: Added.
1060         (shouldBe):
1061         (test1):
1062         (test2):
1063
1064 2018-02-20  Saam Barati  <sbarati@apple.com>
1065
1066         DFG::VarargsForwardingPhase should eliminate getting argument length
1067         https://bugs.webkit.org/show_bug.cgi?id=182959
1068
1069         Reviewed by Keith Miller.
1070
1071         * microbenchmarks/forward-arguments-dont-escape-on-arguments-length.js: Added.
1072
1073 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1074
1075         [FTL] Support ArrayPush for ArrayStorage
1076         https://bugs.webkit.org/show_bug.cgi?id=182782
1077
1078         Reviewed by Saam Barati.
1079
1080         Existing array-push-multiple-storage.js covers ArrayPush(ArrayStorage) multiple arguments case.
1081
1082         * stress/array-push-array-storage-beyond-int32.js: Added.
1083         (shouldBe):
1084         (test):
1085         * stress/array-push-array-storage.js: Added.
1086         (shouldBe):
1087         (test):
1088         * stress/array-push-multiple-array-storage-beyond-int32.js: Added.
1089         (shouldBe):
1090         (test):
1091         * stress/array-push-multiple-storage-continuous.js: Added.
1092         (shouldBe):
1093         (test):
1094
1095 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1096
1097         [FTL] Support ArrayPop for ArrayStorage
1098         https://bugs.webkit.org/show_bug.cgi?id=182783
1099
1100         Reviewed by Saam Barati.
1101
1102         * stress/array-pop-array-storage.js: Added.
1103         (shouldBe):
1104         (test):
1105
1106 2018-02-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1107
1108         [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
1109         https://bugs.webkit.org/show_bug.cgi?id=182731
1110
1111         Reviewed by Saam Barati.
1112
1113         * stress/arrayify-array-storage-array.js: Added.
1114         (shouldBe):
1115         (testArrayStorage):
1116         * stress/arrayify-array-storage-non-array.js: Added.
1117         (shouldBe):
1118         (testArrayStorage):
1119         * stress/arrayify-array-storage.js: Added.
1120         (shouldBe):
1121         (testArrayStorage):
1122         * stress/arrayify-slow-put-array-storage-pass-array-storage.js: Added.
1123         (shouldBe):
1124         (testArrayStorage):
1125         * stress/arrayify-slow-put-array-storage.js: Added.
1126         (shouldBe):
1127         (testArrayStorage):
1128
1129 2018-02-19  Saam Barati  <sbarati@apple.com>
1130
1131         Don't use JSFunction's allocation profile when getting the prototype can be effectful
1132         https://bugs.webkit.org/show_bug.cgi?id=182942
1133         <rdar://problem/37584764>
1134
1135         Reviewed by Mark Lam.
1136
1137         * stress/get-prototype-create-this-effectful.js: Added.
1138
1139 2018-02-16  Saam Barati  <sbarati@apple.com>
1140
1141         Fix bugs from r228411
1142         https://bugs.webkit.org/show_bug.cgi?id=182851
1143         <rdar://problem/37577732>
1144
1145         Reviewed by JF Bastien.
1146
1147         * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
1148
1149 2018-02-15  Filip Pizlo  <fpizlo@apple.com>
1150
1151         Unreviewed, roll out r228366 since it did not progress anything.
1152
1153         * stress/gc-error-stack.js: Removed.
1154         * stress/no-gc-error-stack.js: Removed.
1155
1156 2018-02-15  Tomas Popela  <tpopela@redhat.com>
1157
1158         Many stress tests fail with JIT disabled
1159         https://bugs.webkit.org/show_bug.cgi?id=182730
1160
1161         Reviewed by Saam Barati.
1162
1163         These tests are broken by design if the JIT is disabled - they test
1164         the return value of numberOfDFGCompiles(), which is always set to
1165         1000000.0 in TestRunnerUtils.cpp and makes the tests to fail.
1166
1167         * stress/arith-abs-on-various-types.js:
1168         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1169         * stress/arith-acos-on-various-types.js:
1170         * stress/arith-acosh-on-various-types.js:
1171         * stress/arith-asin-on-various-types.js:
1172         * stress/arith-asinh-on-various-types.js:
1173         * stress/arith-atan-on-various-types.js:
1174         * stress/arith-atanh-on-various-types.js:
1175         * stress/arith-cbrt-on-various-types.js:
1176         * stress/arith-ceil-on-various-types.js:
1177         * stress/arith-clz32-on-various-types.js:
1178         * stress/arith-cos-on-various-types.js:
1179         * stress/arith-cosh-on-various-types.js:
1180         * stress/arith-expm1-on-various-types.js:
1181         * stress/arith-floor-on-various-types.js:
1182         * stress/arith-fround-on-various-types.js:
1183         * stress/arith-log-on-various-types.js:
1184         * stress/arith-log10-on-various-types.js:
1185         * stress/arith-log2-on-various-types.js:
1186         * stress/arith-negate-on-various-types.js:
1187         * stress/arith-round-on-various-types.js:
1188         * stress/arith-sin-on-various-types.js:
1189         * stress/arith-sinh-on-various-types.js:
1190         * stress/arith-sqrt-on-various-types.js:
1191         * stress/arith-tan-on-various-types.js:
1192         * stress/arith-tanh-on-various-types.js:
1193         * stress/arith-trunc-on-various-types.js:
1194         * stress/compare-strict-eq-on-various-types.js:
1195
1196 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1197
1198         Skip stress/new-largeish-contiguous-array-with-size.js on arm.
1199
1200         Unreviewed test gardening.
1201
1202         * stress/new-largeish-contiguous-array-with-size.js:
1203
1204 2018-02-14  Saam Barati  <sbarati@apple.com>
1205
1206         Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
1207         https://bugs.webkit.org/show_bug.cgi?id=182801
1208
1209         Reviewed by Keith Miller.
1210
1211         * stress/watchdog-dont-malloc-when-in-c-code.js: Added.
1212
1213 2018-02-14  Ryan Haddad  <ryanhaddad@apple.com>
1214
1215         Skip JSC test stress/activation-sink-default-value-tdz-error.js on debug.
1216         https://bugs.webkit.org/show_bug.cgi?id=182526
1217
1218         Unreviewed test gardening.
1219
1220         * stress/activation-sink-default-value-tdz-error.js:
1221
1222 2018-02-13  Saam Barati  <sbarati@apple.com>
1223
1224         putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
1225         https://bugs.webkit.org/show_bug.cgi?id=182755
1226         <rdar://problem/37080864>
1227
1228         Reviewed by Keith Miller.
1229
1230         * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
1231         (test1.o.get 10005):
1232         (test1):
1233         (test2.o.get 1000):
1234         (test2):
1235
1236 2018-02-13  Caitlin Potter  <caitp@igalia.com>
1237
1238         [JSC] cache TaggedTemplate arrays by callsite rather than by contents
1239         https://bugs.webkit.org/show_bug.cgi?id=182717
1240
1241         Reviewed by Yusuke Suzuki.
1242
1243         https://github.com/tc39/ecma262/pull/890 imposes a change to template
1244         literals, to allow template callsite arrays to be collected when the
1245         code containing the tagged template call is collected. This spec change
1246         has received concensus and been ratified.
1247
1248         This change eliminates the eternal map associating template contents
1249         with arrays.
1250
1251         * stress/tagged-template-object-collect.js: Renamed from JSTests/stress/tagged-template-registry-key-collect.js.
1252         * stress/tagged-template-object.js: Renamed from JSTests/stress/tagged-template-registry-key.js.
1253         * stress/tagged-templates-identity.js:
1254         * stress/template-string-tags-eval.js:
1255         * test262.yaml:
1256
1257 2018-02-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1258
1259         Support GetArrayLength on ArrayStorage in the FTL
1260         https://bugs.webkit.org/show_bug.cgi?id=182625
1261
1262         Reviewed by Saam Barati.
1263
1264         * stress/array-storage-length.js: Added.
1265         (shouldBe):
1266         (testInBound):
1267         (testUncountable):
1268         (testSlowPutInBound):
1269         (testSlowPutUncountable):
1270         * stress/undecided-length.js: Added.
1271         (shouldBe):
1272         (test2):
1273
1274 2018-02-12  Saam Barati  <sbarati@apple.com>
1275
1276         DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
1277         https://bugs.webkit.org/show_bug.cgi?id=182706
1278         <rdar://problem/36833681>
1279
1280         Reviewed by Filip Pizlo.
1281
1282         * stress/get-array-length-phantom-new-array-buffer.js: Added.
1283         (effects):
1284         (foo):
1285
1286 2018-02-09  Filip Pizlo  <fpizlo@apple.com>
1287
1288         Don't waste memory for error.stack
1289         https://bugs.webkit.org/show_bug.cgi?id=182656
1290
1291         Reviewed by Saam Barati.
1292         
1293         Tests the policy.
1294
1295         * stress/gc-error-stack.js: Added. Shows that the GC forgets frames now.
1296         * stress/no-gc-error-stack.js: Added. Shows that the GC won't forget things if you ask for the stack.
1297
1298 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1299
1300         [JSC] Update Test262 to Feb 9 version
1301         https://bugs.webkit.org/show_bug.cgi?id=182468
1302
1303         Reviewed by Saam Barati.
1304
1305 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1306
1307         Unreviewed, fix invalid line terminator in old test262 file part 2
1308         https://bugs.webkit.org/show_bug.cgi?id=182468
1309
1310         * test262/test/built-ins/Function/prototype/toString/line-terminator-normalisation-CR.js:
1311
1312 2018-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1313
1314         Unreviewed, fix invalid line terminator in old test262 file
1315         https://bugs.webkit.org/show_bug.cgi?id=182468
1316
1317         * test262/test/language/literals/regexp/7.8.5-1.js:
1318
1319 2018-02-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1320
1321         [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
1322         https://bugs.webkit.org/show_bug.cgi?id=182440
1323
1324         Reviewed by Darin Adler.
1325
1326         * stress/array-flatmap.js: Added.
1327         (shouldBe):
1328         (shouldBeArray):
1329         (shouldThrow):
1330         (var):
1331         * stress/array-flatten.js: Added.
1332         (shouldBe):
1333         (shouldBeArray):
1334         * test262.yaml:
1335         * test262/test/built-ins/Array/prototype/flatMap/depth-always-one.js:
1336         (3.flatMap):
1337         Pick test262 82c6148980332febe92a544a1fb653718e9fdb57 change.
1338
1339 2018-02-06  Keith Miller  <keith_miller@apple.com>
1340
1341         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
1342         https://bugs.webkit.org/show_bug.cgi?id=182549
1343         <rdar://problem/36189995>
1344
1345         Reviewed by Saam Barati.
1346
1347         * stress/var-injection-cache-invalidation.js: Added.
1348         (allocateLotsOfThings):
1349         (test):
1350
1351 2018-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1352
1353         Unreviewed, follow up for test262 update
1354         https://bugs.webkit.org/show_bug.cgi?id=182288
1355
1356         * test262.yaml:
1357
1358 2018-02-02  Ryan Haddad  <ryanhaddad@apple.com>
1359
1360         Update test262 to Jan 30 version
1361         https://bugs.webkit.org/show_bug.cgi?id=182288
1362
1363         Unreviewed test gardening.
1364
1365         * test262.yaml: Remove entry for missing test language/expressions/assignment/white-space.js
1366
1367 2018-02-02  Saam Barati  <sbarati@apple.com>
1368
1369         When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
1370         https://bugs.webkit.org/show_bug.cgi?id=182368
1371         <rdar://problem/36932466>
1372
1373         Reviewed by Mark Lam.
1374
1375         * stress/flush-after-force-exit-in-bytecodeparser-needs-to-update-argument-positions.js: Added.
1376         (runNearStackLimit.t):
1377         (runNearStackLimit):
1378         (try.runNearStackLimit):
1379         (catch):
1380
1381 2018-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1382
1383         Update test262 to Jan 30 version
1384         https://bugs.webkit.org/show_bug.cgi?id=182288
1385
1386         Rubber stamped by Saam Barati.
1387
1388         This patch updates test262 to the latest one, Jan 30 version.
1389         Since added and changed files are too many, we cannot create ChangeLog.
1390         The following files are changed.
1391
1392         Several files are intentionally omitted due to merge failures. We should investigate how to merge files
1393         including some special line terminators (like u2028, u2029).
1394
1395         * test262.yaml:
1396         * test262/test262-Revision.txt:
1397         * test262/*:
1398
1399 2018-02-02  Guillaume Emont  <guijemont@igalia.com>
1400
1401         JSTests: Skip mozilla/js1_5/Array/regress-157652.js on all memory limited platforms
1402         https://bugs.webkit.org/show_bug.cgi?id=182411
1403
1404         Reviewed by Carlos Alberto Lopez Perez.
1405
1406         This is skipped only on arm memory limited platforms. Until recently
1407         it was not a problem on MIPS as the butterfly was not initialized. But
1408         since r227435, the butterfly is initialized in that test and therefore
1409         memory is allocated, and the test typically takes around 512M, which
1410         means it generally gets OOM-killed on the MIPS buildbot.
1411
1412         * mozilla/mozilla-tests.yaml:
1413
1414 2018-02-01  Mark Lam  <mark.lam@apple.com>
1415
1416         Fix broken bounds check in FTL's compileGetMyArgumentByVal().
1417         https://bugs.webkit.org/show_bug.cgi?id=182419
1418         <rdar://problem/37044945>
1419
1420         Reviewed by Saam Barati.
1421
1422         * stress/regress-182419.js: Added.
1423
1424 2018-02-01  Keith Miller  <keith_miller@apple.com>
1425
1426         Fix crashes due to mishandling custom sections.
1427         https://bugs.webkit.org/show_bug.cgi?id=182404
1428         <rdar://problem/36935863>
1429
1430         Reviewed by Saam Barati.
1431
1432         * wasm/Builder.js:
1433         (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
1434         * wasm/js-api/validate.js:
1435         (assert.truthy):
1436
1437 2018-01-31  Saam Barati  <sbarati@apple.com>
1438
1439         JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
1440         https://bugs.webkit.org/show_bug.cgi?id=182074
1441         <rdar://problem/36846261>
1442
1443         Reviewed by Mark Lam.
1444
1445         * stress/jsonp-program-evaluate-path-must-consider-global-lexical-environment.js: Added.
1446         (assert):
1447         (let.func):
1448         (let.o.foo):
1449         (varFunc):
1450
1451 2018-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1452
1453         Unreviewed, update test262 expects
1454         https://bugs.webkit.org/show_bug.cgi?id=182232
1455
1456         * test262.yaml:
1457
1458 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1459
1460         [JSC] Implement trimStart and trimEnd
1461         https://bugs.webkit.org/show_bug.cgi?id=182233
1462
1463         Reviewed by Mark Lam.
1464
1465         * stress/trim.js: Added.
1466         (shouldBe):
1467         (startTest):
1468         (endTest):
1469         (trimTest):
1470
1471 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1472
1473         [JSC] Relax line terminators in String to make JSON subset of JS
1474         https://bugs.webkit.org/show_bug.cgi?id=182232
1475
1476         Reviewed by Keith Miller.
1477
1478         * ChakraCore/test/es5/Lex_u3.baseline-jsc:
1479         * stress/relaxed-line-terminators-in-string.js: Added.
1480         (shouldBe):
1481
1482 2018-01-29  Michael Saboff  <msaboff@apple.com>
1483
1484         REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
1485         https://bugs.webkit.org/show_bug.cgi?id=182249
1486
1487         Reviewed by Keith Miller.
1488
1489         New regression test.
1490
1491         * stress/compare-clobber-untypeduse.js: Added.
1492
1493 2018-01-29  Matt Lewis  <jlewis3@apple.com>
1494
1495         Unreviewed, rolling out r227725.
1496
1497         This caused internal failures.
1498
1499         Reverted changeset:
1500
1501         "JSC Sampling Profiler: Detect tester and testee when sampling
1502         in RegExp JIT"
1503         https://bugs.webkit.org/show_bug.cgi?id=152729
1504         https://trac.webkit.org/changeset/227725
1505
1506 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1507
1508         JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
1509         https://bugs.webkit.org/show_bug.cgi?id=152729
1510
1511         Reviewed by Saam Barati.
1512
1513         * stress/sampling-profiler-regexp.js: Added.
1514         (platformSupportsSamplingProfiler.test):
1515         (platformSupportsSamplingProfiler.baz):
1516         (platformSupportsSamplingProfiler):
1517
1518 2018-01-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1519
1520         [DFG][FTL] WeakMap#set should have DFG node
1521         https://bugs.webkit.org/show_bug.cgi?id=180015
1522
1523         Reviewed by Saam Barati.
1524
1525         * stress/weakmap-set-change-get.js: Added.
1526         (shouldBe):
1527         (test):
1528         * stress/weakmap-set-cse.js: Added.
1529         (shouldBe):
1530         (test):
1531         * stress/weakset-add-change-get.js: Added.
1532         (shouldBe):
1533         * stress/weakset-add-cse.js: Added.
1534         (shouldBe):
1535
1536 2018-01-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1537
1538         DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
1539         https://bugs.webkit.org/show_bug.cgi?id=182213
1540
1541         Reviewed by Mark Lam.
1542
1543         * stress/int32-min-to-string.js: Added.
1544         (shouldBe):
1545         (test2):
1546         (test4):
1547         (test8):
1548         (test16):
1549         (test32):
1550         * stress/zero-to-string.js: Added.
1551         (shouldBe):
1552         (test2):
1553         (test4):
1554         (test8):
1555         (test16):
1556         (test32):
1557
1558 2018-01-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1559
1560         Add more module scope related tests with code evaluation by string
1561         https://bugs.webkit.org/show_bug.cgi?id=181983
1562
1563         Reviewed by Sam Weinig.
1564
1565         Add more module scope related tests. When the original tests are landed,
1566         we do not have browser integration. This patch adds more module scope tests
1567         with dynamically created script evaluation. We add tests with Function
1568         constructor, direct eval, indirect eval, setTimeout, setInterval, and event handlers.
1569
1570         * modules/scopes-eval.js: Added.
1571         (shouldBe):
1572         * modules/scopes.js:
1573         (shouldBe):
1574
1575 2018-01-23  Filip Pizlo  <fpizlo@apple.com>
1576
1577         Unreviewed, retire some microbenchmarks that are proportionately very slow. Benchmark running time should be proportional to their value. Microbenchmarks have little value, so they should be very fast.
1578
1579         * microbenchmarks/array-push-3.js: Removed.
1580         * microbenchmarks/bigswitch-indirect-symbol-or-undefined.js: Removed.
1581         * microbenchmarks/double-to-int32.js: Removed.
1582         * microbenchmarks/fake-iterators-that-throw-when-finished.js: Removed.
1583         * microbenchmarks/ftl-polymorphic-bitand.js: Removed.
1584         * microbenchmarks/ftl-polymorphic-bitor.js: Removed.
1585         * microbenchmarks/ftl-polymorphic-bitxor.js: Removed.
1586         * microbenchmarks/ftl-polymorphic-lshift.js: Removed.
1587         * microbenchmarks/ftl-polymorphic-rshift.js: Removed.
1588         * microbenchmarks/ftl-polymorphic-sub.js: Removed.
1589         * microbenchmarks/ftl-polymorphic-urshift.js: Removed.
1590         * microbenchmarks/map-constant-key.js: Removed.
1591         * microbenchmarks/nested-function-parsing.js: Removed.
1592         * microbenchmarks/rest-parameter-allocation-elimination.js: Removed.
1593         * microbenchmarks/spread-large-array.js: Removed.
1594         * microbenchmarks/string-add-constant-folding.js: Removed.
1595         * microbenchmarks/to-lower-case.js: Removed.
1596         * microbenchmarks/undefined-property-access.js: Removed.
1597         * slowMicrobenchmarks/array-push-3.js: Copied from JSTests/microbenchmarks/array-push-3.js.
1598         * slowMicrobenchmarks/bigswitch-indirect-symbol-or-undefined.js: Copied from JSTests/microbenchmarks/bigswitch-indirect-symbol-or-undefined.js.
1599         * slowMicrobenchmarks/double-to-int32.js: Copied from JSTests/microbenchmarks/double-to-int32.js.
1600         * slowMicrobenchmarks/fake-iterators-that-throw-when-finished.js: Copied from JSTests/microbenchmarks/fake-iterators-that-throw-when-finished.js.
1601         * slowMicrobenchmarks/ftl-polymorphic-bitand.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitand.js.
1602         * slowMicrobenchmarks/ftl-polymorphic-bitor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitor.js.
1603         * slowMicrobenchmarks/ftl-polymorphic-bitxor.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-bitxor.js.
1604         * slowMicrobenchmarks/ftl-polymorphic-lshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-lshift.js.
1605         * slowMicrobenchmarks/ftl-polymorphic-rshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-rshift.js.
1606         * slowMicrobenchmarks/ftl-polymorphic-sub.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-sub.js.
1607         * slowMicrobenchmarks/ftl-polymorphic-urshift.js: Copied from JSTests/microbenchmarks/ftl-polymorphic-urshift.js.
1608         * slowMicrobenchmarks/map-constant-key.js: Copied from JSTests/microbenchmarks/map-constant-key.js.
1609         * slowMicrobenchmarks/nested-function-parsing.js: Copied from JSTests/microbenchmarks/nested-function-parsing.js.
1610         * slowMicrobenchmarks/rest-parameter-allocation-elimination.js: Copied from JSTests/microbenchmarks/rest-parameter-allocation-elimination.js.
1611         * slowMicrobenchmarks/spread-large-array.js: Copied from JSTests/microbenchmarks/spread-large-array.js.
1612         * slowMicrobenchmarks/string-add-constant-folding.js: Copied from JSTests/microbenchmarks/string-add-constant-folding.js.
1613         * slowMicrobenchmarks/to-lower-case.js: Copied from JSTests/microbenchmarks/to-lower-case.js.
1614         * slowMicrobenchmarks/undefined-property-access.js: Copied from JSTests/microbenchmarks/undefined-property-access.js.
1615
1616 2018-01-23  Robin Morisset  <rmorisset@apple.com>
1617
1618         Update the argument count in DFGByteCodeParser::handleRecursiveCall
1619         https://bugs.webkit.org/show_bug.cgi?id=181739
1620         <rdar://problem/36627662>
1621
1622         Reviewed by Saam Barati.
1623
1624         * stress/recursive-tail-call-with-different-argument-count.js: Added.
1625         (foo):
1626         (bar):
1627
1628 2018-01-22  Michael Saboff  <msaboff@apple.com>
1629
1630         DFG abstract interpreter needs to properly model effects of some Math ops
1631         https://bugs.webkit.org/show_bug.cgi?id=181886
1632
1633         Reviewed by Saam Barati.
1634
1635         New regression test.
1636
1637         * stress/arith-nodes-abstract-interpreter-untypeduse.js: Added.
1638         (test):
1639
1640 2018-01-20  Caio Lima  <ticaiolima@gmail.com>
1641
1642         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1643         https://bugs.webkit.org/show_bug.cgi?id=181182
1644
1645         Reviewed by Darin Adler.
1646
1647         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1648         * stress/big-int-prototype-to-string-exception.js: Added.
1649         * stress/big-int-prototype-to-string-wrong-values.js: Added.
1650         * stress/number-prototype-to-string-cast-overflow.js: Added.
1651         * stress/number-prototype-to-string-exception.js: Added.
1652         * stress/number-prototype-to-string-wrong-values.js: Added.
1653
1654 2018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
1655
1656         Disable Atomics when SharedArrayBuffer isn’t enabled
1657         https://bugs.webkit.org/show_bug.cgi?id=181572
1658
1659         Unreviewed test gardening.
1660
1661         * test262.yaml: Skip tests that fail after this change.
1662
1663 2018-01-19  Saam Barati  <sbarati@apple.com>
1664
1665         Kill ArithNegate's ArithProfile assert inside BytecodeParser
1666         https://bugs.webkit.org/show_bug.cgi?id=181877
1667         <rdar://problem/36630552>
1668
1669         Reviewed by Mark Lam.
1670
1671         * stress/arith-profile-for-negate-can-see-non-number-due-to-dfg-osr-exit-profiling.js: Added.
1672         (runNearStackLimit):
1673         (f1):
1674         (f2):
1675         (f3):
1676         (i.catch):
1677         (i.try.runNearStackLimit):
1678         (catch):
1679
1680 2018-01-19  Saam Barati  <sbarati@apple.com>
1681
1682         Spread's effects are modeled incorrectly both in AI and in Clobberize
1683         https://bugs.webkit.org/show_bug.cgi?id=181867
1684         <rdar://problem/36290415>
1685
1686         Reviewed by Michael Saboff.
1687
1688         * stress/ai-needs-to-model-spreads-effects.js: Added.
1689         (try.p.Symbol.iterator):
1690         (try.go):
1691         (catch):
1692         * stress/clobberize-needs-to-model-spread-effects.js: Added.
1693         (assert):
1694         (foo):
1695         (a.Symbol.iterator):
1696
1697 2018-01-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1698
1699         Unreviewed, reduce count of iteration to fix timing out debug JSC test
1700         https://bugs.webkit.org/show_bug.cgi?id=181535
1701
1702         * stress/inserted-recovery-with-set-last-index.js:
1703
1704 2018-01-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1705
1706         [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
1707         https://bugs.webkit.org/show_bug.cgi?id=181535
1708
1709         Reviewed by Saam Barati.
1710
1711         * stress/inserted-recovery-with-set-last-index.js: Added.
1712         (shouldBe):
1713         (foo):
1714         * stress/materialize-regexp-at-osr-exit.js: Added.
1715         (shouldBe):
1716         (test):
1717         * stress/materialize-regexp-cyclic-regexp-at-osr-exit.js: Added.
1718         (shouldBe):
1719         (test):
1720         * stress/materialize-regexp-cyclic-regexp.js: Added.
1721         (shouldBe):
1722         (test):
1723         (i.switch):
1724         * stress/materialize-regexp-cyclic.js: Added.
1725         (shouldBe):
1726         (test):
1727         (i.switch):
1728         * stress/materialize-regexp-referenced-from-phantom-regexp-cyclic.js: Added.
1729         (bar):
1730         (foo):
1731         (test):
1732         * stress/materialize-regexp-referenced-from-phantom-regexp.js: Added.
1733         (bar):
1734         (foo):
1735         (test):
1736         * stress/materialize-regexp.js: Added.
1737         (shouldBe):
1738         (test):
1739         * stress/phantom-regexp-regexp-exec.js: Added.
1740         (shouldBe):
1741         (test):
1742         * stress/phantom-regexp-string-match.js: Added.
1743         (shouldBe):
1744         (test):
1745         * stress/regexp-last-index-sinking.js: Added.
1746         (shouldBe):
1747         (test):
1748
1749 2018-01-17  Saam Barati  <sbarati@apple.com>
1750
1751         Disable Atomics when SharedArrayBuffer isn’t enabled
1752         https://bugs.webkit.org/show_bug.cgi?id=181572
1753         <rdar://problem/36553206>
1754
1755         Reviewed by Michael Saboff.
1756
1757         * stress/isLockFree.js:
1758
1759 2018-01-17  Saam Barati  <sbarati@apple.com>
1760
1761         DFG::Node::convertToConstant needs to clear the varargs flags
1762         https://bugs.webkit.org/show_bug.cgi?id=181697
1763         <rdar://problem/36497332>
1764
1765         Reviewed by Yusuke Suzuki.
1766
1767         * stress/dfg-node-convert-to-constant-must-clear-varargs-flags.js: Added.
1768         (doIndexOf):
1769         (bar):
1770         (i.bar):
1771
1772 2018-01-16  Ryan Haddad  <ryanhaddad@apple.com>
1773
1774         Unreviewed, rolling out r226937.
1775
1776         Tests added with this change are failing due to a missing
1777         exception check.
1778
1779         Reverted changeset:
1780
1781         "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
1782         double to int32_t"
1783         https://bugs.webkit.org/show_bug.cgi?id=181182
1784         https://trac.webkit.org/changeset/226937
1785
1786 2018-01-13  Caio Lima  <ticaiolima@gmail.com>
1787
1788         [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
1789         https://bugs.webkit.org/show_bug.cgi?id=181182
1790
1791         Reviewed by Darin Adler.
1792
1793         * bigIntTests.yaml:
1794         * stress/big-int-constructor.js:
1795         * stress/big-int-prototype-to-string-cast-overflow.js: Added.
1796         (assert):
1797         (assertThrowRangeError):
1798         * stress/number-prototype-to-string-cast-overflow.js: Added.
1799         (assert):
1800         (assertThrowRangeError):
1801
1802 2018-01-12  Saam Barati  <sbarati@apple.com>
1803
1804         CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
1805         https://bugs.webkit.org/show_bug.cgi?id=181177
1806         <rdar://problem/36205704>
1807
1808         Reviewed by Yusuke Suzuki.
1809
1810         * stress/check-structure-ir-ensures-empty-does-not-flow-through.js: Added.
1811         (runNearStackLimit.t):
1812         (runNearStackLimit):
1813         (test.f):
1814         (test):
1815
1816 2018-01-12  Saam Barati  <sbarati@apple.com>
1817
1818         Each variant of a polymorphic inlined call should be exitOK at the top of the block
1819         https://bugs.webkit.org/show_bug.cgi?id=181562
1820         <rdar://problem/36445624>
1821
1822         Reviewed by Yusuke Suzuki.
1823
1824         * stress/each-block-at-top-of-polymorphic-call-inlining-should-be-exitOK.js: Added.
1825         (f):
1826         (foo):
1827
1828 2018-01-11  Saam Barati  <sbarati@apple.com>
1829
1830         When inserting Unreachable in byte code parser we need to flush all the right things
1831         https://bugs.webkit.org/show_bug.cgi?id=181509
1832         <rdar://problem/36423110>
1833
1834         Reviewed by Mark Lam.
1835
1836         * stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.
1837
1838 2018-01-11  Saam Barati  <sbarati@apple.com>
1839
1840         JITMathIC code in the FTL is wrong when code gets duplicated
1841         https://bugs.webkit.org/show_bug.cgi?id=181525
1842         <rdar://problem/36351993>
1843
1844         Reviewed by Michael Saboff and Keith Miller.
1845
1846         * stress/allow-math-ic-b3-code-duplication.js: Added.
1847
1848 2018-01-11  Saam Barati  <sbarati@apple.com>
1849
1850         Our for-in caching is wrong when we add indexed properties on things in the prototype chain
1851         https://bugs.webkit.org/show_bug.cgi?id=181508
1852
1853         Reviewed by Yusuke Suzuki.
1854
1855         * stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
1856         (assert):
1857         (test1.foo):
1858         (test1):
1859         (test2.foo):
1860         (test2):
1861
1862 2018-01-09  Mark Lam  <mark.lam@apple.com>
1863
1864         ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
1865         https://bugs.webkit.org/show_bug.cgi?id=181388
1866         <rdar://problem/36349351>
1867
1868         Reviewed by Saam Barati.
1869
1870         * stress/regress-181388.js: Added.
1871
1872 2018-01-08  JF Bastien  <jfbastien@apple.com>
1873
1874         WebAssembly: mask indexed accesses to Table
1875         https://bugs.webkit.org/show_bug.cgi?id=181412
1876         <rdar://problem/36363236>
1877
1878         Reviewed by Saam Barati.
1879
1880         Update error messages.
1881
1882         * wasm/js-api/table.js:
1883         (assert.throws.WebAssembly.Table.prototype.grow):
1884
1885 2018-01-08  Ryan Haddad  <ryanhaddad@apple.com>
1886
1887         Disable SharedArrayBuffer tests missed in r226386.
1888         https://bugs.webkit.org/show_bug.cgi?id=181266
1889
1890         Unreviewed test gardening.
1891
1892         * test262.yaml:
1893
1894 2018-01-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1895
1896         Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
1897         https://bugs.webkit.org/show_bug.cgi?id=181321
1898
1899         Reviewed by Saam Barati.
1900
1901         * stress/bound-function-does-not-have-caller-and-arguments.js: Added.
1902         (shouldBe):
1903         (testFunction):
1904         * test262.yaml:
1905
1906 2018-01-05  Ryan Haddad  <ryanhaddad@apple.com>
1907
1908         Unreviewed, attempt to fix test262 after r226386.
1909
1910         * test262.yaml:
1911
1912 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1913
1914         [DFG] Define defs for MapSet/SetAdd to participate in CSE
1915         https://bugs.webkit.org/show_bug.cgi?id=179911
1916
1917         Reviewed by Saam Barati.
1918
1919         In addition to these tests, map-set-cse.js and set-add-cse.js work.
1920
1921         * stress/map-set-change-get.js: Added.
1922         (shouldBe):
1923         (test):
1924         * stress/map-set-create-bucket.js: Added.
1925         (shouldBe):
1926         (test):
1927         * stress/set-add-create-bucket.js: Added.
1928         (shouldBe):
1929
1930 2018-01-03  Michael Saboff  <msaboff@apple.com>
1931
1932         Disable SharedArrayBuffers from Web API
1933         https://bugs.webkit.org/show_bug.cgi?id=181266
1934
1935         Reviewed by Saam Barati.
1936
1937         Disabled SharedArrayBuffer tests.
1938
1939         * stress/SharedArrayBuffer-opt.js:
1940         * stress/SharedArrayBuffer.js:
1941         * stress/array-buffer-byte-length.js:
1942         * stress/atomics-add-uint32.js:
1943         * stress/atomics-known-int-use.js:
1944         * stress/atomics-neg-zero.js:
1945         * stress/atomics-store-return.js:
1946         * stress/lars-sab-workers.js:
1947         * stress/regress-159779-1.js:
1948         * stress/regress-159779-2.js:
1949         * stress/regress-170473.js:
1950         * test262.yaml:
1951
1952 2018-01-03  Caio Lima  <ticaiolima@gmail.com>
1953
1954         [ESNext][BigInt] Failing test stress/big-int-constructor-oom.js into MIPS
1955         https://bugs.webkit.org/show_bug.cgi?id=181258
1956
1957         Reviewed by Antonio Gomes.
1958
1959         * stress/big-int-constructor-gc.js:
1960         * stress/big-int-constructor-oom.js:
1961
1962 2018-01-03  Robin Morisset  <rmorisset@apple.com>
1963
1964         Inlining of a function that ends in op_unreachable crashes
1965         https://bugs.webkit.org/show_bug.cgi?id=181027
1966
1967         Reviewed by Filip Pizlo.
1968
1969         * stress/inlining-unreachable.js: Added.
1970         (bar):
1971         (baz):
1972         (i.catch):
1973
1974 2018-01-02  Saam Barati  <sbarati@apple.com>
1975
1976         Incorrect assertion inside AccessCase
1977         https://bugs.webkit.org/show_bug.cgi?id=181200
1978         <rdar://problem/35494754>
1979
1980         Reviewed by Yusuke Suzuki.
1981
1982         * stress/setter-same-base-and-rhs-invalid-assertion-inside-access-case.js: Added.
1983         (ctor):
1984         (theFunc):
1985         (run):
1986
1987 2018-01-02  Caio Lima  <ticaiolima@gmail.com>
1988
1989         [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
1990         https://bugs.webkit.org/show_bug.cgi?id=175359
1991
1992         Reviewed by Yusuke Suzuki.
1993
1994         * bigIntTests.yaml:
1995         * stress/big-int-as-key.js: Added.
1996         * stress/big-int-constructor-gc.js: Added.
1997         * stress/big-int-constructor-oom.js: Added.
1998         * stress/big-int-constructor-properties.js: Added.
1999         * stress/big-int-constructor-prototype-prop-descriptor.js: Added.
2000         * stress/big-int-constructor-prototype.js: Added.
2001         * stress/big-int-constructor.js: Added.
2002         * stress/big-int-function-apply.js:
2003         * stress/big-int-length.js: Added.
2004         * stress/big-int-prop-descriptor.js: Added.
2005         * stress/big-int-proto-constructor.js: Added.
2006         * stress/big-int-proto-name.js: Added.
2007         * stress/big-int-prototype-properties.js: Added.
2008         * stress/big-int-prototype-proto.js: Added.
2009         * stress/big-int-prototype-value-of.js: Added.
2010         * stress/big-int-prototype-symbol-to-string-tag.js: Added.
2011         * stress/big-int-prototype-to-string-apply.js: Added.
2012         * stress/big-int-to-object.js: Added.
2013         * stress/big-int-to-string.js: Added.
2014
2015 2017-12-28  Saam Barati  <sbarati@apple.com>
2016
2017         Assertion used to determine if something is an async generator is wrong
2018         https://bugs.webkit.org/show_bug.cgi?id=181168
2019         <rdar://problem/35640560>
2020
2021         Reviewed by Yusuke Suzuki.
2022
2023         * stress/async-generator-assertion.js: Added.
2024
2025 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2026
2027         Skip stress/splay-flash-access tests on memory limited platforms
2028         https://bugs.webkit.org/show_bug.cgi?id=181086
2029
2030         Reviewed by Carlos Alberto Lopez Perez.
2031
2032         These tests use about 185M of memory, and occasionally get OOM-killed
2033         on memory limited platforms.
2034
2035         * stress/splay-flash-access-1ms.js:
2036         * stress/splay-flash-access.js:
2037
2038 2017-12-21  Guillaume Emont  <guijemont@igalia.com>
2039
2040         Skip slow jsc tests on embedded platforms
2041         https://bugs.webkit.org/show_bug.cgi?id=180937
2042
2043         Reviewed by Carlos Alberto Lopez Perez.
2044
2045         The tests typeProfiler/deltablue-for-of.js and
2046         typeProfiler/getter-richards.js take a very long time in the
2047         ftl-no-cjit-type-profiler-force-poly-proto on embedded platform, and
2048         thus always timeout. They should be skipped on these platforms.
2049
2050         * typeProfiler/deltablue-for-of.js: Skip on arm*/mips.
2051         * typeProfiler/getter-richards.js: Skip on arm*/mips.
2052
2053 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2054
2055         [JSC] Do not check isValid() in op_new_regexp
2056         https://bugs.webkit.org/show_bug.cgi?id=180970
2057
2058         Reviewed by Saam Barati.
2059
2060         * stress/regexp-syntax-error-invalid-flags.js: Added.
2061         (shouldThrow):
2062
2063 2017-12-18  Guillaume Emont  <guijemont@igalia.com>
2064
2065         Skip stress/call-apply-exponential-bytecode-size.js unless x86-64 or arm64
2066         https://bugs.webkit.org/show_bug.cgi?id=180712
2067
2068         Reviewed by Michael Catanzaro.
2069
2070         stress/call-apply-exponential-bytecode-size.js crashes if the
2071         ExecutableAllocator's fixedExecutableMemoryPoolSize is less than 64
2072         MB. Currently it is 64 MB or more only on x86-64 and arm64, so we
2073         should skip the test on other platforms.
2074
2075         * stress/call-apply-exponential-bytecode-size.js:
2076
2077 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2078
2079         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
2080         https://bugs.webkit.org/show_bug.cgi?id=179762
2081
2082         Reviewed by Saam Barati.
2083
2084         * stress/call-varargs-double-new-array-buffer.js: Added.
2085         (assert):
2086         (bar):
2087         (foo):
2088         * stress/call-varargs-spread-new-array-buffer.js: Added.
2089         (assert):
2090         (bar):
2091         (foo):
2092         * stress/call-varargs-spread-new-array-buffer2.js: Added.
2093         (assert):
2094         (bar):
2095         (foo):
2096         * stress/forward-varargs-double-new-array-buffer.js: Added.
2097         (assert):
2098         (test.baz):
2099         (test.bar):
2100         (test.foo):
2101         (test):
2102         * stress/new-array-buffer-sinking-osrexit.js: Added.
2103         (target):
2104         (test):
2105         * stress/new-array-with-spread-double-new-array-buffer.js: Added.
2106         (shouldBe):
2107         (test):
2108         * stress/new-array-with-spread-with-phantom-new-array-buffer.js: Added.
2109         (shouldBe):
2110         (target):
2111         (test):
2112         * stress/phantom-new-array-buffer-forward-varargs.js: Added.
2113         (assert):
2114         (test1.bar):
2115         (test1.foo):
2116         (test1):
2117         (test2.bar):
2118         (test2.foo):
2119         (test3.baz):
2120         (test3.bar):
2121         (test3.foo):
2122         (test4.baz):
2123         (test4.bar):
2124         (test4.foo):
2125         * stress/phantom-new-array-buffer-forward-varargs2.js: Added.
2126         (assert):
2127         (test.baz):
2128         (test.bar):
2129         (test.foo):
2130         (test):
2131         * stress/phantom-new-array-buffer-osr-exit.js: Added.
2132         (assert):
2133         (baz):
2134         (bar):
2135         (effects):
2136         (foo):
2137
2138 2017-12-14  Saam Barati  <sbarati@apple.com>
2139
2140         The CleanUp after LICM is erroneously removing a Check
2141         https://bugs.webkit.org/show_bug.cgi?id=180852
2142         <rdar://problem/36063494>
2143
2144         Reviewed by Filip Pizlo.
2145
2146         * stress/dont-run-cleanup-after-licm.js: Added.
2147
2148 2017-12-14  Michael Saboff  <msaboff@apple.com>
2149
2150         REGRESSION (r225695): Repro crash on yahoo login page
2151         https://bugs.webkit.org/show_bug.cgi?id=180761
2152
2153         Reviewed by JF Bastien.
2154
2155         New regression test.
2156
2157         * stress/regress-180761.js: Added.
2158
2159 2017-12-13  Keith Miller  <keith_miller@apple.com>
2160
2161         JSObjects should have a mask for loading indexed properties
2162         https://bugs.webkit.org/show_bug.cgi?id=180768
2163
2164         Reviewed by Mark Lam.
2165
2166         * stress/int16-put-by-val-in-and-out-of-bounds.js:
2167         (test):
2168
2169 2017-12-13  Saam Barati  <sbarati@apple.com>
2170
2171         Arrow functions need their own structure because they have different properties than sloppy functions
2172         https://bugs.webkit.org/show_bug.cgi?id=180779
2173         <rdar://problem/35814591>
2174
2175         Reviewed by Mark Lam.
2176
2177         * stress/arrow-function-needs-its-own-structure.js: Added.
2178         (assert):
2179         (readPrototype):
2180         (noInline.let.f1):
2181         (noInline):
2182
2183 2017-12-13  Saam Barati  <sbarati@apple.com>
2184
2185         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
2186         https://bugs.webkit.org/show_bug.cgi?id=163579
2187         <rdar://problem/35455798>
2188
2189         Reviewed by Mark Lam.
2190
2191         * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Added.
2192         (assert):
2193         (test1):
2194         (i.test1):
2195         (i.test1.C):
2196         (i.test1.async.foo):
2197         (i.test1.foo):
2198         (test2):
2199
2200 2017-12-13  Saam Barati  <sbarati@apple.com>
2201
2202         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
2203         https://bugs.webkit.org/show_bug.cgi?id=180734
2204         <rdar://problem/35640547>
2205
2206         Reviewed by Yusuke Suzuki.
2207
2208         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js: Added.
2209         (__isPropertyOfType):
2210         (__getProperties):
2211         (__getObjects):
2212         (__getRandomObject):
2213         (theClass.):
2214         (theClass):
2215         (childClass):
2216         (counter.catch):
2217
2218 2017-12-12  Saam Barati  <sbarati@apple.com>
2219
2220         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
2221         https://bugs.webkit.org/show_bug.cgi?id=180725
2222         <rdar://problem/35970511>
2223
2224         Reviewed by Michael Saboff.
2225
2226         * stress/model-effects-properly-of-spread-over-phantom-create-rest.js: Added.
2227         (f1):
2228         (f2):
2229         (let.o2.valueOf):
2230
2231 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2232
2233         [JSC] Implement optimized WeakMap and WeakSet
2234         https://bugs.webkit.org/show_bug.cgi?id=179929
2235
2236         Reviewed by Saam Barati.
2237
2238         * microbenchmarks/weak-map-key.js:
2239         * microbenchmarks/weak-set-key.js: Copied from JSTests/microbenchmarks/weak-map-key.js.
2240         (assert):
2241         (objectKey):
2242         (let.start.Date.now):
2243         * stress/basic-weakmap.js: Added.
2244         (shouldBe):
2245         (test):
2246         * stress/basic-weakset.js: Added.
2247         (shouldBe):
2248         (test.set new):
2249         * stress/weakmap-cse-set-break.js: Added.
2250         (shouldBe):
2251         (test):
2252         * stress/weakmap-cse.js: Added.
2253         (shouldBe):
2254         (test):
2255         * stress/weakmap-gc.js: Added.
2256         (test):
2257         * stress/weakset-cse-add-break.js: Added.
2258         (shouldBe):
2259         (test.set new):
2260         * stress/weakset-cse.js: Added.
2261         (shouldBe):
2262         (test.set new):
2263         * stress/weakset-gc.js: Added.
2264         (test.set add):
2265         (test.set new):
2266         (test):
2267
2268 2017-12-12  Saam Barati  <sbarati@apple.com>
2269
2270         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
2271         https://bugs.webkit.org/show_bug.cgi?id=180723
2272         <rdar://problem/35859726>
2273
2274         Reviewed by JF Bastien.
2275
2276         * stress/get-my-argument-by-val-constant-folding.js: Added.
2277         (test):
2278         (catch):
2279
2280 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
2281
2282         [ESNext][BigInt] Implement BigInt literals and JSBigInt
2283         https://bugs.webkit.org/show_bug.cgi?id=179000
2284
2285         Reviewed by Darin Adler and Yusuke Suzuki.
2286
2287         * bigIntTests.yaml: Added.
2288         * stress/big-int-literal-line-terminator.js: Added.
2289         * stress/big-int-literals.js: Added.
2290         * stress/big-int-operations-error.js: Added.
2291         * stress/big-int-type-of.js: Added.
2292         * stress/big-int-white-space-trailing-leading.js: Added.
2293         * stress/big-int-function-apply.js: Added.
2294
2295 2017-12-11  Saam Barati  <sbarati@apple.com>
2296
2297         We need to disableCaching() in ErrorInstance when we materialize properties
2298         https://bugs.webkit.org/show_bug.cgi?id=180343
2299         <rdar://problem/35833002>
2300
2301         Reviewed by Mark Lam.
2302
2303         * stress/disable-caching-when-lazy-materializing-error-property-on-put.js: Added.
2304         (assert):
2305         (makeError):
2306         (storeToStack):
2307         (storeToStackAlreadyMaterialized):
2308
2309 2017-12-05  JF Bastien  <jfbastien@apple.com>
2310
2311         WebAssembly: don't eagerly checksum
2312         https://bugs.webkit.org/show_bug.cgi?id=180441
2313         <rdar://problem/35156628>
2314
2315         Reviewed by Saam Barati.
2316
2317         Checksum is now disabled, so tests only have <?> as the module
2318         name.
2319
2320         * wasm/function-tests/nameSection.js:
2321         * wasm/function-tests/stack-overflow.js:
2322         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2323         (assertOverflows.assertThrows):
2324         (assertOverflows):
2325         * wasm/function-tests/stack-trace.js:
2326
2327 2017-12-04  JF Bastien  <jfbastien@apple.com>
2328
2329         Proxy all functions, except the $ objects
2330         https://bugs.webkit.org/show_bug.cgi?id=180375
2331
2332         Reviewed by Saam Barati.
2333
2334         It looks like this test may have broken some executions because I
2335         call some internal objects. Explicitly ignore objects whose name
2336         starts with "$" because it's a bad idea anyways.
2337
2338         * stress/proxy-all-the-parameters.js:
2339         (generateObjects):
2340         (get throw):
2341
2342 2017-12-04  Saam Barati  <sbarati@apple.com>
2343
2344         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2345         https://bugs.webkit.org/show_bug.cgi?id=180366
2346         <rdar://problem/35685877>
2347
2348         Reviewed by Michael Saboff.
2349
2350         * stress/ftl-tail-call-throw-exception-from-slow-path-recover-stack-values.js: Added.
2351         (theParent):
2352         (test1.base.getParentStaticValue):
2353         (test1.base):
2354         (test1.__v_24888.prototype.set prop):
2355         (test1.__v_24888):
2356         (test2.base.getParentStaticValue):
2357         (test2.base):
2358         (test2.__v_24888.prototype.set prop):
2359         (test2.__v_24888):
2360         (test2):
2361
2362 2017-12-01  JF Bastien  <jfbastien@apple.com>
2363
2364         Try proxying all function arguments
2365         https://bugs.webkit.org/show_bug.cgi?id=180306
2366
2367         Reviewed by Saam Barati.
2368
2369         * stress/proxy-all-the-parameters.js: Added.
2370         (isPropertyOfType):
2371         (getProperties):
2372         (generateObjects):
2373         (getObjects):
2374         (getFunctions):
2375         (get throw):
2376         (let.o.of.getObjects.let.f.of.getFunctions.catch):
2377
2378 2017-12-01  JF Bastien  <jfbastien@apple.com>
2379
2380         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2381         https://bugs.webkit.org/show_bug.cgi?id=180297
2382         <rdar://problem/35745556>
2383
2384         Reviewed by Mark Lam.
2385
2386         * stress/math-exceptions.js: Added.
2387         (get try):
2388         (catch):
2389
2390 2017-12-01  JF Bastien  <jfbastien@apple.com>
2391
2392         JavaScriptCore: add test for weird class static getters
2393         https://bugs.webkit.org/show_bug.cgi?id=180281
2394         <rdar://problem/35592139>
2395
2396         Reviewed by Mark Lam.
2397
2398         I fixed a bug for it in r224927 and didn't add a test. Do so.
2399
2400         * stress/class-static-get-weird.js: Added.
2401         (c.prototype.get name):
2402         (c):
2403         (c.prototype.get arguments):
2404         (c.prototype.get caller):
2405         (c.prototype.get length):
2406
2407 2017-12-01  Saam Barati  <sbarati@apple.com>
2408
2409         Having a bad time needs to handle ArrayClass indexing type as well
2410         https://bugs.webkit.org/show_bug.cgi?id=180274
2411         <rdar://problem/35667869>
2412
2413         Reviewed by Keith Miller and Mark Lam.
2414
2415         * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
2416         (assert):
2417         * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
2418         (assert):
2419
2420 2017-12-01  JF Bastien  <jfbastien@apple.com>
2421
2422         WebAssembly: restore cached stack limit after out-call
2423         https://bugs.webkit.org/show_bug.cgi?id=179106
2424         <rdar://problem/35337525>
2425
2426         Reviewed by Saam Barati.
2427
2428         * wasm/function-tests/double-instance.js: Added.
2429         (const.imp.boom):
2430         (const.imp.get callAnother):
2431
2432 2017-11-30  JF Bastien  <jfbastien@apple.com>
2433
2434         WebAssembly: improve stack trace
2435         https://bugs.webkit.org/show_bug.cgi?id=179343
2436
2437         Reviewed by Saam Barati.
2438
2439         Update the tests to follow the new format. Notably, SHA1 module
2440         hash is now included in traces, and stubs are properly identified.
2441
2442         * wasm/assert.js: Add an assertion which matches regular expressions.
2443         * wasm/function-tests/nameSection.js:
2444         * wasm/function-tests/stack-overflow.js:
2445         (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.assertOverflows):
2446         (assertOverflows.assertThrows.wasm.1):
2447         (assertOverflows.assertThrows.wasm.0):
2448         (assertOverflows.assertThrows):
2449         (assertOverflows):
2450         * wasm/function-tests/stack-trace.js:
2451         (import.Builder.from.string_appeared_here.assert): Deleted.
2452         * wasm/function-tests/trap-after-cross-instance-call.js:
2453         (wasmFrameCountFromError):
2454         * wasm/function-tests/trap-load-2.js:
2455         (wasmFrameCountFromError):
2456         * wasm/function-tests/trap-load.js:
2457         (wasmFrameCountFromError):
2458
2459 2017-11-30  Mark Lam  <mark.lam@apple.com>
2460
2461         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2462         https://bugs.webkit.org/show_bug.cgi?id=180219
2463         <rdar://problem/35696536>
2464
2465         Reviewed by Filip Pizlo.
2466
2467         * stress/regress-180219.js: Added.
2468
2469 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2470
2471         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2472         https://bugs.webkit.org/show_bug.cgi?id=180190
2473
2474         Reviewed by Mark Lam.
2475
2476         * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
2477         (shouldBe):
2478         (test1):
2479         * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
2480         (shouldBe):
2481         (test1):
2482         * stress/operation-in-may-have-negative-int32-double-array.js: Added.
2483         (shouldBe):
2484         (test1):
2485         * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
2486         (shouldBe):
2487         (test1):
2488         * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
2489         (shouldBe):
2490         (test1):
2491         * stress/operation-in-may-have-negative-int32.js: Added.
2492         (shouldBe):
2493         (test2):
2494         * stress/operation-in-negative-int32-cast.js: Added.
2495         (shouldBe):
2496         (test1):
2497
2498 2017-11-28  JF Bastien  <jfbastien@apple.com>
2499
2500         Strict and sloppy functions shouldn't share structure
2501         https://bugs.webkit.org/show_bug.cgi?id=180103
2502         <rdar://problem/35667847>
2503
2504         Reviewed by Saam Barati.
2505
2506         * stress/get-by-id-strict-arguments.js: Added. Used to not throw
2507         because the IC was wrong.
2508         (foo):
2509         (bar):
2510         (baz):
2511         (catch):
2512         * stress/get-by-id-strict-callee.js: Added. Not strictly necessary
2513         in this patch, but may as well test odd strict mode corner cases.
2514         (bar):
2515         (baz):
2516         (catch):
2517         * stress/get-by-id-strict-caller.js: Added. Also IC'd wrong.
2518         (foo):
2519         (bar):
2520         (baz):
2521         (catch):
2522         * stress/get-by-id-strict-nested-arguments-2.js: Added. Same as
2523         next file, but with invalidation of the FunctionExecutable's
2524         singletonFunction() to hit SpeculativeJIT::compileNewFunction's
2525         slower path.
2526         (foo):
2527         (bar.const.x):
2528         (bar.const.y):
2529         (bar):
2530         (catch):
2531         * stress/get-by-id-strict-nested-arguments.js: Added. Make sure
2532         strict nesting works correctly.
2533         (foo):
2534         (bar.baz):
2535         (bar):
2536         * stress/strict-function-structure.js: Added. The test used to
2537         assert in objectProtoFuncHasOwnProperty.
2538         (foo):
2539         (bar):
2540         (baz):
2541         * stress/strict-nested-function-structure.js: Added. Nesting.
2542         (foo):
2543         (bar):
2544         (baz.boo):
2545         (baz):
2546
2547 2017-11-29  Robin Morisset  <rmorisset@apple.com>
2548
2549         The recursive tail call optimisation is wrong on closures
2550         https://bugs.webkit.org/show_bug.cgi?id=179835
2551
2552         Reviewed by Saam Barati.
2553
2554         * stress/closure-recursive-tail-call.js: Added.
2555         (makeClosure):
2556
2557 2017-11-27  JF Bastien  <jfbastien@apple.com>
2558
2559         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
2560         https://bugs.webkit.org/show_bug.cgi?id=180051
2561         <rdar://problem/35614371>
2562
2563         Reviewed by Saam Barati.
2564
2565         * stress/rest-parameter-negative.js: Added.
2566         (__f_5484):
2567         (catch):
2568         (__f_5485):
2569         (__v_22598.catch):
2570
2571 2017-11-27  Saam Barati  <sbarati@apple.com>
2572
2573         Spread can escape when CreateRest does not
2574         https://bugs.webkit.org/show_bug.cgi?id=180057
2575         <rdar://problem/35676119>
2576
2577         Reviewed by JF Bastien.
2578
2579         * stress/spread-escapes-but-create-rest-does-not.js: Added.
2580         (assert):
2581         (getProperties):
2582         (theFunc):
2583         (let.obj.valueOf):
2584
2585 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2586
2587         [DFG] Add NormalizeMapKey DFG IR
2588         https://bugs.webkit.org/show_bug.cgi?id=179912
2589
2590         Reviewed by Saam Barati.
2591
2592         * stress/map-untyped-normalize-cse.js: Added.
2593         (shouldBe):
2594         (test):
2595         * stress/map-untyped-normalize.js: Added.
2596         (shouldBe):
2597         (test):
2598         * stress/set-untyped-normalize-cse.js: Added.
2599         (shouldBe):
2600         (set return.set has.set has):
2601         * stress/set-untyped-normalize.js: Added.
2602         (shouldBe):
2603         (set return.set has):
2604
2605 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2606
2607         [FTL] Support DeleteById and DeleteByVal
2608         https://bugs.webkit.org/show_bug.cgi?id=180022
2609
2610         Reviewed by Saam Barati.
2611
2612         * stress/delete-by-id.js: Added.
2613         (shouldBe):
2614         (test1):
2615         (test2):
2616         * stress/delete-by-val-ftl.js: Added.
2617         (shouldBe):
2618         (test1):
2619         (test2):
2620
2621 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2622
2623         [DFG] Introduce {Set,Map,WeakMap}Fields
2624         https://bugs.webkit.org/show_bug.cgi?id=179925
2625
2626         Reviewed by Saam Barati.
2627
2628         * stress/map-set-clobber-map-get.js: Added.
2629         (shouldBe):
2630         (test):
2631         * stress/map-set-does-not-clobber-set-has.js: Added.
2632         (shouldBe):
2633         * stress/map-set-does-not-clobber-weak-map-get.js: Added.
2634         (shouldBe):
2635         (test):
2636         * stress/set-add-clobber-set-has.js: Added.
2637         (shouldBe):
2638         * stress/set-add-does-not-clobber-map-get.js: Added.
2639         (shouldBe):
2640
2641 2017-11-24  Mark Lam  <mark.lam@apple.com>
2642
2643         Move unsafe jsc shell test functions to the $vm object.
2644         https://bugs.webkit.org/show_bug.cgi?id=179980
2645
2646         Reviewed by Yusuke Suzuki.
2647
2648         * controlFlowProfiler/driver/driver.js:
2649         * controlFlowProfiler/execution-count.js:
2650         * controlFlowProfiler/if-statement.js:
2651         * controlFlowProfiler/loop-statements.js:
2652         * controlFlowProfiler/switch-statements.js:
2653         * controlFlowProfiler/test-jit.js:
2654         * exceptionFuzz/3d-cube.js:
2655         * exceptionFuzz/date-format-xparb.js:
2656         * exceptionFuzz/earley-boyer.js:
2657         * heapProfiler/basic-edges.js:
2658         * heapProfiler/property-edge-types.js:
2659         * microbenchmarks/try-get-by-id-basic.js:
2660         * microbenchmarks/try-get-by-id-polymorphic.js:
2661         * modules/namespace-object-try-get.js:
2662         * stress/argument-count-bytecode.js:
2663         * stress/argument-intrinsic-basic.js:
2664         * stress/argument-intrinsic-inlining-use-caller-arg.js:
2665         * stress/argument-intrinsic-inlining-with-result-escape.js:
2666         * stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
2667         * stress/argument-intrinsic-inlining-with-vararg.js:
2668         * stress/argument-intrinsic-nested-inlining.js:
2669         * stress/argument-intrinsic-not-convert-to-get-argument.js:
2670         * stress/argument-intrinsic-with-stack-write.js:
2671         * stress/arity-mismatch-get-argument.js:
2672         * stress/array-message-passing.js:
2673         * stress/array-push-with-force-exit.js:
2674         * stress/check-dom-with-signature.js:
2675         * stress/check-sub-class.js:
2676         * stress/compare-eq-incomplete-profile.js:
2677         * stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
2678         * stress/do-eval-virtual-call-correctly.js:
2679         * stress/dom-jit-with-poly-proto.js:
2680         * stress/domjit-exception-ic.js:
2681         * stress/domjit-exception.js:
2682         * stress/domjit-getter-complex-with-incorrect-object.js:
2683         * stress/domjit-getter-complex.js:
2684         * stress/domjit-getter-poly.js:
2685         * stress/domjit-getter-proto.js:
2686         * stress/domjit-getter-super-poly.js:
2687         * stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
2688         * stress/domjit-getter-type-check.js:
2689         * stress/domjit-getter.js:
2690         * stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
2691         * stress/for-in-proxy-target-changed-structure.js:
2692         * stress/for-in-proxy.js:
2693         * stress/generational-opaque-roots.js:
2694         * stress/global-const-redeclaration-setting-2.js:
2695         * stress/global-const-redeclaration-setting-3.js:
2696         * stress/global-const-redeclaration-setting-4.js:
2697         * stress/global-const-redeclaration-setting-5.js:
2698         * stress/global-const-redeclaration-setting.js:
2699         * stress/import-basic.js:
2700         * stress/import-from-eval.js:
2701         * stress/import-reject-with-exception.js:
2702         * stress/import-syntax.js:
2703         * stress/impure-get-own-property-slot-inline-cache.js:
2704         * stress/is-constructor.js:
2705         * stress/istypedarrayview-intrinsic.js:
2706         * stress/jsc-setImpureGetterDelegate-on-bad-type.js:
2707         * stress/jsc-test-functions-should-be-more-robust.js:
2708         * stress/object-toString-with-proxy.js:
2709         * stress/poly-proto-custom-value-and-accessor.js:
2710         * stress/proxy-inline-cache.js:
2711         * stress/re-execute-error-module.js:
2712         * stress/regress-150532.js:
2713         * stress/regress-156992.js:
2714         * stress/regress-179619.js:
2715         * stress/resources/shadow-chicken-support.js:
2716         * stress/runtime-array.js:
2717         * stress/sampling-profiler-microtasks.js:
2718         * stress/shadow-chicken-enabled.js:
2719         * stress/spread-correct-global-object-on-exception.js:
2720         * stress/super-get-by-id.js:
2721         * stress/tailCallForwardArguments.js:
2722         * stress/to-object-intrinsic-boolean-edge.js:
2723         * stress/to-object-intrinsic-null-or-undefined-edge.js:
2724         * stress/to-object-intrinsic-number-edge.js:
2725         * stress/to-object-intrinsic-object-edge.js:
2726         * stress/to-object-intrinsic-string-edge.js:
2727         * stress/to-object-intrinsic-symbol-edge.js:
2728         * stress/to-object-intrinsic.js:
2729         * stress/try-catch-custom-getter-as-get-by-id.js:
2730         * stress/try-get-by-id-poly-proto.js:
2731         * stress/try-get-by-id-should-spill-registers-dfg.js:
2732         * stress/try-get-by-id.js:
2733         * typeProfiler/arrow-functions.js:
2734         * typeProfiler/basic.js:
2735         * typeProfiler/captured.js:
2736         * typeProfiler/classes.js:
2737         * typeProfiler/dfg-jit-optimizations.js:
2738         * typeProfiler/dictionary-mode.js:
2739         * typeProfiler/es6-block-scoping.js:
2740         * typeProfiler/es6-classes.js:
2741         * typeProfiler/inheritance.js:
2742         * typeProfiler/int52-dfg.js:
2743         * typeProfiler/loop.js:
2744         * typeProfiler/optional-fields.js:
2745         * typeProfiler/overflow.js:
2746         * typeProfiler/return.js:
2747         * typeProfiler/symbol.js:
2748         * typeProfiler/weird-prototype-chain.js:
2749
2750 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2751
2752         [DFG][FTL] Support MapSet / SetAdd intrinsics
2753         https://bugs.webkit.org/show_bug.cgi?id=179858
2754
2755         Reviewed by Saam Barati.
2756
2757         * microbenchmarks/map-has-and-set.js: Added.
2758         (test):
2759         * stress/map-set-check-failure.js: Added.
2760         (shouldBe):
2761         (shouldThrow):
2762         (target):
2763         * stress/map-set-cse.js: Added.
2764         (shouldBe):
2765         (test):
2766         * stress/set-add-check-failure.js: Added.
2767         (shouldBe):
2768         (shouldThrow):
2769         (set shouldThrow):
2770         * stress/set-add-cse.js: Added.
2771         (shouldBe):
2772
2773 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2774
2775         [JSC] Allow poly proto for intrinsic getters
2776         https://bugs.webkit.org/show_bug.cgi?id=179550
2777
2778         Reviewed by Saam Barati.
2779
2780         This change is also tested by existing tests.
2781
2782             1. stress/intrinsic-getter-with-poly-proto.js
2783             2. stress/poly-proto-intrinsic-getter-correctness.js
2784
2785         * stress/intrinsic-getter-with-poly-proto-getter-change.js: Added.
2786         (shouldBe):
2787         (makePolyProtoObject.foo.C):
2788         (makePolyProtoObject.foo):
2789         (makePolyProtoObject):
2790         (target):
2791         * stress/intrinsic-getter-with-poly-proto-proto-change.js: Added.
2792         (shouldBe):
2793         (makePolyProtoObject.foo.C):
2794         (makePolyProtoObject.foo):
2795         (makePolyProtoObject):
2796         (target):
2797
2798 2017-11-20  Guillaume Emont  <guijemont@igalia.com>
2799
2800         Skip stress/unshiftCountSlowCase-correct-postCapacity.js on embedded Linux
2801         https://bugs.webkit.org/show_bug.cgi?id=179744
2802
2803         Reviewed by Michael Catanzaro.
2804
2805         This test uses too much memory for our buildbots on these platforms
2806         and gets OOM-killed.
2807
2808         * stress/unshiftCountSlowCase-correct-postCapacity.js:
2809         Skip if $memoryLimited and linux.
2810
2811 2017-11-17  JF Bastien  <jfbastien@apple.com>
2812
2813         WebAssembly JS API: throw when a promise can't be created
2814         https://bugs.webkit.org/show_bug.cgi?id=179826
2815         <rdar://problem/35455813>
2816
2817         Reviewed by Mark Lam.
2818
2819         Test WebAssembly.{compile,instantiate} where promise creation
2820         fails because of a stack overflow.
2821
2822         * wasm/js-api/promise-stack-overflow.js: Added.
2823         (const.runNearStackLimit.f.const.t):
2824         (async.testCompile):
2825         (async.testInstantiate):
2826
2827 2017-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2828
2829         Unreviewed, mark regress-178385.js as memory exhausting
2830
2831         * stress/regress-178385.js:
2832
2833 2017-11-16  Ryan Haddad  <ryanhaddad@apple.com>
2834
2835         Mark test262/test/language/statements/class/definition/fn-name-static-precedence.js as passing after r224927.
2836
2837         Unreviewed test gardening.
2838
2839         * test262.yaml:
2840
2841 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2842
2843         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2844         https://bugs.webkit.org/show_bug.cgi?id=179763
2845         <rdar://problem/35550513>
2846
2847         Reviewed by Keith Miller.
2848
2849         Just adding a slightly cleaned-up version of the original fuzzer-found test.
2850
2851         * stress/tdz-this-in-try-catch.js: Added.
2852         (__v_6388):
2853         (__v_6392):
2854
2855 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2856
2857         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2858         https://bugs.webkit.org/show_bug.cgi?id=179594
2859
2860         Reviewed by Saam Barati.
2861
2862         * stress/direct-arguments-in-bounds-to-out-of-bounds.js: Added.
2863         (shouldBe):
2864         (args):
2865         * stress/direct-arguments-out-of-bounds-watchpoint.js: Added.
2866         (shouldBe):
2867         (args):
2868
2869 2017-11-14  Saam Barati  <sbarati@apple.com>
2870
2871         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2872         https://bugs.webkit.org/show_bug.cgi?id=179639
2873         <rdar://problem/35513018>
2874
2875         Reviewed by JF Bastien.
2876
2877         * wasm/function-tests/grow-memory-cause-gc.js: Added.
2878         (escape):
2879         (i.func):
2880
2881 2017-11-13  Mark Lam  <mark.lam@apple.com>
2882
2883         Add more overflow check book-keeping for MarkedArgumentBuffer.
2884         https://bugs.webkit.org/show_bug.cgi?id=179634
2885         <rdar://problem/35492517>
2886
2887         Reviewed by Saam Barati.
2888
2889         * stress/regress-179634.js: Added.
2890
2891 2017-11-13  Mark Lam  <mark.lam@apple.com>
2892
2893         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2894         https://bugs.webkit.org/show_bug.cgi?id=179619
2895         <rdar://problem/35492518>
2896
2897         Reviewed by Saam Barati.
2898
2899         * stress/regress-179619.js: Added.
2900
2901 2017-11-12  Mark Lam  <mark.lam@apple.com>
2902
2903         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2904         https://bugs.webkit.org/show_bug.cgi?id=179562
2905         <rdar://problem/35467022>
2906
2907         Reviewed by Saam Barati.
2908
2909         * regress-179562.js: Added.
2910
2911 2017-11-08  Saam Barati  <sbarati@apple.com>
2912
2913         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2914         https://bugs.webkit.org/show_bug.cgi?id=177792
2915
2916         Reviewed by Yusuke Suzuki.
2917
2918         * microbenchmarks/poly-proto-clear-js-function-allocation-profile.js: Added.
2919         (assert):
2920         (foo.Foo.prototype.ensureX):
2921         (foo.Foo):
2922         (foo):
2923         (access):
2924
2925 2017-11-08  Ryan Haddad  <ryanhaddad@apple.com>
2926
2927         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
2928         https://bugs.webkit.org/show_bug.cgi?id=178592
2929
2930         Unreviewed test gardening.
2931
2932         * test262.yaml:
2933
2934 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2935
2936         Turn recursive tail calls into loops
2937         https://bugs.webkit.org/show_bug.cgi?id=176601
2938
2939         Reviewed by Saam Barati.
2940
2941         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2942
2943         Add some simple test that computes factorial in several ways, and other trivial computations.
2944         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
2945         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
2946         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
2947         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
2948
2949         * stress/inline-call-to-recursive-tail-call.js: Added.
2950         (factorial.aux):
2951         (factorial):
2952         (factorial2.aux2):
2953         (factorial2.id):
2954         (factorial2):
2955         (factorial3.aux3):
2956         (factorial3):
2957         (aux4):
2958         (factorial4):
2959         (foo):
2960         (auxBar):
2961         (bar):
2962         (test):
2963
2964 2017-11-07  Mark Lam  <mark.lam@apple.com>
2965
2966         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2967         https://bugs.webkit.org/show_bug.cgi?id=179355
2968         <rdar://problem/35263053>
2969
2970         Reviewed by Saam Barati.
2971
2972         * stress/regress-179355.js: Added.
2973
2974 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2975
2976         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2977         https://bugs.webkit.org/show_bug.cgi?id=144458
2978
2979         Reviewed by Saam Barati.
2980
2981         * microbenchmarks/dfg-internal-function-call.js: Added.
2982         (target):
2983         * microbenchmarks/dfg-internal-function-construct.js: Added.
2984         (target):
2985         * microbenchmarks/dfg-internal-function-not-handled-call.js: Added.
2986         (target):
2987         * microbenchmarks/dfg-internal-function-not-handled-construct.js: Added.
2988         (target):
2989         * stress/dfg-internal-function-call.js: Added.
2990         (shouldBe):
2991         (target):
2992         * stress/dfg-internal-function-construct.js: Added.
2993         (shouldBe):
2994         (target):
2995         * stress/internal-function-call.js: Added.
2996         (shouldBe):
2997         * stress/internal-function-construct.js: Added.
2998         (shouldBe):
2999
3000 2017-11-05  Per Arne Vollan  <pvollan@apple.com>
3001
3002         [Win] Skip stress/regress-178385.js.
3003         https://bugs.webkit.org/show_bug.cgi?id=179298
3004
3005         Unreviewed test gardening.
3006
3007         * stress/regress-178385.js:
3008
3009 2017-11-03  Keith Miller  <keith_miller@apple.com>
3010
3011         Add test for ic with side effects
3012         https://bugs.webkit.org/show_bug.cgi?id=179268
3013
3014         Reviewed by Saam Barati.
3015
3016         * stress/put-inline-cache-side-effects.js: Added.
3017         (let.i.of.objs.keys):
3018         (f):
3019
3020 2017-11-03  Mark Lam  <mark.lam@apple.com>
3021
3022         CachedCall (and its clients) needs overflow checks.
3023         https://bugs.webkit.org/show_bug.cgi?id=179185
3024
3025         Reviewed by JF Bastien.
3026
3027         * stress/regress-179185.js: Added.
3028
3029 2017-11-02  Michael Saboff  <msaboff@apple.com>
3030
3031         DFG needs to handle code motion of code in for..in loop bodies
3032         https://bugs.webkit.org/show_bug.cgi?id=179212
3033
3034         Reviewed by Keith Miller.
3035
3036         New regression test.
3037
3038         * stress/for-in-side-effects.js: Added.
3039         (getPrototypeOf):
3040         (reset):
3041         (testWithoutFTL.f):
3042         (testWithoutFTL):
3043         (testWithFTL.f):
3044         (testWithFTL):
3045
3046 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3047
3048         AI does not correctly model the clobber case of ArithClz32
3049         https://bugs.webkit.org/show_bug.cgi?id=179188
3050
3051         Reviewed by Michael Saboff.
3052
3053         * stress/arith-clz32-effects.js: Added.
3054         (foo):
3055         (valueOf):
3056
3057 2017-11-01  Michael Saboff  <msaboff@apple.com>
3058
3059         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3060         https://bugs.webkit.org/show_bug.cgi?id=179140
3061
3062         Reviewed by Saam Barati.
3063
3064         New regression test.
3065
3066         * stress/regress-179140.js: Added.
3067         (testWithoutFTL):
3068         (testWithFTL):
3069
3070 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3071
3072         [JSC] Introduce @toObject
3073         https://bugs.webkit.org/show_bug.cgi?id=178726
3074
3075         Reviewed by Saam Barati.
3076
3077         * stress/array-copywithin.js:
3078         (shouldThrow):
3079         * stress/object-constructor-boolean-edge.js: Added.
3080         (shouldBe):
3081         (test):
3082         * stress/object-constructor-global.js: Added.
3083         (shouldBe):
3084         * stress/object-constructor-null-edge.js: Added.
3085         (shouldBe):
3086         (test):
3087         * stress/object-constructor-number-edge.js: Added.
3088         (shouldBe):
3089         (test):
3090         * stress/object-constructor-object-edge.js: Added.
3091         (shouldBe):
3092         (test):
3093         (i.arg):
3094         * stress/object-constructor-string-edge.js: Added.
3095         (shouldBe):
3096         (test):
3097         * stress/object-constructor-symbol-edge.js: Added.
3098         (shouldBe):
3099         (test):
3100         * stress/object-constructor-undefined-edge.js: Added.
3101         (shouldBe):
3102         (test):
3103         * stress/symbol-array-from.js: Added.
3104         (shouldBe):
3105         * stress/to-object-intrinsic-boolean-edge.js: Added.
3106         (shouldBe):
3107         (builtin.createBuiltin):
3108         * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
3109         (shouldThrow):
3110         * stress/to-object-intrinsic-number-edge.js: Added.
3111         (shouldBe):
3112         (builtin.createBuiltin):
3113         * stress/to-object-intrinsic-object-edge.js: Added.
3114         (shouldBe):
3115         (builtin.createBuiltin):
3116         (i.arg):
3117         * stress/to-object-intrinsic-string-edge.js: Added.
3118         (shouldBe):
3119         (builtin.createBuiltin):
3120         * stress/to-object-intrinsic-symbol-edge.js: Added.
3121         (shouldBe):
3122         (builtin.createBuiltin):
3123         * stress/to-object-intrinsic.js: Added.
3124         (shouldBe):
3125         (shouldThrow):
3126         (builtin.createBuiltin):
3127
3128 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3129
3130         [DFG][FTL] Introduce StringSlice
3131         https://bugs.webkit.org/show_bug.cgi?id=178934
3132
3133         Reviewed by Saam Barati.
3134
3135         * microbenchmarks/string-slice-empty.js: Added.
3136         (slice):
3137         * microbenchmarks/string-slice-one-char.js: Added.
3138         (slice):
3139         * microbenchmarks/string-slice.js: Added.
3140         (slice):
3141
3142 2017-10-26  Michael Saboff  <msaboff@apple.com>
3143
3144         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3145         https://bugs.webkit.org/show_bug.cgi?id=178890
3146
3147         Reviewed by Keith Miller.
3148
3149         New regression test.
3150
3151         * stress/regress-178890.js: Added.
3152
3153 2017-10-26  Mark Lam  <mark.lam@apple.com>
3154
3155         JSRopeString::RopeBuilder::append() should check for overflows.
3156         https://bugs.webkit.org/show_bug.cgi?id=178385
3157         <rdar://problem/35027468>
3158
3159         Reviewed by Saam Barati.
3160
3161         * stress/regress-178385.js: Added.
3162
3163 2017-10-26  Ryan Haddad  <ryanhaddad@apple.com>
3164
3165         Unreviewed, rolling out r223961.
3166
3167         The change that required this has been rolled out.
3168
3169         Reverted changeset:
3170
3171         "Mark test262.yaml/test262/test/language/statements/try/tco-
3172         catch.js as passing."
3173         https://bugs.webkit.org/show_bug.cgi?id=178592
3174         https://trac.webkit.org/changeset/223961
3175
3176 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3177
3178         Unreviewed, rolling out r223691 and r223729.
3179         https://bugs.webkit.org/show_bug.cgi?id=178834
3180
3181         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3182         by rniwa on #webkit).
3183
3184         Reverted changesets:
3185
3186         "Turn recursive tail calls into loops"
3187         https://bugs.webkit.org/show_bug.cgi?id=176601
3188         https://trac.webkit.org/changeset/223691
3189
3190         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3191         comparison is always false due to limited range of data type
3192         [-Wtype-limits]"
3193         https://bugs.webkit.org/show_bug.cgi?id=178543
3194         https://trac.webkit.org/changeset/223729
3195
3196 2017-10-25  Ryan Haddad  <ryanhaddad@apple.com>
3197
3198         Mark test262.yaml/test262/test/language/statements/try/tco-catch.js as passing.
3199         https://bugs.webkit.org/show_bug.cgi?id=178592
3200
3201         Unreviewed test gardening.
3202
3203         * test262.yaml:
3204
3205 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3206
3207         [FTL] Support NewStringObject
3208         https://bugs.webkit.org/show_bug.cgi?id=178737
3209
3210         Reviewed by Saam Barati.
3211
3212         * stress/new-string-object.js: Added.
3213         (shouldBe):
3214         (test):
3215
3216 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3217
3218         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3219         https://bugs.webkit.org/show_bug.cgi?id=178308
3220
3221         Reviewed by Mark Lam.
3222
3223         * test262.yaml:
3224
3225 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3226
3227         [JSC] Use fastJoin in Array#toString
3228         https://bugs.webkit.org/show_bug.cgi?id=178062
3229
3230         Reviewed by Darin Adler.
3231
3232         * microbenchmarks/contiguous-array-to-string.js: Added.
3233         (target):
3234         * microbenchmarks/double-array-to-string.js: Added.
3235         (target):
3236         * microbenchmarks/int32-array-to-string.js: Added.
3237         (target):
3238
3239 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3240
3241         stress/check-string-ident.js is improperly skipped
3242         https://bugs.webkit.org/show_bug.cgi?id=178642
3243
3244         Reviewed by Saam Barati.
3245
3246         * stress/check-string-ident.js: Drop the defaultNoEagerRun directive
3247         since it enforces the run-jsc-stress-tests script to still set up the
3248         test to run, despite the skip directive that's used before.
3249
3250 2017-10-20  Mark Lam  <mark.lam@apple.com>
3251
3252         Add a test case for r214334.
3253         https://bugs.webkit.org/show_bug.cgi?id=169941
3254         <rdar://problem/31221258>
3255
3256         Reviewed by JF Bastien.
3257
3258         * stress/regress-169941.js: Added.
3259
3260 2017-10-19  JF Bastien  <jfbastien@apple.com>
3261
3262         WebAssembly: no VM / JS version of everything but Instance
3263         https://bugs.webkit.org/show_bug.cgi?id=177473
3264
3265         Reviewed by Filip Pizlo, Saam Barati.
3266
3267         - Exceeding max on memory growth now returns a range error as per
3268         spec. This is a (very minor) breaking change: it used to throw OOM
3269         error. Update the corresponding test.
3270
3271         * wasm/js-api/memory-grow.js:
3272         (assertEq):
3273         * wasm/js-api/table.js:
3274         (assert.throws):
3275
3276 2017-10-19  Mark Lam  <mark.lam@apple.com>
3277
3278         Stringifier::appendStringifiedValue() is missing an exception check.
3279         https://bugs.webkit.org/show_bug.cgi?id=178386
3280         <rdar://problem/35027610>
3281
3282         Reviewed by Saam Barati.
3283
3284         * stress/regress-178386.js: Added.
3285
3286 2017-10-19  Michael Saboff  <msaboff@apple.com>
3287
3288         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
3289         https://bugs.webkit.org/show_bug.cgi?id=178521
3290
3291         Reviewed by JF Bastien.
3292
3293         * test262.yaml: Enabled test262/test/built-ins/RegExp/property-escapes/generated/Emoji_Component.js as it
3294         now passes with the current version (5.0) of the Emoji spec.
3295
3296 2017-10-19  Robin Morisset  <rmorisset@apple.com>
3297
3298         Turn recursive tail calls into loops
3299         https://bugs.webkit.org/show_bug.cgi?id=176601
3300
3301         Reviewed by Saam Barati.
3302
3303         Add some simple test that computes factorial in several ways, and other trivial computations.
3304         They all tests the case where foo calls bar (in an inlineable way) that then does a tail call.
3305         Depending on the nature of both calls, it is possible or not to turn the tail call into a loop.
3306         I have no clear way of checking that the call was indeed transformed, but I can check that the code computes the right result
3307         (which it doesn't if that tail call is transformed into a loop in the unsound cases).
3308
3309         * stress/inline-call-to-recursive-tail-call.js: Added.
3310         (factorial.aux):
3311         (factorial):
3312         (factorial2.aux):
3313         (factorial2.id):
3314         (factorial2):
3315         (factorial3.aux):
3316         (factorial3):
3317         (aux):
3318         (factorial4):
3319         (test):
3320
3321 2017-10-18  Mark Lam  <mark.lam@apple.com>
3322
3323         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
3324         https://bugs.webkit.org/show_bug.cgi?id=177600
3325         <rdar://problem/34710985>
3326
3327         Reviewed by Saam Barati.
3328
3329         * stress/regress-177600.js: Added.
3330
3331 2017-10-18  Mark Lam  <mark.lam@apple.com>
3332
3333         The compiler should always register a structure when it adds its transitionWatchPointSet.
3334         https://bugs.webkit.org/show_bug.cgi?id=178420
3335         <rdar://problem/34814024>
3336
3337         Reviewed by Saam Barati and Filip Pizlo.
3338
3339         * stress/regress-178420.js: Added.
3340         (new.Array.10000.map):
3341
3342 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3343
3344         [JSC] __proto__ getter should be fast
3345         https://bugs.webkit.org/show_bug.cgi?id=178067
3346
3347         Reviewed by Saam Barati.
3348
3349         * stress/dfg-object-proto-accessor.js: Added.
3350         (shouldBe):
3351         (shouldThrow):
3352         (target):
3353         * stress/dfg-object-proto-getter.js: Added.
3354         (shouldBe):
3355         (shouldThrow):
3356         (target):
3357         * stress/dfg-object-prototype-of.js: Added.
3358         (shouldBe):
3359         (shouldThrow):
3360         (target):
3361         * stress/dfg-reflect-get-prototype-of.js: Added.
3362         (shouldBe):
3363         (shouldThrow):
3364         (target):
3365         * stress/intrinsic-getter-with-poly-proto.js: Added.
3366         (shouldBe):
3367         (makePolyProtoObject.foo.C):
3368         (makePolyProtoObject.foo):
3369         (makePolyProtoObject):
3370         (target):
3371         * stress/object-get-prototype-of-filtered.js: Added.
3372         (shouldBe):
3373         (shouldThrow):
3374         (target):
3375         (i.Cocoa):
3376         * stress/object-get-prototype-of-mono-proto.js: Added.
3377         (shouldBe):
3378         (makePolyProtoObject.foo.C):
3379         (makePolyProtoObject.foo):
3380         (makePolyProtoObject):
3381         (target):
3382         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3383         (shouldBe):
3384         (makePolyProtoObject.foo.C):
3385         (makePolyProtoObject.foo):
3386         (makePolyProtoObject):
3387         (target):
3388         * stress/object-get-prototype-of-poly-proto.js: Added.
3389         (shouldBe):
3390         (makePolyProtoObject.foo.C):
3391         (makePolyProtoObject.foo):
3392         (makePolyProtoObject):
3393         (target):
3394         * stress/object-proto-getter-filtered.js: Added.
3395         (shouldBe):
3396         (shouldThrow):
3397         (target):
3398         (i.Cocoa):
3399         * stress/object-proto-getter-poly-mono-proto.js: Added.
3400         (shouldBe):
3401         (makePolyProtoObject.foo.C):
3402         (makePolyProtoObject.foo):
3403         (makePolyProtoObject):
3404         (target):
3405         * stress/object-proto-getter-poly-proto.js: Added.
3406         (shouldBe):
3407         (makePolyProtoObject.foo.C):
3408         (makePolyProtoObject.foo):
3409         (makePolyProtoObject):
3410         (target):
3411         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3412         * stress/string-proto.js: Added.
3413         (shouldBe):
3414         (target):
3415
3416 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3417
3418         Unreviewed, rolling out r223523.
3419
3420         A test for this change is failing on debug JSC bots.
3421
3422         Reverted changeset:
3423
3424         "[JSC] __proto__ getter should be fast"
3425         https://bugs.webkit.org/show_bug.cgi?id=178067
3426         https://trac.webkit.org/changeset/223523
3427
3428 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3429
3430         [JSC] __proto__ getter should be fast
3431         https://bugs.webkit.org/show_bug.cgi?id=178067
3432
3433         Reviewed by Saam Barati.
3434
3435         * stress/dfg-object-proto-accessor.js: Added.
3436         (shouldBe):
3437         (shouldThrow):
3438         (target):
3439         * stress/dfg-object-proto-getter.js: Added.
3440         (shouldBe):
3441         (shouldThrow):
3442         (target):
3443         * stress/dfg-object-prototype-of.js: Added.
3444         (shouldBe):
3445         (shouldThrow):
3446         (target):
3447         * stress/dfg-reflect-get-prototype-of.js: Added.
3448         (shouldBe):
3449         (shouldThrow):
3450         (target):
3451         * stress/object-get-prototype-of-filtered.js: Added.
3452         (shouldBe):
3453         (shouldThrow):
3454         (target):
3455         (i.Cocoa):
3456         * stress/object-get-prototype-of-mono-proto.js: Added.
3457         (shouldBe):
3458         (makePolyProtoObject.foo.C):
3459         (makePolyProtoObject.foo):
3460         (makePolyProtoObject):
3461         (target):
3462         * stress/object-get-prototype-of-poly-mono-proto.js: Added.
3463         (shouldBe):
3464         (makePolyProtoObject.foo.C):
3465         (makePolyProtoObject.foo):
3466         (makePolyProtoObject):
3467         (target):
3468         * stress/object-get-prototype-of-poly-proto.js: Added.
3469         (shouldBe):
3470         (makePolyProtoObject.foo.C):
3471         (makePolyProtoObject.foo):
3472         (makePolyProtoObject):
3473         (target):
3474         * stress/object-proto-getter-filtered.js: Added.
3475         (shouldBe):
3476         (shouldThrow):
3477         (target):
3478         (i.Cocoa):
3479         * stress/object-proto-getter-poly-mono-proto.js: Added.
3480         (shouldBe):
3481         (makePolyProtoObject.foo.C):
3482         (makePolyProtoObject.foo):
3483         (makePolyProtoObject):
3484         (target):
3485         * stress/object-proto-getter-poly-proto.js: Added.
3486         (shouldBe):
3487         (makePolyProtoObject.foo.C):
3488         (makePolyProtoObject.foo):
3489         (makePolyProtoObject):
3490         (target):
3491         * stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js:
3492         * stress/string-proto.js: Added.
3493         (shouldBe):
3494         (target):
3495
3496 2017-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3497
3498         Reland "Add Above/Below comparisons for UInt32 patterns"
3499         https://bugs.webkit.org/show_bug.cgi?id=177281
3500
3501         Reviewed by Saam Barati.
3502
3503         * stress/uint32-comparison-jump.js: Added.
3504         (shouldBe):
3505         (above):
3506         (aboveOrEqual):
3507         (below):
3508         (belowOrEqual):
3509         (notAbove):
3510         (notAboveOrEqual):
3511         (notBelow):
3512         (notBelowOrEqual):
3513         * stress/uint32-comparison.js: Added.
3514         (shouldBe):
3515         (above):
3516         (aboveOrEqual):
3517         (below):
3518         (belowOrEqual):
3519         (aboveTest):
3520         (aboveOrEqualTest):
3521         (belowTest):
3522         (belowOrEqualTest):
3523
3524 2017-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3525
3526         WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3527         https://bugs.webkit.org/show_bug.cgi?id=178210
3528
3529         Reviewed by Saam Barati.
3530
3531         * wasm/function-tests/trap-from-start-async.js:
3532         (async.StartTrapsAsync):
3533         * wasm/function-tests/trap-from-start.js:
3534         (StartTraps):
3535         * wasm/js-api/web-assembly-function.js:
3536         (assert.eq.Object.getPrototypeOf):
3537         * wasm/js-api/wrapper-function.js:
3538         (return.new.WebAssembly.Module):
3539         (assert.throws.makeInstance): Deleted.
3540         (assert.throws.Bar): Deleted.
3541         (assert.throws): Deleted.
3542
3543 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3544
3545         Enable gigacage on iOS
3546         https://bugs.webkit.org/show_bug.cgi?id=177586
3547
3548         Reviewed by JF Bastien.
3549         
3550         Add tests for when Gigacage gets runtime disabled.
3551
3552         * stress/disable-gigacage-arrays.js: Added.
3553         (foo):
3554         * stress/disable-gigacage-strings.js: Added.
3555         (foo):
3556         * stress/disable-gigacage-typed-arrays.js: Added.
3557         (foo):
3558
3559 2017-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3560
3561         import.meta should not be assignable
3562         https://bugs.webkit.org/show_bug.cgi?id=178202
3563
3564         Reviewed by Saam Barati.
3565
3566         * modules/import-meta-assignment.js: Added.
3567         (shouldThrow):
3568         (SyntaxError.import.meta.can.shouldThrow):
3569
3570 2017-10-11  Saam Barati  <sbarati@apple.com>
3571
3572         Unreviewed. Actually skip certain type profiler tests in debug.
3573
3574         * typeProfiler.yaml:
3575         * typeProfiler/deltablue-for-of.js:
3576         * typeProfiler/getter-richards.js:
3577
3578 2017-10-11  Commit Queue  <commit-queue@webkit.org>
3579
3580         Unreviewed, rolling out r223113 and r223121.
3581         https://bugs.webkit.org/show_bug.cgi?id=178182
3582
3583         Reintroduced 20% regression on Kraken (Requested by rniwa on
3584         #webkit).
3585
3586         Reverted changesets:
3587
3588         "Enable gigacage on iOS"
3589         https://bugs.webkit.org/show_bug.cgi?id=177586
3590         https://trac.webkit.org/changeset/223113
3591
3592         "Use one virtual allocation for all gigacages and their
3593         runways"
3594         https://bugs.webkit.org/show_bug.cgi?id=178050
3595         https://trac.webkit.org/changeset/223121
3596
3597 2017-10-11  Michael Saboff  <msaboff@apple.com>
3598
3599         Disable test262 named capture group tests with direct unicode names and with references before definitions
3600         https://bugs.webkit.org/show_bug.cgi?id=178177
3601
3602         Reviewed by Keith Miller.
3603
3604         Bugs to track fixing these test are:
3605         https://bugs.webkit.org/show_bug.cgi?id=178174 -
3606             "Add support in named capture group identifiers for direct surrogate pairs"
3607         https://bugs.webkit.org/show_bug.cgi?id=178175 -
3608             "Test262 failure with Named Capture Groups - using a reference before the group is defined"
3609
3610         * test262.yaml:
3611
3612 2017-10-11  Caio Lima  <ticaiolima@gmail.com>
3613
3614         Object properties are undefined in super.call() but not in this.call()
3615         https://bugs.webkit.org/show_bug.cgi?id=177230
3616
3617         Reviewed by Saam Barati.
3618
3619         * stress/super-call-function-subclass.js: Added.
3620         (assert):
3621         (A.prototype.t):
3622         (A):
3623         * stress/super-dot-call-and-apply.js: Added.
3624         (assert):
3625         (A):
3626         (A.prototype.call):
3627         (A.prototype.apply):
3628         (B.prototype.testSuper):
3629         (B):
3630         (const.obj.new.B.string_appeared_here.obj.testSuper.C):
3631         (D.prototype.testSuper):
3632         (D):
3633
3634 2017-10-10  Saam Barati  <sbarati@apple.com>
3635
3636         The prototype cache should be aware of the Executable it generates a Structure for
3637         https://bugs.webkit.org/show_bug.cgi?id=177907
3638
3639         Reviewed by Filip Pizlo.
3640
3641         * microbenchmarks/dont-confuse-structures-from-different-executable-as-poly-proto.js: Added.
3642         (assert):
3643         (foo.C):
3644         (foo):
3645         (bar.C):
3646         (bar):
3647         (access):
3648         (makeLongChain):
3649         (accessY):
3650
3651 2017-10-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3652
3653         `async` should be able to be used as an imported binding name
3654         https://bugs.webkit.org/show_bug.cgi?id=176573
3655
3656         Reviewed by Saam Barati.
3657
3658         * modules/import-default-async.js: Added.
3659         * modules/import-named-async-as.js: Added.
3660         * modules/import-named-async.js: Added.
3661         * modules/import-named-async/target.js: Added.
3662         * modules/import-namespace-async.js: Added.
3663         * test262.yaml:
3664
3665 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3666
3667         Enable gigacage on iOS
3668         https://bugs.webkit.org/show_bug.cgi?id=177586
3669
3670         Reviewed by JF Bastien.
3671         
3672         Add tests for when Gigacage gets runtime disabled.
3673
3674         * stress/disable-gigacage-arrays.js: Added.
3675         (foo):
3676         * stress/disable-gigacage-strings.js: Added.
3677         (foo):
3678         * stress/disable-gigacage-typed-arrays.js: Added.
3679         (foo):
3680
3681 2017-10-09  Michael Saboff  <msaboff@apple.com>
3682
3683         Implement RegExp Unicode property escapes
3684         https://bugs.webkit.org/show_bug.cgi?id=172069
3685
3686         Reviewed by JF Bastien.
3687
3688         Enabled Unicode Property tests.
3689
3690         * test262.yaml:
3691
3692 2017-10-09  Commit Queue  <commit-queue@webkit.org>
3693
3694         Unreviewed, rolling out r223015 and r223025.
3695         https://bugs.webkit.org/show_bug.cgi?id=178093
3696
3697         Regressed Kraken on iOS by 20% (Requested by keith_mi_ on
3698         #webkit).
3699
3700         Reverted changesets:
3701
3702         "Enable gigacage on iOS"
3703         https://bugs.webkit.org/show_bug.cgi?id=177586
3704         http://trac.webkit.org/changeset/223015
3705
3706         "Unreviewed, disable Gigacage on ARM64 Linux"
3707         https://bugs.webkit.org/show_bug.cgi?id=177586
3708         http://trac.webkit.org/changeset/223025
3709
3710 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3711
3712         Update expectations for test262 tests that pass after r223043.
3713         https://bugs.webkit.org/show_bug.cgi?id=176685
3714
3715         Unreviewed test gardening.
3716
3717         * test262.yaml:
3718
3719 2017-10-09  Ryan Haddad  <ryanhaddad@apple.com>
3720
3721         Unreviewed, rolling out r223022.
3722
3723         This change introduced 18 test262 failures.
3724
3725         Reverted changeset:
3726
3727         "`async` should be able to be used as an imported binding
3728         name"
3729         https://bugs.webkit.org/show_bug.cgi?id=176573
3730         http://trac.webkit.org/changeset/223022
3731
3732 2017-10-09  Saam Barati  <sbarati@apple.com>
3733
3734         3 poly-proto JSC tests timing out on debug after r222827
3735         https://bugs.webkit.org/show_bug.cgi?id=177880
3736         <rdar://problem/34817122>
3737
3738         Unreviewed.
3739
3740         I'm skipping these type profiler tests on debug since they are long running.
3741
3742         * typeProfiler/deltablue-for-of.js:
3743         * typeProfiler/getter-richards.js:
3744
3745 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3746
3747         Safari 10 /11 problem with if (!await get(something)).
3748         https://bugs.webkit.org/show_bug.cgi?id=176685
3749
3750         Reviewed by Saam Barati.
3751
3752         * stress/async-await-basic.js:
3753         (awaitEpression.async):
3754         * stress/async-await-syntax.js:
3755         (testTopLevelAsyncAwaitSyntaxSloppyMode.testSyntax):
3756         (prototype.testTopLevelAsyncAwaitSyntaxStrictMode):
3757
3758 2017-10-08  Saam Barati  <sbarati@apple.com>
3759
3760         Unreviewed. Make some type profiler tests run for less time to avoid debug timeouts.
3761
3762         * typeProfiler/deltablue-for-of.js:
3763         * typeProfiler/getter-richards.js:
3764
3765 2017-10-07  Yusuke Suzuki  <utatane.tea@gmail.com>
3766
3767         `async` should be able to be used as an imported binding name
3768         https://bugs.webkit.org/show_bug.cgi?id=176573
3769
3770         Reviewed by Darin Adler.
3771
3772         * modules/import-default-async.js: Added.
3773         * modules/import-named-async-as.js: Added.
3774         * modules/import-named-async.js: Added.
3775         * modules/import-named-async/target.js: Added.
3776         * modules/import-namespace-async.js: Added.
3777
3778 2017-09-29  Filip Pizlo  <fpizlo@apple.com>
3779
3780         Enable gigacage on iOS
3781         https://bugs.webkit.org/show_bug.cgi?id=177586
3782
3783         Reviewed by JF Bastien.
3784         
3785         Add tests for when Gigacage gets runtime disabled.
3786
3787         * stress/disable-gigacage-arrays.js: Added.
3788         (foo):
3789         * stress/disable-gigacage-strings.js: Added.
3790         (foo):
3791         * stress/disable-gigacage-typed-arrays.js: Added.
3792         (foo):
3793
3794 2017-10-06  Commit Queue  <commit-queue@webkit.org>
3795
3796         Unreviewed, rolling out r222791 and r222873.
3797         https://bugs.webkit.org/show_bug.cgi?id=178031
3798
3799         Caused crashes with workers/wasm LayoutTests (Requested by
3800         ryanhaddad on #webkit).
3801
3802         Reverted changesets:
3803
3804         "WebAssembly: no VM / JS version of everything but Instance"
3805         https://bugs.webkit.org/show_bug.cgi?id=177473
3806         http://trac.webkit.org/changeset/222791
3807
3808         "WebAssembly: address no VM / JS follow-ups"
3809         https://bugs.webkit.org/show_bug.cgi?id=177887
3810         http://trac.webkit.org/changeset/222873
3811
3812 2017-10-05  Saam Barati  <sbarati@apple.com>
3813
3814         Make sure all prototypes under poly proto get added into the VM's prototype map
3815         https://bugs.webkit.org/show_bug.cgi?id=177909
3816
3817         Reviewed by Keith Miller.
3818
3819         * stress/poly-proto-prototype-map-having-a-bad-time.js: Added.
3820         (assert):
3821         (foo.C):
3822         (foo):
3823         (set x):
3824
3825 2017-09-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3826
3827         [JSC] Introduce import.meta
3828         https://bugs.webkit.org/show_bug.cgi?id=177703
3829
3830         Reviewed by Filip Pizlo.
3831
3832         * modules/import-meta-syntax.js: Added.
3833         (shouldThrow):
3834         (shouldNotThrow):
3835         * modules/import-meta.js: Added.
3836         * modules/import-meta/cocoa.js: Added.
3837         * modules/resources/assert.js:
3838         (export.shouldNotThrow):
3839         * stress/import-syntax.js:
3840
3841 2017-10-04  Saam Barati  <sbarati@apple.com>
3842
3843         Make pertinent AccessCases watch the poly proto watchpoint
3844         https://bugs.webkit.org/show_bug.cgi?id=177765
3845
3846         Reviewed by Keith Miller.
3847
3848         * microbenchmarks/poly-proto-and-non-poly-proto-same-ic.js: Added.
3849         (assert):
3850         (foo.C):
3851         (foo):
3852         (validate):
3853         * stress/poly-proto-clear-stub.js: Added.
3854         (assert):
3855         (foo.C):
3856         (foo):
3857
3858 2017-10-04  Ryan Haddad  <ryanhaddad@apple.com>
3859
3860         Remove failure expectation for async-func-decl-dstr-obj-id-put-unresolvable-no-strict.js.
3861
3862         Unreviewed test gardening.
3863
3864         * test262.yaml:
3865
3866 2017-10-04  Saam Barati  <sbarati@apple.com>
3867
3868         3 poly-proto JSC tests timing out on debug after r222827
3869         https://bugs.webkit.org/show_bug.cgi?id=177880
3870
3871         Rubber stamped by Mark Lam.
3872
3873         * microbenchmarks/poly-proto-access.js:
3874         * typeProfiler/deltablue-for-of.js:
3875         * typeProfiler/getter-richards.js:
3876
3877 2017-10-04  Joseph Pecoraro  <pecoraro@apple.com>
3878
3879         Unreviewed, marking tco-catch.js as a failure after test262 update
3880         https://bugs.webkit.org/show_bug.cgi?id=177859
3881
3882         * test262.yaml:
3883
3884 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3885
3886         Unreviewed, marking one async iterator test262 test failed
3887         https://bugs.webkit.org/show_bug.cgi?id=177859
3888
3889         * test262.yaml:
3890
3891 2017-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3892
3893         [Test262] Update Test262 to Oct 4 version
3894         https://bugs.webkit.org/show_bug.cgi?id=177859
3895
3896         Reviewed by Sam Weinig.
3897
3898         Let's rebaseline test262. Since it includes the latest changes to ArrayIterator::next,
3899         we no longer need to mark it skip/fail. Also this update includes bunch of BigInt tests.
3900
3901         * test262.yaml:
3902         * test262/harness/promiseHelper.js: Renamed from JSTests/test262/harness/PromiseHelper.js.
3903         (checkSequence):
3904         * test262/harness/typeCoercion.js:
3905         (testCoercibleToIndexZero):
3906         (testCoercibleToIndexOne):
3907         (testCoercibleToIndexFromIndex):
3908         (testNotCoercibleToIndex.testPrimitiveValue):
3909         (testNotCoercibleToInteger):
3910         (testCoercibleToBigIntZero.testPrimitiveValue):
3911         (testCoercibleToBigIntZero):
3912         (testCoercibleToBigIntOne.testPrimitiveValue):
3913         (testCoercibleToBigIntOne):
3914         (testPrimitiveValue):
3915         (testCoercibleToBigIntFromBigInt):
3916         (testNotCoercibleToBigInt.testPrimitiveValue):
3917         (testNotCoercibleToBigInt.testStringValue):
3918         (testNotCoercibleToBigInt):
3919         * test262/test/built-ins/Array/from/proto-from-ctor-realm.js:
3920         * test262/test/built-ins/Array/length/define-own-prop-length-overflow-realm.js:
3921         * test262/test/built-ins/Array/of/proto-from-ctor-realm.js:
3922         * test262/test/built-ins/Array/proto-from-ctor-realm.js:
3923         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js:
3924         * test262/test/built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js:
3925         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js:
3926         * test262/test/built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js:
3927         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js:
3928         * test262/test/built-ins/Array/prototype/map/create-proto-from-ctor-realm-non-array.js:
3929         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js:
3930         * test262/test/built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js:
3931         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js:
3932         * test262/test/built-ins/Array/prototype/splice/create-proto-from-ctor-realm-non-array.js:
3933         * test262/test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
3934         * test262/test/built-ins/BigInt/asIntN/bigint-tobigint.js:
3935         (testCoercibleToBigIntZero):
3936         (testCoercibleToBigIntOne):
3937         (testNotCoercibleToBigInt):
3938         (MyError): Deleted.
3939         (valueOf): Deleted.
3940         (toString): Deleted.
3941         (Symbol.toPrimitive): Deleted.
3942         * test262/test/built-ins/BigInt/asIntN/bits-toindex.js:
3943         (testCoercibleToIndexZero):
3944         (testCoercibleToIndexOne):
3945         (testNotCoercibleToIndex):
3946         (MyError): Deleted.
3947         (assert.sameValue.BigInt.asIntN.valueOf): Deleted.
3948         (assert.sameValue.BigInt.asIntN.toString): Deleted.
3949         (BigInt.asIntN.Symbol.toPrimitive): Deleted.
3950         (BigInt.asIntN.valueOf): Deleted.
3951         (BigInt.asIntN.toString): Deleted.
3952         * test262/test/built-ins/BigInt/asUintN/arithmetic.js: Added.
3953         * test262/test/built-ins/BigInt/asUintN/asUintN.js: Added.
3954         * test262/test/built-ins/BigInt/asUintN/bigint-tobigint.js: Added.
3955         (testCoercibleToBigIntZero):
3956         (testCoercibleToBigIntOne):
3957         (testNotCoercibleToBigInt):
3958         * test262/test/built-ins/BigInt/asUintN/bits-toindex.js: Added.
3959         (testCoercibleToIndexZero):
3960         (testCoercibleToIndexOne):
3961         (testNotCoercibleToIndex):
3962         * test262/test/built-ins/BigInt/asUintN/length.js: Added.
3963         * test262/test/built-ins/BigInt/asUintN/name.js: Added.
3964         * test262/test/built-ins/BigInt/asUintN/order-of-steps.js: Added.
3965         (bits.valueOf):
3966         (bigint.valueOf):
3967         * test262/test/built-ins/BigInt/prototype/valueOf/length.js: Added.
3968         * test262/test/built-ins/BigInt/prototype/valueOf/name.js: Added.
3969         * test262/test/built-ins/BigInt/prototype/valueOf/prop-desc.js: Added.
3970         * test262/test/built-ins/BigInt/prototype/valueOf/return.js: Added.
3971         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-object-throws.js: Added.
3972         * test262/test/built-ins/BigInt/prototype/valueOf/this-value-invalid-primitive-throws.js: Added.
3973         * test262/test/built-ins/Boolean/proto-from-ctor-realm.js:
3974         * test262/test/built-ins/DataView/proto-from-ctor-realm-sab.js:
3975         * test262/test/built-ins/DataView/proto-from-ctor-realm.js:
3976         * test262/test/built-ins/Date/proto-from-ctor-realm-one.js:
3977         * test262/test/built-ins/Date/proto-from-ctor-realm-two.js:
3978         * test262/test/built-ins/Date/proto-from-ctor-realm-zero.js:
3979         * test262/test/built-ins/Error/proto-from-ctor-realm.js:
3980         * test262/test/built-ins/Function/call-bind-this-realm-undef.js:
3981         * test262/test/built-ins/Function/call-bind-this-realm-value.js:
3982         * test262/test/built-ins/Function/internals/Call/class-ctor-realm.js:
3983         * test262/test/built-ins/Function/internals/Construct/base-ctor-revoked-proxy-realm.js:
3984         * test262/test/built-ins/Function/internals/Construct/derived-return-val-realm.js:
3985         * test262/test/built-ins/Function/internals/Construct/derived-this-uninitialized-realm.js:
3986         * test262/test/built-ins/Function/proto-from-ctor-realm.js:
3987         * test262/test/built-ins/Function/prototype/bind/get-fn-realm.js:
3988         * test262/test/built-ins/Function/prototype/bind/proto-from-ctor-realm.js:
3989         * test262/test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
3990         * test262/test/built-ins/JSON/stringify/bigint-order.js: Added.
3991         (replacer):
3992         (BigInt.prototype.toJSON):
3993         * test262/test/built-ins/JSON/stringify/bigint-replacer.js: Added.
3994         (replacer):
3995         * test262/test/built-ins/JSON/stringify/bigint-tojson.js: Added.
3996         (BigInt.prototype.toJSON):
3997         * test262/test/built-ins/JSON/stringify/bigint.js:
3998         * test262/test/built-ins/Map/proto-from-ctor-realm.js:
3999         * test262/test/built-ins/Number/S9.3.1_A2_U180E.js:
4000         * test262/test/built-ins/Number/S9.3.1_A3_T1_U180E.js:
4001         * test262/test/built-ins/Number/S9.3.1_A3_T2_U180E.js:
4002         * test262/test/built-ins/Number/proto-from-ctor-realm.js:
4003         * test262/test/built-ins/Object/proto-from-ctor.js:
4004         * test262/test/built-ins/Promise/proto-from-ctor-realm.js:
4005         * test262/test/built-ins/Proxy/apply/arguments-realm.js:
4006         * test262/test/built-ins/Proxy/apply/trap-is-not-callable-realm.js:
4007         * test262/test/built-ins/Proxy/construct/arguments-realm.js:
4008         * test262/test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
4009         * test262/test/built-ins/Proxy/construct/trap-is-undefined-proto-from-ctor-realm.js:
4010         * test262/test/built-ins/Proxy/defineProperty/desc-realm.js:
4011         * test262/test/built-ins/Proxy/defineProperty/null-handler-realm.js:
4012         * test262/test/built-ins/Proxy/defineProperty/targetdesc-configurable-desc-not-configurable-realm.js:
4013         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-not-configurable-target-realm.js:
4014         * test262/test/built-ins/Proxy/defineProperty/targetdesc-not-compatible-descriptor-realm.js:
4015         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-not-configurable-descriptor-realm.js:
4016         * test262/test/built-ins/Proxy/defineProperty/targetdesc-undefined-target-is-not-extensible-realm.js:
4017         * test262/test/built-ins/Proxy/defineProperty/trap-is-not-callable-realm.js:
4018         * test262/test/built-ins/Proxy/deleteProperty/trap-is-not-callable-realm.js:
4019         * test262/test/built-ins/Proxy/get-fn-realm.js:
4020         * test262/test/built-ins/Proxy/get/trap-is-not-callable-realm.js:
4021         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/result-type-is-not-object-nor-undefined-realm.js:
4022         * test262/test/built-ins/Proxy/getOwnPropertyDescriptor/trap-is-not-callable-realm.js:
4023         * test262/test/built-ins/Proxy/getPrototypeOf/trap-is-not-callable-realm.js:
4024         * test262/test/built-ins/Proxy/has/trap-is-not-callable-realm.js:
4025         * test262/test/built-ins/Proxy/isExtensible/trap-is-not-callable-realm.js:
4026         * test262/test/built-ins/Proxy/ownKeys/return-not-list-object-throws-realm.js:
4027         * test262/test/built-ins/Proxy/ownKeys/trap-is-not-callable-realm.js:
4028         * test262/test/built-ins/Proxy/preventExtensions/trap-is-not-callable-realm.js:
4029         * test262/test/built-ins/Proxy/set/trap-is-not-callable-realm.js:
4030         * test262/test/built-ins/Proxy/setPrototypeOf/trap-is-not-callable-realm.js:
4031         * test262/test/built-ins/RegExp/S15.10.2.12_A1_T1.js:
4032         (i6.replace):
4033         (i6b.replace):
4034         * test262/test/built-ins/RegExp/dotall/with-dotall-unicode.js:
4035         * test262/test/built-ins/RegExp/dotall/with-dotall.js:
4036         * test262/test/built-ins/RegExp/dotall/without-dotall-unicode.js:
4037         * test262/test/built-ins/RegExp/dotall/without-dotall.js:
4038         * test262/test/built-ins/RegExp/proto-from-ctor-realm.js:
4039         * test262/test/built-ins/RegExp/prototype/Symbol.split/splitter-proto-from-ctor-realm.js:
4040         * test262/test/built-ins/RegExp/u180e.js: Added.
4041         * test262/test/built-ins/Set/proto-from-ctor-realm.js:
4042         * test262/test/built-ins/SharedArrayBuffer/proto-from-ctor-realm.js:
4043         * test262/test/built-ins/String/proto-from-ctor-realm.js:
4044         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail.js:
4045         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Fail_2.js:
4046         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success.js:
4047         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_2.js:
4048         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_3.js:
4049         * test262/test/built-ins/String/prototype/endsWith/String.prototype.endsWith_Success_4.js:
4050         * test262/test/built-ins/String/prototype/endsWith/coerced-values-of-position.js:
4051         * test262/test/built-ins/String/prototype/endsWith/endsWith.js:
4052         * test262/test/built-ins/String/prototype/endsWith/length.js:
4053         * test262/test/built-ins/String/prototype/endsWith/name.js:
4054         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position-as-symbol.js:
4055         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-position.js:
4056         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-as-symbol.js:
4057         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring-regexp-test.js:
4058         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-searchstring.js:
4059         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this-as-symbol.js:
4060         * test262/test/built-ins/String/prototype/endsWith/return-abrupt-from-this.js:
4061         * test262/test/built-ins/String/prototype/endsWith/return-false-if-search-start-is-less-than-zero.js:
4062         * test262/test/built-ins/String/prototype/endsWith/return-true-if-searchstring-is-empty.js:
4063         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-with-position.js:
4064         * test262/test/built-ins/String/prototype/endsWith/searchstring-found-without-position.js:
4065         * test262/test/built-ins/String/prototype/endsWith/searchstring-is-regexp-throws.js:
4066         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-with-position.js:
4067         * test262/test/built-ins/String/prototype/endsWith/searchstring-not-found-without-position.js:
4068         * test262/test/built-ins/String/prototype/endsWith/this-is-null-throws.js:
4069         * test262/test/built-ins/String/prototype/endsWith/this-is-undefined-throws.js:
4070         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailBadLocation.js:
4071         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailLocation.js:
4072         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_FailMissingLetter.js:
4073         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_Success.js:
4074         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_SuccessNoLocation.js:
4075         * test262/test/built-ins/String/prototype/includes/String.prototype.includes_lengthProp.js:
4076         * test262/test/built-ins/String/prototype/includes/coerced-values-of-position.js:
4077         * test262/test/built-ins/String/prototype/includes/includes.js:
4078         * test262/test/built-ins/String/prototype/includes/length.js:
4079         * test262/test/built-ins/String/prototype/includes/name.js:
4080         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position-as-symbol.js:
4081         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-position.js:
4082         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-as-symbol.js:
4083         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring-regexp-test.js:
4084         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-searchstring.js:
4085         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this-as-symbol.js:
4086         * test262/test/built-ins/String/prototype/includes/return-abrupt-from-this.js:
4087         * test262/test/built-ins/String/prototype/includes/return-false-with-out-of-bounds-position.js:
4088         * test262/test/built-ins/String/prototype/includes/return-true-if-searchstring-is-empty.js:
4089         * test262/test/built-ins/String/prototype/includes/searchstring-found-with-position.js:
4090         * test262/test/built-ins/String/prototype/includes/searchstring-found-without-position.js:
4091         * test262/test/built-ins/String/prototype/includes/searchstring-is-regexp-throws.js:
4092         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-with-position.js:
4093         * test262/test/built-ins/String/prototype/includes/searchstring-not-found-without-position.js:
4094         * test262/test/built-ins/String/prototype/includes/this-is-null-throws.js:
4095         * test262/test/built-ins/String/prototype/includes/this-is-undefined-throws.js:
4096         * test262/test/built-ins/String/prototype/toLocaleLowerCase/Final_Sigma_U180E.js:
4097         * test262/test/built-ins/String/prototype/toLowerCase/Final_Sigma_U180E.js:
4098         * test262/test/built-ins/String/prototype/trim/u180e.js:
4099         * test262/test/built-ins/Symbol/for/cross-realm.js:
4100         * test262/test/built-ins/Symbol/hasInstance/cross-realm.js:
4101         * test262/test/built-ins/Symbol/isConcatSpreadable/cross-realm.js:
4102         * test262/test/built-ins/Symbol/iterator/cross-realm.js:
4103         * test262/test/built-ins/Symbol/keyFor/cross-realm.js:
4104         * test262/test/built-ins/Symbol/match/cross-realm.js:
4105         * test262/test/built-ins/Symbol/replace/cross-realm.js:
4106         * test262/test/built-ins/Symbol/search/cross-realm.js:
4107         * test262/test/built-ins/Symbol/species/cross-realm.js:
4108         * test262/test/built-ins/Symbol/split/cross-realm.js:
4109         * test262/test/built-ins/Symbol/toPrimitive/cross-realm.js:
4110         * test262/test/built-ins/Symbol/toStringTag/cross-realm.js:
4111         * test262/test/built-ins/Symbol/unscopables/cross-realm.js:
4112         * test262/test/built-ins/ThrowTypeError/distinct-cross-realm.js:
4113         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm-sab.js:
4114         * test262/test/built-ins/TypedArrays/buffer-arg-proto-from-ctor-realm.js:
4115         * test262/test/built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm.js:
4116         * test262/test/built-ins/TypedArrays/internals/Get/detached-buffer-realm.js:
4117         * test262/test/built-ins/TypedArrays/internals/GetOwnProperty/detached-buffer-realm.js:
4118         * test262/test/built-ins/TypedArrays/internals/HasProperty/detached-buffer-realm.js:
4119         * test262/test/built-ins/TypedArrays/internals/Set/detached-buffer-realm.js:
4120         * test262/test/built-ins/TypedArrays/length-arg-proto-from-ctor-realm.js:
4121         * test262/test/built-ins/TypedArrays/no-args-proto-from-ctor-realm.js:
4122         * test262/test/built-ins/TypedArrays/object-arg-proto-from-ctor-realm.js:
4123         * test262/test/built-ins/TypedArrays/typedarray-arg-other-ctor-buffer-ctor-custom-species-proto-from-ctor-realm.js:
4124         * test262/test/built-ins/TypedArrays/typedarray-arg-proto-from-ctor-realm.js:
4125         * test262/test/built-ins/TypedArrays/typedarray-arg-same-ctor-buffer-ctor-species-custom-proto-from-ctor-realm.js:
4126         * test262/test/built-ins/WeakMap/proto-from-ctor-realm.js:
4127         * test262/test/built-ins/WeakSet/proto-from-ctor-realm.js:
4128         * test262/test/built-ins/parseFloat/S15.1.2.3_A2_T10_U180E.js:
4129         * test262/test/built-ins/parseInt/S15.1.2.2_A2_T10_U180E.js:
4130         * test262/test/intl402/NumberFormat/prototype/formatToParts/length.js:
4131         * test262/test/language/comments/mongolian-vowel-separator-multi.js:
4132         * test262/test/language/comments/mongolian-vowel-separator-single-eval.js:
4133         * test262/test/language/comments/mongolian-vowel-separator-single.js:
4134         * test262/test/language/eval-code/indirect/realm.js:
4135         * test262/test/language/expressions/assignment/dstr-obj-rest-order.js: Added.
4136         (o.get z):
4137         (o.get a):
4138         * test262/test/language/expressions/call/eval-realm-indirect.js:
4139         * test262/test/language/expressions/generators/eval-body-proto-realm.js:
4140         * test262/test/language/expressions/greater-than-or-equal/bigint-and-bigint.js: Added.
4141         * test262/test/language/expressions/greater-than-or-equal/bigint-and-non-finite.js: Added.
4142         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number-extremes.js: Added.
4143         * test262/test/language/expressions/greater-than-or-equal/bigint-and-number.js:
4144         * test262/test/language/expressions/greater-than/bigint-and-bigint.js: Added.
4145         * test262/test/language/expressions/greater-than/bigint-and-non-finite.js: Added.
4146         * test262/test/language/expressions/greater-than/bigint-and-number-extremes.js: Added.
4147         * test262/test/language/expressions/greater-than/bigint-and-number.js:
4148         * test262/test/language/expressions/less-than-or-equal/bigint-and-bigint.js: Added.
4149         * test262/test/language/expressions/less-than-or-equal/bigint-and-non-finite.js: Added.
4150         * test262/test/language/expressions/less-than-or-equal/bigint-and-number-extremes.js: Added.
4151         * test262/test/language/expressions/less-than-or-equal/bigint-and-number.js:
4152         * test262/test/language/expressions/less-than/bigint-and-bigint.js: Added.
4153         * test262/test/language/expressions/less-than/bigint-and-non-finite.js: Added.
4154         * test262/test/language/expressions/less-than/bigint-and-number-extremes.js: Added.
4155         * test262/test/language/expressions/less-than/bigint-and-number.js:
4156         * test262/test/language/expressions/new/non-ctor-err-realm.js:
4157         * test262/test/language/expressions/super/realm.js:
4158         * test262/test/language/expressions/tagged-template/cache-realm.js:
4159         * test262/test/language/expressions/template-literal/mongolian-vowel-separator-eval.js:
4160         * test262/test/language/expressions/template-literal/mongolian-vowel-separator.js:
4161         * test262/test/language/literals/regexp/mongolian-vowel-separator-eval.js:
4162         * test262/test/language/literals/regexp/mongolian-vowel-separator.js:
4163         * test262/test/language/literals/string/mongolian-vowel-separator-eval.js:
4164         * test262/test/language/literals/string/mongolian-vowel-separator.js:
4165         * test262/test/language/statements/for-of/dstr-obj-rest-order.js: Added.
4166         (o.get z):
4167         (o.get a):
4168         * test262/test/language/statements/for-of/iterator-next-reference.js:
4169         (next):
4170         (iterator.next): Deleted.
4171         (x.of.iterable.): Deleted.
4172         (x.of.iterable.get return): Deleted.
4173         (x.of.iterable.iterator.next): Deleted.
4174         * test262/test/language/types/reference/get-value-prop-base-primitive-realm.js:
4175         * test262/test/language/types/reference/put-value-prop-base-primitive-realm.js:
4176         * test262/test/language/white-space/mongolian-vowel-separator-eval.js:
4177         * test262/test/language/white-space/mongolian-vowel-separator.js:
4178         * test262/test262-Revision.txt:
4179
4180 2017-10-03  Saam Barati  <sbarati@apple.com>
4181
4182         Implement polymorphic prototypes
4183         https://bugs.webkit.org/show_bug.cgi?id=176391
4184
4185         Reviewed by Filip Pizlo.
4186
4187         * microbenchmarks/poly-proto-access.js: Added.
4188         (assert):
4189         (foo.C):
4190         (foo.C.prototype.get bar):
4191         (foo):
4192         (bar):
4193         * microbenchmarks/poly-proto-put-transition-speed.js: Added.
4194         (assert):
4195         (makePolyProtoObject.foo.C):
4196         (makePolyProtoObject.foo):
4197         (makePolyProtoObject):
4198         (performSet):
4199         * microbenchmarks/poly-proto-setter-speed.js: Added.
4200         (assert):
4201         (makePolyProtoObject.foo.C):
4202         (makePolyProtoObject.foo.C.prototype.set p):
4203         (makePolyProtoObject.foo):
4204         (makePolyProtoObject):
4205         (performSet):
4206         * stress/constructor-with-return.js:
4207         (i.tests.forEach.Constructor):
4208         (i.tests.forEach):
4209         (tests.forEach.Constructor): Deleted.
4210         (tests.forEach): Deleted.
4211         * stress/dom-jit-with-poly-proto.js: Added.
4212         (assert):
4213         (makePolyProtoObject.foo.C):
4214         (makePolyProtoObject.foo):
4215         (makePolyProtoObject):
4216         (validate):
4217         * stress/poly-proto-custom-value-and-accessor.js: Added.
4218         (assert):
4219         (makePolyProtoObject.foo.C):
4220         (makePolyProtoObject.foo):
4221         (makePolyProtoObject):
4222         (items.forEach):
4223         (set get for):
4224         * stress/poly-proto-intrinsic-getter-correctness.js: Added.
4225         (assert):
4226         (makePolyProtoObject.foo.C):
4227         (makePolyProtoObject.foo):
4228         (makePolyProtoObject):
4229         (foo):
4230         * stress/poly-proto-miss.js: Added.
4231         (makePolyProtoInstanceWithNullPrototype.foo.C):
4232         (makePolyProtoInstanceWithNullPrototype.foo):
4233         (makePolyProtoInstanceWithNullPrototype):
4234         (assert):
4235         (validate):
4236         * stress/poly-proto-op-in-caching.js: Added.
4237         (assert):
4238         (makePolyProtoObject.foo.C):
4239         (makePolyProtoObject.foo):
4240         (makePolyProtoObject):
4241         (validate):
4242         (validate2):
4243         * stress/poly-proto-put-transition.js: Added.
4244         (assert):
4245         (makePolyProtoObject.foo.C):
4246         (makePolyProtoObject.foo):
4247         (makePolyProtoObject):
4248         (performSet):
4249         (i.obj.__proto__.set p):
4250         * stress/poly-proto-set-prototype.js: Added.
4251         (assert):
4252         (let.alternateProto.get x):
4253         (let.alternateProto2.get y):
4254         (let.alternateProto2.get x):
4255         (foo.C):
4256         (foo):
4257         (validate):
4258         * stress/poly-proto-setter.js: Added.
4259         (assert):
4260         (makePolyProtoObject.foo.C):
4261         (makePolyProtoObject.foo.C.prototype.set p):
4262         (makePolyProtoObject.foo.C.prototype.get p):
4263         (makePolyProtoObject.foo):
4264         (makePolyProtoObject):
4265         (performSet):
4266         * stress/poly-proto-using-inheritance.js: Added.
4267         (assert):
4268         (foo.C):
4269         (foo.C.prototype.get baz):
4270         (foo):
4271         (bar.C):
4272         (bar):
4273         (validate):
4274         * stress/primitive-poly-proto.js: Added.
4275         (makePolyProtoInstance.foo.C):
4276         (makePolyProtoInstance.foo):
4277         (makePolyProtoInstance):
4278         (assert):
4279         (validate):
4280         * stress/prototype-is-not-js-object.js: Added.
4281         (foo.bar):
4282         (foo):
4283         (assert):
4284         (validate):
4285         * stress/try-get-by-id-poly-proto.js: Added.
4286         (assert):
4287         (makePolyProtoObject.foo.C):
4288         (makePolyProtoObject.foo):
4289         (makePolyProtoObject):
4290         (tryGetByIdText):
4291         (x.__proto__.get bar):
4292         (validate):
4293         * typeProfiler/overflow.js:
4294
4295 2017-10-03  JF Bastien  <jfbastien@apple.com>
4296
4297         WebAssembly: no VM / JS version of everything but Instance
4298         https://bugs.webkit.org/show_bug.cgi?id=177473
4299
4300         Reviewed by Filip Pizlo.
4301
4302         - Exceeding max on memory growth now returns a range error as per
4303         spec. This is a (very minor) breaking change: it used to throw OOM
4304         error. Update the corresponding test.
4305
4306         * wasm/js-api/memory-grow.js:
4307         (assertEq):
4308         * wasm/js-api/table.js:
4309         (assert.throws):
4310
4311 2017-10-03  Ryan Haddad  <ryanhaddad@apple.com>
4312
4313         Skip JSC test stress/regress-159779-2.js on debug.
4314         https://bugs.webkit.org/show_bug.cgi?id=177204
4315
4316         Unreviewed test gardening.
4317
4318         * stress/regress-159779-2.js:
4319
4320 2017-10-02  Caio Lima  <ticaiolima@gmail.com>
4321
4322         ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
4323         https://bugs.webkit.org/show_bug.cgi?id=175642
4324
4325         Reviewed by Darin Adler.
4326
4327         * ChakraCore/test/Function/apply3.baseline-jsc:
4328
4329 2017-10-01  Commit Queue  <commit-queue@webkit.org>
4330
4331         Unreviewed, rolling out r222564.
4332         https://bugs.webkit.org/show_bug.cgi?id=177720
4333
4334         "It regressed JetStream by 2% on iOS caused by a 50%
4335         regression on the bigfib subtest" (Requested by saamyjoon on
4336         #webkit).
4337
4338         Reverted changeset:
4339
4340         "Add Above/Below comparisons for UInt32 patterns"
4341         https://bugs.webkit.org/show_bug.cgi?id=177281
4342         http://trac.webkit.org/changeset/222564
4343
4344 2017-09-29  Yusuke Suzuki  <utatane.tea@gmail.com>
4345
4346         [DFG] Support ArrayPush with multiple args
4347         https://bugs.webkit.org/show_bug.cgi?id=175823
4348
4349         Reviewed by Saam Barati.
4350
4351         * microbenchmarks/array-push-0.js: Added.
4352         (arrayPush0):
4353         * microbenchmarks/array-push-1.js: Added.
4354         (arrayPush1):
4355         * microbenchmarks/array-push-2.js: Added.
4356         (arrayPush2):
4357         * microbenchmarks/array-push-3.js: Added.
4358         (arrayPush3):
4359         * stress/array-push-multiple-contiguous.js: Added.
4360         (shouldBe):
4361         (test):
4362         * stress/array-push-multiple-double-nan.js: Added.
4363         (shouldBe):
4364         (test):
4365         * stress/array-push-multiple-double.js: Added.
4366         (shouldBe):
4367         (test):
4368         * stress/array-push-multiple-int32.js: Added.
4369         (shouldBe):
4370         (test):
4371         * stress/array-push-multiple-many-contiguous.js: Added.
4372         (shouldBe):
4373         (test):
4374         * stress/array-push-multiple-many-double.js: Added.
4375         (shouldBe):
4376         (test):
4377         * stress/array-push-multiple-many-int32.js: Added.
4378         (shouldBe):
4379         (test):
4380         * stress/array-push-multiple-many-storage.js: Added.
4381         (shouldBe):
4382         (test):
4383         * stress/array-push-multiple-storage.js: Added.
4384         (shouldBe):
4385         (test):
4386         * stress/array-push-with-force-exit.js: Added.